Edit tour

Windows Analysis Report
BEncode Editor.exe

Overview

General Information

Sample name:	BEncode Editor.exe
Analysis ID:	1582389
MD5:	26576bc77abd3e6817162e5c94bfbb97
SHA1:	bc994d975aafce10f5f6aef666d0505ce54054ea
SHA256:	6e62b0c23d6dd9dc1e7de4c3d8040a989e5dc1d6a663608e2bc129048b446aa5
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Contains functionality to detect sleep reduction / modifications

Uses Windows timers to delay execution

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w11x64_office

BEncode Editor.exe (PID: 7420 cmdline: "C:\Users\user\Desktop\BEncode Editor.exe" MD5: 26576BC77ABD3E6817162E5C94BFBB97)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140041150 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,	0_2_0000000140041150
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140052490 FindFirstFileW,FindNextFileW,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,	0_2_0000000140052490
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_000000014005D710 FindFirstFileW,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_000000014005D710
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140043770 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0000000140043770
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_000000014008C880 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,	0_2_000000014008C880
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_000000014005D9A0 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,	0_2_000000014005D9A0
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_000000014006FC70 FindFirstFileW,FindClose,	0_2_000000014006FC70
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140060DD0 FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_0000000140060DD0
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_000000014006DE70 FindFirstFileW,FindNextFileW,FindClose,	0_2_000000014006DE70

Source: C:\Users\user\Desktop\BEncode Editor.exe

Code function: 0_2_0000000140051E70 InternetQueryDataAvailable,InternetReadFile,

0_2_0000000140051E70

Source: C:\Users\user\Desktop\BEncode Editor.exe

Code function: 0_2_000000014007E010 OpenClipboard,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_000000014007E010

Source: C:\Users\user\Desktop\BEncode Editor.exe

Code function: 0_2_000000014006A500 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_000000014006A500

Source: C:\Users\user\Desktop\BEncode Editor.exe

0_2_000000014007E010

Source: C:\Users\user\Desktop\BEncode Editor.exe

Code function: 0_2_00000001400550E0 GetParent,GetKeyboardState,PostMessageW,PostMessageW,PostMessageW,PostMessageW,PostMessageW,SetKeyboardState,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,

0_2_00000001400550E0

Source: C:\Users\user\Desktop\BEncode Editor.exe

Code function: 0_2_00000001400412F0: GetFullPathNameW,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle,

0_2_00000001400412F0

Source: C:\Users\user\Desktop\BEncode Editor.exe

Code function: 0_2_00000001400474F0 GetCurrentProcess,OpenProcessToken,CreateEnvironmentBlock,CloseHandle,CreateProcessWithLogonW,DestroyEnvironmentBlock,

0_2_00000001400474F0

Source: C:\Users\user\Desktop\BEncode Editor.exe

Code function: 0_2_0000000140043060 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0000000140043060

Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_000000014001A110	0_2_000000014001A110
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140003210	0_2_0000000140003210
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140086450	0_2_0000000140086450
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_000000014002F56C	0_2_000000014002F56C
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_000000014002664C	0_2_000000014002664C
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_000000014001A75C	0_2_000000014001A75C
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_00000001400448A0	0_2_00000001400448A0
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_00000001400029A0	0_2_00000001400029A0
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140094C30	0_2_0000000140094C30
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_000000014002ED6C	0_2_000000014002ED6C
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140052FF0	0_2_0000000140052FF0
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140069000	0_2_0000000140069000
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140080020	0_2_0000000140080020
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_000000014002B050	0_2_000000014002B050
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_000000014002E050	0_2_000000014002E050
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_000000014001B0AC	0_2_000000014001B0AC
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_00000001400840E0	0_2_00000001400840E0
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_00000001400550E0	0_2_00000001400550E0
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_00000001400891D0	0_2_00000001400891D0
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_000000014002A260	0_2_000000014002A260
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_00000001400222AC	0_2_00000001400222AC
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_00000001400252D0	0_2_00000001400252D0
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_000000014008C2F0	0_2_000000014008C2F0
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140095370	0_2_0000000140095370
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140067370	0_2_0000000140067370
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_00000001400233D0	0_2_00000001400233D0
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140028404	0_2_0000000140028404
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140057420	0_2_0000000140057420
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_000000014002945C	0_2_000000014002945C
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140065470	0_2_0000000140065470
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_000000014001D46C	0_2_000000014001D46C
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140012520	0_2_0000000140012520
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_00000001400695B0	0_2_00000001400695B0
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140031614	0_2_0000000140031614
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140091620	0_2_0000000140091620
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140079620	0_2_0000000140079620
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140027640	0_2_0000000140027640
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_00000001400596C0	0_2_00000001400596C0
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140015720	0_2_0000000140015720
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140080760	0_2_0000000140080760
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140064770	0_2_0000000140064770
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_00000001400027A0	0_2_00000001400027A0
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_00000001400907C0	0_2_00000001400907C0
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_00000001400787F0	0_2_00000001400787F0
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_000000014001E828	0_2_000000014001E828
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_000000014001B82C	0_2_000000014001B82C
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_000000014002A8BC	0_2_000000014002A8BC
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_000000014001D8CC	0_2_000000014001D8CC
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_00000001400027A0	0_2_00000001400027A0
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140067920	0_2_0000000140067920
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_000000014002E928	0_2_000000014002E928
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_000000014007C930	0_2_000000014007C930
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_000000014001B9BC	0_2_000000014001B9BC
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_000000014008A9E0	0_2_000000014008A9E0
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140070A00	0_2_0000000140070A00
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140029A24	0_2_0000000140029A24
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_000000014001AB08	0_2_000000014001AB08
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140085B10	0_2_0000000140085B10
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140091B30	0_2_0000000140091B30
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_000000014002EB48	0_2_000000014002EB48
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_000000014001EB58	0_2_000000014001EB58
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140063BB0	0_2_0000000140063BB0
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_000000014001DBE8	0_2_000000014001DBE8
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140001C60	0_2_0000000140001C60
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_000000014002DCEC	0_2_000000014002DCEC
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140030D18	0_2_0000000140030D18
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140072D30	0_2_0000000140072D30
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140068D70	0_2_0000000140068D70
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_000000014008BE00	0_2_000000014008BE00
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140020E54	0_2_0000000140020E54
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140023E8C	0_2_0000000140023E8C
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140059E90	0_2_0000000140059E90
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_000000014001EE90	0_2_000000014001EE90
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140093F00	0_2_0000000140093F00
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140027F00	0_2_0000000140027F00
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140095F20	0_2_0000000140095F20
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_000000014007CF20	0_2_000000014007CF20
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140090FB0	0_2_0000000140090FB0
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140089FB0	0_2_0000000140089FB0
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140028FBC	0_2_0000000140028FBC
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140029FD8	0_2_0000000140029FD8

Source: C:\Users\user\Desktop\BEncode Editor.exe

Code function: String function: 0000000140056500 appears 66 times

Source: classification engine

Classification label: mal48.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\BEncode Editor.exe

Code function: 0_2_000000014005CBC0 GetLastError,FormatMessageW,

0_2_000000014005CBC0

Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140043060 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		0_2_0000000140043060
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140067920 OpenProcess,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,		0_2_0000000140067920

Source: C:\Users\user\Desktop\BEncode Editor.exe

Code function: 0_2_000000014006F0C0 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_000000014006F0C0

Source: C:\Users\user\Desktop\BEncode Editor.exe

Code function: 0_2_0000000140089D60 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0000000140089D60

Source: C:\Users\user\Desktop\BEncode Editor.exe

Code function: 0_2_000000014008C2F0 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_000000014008C2F0

Source: C:\Users\user\Desktop\BEncode Editor.exe

Code function: 0_2_0000000140042CB0 FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

0_2_0000000140042CB0

Source: BEncode Editor.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\BEncode Editor.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\BEncode Editor.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\BEncode Editor.exe

File read: C:\Users\user\Desktop\BEncode Editor.exe

Jump to behavior

Source: C:\Users\user\Desktop\BEncode Editor.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEncode Editor.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEncode Editor.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEncode Editor.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEncode Editor.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEncode Editor.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEncode Editor.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEncode Editor.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEncode Editor.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEncode Editor.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEncode Editor.exe	Section loaded: cfgmgr32.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEncode Editor.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEncode Editor.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEncode Editor.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEncode Editor.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEncode Editor.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEncode Editor.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Users\user\Desktop\BEncode Editor.exe

Window found: window name: SysTabControl32

Jump to behavior

Source: BEncode Editor.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: C:\Users\user\Desktop\BEncode Editor.exe

Code function: 0_2_0000000140001020 LoadLibraryA,GetProcAddress,

0_2_0000000140001020

Source: C:\Users\user\Desktop\BEncode Editor.exe

Code function: 0_2_0000000140004EF1 push 340003CCh; iretd

0_2_0000000140004EFD

Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_00000001400448A0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00000001400448A0
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_000000014008DE00 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_000000014008DE00

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\Desktop\BEncode Editor.exe

Code function: 0_2_0000000140003210

0_2_0000000140003210

Uses Windows timers to delay execution

Source: C:\Users\user\Desktop\BEncode Editor.exe	User Timer Set: Timeout: 750ms	Jump to behavior
Source: C:\Users\user\Desktop\BEncode Editor.exe	User Timer Set: Timeout: 40ms	Jump to behavior
Source: C:\Users\user\Desktop\BEncode Editor.exe	User Timer Set: Timeout: 750ms	Jump to behavior

Source: C:\Users\user\Desktop\BEncode Editor.exe	Window / User API: threadDelayed 7433			Jump to behavior
Source: C:\Users\user\Desktop\BEncode Editor.exe	Window / User API: foregroundWindowGot 1488			Jump to behavior

Source: C:\Users\user\Desktop\BEncode Editor.exe

API coverage: 7.4 %

Source: C:\Users\user\Desktop\BEncode Editor.exe TID: 7432

Thread sleep time: -74330s >= -30000s

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\BEncode Editor.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140041150 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,	0_2_0000000140041150
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140052490 FindFirstFileW,FindNextFileW,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,	0_2_0000000140052490
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_000000014005D710 FindFirstFileW,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_000000014005D710
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140043770 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0000000140043770
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_000000014008C880 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,	0_2_000000014008C880
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_000000014005D9A0 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,	0_2_000000014005D9A0
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_000000014006FC70 FindFirstFileW,FindClose,	0_2_000000014006FC70
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140060DD0 FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_0000000140060DD0
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_000000014006DE70 FindFirstFileW,FindNextFileW,FindClose,	0_2_000000014006DE70

Source: C:\Users\user\Desktop\BEncode Editor.exe

Code function: 0_2_0000000140014330 GetVersionExW,GetCurrentProcess,GetSystemInfo,FreeLibrary,GetSystemInfo,

0_2_0000000140014330

Source: C:\Users\user\Desktop\BEncode Editor.exe

API call chain: ExitProcess graph end node

graph_0-56044

Source: C:\Users\user\Desktop\BEncode Editor.exe

Code function: 0_2_000000014006A7C0 BlockInput,

0_2_000000014006A7C0

Source: C:\Users\user\Desktop\BEncode Editor.exe

Code function: 0_2_0000000140012DD0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,

0_2_0000000140012DD0

Source: C:\Users\user\Desktop\BEncode Editor.exe

Code function: 0_2_0000000140001020 LoadLibraryA,GetProcAddress,

0_2_0000000140001020

Source: C:\Users\user\Desktop\BEncode Editor.exe

Code function: 0_2_0000000140047080 GetProcessHeap,HeapAlloc,

0_2_0000000140047080

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_00000001400270B0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00000001400270B0
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_000000014002B81C SetUnhandledExceptionFilter,	0_2_000000014002B81C
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140020A00 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0000000140020A00
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_000000014002CA58 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_000000014002CA58

Source: C:\Users\user\Desktop\BEncode Editor.exe

Code function: 0_2_00000001400472A0 LogonUserW,

0_2_00000001400472A0

Source: C:\Users\user\Desktop\BEncode Editor.exe

0_2_0000000140012DD0

Source: C:\Users\user\Desktop\BEncode Editor.exe

Code function: 0_2_00000001400448A0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00000001400448A0

Source: C:\Users\user\Desktop\BEncode Editor.exe

Code function: 0_2_000000014005D450 mouse_event,

0_2_000000014005D450

Source: C:\Users\user\Desktop\BEncode Editor.exe

Code function: 0_2_0000000140056A40 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_0000000140056A40

Source: BEncode Editor.exe	Binary or memory string: Shell_TrayWnd
Source: BEncode Editor.exe	Binary or memory string: ASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALT0409000208090710050EASC 0%dupdownonoff0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning

Source: C:\Users\user\Desktop\BEncode Editor.exe

Code function: GetLocaleInfoA,

0_2_000000014002FAC8

Source: C:\Users\user\Desktop\BEncode Editor.exe

Code function: 0_2_0000000140042440 GetLocalTime,

0_2_0000000140042440

Source: C:\Users\user\Desktop\BEncode Editor.exe

Code function: 0_2_0000000140087430 GetUserNameW,

0_2_0000000140087430

Source: C:\Users\user\Desktop\BEncode Editor.exe

Code function: 0_2_0000000140028FBC _lock,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0000000140028FBC

Source: C:\Users\user\Desktop\BEncode Editor.exe

Code function: 0_2_0000000140014330 GetVersionExW,GetCurrentProcess,GetSystemInfo,FreeLibrary,GetSystemInfo,

0_2_0000000140014330

Source: BEncode Editor.exe	Binary or memory string: WIN_XP
Source: BEncode Editor.exe	Binary or memory string: WIN_XPe
Source: BEncode Editor.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 2, 0USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:cdeclwinapistdcallnonewstrbooluintlongulongdwordshortushortwordbyteubytebooleanfloatdoublehwndhandlelresultlparamwparamint64uint64int_ptruint_ptrlong_ptrulong_ptrdword_ptridispatch64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARY+.-.+-\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINEGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@
Source: BEncode Editor.exe	Binary or memory string: WIN_VISTA
Source: BEncode Editor.exe	Binary or memory string: WIN_7

Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_000000014008A800 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_000000014008A800
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140091B30 OleInitialize,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,	0_2_0000000140091B30
Source: C:\Users\user\Desktop\BEncode Editor.exe	Code function: 0_2_0000000140075BC0 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	0_2_0000000140075BC0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	2 Valid Accounts	2 Valid Accounts	2 Valid Accounts	11 Input Capture	2 System Time Discovery	Remote Services	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	LSASS Memory	12 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	21 Access Token Manipulation	111 Virtualization/Sandbox Evasion	Security Account Manager	111 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	3 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Process Injection	21 Access Token Manipulation	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	1 Process Injection	LSA Secrets	11 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	2 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	16 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
BEncode Editor.exe	3%	ReversingLabs

Name	IP	Active	Malicious	Antivirus Detection	Reputation
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582389
Start date and time:	2024-12-30 14:19:47 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09
Number of analysed new started processes analysed:	37
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	BEncode Editor.exe
Detection:	MAL
Classification:	mal48.evad.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 82 Number of non-executed functions: 166
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, SIHClient.exe, backgroundTaskHost.exe, appidcertstorecheck.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 204.79.197.203, 184.28.90.27, 4.175.87.197, 20.223.35.26, 20.190.159.64
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, slscr.update.microsoft.com, fd.api.iris.microsoft.com, a-0003.a-msedge.net, oneocsp-microsoft-com.a-0003.a-msedge.net, ctldl.windowsupdate.com, oneocsp.microsoft.com, x1.c.lencr.org, ocsp.digicert.com, login.live.com, res.public.onecdn.static.microsoft, ocsp.edge.digicert.com, c.pki.goog
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
VT rate limit hit for: BEncode Editor.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	valyzt.msi	Get hash	malicious	XRed	Browse	192.229.221.95
	docx.msi	Get hash	malicious	XRed	Browse	192.229.221.95
	SecuredOnedrive.ClientSetup.exe	Get hash	malicious	ScreenConnect Tool	Browse	192.229.221.95
	dsoft.exe	Get hash	malicious	Python Stealer, Creal Stealer	Browse	192.229.221.95
	KL-3.1.16.exe	Get hash	malicious	Nitol, Zegost	Browse	192.229.221.95
	2GL073z1wL.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	installer64v1.0.0.msi	Get hash	malicious	Unknown	Browse	192.229.221.95
	test5.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	192.229.221.95
	FIyDwZM4OR.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	ZFttiy4Tt8.exe	Get hash	malicious	Unknown	Browse	192.229.221.95

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.497143669772378
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	BEncode Editor.exe
File size:	832'005 bytes
MD5:	26576bc77abd3e6817162e5c94bfbb97
SHA1:	bc994d975aafce10f5f6aef666d0505ce54054ea
SHA256:	6e62b0c23d6dd9dc1e7de4c3d8040a989e5dc1d6a663608e2bc129048b446aa5
SHA512:	7d98010738647e487d5c7b5c4ad55f132442c606b9dc767d5381812df6ba7f70cb472de47bb55b2a25c6bec25c1237431eb795336d5ae7bfe513b83060322fe5
SSDEEP:	12288:LhwtMZsuC4jt6aOHAEN88qOQ2mxSx9IGsSluITDGJme0/NlF0Qryj8C0V3Ef:LOtMZfHt6vvVGJP0/Nf0QWox3Ef
TLSH:	6F057C59B7E800E5D47BE5BACE42C21BE7F1B8084774A6DB07505E2B1F23BE1593A321
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\.................k.......y.!.....~.......h.....?.......?.}.....?...9.............r._.....h.......i.......j.......l.....Rich...

File Icon


Icon Hash:	67c9342c4933164d

Static PE Info

General

Entrypoint:	0x14001f65c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x4B2A6D96 [Thu Dec 17 17:42:46 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	7834b9da763b0d783827e9676412d9f9

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FE6048043C4h
dec eax
add esp, 28h
jmp 00007FE6047F7B5Fh
int3
int3
dec eax
jmp dword ptr [00079FD9h]
int3
xor ecx, ecx
dec eax
jmp dword ptr [00079FCFh]
int3
int3
int3
dec eax
jmp dword ptr [00079FCDh]
int3
dec eax
jmp dword ptr [00079FCDh]
int3
mov eax, dword ptr [0008FDBAh]
ret
int3
dec eax
jmp dword ptr [00079FC5h]
int3
dec eax
sub esp, 28h
mov ecx, dword ptr [0008FDA6h]
cmp ecx, FFFFFFFFh
je 00007FE6047F7D4Fh
call dword ptr [00079FB7h]
or dword ptr [0008FD94h], FFFFFFFFh
dec eax
add esp, 28h
jmp 00007FE6047F97C8h
int3
int3
int3
dec eax
mov dword ptr [esp+08h], ebx
push edi
dec eax
sub esp, 20h
dec eax
mov edi, edx
dec eax
mov ebx, ecx
dec eax
lea eax, dword ptr [0007C64Dh]
dec eax
mov dword ptr [ecx+000000A0h], eax
mov dword ptr [ecx+1Ch], 00000001h
mov dword ptr [ecx+000000C8h], 00000001h
mov byte ptr [ecx+00000174h], 00000043h
mov byte ptr [ecx+000001F7h], 00000043h
dec eax
lea eax, dword ptr [0008FD50h]
dec eax
mov dword ptr [ecx+000000B8h], eax
mov ecx, 0000000Dh
call 00007FE6047F98F4h
nop
dec eax

Rich Headers

Programming Language:

[C++] VS2008 SP1 build 30729
[ C ] VS2008 SP1 build 30729
[ASM] VS2008 SP1 build 30729
[ C ] VS2005 build 50727
[IMP] VS2005 build 50727
[ASM] VS2008 build 21022
[RES] VS2008 build 21022
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xaafe0	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd0000	0x4410	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xc9000	0x6a50	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x99000	0x10a8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9787e	0x97a00	25bf208f067eb127bdc5003ccc11ea62	False	0.5203910758450123	data	6.39221719308833	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x99000	0x154dc	0x15600	1c9e8ab86a379e059abb5816a3f7dbe2	False	0.385953490497076	data	5.141667992398577	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xaf000	0x19b08	0x4600	d92095712ae66c57575ec783fa802170	False	0.2551339285714286	data	3.4070952778882098	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0xc9000	0x6a50	0x6c00	55e148c16da85e6eac4e56c8e62a46d8	False	0.4930555555555556	data	5.757925689479366	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xd0000	0x6911	0x6a00	965cf8f45e031c01d0bb9bf52404b4d1	False	0.3655291863207547	data	4.605163714639206	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd06e8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd0810	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd0938	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd0a60	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.4530956848030019
RT_ICON	0xd1b08	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.6303191489361702
RT_ICON	0xd1f70	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0			0.32358156028368795
RT_ICON	0xd23d8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0			0.44680851063829785
RT_ICON	0xd2840	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0			0.5859929078014184
RT_ICON	0xd2ca8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0			0.6276595744680851
RT_ICON	0xd3110	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0			0.6312056737588653
RT_ICON	0xd3578	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0			0.6117021276595744
RT_ICON	0xd39e0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0			0.18173758865248227
RT_DIALOG	0xd3e48	0xfc	data	English	Great Britain	0.6507936507936508
RT_STRING	0xd3f44	0x530	data	English	Great Britain	0.33960843373493976
RT_STRING	0xd4474	0x690	data	English	Great Britain	0.26964285714285713
RT_STRING	0xd4b04	0x43a	data	English	Great Britain	0.3733826247689464
RT_STRING	0xd4f40	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xd553c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xd5b98	0x388	data	English	Great Britain	0.377212389380531
RT_STRING	0xd5f20	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	United States	0.502906976744186
RT_GROUP_ICON	0xd6078	0x22	data	English	Great Britain	1.0588235294117647
RT_GROUP_ICON	0xd609c	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xd60b0	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xd60c4	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xd60d8	0x14	data			1.25
RT_GROUP_ICON	0xd60ec	0x14	data			1.25
RT_GROUP_ICON	0xd6100	0x14	data			1.25
RT_GROUP_ICON	0xd6114	0x14	data			1.25
RT_GROUP_ICON	0xd6128	0x14	data			1.25
RT_GROUP_ICON	0xd613c	0x14	data			1.25
RT_GROUP_ICON	0xd6150	0x14	data			1.25
RT_VERSION	0xd6164	0x210	data	English	Great Britain	0.4981060606060606
RT_MANIFEST	0xd6374	0x26c	ASCII text, with CRLF line terminators	English	United States	0.5145161290322581
RT_MANIFEST	0xd65e0	0x331	XML 1.0 document, ASCII text, with CRLF line terminators	English	Great Britain	0.4944920440636475

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
VERSION.dll	VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll	WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
PSAPI.DLL	EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
USERENV.dll	CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
KERNEL32.dll	WaitForSingleObject, HeapFree, GetProcessHeap, HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, MultiByteToWideChar, WideCharToMultiByte, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, ReadFile, SetFilePointer, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, lstrcmpiW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, CreateThread, GetLocalTime, CompareStringW, CompareStringA, WriteFile, GetStdHandle, CreatePipe, EnterCriticalSection, TerminateThread, LeaveCriticalSection, DeleteCriticalSection, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetComputerNameW, GetWindowsDirectoryW, GetSystemDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, VirtualAlloc, LoadLibraryExW, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, LoadLibraryA, GetModuleFileNameW, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, FreeLibrary, InitializeCriticalSection, ExitProcess, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetStartupInfoW, EncodePointer, DecodePointer, FlsGetValue, FlsSetValue, FlsFree, GetProcAddress, LoadLibraryW, SetLastError, FlsAlloc, HeapSize, RtlUnwindEx, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, UnhandledExceptionFilter, SetUnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, RtlPcToFileHeader, GetModuleFileNameA, InitializeCriticalSectionAndSpinCount, HeapSetInformation, HeapCreate, GetConsoleCP, GetConsoleMode, SetHandleCount, GetFileType, GetStartupInfoA, FlushFileBuffers, SetStdHandle, LCMapStringW, LCMapStringA, GetTimeZoneInformation, GetDateFormatA, GetTimeFormatA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetTickCount, HeapReAlloc, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA, SetEndOfFile, OutputDebugStringW, SetEnvironmentVariableA
USER32.dll	IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetWindowLongW, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongPtrW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, SetWindowLongPtrW, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, TranslateMessage, PeekMessageW, UnregisterHotKey, CharLowerBuffW, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, IsCharAlphaW, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, OpenClipboard, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, keybd_event, VkKeyScanA, GetKeyboardLayoutNameA, CharUpperW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongPtrW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, GetKeyboardLayoutNameW, ClientToScreen, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, TrackPopupMenuEx, IsClipboardFormatAvailable, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, BlockInput, GetMessageW, LockWindowUpdate, SystemParametersInfoW, DispatchMessageW, EnumWindows
GDI32.dll	DeleteObject, GetObjectW, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, LineTo, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, AngleArc, MoveToEx, Ellipse, PolyDraw, BeginPath, Rectangle, GetDeviceCaps, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, SetViewportOrgEx
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, RegEnumKeyExW, CloseServiceHandle, UnlockServiceDatabase, LockServiceDatabase, OpenSCManagerW, InitiateSystemShutdownExW, AdjustTokenPrivileges, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, CopySid, SetSecurityDescriptorDacl, LogonUserW, GetTokenInformation, GetSecurityDescriptorDacl, GetAce, AddAce, GetAclInformation
SHELL32.dll	DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, StringFromCLSID, IIDFromString, StringFromIID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize
OLEAUT32.dll	SafeArrayAllocData, SafeArrayAllocDescriptorEx, SysAllocString, OleLoadPicture, SafeArrayGetVartype, SafeArrayDestroyData, VariantInit, VariantCopy, VariantClear, VariantTimeToSystemTime, VarR8FromDec, SafeArrayDestroyDescriptor, LoadRegTypeLib, GetActiveObject, SafeArrayUnaccessData, SafeArrayAccessData

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain
English	United States

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 30, 2024 14:20:36.640564919 CET	1.1.1.1	192.168.2.24	0xa58a	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 30, 2024 14:20:36.640564919 CET	1.1.1.1	192.168.2.24	0xa58a	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	08:20:41
Start date:	30/12/2024
Path:	C:\Users\user\Desktop\BEncode Editor.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\BEncode Editor.exe"
Imagebase:	0x140000000
File size:	832'005 bytes
MD5 hash:	26576BC77ABD3E6817162E5C94BFBB97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16%
Total number of Nodes:	1390
Total number of Limit Nodes:	65

Executed Functions

Function 0000000140003210 Relevance: 97.2, APIs: 50, Strings: 4, Instructions: 2722windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140018908: malloc.LIBCMT ref: 0000000140018922

CharUpperBuffW.USER32 ref: 00000001400032F4
PeekMessageW.USER32 ref: 000000014000433F
std::exception_ptr::_Current_exception.LIBCONCRT ref: 000000014003C85F

Strings

@GUI_WINHANDLE, xrefs: 000000014003BC12
@GUI_CTRLID, xrefs: 000000014003BBA0
@TRAY_ID, xrefs: 000000014003BDEB
@GUI_CTRLHANDLE, xrefs: 000000014003BC85

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: BuffCharCurrent_exceptionMessagePeekUppermallocstd::exception_ptr::_
String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 3917704898-570651680
Opcode ID: e9cefeec81a4ad89115b667aae2d6ec473ea76b74b559234c9bf468bbf1232aa
Instruction ID: e1171606b2f59f630c2f821be0f338f4a628adf5b26b81358ecc06f62f4530ae
Opcode Fuzzy Hash: e9cefeec81a4ad89115b667aae2d6ec473ea76b74b559234c9bf468bbf1232aa
Instruction Fuzzy Hash: 91537B72208A8086EB66DF16E4943EE77A5F78DBC4F544116EB8E87BA5CF39C491C700

Function 00000001400029A0 Relevance: 53.4, APIs: 26, Strings: 4, Instructions: 862windowtimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32 ref: 0000000140002A4B
SleepEx.KERNELBASE ref: 0000000140002CC2
timeGetTime.WINMM ref: 0000000140002CD1
TranslateMessage.USER32 ref: 0000000140002D56
DispatchMessageW.USER32 ref: 0000000140002D64
PeekMessageW.USER32 ref: 0000000140002D82
LockWindowUpdate.USER32 ref: 0000000140002E10
DestroyWindow.USER32 ref: 0000000140002E1D
GetMessageW.USER32 ref: 0000000140002E33

Strings

@GUI_WINHANDLE, xrefs: 000000014003A06F
@GUI_CTRLID, xrefs: 000000014003A012
@TRAY_ID, xrefs: 000000014003A210
@GUI_CTRLHANDLE, xrefs: 000000014003A0CD

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Message$PeekWindow$DestroyDispatchLockSleepTimeTranslateUpdatetime
String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 1013659676-570651680
Opcode ID: 5ee577aa908d69ec874692a85d7b94a57250f15d194bc2e06ba17b99d0fc8d42
Instruction ID: 75bf64f60d3dc5ab92b45f17fa3b343440d1e0f4bc21e3d1e8dc0794cf505dae
Opcode Fuzzy Hash: 5ee577aa908d69ec874692a85d7b94a57250f15d194bc2e06ba17b99d0fc8d42
Instruction Fuzzy Hash: FA92BF72208A8096FB66DB26E1907EEB7A1F79D7C4F404012F78A43AB5DF39C459CB01

Function 00000001400448A0 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 122
threadkeyboardwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 00000001400448BB
FindWindowW.USER32 ref: 00000001400448E3
IsIconic.USER32 ref: 00000001400448EF
ShowWindow.USER32 ref: 0000000140044901
SetForegroundWindow.USER32 ref: 000000014004490A
GetWindowThreadProcessId.USER32 ref: 000000014004491D
GetCurrentThreadId.KERNEL32 ref: 0000000140044925
GetWindowThreadProcessId.USER32 ref: 0000000140044933
AttachThreadInput.USER32 ref: 0000000140044949
AttachThreadInput.USER32 ref: 0000000140044957
AttachThreadInput.USER32 ref: 0000000140044965
SetForegroundWindow.USER32 ref: 000000014004496E
MapVirtualKeyW.USER32 ref: 0000000140044983
keybd_event.USER32 ref: 0000000140044994
MapVirtualKeyW.USER32 ref: 000000014004499E
keybd_event.USER32 ref: 00000001400449B0
MapVirtualKeyW.USER32 ref: 00000001400449BA
keybd_event.USER32 ref: 00000001400449CB
MapVirtualKeyW.USER32 ref: 00000001400449D5
keybd_event.USER32 ref: 00000001400449E7
SetForegroundWindow.USER32 ref: 00000001400449F0
AttachThreadInput.USER32 ref: 0000000140044A0D
AttachThreadInput.USER32 ref: 0000000140044A1B
AttachThreadInput.USER32 ref: 0000000140044A29

Strings

Shell_TrayWnd, xrefs: 00000001400448DA

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Thread$Window$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 3778422247-2988720461
Opcode ID: 014a6fed5b1e033a0115cdb94d4b9a2737cb83c2f6d73ce4c3b722a589adb6b9
Instruction ID: 89ccd0dae058f578d6489f8c2d7f31ef7fcac30ecdb3b3bc40364cc409d9558a
Opcode Fuzzy Hash: 014a6fed5b1e033a0115cdb94d4b9a2737cb83c2f6d73ce4c3b722a589adb6b9
Instruction Fuzzy Hash: C8416A3571095083F7569B6BA9687AE22E2BB8CBC9F905024EB0743B74DF3D884AC744

Function 000000014002ED6C Relevance: 36.5, APIs: 24, Instructions: 546fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 000000014002EE23
_errno.LIBCMT ref: 000000014002EE2D
__doserrno.LIBCMT ref: 000000014002EF8E
_errno.LIBCMT ref: 000000014002EF98
_errno.LIBCMT ref: 000000014002EFA3
CreateFileW.KERNELBASE ref: 000000014002EFE0
CreateFileW.KERNEL32 ref: 000000014002F035
GetLastError.KERNEL32 ref: 000000014002F068
_errno.LIBCMT ref: 000000014002F075
GetFileType.KERNELBASE ref: 000000014002F084
GetLastError.KERNEL32 ref: 000000014002F0B0
CloseHandle.KERNEL32 ref: 000000014002F0C4
_errno.LIBCMT ref: 000000014002F0CE
_lseek_nolock.LIBCMT ref: 000000014002F165
__doserrno.LIBCMT ref: 000000014002F173
_close_nolock.LIBCMT ref: 000000014002F182
_lseek_nolock.LIBCMT ref: 000000014002F1C7
_close_nolock.LIBCMT ref: 000000014002F353

Part of subcall function 0000000140025B64: CloseHandle.KERNELBASE(?,?,00000000,0000000140025CDE,?,?,?,?,00000000,000000014001A6B4,?,?,?,?,?,000000014001A743), ref: 0000000140025BC3
Part of subcall function 0000000140025B64: GetLastError.KERNEL32(?,?,00000000,0000000140025CDE,?,?,?,?,00000000,000000014001A6B4,?,?,?,?,?,000000014001A743), ref: 0000000140025BCD

_errno.LIBCMT ref: 000000014002F358
_lseek_nolock.LIBCMT ref: 000000014002F37A
CloseHandle.KERNEL32 ref: 000000014002F4BD
CreateFileW.KERNEL32 ref: 000000014002F4F2
GetLastError.KERNEL32 ref: 000000014002F4FE

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: _errno$ErrorFileLast$CloseCreateHandle__doserrno_lseek_nolock$_close_nolock$Type
String ID:
API String ID: 3224512341-0
Opcode ID: b5ac37c07a6281ecd4fd15c2590f6d36e98a8f57d9344391bc4d369399e167bb
Instruction ID: 56d83ad9469f424d674466cb49d31385ee932fec32b66abd75126878f07f8594
Opcode Fuzzy Hash: b5ac37c07a6281ecd4fd15c2590f6d36e98a8f57d9344391bc4d369399e167bb
Instruction Fuzzy Hash: EF32F43221468486FB769B2AD4843FE77A0E7897E4F65422DFB5A477F5CA38CC409B01

Function 0000000140086450 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 270
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140018908: malloc.LIBCMT ref: 0000000140018922

GetWindowRect.USER32 ref: 00000001400865C6
GetClientRect.USER32 ref: 00000001400865D4
GetSystemMetrics.USER32 ref: 00000001400865DF
GetSystemMetrics.USER32 ref: 00000001400865FF
GetSystemMetrics.USER32 ref: 0000000140086624
SystemParametersInfoW.USER32 ref: 0000000140086669
GetSystemMetrics.USER32 ref: 0000000140086674
SystemParametersInfoW.USER32 ref: 00000001400866AD
GetSystemMetrics.USER32 ref: 00000001400866B8
GetSystemMetrics.USER32 ref: 00000001400866E3
SetRect.USER32 ref: 0000000140086706
AdjustWindowRectEx.USER32 ref: 0000000140086719
CreateWindowExW.USER32 ref: 000000014008677B
SetWindowLongPtrW.USER32 ref: 0000000140086799
GetClientRect.USER32 ref: 00000001400867B9
GetStockObject.GDI32 ref: 00000001400867DD
SendMessageW.USER32 ref: 00000001400867F0
SetTimer.USER32 ref: 0000000140086825

Strings

AutoIt v3 GUI, xrefs: 0000000140086766

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: System$Metrics$Rect$Window$ClientInfoParameters$AdjustCreateLongMessageObjectSendStockTimermalloc
String ID: AutoIt v3 GUI
API String ID: 3905288122-248962490
Opcode ID: 504c526d70586743b95d720a469b7166823be8283e87ad50bf6a7b1e5b196941
Instruction ID: 87889624da8a04cb7faf2b2416cf8ec3b9dd8a9f7c5d25b6df25762a39a7a1b3
Opcode Fuzzy Hash: 504c526d70586743b95d720a469b7166823be8283e87ad50bf6a7b1e5b196941
Instruction Fuzzy Hash: 68C16B77214B808AE725DF2AE8847AA77A1F38CBD4F414625EB5A43BB4DF38D554CB00

Function 0000000140012DD0 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 142
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32 ref: 0000000140012DE6

Part of subcall function 0000000140007800: GetModuleFileNameW.KERNEL32 ref: 000000014000784A

IsDebuggerPresent.KERNEL32 ref: 0000000140012DFB
GetFullPathNameW.KERNEL32 ref: 0000000140012EA1

Part of subcall function 0000000140012440: GetFullPathNameW.KERNEL32 ref: 00000001400124A4

SetCurrentDirectoryW.KERNEL32 ref: 0000000140012F3E
MessageBoxA.USER32 ref: 000000014003DBA6
SetCurrentDirectoryW.KERNEL32 ref: 000000014003DBC1
SetCurrentDirectoryW.KERNEL32 ref: 000000014003DC1E
GetModuleFileNameW.KERNEL32 ref: 000000014003DC50
GetForegroundWindow.USER32 ref: 000000014003DC92
ShellExecuteW.SHELL32 ref: 000000014003DCC1

Part of subcall function 0000000140017370: GetSysColorBrush.USER32 ref: 0000000140017387
Part of subcall function 0000000140017370: LoadCursorW.USER32 ref: 0000000140017397
Part of subcall function 0000000140017370: LoadIconW.USER32 ref: 00000001400173AC
Part of subcall function 0000000140017370: LoadIconW.USER32 ref: 00000001400173C5
Part of subcall function 0000000140017370: LoadIconW.USER32 ref: 00000001400173DE
Part of subcall function 0000000140017370: LoadImageW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140012EE6), ref: 0000000140017419
Part of subcall function 0000000140017370: RegisterClassExW.USER32 ref: 000000014001748A

Part of subcall function 0000000140017290: CreateWindowExW.USER32 ref: 00000001400172E9
Part of subcall function 0000000140017290: CreateWindowExW.USER32 ref: 0000000140017337
Part of subcall function 0000000140017290: ShowWindow.USER32 ref: 000000014001734D

Part of subcall function 0000000140013DE0: Shell_NotifyIconW.SHELL32 ref: 0000000140013EDA

Strings

runas, xrefs: 000000014003DCAD, 000000014003DCE5
This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support., xrefs: 000000014003DB97

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Load$CurrentDirectoryIconNameWindow$CreateFileFullModulePath$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell_Show
String ID: This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
API String ID: 1782616709-3383388033
Opcode ID: 77ae25d35a89c21b8a2b363d1c01b722d7d416b348e65939e0470deddaac3fe1
Instruction ID: 43d52f7eb203a2d4ca56a2f4ce42d448cfe09fc9ac40135613172108d1b98db4
Opcode Fuzzy Hash: 77ae25d35a89c21b8a2b363d1c01b722d7d416b348e65939e0470deddaac3fe1
Instruction Fuzzy Hash: 9E713571218A8695EB26DB26F8543DA7760F74C3C8F840026F789476BADF7DC64AC700

Function 000000014002664C Relevance: 15.1, APIs: 10, Instructions: 106
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__doserrno.LIBCMT ref: 0000000140026675
_errno.LIBCMT ref: 000000014002667E
__doserrno.LIBCMT ref: 00000001400266CF
_errno.LIBCMT ref: 00000001400266D6

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: d4803c219e55af56a19d6c42fedf1db17a271446d3e4a765e7ec996017e05db8
Instruction ID: 1ac4028fada70ba444a9525d4b65c189cf559b859f7c6dacc238abe22c52a83e
Opcode Fuzzy Hash: d4803c219e55af56a19d6c42fedf1db17a271446d3e4a765e7ec996017e05db8
Instruction Fuzzy Hash: 7541B33221835086E7676F76A8857DE7651A7897E8F65861DBB6507FF3CB38CC408700

Function 0000000140014330 Relevance: 7.7, APIs: 5, Instructions: 159COMMONLIBRARYCODE

Download Yara Rule

APIs

GetVersionExW.KERNEL32 ref: 0000000140014365
GetCurrentProcess.KERNEL32 ref: 000000014001445A
GetSystemInfo.KERNELBASE ref: 00000001400144AB
FreeLibrary.KERNEL32 ref: 00000001400144C4

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: CurrentFreeInfoLibraryProcessSystemVersion
String ID:
API String ID: 1203837996-0
Opcode ID: cfbb2ae9a73333b1244bc1529a5e2063950b3d47f902da95d6a8638383abaacc
Instruction ID: 48ce39780aaa2dd38d14e7a14449f126dc0ad6f1a96d0d43ebc77d39cd826275
Opcode Fuzzy Hash: cfbb2ae9a73333b1244bc1529a5e2063950b3d47f902da95d6a8638383abaacc
Instruction Fuzzy Hash: 3981703210C2C0E6E7A3DB65E2843DE7BA0F769384F441045E78547EA6CBBAE578C751

Function 000000014001A110 Relevance: 7.6, APIs: 5, Instructions: 92COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000014001A142

Part of subcall function 0000000140020B28: DecodePointer.KERNEL32 ref: 0000000140020B4F

_errno.LIBCMT ref: 000000014001A176

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: _errno$DecodePointer
String ID:
API String ID: 2310398763-0
Opcode ID: 91faeecbaf84b4ddee86f53cd1136e5520acecb2e195e462faf91d0d0902407b
Instruction ID: eaf976ce10facf3ac79a6a99e4d4faf998ad4453455baef09fa2958c0147edde
Opcode Fuzzy Hash: 91faeecbaf84b4ddee86f53cd1136e5520acecb2e195e462faf91d0d0902407b
Instruction Fuzzy Hash: 6331C73531038042EB72AB7BA90179F6255B78E7C8F509514BF454BBA6DB3EC8508B00

Function 0000000140001020 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,000000014000107E,?,?,?,000000014000100E), ref: 000000014000103A
GetProcAddress.KERNEL32(?,?,?,?,000000014000107E,?,?,?,000000014000100E), ref: 0000000140001052

Strings

IsThemeActive, xrefs: 0000000140001048
uxtheme.dll, xrefs: 0000000140001033

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: IsThemeActive$uxtheme.dll
API String ID: 2574300362-3542929980
Opcode ID: 20903d2320ee4c52eb40574edb783020524a6c3c509b55dfe414131a372362db
Instruction ID: 9314407f7463d875e0962fbbdcacd41306944a388e4c380f4117f88adfa5e6da
Opcode Fuzzy Hash: 20903d2320ee4c52eb40574edb783020524a6c3c509b55dfe414131a372362db
Instruction Fuzzy Hash: 33E07575602F4081EF169F56F8543D532A4F78CB88F440226EB8D47365DF7CC6A58700

Function 000000014002F56C Relevance: 4.6, APIs: 3, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000014002F595

Part of subcall function 0000000140020B28: DecodePointer.KERNEL32 ref: 0000000140020B4F

_errno.LIBCMT ref: 000000014002F5CC

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: _errno$DecodePointer
String ID:
API String ID: 2310398763-0
Opcode ID: 7a4f058636096e8c8bb96a396607992c9e772393041a9911a195f7ce81af277b
Instruction ID: 142c25e5024d97c538fc9fd152eaa5755acb2cde459ff469413a87e45712dc2f
Opcode Fuzzy Hash: 7a4f058636096e8c8bb96a396607992c9e772393041a9911a195f7ce81af277b
Instruction Fuzzy Hash: 0C31C43231468543E7769F2AA4057AE7651E7C87D4F548228BB898BAE5CF39CC018B00

Function 000000014001A75C Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000014001A7A0
_errno.LIBCMT ref: 000000014001A981

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: 189179f5958a573090f87fea1775d641fa56edd7a84917a6081d81ce4e3c6b53
Instruction ID: 2d549cf9eb991a4a15421a988ea21db037c2531ec985e03c642eaf57930f2ec3
Opcode Fuzzy Hash: 189179f5958a573090f87fea1775d641fa56edd7a84917a6081d81ce4e3c6b53
Instruction Fuzzy Hash: BF51E83170429046FA668E27A5007E9A691B78EBF4F148724BF795BFF5CB3EC5924700

Function 0000000140094C30 Relevance: .5, Instructions: 456COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8346f3251fe4efe349eaec54d18e388b11a685d99eb3e335eb7a097ad2a57a57
Instruction ID: 7a9838a4ab42980463825b1b44600bf78b18324788c39eb4b1d690d7913206ef
Opcode Fuzzy Hash: 8346f3251fe4efe349eaec54d18e388b11a685d99eb3e335eb7a097ad2a57a57
Instruction Fuzzy Hash: 7212B43661468182EB72EB17E0447EEBB61F3897C9F949102FB8A077B9DB78C585C700

Function 00000001400083E0 Relevance: 608.4, APIs: 2, Strings: 399, Instructions: 6936
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140017070: MapVirtualKeyW.USER32 ref: 00000001400170A6
Part of subcall function 0000000140017070: MapVirtualKeyW.USER32 ref: 00000001400170B4
Part of subcall function 0000000140017070: MapVirtualKeyW.USER32 ref: 00000001400170C2
Part of subcall function 0000000140017070: MapVirtualKeyW.USER32 ref: 00000001400170D2
Part of subcall function 0000000140017070: MapVirtualKeyW.USER32 ref: 00000001400170E0
Part of subcall function 0000000140017070: MapVirtualKeyW.USER32 ref: 00000001400170EE
Part of subcall function 0000000140017070: GetKeyboardLayoutNameA.USER32 ref: 00000001400170FC
Part of subcall function 0000000140017070: VkKeyScanA.USER32 ref: 0000000140017114

Part of subcall function 0000000140011EB0: RegisterWindowMessageW.USER32 ref: 0000000140011F26

GetStdHandle.KERNEL32 ref: 00000001400086B1
CloseHandle.KERNEL32 ref: 0000000140038A77

Part of subcall function 0000000140018908: malloc.LIBCMT ref: 0000000140018922

Strings

GUISETACCELERATORS, xrefs: 000000014000CB7B
PROCESSLIST, xrefs: 000000014000E704
PROCESSWAIT, xrefs: 000000014000E7C0
ISNUMBER, xrefs: 000000014000DAC3
GUICTRLCREATELISTVIEW, xrefs: 000000014000BB0F
TRAYSETCLICK, xrefs: 0000000140010A70
FILEEXISTS, xrefs: 000000014000AA9F
MOUSEUP, xrefs: 000000014000DF60
GUICTRLCREATESLIDER, xrefs: 000000014000BE6F
TIMERINIT, xrefs: 00000001400105FC
ASC, xrefs: 0000000140008903
GUICTRLSETDATA, xrefs: 000000014000C4A1
MOUSECLICKDRAG, xrefs: 000000014000DD90
PLUGINOPEN, xrefs: 000000014000E588
DRIVEGETLABEL, xrefs: 000000014000A20B
REGENUMVAL, xrefs: 000000014000EB14
ISSTRING, xrefs: 000000014000DBB9
CONTROLSEND, xrefs: 000000014000990B
CONTROLGETFOCUS, xrefs: 000000014000966B
INETGET, xrefs: 000000014000D22F
FILEFINDFIRSTFILE, xrefs: 000000014000AAFF
HTTPSETUSERAGENT, xrefs: 000000014000D10F
GUICTRLCREATEMONTHCAL, xrefs: 000000014000BC8F
RUN, xrefs: 000000014000EC94
FILEFINDNEXTFILE, xrefs: 000000014000AB5F
FILESETTIME, xrefs: 000000014000B39B
PROCESSWAITCLOSE, xrefs: 000000014000E820
TRAYITEMSETSTATE, xrefs: 00000001400109B0
TOOLTIP, xrefs: 0000000140010654
DLLSTRUCTGETDATA, xrefs: 0000000140009FCB
ACOS, xrefs: 000000014000874A
TRAYITEMDELETE, xrefs: 00000001400107D0
PROCESSGETSTATS, xrefs: 000000014000E67D
STRINGFROMASCIIARRAY, xrefs: 000000014000F76C
DLLCALLBACKGETPTR, xrefs: 0000000140009DEB
TRAYITEMGETHANDLE, xrefs: 0000000140010830
GUICTRLCREATEDUMMY, xrefs: 000000014000B817
GUIREGISTERMSG, xrefs: 000000014000CB1B
ASCW, xrefs: 0000000140008963
PROCESSCLOSE, xrefs: 000000014000E5E8
GUISTARTGROUP, xrefs: 000000014000CF33
GUICTRLCREATETABITEM, xrefs: 000000014000BF2F
STRINGISLOWER, xrefs: 000000014000FA6C
SHUTDOWN, xrefs: 000000014000F054
DLLCLOSE, xrefs: 0000000140009EAB
GUISWITCH, xrefs: 000000014000CF68
MOUSECLICK, xrefs: 000000014000DD5B
TCPSTARTUP, xrefs: 0000000140010550
WINGETHANDLE, xrefs: 0000000140011336
OBJNAME, xrefs: 000000014000E22F
WINCLOSE, xrefs: 00000001400110E0
GUIGETCURSORINFO, xrefs: 000000014000CA07
ISOBJ, xrefs: 000000014000DB23
STRING, xrefs: 000000014000F5EC
WINMINIMIZEALLUNDO, xrefs: 00000001400116EA
WINLIST, xrefs: 00000001400115D6
CONTROLLISTVIEW, xrefs: 0000000140009821
FILEWRITE, xrefs: 000000014000B3FB
ASIN, xrefs: 00000001400089C3
TRAYSETPAUSEICON, xrefs: 0000000140010B88
BINARYMID, xrefs: 0000000140008D17
GUICTRLCREATEPIC, xrefs: 000000014000BD4F
GUICTRLCREATECHECKBOX, xrefs: 000000014000B671
CONTROLGETPOS, xrefs: 000000014000972B
ASSIGN, xrefs: 00000001400089F8
GUICTRLCREATELIST, xrefs: 000000014000BAAF
GUICTRLGETSTATE, xrefs: 000000014000C140
DRIVEMAPADD, xrefs: 000000014000A2FC
CONTROLENABLE, xrefs: 00000001400095AB
INIREADSECTION, xrefs: 000000014000D46B
ROUND, xrefs: 000000014000EC34
WINMINIMIZEALL, xrefs: 0000000140011663
DRIVEGETFILESYSTEM, xrefs: 000000014000A1AB
ENVGET, xrefs: 000000014000A627
WINWAITCLOSE, xrefs: 00000001400119B8
CONTROLDISABLE, xrefs: 000000014000954B
WINFLASH, xrefs: 00000001400111BE
STRINGLOWER, xrefs: 000000014000FCAC
CHRW, xrefs: 0000000140009257
MOD, xrefs: 000000014000DCFB
MOUSEMOVE, xrefs: 000000014000DF2F
BITXOR, xrefs: 0000000140008FB7
GUICTRLDELETE, xrefs: 000000014000C0AF
UDPOPEN, xrefs: 0000000140010E1C
DLLSTRUCTCREATE, xrefs: 0000000140009F41
FILEWRITELINE, xrefs: 000000014000B45B
BEEP, xrefs: 0000000140008BD0
GUISETSTYLE, xrefs: 000000014000CED3
DLLSTRUCTGETSIZE, xrefs: 000000014000A08B
WINGETTITLE, xrefs: 0000000140011516
ISDECLARED, xrefs: 000000014000D854
STRINGREGEXPREPLACE, xrefs: 000000014000FDA1
TRAYCREATEITEM, xrefs: 0000000140010685
STRINGUPPER, xrefs: 000000014001018C
OPT, xrefs: 000000014000E354
TCPLISTEN, xrefs: 0000000140010373
UDPSHUTDOWN, xrefs: 0000000140010F41
!, xrefs: 000000014000F754
PROCESSEXISTS, xrefs: 000000014000E648
ISHWND, xrefs: 000000014000D9A3
OBJCREATE, xrefs: 000000014000E10F
STRINGISALPHA, xrefs: 000000014000F88C
DEC, xrefs: 0000000140009AEB
PIXELSEARCH, xrefs: 000000014000E49E
EXP, xrefs: 000000014000A7FF
BITOR, xrefs: 0000000140008E97
FILESELECTFOLDER, xrefs: 000000014000B27B
SENDKEEPACTIVE, xrefs: 000000014000EE74
DRIVEGETSERIAL, xrefs: 000000014000A26B
BITSHIFT, xrefs: 0000000140008F39
GUICTRLSETSTYLE, xrefs: 000000014000C8EB
GUICTRLCREATEGRAPHIC, xrefs: 000000014000B8CF
FILEGETPOS, xrefs: 000000014000ACDF
GUICTRLSETGRAPHIC, xrefs: 000000014000C64B
TRAYSETONEVENT, xrefs: 0000000140010B28
DLLCALLBACKREGISTER, xrefs: 0000000140009E4B
UDPBIND, xrefs: 0000000140010D5C
SETEXTENDED, xrefs: 000000014000EF34
CONTROLCOMMAND, xrefs: 00000001400094BC
LOG, xrefs: 000000014000DC43
STDOUTREAD, xrefs: 000000014000F58C
TIMERDIFF, xrefs: 000000014001059C
GUICTRLCREATEAVI, xrefs: 000000014000B5DB
GUICTRLCREATETAB, xrefs: 000000014000BECF
FILEGETTIME, xrefs: 000000014000AE5F
FILESETPOS, xrefs: 000000014000B30C
PROGRESSSET, xrefs: 000000014000E938
AUTOITSETOPTION, xrefs: 0000000140008AEF
ISBINARY, xrefs: 000000014000D7C3
TAN, xrefs: 00000001400101EC
STATUSBARGETTEXT, xrefs: 000000014000F40C
DRIVESETLABEL, xrefs: 000000014000A44B
FILEINSTALL, xrefs: 000000014000AF1F
TRAYCREATEMENU, xrefs: 0000000140010714
GUICTRLCREATEMENUITEM, xrefs: 000000014000BC2F
STRINGREPLACE, xrefs: 000000014000FE2C
INPUTBOX, xrefs: 000000014000D64B
GUICTRLGETHANDLE, xrefs: 000000014000C10F
WINGETCARETPOS, xrefs: 000000014001121E
DLLSTRUCTGETPTR, xrefs: 000000014000A02B
ISADMIN, xrefs: 000000014000D70B
CDTRAY, xrefs: 000000014000910D
EXECUTE, xrefs: 000000014000A79F
MSGBOX, xrefs: 000000014000E04F
GUICTRLCREATEICON, xrefs: 000000014000B98F
PLUGINCLOSE, xrefs: 000000014000E528
GUICTRLCREATEBUTTON, xrefs: 000000014000B63B
GUICTRLSETFONT, xrefs: 000000014000C5EB
BITNOT, xrefs: 0000000140008E37
PIXELGETCOLOR, xrefs: 000000014000E468
SHELLEXECUTE, xrefs: 000000014000EF65
FILEREAD, xrefs: 000000014000B09F
RANDOM, xrefs: 000000014000E9F8
FILECREATENTFSLINK, xrefs: 000000014000A97F
AUTOITWINSETTITLE, xrefs: 0000000140008B9B
AUTOITWINGETTITLE, xrefs: 0000000140008B43
STRINGISDIGIT, xrefs: 000000014000F94C
UBOUND, xrefs: 0000000140010CFC
CONSOLEWRITE, xrefs: 00000001400093CB
FILESETATTRIB, xrefs: 000000014000B2DB
STRINGISXDIGIT, xrefs: 000000014000FB8C
FILERECYCLE, xrefs: 000000014000B134
GUICTRLSETCOLOR, xrefs: 000000014000C40B
TRAYTIP, xrefs: 0000000140010C9C
GUIGETMSG, xrefs: 000000014000CA4A
GUISETCOORD, xrefs: 000000014000CC3B
ABS, xrefs: 00000001400086EC
BITAND, xrefs: 0000000140008DBE
CONSOLEREAD, xrefs: 000000014000936F
GUISETCURSOR, xrefs: 000000014000CC9B
SOUNDPLAY, xrefs: 000000014000F174
CONTROLFOCUS, xrefs: 000000014000960B
FILESAVEDIALOG, xrefs: 000000014000B21B
DRIVEMAPGET, xrefs: 000000014000A3EB
STRINGLEFT, xrefs: 000000014000FBC1
CLIPGET, xrefs: 00000001400092B7
DIRCREATE, xrefs: 0000000140009BAB
UDPRECV, xrefs: 0000000140010E7C
DIRMOVE, xrefs: 0000000140009C6B
GUISETHELP, xrefs: 000000014000CD57
FTPSETPROXY, xrefs: 000000014000B51B
STRINGCOMPARE, xrefs: 000000014000F67D
DLLCALL, xrefs: 0000000140009D2B
TCPNAMETOIP, xrefs: 00000001400103D3
REGENUMKEY, xrefs: 000000014000EAB4
FILECHANGEDIR, xrefs: 000000014000A834
FILEOPENDIALOG, xrefs: 000000014000B03F
ISARRAY, xrefs: 000000014000D763
WINMOVE, xrefs: 0000000140011742
GUICTRLCREATETREEVIEW, xrefs: 000000014000BF64
GUICTRLCREATEOBJ, xrefs: 000000014000BCEF
GUICTRLSETDEFCOLOR, xrefs: 000000014000C58B
GUICTRLREAD, xrefs: 000000014000C1CB
REGDELETE, xrefs: 000000014000EA54
GUICTRLCREATEGROUP, xrefs: 000000014000B92F
FILEGETSHORTCUT, xrefs: 000000014000AD3F
UDPSEND, xrefs: 0000000140010EDC
TCPCONNECT, xrefs: 00000001400102E2
WINACTIVATE, xrefs: 000000014001103E
INT, xrefs: 000000014000D680
GUICTRLSETRESIZING, xrefs: 000000014000C82B
CONSOLEWRITEERROR, xrefs: 000000014000942B
CONTROLGETTEXT, xrefs: 000000014000978B
WINWAIT, xrefs: 0000000140011922
STDIOCLOSE, xrefs: 000000014000F52C
ENVUPDATE, xrefs: 000000014000A6E7
ISDLLSTRUCT, xrefs: 000000014000D8E3
PIXELCHECKSUM, xrefs: 000000014000E408
HOTKEYSET, xrefs: 000000014000D04F
FILEDELETE, xrefs: 000000014000AA14
BLOCKINPUT, xrefs: 0000000140009017
GUICTRLCREATEPROGRESS, xrefs: 000000014000BD85
TCPCLOSESOCKET, xrefs: 00000001400102AC
SOUNDSETWAVEVOLUME, xrefs: 000000014000F1D4
ADLIBDISABLE, xrefs: 00000001400087AC
PROGRESSOFF, xrefs: 000000014000E851
GUICTRLCREATEUPDOWN, xrefs: 000000014000C04F
WINSETSTATE, xrefs: 0000000140011802
WINGETPOS, xrefs: 0000000140011396
DRIVESTATUS, xrefs: 000000014000A56B
CALL, xrefs: 00000001400090D7
DLLCALLBACKFREE, xrefs: 0000000140009D8B
GUICTRLCREATETREEVIEWITEM, xrefs: 000000014000BFEF
GUICTRLSETTIP, xrefs: 000000014000C94B
ISFLOAT, xrefs: 000000014000D943
GUICTRLCREATEINPUT, xrefs: 000000014000B9EF
FILEFLUSH, xrefs: 000000014000ABBF
OBJEVENT, xrefs: 000000014000E16F
SPLASHIMAGEON, xrefs: 000000014000F234
STRINGLEN, xrefs: 000000014000FC4C
GUICTRLCREATEMENU, xrefs: 000000014000BBCF
MOUSEGETPOS, xrefs: 000000014000DED3
PROGRESSON, xrefs: 000000014000E8D8
TCPRECV, xrefs: 0000000140010433
DIRREMOVE, xrefs: 0000000140009CCB
INIREADSECTIONNAMES, xrefs: 000000014000D4A1
GUIGETSTYLE, xrefs: 000000014000CABF
WINSETTITLE, xrefs: 0000000140011862
RUNWAIT, xrefs: 000000014000ED89
GUICTRLSETLIMIT, xrefs: 000000014000C70B
SHELLEXECUTEWAIT, xrefs: 000000014000EFF4
ISKEYWORD, xrefs: 000000014000DA63
GUISETBKCOLOR, xrefs: 000000014000CBBD
BINARYLEN, xrefs: 0000000140008CB7
FILEREADLINE, xrefs: 000000014000B0FF
MOUSEWHEEL, xrefs: 000000014000DFEF
CLIPPUT, xrefs: 00000001400092EC
MEMGETSTATS, xrefs: 000000014000DCA3
TRAYGETMSG, xrefs: 0000000140010774
REGWRITE, xrefs: 000000014000EBAA
FILECOPY, xrefs: 000000014000A91F
INIREAD, xrefs: 000000014000D40B
SRANDOM, xrefs: 000000014000F3AC
ISBOOL, xrefs: 000000014000D823
GUICREATE, xrefs: 000000014000B57B
TRAYITEMGETTEXT, xrefs: 00000001400108F0
GUICTRLSETIMAGE, xrefs: 000000014000C680
ATAN, xrefs: 0000000140008A8A
INIDELETE, xrefs: 000000014000D3AB
ONAUTOITEXITREGISTER, xrefs: 000000014000E28F
GUICTRLCREATELABEL, xrefs: 000000014000BA20
HTTPSETPROXY, xrefs: 000000014000D0AF
INIWRITESECTION, xrefs: 000000014000D5EB
STRINGTOBINARY, xrefs: 000000014001006C
TRAYITEMSETTEXT, xrefs: 00000001400109E6
WINGETTEXT, xrefs: 000000014001148B
TCPACCEPT, xrefs: 000000014001024C
STRINGREGEXP, xrefs: 000000014000FD6C
GUISETONEVENT, xrefs: 000000014000CE17
PTR, xrefs: 000000014000E998
GUICTRLRECVMSG, xrefs: 000000014000C22B
ADLIBUNREGISTER, xrefs: 00000001400088B3
FILERECYCLEEMPTY, xrefs: 000000014000B1BF
GUISETFONT, xrefs: 000000014000CCF7
STRINGMID, xrefs: 000000014000FD0C
STRINGTOASCIIARRAY, xrefs: 000000014001000C
BINARYTOSTRING, xrefs: 0000000140008D77
GUICTRLCREATERADIO, xrefs: 000000014000BE0F
EVAL, xrefs: 000000014000A73F
GUISETICON, xrefs: 000000014000CD8D
GUICTRLREGISTERLISTVIEWSORT, xrefs: 000000014000C28B
DUMMYSPEEDTEST, xrefs: 000000014000A5CB
GUICTRLCREATECOMBO, xrefs: 000000014000B6FB
RUNASWAIT, xrefs: 000000014000ED54
VARGETTYPE, xrefs: 0000000140010FDE
GUICTRLSETDEFBKCOLOR, xrefs: 000000014000C52B
FILECLOSE, xrefs: 000000014000A8BF
GUICTRLSETPOS, xrefs: 000000014000C7CB
COS, xrefs: 0000000140009A8B
ENVSET, xrefs: 000000014000A65D
GUICTRLSENDMSG, xrefs: 000000014000C2EB
GUIDELETE, xrefs: 000000014000C9AB
STRINGISINT, xrefs: 000000014000F9E2
INIRENAMESECTION, xrefs: 000000014000D52B
CONTROLSHOW, xrefs: 00000001400099CB
ADLIBENABLE, xrefs: 0000000140008801
FILEGETVERSION, xrefs: 000000014000AEBF
CONTROLSETTEXT, xrefs: 000000014000996B
REGREAD, xrefs: 000000014000EB74
GUICTRLCREATEEDIT, xrefs: 000000014000B84C
CONTROLHIDE, xrefs: 00000001400097EB
SQRT, xrefs: 000000014000F34C
TRAYSETTOOLTIP, xrefs: 0000000140010C40
DIRGETSIZE, xrefs: 0000000140009BDC
GUICTRLCREATELISTVIEWITEM, xrefs: 000000014000BB6F
MOUSEDOWN, xrefs: 000000014000DE1B
WINWAITACTIVE, xrefs: 0000000140011982
GUICTRLSETONEVENT, xrefs: 000000014000C76B
DRIVESPACEFREE, xrefs: 000000014000A4AB
STDERRREAD, xrefs: 000000014000F46C
WINWAITNOTACTIVE, xrefs: 0000000140011A49
GUICTRLSETBKCOLOR, xrefs: 000000014000C3AB
SPLASHTEXTON, xrefs: 000000014000F2CA
PROCESSSETPRIORITY, xrefs: 000000014000E760
FILEOPEN, xrefs: 000000014000AFDF
INETCLOSE, xrefs: 000000014000D1CF
FILEGETSIZE, xrefs: 000000014000ADFF
DLLSTRUCTSETDATA, xrefs: 000000014000A0EB
CHR, xrefs: 00000001400091F7
STRINGISFLOAT, xrefs: 000000014000F9AC
TRAYSETICON, xrefs: 0000000140010ACC
CONTROLMOVE, xrefs: 00000001400098AB
STRINGRIGHT, xrefs: 000000014000FE8C
UDPCLOSESOCKET, xrefs: 0000000140010D8D
WINGETCLIENTSIZE, xrefs: 00000001400112AC
FILEGETLONGNAME, xrefs: 000000014000AC7F
DRIVEMAPDEL, xrefs: 000000014000A38B
INETREAD, xrefs: 000000014000D34B
WINMENUSELECTITEM, xrefs: 0000000140011632
STRINGSPLIT, xrefs: 000000014000FEEC
DRIVEGETDRIVE, xrefs: 000000014000A120
BREAK, xrefs: 0000000140009077
SLEEP, xrefs: 000000014000F114
UDPSTARTUP, xrefs: 0000000140010F92
ADLIBREGISTER, xrefs: 000000014000882B
STRINGSTRIPWS, xrefs: 000000014000FF93
WINSETTRANS, xrefs: 00000001400118C2
FILEMOVE, xrefs: 000000014000AF55
WINEXISTS, xrefs: 000000014001115E
SPLASHOFF, xrefs: 000000014000F294
STRINGTRIMRIGHT, xrefs: 000000014001010E
STRINGFORMAT, xrefs: 000000014000F70C
WINGETPROCESS, xrefs: 00000001400113F6
WINACTIVE, xrefs: 000000014001109E
GUICTRLSETSTATE, xrefs: 000000014000C860
OBJGET, xrefs: 000000014000E1CF
ONAUTOITEXITUNREGISTER, xrefs: 000000014000E2C5
SEND, xrefs: 000000014000EE14
INETGETSIZE, xrefs: 000000014000D2EB
TCPSHUTDOWN, xrefs: 00000001400104C9
TRAYSETSTATE, xrefs: 0000000140010BBD
STRINGSTRIPCR, xrefs: 000000014000FF4C
FILEGETSHORTNAME, xrefs: 000000014000AD81
SETERROR, xrefs: 000000014000EED4
NUMBER, xrefs: 000000014000E0AF
WINGETCLASSLIST, xrefs: 0000000140011276
FILEGETATTRIB, xrefs: 000000014000AC06
BITROTATE, xrefs: 0000000140008EF7
RUNAS, xrefs: 000000014000ECF4
CONTROLCLICK, xrefs: 000000014000948B
DRIVEGETTYPE, xrefs: 000000014000A2CB
PING, xrefs: 000000014000E3A8
GUICTRLSETCURSOR, xrefs: 000000014000C46B
FLOOR, xrefs: 000000014000B4BB
WINGETSTATE, xrefs: 0000000140011456
CONTROLGETHANDLE, xrefs: 00000001400096CB
HEX, xrefs: 000000014000CFEF
DRIVESPACETOTAL, xrefs: 000000014000A50B
TRAYITEMGETSTATE, xrefs: 0000000140010890
WINKILL, xrefs: 0000000140011576
STRINGISALNUM, xrefs: 000000014000F82C
WINSETONTOP, xrefs: 00000001400117A2
STRINGISSPACE, xrefs: 000000014000FACC
ISPTR, xrefs: 000000014000DB83
MOUSEGETCURSOR, xrefs: 000000014000DE7B
STDINWRITE, xrefs: 000000014000F4A1
DIRCOPY, xrefs: 0000000140009B4B
GUICTRLCREATEDATE, xrefs: 000000014000B7B7
GUICTRLSENDTODUMMY, xrefs: 000000014000C34B
CONTROLTREEVIEW, xrefs: 0000000140009A00
BINARY, xrefs: 0000000140008C57
DLLOPEN, xrefs: 0000000140009F0B
C, xrefs: 0000000140009D80
STRINGTRIMLEFT, xrefs: 00000001400100CC
CEILING, xrefs: 0000000140009197
INETGETINFO, xrefs: 000000014000D28F
FILECREATESHORTCUT, xrefs: 000000014000A9DF
SIN, xrefs: 000000014000F0B4
TCPSEND, xrefs: 0000000140010493
HWND, xrefs: 000000014000D140
INIWRITE, xrefs: 000000014000D58B
GUISETSTATE, xrefs: 000000014000CE77
STRINGINSTR, xrefs: 000000014000F7CC
ISINT, xrefs: 000000014000DA03
TRAYITEMSETONEVENT, xrefs: 0000000140010950
STRINGADDCR, xrefs: 000000014000F64C
STRINGISASCII, xrefs: 000000014000F8EC
GUICTRLCREATECONTEXTMENU, xrefs: 000000014000B75B
STRINGISUPPER, xrefs: 000000014000FB2C

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Virtual$Handle$CloseKeyboardLayoutMessageNameRegisterScanWindowmalloc
String ID: !$ABS$ACOS$ADLIBDISABLE$ADLIBENABLE$ADLIBREGISTER$ADLIBUNREGISTER$ASC$ASCW$ASIN$ASSIGN$ATAN$AUTOITSETOPTION$AUTOITWINGETTITLE$AUTOITWINSETTITLE$BEEP$BINARY$BINARYLEN$BINARYMID$BINARYTOSTRING$BITAND$BITNOT$BITOR$BITROTATE$BITSHIFT$BITXOR$BLOCKINPUT$BREAK$C$CALL$CDTRAY$CEILING$CHR$CHRW$CLIPGET$CLIPPUT$CONSOLEREAD$CONSOLEWRITE$CONSOLEWRITEERROR$CONTROLCLICK$CONTROLCOMMAND$CONTROLDISABLE$CONTROLENABLE$CONTROLFOCUS$CONTROLGETFOCUS$CONTROLGETHANDLE$CONTROLGETPOS$CONTROLGETTEXT$CONTROLHIDE$CONTROLLISTVIEW$CONTROLMOVE$CONTROLSEND$CONTROLSETTEXT$CONTROLSHOW$CONTROLTREEVIEW$COS$DEC$DIRCOPY$DIRCREATE$DIRGETSIZE$DIRMOVE$DIRREMOVE$DLLCALL$DLLCALLBACKFREE$DLLCALLBACKGETPTR$DLLCALLBACKREGISTER$DLLCLOSE$DLLOPEN$DLLSTRUCTCREATE$DLLSTRUCTGETDATA$DLLSTRUCTGETPTR$DLLSTRUCTGETSIZE$DLLSTRUCTSETDATA$DRIVEGETDRIVE$DRIVEGETFILESYSTEM$DRIVEGETLABEL$DRIVEGETSERIAL$DRIVEGETTYPE$DRIVEMAPADD$DRIVEMAPDEL$DRIVEMAPGET$DRIVESETLABEL$DRIVESPACEFREE$DRIVESPACETOTAL$DRIVESTATUS$DUMMYSPEEDTEST$ENVGET$ENVSET$ENVUPDATE$EVAL$EXECUTE$EXP$FILECHANGEDIR$FILECLOSE$FILECOPY$FILECREATENTFSLINK$FILECREATESHORTCUT$FILEDELETE$FILEEXISTS$FILEFINDFIRSTFILE$FILEFINDNEXTFILE$FILEFLUSH$FILEGETATTRIB$FILEGETLONGNAME$FILEGETPOS$FILEGETSHORTCUT$FILEGETSHORTNAME$FILEGETSIZE$FILEGETTIME$FILEGETVERSION$FILEINSTALL$FILEMOVE$FILEOPEN$FILEOPENDIALOG$FILEREAD$FILEREADLINE$FILERECYCLE$FILERECYCLEEMPTY$FILESAVEDIALOG$FILESELECTFOLDER$FILESETATTRIB$FILESETPOS$FILESETTIME$FILEWRITE$FILEWRITELINE$FLOOR$FTPSETPROXY$GUICREATE$GUICTRLCREATEAVI$GUICTRLCREATEBUTTON$GUICTRLCREATECHECKBOX$GUICTRLCREATECOMBO$GUICTRLCREATECONTEXTMENU$GUICTRLCREATEDATE$GUICTRLCREATEDUMMY$GUICTRLCREATEEDIT$GUICTRLCREATEGRAPHIC$GUICTRLCREATEGROUP$GUICTRLCREATEICON$GUICTRLCREATEINPUT$GUICTRLCREATELABEL$GUICTRLCREATELIST$GUICTRLCREATELISTVIEW$GUICTRLCREATELISTVIEWITEM$GUICTRLCREATEMENU$GUICTRLCREATEMENUITEM$GUICTRLCREATEMONTHCAL$GUICTRLCREATEOBJ$GUICTRLCREATEPIC$GUICTRLCREATEPROGRESS$GUICTRLCREATERADIO$GUICTRLCREATESLIDER$GUICTRLCREATETAB$GUICTRLCREATETABITEM$GUICTRLCREATETREEVIEW$GUICTRLCREATETREEVIEWITEM$GUICTRLCREATEUPDOWN$GUICTRLDELETE$GUICTRLGETHANDLE$GUICTRLGETSTATE$GUICTRLREAD$GUICTRLRECVMSG$GUICTRLREGISTERLISTVIEWSORT$GUICTRLSENDMSG$GUICTRLSENDTODUMMY$GUICTRLSETBKCOLOR$GUICTRLSETCOLOR$GUICTRLSETCURSOR$GUICTRLSETDATA$GUICTRLSETDEFBKCOLOR$GUICTRLSETDEFCOLOR$GUICTRLSETFONT$GUICTRLSETGRAPHIC$GUICTRLSETIMAGE$GUICTRLSETLIMIT$GUICTRLSETONEVENT$GUICTRLSETPOS$GUICTRLSETRESIZING$GUICTRLSETSTATE$GUICTRLSETSTYLE$GUICTRLSETTIP$GUIDELETE$GUIGETCURSORINFO$GUIGETMSG$GUIGETSTYLE$GUIREGISTERMSG$GUISETACCELERATORS$GUISETBKCOLOR$GUISETCOORD$GUISETCURSOR$GUISETFONT$GUISETHELP$GUISETICON$GUISETONEVENT$GUISETSTATE$GUISETSTYLE$GUISTARTGROUP$GUISWITCH$HEX$HOTKEYSET$HTTPSETPROXY$HTTPSETUSERAGENT$HWND$INETCLOSE$INETGET$INETGETINFO$INETGETSIZE$INETREAD$INIDELETE$INIREAD$INIREADSECTION$INIREADSECTIONNAMES$INIRENAMESECTION$INIWRITE$INIWRITESECTION$INPUTBOX$INT$ISADMIN$ISARRAY$ISBINARY$ISBOOL$ISDECLARED$ISDLLSTRUCT$ISFLOAT$ISHWND$ISINT$ISKEYWORD$ISNUMBER$ISOBJ$ISPTR$ISSTRING$LOG$MEMGETSTATS$MOD$MOUSECLICK$MOUSECLICKDRAG$MOUSEDOWN$MOUSEGETCURSOR$MOUSEGETPOS$MOUSEMOVE$MOUSEUP$MOUSEWHEEL$MSGBOX$NUMBER$OBJCREATE$OBJEVENT$OBJGET$OBJNAME$ONAUTOITEXITREGISTER$ONAUTOITEXITUNREGISTER$OPT$PING$PIXELCHECKSUM$PIXELGETCOLOR$PIXELSEARCH$PLUGINCLOSE$PLUGINOPEN$PROCESSCLOSE$PROCESSEXISTS$PROCESSGETSTATS$PROCESSLIST$PROCESSSETPRIORITY$PROCESSWAIT$PROCESSWAITCLOSE$PROGRESSOFF$PROGRESSON$PROGRESSSET$PTR$RANDOM$REGDELETE$REGENUMKEY$REGENUMVAL$REGREAD$REGWRITE$ROUND$RUN$RUNAS$RUNASWAIT$RUNWAIT$SEND$SENDKEEPACTIVE$SETERROR$SETEXTENDED$SHELLEXECUTE$SHELLEXECUTEWAIT$SHUTDOWN$SIN$SLEEP$SOUNDPLAY$SOUNDSETWAVEVOLUME$SPLASHIMAGEON$SPLASHOFF$SPLASHTEXTON$SQRT$SRANDOM$STATUSBARGETTEXT$STDERRREAD$STDINWRITE$STDIOCLOSE$STDOUTREAD$STRING$STRINGADDCR$STRINGCOMPARE$STRINGFORMAT$STRINGFROMASCIIARRAY$STRINGINSTR$STRINGISALNUM$STRINGISALPHA$STRINGISASCII$STRINGISDIGIT$STRINGISFLOAT$STRINGISINT$STRINGISLOWER$STRINGISSPACE$STRINGISUPPER$STRINGISXDIGIT$STRINGLEFT$STRINGLEN$STRINGLOWER$STRINGMID$STRINGREGEXP$STRINGREGEXPREPLACE$STRINGREPLACE$STRINGRIGHT$STRINGSPLIT$STRINGSTRIPCR$STRINGSTRIPWS$STRINGTOASCIIARRAY$STRINGTOBINARY$STRINGTRIMLEFT$STRINGTRIMRIGHT$STRINGUPPER$TAN$TCPACCEPT$TCPCLOSESOCKET$TCPCONNECT$TCPLISTEN$TCPNAMETOIP$TCPRECV$TCPSEND$TCPSHUTDOWN$TCPSTARTUP$TIMERDIFF$TIMERINIT$TOOLTIP$TRAYCREATEITEM$TRAYCREATEMENU$TRAYGETMSG$TRAYITEMDELETE$TRAYITEMGETHANDLE$TRAYITEMGETSTATE$TRAYITEMGETTEXT$TRAYITEMSETONEVENT$TRAYITEMSETSTATE$TRAYITEMSETTEXT$TRAYSETCLICK$TRAYSETICON$TRAYSETONEVENT$TRAYSETPAUSEICON$TRAYSETSTATE$TRAYSETTOOLTIP$TRAYTIP$UBOUND$UDPBIND$UDPCLOSESOCKET$UDPOPEN$UDPRECV$UDPSEND$UDPSHUTDOWN$UDPSTARTUP$VARGETTYPE$WINACTIVATE$WINACTIVE$WINCLOSE$WINEXISTS$WINFLASH$WINGETCARETPOS$WINGETCLASSLIST$WINGETCLIENTSIZE$WINGETHANDLE$WINGETPOS$WINGETPROCESS$WINGETSTATE$WINGETTEXT$WINGETTITLE$WINKILL$WINLIST$WINMENUSELECTITEM$WINMINIMIZEALL$WINMINIMIZEALLUNDO$WINMOVE$WINSETONTOP$WINSETSTATE$WINSETTITLE$WINSETTRANS$WINWAIT$WINWAITACTIVE$WINWAITCLOSE$WINWAITNOTACTIVE
API String ID: 476934340-3975328208
Opcode ID: 7d65b3eac44421d2209c158eb4af51b2f4920e3d5e56cb9987a96031fa69e362
Instruction ID: 151627aaf99e920a279374d5b5d489c1e6832f24218e5f5c2a801d92cade035a
Opcode Fuzzy Hash: 7d65b3eac44421d2209c158eb4af51b2f4920e3d5e56cb9987a96031fa69e362
Instruction Fuzzy Hash: 852467B6519F85DADB65CF09E48038AB7A8F38CB48F504616E79C43B28DB79C295CF40

Function 0000000140025ECC Relevance: 30.5, APIs: 20, Instructions: 485COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000140025EFF
_errno.LIBCMT ref: 0000000140025F08
__doserrno.LIBCMT ref: 0000000140025F62
_errno.LIBCMT ref: 0000000140025F69

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 8f32b312fef02a6121b9f06fcee6f3d7b95e0ed654156a37893e33c0728cdc26
Instruction ID: c28e0125ff3f8f650fe3a2b3f249e4f1450dfd9484e48a9088bbf26b300e7a67
Opcode Fuzzy Hash: 8f32b312fef02a6121b9f06fcee6f3d7b95e0ed654156a37893e33c0728cdc26
Instruction Fuzzy Hash: 5A22F972608A9481EB639B76D4843ED6BA1F38A7D4F588219FB9A037F5DB38CC45C701

Function 0000000140063890 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 187
windowlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadImageW.USER32 ref: 000000014006396D
LoadLibraryExW.KERNELBASE ref: 00000001400639E2
LoadImageW.USER32 ref: 0000000140063A2A
LoadImageW.USER32 ref: 0000000140063A84
LoadImageW.USER32 ref: 0000000140063AC8
FreeLibrary.KERNEL32 ref: 0000000140063ADA
ExtractIconExW.SHELL32 ref: 0000000140063AED
DestroyIcon.USER32 ref: 0000000140063AFF
SendMessageW.USER32 ref: 0000000140063B20
SendMessageW.USER32 ref: 0000000140063B38
MoveWindow.USER32 ref: 0000000140063B6D

Part of subcall function 00000001400187BC: _errno.LIBCMT ref: 00000001400187D4

Strings

.exe, xrefs: 0000000140063901
.icl, xrefs: 00000001400638DF
.dll, xrefs: 0000000140063920

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFreeMoveWindow_errno
String ID: .dll$.exe$.icl
API String ID: 609567514-1154884017
Opcode ID: 5c224fb588f2a89f92b1415c60faca1c0a941570177be5ab58b4f5f41ae0033f
Instruction ID: 521cbfb84222bf7d93ad65e33eea04d69d7e6ea7220855c3da9759b43fc68d2a
Opcode Fuzzy Hash: 5c224fb588f2a89f92b1415c60faca1c0a941570177be5ab58b4f5f41ae0033f
Instruction Fuzzy Hash: 90817F3221469186EB329F26A8407EE77A1F38CBC5F500916FF8A47BA5DB7DC541D780

Function 00000001400643E0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 190
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DestroyWindow.USER32 ref: 0000000140064529
CreateWindowExW.USER32 ref: 0000000140064598
SendMessageW.USER32 ref: 0000000140064611
SendMessageW.USER32 ref: 0000000140064629
DestroyWindow.USER32 ref: 0000000140064654
CreateWindowExW.USER32 ref: 00000001400646B4
SendMessageW.USER32 ref: 00000001400646D9
GetDesktopWindow.USER32 ref: 00000001400646F5
GetWindowRect.USER32 ref: 0000000140064703
SendMessageW.USER32 ref: 0000000140064719
SendMessageW.USER32 ref: 000000014006473B

Strings

tooltips_class32, xrefs: 0000000140064548, 0000000140064668
@, xrefs: 000000014006449F

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopRect
String ID: @$tooltips_class32
API String ID: 2443926738-517154873
Opcode ID: a8ee8c13d6b8cd87cd3d98121cde7ea7dcf1ebbb4e507398a2bcf8c10eb0c03a
Instruction ID: 961e5430bb76eb16438e9c9ede0b5b2b7484ad69082132bb38ee9ab744087668
Opcode Fuzzy Hash: a8ee8c13d6b8cd87cd3d98121cde7ea7dcf1ebbb4e507398a2bcf8c10eb0c03a
Instruction Fuzzy Hash: BB917D36208B8586EB66CF2AE8847DA77A1F389BC4F945116EB8D47B74DF38C585C700

Function 000000014003F7C0 Relevance: 21.1, APIs: 14, Instructions: 118
filecommemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32 ref: 000000014003F813
GetFileSize.KERNEL32 ref: 000000014003F82E
GlobalAlloc.KERNEL32 ref: 000000014003F83D
GlobalLock.KERNEL32 ref: 000000014003F849
ReadFile.KERNEL32 ref: 000000014003F865
GlobalUnlock.KERNEL32 ref: 000000014003F86E
CloseHandle.KERNEL32 ref: 000000014003F877
CreateStreamOnHGlobal.OLE32 ref: 000000014003F88A
OleLoadPicture.OLEAUT32 ref: 000000014003F8AB
GlobalFree.KERNEL32 ref: 000000014003F8BF
GetObjectW.GDI32 ref: 000000014003F8ED
CopyImage.USER32 ref: 000000014003F92A
DeleteObject.GDI32 ref: 000000014003F95B
SendMessageW.USER32 ref: 000000014003F97B

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3969911579-0
Opcode ID: 7b9b92fc94144ad34b6cfd525f49a667557e4e7870182b4bd64d1e04c818e701
Instruction ID: e1f0393f91dad3a2f06bc0eb50f9b09eada1caefdfd0ace4d8ffd7b7844b3a96
Opcode Fuzzy Hash: 7b9b92fc94144ad34b6cfd525f49a667557e4e7870182b4bd64d1e04c818e701
Instruction Fuzzy Hash: C251283A204B8086E751CF2AE8047AA73A1F78DBD8F514125EF9943B64DF39C949CB00

Function 00000001400174D0 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 56
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32 ref: 0000000140017521
RegisterClassExW.USER32 ref: 0000000140017558
RegisterWindowMessageW.USER32 ref: 000000014001756C
InitCommonControlsEx.COMCTL32 ref: 0000000140017596
ImageList_Create.COMCTL32 ref: 00000001400175B3
LoadIconW.USER32 ref: 00000001400175CC
ImageList_ReplaceIcon.COMCTL32 ref: 00000001400175DF

Strings

+, xrefs: 0000000140017503
AutoIt v3 GUI, xrefs: 0000000140017536
TaskbarCreated, xrefs: 000000014001755E
P, xrefs: 00000001400174F4

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$AutoIt v3 GUI$P$TaskbarCreated
API String ID: 2914291525-867404841
Opcode ID: ee901617d7778aa62f019ed5556ffad20a39d1640dd1e5966d19bbb2149a7e0a
Instruction ID: 957a0b2e540d759da73a0bd104ecff49e9fefb24c8ab4b512ba8719781be8d66
Opcode Fuzzy Hash: ee901617d7778aa62f019ed5556ffad20a39d1640dd1e5966d19bbb2149a7e0a
Instruction Fuzzy Hash: 12310736118B8186E711DF56F88878AB7B4F788781F500215EB9A43B78DF7DC599CB40

Function 0000000140064F70 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 160
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140040510: GetWindowLongPtrW.USER32 ref: 000000014004052D

LoadImageW.USER32 ref: 000000014006502F
ExtractIconExW.SHELL32 ref: 000000014006505F
LoadImageW.USER32 ref: 0000000140065086
ExtractIconExW.SHELL32 ref: 00000001400650B5
SendMessageW.USER32 ref: 00000001400650DD
DestroyIcon.USER32 ref: 00000001400650EC
SendMessageW.USER32 ref: 0000000140065118
DestroyIcon.USER32 ref: 0000000140065127
InvalidateRect.USER32 ref: 00000001400651BD

Strings

P, xrefs: 0000000140065079

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$InvalidateLongRectWindow
String ID: P
API String ID: 84695935-3110715001
Opcode ID: 1b943540689da192344aeae33d6eecbd05cd148b43c7fce11e7a3c7718372613
Instruction ID: 168e603f6474d96ff9f32c2f7e0334b1880e6ccc611adcd51cdc3069137d638b
Opcode Fuzzy Hash: 1b943540689da192344aeae33d6eecbd05cd148b43c7fce11e7a3c7718372613
Instruction Fuzzy Hash: CF615C36204B8086EB66EF2BE84079A77A2F79DBD5F544525EB4D87BB4DF38C4448B00

Function 000000014005F110 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 109
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000000014003F9B0: CreateWindowExW.USER32 ref: 000000014003FA3F
Part of subcall function 000000014003F9B0: GetStockObject.GDI32 ref: 000000014003FA5C
Part of subcall function 000000014003F9B0: SendMessageW.USER32 ref: 000000014003FA6F
Part of subcall function 000000014003F9B0: ShowWindow.USER32 ref: 000000014003FA8C

MoveWindow.USER32 ref: 000000014005F256
CreateCompatibleDC.GDI32 ref: 000000014005F25E
SendMessageW.USER32 ref: 000000014005F275
SelectObject.GDI32 ref: 000000014005F281
GetPixel.GDI32 ref: 000000014005F28F
DeleteDC.GDI32 ref: 000000014005F29A
GetWindowLongW.USER32 ref: 000000014005F2A8
SetLayeredWindowAttributes.USER32 ref: 000000014005F2C2
DestroyWindow.USER32 ref: 000000014005F2CC

Strings

static, xrefs: 000000014005F169

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Window$CreateMessageObjectSend$AttributesCompatibleDeleteDestroyLayeredLongMovePixelSelectShowStock
String ID: static
API String ID: 2258642936-2160076837
Opcode ID: 520ffd621935e575edf393e803907acfee4543619afc952d27559d24472cce11
Instruction ID: 4fd09021e33cbea653cb7a4520c3eecc5784e780ecd1a5ea71bcdddbf584abea
Opcode Fuzzy Hash: 520ffd621935e575edf393e803907acfee4543619afc952d27559d24472cce11
Instruction Fuzzy Hash: CB514F76204B8086E721CF2AE84479AB7A5F78D7D0F544216EB9983BB8DF3DC451CB00

Function 0000000140017370 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 72
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32 ref: 0000000140017387
LoadCursorW.USER32 ref: 0000000140017397
LoadIconW.USER32 ref: 00000001400173AC
LoadIconW.USER32 ref: 00000001400173C5
LoadIconW.USER32 ref: 00000001400173DE
LoadImageW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140012EE6), ref: 0000000140017419
RegisterClassExW.USER32 ref: 000000014001748A

Part of subcall function 00000001400174D0: GetSysColorBrush.USER32 ref: 0000000140017521
Part of subcall function 00000001400174D0: RegisterClassExW.USER32 ref: 0000000140017558
Part of subcall function 00000001400174D0: RegisterWindowMessageW.USER32 ref: 000000014001756C
Part of subcall function 00000001400174D0: InitCommonControlsEx.COMCTL32 ref: 0000000140017596
Part of subcall function 00000001400174D0: ImageList_Create.COMCTL32 ref: 00000001400175B3
Part of subcall function 00000001400174D0: LoadIconW.USER32 ref: 00000001400175CC
Part of subcall function 00000001400174D0: ImageList_ReplaceIcon.COMCTL32 ref: 00000001400175DF

Strings

#, xrefs: 0000000140017461
P, xrefs: 000000014001744D
AutoIt v3, xrefs: 0000000140017435

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$AutoIt v3$P
API String ID: 423443420-3419303329
Opcode ID: e811ad14b02fb03eb33a171263279185b1942b87e634b5ed8504f4e2525fb77c
Instruction ID: cba823d7f043b5736e67f17e111d2a58cd399fd2bce847600851299c86fad332
Opcode Fuzzy Hash: e811ad14b02fb03eb33a171263279185b1942b87e634b5ed8504f4e2525fb77c
Instruction Fuzzy Hash: 8B41E035619B4186EB228F56F88438A77B5F38CB90F51012AEB8D43B78DB79C559CB40

Function 0000000140061300 Relevance: 16.6, APIs: 11, Instructions: 140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000000014001A30C: _errno.LIBCMT ref: 000000014001A334

Part of subcall function 0000000140061100: _fread_nolock.LIBCMT ref: 0000000140061145
Part of subcall function 0000000140061100: _fread_nolock.LIBCMT ref: 000000014006118E
Part of subcall function 0000000140061100: _fread_nolock.LIBCMT ref: 00000001400611AE
Part of subcall function 0000000140061100: _fread_nolock.LIBCMT ref: 00000001400611F7
Part of subcall function 0000000140061100: _fread_nolock.LIBCMT ref: 0000000140061217

_fread_nolock.LIBCMT ref: 00000001400613BD
_fread_nolock.LIBCMT ref: 00000001400613D6
_fread_nolock.LIBCMT ref: 00000001400613F5
_fread_nolock.LIBCMT ref: 0000000140061415
malloc.LIBCMT ref: 0000000140061438
malloc.LIBCMT ref: 0000000140061446
_fread_nolock.LIBCMT ref: 000000014006145E
free.LIBCMT ref: 0000000140061495
free.LIBCMT ref: 000000014006149D

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: _fread_nolock$freemalloc$_errno
String ID:
API String ID: 990732115-0
Opcode ID: ab7c5cab745a81d4b79ebf2b6cd05fb39229b2e047813dccd9d94276bc780f88
Instruction ID: bc9ffda54976d039e0c421f10980e2d54bb7e14e95f4e1a0601b9e33e3fed323
Opcode Fuzzy Hash: ab7c5cab745a81d4b79ebf2b6cd05fb39229b2e047813dccd9d94276bc780f88
Instruction Fuzzy Hash: A4516B722147D486D721DF52A444BCEBBA9F78ABC4F954515FF8A0BB69CB3AC440CB00

Function 0000000140007800 Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 213
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 000000014000784A

Part of subcall function 00000001400187BC: _errno.LIBCMT ref: 00000001400187D4

GetModuleFileNameW.KERNEL32 ref: 000000014003730C

Strings

/ErrorStdOut, xrefs: 0000000140007982
CMDLINE, xrefs: 00000001400078CD, 000000014000791D
/AutoIt3OutputDebug, xrefs: 0000000140007999
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 0000000140007850
CMDLINERAW, xrefs: 000000014000787F
/AutoIt3ExecuteScript, xrefs: 00000001400079C7
/AutoIt3ExecuteLine, xrefs: 00000001400079B0

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: FileModuleName$_errno
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 3464838693-3513169116
Opcode ID: ceea752f5cf5deb40b5cc6fc992b52dd468ce1dcfea26a75dfcd3d314f517aee
Instruction ID: 7806dc51455742a7da7219f5d275b8834f0492c1cdde795d32325f36d5a73d96
Opcode Fuzzy Hash: ceea752f5cf5deb40b5cc6fc992b52dd468ce1dcfea26a75dfcd3d314f517aee
Instruction Fuzzy Hash: 88A17172628A4192EB52EB26F451BEE6361F7887C4F845012FB4E475BADF7CC246CB40

Function 00000001400133A0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 150
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32 ref: 00000001400133F4
SetTimer.USER32 ref: 0000000140013490
RegisterWindowMessageW.USER32 ref: 000000014001349D
CreatePopupMenu.USER32 ref: 00000001400134B3
KillTimer.USER32 ref: 00000001400134D6
PostQuitMessage.USER32 ref: 00000001400134EA

Strings

TaskbarCreated, xrefs: 0000000140013496

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: bc35c0e81716189030b78bdaa0410fa532b91c481cf934687f565ec324ca4c22
Instruction ID: c3102fc47cdbee3dcb329b7cbcfa1846357240aeafbf595e0a5e1e0accf68967
Opcode Fuzzy Hash: bc35c0e81716189030b78bdaa0410fa532b91c481cf934687f565ec324ca4c22
Instruction Fuzzy Hash: 83618A3521864486FB379B27E8957E967A5F39D7C0F840022FB8A4B6B6CF3EC6458301

Function 000000014004FAA0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 249windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140040510: GetWindowLongPtrW.USER32 ref: 000000014004052D

GetSystemMetrics.USER32 ref: 000000014004FB02
MoveWindow.USER32 ref: 000000014004FD51
SendMessageW.USER32 ref: 000000014004FD74
SendMessageW.USER32 ref: 000000014004FD9A
ShowWindow.USER32 ref: 000000014004FDBE
InvalidateRect.USER32 ref: 000000014004FDEB
DefDlgProcW.USER32 ref: 000000014004FE14

Strings

, xrefs: 000000014004FD82

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
String ID:
API String ID: 3356174886-3916222277
Opcode ID: 3ecaed77ed86ec431c39c261bb25ef97138c6cfa7639c12ce84acd25050f83d2
Instruction ID: d5178c07b86ba32f94d4d4be4fd3f340b6c6abd3ec6729ae0638213db1543aab
Opcode Fuzzy Hash: 3ecaed77ed86ec431c39c261bb25ef97138c6cfa7639c12ce84acd25050f83d2
Instruction Fuzzy Hash: E1A1E13662069582EB6A8F2BD584BBA36E1F34CBC4F165435FF0647AB4DB38E841D704

Function 0000000140017BE0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 140registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140018908: malloc.LIBCMT ref: 0000000140018922

GetModuleFileNameW.KERNEL32 ref: 0000000140017CAA
_wmakepath.LIBCMT ref: 0000000140017D09
RegOpenKeyExW.KERNELBASE ref: 0000000140017D70
RegQueryValueExW.ADVAPI32 ref: 000000014003415A
RegCloseKey.ADVAPI32 ref: 000000014003426A

Strings

Software\AutoIt v3\AutoIt, xrefs: 0000000140017D54
Include, xrefs: 0000000140017CD2, 0000000140034130
\, xrefs: 00000001400341EF

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: CloseFileModuleNameOpenQueryValue_wmakepathmalloc
String ID: Include$Software\AutoIt v3\AutoIt$\
API String ID: 3387008970-2276155026
Opcode ID: 9a1c21add42e16d3102201eac2f942f8a94a30a636e76be2fbb3bc1b66b4cd6d
Instruction ID: a1af9c00eeb0e23e12b9717ed6716dc06d7ae8b1dfb58272a50d4ff4756f8b8d
Opcode Fuzzy Hash: 9a1c21add42e16d3102201eac2f942f8a94a30a636e76be2fbb3bc1b66b4cd6d
Instruction Fuzzy Hash: 67813D71118B8585EB36CB26F8887DA73A4FB9C3C4F40012AF78947AB9DB79C556C740

Function 000000014002519C Relevance: 13.6, APIs: 9, Instructions: 89COMMON

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 00000001400251C5
_errno.LIBCMT ref: 00000001400251CE
__doserrno.LIBCMT ref: 000000014002521D
_errno.LIBCMT ref: 0000000140025224

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 47861647fd7ee14cab1df98a2e40f6c596f1724973e8e455cbcc571bd2c2a5a2
Instruction ID: a6e097622fa4a0584ff8a5308c1ce07b6c778f2b1f363de9a3e52f07b9c93dbb
Opcode Fuzzy Hash: 47861647fd7ee14cab1df98a2e40f6c596f1724973e8e455cbcc571bd2c2a5a2
Instruction Fuzzy Hash: 3F31F33261479086E723AF67A8467DD7650B78A7E4F658218BF250BBF3CB38CC418714

Function 0000000140092040 Relevance: 13.0, APIs: 6, Strings: 1, Instructions: 713windowCOMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 0000000140092B18
SendMessageW.USER32 ref: 0000000140092B2F
SelectObject.GDI32 ref: 0000000140092B3B
SelectObject.GDI32 ref: 0000000140092B5D
ReleaseDC.USER32 ref: 0000000140092B6A
MoveWindow.USER32 ref: 0000000140092C44

Part of subcall function 000000014005FCF0: GetWindowTextLengthW.USER32 ref: 000000014005FDDD
Part of subcall function 000000014005FCF0: SendMessageW.USER32 ref: 000000014005FDF1

Strings

P, xrefs: 0000000140092120

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: MessageObjectSelectSendWindow$LengthMoveReleaseText
String ID: P
API String ID: 4165875188-3110715001
Opcode ID: a83ec40bcb08e741990802b116add1c522343500d14c4ff0c484283b07a66047
Instruction ID: 748421c85e2bc4b597ebbad5fabc76b7c86b798c22f9bf769b700c5c22a1b0e2
Opcode Fuzzy Hash: a83ec40bcb08e741990802b116add1c522343500d14c4ff0c484283b07a66047
Instruction Fuzzy Hash: FD7205766182C18BE775DF1AA4807DABBA0F3997D4F50421AFB8983BA9D778C544CF00

Function 0000000140024C28 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 215COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000140024C8E
_wsopen_s.LIBCMT ref: 0000000140024ED4

Part of subcall function 00000001400194FC: _errno.LIBCMT ref: 000000014001951D

Strings

UNICODE, xrefs: 0000000140024E82
UTF-8, xrefs: 0000000140024E3A
=, xrefs: 0000000140024E26
ccs, xrefs: 0000000140024DF8
UTF-16LE, xrefs: 0000000140024E5E

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: _errno$_wsopen_s
String ID: =$UNICODE$UTF-16LE$UTF-8$ccs
API String ID: 586276568-31882262
Opcode ID: 9180b1f1e64e1e27bf08061996b1eba1eaf79df8b48f7d708dec5e38f1a54cec
Instruction ID: 4b529609bc652cfff7be9446dc545d350ab2a47deb570c8a06b943c1a97888fc
Opcode Fuzzy Hash: 9180b1f1e64e1e27bf08061996b1eba1eaf79df8b48f7d708dec5e38f1a54cec
Instruction Fuzzy Hash: EC71C176B0422081FBB75F1BE4807E92695B35DBC4F66410EFF4627AF8D679CD819202

Function 000000014005E730 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 146windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 000000014005E857
SendMessageW.USER32 ref: 000000014005E86B
SetWindowPos.USER32 ref: 000000014005E898
SendMessageW.USER32 ref: 000000014005E92F
SendMessageW.USER32 ref: 000000014005E964

Strings

SysListView32, xrefs: 000000014005E7DA
-----, xrefs: 000000014005E905

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: MessageSend$Window
String ID: -----$SysListView32
API String ID: 2326795674-3975388722
Opcode ID: c33c6cd19dd6ad78dce8afddd1666c178a4c38f2dd34916f58b0f79644e523c3
Instruction ID: 4325a7f9b10eeaf5753d5a94697aa92b455c0f59975578a8265da4524d73163f
Opcode Fuzzy Hash: c33c6cd19dd6ad78dce8afddd1666c178a4c38f2dd34916f58b0f79644e523c3
Instruction Fuzzy Hash: 3361CD722047C58AE721CF26E8807CBB7A1F7887D0F904526FB8943BA9DB38C591CB40

Function 0000000140061100 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 129COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 0000000140061145
_fread_nolock.LIBCMT ref: 000000014006118E
_fread_nolock.LIBCMT ref: 00000001400611AE
_fread_nolock.LIBCMT ref: 00000001400611F7
_fread_nolock.LIBCMT ref: 0000000140061217
_fread_nolock.LIBCMT ref: 000000014006129C

Strings

FILE, xrefs: 0000000140061160

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: _fread_nolock
String ID: FILE
API String ID: 840049012-3121273764
Opcode ID: 3e3f62da7373288c3741b387d4f56d9a878291752b317897a039ff4fc661df93
Instruction ID: c7d1058a1028bb5ec0d7bb04169e5fd705cfaa6c074b9508f33fb2e417648150
Opcode Fuzzy Hash: 3e3f62da7373288c3741b387d4f56d9a878291752b317897a039ff4fc661df93
Instruction Fuzzy Hash: 8351CE7221464196EA21DE63E4807CEA3A1F78DBC4F908516FF8D4BB69CB3DC205CB00

Function 0000000140050AC0 Relevance: 12.1, APIs: 8, Instructions: 120COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140040510: GetWindowLongPtrW.USER32 ref: 000000014004052D

ShowWindow.USER32 ref: 0000000140050B8E
ShowWindow.USER32 ref: 0000000140050BBE
LockWindowUpdate.USER32 ref: 0000000140050C04
InvalidateRect.USER32 ref: 0000000140050C13
LockWindowUpdate.USER32 ref: 0000000140050C22
EnableWindow.USER32 ref: 0000000140050C32
ShowWindow.USER32 ref: 0000000140050C4F

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Window$Show$LockUpdate$EnableInvalidateLongRect
String ID:
API String ID: 1084233729-0
Opcode ID: 20a8dd9992e11829186dfdf09cfdea1c7cd6c8281006c55799a45214192e9b50
Instruction ID: ff25929f20823a71c344ac5d9aaf8d784c59f01ba88244b1823142d99cd33d7f
Opcode Fuzzy Hash: 20a8dd9992e11829186dfdf09cfdea1c7cd6c8281006c55799a45214192e9b50
Instruction Fuzzy Hash: 91517F3130868086FB6BDF2B95D83ED2691A78EBC4F184125E74647AB5CB7BC995C301

Function 0000000140050760 Relevance: 12.1, APIs: 8, Instructions: 100windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32 ref: 0000000140050790
GetDC.USER32 ref: 0000000140050798
GetDeviceCaps.GDI32 ref: 00000001400507A9
ReleaseDC.USER32 ref: 00000001400507B6
CreateFontW.GDI32 ref: 0000000140050846
SendMessageW.USER32 ref: 000000014005085C
MoveWindow.USER32 ref: 00000001400508A2
SendMessageW.USER32 ref: 00000001400508C3

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: e04b0a9c5c75b18d4f31fcfd584bb297b9e75888ba4910ebb07fb8c0861837c8
Instruction ID: 52656c66e1ffafc12b5da83b1dce22689de0494abf749c7f5c3d9dbc9fbb9013
Opcode Fuzzy Hash: e04b0a9c5c75b18d4f31fcfd584bb297b9e75888ba4910ebb07fb8c0861837c8
Instruction Fuzzy Hash: 45419A726146C18BE765CF26E844BAFBBA4F388BD5F044125EF8A07B68DB39C444CB00

Function 0000000140025C20 Relevance: 12.1, APIs: 8, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000140025C3F
_errno.LIBCMT ref: 0000000140025C48
__doserrno.LIBCMT ref: 0000000140025C98
_errno.LIBCMT ref: 0000000140025C9F

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 3e66ab9fd1745396fe94dace257a031b16e0fc3e5aa01d700535c659dffbabbf
Instruction ID: acceb93f83c61eecfa66e48e8783ef8bf00a10ac0d261c6ca3fbf6408d52aa92
Opcode Fuzzy Hash: 3e66ab9fd1745396fe94dace257a031b16e0fc3e5aa01d700535c659dffbabbf
Instruction Fuzzy Hash: 9E31B13260479445F723AF27A8457AD7651A7897D4FA5821DFF6507BE3CB38CC018708

Function 0000000140002E90 Relevance: 10.7, APIs: 7, Instructions: 241COMMON

Download Yara Rule

APIs

std::exception_ptr::_Current_exception.LIBCONCRT ref: 000000014003977F
VariantClear.OLEAUT32 ref: 0000000140039799
std::exception_ptr::_Current_exception.LIBCONCRT ref: 00000001400397BE
std::exception_ptr::_Current_exception.LIBCONCRT ref: 0000000140039802

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Current_exceptionstd::exception_ptr::_$ClearVariant
String ID:
API String ID: 332225251-0
Opcode ID: bef83641212884730778dacaf1c83f137b94e5cc5659ad8a14d822c99c9f2051
Instruction ID: da0d3d980b07d72bc0f723f43056d5ccbf8405b6a3229b64bd36181bb8da3476
Opcode Fuzzy Hash: bef83641212884730778dacaf1c83f137b94e5cc5659ad8a14d822c99c9f2051
Instruction Fuzzy Hash: 0FA14C72209A4086EB66DB1BE0903EE6368E78DBC4F144526FB0A477B6CB79C891C740

Function 0000000140059CF0 Relevance: 10.6, APIs: 7, Instructions: 90windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 0000000140059D3E
SetMenu.USER32 ref: 0000000140059D51
GetMenuItemInfoW.USER32 ref: 0000000140059DEA
IsMenu.USER32 ref: 0000000140059E01
CreatePopupMenu.USER32 ref: 0000000140059E0B
InsertMenuItemW.USER32 ref: 0000000140059E56
DrawMenuBar.USER32 ref: 0000000140059E5F

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID:
API String ID: 161812096-0
Opcode ID: f731e4769f4dbd6bce317919fe755037327196e7861ff156254fc661676726cd
Instruction ID: e97be85962ac584f3fa528f19db3f2b61eb6b163b7568e49ebb54cc5c91c274e
Opcode Fuzzy Hash: f731e4769f4dbd6bce317919fe755037327196e7861ff156254fc661676726cd
Instruction Fuzzy Hash: 4541F036205B8486EB61CF26E48479A77B8F788F84F544126EB8E43B68DF39C495CB50

Function 0000000140017290 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 41COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32 ref: 00000001400172E9
CreateWindowExW.USER32 ref: 0000000140017337
ShowWindow.USER32 ref: 000000014001734D

Strings

AutoIt v3, xrefs: 000000014001729F, 00000001400172CA
d, xrefs: 00000001400172BA
edit, xrefs: 00000001400172FB

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Window$Create$Show
String ID: AutoIt v3$d$edit
API String ID: 2813641753-2600919596
Opcode ID: 891b5054f003c7f87485c089ee1c695238011559e50464b9185b40235a1e4605
Instruction ID: 8393adb8f14a91bb5b8aead08a6bde1628bfc783f71c136910b920ced53d36be
Opcode Fuzzy Hash: 891b5054f003c7f87485c089ee1c695238011559e50464b9185b40235a1e4605
Instruction Fuzzy Hash: 3A11B675519B4086EB65CF9AF88038AB7B1F78C794F51012AEB8A47B28DB7CC1948B00

Function 00000001400500E0 Relevance: 7.6, APIs: 5, Instructions: 111COMMON

Download Yara Rule

APIs

ShowWindow.USER32 ref: 000000014005017C
EnableWindow.USER32 ref: 00000001400501A7
ShowWindow.USER32 ref: 0000000140050219
ShowWindow.USER32 ref: 0000000140050236
EnableWindow.USER32 ref: 0000000140050265

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Window$Show$Enable
String ID:
API String ID: 2939132127-0
Opcode ID: e63a6ae4b924d751ec5d1ed6a7f9cfffc416ee2f2aa2973d285e4c0c4c1a02d0
Instruction ID: cd3675759cea18c4dbb5f582e80f888241433a6c5c958ec82e49423bec35f91c
Opcode Fuzzy Hash: e63a6ae4b924d751ec5d1ed6a7f9cfffc416ee2f2aa2973d285e4c0c4c1a02d0
Instruction Fuzzy Hash: FF510D32606E8485E756CF2AD4887ED77A1F388FD4F184022DF59476A1CF7AC496C705

Function 000000014001F488 Relevance: 7.6, APIs: 5, Instructions: 107COMMON

Download Yara Rule

APIs

GetStartupInfoW.KERNEL32 ref: 000000014001F49A
_FF_MSGBANNER.LIBCMT ref: 000000014001F538
_FF_MSGBANNER.LIBCMT ref: 000000014001F563
GetCommandLineW.KERNEL32 ref: 000000014001F595
_cinit.LIBCMT ref: 000000014001F5D8

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: CommandInfoLineStartup_cinit
String ID:
API String ID: 1675588807-0
Opcode ID: 5be997067299028b163c0bb65d467eef64757c005bbc702ff357809633d205a2
Instruction ID: 0562ae9f371f5d5597c5850a7481345e891c3a4534d1e06b500c6b14c466bcc4
Opcode Fuzzy Hash: 5be997067299028b163c0bb65d467eef64757c005bbc702ff357809633d205a2
Instruction Fuzzy Hash: 9C41647060478186FB67AFA7A5513FA3292AB9C3C4F540039BB494B6F3DF7AC9409712

Function 0000000140058D40 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140040510: GetWindowLongPtrW.USER32 ref: 000000014004052D

GetClientRect.USER32 ref: 0000000140058D85
GetCursorPos.USER32 ref: 0000000140058D90
ScreenToClient.USER32 ref: 0000000140058DA8
WindowFromPoint.USER32 ref: 0000000140058DEF

Part of subcall function 0000000140040040: LoadCursorW.USER32 ref: 00000001400400F1

DefDlgProcW.USER32 ref: 0000000140058E89

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: ClientCursorWindow$FromLoadLongPointProcRectScreen
String ID:
API String ID: 852998092-0
Opcode ID: 681aa13de41701f58aa37fa23451ac694cfb9b4df442c3e1a141096d1f8ba7e4
Instruction ID: f39269793a3479d1437c5a3796e72910e09d9a5c60b993dff8632e787a550ec9
Opcode Fuzzy Hash: 681aa13de41701f58aa37fa23451ac694cfb9b4df442c3e1a141096d1f8ba7e4
Instruction Fuzzy Hash: 19410636204B5486EA66EB17E4813996361F38CBD1F544522FF8E53BB5DB39D581CB00

Function 000000014005E9C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

SetWindowPos.USER32 ref: 000000014005EADA
GetWindowLongW.USER32 ref: 000000014005EB00
SetWindowLongPtrW.USER32 ref: 000000014005EB13

Strings

SysTreeView32, xrefs: 000000014005EA54

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 05bebc483137102995ea8ccc31334083562879635db7da46587412db50d7838d
Instruction ID: 9afb921b0545e361f9999070d24dbd686ffd673d23bf196f2cfe665117f4fda4
Opcode Fuzzy Hash: 05bebc483137102995ea8ccc31334083562879635db7da46587412db50d7838d
Instruction Fuzzy Hash: 8351B3322147C086D765CF26E44078E77A5F388BE0F644225FFAA57BA8CB39C951CB40

Function 00000001400151E0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 82COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 0000000140015263

Strings

AU3!, xrefs: 0000000140015221
EA06, xrefs: 0000000140033538

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: _fread_nolock
String ID: AU3!$EA06
API String ID: 840049012-2658333250
Opcode ID: c4131ff814c3a4698ffcb14db40054eb9cbe9e7c1e151d853410c01b5fef0689
Instruction ID: 79a413de0083abe822058fa484201c3242fcaa0a898e5f7e8984f29b23a8234a
Opcode Fuzzy Hash: c4131ff814c3a4698ffcb14db40054eb9cbe9e7c1e151d853410c01b5fef0689
Instruction Fuzzy Hash: 5E31E87320858585E723D766E5407DE3760E38E7C4F905212FB898B5AADA7EC689CF01

Function 0000000140016950 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 54COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32 ref: 000000014003711A

Part of subcall function 00000001400169D0: GetFullPathNameW.KERNEL32 ref: 00000001400169F5

Part of subcall function 0000000140016C80: SHGetMalloc.SHELL32 ref: 0000000140016C98
Part of subcall function 0000000140016C80: SHGetDesktopFolder.SHELL32 ref: 0000000140016CB5
Part of subcall function 0000000140016C80: SHGetPathFromIDListW.SHELL32 ref: 0000000140016D18

Part of subcall function 0000000140016A70: GetFullPathNameW.KERNEL32 ref: 0000000140016A98

Strings

Run Script:, xrefs: 00000001400370BD
AutoIt script files (*.au3, *.a3x), xrefs: 00000001400370CE
au3, xrefs: 00000001400370E2

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: NamePath$Full$DesktopFileFolderFromListMallocOpen
String ID: AutoIt script files (*.au3, *.a3x)$Run Script:$au3
API String ID: 819131735-2360590182
Opcode ID: e299f301ba58e3974512ea147b69c0ab8b361c14f33f1e4db47deeb18b585b45
Instruction ID: 7a4ca26caa1ad19e3ca51edc9088f4422c47a30509b6cf5f866f09c2c3525297
Opcode Fuzzy Hash: e299f301ba58e3974512ea147b69c0ab8b361c14f33f1e4db47deeb18b585b45
Instruction Fuzzy Hash: 7C211A7120478085EB219F22E85439AB7A4F789BC4F988125AB8D4BBA9DF7EC545CB40

Function 0000000140059B50 Relevance: 6.1, APIs: 4, Instructions: 94windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32 ref: 0000000140059C3C
IsMenu.USER32 ref: 0000000140059C57
InsertMenuItemW.USER32 ref: 0000000140059CB7
DrawMenuBar.USER32 ref: 0000000140059CCB

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID:
API String ID: 3076010158-0
Opcode ID: 2c73e5debd7e244f3c31b4e4a89df3bc7e9c70c129c4e4b6d35657a7abaab626
Instruction ID: 917fec017988fef56abe055cd823f839ebcf86a6f154d74bd08cbb7433713b39
Opcode Fuzzy Hash: 2c73e5debd7e244f3c31b4e4a89df3bc7e9c70c129c4e4b6d35657a7abaab626
Instruction Fuzzy Hash: 4E411936204BC886EB61CF26E49079E77A5F388BD4F554526EB9E43768CF39D884CB40

Function 000000014003F9B0 Relevance: 6.1, APIs: 4, Instructions: 54windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32 ref: 000000014003FA3F
GetStockObject.GDI32 ref: 000000014003FA5C
SendMessageW.USER32 ref: 000000014003FA6F
ShowWindow.USER32 ref: 000000014003FA8C

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Window$CreateMessageObjectSendShowStock
String ID:
API String ID: 1358664141-0
Opcode ID: 16feacb9051f93f59c9de0ddcd8e45b25b4aa4e433a94c3d9eb474385539eeb1
Instruction ID: 464444ec84f9e64c74d1851dda20da2c94d8d532f49712159e2126cf60d38a2c
Opcode Fuzzy Hash: 16feacb9051f93f59c9de0ddcd8e45b25b4aa4e433a94c3d9eb474385539eeb1
Instruction Fuzzy Hash: 43211A76608BC48BE7A6CB1AE44479AB7A0F788784F144125EB8D43B64EB7CC484CB01

Function 000000014001A658 Relevance: 6.0, APIs: 4, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000014001A66D

Part of subcall function 0000000140020B28: DecodePointer.KERNEL32 ref: 0000000140020B4F

_flush.LIBCMT ref: 000000014001A696
_freebuf.LIBCMT ref: 000000014001A6A0

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: DecodePointer_errno_flush_freebuf
String ID:
API String ID: 1889905870-0
Opcode ID: d52712f65abe5414c80036b749fcf6bce3a88f816afc8cc23f7e6bd5b69dd452
Instruction ID: 74a1a66214e258ae0fff75802fb45dece77e3331ca4241226f052b4049861aed
Opcode Fuzzy Hash: d52712f65abe5414c80036b749fcf6bce3a88f816afc8cc23f7e6bd5b69dd452
Instruction Fuzzy Hash: 2301BC3271064042FF27ABB798153ED5251AB9E7F8F2D0324BB628B5E6CA3EC8019640

Function 000000014005EBB0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 81COMMON

Download Yara Rule

APIs

SetWindowPos.USER32 ref: 000000014005ECBA

Strings

, xrefs: 000000014005EC9C
SysTabControl32, xrefs: 000000014005EC46

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Window
String ID: $SysTabControl32
API String ID: 2353593579-3143400907
Opcode ID: d8cd05d5d274badaecf08cb907e15fd0819d3c3504ba7bb8eb24ff0d4913b329
Instruction ID: f325b1a43e3f1ca24dba321bc450562db81203f7a9d0fbb56e73154e1a4af225
Opcode Fuzzy Hash: d8cd05d5d274badaecf08cb907e15fd0819d3c3504ba7bb8eb24ff0d4913b329
Instruction Fuzzy Hash: BC415D32214BC48AD764DF16E44478A7BA5F388BA4F544325EFA957BE4CB79C491CF00

Function 000000014003AD55 Relevance: 4.6, APIs: 3, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140018908: malloc.LIBCMT ref: 0000000140018922

VariantInit.OLEAUT32 ref: 000000014003AD71
VariantCopy.OLEAUT32 ref: 000000014003AD7F
VariantClear.OLEAUT32 ref: 000000014003AD90

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Variant$ClearCopyInitmalloc
String ID:
API String ID: 3964690924-0
Opcode ID: c19214b59c987bb85d44b39fb212f9401f5a5e21c293124519ad10817ac7bf6a
Instruction ID: 620352a0a9eb58ef7726cdf4db399f251c2c5600ad371509ecf9e474b62ebd6b
Opcode Fuzzy Hash: c19214b59c987bb85d44b39fb212f9401f5a5e21c293124519ad10817ac7bf6a
Instruction Fuzzy Hash: C2513F72604A8486DB62CF16E4903AEB7E5F389BC4F15811AEB4A877B4DF79C885C701

Function 0000000140016C80 Relevance: 4.6, APIs: 3, Instructions: 63COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32 ref: 0000000140016C98
SHGetDesktopFolder.SHELL32 ref: 0000000140016CB5
SHGetPathFromIDListW.SHELL32 ref: 0000000140016D18

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: DesktopFolderFromListMallocPath
String ID:
API String ID: 2281215042-0
Opcode ID: f66ada0a04751082a289d8a9d123ff74693588918e9c7ec28e32210108a27eb8
Instruction ID: 41f203bda821145dabfd8d0135d020cf2123b8f75fb2e80f0458858aa8ac0405
Opcode Fuzzy Hash: f66ada0a04751082a289d8a9d123ff74693588918e9c7ec28e32210108a27eb8
Instruction Fuzzy Hash: 3621CC76308B8191EB61DB2AE48439EA361F789BC4F548025EB8D47B68DF39C549C704

Function 00000001400132D0 Relevance: 4.6, APIs: 3, Instructions: 58timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140007F70: Shell_NotifyIconW.SHELL32 ref: 0000000140008070

KillTimer.USER32 ref: 000000014001335E
SetTimer.USER32 ref: 0000000140013374
Shell_NotifyIconW.SHELL32 ref: 0000000140035D78

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 76ce2a7f95915aa69d27f0d316d4538ca747b91741cc3cd8e3229a273167aa2c
Instruction ID: 35c15e109eca429baa7ecc6693a94738b3d653263b8bb7780f408cd9509f28f2
Opcode Fuzzy Hash: 76ce2a7f95915aa69d27f0d316d4538ca747b91741cc3cd8e3229a273167aa2c
Instruction Fuzzy Hash: 8B315E716087C085F773DB26E0583ED6B95E349BC8F484126EB890B7B9CB7DC1858715

Function 0000000140050F10 Relevance: 4.5, APIs: 3, Instructions: 47COMMON

Download Yara Rule

APIs

DestroyAcceleratorTable.USER32 ref: 0000000140050F81
CreateAcceleratorTableW.USER32 ref: 0000000140050F96
GetForegroundWindow.USER32 ref: 0000000140050FA0

Part of subcall function 0000000140040510: GetWindowLongPtrW.USER32 ref: 000000014004052D

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: AcceleratorTableWindow$CreateDestroyForegroundLong
String ID:
API String ID: 986409557-0
Opcode ID: 930c68c702f61deb6ee0870c75dbda0436f7010d402f5e8c7c85a2c61adb6f9f
Instruction ID: 5bf250f54c367977cd6b1f022f35ccb0e7eeae634d36d4474489cbe7f9262dd3
Opcode Fuzzy Hash: 930c68c702f61deb6ee0870c75dbda0436f7010d402f5e8c7c85a2c61adb6f9f
Instruction Fuzzy Hash: 24214C75614B4085EB2ADF17E88039973A0F78CBD5F945625FB1A43BB4DB39C880C745

Function 00000001400563D0 Relevance: 4.5, APIs: 3, Instructions: 33windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00000001400563FE
GetParent.USER32 ref: 0000000140056411
InvalidateRect.USER32 ref: 0000000140056420

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: InvalidateMessageParentRectSend
String ID:
API String ID: 2900238980-0
Opcode ID: 8c9dc3c16222afdb63aa8ff1270aa947782604ffc65c901a48a12d6ae9ebf0a8
Instruction ID: f9fda22ac4e37e551100b2312bd93f01bf4bcfcb14dd208f8f9b7c65e752c13c
Opcode Fuzzy Hash: 8c9dc3c16222afdb63aa8ff1270aa947782604ffc65c901a48a12d6ae9ebf0a8
Instruction Fuzzy Hash: 92F04936204A4182EB61CF2BF9507D967A0EB8DBC4F189121FF4917728DE3AC485CB00

Function 0000000140017840 Relevance: 4.5, APIs: 3, Instructions: 30registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,?,?,?,00000000,000000014001781E,?,?,?,?,?,?,0000000140013CE5), ref: 0000000140017872
RegQueryValueExW.KERNELBASE(?,?,?,?,00000000,000000014001781E,?,?,?,?,?,?,0000000140013CE5), ref: 0000000140017899
RegCloseKey.KERNELBASE(?,?,?,?,00000000,000000014001781E,?,?,?,?,?,?,0000000140013CE5), ref: 00000001400178A4

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: ba094e214b226322bf9816a123035e834dfdf86e1d88a38ded298d7131ace5da
Instruction ID: 828fc719722694f8dc259c279aef2313287fae413b69745da29f4c2b9d29afc4
Opcode Fuzzy Hash: ba094e214b226322bf9816a123035e834dfdf86e1d88a38ded298d7131ace5da
Instruction Fuzzy Hash: 2CF08C32214B8586EB108F22F84478AB7B5F7C8BD8F444122EB8847F28DF38C150CB00

Function 0000000140041880 Relevance: 3.8, APIs: 3, Instructions: 18COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 0000000140041895

Part of subcall function 00000001400198F8: RtlFreeHeap.NTDLL(?,?,00000000,000000014001F7EC,?,?,?,0000000140020C01,?,?,?,?,0000000140019776), ref: 000000014001990E
Part of subcall function 00000001400198F8: _errno.LIBCMT ref: 0000000140019918
Part of subcall function 00000001400198F8: GetLastError.KERNEL32(?,?,00000000,000000014001F7EC,?,?,?,0000000140020C01,?,?,?,?,0000000140019776), ref: 0000000140019920

free.LIBCMT ref: 00000001400418A6
free.LIBCMT ref: 00000001400418B7

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: bf8fbc4300c04368f1cfcf6431feba3e6e43f7b42836d7d4059ff60833047557
Instruction ID: 5a6d35cc1a59f5ccc77898a5104885818b33c0975ddda9c3056333b19116f8cc
Opcode Fuzzy Hash: bf8fbc4300c04368f1cfcf6431feba3e6e43f7b42836d7d4059ff60833047557
Instruction Fuzzy Hash: 7FE0ECB5B2356041FE5AAAA384953F812109FDDBC4F1D2539BF1A4F1A6CE2584414329

Function 0000000140085970 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 000000014003F9B0: CreateWindowExW.USER32 ref: 000000014003FA3F
Part of subcall function 000000014003F9B0: GetStockObject.GDI32 ref: 000000014003FA5C
Part of subcall function 000000014003F9B0: SendMessageW.USER32 ref: 000000014003FA6F
Part of subcall function 000000014003F9B0: ShowWindow.USER32 ref: 000000014003FA8C

DestroyWindow.USER32 ref: 0000000140085AB8

Strings

static, xrefs: 00000001400859EA

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Window$CreateDestroyMessageObjectSendShowStock
String ID: static
API String ID: 3182005395-2160076837
Opcode ID: 4fcb6bc08ca69c9c6794abb52e3c39fb19c9814699030735ea8595bd7b0c7b61
Instruction ID: 70d867f52ce7dfcc2c51dba4c8b56c51099ace4e88ad7c835fa5108eb4084a98
Opcode Fuzzy Hash: 4fcb6bc08ca69c9c6794abb52e3c39fb19c9814699030735ea8595bd7b0c7b61
Instruction Fuzzy Hash: 38417E76218AC486D725DF12F4817CFB764F7887D0F504616EBAA43BA9DB78C481CB40

Function 000000014005FE20 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

Part of subcall function 000000014003F9B0: CreateWindowExW.USER32 ref: 000000014003FA3F
Part of subcall function 000000014003F9B0: GetStockObject.GDI32 ref: 000000014003FA5C
Part of subcall function 000000014003F9B0: SendMessageW.USER32 ref: 000000014003FA6F
Part of subcall function 000000014003F9B0: ShowWindow.USER32 ref: 000000014003FA8C

GetSysColor.USER32 ref: 000000014005FEEE

Strings

static, xrefs: 000000014005FE85

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectSendShowStock
String ID: static
API String ID: 4289693728-2160076837
Opcode ID: fcfb53483d2db02776ba0d62dac950a0dcca30755dd44132fd39f379cd23aaf1
Instruction ID: 58afccd5d4c75c9a55f3cf96af2ab940b1693467b0c74c21a25cc023f524698b
Opcode Fuzzy Hash: fcfb53483d2db02776ba0d62dac950a0dcca30755dd44132fd39f379cd23aaf1
Instruction Fuzzy Hash: 07213936608B84CAD721CF16E444B8AB7B9F78D7D0F608225EB9943B68DB39D841CF40

Function 0000000140015FA0 Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 193COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 0000000140037062

Part of subcall function 0000000140016300: GetCurrentDirectoryW.KERNEL32(00000000,00000000,000000014001600C), ref: 00000001400163B2
Part of subcall function 0000000140016300: GetFullPathNameW.KERNEL32 ref: 00000001400163CD
Part of subcall function 0000000140016300: SetCurrentDirectoryW.KERNEL32 ref: 0000000140016431

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 0000000140036E0A

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: CurrentDirectory$FullNamePathfree
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 521740188-2806939583
Opcode ID: 4c4fd4c262aff9a898f56a2066c04a6cf9b204e9756e02232f736314df185647
Instruction ID: 3998a6c1e9ecb71fe04749f2d053d245d058868ab4792e3c1a4a8c74d1f02613
Opcode Fuzzy Hash: 4c4fd4c262aff9a898f56a2066c04a6cf9b204e9756e02232f736314df185647
Instruction Fuzzy Hash: A9818D3221468495EA62EB22F4903DFA761F7887C4F845026FB8E47AB6DB39C549CB00

Function 000000014001BEF8 Relevance: 3.1, APIs: 2, Instructions: 137COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000014001BF1D

Part of subcall function 0000000140020B28: DecodePointer.KERNEL32 ref: 0000000140020B4F

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: DecodePointer_errno
String ID:
API String ID: 3485708101-0
Opcode ID: d41068826d5030606a64060baa57fe7a506d6c61fb92dd4cf74e171affa8f1a3
Instruction ID: d7d7a5fea3124961f4a3a9c54bcdf727cbcb775e43c9ee7958fe667951c7a980
Opcode Fuzzy Hash: d41068826d5030606a64060baa57fe7a506d6c61fb92dd4cf74e171affa8f1a3
Instruction Fuzzy Hash: 4F51AD3262078486EB679E26C8447A97791F78CBC8F198129EF490B7F6CB36D842C740

Function 0000000140025D70 Relevance: 3.1, APIs: 2, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000140025D87

Part of subcall function 0000000140020B28: DecodePointer.KERNEL32 ref: 0000000140020B4F

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: DecodePointer_errno
String ID:
API String ID: 3485708101-0
Opcode ID: 1ea4db82b412b75c9de907b49ee3ac8eefcd4b0ea2d5eb81977a0ddffc6fffb6
Instruction ID: 3f2675d588d61dd038e10bc18534aa32838b916b8999a80aa44e6791fb7a6b93
Opcode Fuzzy Hash: 1ea4db82b412b75c9de907b49ee3ac8eefcd4b0ea2d5eb81977a0ddffc6fffb6
Instruction Fuzzy Hash: D641C33261464082EF6AAB3B95453EC37A0F71A7D9F244209FB6587AF1CB34CDA2C744

Function 000000014001A30C Relevance: 3.1, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000014001A334

Part of subcall function 0000000140020B28: DecodePointer.KERNEL32 ref: 0000000140020B4F

_errno.LIBCMT ref: 000000014001A367

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: _errno$DecodePointer
String ID:
API String ID: 2310398763-0
Opcode ID: 3dcc761ff564583c199fd068860ce15a7d52153dbe00409bb36a5fa7116df214
Instruction ID: 385e42fe4cf7dbdb6a54aafa8dd506544a7ab6723db228a925bc07ac99aefb83
Opcode Fuzzy Hash: 3dcc761ff564583c199fd068860ce15a7d52153dbe00409bb36a5fa7116df214
Instruction Fuzzy Hash: 6211E93271435142F7769B7B64467AE6291A78E3D4F548724BF648BEE6CF7EC8004701

Function 000000014001A258 Relevance: 3.1, APIs: 2, Instructions: 53COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000014001A27B
_flush.LIBCMT ref: 000000014001A2A5

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: _errno_flush
String ID:
API String ID: 265556107-0
Opcode ID: 78c99182a1f79d19b8870b959cf4b8d8dd69381126424cc61e988b93b6ec15e6
Instruction ID: 4a30f460cf97c3d1416e86257a4ea83377484ca82bef023e4586373a3e500369
Opcode Fuzzy Hash: 78c99182a1f79d19b8870b959cf4b8d8dd69381126424cc61e988b93b6ec15e6
Instruction Fuzzy Hash: 1111903262065086EB669F6B944439D77A0A74A7E4F280314FF654B7F6CB3FDC418780

Function 00000001400502C0 Relevance: 3.1, APIs: 2, Instructions: 51windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 000000014005031E
InvalidateRect.USER32 ref: 0000000140050384

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: InvalidateMessageRectSend
String ID:
API String ID: 909852535-0
Opcode ID: 4f7312aabee1e672246cb0c82085769f154d377b1d96116dc4c35eb022b8ed42
Instruction ID: d1545f8b05375f5833f8e27446cc24f4d12f5e6aaa66b15d19e3ac7663a4e77a
Opcode Fuzzy Hash: 4f7312aabee1e672246cb0c82085769f154d377b1d96116dc4c35eb022b8ed42
Instruction Fuzzy Hash: 7B218872615A8086E711CF22D0483DD77A5F749BD4F588235EB680BAA4CB36C991CB40

Function 000000014002BC50 Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,000000014001F5A6), ref: 000000014002BC64
FreeEnvironmentStringsW.KERNEL32(?,?,?,000000014001F5A6), ref: 000000014002BCBB

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: EnvironmentStrings$Free
String ID:
API String ID: 3328510275-0
Opcode ID: 637fe743ecf2fb82bdba797248508440db26461f8ce99dfd80d5ebb66b090bf2
Instruction ID: 1aab3a49ea1619e474e6304d29b2fa8e9589afaaecc6d63ccea5a62196c60be7
Opcode Fuzzy Hash: 637fe743ecf2fb82bdba797248508440db26461f8ce99dfd80d5ebb66b090bf2
Instruction Fuzzy Hash: 6601A232B0468085EE62AFA3A5553E9A2A0E79CFC0F5C4424FB4A07BA5DE38C9818700

Function 0000000140012B40 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0000000140012B64

Part of subcall function 00000001400029A0: PeekMessageW.USER32 ref: 0000000140002A4B

Sleep.KERNEL32 ref: 000000014003A822

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: MessagePeekSleepTimetime
String ID:
API String ID: 1792118007-0
Opcode ID: d73f54b0ceb66d59be4aa1b9168402b02ce0ac72a8ed5856ca7716f65663cb65
Instruction ID: 1932635ab849a5eb4f087f2d225e8ec72bbeaf91ada3c3690db192377b6f7bd4
Opcode Fuzzy Hash: d73f54b0ceb66d59be4aa1b9168402b02ce0ac72a8ed5856ca7716f65663cb65
Instruction Fuzzy Hash: EFF01772604A4086EB49DF27E9853ED63A4EB8CBD4F088435EB0D873A6EE38C4918701

Function 00000001400151B0 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 28COMMON

Download Yara Rule

Strings

>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 000000014003611A

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID:
String ID: >>>AUTOIT NO CMDEXECUTE<<<
API String ID: 0-2684727018
Opcode ID: bac6c7a5b23a294c7acf647e231f1c0f101205cebc86f811efcf360bca205a48
Instruction ID: b73ee24d656044e0c8aef140d35de5f203c4f502ef1b5f60a1267a2bc71ced1b
Opcode Fuzzy Hash: bac6c7a5b23a294c7acf647e231f1c0f101205cebc86f811efcf360bca205a48
Instruction Fuzzy Hash: 1BF0307260460590EA22EB12D8413DA5720E7DC3C9FC91012B74D475B6EE38C74AC700

Function 0000000140022DBC Relevance: 3.0, APIs: 2, Instructions: 18memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(?,?,?,?,000000014001F52B), ref: 0000000140022DCE
HeapSetInformation.KERNEL32 ref: 0000000140022DF8

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Heap$CreateInformation
String ID:
API String ID: 1774340351-0
Opcode ID: b2a0b9ca492723ce789c5159622cd5e3bbd39229d74136f8385c1c597e4ea285
Instruction ID: a0f867c09f61d01611427a8c38bd42a4b29cede9da5dd115139c9d897419512a
Opcode Fuzzy Hash: b2a0b9ca492723ce789c5159622cd5e3bbd39229d74136f8385c1c597e4ea285
Instruction Fuzzy Hash: 76E086B572AB8083FB9A9F66E8557D562A0F78C380F905429FB49437A4DF3CC145CB00

Function 000000014001FA24 Relevance: 2.5, APIs: 2, Instructions: 30sleepCOMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 000000014001FA43

Part of subcall function 00000001400196D8: _FF_MSGBANNER.LIBCMT ref: 0000000140019708
Part of subcall function 00000001400196D8: HeapAlloc.KERNEL32(?,?,?,0000000140018927,?,?,?,?,?,?,?,0000000140036D1C), ref: 000000014001972D
Part of subcall function 00000001400196D8: _errno.LIBCMT ref: 0000000140019751
Part of subcall function 00000001400196D8: _errno.LIBCMT ref: 000000014001975C

Sleep.KERNEL32(?,?,00000000,0000000140021249,?,?,?,00000001400212F3,?,?,?,?,?,?,00000000,000000014001F7D8), ref: 000000014001FA5A

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: _errno$AllocHeapSleepmalloc
String ID:
API String ID: 496785850-0
Opcode ID: a7821407ead68d9ea3c211ec50501fe145c16427b8c5c722b19e7d7a32b8c7b1
Instruction ID: 9492e7ce244a3451522088e93057084ae376ead6f0ec43d7023ade897b7b7608
Opcode Fuzzy Hash: a7821407ead68d9ea3c211ec50501fe145c16427b8c5c722b19e7d7a32b8c7b1
Instruction Fuzzy Hash: 35F02B32300B8486EA12AF17A4403ADB3A0E78CBD0F584224FB9D07775CF3DD8918B01

Function 0000000140017E30 Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

APIs

K32EmptyWorkingSet.KERNEL32 ref: 0000000140017F86

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: EmptyWorking
String ID:
API String ID: 3204950828-0
Opcode ID: 048ac07befcd929308ab0c36a801946155e7bae4014a0889a215a34181f61ec7
Instruction ID: a63faee54199a23ff4fe8f4c2fe0c7af5788511d79710898ec8e594c50a29b2c
Opcode Fuzzy Hash: 048ac07befcd929308ab0c36a801946155e7bae4014a0889a215a34181f61ec7
Instruction Fuzzy Hash: EB41D672710B0485EB22CF5AD448BAE27B9F349B84F564456FB1D1B7A4DB32C882C340

Function 00000001400076A0 Relevance: 1.6, APIs: 1, Instructions: 109COMMON

Download Yara Rule

APIs

std::exception_ptr::_Current_exception.LIBCONCRT ref: 000000014003562A

Part of subcall function 0000000140018908: malloc.LIBCMT ref: 0000000140018922

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Current_exceptionmallocstd::exception_ptr::_
String ID:
API String ID: 1204381810-0
Opcode ID: a3b722e154be3292eaa0f4fdc3cbd02c44c280d9aeb6f7b5334f4741aff7f0b4
Instruction ID: 5d2ee5e7929a344ca8242c2dcfb27c07b85ec29112d17e9d5c8937aa8239a681
Opcode Fuzzy Hash: a3b722e154be3292eaa0f4fdc3cbd02c44c280d9aeb6f7b5334f4741aff7f0b4
Instruction Fuzzy Hash: 5F416976209B4482EB26DF16E5807A973A4F78CBC0F948525FBAE477B1DB38C591C300

Function 00000001400153B0 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: bec6d1c2d1ac35d8f49bb2c5288e4dc94b4bee5f19173fe675a3c40cd65443f6
Instruction ID: 143ab65340c81b17b78616c2de51c6afb93fec3230d9fdd256e665550b3b2e29
Opcode Fuzzy Hash: bec6d1c2d1ac35d8f49bb2c5288e4dc94b4bee5f19173fe675a3c40cd65443f6
Instruction Fuzzy Hash: A331907230468086EB16EB27E5503EE77A0E78C7C4F448126BB998B7A6EE3DC551CB00

Function 0000000140012F60 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 0000000140013055

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 8d26a221ecc03a9ee000b90a53d36922f87f5425bf550ec192c1ab350663b684
Instruction ID: e47fbe540f204e1cd928d91d0eaa10ba4e7678b491b2f8d3e8dba743bb3374be
Opcode Fuzzy Hash: 8d26a221ecc03a9ee000b90a53d36922f87f5425bf550ec192c1ab350663b684
Instruction Fuzzy Hash: 8A311A72608A4085EB12EF56F8843DAB7A4FB987D4F900116F78D476B6CB79C554CB40

Function 0000000140012BD0 Relevance: 1.6, APIs: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

IsDialogMessageW.USER32 ref: 0000000140033D67

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: DialogMessage
String ID:
API String ID: 547518314-0
Opcode ID: 029d3944e28f3267575acede34f2a783a30d636710457d7abb47ca3efb8210f4
Instruction ID: 55690ce585cb748322818670bc53a9b26810db78507a8c2f9330dae96850bd3b
Opcode Fuzzy Hash: 029d3944e28f3267575acede34f2a783a30d636710457d7abb47ca3efb8210f4
Instruction Fuzzy Hash: 2821F876214A4485EB628F1BE4843AA63A0F78CFC4F585122EF8D87BB8DF39C491C704

Function 000000014001A9BC Relevance: 1.6, APIs: 1, Instructions: 55COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000014001AA05

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: 0559c613b656783db794e5e05771ce0f10963d77abe93043b255c97811960b50
Instruction ID: 1079d2687407d2b6bef0f0ea3fd7f0e264d13b75431d778595db5ecd4b3569e8
Opcode Fuzzy Hash: 0559c613b656783db794e5e05771ce0f10963d77abe93043b255c97811960b50
Instruction Fuzzy Hash: C711CA3171078041E716DB636A013DA6255BB9EFD4F589725BF684BBE6CF3DC1018704

Function 000000014001A6E4 Relevance: 1.5, APIs: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000014001A705

Part of subcall function 0000000140020B28: DecodePointer.KERNEL32 ref: 0000000140020B4F

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: DecodePointer_errno
String ID:
API String ID: 3485708101-0
Opcode ID: fd9cbafb8d0922ed45c5261aa59b5a9f6218c21d283dcbd40154f41be528ed70
Instruction ID: 1b30d8cd9e67e6a059263f280e687f6aa53739700f87796ebe63b1808f1caf75
Opcode Fuzzy Hash: fd9cbafb8d0922ed45c5261aa59b5a9f6218c21d283dcbd40154f41be528ed70
Instruction Fuzzy Hash: F3F0283230424142FB17973AA81539E6290AB9A3C8F6842247F154B5E2DF3DC9014600

Function 000000014001C0BC Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000014001C0DA

Part of subcall function 0000000140020B28: DecodePointer.KERNEL32 ref: 0000000140020B4F

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: DecodePointer_errno
String ID:
API String ID: 3485708101-0
Opcode ID: b7dfd3f7ece5d9337327a86fcf9a3e0115000eb747df5ef5c5c90405fc59d354
Instruction ID: 864cb8af18e6bcfdeb4753cac76a983eb4ddb11bd422a4d6935331f479d1d644
Opcode Fuzzy Hash: b7dfd3f7ece5d9337327a86fcf9a3e0115000eb747df5ef5c5c90405fc59d354
Instruction Fuzzy Hash: 14F0E93231038242FB16A77BA8127EE62915B8D3C8F5886347B214B9E3CF39C4404600

Function 0000000140050EA0 Relevance: 1.5, APIs: 1, Instructions: 30windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32 ref: 0000000140050EFA

Part of subcall function 0000000140040510: GetWindowLongPtrW.USER32 ref: 000000014004052D

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: LongMessagePostWindow
String ID:
API String ID: 910078001-0
Opcode ID: 0c8433a5935dff18d31d6795709d920759a4f2f152c34221ae8141e9ba825dd1
Instruction ID: ca3df51cfb2188daa00cd6d688ceff6a3323fba829058fa40166255a5350911c
Opcode Fuzzy Hash: 0c8433a5935dff18d31d6795709d920759a4f2f152c34221ae8141e9ba825dd1
Instruction Fuzzy Hash: 9AF0A43261460086EB55DF1BE891B9933A0F78CBC4FA05611FB09477B0DA35C4818B00

Function 000000014005B950 Relevance: 1.5, APIs: 1, Instructions: 26windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 000000014005B99E

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0aaf1e5352518af0c6ffda69c2c740a962e0740bdaf37a09b8d93af5e0c88465
Instruction ID: c47bf200e8fdda451de7ca043122d79e4c864c74126b3a4ad7db7ad9554aa475
Opcode Fuzzy Hash: 0aaf1e5352518af0c6ffda69c2c740a962e0740bdaf37a09b8d93af5e0c88465
Instruction Fuzzy Hash: 19F01736214A49D1DA11DF16E4403E9A360F7CCBD8F644412EF8D43735DE39C545C740

Function 0000000140073650 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0000000140073654

Part of subcall function 0000000140040510: GetWindowLongPtrW.USER32 ref: 000000014004052D

Part of subcall function 00000001400651E0: GetCursorPos.USER32 ref: 0000000140065203
Part of subcall function 00000001400651E0: ScreenToClient.USER32 ref: 0000000140065227
Part of subcall function 00000001400651E0: GetAsyncKeyState.USER32 ref: 0000000140065271
Part of subcall function 00000001400651E0: GetAsyncKeyState.USER32 ref: 0000000140065282

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: AsyncStateWindow$ClientCursorForegroundLongScreen
String ID:
API String ID: 4074248120-0
Opcode ID: 072b01d94d8832f241fd7af3eead1a629e716a2b93c206b4035d6a4b70e68d12
Instruction ID: 5e41be8f200cf26f3956ef383eefe555e63a60c3ef09ef665884e3b9fcebb18b
Opcode Fuzzy Hash: 072b01d94d8832f241fd7af3eead1a629e716a2b93c206b4035d6a4b70e68d12
Instruction Fuzzy Hash: 23E086B8B0190580ED16B717E8853C51361F75DBD1F904512EA0D473F1EE3CC1958700

Function 0000000140046820 Relevance: 1.5, APIs: 1, Instructions: 15windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32 ref: 000000014004684C

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: MessageSendTimeout
String ID:
API String ID: 1599653421-0
Opcode ID: 168ed53145ff25ecaff81674e3bd08f08a64491d533b66250ee5ab1e501b01bb
Instruction ID: 31b42ea49f35d5faa8098192214f2df096d904ad1661da787bdb553ecade8063
Opcode Fuzzy Hash: 168ed53145ff25ecaff81674e3bd08f08a64491d533b66250ee5ab1e501b01bb
Instruction Fuzzy Hash: 63D0C27271434087EB148B55A805B4A7691F7C8384F840018A64C12B14CB3CC1044F00

Function 0000000140018908 Relevance: 1.3, APIs: 1, Instructions: 39COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000000140018922

Part of subcall function 00000001400196D8: _FF_MSGBANNER.LIBCMT ref: 0000000140019708
Part of subcall function 00000001400196D8: HeapAlloc.KERNEL32(?,?,?,0000000140018927,?,?,?,?,?,?,?,0000000140036D1C), ref: 000000014001972D
Part of subcall function 00000001400196D8: _errno.LIBCMT ref: 0000000140019751
Part of subcall function 00000001400196D8: _errno.LIBCMT ref: 000000014001975C

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: _errno$AllocHeapmalloc
String ID:
API String ID: 3607330408-0
Opcode ID: b0c631f6a38bcc50c6db012d53b8eb2045249c382fbf93ffede6e4b9199d3b65
Instruction ID: d340f5c00cdc5deab3e4fd7a34be2b5a0cdc158d8f191781a56e2e516e077d60
Opcode Fuzzy Hash: b0c631f6a38bcc50c6db012d53b8eb2045249c382fbf93ffede6e4b9199d3b65
Instruction Fuzzy Hash: 3D011A70211B0991FA27EF93E8403E42360F75C3C4F981625BB494B6B2DB3DD644CB01

Function 000000014003BEF8 Relevance: 1.3, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 000000014003BEF8

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 88cc0785623c20493924a8822fc74d35e426a3286e0225bcb30cfbbe54bc341d
Instruction ID: 0594ec5f0a5f67fea0409d0ede354871ca7f8482a16632ce181706436068c0e2
Opcode Fuzzy Hash: 88cc0785623c20493924a8822fc74d35e426a3286e0225bcb30cfbbe54bc341d
Instruction Fuzzy Hash: 88E01AB2509AC086F7A6CF2AF0847DEBBA0E749784F555049E397076A1CF7DE080CB45

Non-executed Functions

Function 00000001400695B0 Relevance: 74.0, APIs: 38, Strings: 4, Instructions: 453filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32 ref: 000000014006962F
DeleteObject.GDI32 ref: 000000014006964A
DestroyWindow.USER32 ref: 0000000140069661
GetDesktopWindow.USER32 ref: 0000000140069684
GetWindowRect.USER32 ref: 0000000140069692
SetRect.USER32 ref: 00000001400697F7
AdjustWindowRectEx.USER32 ref: 000000014006980B
CreateWindowExW.USER32 ref: 0000000140069876
GetClientRect.USER32 ref: 000000014006988B
CreateWindowExW.USER32 ref: 00000001400698FC
CreateFileW.KERNEL32 ref: 0000000140069932
GetFileSize.KERNEL32 ref: 000000014006994A
GlobalAlloc.KERNEL32 ref: 0000000140069958
GlobalLock.KERNEL32 ref: 0000000140069964
ReadFile.KERNEL32 ref: 0000000140069980
GlobalUnlock.KERNEL32 ref: 0000000140069989
CloseHandle.KERNEL32 ref: 0000000140069992
CreateStreamOnHGlobal.OLE32 ref: 00000001400699A7
OleLoadPicture.OLEAUT32 ref: 00000001400699CE
GlobalFree.KERNEL32 ref: 00000001400699E5
CopyImage.USER32 ref: 0000000140069A22
SendMessageW.USER32 ref: 0000000140069A51
SetWindowPos.USER32 ref: 0000000140069A91
ShowWindow.USER32 ref: 0000000140069D34

Strings

, xrefs: 0000000140069A6F
static, xrefs: 00000001400698D8, 0000000140069AEA
DISPLAY, xrefs: 0000000140069B00
AutoIt v3, xrefs: 0000000140069839

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteObject$AdjustAllocClientCloseCopyDesktopDestroyFreeHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2724474984-2373415609
Opcode ID: 4164bb3ced22008db81e9afab59b5730aff700940dba59af4b8a7231f0fb7cec
Instruction ID: 9a07deec045067fb5251e0d17d065117d76aa677994ae4e41597103bdaa712ca
Opcode Fuzzy Hash: 4164bb3ced22008db81e9afab59b5730aff700940dba59af4b8a7231f0fb7cec
Instruction Fuzzy Hash: 65226876214A8186EB65DF2AE89479AB7A1F38CBD4F108515EB8E83B74DF38C545CB00

Function 0000000140095370 Relevance: 70.6, APIs: 38, Strings: 2, Instructions: 602windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140040510: GetWindowLongPtrW.USER32 ref: 000000014004052D

GetWindowLongW.USER32 ref: 0000000140095442
SendMessageW.USER32 ref: 0000000140095470
SendMessageW.USER32 ref: 000000014009549E
GetKeyState.USER32 ref: 0000000140095554
GetKeyState.USER32 ref: 0000000140095568
SendMessageW.USER32 ref: 0000000140095585
GetKeyState.USER32 ref: 0000000140095591
SendMessageW.USER32 ref: 00000001400955BB
SendMessageW.USER32 ref: 000000014009564E
SendMessageW.USER32 ref: 000000014009567C
GetCursorPos.USER32 ref: 0000000140095715
ScreenToClient.USER32 ref: 0000000140095723
SendMessageW.USER32 ref: 0000000140095785
SendMessageW.USER32 ref: 00000001400957B9
SendMessageW.USER32 ref: 00000001400957F0
SendMessageW.USER32 ref: 0000000140095829
SendMessageW.USER32 ref: 000000014009584B
SendMessageW.USER32 ref: 0000000140095861
GetCursorPos.USER32 ref: 0000000140095887
ScreenToClient.USER32 ref: 0000000140095895
GetParent.USER32 ref: 00000001400958B7
SendMessageW.USER32 ref: 0000000140095923
SendMessageW.USER32 ref: 0000000140095960
ClientToScreen.USER32 ref: 00000001400959C9
TrackPopupMenuEx.USER32 ref: 0000000140095A07
SendMessageW.USER32 ref: 0000000140095A2C
SendMessageW.USER32 ref: 0000000140095A54
ClientToScreen.USER32 ref: 0000000140095AAE
TrackPopupMenuEx.USER32 ref: 0000000140095AEF
GetWindowLongW.USER32 ref: 0000000140095BAA
ReleaseCapture.USER32 ref: 0000000140095C2B
DefDlgProcW.USER32 ref: 0000000140095DE0

Strings

F, xrefs: 0000000140095A5A
@GUI_DRAGID, xrefs: 0000000140095D4F

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: MessageSend$ClientScreen$LongStateWindow$CursorMenuPopupTrack$CaptureParentProcRelease
String ID: @GUI_DRAGID$F
API String ID: 2508893801-4164748364
Opcode ID: fb8b783551ecde8b027475f317c8f230ecfadd36f3eefdd4d5709bae92c28627
Instruction ID: 728000abf484fce369728cd80490c48e112e1bddd30337868a909b565e8bf383
Opcode Fuzzy Hash: fb8b783551ecde8b027475f317c8f230ecfadd36f3eefdd4d5709bae92c28627
Instruction Fuzzy Hash: D552AF36205A8586EB61EB2BD4947EE7BA0F78CBD5F504512EB8943BB4DF38C495C700

Function 0000000140064770 Relevance: 60.0, APIs: 32, Strings: 2, Instructions: 479windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 000000014006484C
SendMessageW.USER32 ref: 00000001400648A5

Strings

%d/%02d/%02d, xrefs: 0000000140064C60
P, xrefs: 0000000140064910

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d$P
API String ID: 3850602802-3070753401
Opcode ID: 83ec8c0039ceabca3fa3fced7cfbe2a11b69e96acfd590ea1baf34fe0e8d11d8
Instruction ID: 9a738265a87f01508e4a397e5384e8996a40eddf186bb8e49adb9349f7cc23e0
Opcode Fuzzy Hash: 83ec8c0039ceabca3fa3fced7cfbe2a11b69e96acfd590ea1baf34fe0e8d11d8
Instruction Fuzzy Hash: 2512B37121468186F7A69F26EC947EE67A2F789BC0F604821FB4A57BB5DF3CC4458B00

Function 0000000140069000 Relevance: 51.0, APIs: 22, Strings: 7, Instructions: 275windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 0000000140069055
SystemParametersInfoW.USER32 ref: 0000000140069112
SetRect.USER32 ref: 0000000140069156
AdjustWindowRectEx.USER32 ref: 0000000140069169
CreateWindowExW.USER32 ref: 00000001400691CB
GetClientRect.USER32 ref: 00000001400691E0
CreateWindowExW.USER32 ref: 0000000140069250
CreateDCW.GDI32 ref: 000000014006926C
GetStockObject.GDI32 ref: 000000014006927B
SelectObject.GDI32 ref: 0000000140069287
GetTextFaceW.GDI32 ref: 000000014006929B
GetDeviceCaps.GDI32 ref: 00000001400692A7
DeleteDC.GDI32 ref: 00000001400692B2
CreateFontW.GDI32 ref: 0000000140069317
SendMessageW.USER32 ref: 0000000140069331
CreateWindowExW.USER32 ref: 0000000140069392
SendMessageW.USER32 ref: 00000001400693B0
SendMessageW.USER32 ref: 00000001400693C8
CreateWindowExW.USER32 ref: 0000000140069428
GetStockObject.GDI32 ref: 0000000140069437
SendMessageW.USER32 ref: 000000014006944D
ShowWindow.USER32 ref: 000000014006945D

Strings

msctls_progress32, xrefs: 0000000140069387
d, xrefs: 000000014006914E
2, xrefs: 00000001400693FB
static, xrefs: 000000014006923B, 000000014006940F
DISPLAY, xrefs: 0000000140069256
7, xrefs: 000000014006941B
AutoIt v3, xrefs: 00000001400691A7

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: 2$7$AutoIt v3$DISPLAY$d$msctls_progress32$static
API String ID: 2910397461-2060845292
Opcode ID: 26d3fea1d52b4a7fcd0192db161ca5a97e872c640497ce0c67b31f6e66ccafb0
Instruction ID: a9fb078eb8271a67efd983614ce63579cbe0e3b67d8b9934631e4a0c1fcbdb85
Opcode Fuzzy Hash: 26d3fea1d52b4a7fcd0192db161ca5a97e872c640497ce0c67b31f6e66ccafb0
Instruction Fuzzy Hash: 03D13572214B818BEB11CF6AE88479ABBA5F78CBD4F504115EB8A43B74DF38C555CB00

Function 00000001400252D0 Relevance: 39.0, APIs: 21, Strings: 1, Instructions: 468COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000140025321
_errno.LIBCMT ref: 0000000140025328

Strings

U, xrefs: 00000001400258DF

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: __doserrno_errno
String ID: U
API String ID: 921712934-4171548499
Opcode ID: f17c7409fd6f1305ebfd63a193f5a45a4aa281886a54e13cf2b38f3b845c4217
Instruction ID: 344956aae6395a7da4bdabf74ac75ef787710043ed1c85488b9f807f7862f7f8
Opcode Fuzzy Hash: f17c7409fd6f1305ebfd63a193f5a45a4aa281886a54e13cf2b38f3b845c4217
Instruction Fuzzy Hash: 9912F63221464186EB22AF26E4487EAB7A0F38CBD5F54411AFB8947BB5DF3DC845CB14

Function 0000000140065470 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 262windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 00000001400655D9
GetDesktopWindow.USER32 ref: 00000001400655EF
GetWindowRect.USER32 ref: 00000001400655FD
GetWindowLongW.USER32 ref: 000000014006566E
DestroyWindow.USER32 ref: 000000014006568A
CreateWindowExW.USER32 ref: 00000001400656E8
SendMessageW.USER32 ref: 0000000140065708
SendMessageW.USER32 ref: 0000000140065731
SendMessageW.USER32 ref: 000000014006574E
SendMessageW.USER32 ref: 000000014006576B
IsWindowVisible.USER32 ref: 000000014006578F
SendMessageW.USER32 ref: 00000001400657B2
SendMessageW.USER32 ref: 00000001400657D0
GetWindowRect.USER32 ref: 00000001400657F0
MonitorFromPoint.USER32 ref: 0000000140065817
GetMonitorInfoW.USER32 ref: 0000000140065833
CopyRect.USER32 ref: 000000014006584B
SendMessageW.USER32 ref: 00000001400658C9

Strings

(, xrefs: 0000000140065825
tooltips_class32, xrefs: 00000001400656DA
@, xrefs: 000000014006556A

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($@$tooltips_class32
API String ID: 698492251-1054245302
Opcode ID: 4c70c4e12b495085e41502f1786a27a74d19ebfa89eb0387848b2412a9fdd613
Instruction ID: 3491717d3a2c8f742b1b4c88d725ba758e1f9dddadc39780648a4ce3520af55b
Opcode Fuzzy Hash: 4c70c4e12b495085e41502f1786a27a74d19ebfa89eb0387848b2412a9fdd613
Instruction Fuzzy Hash: 11C17F762046808AEB61DF2AE8547DE77A1F788BC9F544425EF8E47B69DF38C485CB00

Function 000000014007E010 Relevance: 30.2, APIs: 20, Instructions: 155clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 000000014007E052
IsClipboardFormatAvailable.USER32 ref: 000000014007E05F
GetClipboardData.USER32 ref: 000000014007E06D
CloseClipboard.USER32 ref: 000000014007E07B
GlobalLock.KERNEL32 ref: 000000014007E0A0
CloseClipboard.USER32 ref: 000000014007E0AB
GlobalUnlock.KERNEL32 ref: 000000014007E0C6
IsClipboardFormatAvailable.USER32 ref: 000000014007E0D6
GetClipboardData.USER32 ref: 000000014007E0E5
GlobalLock.KERNEL32 ref: 000000014007E0F6
GlobalUnlock.KERNEL32 ref: 000000014007E135
CloseClipboard.USER32 ref: 000000014007E25E

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: c0b507db708e8bfe58f69cea012c595d023c63e578772427b80ccb776e854293
Instruction ID: 83198519a7593672fd1552ce02ddf1168a3ffc2b0b48ef5ac63973d95b08d745
Opcode Fuzzy Hash: c0b507db708e8bfe58f69cea012c595d023c63e578772427b80ccb776e854293
Instruction Fuzzy Hash: BC615E31301A8082EA62EB67E8543ED6362F78DBC0F954021FB4A477B5DE7DC98AC741

Function 0000000140027640 Relevance: 28.9, APIs: 19, Instructions: 377COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,?,0000000140027BF1), ref: 00000001400276B2
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,?,0000000140027BF1), ref: 00000001400276C8
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,?,0000000140027BF1), ref: 0000000140027772
malloc.LIBCMT ref: 00000001400277E3
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,?,0000000140027BF1), ref: 000000014002781A
LCMapStringW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,?,0000000140027BF1), ref: 000000014002783F
LCMapStringW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,?,0000000140027BF1), ref: 000000014002788F
malloc.LIBCMT ref: 00000001400278E2
LCMapStringW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,?,0000000140027BF1), ref: 000000014002791C
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,?,0000000140027BF1), ref: 000000014002795F
free.LIBCMT ref: 0000000140027970
free.LIBCMT ref: 000000014002797E
LCMapStringA.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,?,0000000140027BF1), ref: 0000000140027A0D
malloc.LIBCMT ref: 0000000140027A7B
LCMapStringA.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,?,0000000140027BF1), ref: 0000000140027AC4
free.LIBCMT ref: 0000000140027B0C
LCMapStringA.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,?,0000000140027BF1), ref: 0000000140027B2C
free.LIBCMT ref: 0000000140027B3E
free.LIBCMT ref: 0000000140027B50

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: String$free$ByteCharMultiWidemalloc$ErrorLast
String ID:
API String ID: 1837315383-0
Opcode ID: d88c174ac1e0c241e79c1e5b8991af1bcb444650aad98657097e2e292d47a38c
Instruction ID: 17c2fe67eefb499ba7c5ced4fd26a23ff4c78a7f5379d8effcef1fbf33a2ec25
Opcode Fuzzy Hash: d88c174ac1e0c241e79c1e5b8991af1bcb444650aad98657097e2e292d47a38c
Instruction Fuzzy Hash: 3DF16D722046808AEB668F26E440BD977A1F78CBE8F544619FB5E57BE8DB38CD418700

Function 000000014005D710 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 137filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400169D0: GetFullPathNameW.KERNEL32 ref: 00000001400169F5

Part of subcall function 0000000140043750: GetFileAttributesW.KERNEL32 ref: 0000000140043754

FindFirstFileW.KERNEL32 ref: 000000014005D804
lstrcmpiW.KERNEL32 ref: 000000014005D8BF
DeleteFileW.KERNEL32 ref: 000000014005D8D1
MoveFileW.KERNEL32 ref: 000000014005D8EF
MoveFileW.KERNEL32 ref: 000000014005D904
CopyFileW.KERNEL32 ref: 000000014005D913
DeleteFileW.KERNEL32 ref: 000000014005D922
FindNextFileW.KERNEL32 ref: 000000014005D945
FindClose.KERNEL32 ref: 000000014005D95E
FindClose.KERNEL32 ref: 000000014005D96E

Strings

\*.*, xrefs: 000000014005D78B, 000000014005D7B1

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: File$Find$CloseDeleteMove$AttributesCopyFirstFullNameNextPathlstrcmpi
String ID: \*.*
API String ID: 1271585379-1173974218
Opcode ID: 9ccba4b190a0a9418007bc64a1ff9cdc7fa516cb3593b1daee45a707a26bc91d
Instruction ID: 60f53d042695af30dc5a83cacec9bebaa5fc9e4c5896a4dda348cd04f90f769b
Opcode Fuzzy Hash: 9ccba4b190a0a9418007bc64a1ff9cdc7fa516cb3593b1daee45a707a26bc91d
Instruction Fuzzy Hash: 03613132214A8691EA32DF16E8403DA7361F7897C4FD05113F78A43AE9EF7AC649C740

Function 0000000140041150 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 103fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32 ref: 000000014004117E
GetFileAttributesW.KERNEL32 ref: 00000001400411BC
SetFileAttributesW.KERNEL32 ref: 00000001400411D6
FindNextFileW.KERNEL32 ref: 00000001400411EB
FindClose.KERNEL32 ref: 00000001400411F8
FindClose.KERNEL32 ref: 0000000140041216
FindFirstFileW.KERNEL32 ref: 000000014004122F
SetCurrentDirectoryW.KERNEL32 ref: 000000014004127F
SetCurrentDirectoryW.KERNEL32 ref: 00000001400412B5
FindNextFileW.KERNEL32 ref: 00000001400412C3
FindClose.KERNEL32 ref: 00000001400412D6

Strings

*.*, xrefs: 0000000140041228

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 2b3c2fda741ad657fea1ada4a1caaf361a53db8617e5c9f0b3ee51964182b341
Instruction ID: e3bdafcf43c987d8ceab023587c442a3ab70332120cd08991579e36b5cb38a19
Opcode Fuzzy Hash: 2b3c2fda741ad657fea1ada4a1caaf361a53db8617e5c9f0b3ee51964182b341
Instruction Fuzzy Hash: B8419031204A4196EB629F57E9883E963A1F7CD7E4F908221FB69836F4DF78C549C700

Function 00000001400550E0 Relevance: 19.7, APIs: 13, Instructions: 161keyboardwindowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 000000014005511A
GetKeyboardState.USER32 ref: 000000014005512E
PostMessageW.USER32 ref: 000000014005518B
PostMessageW.USER32 ref: 00000001400551B4
PostMessageW.USER32 ref: 00000001400551D9
PostMessageW.USER32 ref: 0000000140055200
PostMessageW.USER32 ref: 0000000140055225
SetKeyboardState.USER32 ref: 000000014005526A
keybd_event.USER32 ref: 0000000140055287
keybd_event.USER32 ref: 000000014005529D
keybd_event.USER32 ref: 00000001400552B4
keybd_event.USER32 ref: 00000001400552CA
keybd_event.USER32 ref: 00000001400552E0

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: MessagePostkeybd_event$KeyboardState$Parent
String ID:
API String ID: 2502892551-0
Opcode ID: 87990029baa16f46f895555645904e6ef62e0f7e2816204bd0308b9074fc9f9c
Instruction ID: eccad09f2804820fea9e6f77cdbb516ee1ec3f01ff4c75237f50407c0cc0d23a
Opcode Fuzzy Hash: 87990029baa16f46f895555645904e6ef62e0f7e2816204bd0308b9074fc9f9c
Instruction Fuzzy Hash: 095106362156A003F3669B6BA5647EA2BE0F78EBC5F081515EF890BFA1CB3AC515C740

Function 0000000140079620 Relevance: 18.2, APIs: 12, Instructions: 207windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32 ref: 0000000140079724
GetMenuItemCount.USER32 ref: 00000001400797B6
DeleteMenu.USER32 ref: 0000000140079877
DeleteMenu.USER32 ref: 0000000140079887
DeleteMenu.USER32 ref: 0000000140079897
DeleteMenu.USER32 ref: 00000001400798A7
GetMenuItemCount.USER32 ref: 00000001400798B4
SetMenuItemInfoW.USER32 ref: 00000001400798F8
GetCursorPos.USER32 ref: 0000000140079906
SetForegroundWindow.USER32 ref: 000000014007990F
TrackPopupMenuEx.USER32 ref: 0000000140079934
PostMessageW.USER32 ref: 0000000140079945

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow
String ID:
API String ID: 1441871840-0
Opcode ID: 97476830ca048d85e6150dd51ddafd595b1babfbbdda98b9ba8997652faeab80
Instruction ID: 1e41386b4f35843d74280deceda672538b1dcba4a13c970fd01b7f0cf74be108
Opcode Fuzzy Hash: 97476830ca048d85e6150dd51ddafd595b1babfbbdda98b9ba8997652faeab80
Instruction Fuzzy Hash: A0919A7221868086E76ACF27E4547DD77A1F78CBC8F598121EB4A57AB8CB3CC505CB40

Function 0000000140052490 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 98fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32 ref: 00000001400524BE
FindNextFileW.KERNEL32 ref: 000000014005251B
FindClose.KERNEL32 ref: 0000000140052528
FindClose.KERNEL32 ref: 0000000140052546
FindFirstFileW.KERNEL32 ref: 000000014005255F
SetCurrentDirectoryW.KERNEL32 ref: 00000001400525AF
SetCurrentDirectoryW.KERNEL32 ref: 00000001400525E5
FindNextFileW.KERNEL32 ref: 00000001400525F3
FindClose.KERNEL32 ref: 0000000140052606

Part of subcall function 0000000140043A00: CreateFileW.KERNEL32 ref: 0000000140043A35

Strings

*.*, xrefs: 0000000140052558

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: c10d5695760d4316301d53df43b98dc4a8203f5a2bc72a644b238d45ec82efa0
Instruction ID: c83abfe67e304a4f1c3c34daf9a82ba4ed2682e82bcffad49aebdfae7086c7d4
Opcode Fuzzy Hash: c10d5695760d4316301d53df43b98dc4a8203f5a2bc72a644b238d45ec82efa0
Instruction Fuzzy Hash: 2241B231204A8191EF62DB1BE8983E96360FB8E7E4F904211FBA9476F4EF79C549C700

Function 00000001400412F0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 94fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32 ref: 000000014004131D
CreateDirectoryW.KERNEL32 ref: 0000000140041381
CreateFileW.KERNEL32 ref: 00000001400413B3
RemoveDirectoryW.KERNEL32 ref: 00000001400413C5
DeviceIoControl.KERNEL32 ref: 000000014004146E
CloseHandle.KERNEL32 ref: 000000014004147B
CloseHandle.KERNEL32 ref: 0000000140041486

Strings

\??\%s, xrefs: 0000000140041338
:, xrefs: 0000000140041365
\, xrefs: 0000000140041353

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove
String ID: :$\$\??\%s
API String ID: 3827137101-3457252023
Opcode ID: b9189f52fba38b033c1dcae1586af9e704a13d9f9ae581a494e12a6ffc91abbd
Instruction ID: 168f88fefd50a2a91d0fd5a19ef0b0fce76bf4e6b4bc6b3ea27d9cfceac2beb1
Opcode Fuzzy Hash: b9189f52fba38b033c1dcae1586af9e704a13d9f9ae581a494e12a6ffc91abbd
Instruction Fuzzy Hash: 2C41AB72218A9192EB32EF56F4447DEB360F7C87E4F414121FB9A43AA8CB79C645CB40

Function 0000000140043060 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 66shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0000000140043078
OpenProcessToken.ADVAPI32 ref: 000000014004308B
LookupPrivilegeValueW.ADVAPI32 ref: 00000001400430AC
AdjustTokenPrivileges.ADVAPI32 ref: 00000001400430DC
GetLastError.KERNEL32 ref: 00000001400430E2
ExitWindowsEx.USER32 ref: 0000000140043100

Strings

SeShutdownPrivilege, xrefs: 00000001400430A3

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 107509674-3733053543
Opcode ID: 83a8fdc66c4410dae4e994ec0a2bd467059dbb7e7eb05512e5a65c2837b9644c
Instruction ID: 1d905c15c0cc8f9c49d134815bd0d3c676fab69afd38fe862b0be8432ebae03d
Opcode Fuzzy Hash: 83a8fdc66c4410dae4e994ec0a2bd467059dbb7e7eb05512e5a65c2837b9644c
Instruction Fuzzy Hash: DA216B72604B8186F7658F26B84539EB661F7CC784F455139FB8A43A79CF38C855CB04

Function 00000001400222AC Relevance: 15.7, APIs: 10, Instructions: 726COMMON

Download Yara Rule

APIs

Part of subcall function 00000001400185FC: _getptd.LIBCMT ref: 0000000140018612

_errno.LIBCMT ref: 0000000140022317

Part of subcall function 0000000140020B28: DecodePointer.KERNEL32 ref: 0000000140020B4F

DecodePointer.KERNEL32 ref: 0000000140022906
DecodePointer.KERNEL32 ref: 000000014002294A
DecodePointer.KERNEL32 ref: 0000000140022971
write_multi_char.LIBCMT ref: 0000000140022A07
write_multi_char.LIBCMT ref: 0000000140022A41
write_char.LIBCMT ref: 0000000140022A92
write_multi_char.LIBCMT ref: 0000000140022AEC
free.LIBCMT ref: 0000000140022B17

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: DecodePointer$write_multi_char$_errno_getptdfreewrite_char
String ID:
API String ID: 2334620807-0
Opcode ID: 8d1fc7f7eeba17d4e0c74e89ff9a7773f0a651cbf0944b72ceed6a89af073d38
Instruction ID: 45441668a0f4ed6bd227ec28e93b682d63a1fdcbcfeb111eb32bee8b1856874d
Opcode Fuzzy Hash: 8d1fc7f7eeba17d4e0c74e89ff9a7773f0a651cbf0944b72ceed6a89af073d38
Instruction Fuzzy Hash: 5452E33260868496FB728B96A4443FEB7A1F38D7C4F64491AFB4647AF4DA79CC50CB01

Function 00000001400596C0 Relevance: 15.2, APIs: 10, Instructions: 176windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 0000000140059770
SendMessageW.USER32 ref: 0000000140059784
GetWindowLongW.USER32 ref: 00000001400597B3
SendMessageW.USER32 ref: 00000001400597DD
SendMessageW.USER32 ref: 0000000140059875
SendMessageW.USER32 ref: 00000001400598D0

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: a1973251a1d02200d454ba11cf3710c729313f9f4d6683454e6198d4a99f3f60
Instruction ID: 0b54b48463d540c9bcd3c871880528857b67946493941cf9cd743ae1c26a840e
Opcode Fuzzy Hash: a1973251a1d02200d454ba11cf3710c729313f9f4d6683454e6198d4a99f3f60
Instruction Fuzzy Hash: B5818D76218A9582EB21DF2AE4547DA77A0F38CBD4F545112EB8E43BB4DF39C186CB00

Function 000000014006A500 Relevance: 13.6, APIs: 9, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 000000014006A557
EmptyClipboard.USER32 ref: 000000014006A55D
GlobalAlloc.KERNEL32 ref: 000000014006A572
CloseClipboard.USER32 ref: 000000014006A62B

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 2d9620d7a1f9600c1f943dc23f7b52697a908126bcf2c7b69e39ec8e54a36836
Instruction ID: a3bf94ab97966422eb3e7d7050bc60e1dfd6716e5ed9f526cb4ee92d7871b0cf
Opcode Fuzzy Hash: 2d9620d7a1f9600c1f943dc23f7b52697a908126bcf2c7b69e39ec8e54a36836
Instruction Fuzzy Hash: F1314A32201A4082EB16EF56E8943AA7361EB8DBC4F548425FB4A47775DF3CC5558700

Function 00000001400840E0 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 272timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00000001400841CE
VariantCopy.OLEAUT32 ref: 00000001400841DA
VariantClear.OLEAUT32 ref: 00000001400841ED

Part of subcall function 0000000140018908: malloc.LIBCMT ref: 0000000140018922

VariantTimeToSystemTime.OLEAUT32 ref: 0000000140084242

Part of subcall function 000000014001930C: _errno.LIBCMT ref: 0000000140019325

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 000000014008427A

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Variant$Time$ClearCopyInitSystem_errnomalloc
String ID: %4d%02d%02d%02d%02d%02d
API String ID: 3599330277-1568723262
Opcode ID: ea57b427a0f3ba8e31a92368419fa9da8deae008e67d67246e1143834a07e872
Instruction ID: 3c1173a99c85122bd8f0265e9e1e2618921fd9b3200f0e4c6f231ef978342b47
Opcode Fuzzy Hash: ea57b427a0f3ba8e31a92368419fa9da8deae008e67d67246e1143834a07e872
Instruction Fuzzy Hash: A8C1CF7720464085EB6A9F2BD0A43BE67A0F74DBC4F59A525F74A077B4CB39CA91C300

Function 00000001400907C0 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 263COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0000000140090BBA
Not an Object type, xrefs: 000000014009084E
Conversion of parameters failed, xrefs: 0000000140090951

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID:
String ID: Conversion of parameters failed$NULL Pointer assignment$Not an Object type
API String ID: 0-4206948668
Opcode ID: f584ac4ca2a0e1b0148c23b100fee310bf220beaa87864a855338b94f0c77a26
Instruction ID: bed83e1766132342390a0766ba1cc7770a65e17ae49490f06df4ef4954a42e27
Opcode Fuzzy Hash: f584ac4ca2a0e1b0148c23b100fee310bf220beaa87864a855338b94f0c77a26
Instruction Fuzzy Hash: 7BB1A132204B848AEA629F26E4407DEB7A1F78CBC4F944125FB8D57BA9DF78C545CB40

Function 0000000140091620 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 249comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32 ref: 00000001400916B3
CLSIDFromProgID.OLE32 ref: 00000001400916D6
CoCreateInstance.OLE32 ref: 0000000140091727
CoInitializeSecurity.OLE32 ref: 00000001400917EA
CoCreateInstanceEx.OLE32 ref: 0000000140091A1F
CoSetProxyBlanket.OLE32 ref: 0000000140091A85

Strings

NULL Pointer assignment, xrefs: 0000000140091AB3

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: CreateInitializeInstance$BlanketFromProgProxySecurity
String ID: NULL Pointer assignment
API String ID: 628432406-2785691316
Opcode ID: 8675240a9f6ff99cc91903516df774b57535dff84b71b0788354e51fdd1d736b
Instruction ID: 77f78eda5953086dea4007cd99e066c6ed21df11dd3fff5dd3e7f21170204004
Opcode Fuzzy Hash: 8675240a9f6ff99cc91903516df774b57535dff84b71b0788354e51fdd1d736b
Instruction Fuzzy Hash: F0D10672208BC086DB72DB26E4907DAB7A5F7C8784F804516EB8D47BA9DF78C549CB40

Function 00000001400027A0 Relevance: 12.5, APIs: 8, Instructions: 458COMMON

Download Yara Rule

APIs

std::exception_ptr::_Current_exception.LIBCONCRT ref: 0000000140037CE9
VariantClear.OLEAUT32 ref: 0000000140037D06
std::exception_ptr::_Current_exception.LIBCONCRT ref: 0000000140037D2F
std::exception_ptr::_Current_exception.LIBCONCRT ref: 0000000140037D7B

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Current_exceptionstd::exception_ptr::_$ClearVariant
String ID:
API String ID: 332225251-0
Opcode ID: d39f7079953ed73137c99f63ee4a730f8bf910d5797d4d98d59e3f828d78e890
Instruction ID: 31b36d0ee1cd6e2fdac15967972bb73727a1ce56cc4b574e7682adb4e99c1632
Opcode Fuzzy Hash: d39f7079953ed73137c99f63ee4a730f8bf910d5797d4d98d59e3f828d78e890
Instruction Fuzzy Hash: B6127D7221964086FA77EA27E0947EA63A4FB8D7C4F548212FB4E47AB6DF38C551C700

Function 0000000140067370 Relevance: 12.3, APIs: 8, Instructions: 339COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32 ref: 0000000140067539
GetSystemDirectoryW.KERNEL32 ref: 0000000140067567
GetCurrentDirectoryW.KERNEL32 ref: 00000001400675AB
GetCurrentDirectoryW.KERNEL32 ref: 00000001400675D9
GetLastError.KERNEL32 ref: 00000001400677DA
CloseHandle.KERNEL32 ref: 000000014006781C

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Directory$CurrentSystem$CloseErrorHandleLast
String ID:
API String ID: 1985256609-0
Opcode ID: 47d9be43964a578d249049df4b48fedb74f1beacf1253f88fe9b99816a1b2d0c
Instruction ID: a2fd946ae09bf3b2a4bcbbf7acbf9a895d0dc1e7509cb58d6e0bfa829d598841
Opcode Fuzzy Hash: 47d9be43964a578d249049df4b48fedb74f1beacf1253f88fe9b99816a1b2d0c
Instruction Fuzzy Hash: 7DE16932204A8081EB62DF26E8513EAA7A2F7C8BD4F544525BF5E8B7B9DF39C441C740

Function 000000014002B050 Relevance: 12.2, APIs: 8, Instructions: 228COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000014002B09B

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: 9ac473dd6cfae0c9c89445d0aebe92cf218283cc05050fb9e0b06e4c54391f23
Instruction ID: d1997ccd25930f81d8eba2ee0339f2e149a22da6f79c3c7fc9c7d66c6d64b71a
Opcode Fuzzy Hash: 9ac473dd6cfae0c9c89445d0aebe92cf218283cc05050fb9e0b06e4c54391f23
Instruction Fuzzy Hash: AD91863220478086EB728F16A4543AEB7A5F789BE4F544219FB9913AF5DB38CD91CB01

Function 00000001400270B0 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 000000014002F98F
RtlLookupFunctionEntry.KERNEL32 ref: 000000014002F9AE
RtlVirtualUnwind.KERNEL32 ref: 000000014002F9FA
IsDebuggerPresent.KERNEL32 ref: 000000014002FA6C
SetUnhandledExceptionFilter.KERNEL32 ref: 000000014002FA84
UnhandledExceptionFilter.KERNEL32 ref: 000000014002FA91
GetCurrentProcess.KERNEL32 ref: 000000014002FAAA
TerminateProcess.KERNEL32 ref: 000000014002FAB8

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
String ID:
API String ID: 3778485334-0
Opcode ID: 0edd64cb9803f967ed20c10d554a4ab3018a42dcfe59f888d84efd305078bda4
Instruction ID: 0be52a74e45efd92516ea653374d142cb38f9b34e4de997e897f2686a4c8d230
Opcode Fuzzy Hash: 0edd64cb9803f967ed20c10d554a4ab3018a42dcfe59f888d84efd305078bda4
Instruction Fuzzy Hash: 45319B35619F8485EB529F96F8843AAA3B0F7887D4F50412AEB8D437B5DF78C4888B00

Function 00000001400787F0 Relevance: 10.8, APIs: 7, Instructions: 280COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32 ref: 00000001400788DE
SafeArrayAccessData.OLEAUT32 ref: 000000014007892A

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: ArraySafe$AccessDataVartype
String ID:
API String ID: 2857666278-0
Opcode ID: 52da563559987975dee47a06117f09e78d210d128d70aa0a6aef6731d9853c29
Instruction ID: a117c610dd53d33a9ddc6f80a655bfab3c4d1394f6afb0c6553209ab6173fdef
Opcode Fuzzy Hash: 52da563559987975dee47a06117f09e78d210d128d70aa0a6aef6731d9853c29
Instruction Fuzzy Hash: 23C16972254A8485EA729F1AE4843EE63A0F789BC0F489016EF8A977B5EF3CC541D341

Function 0000000140080760 Relevance: 9.8, Strings: 5, Instructions: 3597COMMON

Download Yara Rule

Strings

Q\E, xrefs: 0000000140082D2F
, xrefs: 0000000140083647
<, xrefs: 000000014008363F
ACCEPT, xrefs: 0000000140080CD3
DEFINE, xrefs: 00000001400812E5

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID:
String ID: $<$ACCEPT$DEFINE$Q\E
API String ID: 0-145152736
Opcode ID: e132bef0ef3c5424f6fe1ad17daea4119c725b16ba450fa61eb5e5efe2164c90
Instruction ID: b4984b04a6a9c59961c9224db4e543a364cf715332857e1a42d4ec3edc3f3c89
Opcode Fuzzy Hash: e132bef0ef3c5424f6fe1ad17daea4119c725b16ba450fa61eb5e5efe2164c90
Instruction Fuzzy Hash: CF7337736086C08AE7768F2A94443EE7BA1F3997C4F148126EBC647BE5DB39C645CB01

Function 0000000140080020 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 367COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140018908: malloc.LIBCMT ref: 0000000140018922

VkKeyScanA.USER32 ref: 0000000140080211
VkKeyScanA.USER32 ref: 000000014008022B

Part of subcall function 0000000140030224: _errno.LIBCMT ref: 0000000140030236

Strings

off, xrefs: 000000014008014C
0%d, xrefs: 0000000140080193
down, xrefs: 0000000140080115

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Scan$_errnomalloc
String ID: 0%d$down$off
API String ID: 3798907516-2112978555
Opcode ID: 488ae4b5e363461bb05f2cc412ff2a7621869acfb6911dde2822c9e1b9d95277
Instruction ID: 8f1b1c42d7d896cb0926072b77a0264a2641ebf823565fb2609156f79882e737
Opcode Fuzzy Hash: 488ae4b5e363461bb05f2cc412ff2a7621869acfb6911dde2822c9e1b9d95277
Instruction Fuzzy Hash: 00E1FF33608A4086FBE69A2795643FF27A1F79E7C0F644014FB4647AB5D739CA819B30

Function 00000001400474F0 Relevance: 9.1, APIs: 6, Instructions: 76processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0000000140047544
OpenProcessToken.ADVAPI32 ref: 0000000140047557
CreateEnvironmentBlock.USERENV ref: 000000014004756A
CloseHandle.KERNEL32 ref: 0000000140047577
CreateProcessWithLogonW.ADVAPI32 ref: 00000001400475E0
DestroyEnvironmentBlock.USERENV ref: 00000001400475F6

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 4efd150af4fcc6165874354a59a684fb7bb068e96685822a85695c70c20cb91e
Instruction ID: 43e01d2fefbd4e02f726d46d6805291d15aad5a261fd9c5e73c47040ea6f4b8f
Opcode Fuzzy Hash: 4efd150af4fcc6165874354a59a684fb7bb068e96685822a85695c70c20cb91e
Instruction Fuzzy Hash: 60316D36208B8486EB25CF16F884B9AB7A5F389BC4F55412AEF8E03724CF79D445CB44

Function 000000014002E050 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 298COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00000001400185FC: _getptd.LIBCMT ref: 0000000140018612

_errno.LIBCMT ref: 000000014002E0A5

Part of subcall function 0000000140020B28: DecodePointer.KERNEL32 ref: 0000000140020B4F

_errno.LIBCMT ref: 000000014002E0E4
_errno.LIBCMT ref: 000000014002E127

Strings

0, xrefs: 000000014002E08B
gfffffff, xrefs: 000000014002E411

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: _errno$DecodePointer_getptd
String ID: 0$gfffffff
API String ID: 2834218312-1804767287
Opcode ID: 11d2aafb110474071d65bda3aeb66691b4083431d6af9e6945a9040631012abc
Instruction ID: 1db39ee2ea22e20f4bbf01101a9610a850cc18e5768466d638ba6e9e5b684f41
Opcode Fuzzy Hash: 11d2aafb110474071d65bda3aeb66691b4083431d6af9e6945a9040631012abc
Instruction Fuzzy Hash: 76B176737483C887EB628B2AD1453DE7BA5E35A7D0F14822AEB59077E2C639CD55C300

Function 000000014001E828 Relevance: 7.7, APIs: 5, Instructions: 233COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000014001E84B

Part of subcall function 0000000140020B28: DecodePointer.KERNEL32 ref: 0000000140020B4F

_errno.LIBCMT ref: 000000014001E88E
__tzset.LIBCMT ref: 000000014001E8AB
_isindst.LIBCMT ref: 000000014001E954

Part of subcall function 0000000140029A24: _errno.LIBCMT ref: 0000000140029A46

_isindst.LIBCMT ref: 000000014001E9A8

Part of subcall function 00000001400299F4: _lock.LIBCMT ref: 0000000140029A02

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: _errno$_isindst$DecodePointer__tzset_lock
String ID:
API String ID: 2552603377-0
Opcode ID: a907c764126602912269a7c16c51cea8aaca26e279e9b4d3d170b7dba2b29a45
Instruction ID: b063e019e09990f54e9e510d060844243672fb21ae2c3c70fdfdc30c1d9110c4
Opcode Fuzzy Hash: a907c764126602912269a7c16c51cea8aaca26e279e9b4d3d170b7dba2b29a45
Instruction Fuzzy Hash: E09107B271078547EB699F2AD4557DE6391E798BC4F448029FB098FBAAEF39D4008B00

Function 000000014008A800 Relevance: 7.6, APIs: 5, Instructions: 136networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140075B00: inet_addr.WSOCK32 ref: 0000000140075B3D

socket.WSOCK32 ref: 000000014008A881
WSAGetLastError.WSOCK32 ref: 000000014008A8A4

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: ErrorLastinet_addrsocket
String ID:
API String ID: 4170576061-0
Opcode ID: 2270592e0769112adcaa9e0d64b514f0eb624ed0efa7f1f328d3b725ef109f78
Instruction ID: 1e4f372375d7632594186546d1d97a0e0249e8c37cc50fbfc227e61ec6c2bc36
Opcode Fuzzy Hash: 2270592e0769112adcaa9e0d64b514f0eb624ed0efa7f1f328d3b725ef109f78
Instruction Fuzzy Hash: 6A41BB7270065481FB26EF23B4117DEA790ABCEFE4F548125BF5A4BBA6DE39C1428740

Function 000000014001B82C Relevance: 7.6, APIs: 5, Instructions: 93COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000014001B870

Part of subcall function 0000000140020B28: DecodePointer.KERNEL32 ref: 0000000140020B4F

_errno.LIBCMT ref: 000000014001B89D
_errno.LIBCMT ref: 000000014001B8EB
_errno.LIBCMT ref: 000000014001B931
_errno.LIBCMT ref: 000000014001B94A

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: _errno$DecodePointer
String ID:
API String ID: 2310398763-0
Opcode ID: 223d288d6453d3bcef00a4f156df2324be7601a1fcb9cb7c5a84cfe808a29b69
Instruction ID: 48f94bc99277f4e48fca9e4abc63ca98034a17e9907a2b4cb2bfd7a3cf052559
Opcode Fuzzy Hash: 223d288d6453d3bcef00a4f156df2324be7601a1fcb9cb7c5a84cfe808a29b69
Instruction Fuzzy Hash: A931F23271079042FB779B2B99497EE2651A78D7E8F588219FB650BAF6CF398841C700

Function 000000014008C2F0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 197comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 000000014008C3B8
CoCreateInstance.OLE32 ref: 000000014008C3DE
CoUninitialize.OLE32 ref: 000000014008C606

Strings

.lnk, xrefs: 000000014008C33C, 000000014008C36F

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: .lnk
API String ID: 948891078-24824748
Opcode ID: d33bfedf85814bfc54947c057ae94d277d37b32c53f1785abbc3c88ecefe74d9
Instruction ID: 5d5295c153d4da8834381fef148356006c8c823467d9188f8cb12cd372430268
Opcode Fuzzy Hash: d33bfedf85814bfc54947c057ae94d277d37b32c53f1785abbc3c88ecefe74d9
Instruction Fuzzy Hash: B6814972304A8181EB61DF2BE480B9AA761F7CABC4F409025EF8E47B69DF39C545CB40

Function 0000000140031614 Relevance: 5.8, Strings: 4, Instructions: 795COMMONLIBRARYCODE

Download Yara Rule

Strings

1#INF, xrefs: 0000000140031758
1#IND, xrefs: 0000000140031745
1#QNAN, xrefs: 0000000140031790
1#SNAN, xrefs: 0000000140031728

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID:
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 0-2761157908
Opcode ID: dfa32b0492a28e09866f285dfcbd811647c6c70afdbae71a1a0aca6a9e6dcafe
Instruction ID: 0137ca25ace397149a54434f3ef70bca9d625660b96616786ed6c7501a6fa7a8
Opcode Fuzzy Hash: dfa32b0492a28e09866f285dfcbd811647c6c70afdbae71a1a0aca6a9e6dcafe
Instruction Fuzzy Hash: 4A62DC736186808BE7268B2AE000BEFBBA1F3DC784F649115FB8547AA5D739D951CF00

Function 000000014002A260 Relevance: 4.9, APIs: 3, Instructions: 435COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000014002A2F9
_errno.LIBCMT ref: 000000014002A583
__tzset.LIBCMT ref: 000000014002A779

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: _errno$__tzset
String ID:
API String ID: 3587134695-0
Opcode ID: b8669ab790a7489438d76ea71914e87339b07bd7b818acfd001e614849f9c930
Instruction ID: 3dde3b42be37450d324be9c7c0fc5e0626ffee4be073d2862e01163e7960b1aa
Opcode Fuzzy Hash: b8669ab790a7489438d76ea71914e87339b07bd7b818acfd001e614849f9c930
Instruction Fuzzy Hash: 38027632604680CBE76A8F2A94943AD67A1F38E7C5F64402EFB4597AA5CF3CCD85C701

Function 0000000140057420 Relevance: 4.6, Strings: 3, Instructions: 840COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00000001400578EE
VUUU, xrefs: 0000000140057835
ERCP, xrefs: 0000000140057509

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU
API String ID: 0-1497356910
Opcode ID: 23f32585640f6bdbca2bb1b87279304e821237ea24ceb413dad428f557531016
Instruction ID: 815bd5003afa6549cf51d5a104bf9302ddf182174b94146b2760b696d194661f
Opcode Fuzzy Hash: 23f32585640f6bdbca2bb1b87279304e821237ea24ceb413dad428f557531016
Instruction Fuzzy Hash: 6082A0326086C48AEB76CB16B4447EEB7A1F38C780F144516EBD957BE5CB3AC881DB05

Function 000000014006F0C0 Relevance: 4.6, APIs: 3, Instructions: 70COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 000000014006F0DF
GetDiskFreeSpaceExW.KERNEL32 ref: 000000014006F16D
SetErrorMode.KERNEL32 ref: 000000014006F1C2

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 836ccb428d910adbde194fcbbd43551357310cca536aecad202f2d1d1e5be410
Instruction ID: 28b5aaf803d62b1642e337d033da22690c0dd21f7916b4f9792381e66bc6dc32
Opcode Fuzzy Hash: 836ccb428d910adbde194fcbbd43551357310cca536aecad202f2d1d1e5be410
Instruction Fuzzy Hash: B7313E72214A8582EB22DF26E4903AA7761F7C9BC8F408111FB8E47765DF38C5858700

Function 0000000140043770 Relevance: 4.5, APIs: 3, Instructions: 19fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32 ref: 000000014004377C
FindFirstFileW.KERNEL32 ref: 000000014004378F
FindClose.KERNEL32 ref: 00000001400437A3

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: b22fb3a0715a1b586880db200e7c4ecdb464e4809298c77d28514c127117049a
Instruction ID: 42d94005bf4b416bfa79af7483b44afea1702d3469b5b780ec6f1b05c70ad234
Opcode Fuzzy Hash: b22fb3a0715a1b586880db200e7c4ecdb464e4809298c77d28514c127117049a
Instruction Fuzzy Hash: 59E0BFB0618600C2EE316B3AB8543D822507B9D7B5F545720F7BA472F0CB7CC5988604

Function 0000000140028404 Relevance: 3.2, APIs: 2, Instructions: 228COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 000000014002867B
RaiseException.KERNEL32 ref: 000000014002868C

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 2a40c51cb1579722dc7df1c521bd34491652beacd861a46ab227877f68ac8fa1
Instruction ID: 6e15391c603a1ffd5358fe07f9314664514806321338544215f293f6231594e9
Opcode Fuzzy Hash: 2a40c51cb1579722dc7df1c521bd34491652beacd861a46ab227877f68ac8fa1
Instruction Fuzzy Hash: BAB16E37625B9487EB66CF1AD48575DB7A0F388B84F159119EF9A83BB4CB39C841CB00

Function 000000014001B0AC Relevance: 3.2, APIs: 2, Instructions: 200fileCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014001B984: _errno.LIBCMT ref: 000000014001B98D

ReadFile.KERNEL32(00000000), ref: 000000014001B1D3

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: FileRead_errno
String ID:
API String ID: 971700318-0
Opcode ID: c883b80902826961c5d125593e4b6357055a996dcc543b3efd54b394aca33ec5
Instruction ID: a4f62e1cd98f9a97718b67e20b5d94854c25c4d3d35b7f141f0e0baf6614c63e
Opcode Fuzzy Hash: c883b80902826961c5d125593e4b6357055a996dcc543b3efd54b394aca33ec5
Instruction Fuzzy Hash: D081CE32600A849AEB638B26D4443ED67A4F74DBD8F4D4215FB590BBF5DB3AC985C300

Function 000000014001D46C Relevance: 2.7, Strings: 2, Instructions: 160COMMON

Download Yara Rule

Strings

tan, xrefs: 000000014001D557
!, xrefs: 000000014001D55E

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: _errno
String ID: !$tan
API String ID: 2918714741-2428968949
Opcode ID: 3a4a8475762da512f022ce441af65110c61280ed671eef4d25333cd6132d5139
Instruction ID: ba6f11c9e90cfa9ad0ebb96e026d68206a266dd9814c336f314e053b0940baba
Opcode Fuzzy Hash: 3a4a8475762da512f022ce441af65110c61280ed671eef4d25333cd6132d5139
Instruction Fuzzy Hash: 9761C872A25F8445E673873694213EBB354AF9B3C4F109317BA1A3BEB5EB7D80834640

Function 00000001400233D0 Relevance: 2.2, APIs: 1, Instructions: 663COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000014002343A

Part of subcall function 0000000140020B28: DecodePointer.KERNEL32 ref: 0000000140020B4F

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: DecodePointer_errno
String ID:
API String ID: 3485708101-0
Opcode ID: b70b674c3cf58c22f7521cd20d7ea11672699ad0505f36fe9fad595bc84a2a24
Instruction ID: b68cfd5ab9dd470911173b7748abd515f73a33220fc0ab138d132efbf35fb5ad
Opcode Fuzzy Hash: b70b674c3cf58c22f7521cd20d7ea11672699ad0505f36fe9fad595bc84a2a24
Instruction Fuzzy Hash: 9442F77261468186EB769F1AD0547EDB7A1F3987C4F50402EFB8A87BE4D639CD84CB02

Function 0000000140042440 Relevance: 1.6, APIs: 1, Instructions: 120timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0000000140042467

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: f37e49baa16edcc26122d7ddff3ae8b80091bfeeb62e663d5795443f883994e1
Instruction ID: 71c78ca8aa94e74fe30bf786358e4e671d58f4b2ee1f09ef7e496bdcb8d3609a
Opcode Fuzzy Hash: f37e49baa16edcc26122d7ddff3ae8b80091bfeeb62e663d5795443f883994e1
Instruction Fuzzy Hash: 30417236744A8591EE26EB13E5543DAA360FB8CBC4F844125BF8D477AADB3DC254C708

Function 00000001400472A0 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32 ref: 00000001400472DA

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: ca517a55a53e5f5c0d00dc69f7a769235eb728fc389f8271b571ba05147067d7
Instruction ID: 1132f4d812c70ba4fc28cf18a7c27a160c68799d564b2776f79a4b0d41c9e22d
Opcode Fuzzy Hash: ca517a55a53e5f5c0d00dc69f7a769235eb728fc389f8271b571ba05147067d7
Instruction Fuzzy Hash: AAE04872718B84C7D7218F6AF48195EAB71F398BC0F558128DF8947B25CA3CC4558B04

Function 000000014005D450 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

mouse_event.USER32 ref: 000000014005D48D

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 90168ee3d23eaeb68812dc389ecee54c8a8ddc9662ce14ac61a32bd3074fd40b
Instruction ID: b06a0c4948945cdf410f08d12445690765f154c64223f6d0a98a5ce11edf7344
Opcode Fuzzy Hash: 90168ee3d23eaeb68812dc389ecee54c8a8ddc9662ce14ac61a32bd3074fd40b
Instruction Fuzzy Hash: C8E04FF5A0415043F37B9A3A412ABF92642F3993C0E500103AB8607AF4CA3F96069E05

Function 000000014006A7C0 Relevance: 1.5, APIs: 1, Instructions: 23keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32 ref: 000000014006A7E6

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: e3da47e5aa1b32c8bbf1f991a9063b6a518a10cedb0f93747e6b42c6b5a63616
Instruction ID: ec527bf5383cc17415bbd01df3bab4f6376454716b75b8677411075afdce43b1
Opcode Fuzzy Hash: e3da47e5aa1b32c8bbf1f991a9063b6a518a10cedb0f93747e6b42c6b5a63616
Instruction Fuzzy Hash: 33E0127231464086EB05AF73E8853EE62A1F79DBD4F648425EF09873A5DE7DC8D18740

Function 000000014002B81C Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 000000014002B827

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: afac7ca2b74bb08783c202bc80f1dbccd365a93ea7932a0dc6ff2265d64bb439
Instruction ID: ea8984486ffcbc6e0584c4fe155b0227ad7a4c4ca994d85898d8c236bd6eb803
Opcode Fuzzy Hash: afac7ca2b74bb08783c202bc80f1dbccd365a93ea7932a0dc6ff2265d64bb439
Instruction Fuzzy Hash: CFB01230B11401C2D605AF23EC853C012E0BB9C780FC00410D20982170DF3C85DBC700

Function 0000000140087430 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 000000014008744B

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 8a372c67c34c1ec0e9cc2de623fcfd51be1c908f996fb882675f869ced6579ff
Instruction ID: 79bc9243047b91ba7f7cafed6c5824dd10d5a88b946d46949f86e537ec4ebb0e
Opcode Fuzzy Hash: 8a372c67c34c1ec0e9cc2de623fcfd51be1c908f996fb882675f869ced6579ff
Instruction Fuzzy Hash: FCC04C7610AAC59DE6718F55E4943DD6721F7CC394F500401D7D903968DF79C198DB01

Function 0000000140047080 Relevance: 1.3, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,00000000,000000014004703E), ref: 0000000140047088

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: e5385ec19c3a2cba794ab328dbe0ff0c319d51f9ad28f467202138c632d0aad2
Instruction ID: e90dfcca73008405aa1caa4e6229fc93e2f4ed6fa05f56948e4e427e63f50343
Opcode Fuzzy Hash: e5385ec19c3a2cba794ab328dbe0ff0c319d51f9ad28f467202138c632d0aad2
Instruction Fuzzy Hash: D4C02BF1B00604C2FB9907A36C403942250F31CBC0F0400348F4C43330EC3C44C58700

Function 0000000140015720 Relevance: .6, Instructions: 610COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99f828bc40b5398699b5dac1f15cb713f5ac5233867f3831ab85df54c9431331
Instruction ID: 55e6a3936c9fb0e7e0e59bc141d59d4b4a5ab0dec4814c3e921efc377099d06c
Opcode Fuzzy Hash: 99f828bc40b5398699b5dac1f15cb713f5ac5233867f3831ab85df54c9431331
Instruction Fuzzy Hash: 0412A577B785104BD71DCB15E892FA97762F394348749A12CAA17D3F44DA3DEE0ACA00

Function 00000001400891D0 Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55705531d0ee532db521d7b08bb3bca8dba651e06498e101943d2e186d081604
Instruction ID: aeeeb06cc52a51097d68356f1ab4f62a37449a484aa420c863cc736487f95c1c
Opcode Fuzzy Hash: 55705531d0ee532db521d7b08bb3bca8dba651e06498e101943d2e186d081604
Instruction Fuzzy Hash: 1EE1CD72304A9081EA62EF57E4407EE6760F7C8FC4F585016BF8E47BAAEE39C2448740

Function 0000000140012520 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcecbd32ae9dfa729b1b32a03bbcef956e3de2a7295d5f9e5a521d68dfcbd5ac
Instruction ID: 87deab0650f1699d25ef43cfeb71b8a02b33364d1ae54613cbe8dc82fbe62e60
Opcode Fuzzy Hash: dcecbd32ae9dfa729b1b32a03bbcef956e3de2a7295d5f9e5a521d68dfcbd5ac
Instruction Fuzzy Hash: 30D1AE36209680C6E777DF16E4803EE77A1F7A9780F608115EB894BAF5DB35D8A5CB00

Function 000000014002945C Relevance: .2, Instructions: 202COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c97ef46e4fad3aed5ca7a11ed7e22cedefedf99ea94c187844a7f10a0a0c2eb
Instruction ID: 61c8e06a163a9ea62fc43dd353b68e354340dada47a5e3fb0f52e27ad096e322
Opcode Fuzzy Hash: 8c97ef46e4fad3aed5ca7a11ed7e22cedefedf99ea94c187844a7f10a0a0c2eb
Instruction Fuzzy Hash: 6F710572B105454BD35ECB2AF95179876D6E3EC384F589139FB46CBBA4EA38DE008B40

Function 0000000140052FF0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Time$FileSystem
String ID:
API String ID: 2086374402-0
Opcode ID: d2eb03a09a7bc0f4583daaabbec813682186745dd4bd52cef1f99c1a63f074a0
Instruction ID: 2c6d24f5e209d13f1d28db5efbe12cf23ab4403b37b94f56d3dd9fd447af0078
Opcode Fuzzy Hash: d2eb03a09a7bc0f4583daaabbec813682186745dd4bd52cef1f99c1a63f074a0
Instruction Fuzzy Hash: 3421753262450087FB1ACF37D851BD933B2B389784F44D625D7148B2ACCA3D950ACB55

Function 000000014002C2B0 Relevance: 53.8, APIs: 43, Instructions: 94COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 000000014002C2C5

Part of subcall function 00000001400198F8: RtlFreeHeap.NTDLL(?,?,00000000,000000014001F7EC,?,?,?,0000000140020C01,?,?,?,?,0000000140019776), ref: 000000014001990E
Part of subcall function 00000001400198F8: _errno.LIBCMT ref: 0000000140019918
Part of subcall function 00000001400198F8: GetLastError.KERNEL32(?,?,00000000,000000014001F7EC,?,?,?,0000000140020C01,?,?,?,?,0000000140019776), ref: 0000000140019920

free.LIBCMT ref: 000000014002C2CE
free.LIBCMT ref: 000000014002C2D7
free.LIBCMT ref: 000000014002C2E0
free.LIBCMT ref: 000000014002C2E9
free.LIBCMT ref: 000000014002C2F2
free.LIBCMT ref: 000000014002C2FA
free.LIBCMT ref: 000000014002C303
free.LIBCMT ref: 000000014002C30C
free.LIBCMT ref: 000000014002C315
free.LIBCMT ref: 000000014002C31E
free.LIBCMT ref: 000000014002C327
free.LIBCMT ref: 000000014002C330
free.LIBCMT ref: 000000014002C339
free.LIBCMT ref: 000000014002C342
free.LIBCMT ref: 000000014002C34B
free.LIBCMT ref: 000000014002C357
free.LIBCMT ref: 000000014002C363
free.LIBCMT ref: 000000014002C36F
free.LIBCMT ref: 000000014002C37B
free.LIBCMT ref: 000000014002C387
free.LIBCMT ref: 000000014002C393
free.LIBCMT ref: 000000014002C39F
free.LIBCMT ref: 000000014002C3AB
free.LIBCMT ref: 000000014002C3B7
free.LIBCMT ref: 000000014002C3C3
free.LIBCMT ref: 000000014002C3CF
free.LIBCMT ref: 000000014002C3DB
free.LIBCMT ref: 000000014002C3E7
free.LIBCMT ref: 000000014002C3F3
free.LIBCMT ref: 000000014002C3FF
free.LIBCMT ref: 000000014002C40B
free.LIBCMT ref: 000000014002C417
free.LIBCMT ref: 000000014002C423
free.LIBCMT ref: 000000014002C42F
free.LIBCMT ref: 000000014002C43B
free.LIBCMT ref: 000000014002C447
free.LIBCMT ref: 000000014002C453
free.LIBCMT ref: 000000014002C45F
free.LIBCMT ref: 000000014002C46B
free.LIBCMT ref: 000000014002C477
free.LIBCMT ref: 000000014002C483
free.LIBCMT ref: 000000014002C48F

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: 42a96f78dc716fe5779456e715ab2e43969e285b09ec4b61905bfc54cb7853cc
Instruction ID: 8b07a4fb9cb08d1988debfe545e87c9ef13ca11ef38d27fcb17d9a55d46193e4
Opcode Fuzzy Hash: 42a96f78dc716fe5779456e715ab2e43969e285b09ec4b61905bfc54cb7853cc
Instruction Fuzzy Hash: CA41753272169081EB46BB3BC8953EC1320EB8ABC4F446131BB5E6F1BBCE21C8458351

Function 0000000140051210 Relevance: 49.7, APIs: 33, Instructions: 212windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32 ref: 000000014005127F
SetTextColor.GDI32 ref: 000000014005128A
GetSysColorBrush.USER32 ref: 00000001400512A9
GetSysColor.USER32 ref: 00000001400512B4
SetBkColor.GDI32 ref: 00000001400512D5
SelectObject.GDI32 ref: 00000001400512E5
InflateRect.USER32 ref: 0000000140051309
GetSysColor.USER32 ref: 0000000140051314
CreateSolidBrush.GDI32 ref: 000000014005131C
FrameRect.USER32 ref: 0000000140051330
DeleteObject.GDI32 ref: 0000000140051339
InflateRect.USER32 ref: 000000014005138A
FillRect.USER32 ref: 00000001400513BD
GetWindowLongW.USER32 ref: 00000001400513E4
SendMessageW.USER32 ref: 0000000140051406
GetWindowTextW.USER32 ref: 000000014005143A

Part of subcall function 0000000140040110: GetSysColor.USER32 ref: 0000000140040156
Part of subcall function 0000000140040110: SetTextColor.GDI32 ref: 0000000140040161
Part of subcall function 0000000140040110: GetSysColorBrush.USER32 ref: 000000014004017B
Part of subcall function 0000000140040110: GetSysColor.USER32 ref: 0000000140040186
Part of subcall function 0000000140040110: GetSysColor.USER32 ref: 00000001400401A8
Part of subcall function 0000000140040110: CreatePen.GDI32 ref: 00000001400401BF
Part of subcall function 0000000140040110: SelectObject.GDI32 ref: 00000001400401D0
Part of subcall function 0000000140040110: SetBkColor.GDI32 ref: 00000001400401E0
Part of subcall function 0000000140040110: SelectObject.GDI32 ref: 00000001400401F3
Part of subcall function 0000000140040110: InflateRect.USER32 ref: 0000000140040219
Part of subcall function 0000000140040110: RoundRect.GDI32 ref: 0000000140040248
Part of subcall function 0000000140040110: GetWindowLongW.USER32 ref: 000000014004025C
Part of subcall function 0000000140040110: SendMessageW.USER32 ref: 0000000140040281

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelectTextWindow$CreateLongMessageSend$DeleteFillFrameRoundSolid
String ID:
API String ID: 3770480883-0
Opcode ID: b0d59566f75106652b162f574297c1ccc04d8aa480e14e0ec6e20a47ba6d7074
Instruction ID: b4f55efcc31009650635bf21e42473b1c08e8354483bf8c30f1bfdeaf81c1d0e
Opcode Fuzzy Hash: b0d59566f75106652b162f574297c1ccc04d8aa480e14e0ec6e20a47ba6d7074
Instruction Fuzzy Hash: 29915A36604A4083EB559F2BA8547EA6361F78DBE4F105215FFA643BA4DF39C949CB00

Function 0000000140040110 Relevance: 39.2, APIs: 26, Instructions: 164windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32 ref: 0000000140040156
SetTextColor.GDI32 ref: 0000000140040161
GetSysColorBrush.USER32 ref: 000000014004017B
GetSysColor.USER32 ref: 0000000140040186
CreateSolidBrush.GDI32 ref: 0000000140040190
GetSysColor.USER32 ref: 00000001400401A8
CreatePen.GDI32 ref: 00000001400401BF
SelectObject.GDI32 ref: 00000001400401D0
SetBkColor.GDI32 ref: 00000001400401E0
SelectObject.GDI32 ref: 00000001400401F3
InflateRect.USER32 ref: 0000000140040219
RoundRect.GDI32 ref: 0000000140040248
GetWindowLongW.USER32 ref: 000000014004025C
SendMessageW.USER32 ref: 0000000140040281
GetWindowTextW.USER32 ref: 00000001400402BA
InflateRect.USER32 ref: 00000001400402DF
DrawFocusRect.USER32 ref: 00000001400402ED
GetSysColor.USER32 ref: 00000001400402FC
SetTextColor.GDI32 ref: 0000000140040307
DrawTextW.USER32 ref: 000000014004032F
SelectObject.GDI32 ref: 0000000140040345
DeleteObject.GDI32 ref: 000000014004034E
SelectObject.GDI32 ref: 000000014004035C
DeleteObject.GDI32 ref: 0000000140040367
SetTextColor.GDI32 ref: 0000000140040373
SetBkColor.GDI32 ref: 0000000140040383

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 49c7e73648f56c4760cd3afc6aef802a9b66124aeccb1c7a71057b73f80d5418
Instruction ID: 1f7023d95b14da9762c9d516a7de3f42be2159b8597aa391ada59dc55928c0ef
Opcode Fuzzy Hash: 49c7e73648f56c4760cd3afc6aef802a9b66124aeccb1c7a71057b73f80d5418
Instruction Fuzzy Hash: 9B611E36604A8186E7159F6BA8547AAB761F78DBE1F104225FF6A47BB4DF38C448CB00

Function 000000014002C808 Relevance: 36.9, APIs: 15, Strings: 6, Instructions: 130libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,?,?,000000FC,00000001,000000014002101C,?,?,?,?,?,00000001400210B0), ref: 000000014002C845
GetProcAddress.KERNEL32(?,?,?,?,?,000000FC,00000001,000000014002101C,?,?,?,?,?,00000001400210B0), ref: 000000014002C861
GetProcAddress.KERNEL32(?,?,?,?,?,000000FC,00000001,000000014002101C,?,?,?,?,?,00000001400210B0), ref: 000000014002C889
EncodePointer.KERNEL32(?,?,?,?,?,000000FC,00000001,000000014002101C,?,?,?,?,?,00000001400210B0), ref: 000000014002C892
GetProcAddress.KERNEL32(?,?,?,?,?,000000FC,00000001,000000014002101C,?,?,?,?,?,00000001400210B0), ref: 000000014002C8A8
EncodePointer.KERNEL32(?,?,?,?,?,000000FC,00000001,000000014002101C,?,?,?,?,?,00000001400210B0), ref: 000000014002C8B1
GetProcAddress.KERNEL32(?,?,?,?,?,000000FC,00000001,000000014002101C,?,?,?,?,?,00000001400210B0), ref: 000000014002C8C7
EncodePointer.KERNEL32(?,?,?,?,?,000000FC,00000001,000000014002101C,?,?,?,?,?,00000001400210B0), ref: 000000014002C8D0
GetProcAddress.KERNEL32(?,?,?,?,?,000000FC,00000001,000000014002101C,?,?,?,?,?,00000001400210B0), ref: 000000014002C8EE
EncodePointer.KERNEL32(?,?,?,?,?,000000FC,00000001,000000014002101C,?,?,?,?,?,00000001400210B0), ref: 000000014002C8F7
DecodePointer.KERNEL32(?,?,?,?,?,000000FC,00000001,000000014002101C,?,?,?,?,?,00000001400210B0), ref: 000000014002C929
DecodePointer.KERNEL32(?,?,?,?,?,000000FC,00000001,000000014002101C,?,?,?,?,?,00000001400210B0), ref: 000000014002C938
DecodePointer.KERNEL32(?,?,?,?,?,000000FC,00000001,000000014002101C,?,?,?,?,?,00000001400210B0), ref: 000000014002C990
DecodePointer.KERNEL32(?,?,?,?,?,000000FC,00000001,000000014002101C,?,?,?,?,?,00000001400210B0), ref: 000000014002C9B0
DecodePointer.KERNEL32(?,?,?,?,?,000000FC,00000001,000000014002101C,?,?,?,?,?,00000001400210B0), ref: 000000014002C9C9

Strings

USER32.DLL, xrefs: 000000014002C83E
GetProcessWindowStation, xrefs: 000000014002C8E4
GetActiveWindow, xrefs: 000000014002C878
GetLastActivePopup, xrefs: 000000014002C897
GetUserObjectInformationA, xrefs: 000000014002C8B6
MessageBoxA, xrefs: 000000014002C857

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Pointer$AddressDecodeProc$Encode$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
API String ID: 3085332118-232180764
Opcode ID: 008f0fb7fb83f3bdab71711707e0b8838f82ef197697a8ccf7576a84de9a8603
Instruction ID: 450cac106e5625e47963f4c73d1d8f3d61c13b8cd9b5e6c3b4483d4420a2949a
Opcode Fuzzy Hash: 008f0fb7fb83f3bdab71711707e0b8838f82ef197697a8ccf7576a84de9a8603
Instruction Fuzzy Hash: E3513B35622B4090FD57EBA7A858BE462A06B4DBC4F58012EBF5E477B1EE78C981C210

Function 000000014007EFF0 Relevance: 26.6, APIs: 6, Strings: 9, Instructions: 342COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 000000014007F107
IsWindow.USER32 ref: 000000014007F43F
GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 000000014007F468
GetDesktopWindow.USER32 ref: 000000014007F52A
EnumChildWindows.USER32 ref: 000000014007F53D
EnumWindows.USER32 ref: 000000014007F54F

Strings

ACTIVE, xrefs: 000000014007F1B3
INSTANCE, xrefs: 000000014007F34D
ALL, xrefs: 000000014007F37B
HANDLE, xrefs: 000000014007F1CC
REGEXPCLASS, xrefs: 000000014007F241
REGEXPTITLE, xrefs: 000000014007F1E5
CLASS, xrefs: 000000014007F220
LAST, xrefs: 000000014007F19A
TITLE, xrefs: 000000014007F3AE

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Window$EnumForegroundWindows$ChildDesktop
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
API String ID: 4293069593-1919597938
Opcode ID: 75b20e50fca3194b3f26a5036842e17986b2b4af5fc0d430136fb0d6078e4b1b
Instruction ID: 320ba1e08cad423b6b41b4fe4a1633144b2c2f51f48788708767cc447f72c694
Opcode Fuzzy Hash: 75b20e50fca3194b3f26a5036842e17986b2b4af5fc0d430136fb0d6078e4b1b
Instruction Fuzzy Hash: 82F16D72204A8592EA62EF27E4403EEB361F7897D4F804012FB9A476B6EF3DD509D740

Function 000000014008D480 Relevance: 25.7, APIs: 17, Instructions: 247COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 000000014008D4A4

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: InitVariant
String ID:
API String ID: 1927566239-0
Opcode ID: cb2cba76c64304099b8bb61ff010ac80786fd399a6b269ca9dab5d572eab8f45
Instruction ID: de76dd2000b810ea56e6a0d17ed5d1a7f43d8f009b41e0501cb61d1224fd623b
Opcode Fuzzy Hash: cb2cba76c64304099b8bb61ff010ac80786fd399a6b269ca9dab5d572eab8f45
Instruction Fuzzy Hash: 42B1603261468586EB65AF27E4903EE7360F789BC0F40812BEB4E477B5EF38C5598700

Function 000000014003217C Relevance: 24.3, APIs: 16, Instructions: 348COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001400326BE), ref: 00000001400321E9
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001400326BE), ref: 00000001400321FD
GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001400326BE), ref: 0000000140032300

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: CompareErrorInfoLastString
String ID:
API String ID: 3723911898-0
Opcode ID: 2d085da1167262e3f557380842c129a1b7e834dfbf2ea378fd779441936cdb7e
Instruction ID: 709663b6f081ec12db3498b94d3bbba0fe53990249ff72fb19715694a9bdbad8
Opcode Fuzzy Hash: 2d085da1167262e3f557380842c129a1b7e834dfbf2ea378fd779441936cdb7e
Instruction Fuzzy Hash: 79E1AE722046C09AEB739F66A8547EA3792F34DBD4F544625FB5A07BE8CB38CA45C700

Function 0000000140085380 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 166windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140040510: GetWindowLongPtrW.USER32 ref: 000000014004052D

DragQueryPoint.SHELL32 ref: 00000001400853BF

Part of subcall function 00000001400510A0: ClientToScreen.USER32 ref: 00000001400510E1
Part of subcall function 00000001400510A0: GetWindowRect.USER32 ref: 0000000140051172
Part of subcall function 00000001400510A0: PtInRect.USER32 ref: 0000000140051182

SendMessageW.USER32 ref: 0000000140085439
DragQueryFileW.SHELL32 ref: 000000014008544B
DragQueryFileW.SHELL32 ref: 0000000140085470
SendMessageW.USER32 ref: 00000001400854C7
SendMessageW.USER32 ref: 00000001400854E2
SendMessageW.USER32 ref: 00000001400854FB
SendMessageW.USER32 ref: 0000000140085520
DragFinish.SHELL32 ref: 0000000140085529
DefDlgProcW.USER32 ref: 0000000140085655

Strings

@GUI_DROPID, xrefs: 000000014008554D
@GUI_DRAGID, xrefs: 00000001400855A3
@GUI_DRAGFILE, xrefs: 00000001400855ED

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 46a164524242e04322e94807e2ed1970c25c140a9465a314f3dc7ab078467c14
Instruction ID: 33c84939ba223b02f7b284155c94f98a4ed90c4cb86f500d85c10a2d7602cf07
Opcode Fuzzy Hash: 46a164524242e04322e94807e2ed1970c25c140a9465a314f3dc7ab078467c14
Instruction Fuzzy Hash: 3A818272218A8192EB11EF16E4907DEB761F7887D5F904112FB4943AB9DF7DC64ACB00

Function 000000014006F440 Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 122COMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNEL32 ref: 000000014006F51E
mciSendStringW.WINMM ref: 000000014006F56B
mciSendStringW.WINMM ref: 000000014006F5B3
mciSendStringW.WINMM ref: 000000014006F5EC

Strings

close cd wait, xrefs: 000000014006F5CE
open , xrefs: 000000014006F52D
set cd door , xrefs: 000000014006F575
open, xrefs: 000000014006F4ED
close, xrefs: 000000014006F4C5
closed, xrefs: 000000014006F4DC, 000000014006F502
wait, xrefs: 000000014006F595
type cdaudio alias cd wait, xrefs: 000000014006F54D

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: SendString$DriveType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1032284112-4113822522
Opcode ID: 26cf2643fa6b9cb3c8136d751ca73fdb02d051c55c88bc280afbaade1abdb876
Instruction ID: 5fa12246c6730787d6baeb6884e6d1aaf68b4e9379e6b8197f093f101aa3c8cf
Opcode Fuzzy Hash: 26cf2643fa6b9cb3c8136d751ca73fdb02d051c55c88bc280afbaade1abdb876
Instruction Fuzzy Hash: A4513B72218A4192EB11DF26E8913EAB361F7D87C4F904012F78E47A79DF39C655CB40

Function 0000000140054230 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 69sleeptimewindowCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 000000014005423D
timeGetTime.WINMM ref: 0000000140054247
Sleep.KERNEL32 ref: 0000000140054263
EnumThreadWindows.USER32 ref: 000000014005428B
FindWindowExW.USER32 ref: 00000001400542B4
SetActiveWindow.USER32 ref: 00000001400542D7
SendMessageW.USER32 ref: 00000001400542EB

Part of subcall function 0000000140053FE0: GetWindowThreadProcessId.USER32 ref: 0000000140054019
Part of subcall function 0000000140053FE0: GetCurrentThreadId.KERNEL32 ref: 0000000140054021

SendMessageW.USER32 ref: 000000014005430B
Sleep.KERNEL32 ref: 0000000140054316
IsWindow.USER32 ref: 0000000140054323
EndDialog.USER32 ref: 0000000140054336

Part of subcall function 0000000140053FE0: GetWindowThreadProcessId.USER32 ref: 0000000140054001
Part of subcall function 0000000140053FE0: GetCurrentThreadId.KERNEL32 ref: 0000000140054009
Part of subcall function 0000000140053FE0: AttachThreadInput.USER32 ref: 000000014005402E

Strings

BUTTON, xrefs: 00000001400542A1

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Thread$Window$CurrentMessageProcessSendSleepTimetime$ActiveAttachDialogEnumFindInputWindows
String ID: BUTTON
API String ID: 1748615878-3405671355
Opcode ID: b18ef111e16c168cb331ca0064a482666dd7d293703a7d412b9ecbc2fbf1b57a
Instruction ID: a13aee43292f5f9235013f7bf9190f8a75e28ce593686bbc36b6701cde330bee
Opcode Fuzzy Hash: b18ef111e16c168cb331ca0064a482666dd7d293703a7d412b9ecbc2fbf1b57a
Instruction Fuzzy Hash: 16315C75200E1182FB22DFABE8947E92371AB8C7D5F954420FB0A47AB1CF398684C340

Function 0000000140055310 Relevance: 19.7, APIs: 13, Instructions: 159keyboardwindowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 000000014005534A
GetKeyboardState.USER32 ref: 000000014005535E
SetKeyboardState.USER32 ref: 00000001400553B6
PostMessageW.USER32 ref: 00000001400553E2
PostMessageW.USER32 ref: 0000000140055406
PostMessageW.USER32 ref: 000000014005542C
PostMessageW.USER32 ref: 0000000140055451
PostMessageW.USER32 ref: 00000001400554A4
keybd_event.USER32 ref: 00000001400554BD
keybd_event.USER32 ref: 00000001400554D5
keybd_event.USER32 ref: 00000001400554EC
keybd_event.USER32 ref: 0000000140055503
keybd_event.USER32 ref: 000000014005551A

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: MessagePostkeybd_event$KeyboardState$Parent
String ID:
API String ID: 2502892551-0
Opcode ID: c702cbae83f39ef6aabcae2a27e1063bdaa21856159fe81744417cb196227b5b
Instruction ID: 60f1eb8c535b79e2be96ecee7ddd3c3f297e9eea403a2e0f6f6f434fb2ebd399
Opcode Fuzzy Hash: c702cbae83f39ef6aabcae2a27e1063bdaa21856159fe81744417cb196227b5b
Instruction Fuzzy Hash: DF5107762055A002F3739B6AA474BEA3BE0B78DBDAF591114FF89077B5CA3AC541CB40

Function 00000001400681A0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 129registryCOMMON

Download Yara Rule

APIs

StringFromIID.OLE32 ref: 00000001400681DA
CoTaskMemFree.OLE32 ref: 0000000140068237
RegOpenKeyExW.ADVAPI32 ref: 000000014006825F
RegQueryValueExW.ADVAPI32 ref: 00000001400682A2
CLSIDFromString.OLE32 ref: 00000001400682DE
RegQueryValueExW.ADVAPI32 ref: 000000014006832E
LoadRegTypeLib.OLEAUT32 ref: 000000014006838A

Part of subcall function 0000000140019ED4: _errno.LIBCMT ref: 0000000140019E38

RegCloseKey.ADVAPI32 ref: 00000001400683BD

Strings

\TypeLib, xrefs: 0000000140068219
interface\, xrefs: 00000001400681F8
Version, xrefs: 0000000140068307

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: FromQueryStringValue$CloseFreeLoadOpenTaskType_errno
String ID: Version$\TypeLib$interface\
API String ID: 2754250327-939221531
Opcode ID: 7cdab7e7c060869e0da0b0e5113d684bdf8d6276549272a82d91e2dd4a96a0b2
Instruction ID: ded8fa711316232823bb785af4d4ba1ebaf0d38ddd80f5090fc967ac4a27c7d4
Opcode Fuzzy Hash: 7cdab7e7c060869e0da0b0e5113d684bdf8d6276549272a82d91e2dd4a96a0b2
Instruction Fuzzy Hash: D2515B32214A8186EA21DB2AE4847CEB3A5F7D9BD4F504221FB8D47B78DF39C546CB00

Function 0000000140017070 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32 ref: 00000001400170A6
MapVirtualKeyW.USER32 ref: 00000001400170B4
MapVirtualKeyW.USER32 ref: 00000001400170C2
MapVirtualKeyW.USER32 ref: 00000001400170D2
MapVirtualKeyW.USER32 ref: 00000001400170E0
MapVirtualKeyW.USER32 ref: 00000001400170EE
GetKeyboardLayoutNameA.USER32 ref: 00000001400170FC
VkKeyScanA.USER32 ref: 0000000140017114

Strings

0809, xrefs: 0000000140017142
0409, xrefs: 0000000140017129
0002, xrefs: 00000001400339F0

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Virtual$KeyboardLayoutNameScan
String ID: 0002$0409$0809
API String ID: 983989243-2507973371
Opcode ID: 494d48369ab01f52cbf30dd0b5ab5ee0bd0b45a40cf2f351d9aabff0a0d02b6a
Instruction ID: eaeac87d2d7ecf8d0615943011f481b10c867ec165a05e46c883da95e513004d
Opcode Fuzzy Hash: 494d48369ab01f52cbf30dd0b5ab5ee0bd0b45a40cf2f351d9aabff0a0d02b6a
Instruction Fuzzy Hash: 89519C71208A81A5FB13DB2AE8443DA3BF2E75D788F484015E7494B2BAEF79C509C705

Function 0000000140061550 Relevance: 18.2, APIs: 12, Instructions: 249fileCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014001A30C: _errno.LIBCMT ref: 000000014001A334

_fread_nolock.LIBCMT ref: 00000001400616FB
_fread_nolock.LIBCMT ref: 0000000140061713
_fread_nolock.LIBCMT ref: 0000000140061732
_fread_nolock.LIBCMT ref: 0000000140061745
_fread_nolock.LIBCMT ref: 0000000140061765
_fread_nolock.LIBCMT ref: 0000000140061778
_fread_nolock.LIBCMT ref: 000000014006178B
_fread_nolock.LIBCMT ref: 000000014006179E

Part of subcall function 0000000140061100: _fread_nolock.LIBCMT ref: 0000000140061145
Part of subcall function 0000000140061100: _fread_nolock.LIBCMT ref: 000000014006118E
Part of subcall function 0000000140061100: _fread_nolock.LIBCMT ref: 00000001400611AE
Part of subcall function 0000000140061100: _fread_nolock.LIBCMT ref: 00000001400611F7
Part of subcall function 0000000140061100: _fread_nolock.LIBCMT ref: 0000000140061217

_fread_nolock.LIBCMT ref: 000000014006182A
DeleteFileW.KERNEL32 ref: 0000000140061967

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: _fread_nolock$DeleteFile_errno
String ID:
API String ID: 2242561482-0
Opcode ID: 099c10b1d2b511053cca40750197a2f51583681a5e10c3d506edf7bf82044c12
Instruction ID: 7317236c0e0686f9554fc2f0f770668f78f44ffe5f0f5c61f68980d327f7be48
Opcode Fuzzy Hash: 099c10b1d2b511053cca40750197a2f51583681a5e10c3d506edf7bf82044c12
Instruction Fuzzy Hash: DBB16776208AC595EA21DF52E8407DEB361F7C9BC4F944406FB8947AAADF3CC249CB44

Function 0000000140055550 Relevance: 18.2, APIs: 12, Instructions: 154keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32 ref: 00000001400555DC
SetKeyboardState.USER32 ref: 000000014005563B
GetAsyncKeyState.USER32 ref: 000000014005564D
GetKeyState.USER32 ref: 000000014005565F
GetAsyncKeyState.USER32 ref: 0000000140055685
GetKeyState.USER32 ref: 0000000140055692
GetAsyncKeyState.USER32 ref: 00000001400556B4
GetKeyState.USER32 ref: 00000001400556C2
GetAsyncKeyState.USER32 ref: 00000001400556E9
GetKeyState.USER32 ref: 00000001400556F6
GetAsyncKeyState.USER32 ref: 000000014005571C
GetKeyState.USER32 ref: 0000000140055729

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 92184b8ba2d507ee925a694170ba5d4f1bf3991fbd5ba6f557ed84fe53d41b6a
Instruction ID: de29f8e0a99207526d1ce8d0c2cdd2499d0fd7bbc1a702fa6642df7d41fbc1a0
Opcode Fuzzy Hash: 92184b8ba2d507ee925a694170ba5d4f1bf3991fbd5ba6f557ed84fe53d41b6a
Instruction Fuzzy Hash: E151D63622459087FB5ADB2AA4653DE2362F75DFC9F640014FB46432B0CB3ACD46CB80

Function 000000014002066C Relevance: 18.1, APIs: 11, Strings: 1, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 00000001400206B8

Part of subcall function 00000001400198F8: RtlFreeHeap.NTDLL(?,?,00000000,000000014001F7EC,?,?,?,0000000140020C01,?,?,?,?,0000000140019776), ref: 000000014001990E
Part of subcall function 00000001400198F8: _errno.LIBCMT ref: 0000000140019918
Part of subcall function 00000001400198F8: GetLastError.KERNEL32(?,?,00000000,000000014001F7EC,?,?,?,0000000140020C01,?,?,?,?,0000000140019776), ref: 0000000140019920

Part of subcall function 000000014002C4E4: free.LIBCMT ref: 000000014002C502
Part of subcall function 000000014002C4E4: free.LIBCMT ref: 000000014002C514
Part of subcall function 000000014002C4E4: free.LIBCMT ref: 000000014002C526
Part of subcall function 000000014002C4E4: free.LIBCMT ref: 000000014002C538
Part of subcall function 000000014002C4E4: free.LIBCMT ref: 000000014002C54A
Part of subcall function 000000014002C4E4: free.LIBCMT ref: 000000014002C55C
Part of subcall function 000000014002C4E4: free.LIBCMT ref: 000000014002C56E

free.LIBCMT ref: 00000001400206DA
free.LIBCMT ref: 00000001400206F2
free.LIBCMT ref: 00000001400206FE
free.LIBCMT ref: 0000000140020722
free.LIBCMT ref: 0000000140020736
free.LIBCMT ref: 0000000140020745
free.LIBCMT ref: 0000000140020751
free.LIBCMT ref: 000000014002077E
free.LIBCMT ref: 00000001400207A6
free.LIBCMT ref: 00000001400207C0

Strings

%.15g, xrefs: 0000000140020676

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID: %.15g
API String ID: 1012874770-3684710030
Opcode ID: 6f7a7757b56b72e414d6a0ebd9c169ca5ba6902dba403406ba32f9c0e7587173
Instruction ID: 9a3007cb08923bfdda009dd1d7360c9cbef53d2145103472d6069d035108d37c
Opcode Fuzzy Hash: 6f7a7757b56b72e414d6a0ebd9c169ca5ba6902dba403406ba32f9c0e7587173
Instruction Fuzzy Hash: A4411F32A16B8084FF569F67C4943EC23A0EB8DBC4F485439AB1A4B2A6CF35D891C711

Function 000000014001F828 Relevance: 18.1, APIs: 12, Instructions: 82COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 000000014001F847

Part of subcall function 00000001400198F8: RtlFreeHeap.NTDLL(?,?,00000000,000000014001F7EC,?,?,?,0000000140020C01,?,?,?,?,0000000140019776), ref: 000000014001990E
Part of subcall function 00000001400198F8: _errno.LIBCMT ref: 0000000140019918
Part of subcall function 00000001400198F8: GetLastError.KERNEL32(?,?,00000000,000000014001F7EC,?,?,?,0000000140020C01,?,?,?,?,0000000140019776), ref: 0000000140019920

free.LIBCMT ref: 000000014001F855
free.LIBCMT ref: 000000014001F863
free.LIBCMT ref: 000000014001F871
free.LIBCMT ref: 000000014001F87F
free.LIBCMT ref: 000000014001F88D
free.LIBCMT ref: 000000014001F89E
free.LIBCMT ref: 000000014001F8B6
_lock.LIBCMT ref: 000000014001F8C0
free.LIBCMT ref: 000000014001F8EE
_lock.LIBCMT ref: 000000014001F903
free.LIBCMT ref: 000000014001F94D

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: free$_lock$ErrorFreeHeapLast_errno
String ID:
API String ID: 1575098132-0
Opcode ID: ef9e044d46e35d22be352a5f83667f52ab4ec4e8efb8a0f4f211e77ef84ed374
Instruction ID: 144a0b7f2f31286478b4074085c9ee43f483ed07ab469889947d590054f9c79d
Opcode Fuzzy Hash: ef9e044d46e35d22be352a5f83667f52ab4ec4e8efb8a0f4f211e77ef84ed374
Instruction Fuzzy Hash: CE314D3131264044FE5BABA7D0A17F81351EF9EBD4F481125BB1A0B6F6CF36C8409312

Function 00000001400720B0 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 228windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32 ref: 00000001400720F4
SendMessageTimeoutW.USER32 ref: 0000000140072213
GetClassNameW.USER32 ref: 0000000140072288
GetDlgCtrlID.USER32 ref: 00000001400722DF
GetWindowRect.USER32 ref: 0000000140072309
GetParent.USER32 ref: 000000014007232A
ScreenToClient.USER32 ref: 000000014007233B
GetClassNameW.USER32 ref: 00000001400723C4
GetWindowTextW.USER32 ref: 0000000140072402

Strings

%s%u, xrefs: 000000014007218B

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout
String ID: %s%u
API String ID: 1412819556-679674701
Opcode ID: 9682556f6bebd3d8e6072994d14b92f2d648d796f9358d8ba31495945f70c32d
Instruction ID: 158b3b39f145047add73953bad75bb487fbb5e349449c94e5c983fca0085dcf1
Opcode Fuzzy Hash: 9682556f6bebd3d8e6072994d14b92f2d648d796f9358d8ba31495945f70c32d
Instruction Fuzzy Hash: E4A1B27220478583EA66DB27F4447EEB3A1F7897C4F400015FB9A57AA9EB7CD645CB00

Function 0000000140045290 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 106windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,0000000140034110), ref: 00000001400452C8
LoadStringW.USER32 ref: 00000001400452E4
GetModuleHandleW.KERNEL32(?,0000000140034110), ref: 00000001400452EC
LoadStringW.USER32 ref: 0000000140045302

Part of subcall function 000000014001930C: _errno.LIBCMT ref: 0000000140019325

MessageBoxW.USER32 ref: 000000014004545E

Strings

Line %d (File "%s"):, xrefs: 000000014004535B
^ ERROR, xrefs: 00000001400453A3
Line %d:, xrefs: 000000014004534D
%s (%d) : ==> %s: %s %s, xrefs: 000000014004542B
Error: , xrefs: 00000001400453E9

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: HandleLoadModuleString$Message_errno
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 2078091845-2268648507
Opcode ID: 9977a73bd7e8f5b34ca262eab2b70e5362f2eedeb015b1262854764007e6d985
Instruction ID: 1c9124558d2d19ef4e6bc9186654b45b82e36532b1f4ed361783abd5deafe83a
Opcode Fuzzy Hash: 9977a73bd7e8f5b34ca262eab2b70e5362f2eedeb015b1262854764007e6d985
Instruction Fuzzy Hash: AC416C32315B8591EE22EB22E4947D97365F79CBC5F804026FB890B7BADE79C609C740

Function 00000001400683F0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 98registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 0000000140068449
RegEnumKeyExW.ADVAPI32 ref: 0000000140068485
RegOpenKeyExW.ADVAPI32 ref: 00000001400684EE
RegQueryValueExW.ADVAPI32 ref: 0000000140068527
IIDFromString.OLE32 ref: 0000000140068568
RegCloseKey.ADVAPI32 ref: 0000000140068578
RegCloseKey.ADVAPI32 ref: 000000014006859A

Strings

(, xrefs: 0000000140068585
interface\, xrefs: 000000014006849B
interface, xrefs: 000000014006842D

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: CloseOpen$EnumFromQueryStringValue
String ID: ($interface$interface\
API String ID: 297354694-3327702407
Opcode ID: 3f114c0c5178b9e56fda104bfb37ef7459d836bb5a0e94708186758a1765110d
Instruction ID: 28677ac6b5f0e0c5be18d84be7ecf3b851dd713cd8372518bd7651f753dacacb
Opcode Fuzzy Hash: 3f114c0c5178b9e56fda104bfb37ef7459d836bb5a0e94708186758a1765110d
Instruction Fuzzy Hash: 16413E32214A8196EA61CB1AF8547CAB3A5F7CC794FA04211FB8D47B79DF39C655CB00

Function 00000001400437E0 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 144COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION ref: 0000000140043804
GetFileVersionInfoW.VERSION ref: 000000014004382E
VerQueryValueW.VERSION ref: 00000001400438B8

Strings

StringFileInfo\, xrefs: 0000000140043882
\VarFileInfo\Translation, xrefs: 00000001400438AE
04090000, xrefs: 00000001400438EF
%u.%u.%u.%u, xrefs: 0000000140043986
DefaultLangCodepage, xrefs: 0000000140043914

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 2179348866-1459072770
Opcode ID: 2c5366c6c43de9a1321b19db33a13329d7480d04c77fe3cc0952cd2924b210d0
Instruction ID: 5ce2de8a0ea36e8fd6a7b7ef82b2f030d759b9607e79fc13a15354585515668c
Opcode Fuzzy Hash: 2c5366c6c43de9a1321b19db33a13329d7480d04c77fe3cc0952cd2924b210d0
Instruction Fuzzy Hash: 2D51F03130464085EE66EB23A4413EEA311F78EBD0F845126FF4A0B7AADE7AC646C704

Function 0000000140047620 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 106threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0000000140047644
OpenThreadToken.ADVAPI32 ref: 000000014004765B
GetCurrentProcess.KERNEL32 ref: 0000000140047665
OpenProcessToken.ADVAPI32 ref: 0000000140047679
LookupPrivilegeValueW.ADVAPI32 ref: 00000001400476CC
LookupPrivilegeValueW.ADVAPI32 ref: 00000001400476EC
CloseHandle.KERNEL32 ref: 0000000140047781

Strings

SeIncreaseQuotaPrivilege, xrefs: 00000001400476E3
SeAssignPrimaryTokenPrivilege, xrefs: 00000001400476C3

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Process$CurrentLookupOpenPrivilegeTokenValue$CloseHandleThread
String ID: SeAssignPrimaryTokenPrivilege$SeIncreaseQuotaPrivilege
API String ID: 2833215880-805462909
Opcode ID: 7ffd50ff2343eee53411b84a019919d89e65c3332e9a596673ff78e44ffb9ffb
Instruction ID: f3af09c5bb190377091230b29a57013d0924b33a88ab09c6f24b2af104aef2f3
Opcode Fuzzy Hash: 7ffd50ff2343eee53411b84a019919d89e65c3332e9a596673ff78e44ffb9ffb
Instruction Fuzzy Hash: 0241C332204A8196EB629F27E400BDA77A0F789BD4F854026EF8E43664DF38D649CB44

Function 000000014006F300 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 81COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 000000014006F322
GetDriveTypeW.KERNEL32 ref: 000000014006F389
SetErrorMode.KERNEL32 ref: 000000014006F420

Strings

Network, xrefs: 000000014006F3CB
CDROM, xrefs: 000000014006F3C2
Removable, xrefs: 000000014006F3DD
Fixed, xrefs: 000000014006F3D4
RAMDisk, xrefs: 000000014006F3B9
Unknown, xrefs: 000000014006F3B0

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown
API String ID: 2907320926-706929342
Opcode ID: daab07e8c985696f637715a8198febf35013144fd4504743dafcea146b392d31
Instruction ID: af1bef719d61846af6e9475743f59197e1aad5a9bb156b093b860e3454300371
Opcode Fuzzy Hash: daab07e8c985696f637715a8198febf35013144fd4504743dafcea146b392d31
Instruction Fuzzy Hash: 9A315D72204A5082EB66DB17E8903E96762F78CBC4F909512FB4E47BB9DF78C685D700

Function 0000000140071130 Relevance: 15.2, APIs: 10, Instructions: 174windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32 ref: 00000001400711E4
SetMenuItemInfoW.USER32 ref: 0000000140071223
Sleep.KERNEL32 ref: 0000000140071236
GetMenuItemCount.USER32 ref: 0000000140071281
GetMenuItemID.USER32 ref: 000000014007129F
GetMenuItemID.USER32 ref: 00000001400712C5
GetMenuItemID.USER32 ref: 0000000140071308
CheckMenuRadioItem.USER32 ref: 0000000140071352
GetMenuItemInfoW.USER32 ref: 000000014007136D
SetMenuItemInfoW.USER32 ref: 000000014007139A

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID:
API String ID: 1460738036-0
Opcode ID: f69ef5a3012e275947e5d516524cfb2d45e010425fe6d29b4685934f619dd009
Instruction ID: fda2a722c9f536d08b803548f4c7bbb90e112834612481e7afb566f1631880cd
Opcode Fuzzy Hash: f69ef5a3012e275947e5d516524cfb2d45e010425fe6d29b4685934f619dd009
Instruction Fuzzy Hash: 7A71D17221468096FB629F2BA5847EEA7A5B78CBC4F808011FB4647BB5CB3CC956C700

Function 0000000140016300 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 261COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00000000,00000000,000000014001600C), ref: 00000001400163B2
GetFullPathNameW.KERNEL32 ref: 00000001400163CD
SetCurrentDirectoryW.KERNEL32 ref: 0000000140016431
SetCurrentDirectoryW.KERNEL32 ref: 000000014001663A

Part of subcall function 0000000140018908: malloc.LIBCMT ref: 0000000140018922

Part of subcall function 0000000140016050: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,?,00000000,?,00000001400845F9), ref: 0000000140016087
Part of subcall function 0000000140016050: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,?,00000000,?,00000001400845F9), ref: 00000001400160DE

Strings

_, xrefs: 0000000140016695
Unterminated string, xrefs: 0000000140034D29
Error opening the file, xrefs: 0000000140034C41
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0000000140034C10

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: CurrentDirectory$ByteCharMultiWide$FullNamePathmalloc
String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
API String ID: 3488002654-188983378
Opcode ID: 15b320750642c672c145264c579ef4a000cd74b6e19c3f4d54ae79f6e6e53260
Instruction ID: 1af16a3667b7dc2cc410e2f44962549814ee668dc452acd683b9a27b9fcf0743
Opcode Fuzzy Hash: 15b320750642c672c145264c579ef4a000cd74b6e19c3f4d54ae79f6e6e53260
Instruction Fuzzy Hash: 87C1943221968581EB72DB23E9443EEA365F7CD7C4F400512FB894BABADB7AC945C740

Function 000000014007A080 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 226COMMON

Download Yara Rule

Strings

TEXT, xrefs: 000000014007A364
INSTANCE, xrefs: 000000014007A333
CLASSNN, xrefs: 000000014007A172
NAME, xrefs: 000000014007A243
REGEXPCLASS, xrefs: 000000014007A19A
CLASS, xrefs: 000000014007A14B

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID:
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 0-1603158881
Opcode ID: 1e9125c67b3ada6ba4e79e6ab97e268edc4fd2dd8881cb79c92b8fec35e83c32
Instruction ID: 9e623df7e87a94373924c2dbe767dc01e8930609e6912f763405fbb7e1d4bbcc
Opcode Fuzzy Hash: 1e9125c67b3ada6ba4e79e6ab97e268edc4fd2dd8881cb79c92b8fec35e83c32
Instruction Fuzzy Hash: 46B1BF32214685A2FF5ADF22D5463E9B361F78A7C4F800012BB5A471B6EFBDC659C700

Function 000000014006E100 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 000000014006E2D4
SetCurrentDirectoryW.KERNEL32 ref: 000000014006E2E2
GetFileAttributesW.KERNEL32 ref: 000000014006E32F
SetFileAttributesW.KERNEL32 ref: 000000014006E344
SetCurrentDirectoryW.KERNEL32 ref: 000000014006E357
SetCurrentDirectoryW.KERNEL32 ref: 000000014006E369
SetCurrentDirectoryW.KERNEL32 ref: 000000014006E3B7

Strings

*.*, xrefs: 000000014006E36F

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 4cec05aeae9129512035758054a417f42bf25a7416634dd3e13a061e87be96ec
Instruction ID: a030f4c4bc4e340075b6ea39e0d58bd15d95c1e139451ae0ceceae65d56143d2
Opcode Fuzzy Hash: 4cec05aeae9129512035758054a417f42bf25a7416634dd3e13a061e87be96ec
Instruction Fuzzy Hash: 9081A23261478281EB719F12D8983DE63A2F3887C4F648412FB4E476F5EB78C995C340

Function 000000014008C630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNEL32 ref: 000000014008C794

Strings

network, xrefs: 000000014008C719
all, xrefs: 000000014008C6A5
ramdisk, xrefs: 000000014008C735
unknown, xrefs: 000000014008C751
cdrom, xrefs: 000000014008C6C2
removable, xrefs: 000000014008C6E1
fixed, xrefs: 000000014008C6FD

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: DriveType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 338552980-1000479233
Opcode ID: 10a637fbf7cfe25e87106f87b5514fe69afc4316bf76259362f093f0d976959b
Instruction ID: 4892605f173c8fdaa25bbb5fa62cc699f8b7fb117d634b75ae9c3581b0db6440
Opcode Fuzzy Hash: 10a637fbf7cfe25e87106f87b5514fe69afc4316bf76259362f093f0d976959b
Instruction Fuzzy Hash: E8615136214A4192EA62DB17E4807DEA371F79C7C8F944112BB8D476B6EF39CA49CB00

Function 0000000140045490 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 63windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,0000000140034C24,00000000,00000000,000000014001600C), ref: 00000001400454BB
LoadStringW.USER32 ref: 00000001400454D5
MessageBoxW.USER32 ref: 00000001400455A0

Part of subcall function 0000000140019D64: _errno.LIBCMT ref: 0000000140019D89

Strings

Line %d (File "%s"):, xrefs: 000000014004552F
Line %d:, xrefs: 0000000140045521
%s (%d) : ==> %s.: %s %s, xrefs: 00000001400454EB
Error: , xrefs: 0000000140045553
., xrefs: 0000000140045577

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: HandleLoadMessageModuleString_errno
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 34033046-4153970271
Opcode ID: 820f63fb0ecf6ca7051b1ecafc431849f4f2b9ac492c8ff5b160928d82f05987
Instruction ID: 5aa669781f5ea106ba370bae5b1fb43f8874b2983df11647a2cf92c1a9c41130
Opcode Fuzzy Hash: 820f63fb0ecf6ca7051b1ecafc431849f4f2b9ac492c8ff5b160928d82f05987
Instruction Fuzzy Hash: 0F313C31218A8191EB22EB12F8947D97325F758BC0F844026FB8D07AA9DF39C649C740

Function 0000000140056630 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 54windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0000000140056643
GetClassNameW.USER32 ref: 000000014005665A

Part of subcall function 00000001400187BC: _errno.LIBCMT ref: 00000001400187D4

SendMessageW.USER32 ref: 00000001400566EA

Strings

details, xrefs: 0000000140056693
SHELLDLL_DefView, xrefs: 0000000140056660
smallicons, xrefs: 00000001400566AE
list, xrefs: 00000001400566C9
largeicons, xrefs: 0000000140056678

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: ClassMessageNameParentSend_errno
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 2243316544-3381328864
Opcode ID: dca1999c7897a7f8e7ad9a039577972bcb516cf34faab6f7ca2cad55ffe2f513
Instruction ID: f2d167f43ca53fa12038f217fe8c2e1e149c614743d4e4b6ec0c10241274f132
Opcode Fuzzy Hash: dca1999c7897a7f8e7ad9a039577972bcb516cf34faab6f7ca2cad55ffe2f513
Instruction Fuzzy Hash: 4421517131854690FF22DB27E9543EA63A1A788BC8F108026EF0D4B6BAEE39C655C700

Function 00000001400327FC Relevance: 13.8, APIs: 9, Instructions: 256COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000140032824

Part of subcall function 0000000140020B28: DecodePointer.KERNEL32 ref: 0000000140020B4F

__wtomb_environ.LIBCMT ref: 000000014003291D
_errno.LIBCMT ref: 0000000140032927
free.LIBCMT ref: 0000000140032A19
SetEnvironmentVariableA.KERNEL32 ref: 0000000140032B64
_errno.LIBCMT ref: 0000000140032B72
free.LIBCMT ref: 0000000140032B80
free.LIBCMT ref: 0000000140032B8D
free.LIBCMT ref: 0000000140032B9F

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: free$_errno$DecodeEnvironmentPointerVariable__wtomb_environ
String ID:
API String ID: 3451773520-0
Opcode ID: 53d226c17de322b016c28a19cc516a4456de75c18f4c0c83022da97ecf2d1f41
Instruction ID: a30ff842395eea07e4926f374df0446f8e05f679c80a941fe6fbc9a0845b944a
Opcode Fuzzy Hash: 53d226c17de322b016c28a19cc516a4456de75c18f4c0c83022da97ecf2d1f41
Instruction Fuzzy Hash: 7CA1E236701A4042FA63AB27A9103EB6391F74CBD8F548616FB5A4B7F5CF3988959301

Function 000000014005A5A0 Relevance: 13.7, APIs: 9, Instructions: 173COMMON

Download Yara Rule

APIs

InvalidateRect.USER32 ref: 000000014005A695

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: ab721103f676c20aa8999dbed2b0885bef85401188c991ed8c4fd980f4b04c3c
Instruction ID: 79818213c7bdd26eefb0785cfd0465d845059a1320c86133faf3524f84b582b6
Opcode Fuzzy Hash: ab721103f676c20aa8999dbed2b0885bef85401188c991ed8c4fd980f4b04c3c
Instruction Fuzzy Hash: 0B61A43531564483FA66CB2B99847EE2760B78EBC0F248512FF4953BB5DE3EC5469B00

Function 0000000140085680 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 148windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140040510: GetWindowLongPtrW.USER32 ref: 000000014004052D

Part of subcall function 00000001400651E0: GetCursorPos.USER32 ref: 0000000140065203
Part of subcall function 00000001400651E0: ScreenToClient.USER32 ref: 0000000140065227
Part of subcall function 00000001400651E0: GetAsyncKeyState.USER32 ref: 0000000140065271
Part of subcall function 00000001400651E0: GetAsyncKeyState.USER32 ref: 0000000140065282

ImageList_DragLeave.COMCTL32 ref: 0000000140085704
ImageList_EndDrag.COMCTL32 ref: 000000014008570A
ReleaseCapture.USER32 ref: 0000000140085710
SetWindowTextW.USER32 ref: 00000001400857E6
SendMessageW.USER32 ref: 00000001400857FB

Strings

@GUI_DROPID, xrefs: 0000000140085829
@GUI_DRAGFILE, xrefs: 000000014008587C

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 3721556410-2107944366
Opcode ID: 66adb2bfb16c4c9ad71688afd0650c12028353f0106694929eacc013c0bb9b2f
Instruction ID: 51d93ead8af010edd0bfe6b7105ed5fd1efa5d282d7477ed720b4cc401e5187b
Opcode Fuzzy Hash: 66adb2bfb16c4c9ad71688afd0650c12028353f0106694929eacc013c0bb9b2f
Instruction Fuzzy Hash: 0061AA36214A8286EB61EF16E8847DA7761F788BD5F900212FB4A13AB5DF39C585CB00

Function 000000014005B190 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 132windowCOMMON

Download Yara Rule

APIs

SetWindowLongPtrW.USER32 ref: 000000014005B274
SetWindowLongPtrW.USER32 ref: 000000014005B28E
SendMessageW.USER32 ref: 000000014005B2BB
ShowWindow.USER32 ref: 000000014005B2DE
SetWindowPos.USER32 ref: 000000014005B32D

Strings

', xrefs: 000000014005B315

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID: '
API String ID: 3688381893-1997036262
Opcode ID: f014e9c6dfb71e59ac3eeb8eefbb7fb796883d2a761af5f8a9861390d2e8f9c5
Instruction ID: f1c7f6783d3bc5e7cac886569237794dce23f5aba39d0c9fd7e64fb634dc65b7
Opcode Fuzzy Hash: f014e9c6dfb71e59ac3eeb8eefbb7fb796883d2a761af5f8a9861390d2e8f9c5
Instruction Fuzzy Hash: 3C51D336208A44C1E776DB2BA4957EE2BA0F38DBD4F544501EF5A437B4DA3AD942C700

Function 000000014005C650 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 125networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET ref: 000000014005C6B1
HttpOpenRequestW.WININET ref: 000000014005C6FD
InternetQueryOptionW.WININET ref: 000000014005C762
InternetSetOptionW.WININET ref: 000000014005C782
HttpSendRequestW.WININET ref: 000000014005C798
HttpQueryInfoW.WININET ref: 000000014005C7E9

Part of subcall function 0000000140051E30: GetLastError.KERNEL32 ref: 0000000140051E4C

Strings

, xrefs: 000000014005C7DE

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: HttpInternet$OptionQueryRequest$ConnectErrorInfoLastOpenSend
String ID:
API String ID: 1291720006-3916222277
Opcode ID: a566e48f0363e72b43e417d706de7366f2ab49c69cbb633bcdaa59a3bec41a29
Instruction ID: 4512a116ec5086c090f31aeb69c9bd270e48586d574499e2180d614d27683103
Opcode Fuzzy Hash: a566e48f0363e72b43e417d706de7366f2ab49c69cbb633bcdaa59a3bec41a29
Instruction Fuzzy Hash: C55181326147858AEB61CB12E454BEEB3A1F78DBC8F544022EF8907B65DF39C459CB40

Function 00000001400445D0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 70windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400187BC: _errno.LIBCMT ref: 00000001400187D4

LoadIconW.USER32 ref: 0000000140044691

Strings

warning, xrefs: 0000000140044676
blank, xrefs: 0000000140044605
question, xrefs: 0000000140044640
info, xrefs: 0000000140044625
stop, xrefs: 000000014004465B

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: IconLoad_errno
String ID: blank$info$question$stop$warning
API String ID: 2916566271-404129466
Opcode ID: 578d9c8944904c804782a305f51f4301e190eb9589e7cb631833b93add1c9005
Instruction ID: 4521118d0da61b2cef3e7498f6bcecc8594d9f12e4b9f26d3bfde5a0dffa555d
Opcode Fuzzy Hash: 578d9c8944904c804782a305f51f4301e190eb9589e7cb631833b93add1c9005
Instruction Fuzzy Hash: 82215C3120878091EB66AB17E4403EA6362B39D7C4F664435FF49077B6DBBDD890C706

Function 00000001400420D0 Relevance: 12.0, APIs: 8, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00000001400420E9
VariantClear.OLEAUT32 ref: 00000001400420F6
VariantClear.OLEAUT32 ref: 0000000140042103
VariantClear.OLEAUT32 ref: 0000000140042110
VariantClear.OLEAUT32 ref: 000000014004211D
VariantClear.OLEAUT32 ref: 0000000140042127
VariantClear.OLEAUT32 ref: 0000000140042134
VariantClear.OLEAUT32 ref: 0000000140042141

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 3f177f2e05eb5b4e4af0bb14e7ff3740854978524cce031e0ebe3adc87388b09
Instruction ID: 77904a91f918d551a4e9879198c1ab35730394ab54acfba456e15547fcf5b338
Opcode Fuzzy Hash: 3f177f2e05eb5b4e4af0bb14e7ff3740854978524cce031e0ebe3adc87388b09
Instruction Fuzzy Hash: 2D01443122498ED2EB42AF37E8543D97B64F79AB89F484035E74A4B079DF34C84AC354

Function 00000001400584F0 Relevance: 10.7, APIs: 7, Instructions: 213COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140058260: DeleteObject.GDI32 ref: 00000001400582BD
Part of subcall function 0000000140058260: ExtCreatePen.GDI32 ref: 0000000140058307
Part of subcall function 0000000140058260: SelectObject.GDI32 ref: 000000014005831A
Part of subcall function 0000000140058260: BeginPath.GDI32 ref: 0000000140058333
Part of subcall function 0000000140058260: SelectObject.GDI32 ref: 0000000140058361

SetPixel.GDI32 ref: 00000001400585EF
Rectangle.GDI32 ref: 0000000140058688
MoveToEx.GDI32 ref: 000000014005869E
AngleArc.GDI32 ref: 00000001400586EF
LineTo.GDI32 ref: 00000001400586FD
CloseFigure.GDI32 ref: 0000000140058706
Ellipse.GDI32 ref: 000000014005877B

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
String ID:
API String ID: 4082120231-0
Opcode ID: ab2f7d23ff055d6fcb9baee0b8aea1a0ddd5de4ce58c168536b127fc3c96c434
Instruction ID: 440b798c229a937cd25fa25f2269feda0a98d84925787f4f5e9e42b2d496818d
Opcode Fuzzy Hash: ab2f7d23ff055d6fcb9baee0b8aea1a0ddd5de4ce58c168536b127fc3c96c434
Instruction Fuzzy Hash: B9919D722186848BE776CF16E444B9ABBA0F389BD4F445109FF8A13BA5DB39D546CF00

Function 000000014007C5E0 Relevance: 10.7, APIs: 7, Instructions: 203registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32 ref: 000000014007C726
RegOpenKeyExW.ADVAPI32 ref: 000000014007C785
RegDeleteValueW.ADVAPI32 ref: 000000014007C7F2
RegCloseKey.ADVAPI32 ref: 000000014007C852
RegCloseKey.ADVAPI32 ref: 000000014007C8DC

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Close$ConnectDeleteOpenRegistryValue
String ID:
API String ID: 1762992421-0
Opcode ID: 5de0bd725930cb11fb27ec8f78a2c34bd8ccb8d525622236ddff0edad118dff4
Instruction ID: 4ceb132776b653923f66244e72f10461d38396a16d9eff0eea3077b9aed00fa4
Opcode Fuzzy Hash: 5de0bd725930cb11fb27ec8f78a2c34bd8ccb8d525622236ddff0edad118dff4
Instruction Fuzzy Hash: 36915F72328A8485EB61DF26E4917EE6361F789BC0F408416FB8E87A66CF39C555CB40

Function 0000000140050570 Relevance: 10.6, APIs: 7, Instructions: 111windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00000001400505B3
GetWindowLongW.USER32 ref: 000000014005063D
SendMessageW.USER32 ref: 0000000140050683
SendMessageW.USER32 ref: 00000001400506B2
GetWindowLongW.USER32 ref: 00000001400506C9
SetWindowLongPtrW.USER32 ref: 00000001400506ED

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: LongMessageSendWindow
String ID:
API String ID: 3360111000-0
Opcode ID: ad0261938798bc5e4a534e0e750e8781ca9e3ec59fdcfa25101fa5b9e63e0033
Instruction ID: 0706e1a808117a2cb8884eb702324a94a12dc14d2d99e8368017fbbaa30e3ce5
Opcode Fuzzy Hash: ad0261938798bc5e4a534e0e750e8781ca9e3ec59fdcfa25101fa5b9e63e0033
Instruction Fuzzy Hash: E1410236255A9581EB25CF1BE9907A977A1F3C8FD4F644211EB1E47BB4CF3AC8918301

Function 0000000140053690 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 67filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00000001400536B7
CreatePipe.KERNEL32 ref: 00000001400536F2
GetStdHandle.KERNEL32 ref: 0000000140053707
CreateFileW.KERNEL32 ref: 000000014005375B
~SyncLockT.VCCORLIB ref: 000000014005378D

Strings

nul, xrefs: 0000000140053739

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: CreateHandle$FileLockPipeSync
String ID: nul
API String ID: 3087477490-2873401336
Opcode ID: 1ba7d7e733bfaf5f2644e33e1198b58ce882156c47f9708a8dc0f33037ae8ad2
Instruction ID: a658fcd7ed67aec0375bc38062b74b648f782480dfa2149e1461b62beaf8494e
Opcode Fuzzy Hash: 1ba7d7e733bfaf5f2644e33e1198b58ce882156c47f9708a8dc0f33037ae8ad2
Instruction Fuzzy Hash: 1A314D72614A0982EB228B26E4147EA23A0B75DBF8F544718FBB9077F4DB7EC4458740

Function 00000001400537A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 67filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00000001400537C5
CreatePipe.KERNEL32 ref: 0000000140053800
GetStdHandle.KERNEL32 ref: 0000000140053813
CreateFileW.KERNEL32 ref: 0000000140053867
~SyncLockT.VCCORLIB ref: 0000000140053899

Strings

nul, xrefs: 0000000140053845

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: CreateHandle$FileLockPipeSync
String ID: nul
API String ID: 3087477490-2873401336
Opcode ID: c82ee7c9f24bdc3b5c9aafed061de953079ab855d2cf62d5ceba594b807f0cbd
Instruction ID: e8030097f2dc1946c54fac4ceba1dedf3e37d218a291983f01a424825aa40858
Opcode Fuzzy Hash: c82ee7c9f24bdc3b5c9aafed061de953079ab855d2cf62d5ceba594b807f0cbd
Instruction Fuzzy Hash: 4B318FB1614B4982FB268B26E4143A963A0BB8DBF8F504714FB79077E5DF3EC4058740

Function 00000001400211E8 Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

_FF_MSGBANNER.LIBCMT ref: 000000014002120F

Part of subcall function 0000000140020E54: GetModuleFileNameA.KERNEL32(?,?,?,?,?,00000001400210B0,?,?,?,?,0000000140021214,?,?,?,00000001400212F3), ref: 0000000140020F17

Part of subcall function 0000000140018A10: ExitProcess.KERNEL32 ref: 0000000140018A1F

Part of subcall function 000000014001FA24: malloc.LIBCMT ref: 000000014001FA43
Part of subcall function 000000014001FA24: Sleep.KERNEL32(?,?,00000000,0000000140021249,?,?,?,00000001400212F3,?,?,?,?,?,?,00000000,000000014001F7D8), ref: 000000014001FA5A

_errno.LIBCMT ref: 0000000140021251
_lock.LIBCMT ref: 0000000140021265
free.LIBCMT ref: 0000000140021287
_errno.LIBCMT ref: 000000014002128C
LeaveCriticalSection.KERNEL32(?,?,?,00000001400212F3,?,?,?,?,?,?,00000000,000000014001F7D8), ref: 00000001400212B2

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: _errno$CriticalExitFileLeaveModuleNameProcessSectionSleep_lockfreemalloc
String ID:
API String ID: 1024173049-0
Opcode ID: c96f470f61e433ff1d967da93f153254ccaf3dd8c8ed3d972f48f01616ddc94e
Instruction ID: 5e32005ff4eb50b56bc0b79fe555f02270a5893e8c5ae4fc4c9a7e997324dc27
Opcode Fuzzy Hash: c96f470f61e433ff1d967da93f153254ccaf3dd8c8ed3d972f48f01616ddc94e
Instruction Fuzzy Hash: FD219D3161064182F663AB93A4443EA23A5EBED7C4F544128FB46876E6CF38CC948341

Function 0000000140043160 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32 ref: 0000000140043180
gethostname.WSOCK32 ref: 0000000140043197
gethostbyname.WSOCK32 ref: 00000001400431A1
inet_ntoa.WSOCK32 ref: 00000001400431FD
WSACleanup.WSOCK32 ref: 0000000140043232

Strings

0.0.0.0, xrefs: 00000001400431CD

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: CleanupStartupgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 348263315-3771769585
Opcode ID: f4e18f34c4358c25edf2a8ff663b67603b27169fac9407bc2fc86324afd05ba3
Instruction ID: 968079aca6cd486708a65a1c4036f613f73c2b676602d8a0103b6b58aa032a44
Opcode Fuzzy Hash: f4e18f34c4358c25edf2a8ff663b67603b27169fac9407bc2fc86324afd05ba3
Instruction Fuzzy Hash: 45215C3130468481FA76AB63E5913ED6361AB9C7C0F905122BF490B6FADE7DC6458B14

Function 00000001400471C0 Relevance: 10.6, APIs: 7, Instructions: 51threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140046FC0: GetProcessHeap.KERNEL32 ref: 0000000140046FC4

GetCurrentProcess.KERNEL32 ref: 00000001400471EF
GetCurrentProcess.KERNEL32 ref: 00000001400471F8
DuplicateHandle.KERNEL32 ref: 000000014004721C
GetCurrentProcess.KERNEL32 ref: 0000000140047222
GetCurrentProcess.KERNEL32 ref: 000000014004722B
DuplicateHandle.KERNEL32 ref: 0000000140047251
CreateThread.KERNEL32 ref: 0000000140047278

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Process$Current$DuplicateHandle$CreateHeapThread
String ID:
API String ID: 3687779319-0
Opcode ID: 5ba2ea57d17b23fcf8d9358a165c4dbdb860a120cf48001cce228cf202b39c28
Instruction ID: b5684ffb80be4098f10a2f1e4953b29f2b7887ac2f557aa3afcfa5f3c5f832b9
Opcode Fuzzy Hash: 5ba2ea57d17b23fcf8d9358a165c4dbdb860a120cf48001cce228cf202b39c28
Instruction Fuzzy Hash: 28210876514B8087E7119F66E44839A7760F389BD6F454119EF8903B65DF3CC249CB44

Function 000000014008E1C0 Relevance: 9.1, APIs: 6, Instructions: 142windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014007F5E0: IsWindow.USER32 ref: 000000014007F62B

GetMenu.USER32 ref: 000000014008E24C
GetMenuItemCount.USER32 ref: 000000014008E275
GetMenuStringW.USER32 ref: 000000014008E2A5
GetMenuItemID.USER32 ref: 000000014008E30E
GetSubMenu.USER32 ref: 000000014008E31F
PostMessageW.USER32 ref: 000000014008E395

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Menu$Item$CountMessagePostStringWindow
String ID:
API String ID: 3481743490-0
Opcode ID: bb4f670a99e464478fbf082a5ad55ce4bc19da9eef938eff389ea036c952732c
Instruction ID: 635701b7551cdb3c71edcf00bcef08e1dc9bb3143c7a724e153b4fdd0ce706bc
Opcode Fuzzy Hash: bb4f670a99e464478fbf082a5ad55ce4bc19da9eef938eff389ea036c952732c
Instruction Fuzzy Hash: C5517D3230468086EB66EF17E8447EEA7A4F78DBD4F444421BF8A577A6DF38C6818700

Function 000000014002044C Relevance: 9.1, APIs: 6, Instructions: 122COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 000000014002046B

Part of subcall function 0000000140020088: _getptd.LIBCMT ref: 0000000140020092

Part of subcall function 0000000140020144: GetOEMCP.KERNEL32 ref: 000000014002016E

Part of subcall function 000000014001FA24: malloc.LIBCMT ref: 000000014001FA43
Part of subcall function 000000014001FA24: Sleep.KERNEL32(?,?,00000000,0000000140021249,?,?,?,00000001400212F3,?,?,?,?,?,?,00000000,000000014001F7D8), ref: 000000014001FA5A

free.LIBCMT ref: 00000001400204F7

Part of subcall function 00000001400198F8: RtlFreeHeap.NTDLL(?,?,00000000,000000014001F7EC,?,?,?,0000000140020C01,?,?,?,?,0000000140019776), ref: 000000014001990E
Part of subcall function 00000001400198F8: _errno.LIBCMT ref: 0000000140019918
Part of subcall function 00000001400198F8: GetLastError.KERNEL32(?,?,00000000,000000014001F7EC,?,?,?,0000000140020C01,?,?,?,?,0000000140019776), ref: 0000000140019920

_lock.LIBCMT ref: 000000014002052F
free.LIBCMT ref: 00000001400205DF
free.LIBCMT ref: 000000014002060F
_errno.LIBCMT ref: 0000000140020614

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: free$_errno_getptd$ErrorFreeHeapLastSleep_lockmalloc
String ID:
API String ID: 2878544890-0
Opcode ID: 8ff17e622c29b8de5d2046a920bddfc35118928f9875a0b2d51c970e41b6f824
Instruction ID: 8ed5dfb0b3bbcf63d7c09a2a93ac69fb71be2a5f4e3b875c2269226ad1279f0a
Opcode Fuzzy Hash: 8ff17e622c29b8de5d2046a920bddfc35118928f9875a0b2d51c970e41b6f824
Instruction Fuzzy Hash: CF517172600B8086E7569B67E4403EAB7A1F79DBD4F14421AFB9A477B6CB78CC41CB10

Function 0000000140059000 Relevance: 9.1, APIs: 6, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140040510: GetWindowLongPtrW.USER32 ref: 000000014004052D

BeginPaint.USER32 ref: 0000000140059049
GetWindowRect.USER32 ref: 00000001400590BB
ScreenToClient.USER32 ref: 00000001400590E4
SetViewportOrgEx.GDI32 ref: 00000001400590FF
Rectangle.GDI32 ref: 0000000140059169
EndPaint.USER32 ref: 00000001400591C1

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
String ID:
API String ID: 2592858361-0
Opcode ID: 3194b080c7df2b7ebc1a71f3a66dc3246617f44d0543e252109aa9614c146328
Instruction ID: 46ecf230fff1a486456c40586f1a2d952eef527681aca0d0f80661434d67bd19
Opcode Fuzzy Hash: 3194b080c7df2b7ebc1a71f3a66dc3246617f44d0543e252109aa9614c146328
Instruction Fuzzy Hash: 0F519D36214B918AEB21DF27E8487DA77A0F388BD4F544125EF6907BA5CF3AC9458B40

Function 000000014001C23C Relevance: 9.1, APIs: 6, Instructions: 68threadCOMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000014001C265

Part of subcall function 0000000140020B28: DecodePointer.KERNEL32 ref: 0000000140020B4F

_getptd.LIBCMT ref: 000000014001C2A5
CreateThread.KERNEL32 ref: 000000014001C2E3
GetLastError.KERNEL32 ref: 000000014001C2F5
free.LIBCMT ref: 000000014001C300
ResumeThread.KERNEL32 ref: 000000014001C332

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Thread$CreateDecodeErrorLastPointerResume_errno_getptdfree
String ID:
API String ID: 4249098642-0
Opcode ID: 526b5957826d1b01d0b31a5701d75ba6af42389b930556506b3c7d0d86122c31
Instruction ID: b743655ba3397e17f2108b0e17856310ffa00c8f894248fcd0c63c45afbd1db1
Opcode Fuzzy Hash: 526b5957826d1b01d0b31a5701d75ba6af42389b930556506b3c7d0d86122c31
Instruction Fuzzy Hash: BF218131211B8086EB569BA7A5417DD7290BB4CBD0F184629BF6907BE6DF39C4108300

Function 000000014002F6D8 Relevance: 9.1, APIs: 6, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

__initconout.LIBCMT ref: 000000014002F706

Part of subcall function 0000000140030A94: CreateFileA.KERNEL32 ref: 0000000140030ABD

WriteConsoleW.KERNEL32 ref: 000000014002F732
GetLastError.KERNEL32 ref: 000000014002F74D
GetConsoleOutputCP.KERNEL32 ref: 000000014002F75F
WideCharToMultiByte.KERNEL32 ref: 000000014002F792
WriteConsoleA.KERNEL32 ref: 000000014002F7B8

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Console$Write$ByteCharCreateErrorFileLastMultiOutputWide__initconout
String ID:
API String ID: 2210154019-0
Opcode ID: 4b7f7081cf3c44c14dcb4bfcf007d2921f261ea3bd48b08fa75c9646548b36b4
Instruction ID: 9376c8e5b2b8aadb00075756022f1e3285aada0649fdbda0e557f6c1ad28d592
Opcode Fuzzy Hash: 4b7f7081cf3c44c14dcb4bfcf007d2921f261ea3bd48b08fa75c9646548b36b4
Instruction Fuzzy Hash: 34310932218A4582EB52DF66E4143A663B0E7897F4F500319F76947AF4DBB8C945DB00

Function 000000014005E140 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 000000014005E181
GetDeviceCaps.GDI32 ref: 000000014005E192
GetDeviceCaps.GDI32 ref: 000000014005E1A2
ReleaseDC.USER32 ref: 000000014005E1AF
MulDiv.KERNEL32 ref: 000000014005E1C3
MulDiv.KERNEL32 ref: 000000014005E1D6

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 344333f7b07d3095856b37051708a4f1206ba8449119e25c1078466e355cb992
Instruction ID: 5f231f0b18b35bdc6bd023420baead0f928a3c528a5ec12b72d3a1464f13ec67
Opcode Fuzzy Hash: 344333f7b07d3095856b37051708a4f1206ba8449119e25c1078466e355cb992
Instruction Fuzzy Hash: 8E115E75710B508AEB09DF66A84835A76A2F78CFC1F148029EF4A47BA5DF3DC801C704

Function 0000000140058390 Relevance: 9.0, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140058260: DeleteObject.GDI32 ref: 00000001400582BD
Part of subcall function 0000000140058260: ExtCreatePen.GDI32 ref: 0000000140058307
Part of subcall function 0000000140058260: SelectObject.GDI32 ref: 000000014005831A
Part of subcall function 0000000140058260: BeginPath.GDI32 ref: 0000000140058333
Part of subcall function 0000000140058260: SelectObject.GDI32 ref: 0000000140058361

MoveToEx.GDI32 ref: 00000001400583DE
LineTo.GDI32 ref: 00000001400583ED
MoveToEx.GDI32 ref: 00000001400583FF
LineTo.GDI32 ref: 000000014005840E
EndPath.GDI32 ref: 0000000140058420
StrokePath.GDI32 ref: 0000000140058430

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
String ID:
API String ID: 372113273-0
Opcode ID: ef9c147e76c687219620544fe7aafc96d98f0057b6a7a7bd37fd9f1270c65317
Instruction ID: b3490caea7568cb8add0e6ee3440e9f7574128c316902cf6f24e2106077bd438
Opcode Fuzzy Hash: ef9c147e76c687219620544fe7aafc96d98f0057b6a7a7bd37fd9f1270c65317
Instruction Fuzzy Hash: F6119E3532069282F7158B1BB818BD97B60FB89BD4F485511EF1203BB0CFB9C889CB40

Function 000000014001F780 Relevance: 9.0, APIs: 6, Instructions: 37threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0000000140020C01,?,?,?,?,0000000140019776,?,?,?,0000000140018927), ref: 000000014001F78A
FlsGetValue.KERNEL32(?,?,?,0000000140020C01,?,?,?,?,0000000140019776,?,?,?,0000000140018927), ref: 000000014001F798
SetLastError.KERNEL32(?,?,?,0000000140020C01,?,?,?,?,0000000140019776,?,?,?,0000000140018927), ref: 000000014001F7F0

Part of subcall function 000000014001FA90: Sleep.KERNEL32(?,?,?,000000014001F7B3,?,?,?,0000000140020C01,?,?,?,?,0000000140019776), ref: 000000014001FAD5

FlsSetValue.KERNEL32(?,?,?,0000000140020C01,?,?,?,?,0000000140019776,?,?,?,0000000140018927), ref: 000000014001F7C4
free.LIBCMT ref: 000000014001F7E7

Part of subcall function 000000014001F6CC: _lock.LIBCMT ref: 000000014001F71C
Part of subcall function 000000014001F6CC: _lock.LIBCMT ref: 000000014001F73C

GetCurrentThreadId.KERNEL32 ref: 000000014001F7D8

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: ErrorLastValue_lock$CurrentSleepThreadfree
String ID:
API String ID: 3106088686-0
Opcode ID: 9d4d2d9982d89b6385ccc8b6d86932fe5950d620a9a2152ea353dda8eb706add
Instruction ID: 1a5f8c09d0ba321fd81f389886759326ddb03da19d0194de673600e449f04133
Opcode Fuzzy Hash: 9d4d2d9982d89b6385ccc8b6d86932fe5950d620a9a2152ea353dda8eb706add
Instruction Fuzzy Hash: 15014434205B4182FB17AF7BA4543F96291AB4C7E0F184624FB264B3F6EE3CC444D610

Function 000000014006F780 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 151shareCOMMON

Download Yara Rule

APIs

WNetUseConnectionW.MPR ref: 000000014006F8B2

Strings

LPT, xrefs: 000000014006F7F8
*, xrefs: 000000014006F829
*, xrefs: 000000014006F953
*, xrefs: 000000014006F83A

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Connection
String ID: *$*$*$LPT
API String ID: 1722446006-1879499292
Opcode ID: dd745dea707afe2c307b2f564db85dd2f723e8466ad2614e3bba197f5a6669e8
Instruction ID: 6b9a8050798a24b5280e6102e4d772cd19ccd928de4c15d0014323c390ab1e1c
Opcode Fuzzy Hash: dd745dea707afe2c307b2f564db85dd2f723e8466ad2614e3bba197f5a6669e8
Instruction Fuzzy Hash: 2D51C13220468095EB62DB17E8947EE67A2F789BD0F208815FF4D0B7A5DF75C481C700

Function 00000001400503A0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 76windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 0000000140050468
LoadLibraryW.KERNEL32 ref: 0000000140050475
SendMessageW.USER32 ref: 0000000140050493
DestroyWindow.USER32 ref: 00000001400504A1

Strings

SysAnimate32, xrefs: 000000014005042C

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 1abdfb938aec0e01c0fc04d7fdb33439ca826fcd1751bdaa7036f3d3c41956e7
Instruction ID: 9fbb15ac0085dc3de819db33869d8796ea941e3f8245dbe0c98e011f8ffd97c7
Opcode Fuzzy Hash: 1abdfb938aec0e01c0fc04d7fdb33439ca826fcd1751bdaa7036f3d3c41956e7
Instruction Fuzzy Hash: E4316F7220569087EB61DF26E48079E77A1F389BE0F504615FB9947BA8DB3DC845CF40

Function 000000014002C4E4 Relevance: 8.8, APIs: 7, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 000000014002C502

Part of subcall function 00000001400198F8: RtlFreeHeap.NTDLL(?,?,00000000,000000014001F7EC,?,?,?,0000000140020C01,?,?,?,?,0000000140019776), ref: 000000014001990E
Part of subcall function 00000001400198F8: _errno.LIBCMT ref: 0000000140019918
Part of subcall function 00000001400198F8: GetLastError.KERNEL32(?,?,00000000,000000014001F7EC,?,?,?,0000000140020C01,?,?,?,?,0000000140019776), ref: 0000000140019920

free.LIBCMT ref: 000000014002C514
free.LIBCMT ref: 000000014002C526
free.LIBCMT ref: 000000014002C538
free.LIBCMT ref: 000000014002C54A
free.LIBCMT ref: 000000014002C55C
free.LIBCMT ref: 000000014002C56E

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: c7b6812ee0931a26b1d29c1b3d094af4d7c81a48c8b2cbc634e1b4c2c3a9e714
Instruction ID: 162fde003655eaeb578c2fe56de70f52f26702f9221a9558181e48492f8daf0b
Opcode Fuzzy Hash: c7b6812ee0931a26b1d29c1b3d094af4d7c81a48c8b2cbc634e1b4c2c3a9e714
Instruction Fuzzy Hash: 0501C576620D6091EB92EBA7D492BF82360E78DBC0F841401B71F9B9B6CE75D8C08312

Function 0000000140073780 Relevance: 7.7, APIs: 5, Instructions: 208windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 0000000140073AA5

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 55252951109a0c8608fbe7c42b26baee2d8054ee1ff143c1ab2667d4da9ec042
Instruction ID: fa24312d91335974dedd97362a8f6b0a8a78b85d24116c7968ba4275b26df56f
Opcode Fuzzy Hash: 55252951109a0c8608fbe7c42b26baee2d8054ee1ff143c1ab2667d4da9ec042
Instruction Fuzzy Hash: AA916D7660468595FBA68F17D4853EE27A1F38DBD4F645132FB8A877B4CA38C481C342

Function 0000000140028768 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00000001400287A2
_set_statfp.LIBCMT ref: 00000001400287C0
_set_statfp.LIBCMT ref: 00000001400287E9
_set_statfp.LIBCMT ref: 00000001400289A8

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 96cf2b8c7795dc6e05e97eb80ef0a94d90a236180543177a51fffb864edb12e4
Instruction ID: 6bd732c433e5b84a74b4d8c871d04a5e14d5b1ea9c19ed02a3ca33343899ad14
Opcode Fuzzy Hash: 96cf2b8c7795dc6e05e97eb80ef0a94d90a236180543177a51fffb864edb12e4
Instruction Fuzzy Hash: 5351F43A615D4885F637DF36A8503EAA360BB597D0F58820DBF96275F0EF348C868B01

Function 00000001400757C0 Relevance: 7.6, APIs: 5, Instructions: 142libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 000000014007583D
GetProcAddress.KERNEL32 ref: 00000001400758F4
GetProcAddress.KERNEL32 ref: 0000000140075918
GetProcAddress.KERNEL32 ref: 000000014007596F
FreeLibrary.KERNEL32 ref: 0000000140075991

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: AddressProc$Library$FreeLoad
String ID:
API String ID: 2449869053-0
Opcode ID: e84f40430b85bc046d41e94b1ed097989502e253f87c23d08a599b2437c381d4
Instruction ID: 9a5e752445b581816eea43dcef6ecc35ba82b668d7db829d968f7e5f5598ceed
Opcode Fuzzy Hash: e84f40430b85bc046d41e94b1ed097989502e253f87c23d08a599b2437c381d4
Instruction Fuzzy Hash: 45514636210A8482EA22EF27E8917ED63A5F78DBC4F458412FB8E477A6DF38C541C340

Function 000000014007C100 Relevance: 7.6, APIs: 5, Instructions: 139registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32 ref: 000000014007C23C
RegOpenKeyExW.ADVAPI32 ref: 000000014007C27D
RegEnumValueW.ADVAPI32 ref: 000000014007C2E3
RegCloseKey.ADVAPI32 ref: 000000014007C32F
RegCloseKey.ADVAPI32 ref: 000000014007C33F

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Close$ConnectEnumOpenRegistryValue
String ID:
API String ID: 1413298697-0
Opcode ID: ed4c473b2fd20b758d58922a2fe7540fbf4f5c1cbea3d60bcf8f0213d002e71e
Instruction ID: cfc5665aea3a325789cdf31f08433024ff9a234f3ce6e0bfb158ab6bce2e0dba
Opcode Fuzzy Hash: ed4c473b2fd20b758d58922a2fe7540fbf4f5c1cbea3d60bcf8f0213d002e71e
Instruction Fuzzy Hash: 6D610A72218A8581EB61DB66F4517DEA364F7C97C4F408126FB8D47AAADF3CC549CB00

Function 000000014007C380 Relevance: 7.6, APIs: 5, Instructions: 132registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32 ref: 000000014007C4A8
RegOpenKeyExW.ADVAPI32 ref: 000000014007C4E9
RegEnumKeyExW.ADVAPI32 ref: 000000014007C552
RegCloseKey.ADVAPI32 ref: 000000014007C588
RegCloseKey.ADVAPI32 ref: 000000014007C598

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Close$ConnectEnumOpenRegistry
String ID:
API String ID: 3776047136-0
Opcode ID: 559ec7fcede113a896ec75aa68be989d1142a0b832c0bd4fb9a6ae8ad85fca3e
Instruction ID: 10788de8f2d0ea7cb8e7e7d0cda9093736e0c02fb67fb4caabceb214ae5532be
Opcode Fuzzy Hash: 559ec7fcede113a896ec75aa68be989d1142a0b832c0bd4fb9a6ae8ad85fca3e
Instruction Fuzzy Hash: 8F512D32218A8581EB61DB66F4517EEA764F7C9BD4F404112BB8D47ABACF7CC585CB00

Function 000000014007D810 Relevance: 7.6, APIs: 5, Instructions: 132networkCOMMON

Download Yara Rule

APIs

select.WSOCK32 ref: 000000014007D8D0
WSAGetLastError.WSOCK32 ref: 000000014007D8DA

Part of subcall function 0000000140018908: malloc.LIBCMT ref: 0000000140018922

__WSAFDIsSet.WSOCK32 ref: 000000014007D907
#16.WSOCK32 ref: 000000014007D920
WSAGetLastError.WSOCK32 ref: 000000014007D9BF

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: ErrorLast$mallocselect
String ID:
API String ID: 3549979093-0
Opcode ID: 650a729477236237a562f73fdfe359701e326ad9f04a91d755e2f037c0baa14d
Instruction ID: 9971d02817a7a3d5c1839799a0224627de05c7fbfae65be65248aff813707e4f
Opcode Fuzzy Hash: 650a729477236237a562f73fdfe359701e326ad9f04a91d755e2f037c0baa14d
Instruction Fuzzy Hash: A551A33271464082EBA5EB27E4547EE73A5E789BD0F548223FF99477EADE38C5418700

Function 00000001400651E0 Relevance: 7.6, APIs: 5, Instructions: 103keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 0000000140065203
ScreenToClient.USER32 ref: 0000000140065227
GetAsyncKeyState.USER32 ref: 0000000140065271
GetAsyncKeyState.USER32 ref: 0000000140065282
GetWindowLongW.USER32 ref: 00000001400652DF

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: AsyncState$ClientCursorLongScreenWindow
String ID:
API String ID: 3539004672-0
Opcode ID: 683444be45b974d96882ca4d97d60832c6d2aaa71f28c22b3f848ed8b10da3c1
Instruction ID: 77fb16ad26f6edb18f02381a5f69527e88a9d2a1d7b36c12fece34c78d8c01e7
Opcode Fuzzy Hash: 683444be45b974d96882ca4d97d60832c6d2aaa71f28c22b3f848ed8b10da3c1
Instruction Fuzzy Hash: 5441DF362046808BD76AAB76D9443DEB751F799BE4F244614FFA8077E4CB78D864CB00

Function 000000014006D450 Relevance: 7.6, APIs: 5, Instructions: 89COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32 ref: 000000014006D4E1
GetPrivateProfileSectionW.KERNEL32 ref: 000000014006D512
WritePrivateProfileSectionW.KERNEL32 ref: 000000014006D556
WritePrivateProfileStringW.KERNEL32 ref: 000000014006D576
WritePrivateProfileStringW.KERNEL32 ref: 000000014006D588

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 8327f882b7dce6d235507ba09db23577f09e435ada635fa2d55841bd77459e45
Instruction ID: b4e061bdd564d407787b29aebf5f88e16d800b9f30588eed674e939f63238dce
Opcode Fuzzy Hash: 8327f882b7dce6d235507ba09db23577f09e435ada635fa2d55841bd77459e45
Instruction Fuzzy Hash: E3415A32614A8182EB25DF27E8947DA6365F78CBD4F948422EB8D87B65CF39C541C710

Function 00000001400184D4 Relevance: 7.6, APIs: 5, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,00000001400185E5,?,?,?,?,0000000140018979), ref: 00000001400184FD
DecodePointer.KERNEL32(?,?,?,00000001400185E5,?,?,?,?,0000000140018979), ref: 000000014001850C

Part of subcall function 000000014001FC24: _errno.LIBCMT ref: 000000014001FC2D

EncodePointer.KERNEL32(?,?,?,00000001400185E5,?,?,?,?,0000000140018979), ref: 0000000140018589

Part of subcall function 000000014001FB14: realloc.LIBCMT ref: 000000014001FB3F
Part of subcall function 000000014001FB14: Sleep.KERNEL32(?,?,00000000,0000000140018579,?,?,?,00000001400185E5,?,?,?,?,0000000140018979), ref: 000000014001FB5B

EncodePointer.KERNEL32(?,?,?,00000001400185E5,?,?,?,?,0000000140018979), ref: 0000000140018598
EncodePointer.KERNEL32(?,?,?,00000001400185E5,?,?,?,?,0000000140018979), ref: 00000001400185A4

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Pointer$Encode$Decode$Sleep_errnorealloc
String ID:
API String ID: 1310268301-0
Opcode ID: b99867acffb28a9b7b9cf8f88a247ad3ee66aca2c2c08ab72e30faf17da8c597
Instruction ID: 2331aaf70dccf361abdf9cd899ca5f2284bc77e7e8a7ad6957bf3bbcd8b2cb61
Opcode Fuzzy Hash: b99867acffb28a9b7b9cf8f88a247ad3ee66aca2c2c08ab72e30faf17da8c597
Instruction Fuzzy Hash: 48214F31305A4451FE26EB63E5443EAA292F75CBC4F844826BF4D0F7B6EA7AC581C344

Function 000000014006A260 Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32 ref: 000000014006A292
GetForegroundWindow.USER32 ref: 000000014006A2AB
GetDC.USER32 ref: 000000014006A2F3
GetPixel.GDI32 ref: 000000014006A304
ReleaseDC.USER32 ref: 000000014006A33B

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: c18733ffcbc94db06105f8f27e6e9dd54efbb4857f75460f41cd7119dd3ae091
Instruction ID: 422bfa28d94c9d37a711dc90eab8764aff4ad857c11b6804721b8aab2583250c
Opcode Fuzzy Hash: c18733ffcbc94db06105f8f27e6e9dd54efbb4857f75460f41cd7119dd3ae091
Instruction Fuzzy Hash: 38213B76704A4082EB05EF67E8943DAA3A1F7CDBD4F148426EF4A47766CE39C881C740

Function 0000000140058260 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

DeleteObject.GDI32 ref: 00000001400582BD
ExtCreatePen.GDI32 ref: 0000000140058307
SelectObject.GDI32 ref: 000000014005831A
BeginPath.GDI32 ref: 0000000140058333
SelectObject.GDI32 ref: 0000000140058361

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Object$Select$BeginCreateDeletePath
String ID:
API String ID: 2338827641-0
Opcode ID: 020fd284651e3b930a7ac165a90970fa5dc189dc6aac745ec1cf7d95f406fcb3
Instruction ID: 49b032af1517ae84fa68da4b70f104b0cd86519d841796c277cf35020f292a81
Opcode Fuzzy Hash: 020fd284651e3b930a7ac165a90970fa5dc189dc6aac745ec1cf7d95f406fcb3
Instruction Fuzzy Hash: 73316B75615B4086F7A6EF17A85879A7BA0B38CBD2F800619FF55137B0CB39C984CB80

Function 000000014001B4E8 Relevance: 7.6, APIs: 5, Instructions: 68threadCOMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000014001B513

Part of subcall function 0000000140020B28: DecodePointer.KERNEL32 ref: 0000000140020B4F

_getptd.LIBCMT ref: 000000014001B553
CreateThread.KERNEL32 ref: 000000014001B5A8
GetLastError.KERNEL32 ref: 000000014001B5B3
free.LIBCMT ref: 000000014001B5BE

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: CreateDecodeErrorLastPointerThread_errno_getptdfree
String ID:
API String ID: 220819306-0
Opcode ID: e02c22c479a756b37ba2469e1c731f4d0bd423cafc8dcaa8bd25d4ac19e6b59a
Instruction ID: 8f4a7281d0a72e7e770f36814ae9b0ea45fda667290fc46c4c267b9622348bae
Opcode Fuzzy Hash: e02c22c479a756b37ba2469e1c731f4d0bd423cafc8dcaa8bd25d4ac19e6b59a
Instruction Fuzzy Hash: 1821A471204B8086FB16DBA7A9417DAB291FB8CBD0F484225BF5947BE6CF38C451C700

Function 00000001400557C0 Relevance: 7.5, APIs: 5, Instructions: 41keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32 ref: 00000001400557DE
MapVirtualKeyW.USER32 ref: 00000001400557F4
keybd_event.USER32 ref: 0000000140055805
MapVirtualKeyW.USER32 ref: 0000000140055817
keybd_event.USER32 ref: 0000000140055829

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Virtualkeybd_event$State
String ID:
API String ID: 3147574602-0
Opcode ID: 828b1a686058fc7467b87be3b73a36709185aab2671f1600af9c90cb0382e608
Instruction ID: 3420c94aa151237230069d0d2bb29bf8f0df179eea33fd69134cc4bb75a8dd66
Opcode Fuzzy Hash: 828b1a686058fc7467b87be3b73a36709185aab2671f1600af9c90cb0382e608
Instruction Fuzzy Hash: AF01A7367109508AEB599B27B8517DE27A1BBCCBC5F895021BF4603765CF3DC448C740

Function 0000000140071720 Relevance: 7.5, APIs: 5, Instructions: 37windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 000000014007173C
GetWindowTextW.USER32 ref: 0000000140071757
MessageBeep.USER32 ref: 000000014007176C
KillTimer.USER32 ref: 000000014007178F
EndDialog.USER32 ref: 00000001400717AF

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 34d19474ccc83c20d2c372e6b18cd51a176d14692bd16f6e303955c68e089f1a
Instruction ID: a95008af8cc038cb3db71b6bef4e4df3ee121304bcbbceb4870921ffef5a3e7b
Opcode Fuzzy Hash: 34d19474ccc83c20d2c372e6b18cd51a176d14692bd16f6e303955c68e089f1a
Instruction Fuzzy Hash: 5811447120494481EB669F6AF4543E92370F7CCBC4F448121AB8A476F8DF7CC589C740

Function 000000014003F360 Relevance: 7.5, APIs: 5, Instructions: 33COMMON

Download Yara Rule

APIs

EndPath.GDI32 ref: 000000014003F37C
StrokeAndFillPath.GDI32 ref: 000000014003F396
StrokePath.GDI32 ref: 000000014003F3A1
SelectObject.GDI32 ref: 000000014003F3B6
DeleteObject.GDI32 ref: 000000014003F3CB

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: c674af027f64a49aa64d2cee8f841560f52de351d3aca5c88f548ef7f2b19f27
Instruction ID: cd3a0714f1bf63fba1df0d7bf89016d9c76374090cfb4c42ffa201f884d63b27
Opcode Fuzzy Hash: c674af027f64a49aa64d2cee8f841560f52de351d3aca5c88f548ef7f2b19f27
Instruction Fuzzy Hash: 25011E79214B4581FB5B5B1BA8587EA2761778DBE6F544215FA22072F4CB7CC9C49200

Function 0000000140053490 Relevance: 7.5, APIs: 5, Instructions: 32synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,00000001400538F5,?,?,?,?,?,?,?,0000000140002DFD), ref: 00000001400534C1
TerminateThread.KERNEL32(?,?,?,00000001400538F5,?,?,?,?,?,?,?,0000000140002DFD), ref: 00000001400534CD
WaitForSingleObject.KERNEL32(?,?,?,00000001400538F5,?,?,?,?,?,?,?,0000000140002DFD), ref: 00000001400534DC
~SyncLockT.VCCORLIB ref: 00000001400534E6

Part of subcall function 0000000140041FC0: CloseHandle.KERNEL32(?,?,?,00000001400534EB,?,?,?,00000001400538F5,?,?,?,?,?,?,?,0000000140002DFD), ref: 0000000140041FD1

LeaveCriticalSection.KERNEL32(?,?,?,00000001400538F5,?,?,?,?,?,?,?,0000000140002DFD), ref: 00000001400534F2

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: CriticalSection$CloseEnterHandleLeaveLockObjectSingleSyncTerminateThreadWait
String ID:
API String ID: 3142591903-0
Opcode ID: 06c5797fb216afd1ef8b01a56a011ca6c90a5c1e5dc56e9c30e18d03a68b046a
Instruction ID: b41c0e860228252f824f003e70e6e7f03c6688cad32c3a29bf35ce4dd6fa9a4d
Opcode Fuzzy Hash: 06c5797fb216afd1ef8b01a56a011ca6c90a5c1e5dc56e9c30e18d03a68b046a
Instruction Fuzzy Hash: 35012836604B8497EB02DB1AE88439D3360F788B84F540525EB4A47B64CF38D4AAC740

Function 00000001400564A0 Relevance: 7.5, APIs: 5, Instructions: 27threadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32 ref: 00000001400564BD
GetCurrentThreadId.KERNEL32 ref: 00000001400564C5
GetWindowThreadProcessId.USER32 ref: 00000001400564D8
GetCurrentThreadId.KERNEL32 ref: 00000001400564E0
AttachThreadInput.USER32 ref: 00000001400564ED

Part of subcall function 0000000140046820: SendMessageTimeoutW.USER32 ref: 000000014004684C

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Thread$CurrentProcessWindow$AttachInputMessageSendTimeout
String ID:
API String ID: 179993514-0
Opcode ID: 6d1f94df5bd98506c383369e41fceae3703619efcf037e416b08c53206745705
Instruction ID: 7bdfe62d9f2b8a6b891889737f07aeaf02079cd4eb28c0ea49a0230bac6ce5c6
Opcode Fuzzy Hash: 6d1f94df5bd98506c383369e41fceae3703619efcf037e416b08c53206745705
Instruction Fuzzy Hash: A6F01274B6061082FF569BBB7D593E963916B9DBC1F445034AF03433B1DD7E84968B01

Function 000000014006E630 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 218comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 000000014006E6D3
CoCreateInstance.OLE32 ref: 000000014006E6F6
CoUninitialize.OLE32 ref: 000000014006E710

Strings

.lnk, xrefs: 000000014006E669, 000000014006E6C0

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: .lnk
API String ID: 948891078-24824748
Opcode ID: 977feaa21511c50ecd8c4848db3b4b31ece1c9603ffec97a63a85134f913db5b
Instruction ID: df1647bc3ed66ebc5922ed305f87f368052ab95e703e8a9a4c4da2d464aefdf6
Opcode Fuzzy Hash: 977feaa21511c50ecd8c4848db3b4b31ece1c9603ffec97a63a85134f913db5b
Instruction Fuzzy Hash: 81A13576604B8482DB51EF26E48439EABA1F7C9BD4F648412EF8D47B69DF39C488C740

Function 000000014005F2F0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014003F9B0: CreateWindowExW.USER32 ref: 000000014003FA3F
Part of subcall function 000000014003F9B0: GetStockObject.GDI32 ref: 000000014003FA5C
Part of subcall function 000000014003F9B0: SendMessageW.USER32 ref: 000000014003FA6F
Part of subcall function 000000014003F9B0: ShowWindow.USER32 ref: 000000014003FA8C

SendMessageW.USER32 ref: 000000014005F3E4
SetWindowPos.USER32 ref: 000000014005F40D
SendMessageW.USER32 ref: 000000014005F444

Strings

SysMonthCal32, xrefs: 000000014005F377

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: MessageSendWindow$CreateObjectShowStock
String ID: SysMonthCal32
API String ID: 3887885108-1439706946
Opcode ID: b96c076ef22ac4373642610b27fb090997c555d56efef221208e4f290e86db98
Instruction ID: 4777b1be074072386f5ec9814b1ed55efe674061b2c8079d2b8e44aa0b821c1a
Opcode Fuzzy Hash: b96c076ef22ac4373642610b27fb090997c555d56efef221208e4f290e86db98
Instruction Fuzzy Hash: 34418F3621478086E731DF16E48079AB7A5F38CBE4F904216EB9953BA9DB7DC481CF40

Function 000000014005F5E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014003F9B0: CreateWindowExW.USER32 ref: 000000014003FA3F
Part of subcall function 000000014003F9B0: GetStockObject.GDI32 ref: 000000014003FA5C
Part of subcall function 000000014003F9B0: SendMessageW.USER32 ref: 000000014003FA6F
Part of subcall function 000000014003F9B0: ShowWindow.USER32 ref: 000000014003FA8C

SendMessageW.USER32 ref: 000000014005F6E1
SendMessageW.USER32 ref: 000000014005F6F5
MoveWindow.USER32 ref: 000000014005F722

Strings

Listbox, xrefs: 000000014005F657

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: MessageSendWindow$CreateMoveObjectShowStock
String ID: Listbox
API String ID: 3566057971-2633736733
Opcode ID: f2b2ec02d9d5bf133f75c2b999a3d38fad0de14c7a0980620f615af746dc0a1d
Instruction ID: fb293a2162744cf136f899a6064634baddc61431ed1a00149635ef9d7f48794b
Opcode Fuzzy Hash: f2b2ec02d9d5bf133f75c2b999a3d38fad0de14c7a0980620f615af746dc0a1d
Instruction Fuzzy Hash: 20315C3620878486E761DF16F480B9AB7A5F38C7E0F504225EB9953BA8DB79C881CB40

Function 000000014005C3D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 79networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET ref: 000000014005C408
HttpSendRequestW.WININET ref: 000000014005C44D
HttpQueryInfoW.WININET ref: 000000014005C49E

Part of subcall function 0000000140051E30: GetLastError.KERNEL32 ref: 0000000140051E4C

Strings

, xrefs: 000000014005C493

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
String ID:
API String ID: 3705125965-3916222277
Opcode ID: 41acc68e243a85b5bd68afe880c3fcc4704447c801eeff676b274b9fe8814776
Instruction ID: 96f0c54efb6abfa11ea6d0d97aa88384563199f4c06df3352b4d228f659cc689
Opcode Fuzzy Hash: 41acc68e243a85b5bd68afe880c3fcc4704447c801eeff676b274b9fe8814776
Instruction Fuzzy Hash: A931C232625A8146FB71DB12E465BEA63A1F799BC4F145021FB4D47BAADF3DC4058B00

Function 000000014002B3CC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000014002B43D
_errno.LIBCMT ref: 000000014002B44B
_errno.LIBCMT ref: 000000014002B48C

Strings

P, xrefs: 000000014002B49B

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: _errno
String ID: P
API String ID: 2918714741-3110715001
Opcode ID: a9d7d30aae668081e4e0fdb72a2f3b77e3297016e5f5885ffa30675a4aa44ebe
Instruction ID: 60b18ea0688ab6bd2005d56775865bd493fa868972a27d87fdd049c00dea9b80
Opcode Fuzzy Hash: a9d7d30aae668081e4e0fdb72a2f3b77e3297016e5f5885ffa30675a4aa44ebe
Instruction Fuzzy Hash: B321D37220578041FB67AB1B95903EDA2A5AB5D7E4F584728BFB407BE7DB38CC518700

Function 000000014005D5A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400169D0: GetFullPathNameW.KERNEL32 ref: 00000001400169F5

lstrcmpiW.KERNEL32 ref: 000000014005D5DA
MoveFileW.KERNEL32 ref: 000000014005D60E
SHFileOperationW.SHELL32 ref: 000000014005D6C3

Strings

\*.*, xrefs: 000000014005D64A

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: File$FullMoveNameOperationPathlstrcmpi
String ID: \*.*
API String ID: 1148786053-1173974218
Opcode ID: ce7e220b90531933c9419ed7ef8d5f21c5639afd484ad1aaaa8c621dffb5f8d4
Instruction ID: f9185174340df95a9cafd5dd2f27f395f6f0bf672f376a3b7eb02d49a3557a8a
Opcode Fuzzy Hash: ce7e220b90531933c9419ed7ef8d5f21c5639afd484ad1aaaa8c621dffb5f8d4
Instruction Fuzzy Hash: FD31097211868596DE71DF26E4903DAB361F799380F841027F3CD47AA9EB39C54ECB04

Function 0000000140020088 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 0000000140020092
_lock.LIBCMT ref: 00000001400200C0
free.LIBCMT ref: 00000001400200F7

Strings

%.15g, xrefs: 000000014002008D

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: _getptd_lockfree
String ID: %.15g
API String ID: 3892346632-3684710030
Opcode ID: e5a4058900a762db17865bc405f8590881451cce4a3d9188b9619ba9f5aea233
Instruction ID: 9b145b8d00767204385eae4f75380ab46b046795b17e33941710be258d716601
Opcode Fuzzy Hash: e5a4058900a762db17865bc405f8590881451cce4a3d9188b9619ba9f5aea233
Instruction Fuzzy Hash: 5A11193221174082FA969B96E5817F972A0F79C7C4F084229FB5D077B6DF38C894D701

Function 00000001400010C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,?,000000014000111E,?,?,?,00000001400010AE), ref: 00000001400010DA
GetProcAddress.KERNEL32(?,?,?,?,000000014000111E,?,?,?,00000001400010AE), ref: 00000001400010F2

Strings

kernel32.dll, xrefs: 00000001400010D3
IsWow64Process, xrefs: 00000001400010E8

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: IsWow64Process$kernel32.dll
API String ID: 2574300362-3024904723
Opcode ID: 1930a99bdd14f4ae9cebd40c27fde28e95aaeacff4212950f6f5f3c8a6f67992
Instruction ID: a43c769206d21fde2fb15bfc7eb4836e21fce8543727497c55acc8b1876d02d0
Opcode Fuzzy Hash: 1930a99bdd14f4ae9cebd40c27fde28e95aaeacff4212950f6f5f3c8a6f67992
Instruction Fuzzy Hash: EAE07575602B41D1EE269F5AF8553D832A0FB8CB98F440226AB9D47764DFBCC69A8700

Function 00000001400405A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00000001400405B7
GetProcAddress.KERNEL32 ref: 00000001400405CF

Strings

kernel32.dll, xrefs: 00000001400405B0
GetSystemWow64DirectoryW, xrefs: 00000001400405C5

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 882457441ba4adc708df364e306e01e2dca67ea336b3fd679c73f194fb890576
Instruction ID: 52e6ba27a9a30508ca72b21118955397447982c72af9458411123896b055b9aa
Opcode Fuzzy Hash: 882457441ba4adc708df364e306e01e2dca67ea336b3fd679c73f194fb890576
Instruction Fuzzy Hash: EEE04670602F0181FF168BAAE4543D822A0EB2CB88F440022EB1A27370EF78C5A9C700

Function 00000001400407E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00000001400407F7
GetProcAddress.KERNEL32 ref: 000000014004080F

Strings

ICMP.DLL, xrefs: 00000001400407F0
IcmpSendEcho, xrefs: 0000000140040805

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: ICMP.DLL$IcmpSendEcho
API String ID: 2574300362-58917771
Opcode ID: bdc4c2c3865cb2b4902a4a68966913b31967f48a2924ec78b2745c3c7122d7f5
Instruction ID: d4afd379505d4127ca0e68cec346dd4359611d3d17164a968e592cfbd32d82f6
Opcode Fuzzy Hash: bdc4c2c3865cb2b4902a4a68966913b31967f48a2924ec78b2745c3c7122d7f5
Instruction Fuzzy Hash: A2E04631602B0492FF1A8BA6E8583D422A0AB1CB98F444124EB8A0B374EF38C59A8340

Function 0000000140040820 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0000000140040837
GetProcAddress.KERNEL32 ref: 000000014004084F

Strings

IcmpCloseHandle, xrefs: 0000000140040845
ICMP.DLL, xrefs: 0000000140040830

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: ICMP.DLL$IcmpCloseHandle
API String ID: 2574300362-3530519716
Opcode ID: 702d291099b897d2aa7184afa4b47caca12c33732b65345b7bce7d06f737d317
Instruction ID: 984df16fa9d3343eab8811d8feebed10ba55697f2581f5e9990703712636ea72
Opcode Fuzzy Hash: 702d291099b897d2aa7184afa4b47caca12c33732b65345b7bce7d06f737d317
Instruction Fuzzy Hash: 7CE0B631602B04A2FF1A9BA6E8583D422E0A71CB94F450529EB9917370EF7CC5998740

Function 00000001400761B0 Relevance: 6.2, APIs: 4, Instructions: 224COMMON

Download Yara Rule

APIs

UnregisterHotKey.USER32 ref: 0000000140076398
std::exception_ptr::_Current_exception.LIBCONCRT ref: 00000001400763B4

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Current_exceptionUnregisterstd::exception_ptr::_
String ID:
API String ID: 413334626-0
Opcode ID: 80e3867cbac19e77ae6696a6b32e62074499e66a665b3710d0d867a0b9683d93
Instruction ID: 63ce756c315f44fedbae8e2024d2970320bb53c503dfdb5c15f9b0bc94853346
Opcode Fuzzy Hash: 80e3867cbac19e77ae6696a6b32e62074499e66a665b3710d0d867a0b9683d93
Instruction Fuzzy Hash: 89A15A36601A8482EB66EF26E4907EE73A4F789BC4F548016EF8E47766DF39C955C300

Function 0000000140027380 Relevance: 6.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00000001400211E8: _FF_MSGBANNER.LIBCMT ref: 000000014002120F

_lock.LIBCMT ref: 00000001400273BE
_lock.LIBCMT ref: 0000000140027417
EnterCriticalSection.KERNEL32 ref: 0000000140027456
LeaveCriticalSection.KERNEL32 ref: 0000000140027466

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: CriticalSection_lock$EnterLeave
String ID:
API String ID: 2641352136-0
Opcode ID: 99e99b871545480cf621e80854f712511f6c18be2ab6ff8bacbf45ec91ae6741
Instruction ID: 3329d72810a0a486e3887c047b8341276d76476b17ed419fbf5b2a99fe43e7bc
Opcode Fuzzy Hash: 99e99b871545480cf621e80854f712511f6c18be2ab6ff8bacbf45ec91ae6741
Instruction Fuzzy Hash: 2E51BF32204B8086EB169F26E4447EAAB95F7987E8F445219FB6E473F0DB78C954C701

Function 000000014007A5D0 Relevance: 6.1, APIs: 4, Instructions: 125windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 000000014007A651
_itow.LIBCMT ref: 000000014007A69A

Part of subcall function 00000001400725D0: SendMessageW.USER32 ref: 000000014007266C

SendMessageW.USER32 ref: 000000014007A738
_itow.LIBCMT ref: 000000014007A7A9

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: MessageSend$_itow
String ID:
API String ID: 200223408-0
Opcode ID: 7405cc30efe2aadcf732334646a6a075f8d61dd5e9e0647a48d200e4b66c98e6
Instruction ID: 7b8e2058eee8b1ce9d99ebf43ff0e1d61be86b153ce5bccdc27d8a2169b4f1a0
Opcode Fuzzy Hash: 7405cc30efe2aadcf732334646a6a075f8d61dd5e9e0647a48d200e4b66c98e6
Instruction Fuzzy Hash: 84515076618B8082EA66DB16E4513DEA364F7CEBD0F544021FF8907BAADE7CC545CB10

Function 00000001400510A0 Relevance: 6.1, APIs: 4, Instructions: 103windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32 ref: 00000001400510E1
GetWindowRect.USER32 ref: 0000000140051172
PtInRect.USER32 ref: 0000000140051182
MessageBeep.USER32 ref: 00000001400511ED

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: da75d14d1ec25b56f4abad874c4a80529f239b61d9cc1788c08e1530c59769a6
Instruction ID: 2d6ed4a72094f01f06163cd6642ebf956fb1b8b1afb0ee5edccaea34816dfe95
Opcode Fuzzy Hash: da75d14d1ec25b56f4abad874c4a80529f239b61d9cc1788c08e1530c59769a6
Instruction Fuzzy Hash: E5419F36205A4582EB12DF2BD8803E977A5F7C8BD9F104121EF8D436B0DB3AC482C704

Function 0000000140056180 Relevance: 6.1, APIs: 4, Instructions: 70windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00000001400561A6
SendMessageW.USER32 ref: 00000001400561D1
SendMessageW.USER32 ref: 0000000140056216
CharUpperBuffW.USER32 ref: 000000014005623C

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow
String ID:
API String ID: 2796087071-0
Opcode ID: a026f616a54129ec98917a97539acc8597392b759933cae0f41e27fbfc5da1c0
Instruction ID: 8bb2dd8833cf904abd145be6c25f684929c0f4592ab4d99e9b1a220e249640fb
Opcode Fuzzy Hash: a026f616a54129ec98917a97539acc8597392b759933cae0f41e27fbfc5da1c0
Instruction Fuzzy Hash: 8A21C232704AC04AEB61DB2BA9043AA2791F38DFE0F484221FF5A677A5DE39D440C304

Function 00000001400432B0 Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32 ref: 00000001400432FC
GetLastError.KERNEL32 ref: 0000000140043307
CreateDirectoryW.KERNEL32 ref: 0000000140043319

Part of subcall function 00000001400432B0: CreateDirectoryW.KERNEL32 ref: 0000000140043370

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 49b606543cb9bfe3c3f076896e9e4485dc564bb742646c3367f243c8761c2680
Instruction ID: 00b282bdd05803176f0b712dc4d6f92fd9b604819c6db98ecf40c4546d0070fe
Opcode Fuzzy Hash: 49b606543cb9bfe3c3f076896e9e4485dc564bb742646c3367f243c8761c2680
Instruction Fuzzy Hash: 2521C13160454091FA72AB26A4403EE62A1BB9CBD0F956121FB8A876F5CF3CCB45C744

Function 0000000140068820 Relevance: 6.1, APIs: 4, Instructions: 63networkCOMMON

Download Yara Rule

APIs

select.WSOCK32 ref: 0000000140068899
__WSAFDIsSet.WSOCK32 ref: 00000001400688AA
accept.WSOCK32 ref: 00000001400688BB
WSAGetLastError.WSOCK32 ref: 00000001400688CF

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: ErrorLastacceptselect
String ID:
API String ID: 385091864-0
Opcode ID: 5e90838cee0273443acfd81d04efca1bced391ef76bfcb3bd0a7954f13ac70fb
Instruction ID: 4aac6911de41f2c02516ffd374a3bb351256c04097330844b9d0bd19e06c9260
Opcode Fuzzy Hash: 5e90838cee0273443acfd81d04efca1bced391ef76bfcb3bd0a7954f13ac70fb
Instruction Fuzzy Hash: C921CF3231068086E7A5DF2AF98579EB790E7887C0F949120BF8987B99DF38C1518B40

Function 0000000140054350 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000000014005438F

Part of subcall function 000000014001B4E8: _errno.LIBCMT ref: 000000014001B513

MessageBoxW.USER32 ref: 00000001400543D2
WaitForSingleObject.KERNEL32 ref: 00000001400543EC
CloseHandle.KERNEL32 ref: 00000001400543F5

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait_errno
String ID:
API String ID: 3330887357-0
Opcode ID: 1853c2b4d5dc6eb379982b61ff54dfab4c3ba3c683ea7c7dbfff3d6938cc13d1
Instruction ID: 1b1490656ab13622a56423e252063c5629246046879242a4f092b2132a64b46f
Opcode Fuzzy Hash: 1853c2b4d5dc6eb379982b61ff54dfab4c3ba3c683ea7c7dbfff3d6938cc13d1
Instruction Fuzzy Hash: D7218C32608B809AE712CF67B84038AB6A0F789BD4F444225BF9943BB5CF3CC544C700

Function 0000000140051720 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 0000000140051768
RegCloseKey.ADVAPI32 ref: 000000014005178D
RegDeleteKeyW.ADVAPI32 ref: 000000014005179F
RegEnumKeyExW.ADVAPI32 ref: 00000001400517E5

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: CloseDeleteEnumOpen
String ID:
API String ID: 4142876296-0
Opcode ID: 00f4cf7511f3782dc80ee645fcfa0c06a590a782d5953bf3fd39d590df808c85
Instruction ID: 820d68888e04e3434db7844f88bfac3771f4d499ca9806d99a059e70633116a3
Opcode Fuzzy Hash: 00f4cf7511f3782dc80ee645fcfa0c06a590a782d5953bf3fd39d590df808c85
Instruction Fuzzy Hash: E5216A32A08AC996EB71CB16F4887EA63B0F7C97C8F505115EB9907A68DF3DC449DB00

Function 000000014001F6A4 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

FlsFree.KERNEL32(?,?,?,?,000000014001FA19,?,?,00000000,000000014001F556), ref: 000000014001F6B3
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000014001FA19), ref: 0000000140021182
free.LIBCMT ref: 000000014002118B
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000014001FA19), ref: 00000001400211AB

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: CriticalDeleteSection$Freefree
String ID:
API String ID: 1250194111-0
Opcode ID: 5e65d756a972c1c3cf02f94cdc710080212075ceac2f0265cf987920dad9c86a
Instruction ID: 1610b5c0c453f9854d96308b1fea6b3a18cd53beb6f951f4d2116ffa520e594a
Opcode Fuzzy Hash: 5e65d756a972c1c3cf02f94cdc710080212075ceac2f0265cf987920dad9c86a
Instruction Fuzzy Hash: 9C117C31605A4086FB1A9F97E9543E87360F79DBD4F584219FB6507BB6CB38C8A2CB01

Function 0000000140040460 Relevance: 6.0, APIs: 4, Instructions: 40COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 0000000140040482
ScreenToClient.USER32 ref: 00000001400404A2
ScreenToClient.USER32 ref: 00000001400404D2
InvalidateRect.USER32 ref: 00000001400404F5

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 8afdc3e5baf2e4d2179bbcd18de14bc388d36b719c5b2bae0df55aa9d10ff990
Instruction ID: a2b0ae2c8876a6b38db260dc4fd5e3651fb8b6bc34d74a20727bddb4d6e8fffe
Opcode Fuzzy Hash: 8afdc3e5baf2e4d2179bbcd18de14bc388d36b719c5b2bae0df55aa9d10ff990
Instruction Fuzzy Hash: 44117AB76186458ADB21CF2AE44464ABBB1F38DBD8F148116FF9947B28DA3DC954CF00

Function 000000014001C1A4 Relevance: 6.0, APIs: 4, Instructions: 38threadCOMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 000000014001C1B9
FlsSetValue.KERNEL32 ref: 000000014001C1D0
GetLastError.KERNEL32 ref: 000000014001C1D9
ExitThread.KERNEL32 ref: 000000014001C1E1

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Value$ErrorExitLastThread
String ID:
API String ID: 2675828980-0
Opcode ID: 072e62e0cc7db1bd2869643e48ac97ca367f1b9d34d629735be77b72d3ae8b1b
Instruction ID: d8779f9143c0da5954bf17ffc4bb4503a05f8e99e0d5eb4c2cf5419304d1c710
Opcode Fuzzy Hash: 072e62e0cc7db1bd2869643e48ac97ca367f1b9d34d629735be77b72d3ae8b1b
Instruction Fuzzy Hash: FE012434211B4185FE17ABB7A8097E82294EB9DBC4F040434BB4C8F3B3EE3AC8448310

Function 0000000140058450 Relevance: 6.0, APIs: 4, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140058260: DeleteObject.GDI32 ref: 00000001400582BD
Part of subcall function 0000000140058260: ExtCreatePen.GDI32 ref: 0000000140058307
Part of subcall function 0000000140058260: SelectObject.GDI32 ref: 000000014005831A
Part of subcall function 0000000140058260: BeginPath.GDI32 ref: 0000000140058333
Part of subcall function 0000000140058260: SelectObject.GDI32 ref: 0000000140058361

MoveToEx.GDI32 ref: 000000014005849C
LineTo.GDI32 ref: 00000001400584AE
EndPath.GDI32 ref: 00000001400584C0
StrokePath.GDI32 ref: 00000001400584D0

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
String ID:
API String ID: 2783949968-0
Opcode ID: c4cc0982b4a95651a193822a6a98e4c6bd6a5ef815766d39b453c0ed45f31134
Instruction ID: b0dc5b37359479101a0418e8e5713fe74c4d279849e5ce281c58f900abd88c18
Opcode Fuzzy Hash: c4cc0982b4a95651a193822a6a98e4c6bd6a5ef815766d39b453c0ed45f31134
Instruction Fuzzy Hash: 3F019A3931479182F7568B1BF81979AABA0B78ABD4F580514EF5103BB5CB79C880CB40

Function 000000014002722C Relevance: 6.0, APIs: 4, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000140027235
_errno.LIBCMT ref: 000000014002723D

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: c267702eec9b3eee53a61e191f12b171e1ac2a91c44a94ac823755d2d137ecc2
Instruction ID: 94bc2615e07330a9e72ea67cae4b6bc7ba730eca6e6fd3e02367c5d499af0127
Opcode Fuzzy Hash: c267702eec9b3eee53a61e191f12b171e1ac2a91c44a94ac823755d2d137ecc2
Instruction Fuzzy Hash: 2A01F2B221874485FF1BAB66C8557EC626197AA7E5F60830CFB2D07BF3CB3848088610

Function 00000001400873D2 Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

GetDeviceCaps.GDI32 ref: 00000001400873AA
ReleaseDC.USER32 ref: 00000001400873C7
GetDesktopWindow.USER32 ref: 00000001400873D2
GetDC.USER32 ref: 00000001400873DE

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 3f34394226932560d14599769183fbc6f11346e0135bbd86e823fb02c55fc01b
Instruction ID: 3626e69365fcbd22b38cf485dce33f875ca616bd00d96252de4bd7ef0e36c622
Opcode Fuzzy Hash: 3f34394226932560d14599769183fbc6f11346e0135bbd86e823fb02c55fc01b
Instruction Fuzzy Hash: E4F01D7270568485EA06DB6BA9093D96294B74CBE5F448021EF4A57775EF3DC586C200

Function 000000014008738D Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 000000014008738D
GetDC.USER32 ref: 0000000140087399
GetDeviceCaps.GDI32 ref: 00000001400873AA
ReleaseDC.USER32 ref: 00000001400873C7

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 663669a65a76b113adc37a015a78afabd3b768727dab4dae13358617f20d812d
Instruction ID: 6b7626350cfd95ae1990dda629e8c06425b4c191b7bfa77dcd1ecaea011b0167
Opcode Fuzzy Hash: 663669a65a76b113adc37a015a78afabd3b768727dab4dae13358617f20d812d
Instruction Fuzzy Hash: 2CF03A7230168486EB06DF2BA8093D96294B74CFE5F448021EF4A57775EF3DC586C300

Function 0000000140047170 Relevance: 6.0, APIs: 4, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 000000014004717F
UnloadUserProfile.USERENV ref: 000000014004718D
CloseHandle.KERNEL32 ref: 0000000140047197
CloseHandle.KERNEL32 ref: 00000001400471A0

Part of subcall function 00000001400470B0: GetProcessHeap.KERNEL32 ref: 00000001400470BD
Part of subcall function 00000001400470B0: HeapFree.KERNEL32 ref: 00000001400470CB

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: c8b1013e588252686478a81e741aa9e3fb1fd1fced28a3c40e2bd3c97a041c81
Instruction ID: ab2e82a3d6cc36cc72a50de687fcfc05a2c6faa9d17d6773562e72e4e34849d9
Opcode Fuzzy Hash: c8b1013e588252686478a81e741aa9e3fb1fd1fced28a3c40e2bd3c97a041c81
Instruction Fuzzy Hash: AEE07536210A0082FB06AB7BE8953A93360AB8CFA5F045521AF2A473B4CE38C4958311

Function 000000014008F120 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 212comCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140018908: malloc.LIBCMT ref: 0000000140018922

OleSetContainedObject.OLE32 ref: 000000014008F378

Strings

AutoIt3GUI, xrefs: 000000014008F2AC
Container, xrefs: 000000014008F2B6

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: ContainedObjectmalloc
String ID: AutoIt3GUI$Container
API String ID: 330771721-3941886329
Opcode ID: 646bb728b9beaf85c5b7c2fa69e88744852ef6229705d87b86c0250e38601ae5
Instruction ID: 36ac4b5e3e13125600d94040ef129a52aa7fbd1c3105ea127b5c650463c7dd44
Opcode Fuzzy Hash: 646bb728b9beaf85c5b7c2fa69e88744852ef6229705d87b86c0250e38601ae5
Instruction Fuzzy Hash: 53A11477200B8982EB65CF2AD4503AE33A4F798B98F548126EF4E877A5DF39C945C340

Function 0000000140067130 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 142COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32 ref: 0000000140067284
CloseHandle.KERNEL32 ref: 0000000140067319

Strings

@, xrefs: 0000000140067256

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: CloseExecuteHandleShell
String ID: @
API String ID: 283469938-2766056989
Opcode ID: ae6a564b597233e9ed2ee6c7df8b12fb1516471262dddbcbe24606b62a8967ab
Instruction ID: fbccb8cd7eba08c9fd1fede3552cebc2aff3460dfb5a1908f72b2ff7badbb7b6
Opcode Fuzzy Hash: ae6a564b597233e9ed2ee6c7df8b12fb1516471262dddbcbe24606b62a8967ab
Instruction Fuzzy Hash: 7451183260468081EA21EF27E8957DAB7A6F7C9BC4F648812FF4D4B766DE39C841C740

Function 000000014005F750 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014003F9B0: CreateWindowExW.USER32 ref: 000000014003FA3F
Part of subcall function 000000014003F9B0: GetStockObject.GDI32 ref: 000000014003FA5C
Part of subcall function 000000014003F9B0: SendMessageW.USER32 ref: 000000014003FA6F
Part of subcall function 000000014003F9B0: ShowWindow.USER32 ref: 000000014003FA8C

SendMessageW.USER32 ref: 000000014005F848
SendMessageW.USER32 ref: 000000014005F85C

Strings

Combobox, xrefs: 000000014005F80F

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: MessageSend$Window$CreateObjectShowStock
String ID: Combobox
API String ID: 269107984-2096851135
Opcode ID: 1e17126c7b056a4df32dcf91d39a9facdace4e0f54512b4f2cc5ecd330734fde
Instruction ID: e300980219f8985ddc7967a6870a05f4c7b54afa03a190dad948785b233a897a
Opcode Fuzzy Hash: 1e17126c7b056a4df32dcf91d39a9facdace4e0f54512b4f2cc5ecd330734fde
Instruction Fuzzy Hash: AC3141767147808AE760DF26E440B9AB7A5F79D7D0F604215EB9943BA4DB39D840CF40

Function 0000000140030688 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000014003069E
_errno.LIBCMT ref: 00000001400306E0

Strings

1, xrefs: 0000000140030730

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: _errno
String ID: 1
API String ID: 2918714741-2212294583
Opcode ID: 71ffad8b2ac5ceac5c8ff4a3b0de500716937bc27bcfc6d0f17f3e1c7302b392
Instruction ID: 4a1c470e52ffa2e87615b9e173a251e4ea712432c5b203add07fe4f5770151f5
Opcode Fuzzy Hash: 71ffad8b2ac5ceac5c8ff4a3b0de500716937bc27bcfc6d0f17f3e1c7302b392
Instruction Fuzzy Hash: 9121F57262E2C086FB6B8B2AC4353DE6B90974D7C4F988011F745076E7DB3D9900CB11

Function 0000000140052100 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET ref: 0000000140052168
InternetSetOptionW.WININET ref: 000000014005219E

Strings

<local>, xrefs: 000000014005214C

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 629215c5edb7e231a08a8a6a77fe871c9ac27d5dbe68b59b06140a914ad16519
Instruction ID: 6901838b60fbe06e9b9a94f5fd0623215cd89e7f5baaa7a46a90c203c6f5bbaf
Opcode Fuzzy Hash: 629215c5edb7e231a08a8a6a77fe871c9ac27d5dbe68b59b06140a914ad16519
Instruction Fuzzy Hash: FA11E932501AC482FB66CB12D0047FE3361FB6BB49F544026EB490BAA4DB37C486CB44

Function 00000001400403B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32 ref: 0000000140040435
CloseHandle.KERNEL32 ref: 0000000140040446

Strings

, xrefs: 0000000140040412

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-3916222277
Opcode ID: ec3a26160aa634ce45ebbb57167085e5d0d0a6fbbfa2d4b775cb2884f8b4b2e0
Instruction ID: 28010274b44fa1e956ac3f03a607f5917cae9998e248d469665ba7fad74a6966
Opcode Fuzzy Hash: ec3a26160aa634ce45ebbb57167085e5d0d0a6fbbfa2d4b775cb2884f8b4b2e0
Instruction Fuzzy Hash: 96115E32608B408AE7569F17F944B9AB7A2F789BC4F485215FB4D47A79CF39C095CB00

Function 0000000140051680 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32 ref: 0000000140051692
PostMessageW.USER32 ref: 00000001400516A9

Part of subcall function 0000000140042E20: QueryPerformanceCounter.KERNEL32 ref: 0000000140042E39
Part of subcall function 0000000140042E20: QueryPerformanceFrequency.KERNEL32 ref: 0000000140042E48
Part of subcall function 0000000140042E20: Sleep.KERNEL32 ref: 0000000140042E50
Part of subcall function 0000000140042E20: QueryPerformanceCounter.KERNEL32 ref: 0000000140042E5B

Strings

Shell_TrayWnd, xrefs: 0000000140051689

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: PerformanceQuery$Counter$FindFrequencyMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 352592371-2988720461
Opcode ID: 2d7f8c8a5a4ee63675cab8ad9d6e6203ea583a0929ccb3bbb7e2c28fc1bd1015
Instruction ID: ad6f979a34d6f8f08fb65ffdcd4644e147a205ae069dd6bf77924abcf4d7f63a
Opcode Fuzzy Hash: 2d7f8c8a5a4ee63675cab8ad9d6e6203ea583a0929ccb3bbb7e2c28fc1bd1015
Instruction Fuzzy Hash: 88E0177071144482FB1AABB3FC96BE622919BACBD1F9450319B064BAA0DE3C85868B10

Function 00000001400516D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32 ref: 00000001400516E2
PostMessageW.USER32 ref: 00000001400516F9

Part of subcall function 0000000140042E20: QueryPerformanceCounter.KERNEL32 ref: 0000000140042E39
Part of subcall function 0000000140042E20: QueryPerformanceFrequency.KERNEL32 ref: 0000000140042E48
Part of subcall function 0000000140042E20: Sleep.KERNEL32 ref: 0000000140042E50
Part of subcall function 0000000140042E20: QueryPerformanceCounter.KERNEL32 ref: 0000000140042E5B

Strings

Shell_TrayWnd, xrefs: 00000001400516D9

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: PerformanceQuery$Counter$FindFrequencyMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 352592371-2988720461
Opcode ID: bced536a8068e5fbb1e412a72b2027b03e46ff5afd9815ffd353c41eddc1a4f5
Instruction ID: d9bb80b7de06c2d08d7952e2b92eba21473f08368b5a070f78bd79df4ba2a7af
Opcode Fuzzy Hash: bced536a8068e5fbb1e412a72b2027b03e46ff5afd9815ffd353c41eddc1a4f5
Instruction Fuzzy Hash: 9BE0177471044482FB1AABB3FC66BE626919BECBD1F4450329B064BAE0DE3C85868B10

Function 00000001400415C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32 ref: 00000001400415D6
GetTempFileNameW.KERNEL32 ref: 00000001400415EE

Strings

aut, xrefs: 00000001400415DC

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 1c51d7a683b747dd1de1e442f6f3fc1f7cda9d0c3212992f1dab1e6d4cddffe2
Instruction ID: bb7548fba60a7623e425cbc5e3fde3ed3ba2ea57dd26511989cafeaa21685963
Opcode Fuzzy Hash: 1c51d7a683b747dd1de1e442f6f3fc1f7cda9d0c3212992f1dab1e6d4cddffe2
Instruction Fuzzy Hash: 96D05EF162090983EB224B6AE494BD56321F79D78CF844011AB89076649A3CC39ECF10

Function 00000001400477C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00000001400477DA

Strings

Error allocating memory., xrefs: 00000001400477CB
AutoIt, xrefs: 00000001400477C4

Memory Dump Source

Source File: 00000000.00000002.12972656094.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.12972644685.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972692353.0000000140099000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972706897.00000001400AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972717783.00000001400B1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972728205.00000001400C7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.12972761682.00000001400C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_BEncode Editor.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 883f6d4cccd8ff2deb33c8f5cda20d62b1a23c0eb2386e4a1f6750bc8d57a982
Instruction ID: fa14ca8aafecd7ed355ccf4047c4a21a61a1812d37eb39852dc70680f56d6540
Opcode Fuzzy Hash: 883f6d4cccd8ff2deb33c8f5cda20d62b1a23c0eb2386e4a1f6750bc8d57a982
Instruction Fuzzy Hash: 2AD012B020260881F71A6B22E842BC42720A70C3C8F800807AA0A072B1CEBAC28AC380

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report BEncode Editor.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: BEncode Editor.exePID: 7420, Parent PID: 724

General

Chronological Activities

Disassembly

Analysis Process: BEncode Editor.exePID: 7420, Parent PID: 724COMMON

Windows Analysis Report
BEncode Editor.exe

Function 00000001400448A0 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 122
threadkeyboardwindowCOMMON

Function 0000000140086450 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 270
windowtimeCOMMON

Function 0000000140012DD0 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 142
windowCOMMON

Function 000000014002664C Relevance: 15.1, APIs: 10, Instructions: 106
COMMONLIBRARYCODE

Function 00000001400083E0 Relevance: 608.4, APIs: 2, Strings: 399, Instructions: 6936
COMMON

Function 0000000140063890 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 187
windowlibraryCOMMON

Function 00000001400643E0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 190
windowCOMMON

Function 000000014003F7C0 Relevance: 21.1, APIs: 14, Instructions: 118
filecommemoryCOMMON

Function 00000001400174D0 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 56
windowregistryCOMMON

Function 0000000140064F70 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 160
windowCOMMON

Function 000000014005F110 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 109
windowCOMMON

Function 0000000140017370 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 72
windowregistryCOMMON

Function 0000000140061300 Relevance: 16.6, APIs: 11, Instructions: 140
COMMON

Function 0000000140007800 Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 213
COMMON

Function 00000001400133A0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 150
windowtimeregistryCOMMON