Edit tour

Windows Analysis Report
SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe
Analysis ID:	1520349
MD5:	c3c547a2f7ba40a8ccc74c64f56f74bf
SHA1:	3499ffe761db6d8a1f3d506e3cc3497e18f0a5ff
SHA256:	be1650866941ac704ce9dd90f87276c3b9f008f25040e8ac78f3cc2c62233124
Tags:	exe
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Machine Learning detection for dropped file

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Potential key logger detected (key state polling based)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe (PID: 6388 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe" MD5: C3C547A2F7BA40A8CCC74C64F56F74BF)

csrss2.exe (PID: 1544 cmdline: C:\Users\user\AppData\Local\Temp\csrss2.exe MD5: A38A05E4A9DBFC6E7B6608B7F48D909C)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\4549359\....\TemporaryFile (copy)	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	ReversingLabs: Detection: 50%

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe

ReversingLabs: Detection: 65%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\csrss2.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_0046E165 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,	0_2_0046E165
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_0040EA40 FindNextFileA,FindClose,FindFirstFileA,FindClose,	0_2_0040EA40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_00416E10 FindFirstFileA,FindClose,	0_2_00416E10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_00405B20 FindFirstFileA,SendMessageA,SendMessageA,FindNextFileA,FindClose,SendMessageA,	0_2_00405B20
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_00427270 FindFirstFileA,FindNextFileA,FindClose,	2_2_00427270
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_00425BC0 FindFirstFileA,FindClose,	2_2_00425BC0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_00494017 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,	2_2_00494017
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_0041ECD0 FindNextFileA,FindClose,FindFirstFileA,FindClose,	2_2_0041ECD0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_00415DC0 FindFirstFileA,SendMessageA,SendMessageA,FindNextFileA,FindClose,SendMessageA,	2_2_00415DC0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 4x nop then mov eax, dword ptr fs:[00000000h]		0_2_00422152
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 4x nop then push FFFFFFFFh		2_2_00416422

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe

Code function: 0_2_00422070 ioctlsocket,recvfrom,

0_2_00422070

Source: csrss2.exe.0.dr	String found in binary or memory: http://38.147.172.248:8080/apii.php
Source: Amcache.hve.0.dr	String found in binary or memory: http://upx.sf.net
Source: SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	String found in binary or memory: http://www.eyuyan.com)DVarFileInfo$

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe

Code function: 0_2_0042B120 GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,GlobalFree,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0042B120

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_0042B120 GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,GlobalFree,EmptyClipboard,SetClipboardData,CloseClipboard,		0_2_0042B120
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_0043A3A0 GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,GlobalFree,EmptyClipboard,SetClipboardData,CloseClipboard,		2_2_0043A3A0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe

Code function: 0_2_0042B280 OpenClipboard,GetClipboardData,CloseClipboard,GlobalSize,GlobalLock,GlobalUnlock,CloseClipboard,

0_2_0042B280

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_0047283F GetKeyState,GetKeyState,GetKeyState,GetKeyState,	0_2_0047283F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_00470D18 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,	0_2_00470D18
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_00416FC0 GetKeyState,GetKeyState,GetKeyState,GetKeyState,	0_2_00416FC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_004152A0 IsWindowEnabled,TranslateAcceleratorA,IsChild,GetFocus,PostMessageA,PostMessageA,SendMessageA,IsChild,IsWindow,IsWindowVisible,SendMessageA,SendMessageA,SendMessageA,SendMessageA,GetParent,SendMessageA,WinHelpA,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,IsWindow,	0_2_004152A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_00429980 GetKeyState,GetKeyState,GetKeyState,CopyRect,	0_2_00429980
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_004986A6 GetKeyState,GetKeyState,GetKeyState,GetKeyState,	2_2_004986A6
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_004248D0 IsWindowEnabled,TranslateAcceleratorA,IsChild,GetFocus,PostMessageA,PostMessageA,SendMessageA,IsChild,IsWindow,IsWindowVisible,SendMessageA,SendMessageA,SendMessageA,SendMessageA,GetParent,SendMessageA,WinHelpA,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,IsWindow,	2_2_004248D0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_00496BB0 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,	2_2_00496BB0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_00438C00 GetKeyState,GetKeyState,GetKeyState,CopyRect,	2_2_00438C00
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_00425D70 GetKeyState,GetKeyState,GetKeyState,GetKeyState,	2_2_00425D70

Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_004024A0 NtQueryInformationProcess,CloseHandle,		2_2_004024A0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_0040102A NtQuerySystemInformation,		2_2_0040102A

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_004580E0	0_2_004580E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_004461B0	0_2_004461B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_0043C240	0_2_0043C240
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_0046A249	0_2_0046A249
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_0044A20E	0_2_0044A20E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_0045023E	0_2_0045023E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_004202E0	0_2_004202E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_004422A0	0_2_004422A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_0045A350	0_2_0045A350
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_00466326	0_2_00466326
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_0045048E	0_2_0045048E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_00410540	0_2_00410540
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_004425B0	0_2_004425B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_0044A640	0_2_0044A640
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_004488E0	0_2_004488E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_00456950	0_2_00456950
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_004429E0	0_2_004429E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_0044AB10	0_2_0044AB10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_00446C70	0_2_00446C70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_0040CCE0	0_2_0040CCE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_0044AD40	0_2_0044AD40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_00438D20	0_2_00438D20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_00450F90	0_2_00450F90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_0040F050	0_2_0040F050
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_00439050	0_2_00439050
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_00449120	0_2_00449120
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_004391E0	0_2_004391E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_00419310	0_2_00419310
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_00447460	0_2_00447460
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_0045F420	0_2_0045F420
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_00451430	0_2_00451430
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_0043B493	0_2_0043B493
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_0043D650	0_2_0043D650
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_00449639	0_2_00449639
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_00417680	0_2_00417680
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_0044B780	0_2_0044B780
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_004357A0	0_2_004357A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_00433840	0_2_00433840
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_00449AF6	0_2_00449AF6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_00445C70	0_2_00445C70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_00459DD0	0_2_00459DD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_00449DE1	0_2_00449DE1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_00425D80	0_2_00425D80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_00455EB0	0_2_00455EB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_0045BF20	0_2_0045BF20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_00449F94	0_2_00449F94
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_0046FFB9	0_2_0046FFB9
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_004600D0	2_2_004600D0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_00448150	2_2_00448150
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_0047E1D0	2_2_0047E1D0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_00458240	2_2_00458240
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_004482E0	2_2_004482E0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_00428390	2_2_00428390
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_00426430	2_2_00426430
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_00460570	2_2_00460570
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_00456580	2_2_00456580
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_0044A593	2_2_0044A593
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_0044C750	2_2_0044C750
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_00458759	2_2_00458759
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_004207D0	2_2_004207D0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_004847B0	2_2_004847B0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_00472890	2_2_00472890
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_0047E890	2_2_0047E890
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_0045A8A0	2_2_0045A8A0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_00444950	2_2_00444950
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_00442A20	2_2_00442A20
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_00472AC0	2_2_00472AC0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_00458C16	2_2_00458C16
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_00454D90	2_2_00454D90
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_0045EEF0	2_2_0045EEF0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_00468EF0	2_2_00468EF0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_0046EEF0	2_2_0046EEF0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_0041CF70	2_2_0041CF70
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_00458F01	2_2_00458F01
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_00464FF0	2_2_00464FF0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_0046B040	2_2_0046B040
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_00435000	2_2_00435000
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_004590B4	2_2_004590B4
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_00467200	2_2_00467200
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_004552D0	2_2_004552D0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_0041F2E0	2_2_0041F2E0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_0044B340	2_2_0044B340
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_0045F36E	2_2_0045F36E
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_0046F310	2_2_0046F310
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_0045932E	2_2_0045932E
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_004513C0	2_2_004513C0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_00469470	2_2_00469470
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_00411480	2_2_00411480
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_0042F570	2_2_0042F570
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_0045F5BE	2_2_0045F5BE
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_004516D0	2_2_004516D0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_00459760	2_2_00459760
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_00457A00	2_2_00457A00
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_00465A90	2_2_00465A90
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_0048BAB6	2_2_0048BAB6
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_0048FB7C	2_2_0048FB7C
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_00451B00	2_2_00451B00
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_00459C30	2_2_00459C30
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_0047DCC0	2_2_0047DCC0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_00455D90	2_2_00455D90
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_00495E51	2_2_00495E51
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_00459E60	2_2_00459E60
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_00447E20	2_2_00447E20

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\4549359\....\TemporaryFile (copy) 113528ADBBF5F74519D59A556E232E43F87E067EBE229CE0698BB9CD2A3656B0
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\csrss2.exe 113528ADBBF5F74519D59A556E232E43F87E067EBE229CE0698BB9CD2A3656B0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: String function: 004418D0 appears 81 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: String function: 00441A60 appears 39 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: String function: 004600A8 appears 92 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: String function: 00441CE0 appears 77 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: String function: 0046F079 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: String function: 00485D88 appears 91 times
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: String function: 004509F0 appears 73 times
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: String function: 00494F11 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: String function: 00450B80 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: String function: 00450E00 appears 77 times

Source: SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal68.winEXE@7/3@0/0

Source: C:\Users\user\AppData\Local\Temp\csrss2.exe

Code function: 2_2_0040297D LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,

2_2_0040297D

Source: C:\Users\user\AppData\Local\Temp\csrss2.exe

Code function: 2_2_00403953 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

2_2_00403953

Source: C:\Users\user\AppData\Local\Temp\csrss2.exe

Code function: 2_2_00410BB0 LoadTypeLib,GetUserDefaultLCID,LHashValOfNameSys,RegisterTypeLib,CoCreateInstance,CoCreateInstance,CoCreateInstance,OleRun,CoCreateInstance,

2_2_00410BB0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe

Code function: 0_2_0046E7ED __EH_prolog,FindResourceA,LoadResource,LockResource,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow,

0_2_0046E7ED

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe

File created: C:\Users\user\AppData\Local\Temp\csrss1.exe

Jump to behavior

Source: SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe

ReversingLabs: Detection: 65%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Process created: C:\Users\user\AppData\Local\Temp\csrss2.exe C:\Users\user\AppData\Local\Temp\csrss2.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Process created: C:\Users\user\AppData\Local\Temp\csrss2.exe C:\Users\user\AppData\Local\Temp\csrss2.exe	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe

Static file information: File size 1613824 > 1048576

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe

Code function: 0_2_0040E2D0 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,

0_2_0040E2D0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_004600A8 push eax; ret	0_2_004600C6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_0045E8F0 push eax; ret	0_2_0045E91E
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_0041CA28 push ss; retn 0041h	2_2_0041CA29
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_00483C70 push eax; ret	2_2_00483C9E
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_00485D88 push eax; ret	2_2_00485DA6

Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	File created: C:\Users\user\AppData\Local\Temp\4549359\....\TemporaryFile (copy)			Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	File created: C:\Users\user\AppData\Local\Temp\csrss2.exe			Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_00412080 DestroyCursor,IsWindowVisible,IsIconic,IsZoomed,GetWindowRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMenu,DeleteMenu,GetSystemMenu,	0_2_00412080
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_00416490 IsIconic,IsZoomed,LoadLibraryA,GetProcAddress,GetProcAddress,FreeLibrary,SystemParametersInfoA,IsWindow,ShowWindow,	0_2_00416490
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_00412750 IsIconic,IsZoomed,	0_2_00412750
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_0040CCE0 IsWindow,IsIconic,SetActiveWindow,IsWindow,IsWindow,DestroyAcceleratorTable,DestroyMenu,DestroyAcceleratorTable,DestroyMenu,DestroyAcceleratorTable,DestroyMenu,SetParent,SetWindowPos,IsWindow,SendMessageA,SendMessageA,DestroyAcceleratorTable,IsWindow,IsWindow,IsWindow,IsWindow,IsWindow,GetParent,GetFocus,IsWindow,SendMessageA,IsWindow,GetFocus,SetFocus,	0_2_0040CCE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_0045CF60 IsIconic,GetWindowPlacement,GetWindowRect,	0_2_0045CF60
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_004822DF IsIconic,GetWindowPlacement,GetWindowRect,	2_2_004822DF
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_0041CF70 IsWindow,IsIconic,SetActiveWindow,IsWindow,IsWindow,DestroyAcceleratorTable,DestroyMenu,DestroyAcceleratorTable,DestroyMenu,DestroyAcceleratorTable,DestroyMenu,SetParent,SetWindowPos,IsWindow,SendMessageA,SendMessageA,DestroyAcceleratorTable,IsWindow,IsWindow,IsWindow,IsWindow,IsWindow,GetParent,GetFocus,IsWindow,SendMessageA,IsWindow,GetFocus,SetFocus,	2_2_0041CF70
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_00425AC0 IsIconic,IsZoomed,LoadLibraryA,GetProcAddress,GetProcAddress,FreeLibrary,SystemParametersInfoA,IsWindow,ShowWindow,	2_2_00425AC0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	API coverage: 2.9 %
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	API coverage: 2.8 %

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_0046E165 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,	0_2_0046E165
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_0040EA40 FindNextFileA,FindClose,FindFirstFileA,FindClose,	0_2_0040EA40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_00416E10 FindFirstFileA,FindClose,	0_2_00416E10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_00405B20 FindFirstFileA,SendMessageA,SendMessageA,FindNextFileA,FindClose,SendMessageA,	0_2_00405B20
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_00427270 FindFirstFileA,FindNextFileA,FindClose,	2_2_00427270
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_00425BC0 FindFirstFileA,FindClose,	2_2_00425BC0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_00494017 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,	2_2_00494017
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_0041ECD0 FindNextFileA,FindClose,FindFirstFileA,FindClose,	2_2_0041ECD0
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_00415DC0 FindFirstFileA,SendMessageA,SendMessageA,FindNextFileA,FindClose,SendMessageA,	2_2_00415DC0

Source: Amcache.hve.0.dr	Binary or memory string: VMware
Source: Amcache.hve.0.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.0.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.0.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.0.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.0.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.0.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.0.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.0.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.0.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.0.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.0.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.0.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.0.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.0.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.0.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.0.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.0.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.0.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.0.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.0.dr	Binary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19
Source: Amcache.hve.0.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.0.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.0.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.0.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.0.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.0.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.0.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.0.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Local\Temp\csrss2.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe

Code function: 0_2_0040E2D0 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,

0_2_0040E2D0

Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_0040102A mov edx, dword ptr fs:[00000030h]	2_2_0040102A
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_004012E5 mov eax, dword ptr fs:[00000030h]	2_2_004012E5
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_004013C9 mov ebx, dword ptr fs:[00000030h]	2_2_004013C9

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe

Code function: 0_2_004346B0 GetProcessHeap,OleInitialize,GetModuleFileNameA,SetCurrentDirectoryA,LoadCursorA,GetStockObject,GetCurrentThreadId,

0_2_004346B0

Source: C:\Users\user\AppData\Local\Temp\csrss2.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_0046902D SetUnhandledExceptionFilter,	0_2_0046902D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	Code function: 0_2_0046903F SetUnhandledExceptionFilter,	0_2_0046903F
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_0048EA4D SetUnhandledExceptionFilter,	2_2_0048EA4D
Source: C:\Users\user\AppData\Local\Temp\csrss2.exe	Code function: 2_2_0048EA5F SetUnhandledExceptionFilter,	2_2_0048EA5F

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe

Code function: 0_2_0046060A GetLocalTime,GetSystemTime,GetTimeZoneInformation,

0_2_0046060A

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe

Code function: 0_2_0046060A GetLocalTime,GetSystemTime,GetTimeZoneInformation,

0_2_0046060A

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe

Code function: 0_2_00477D1A GetVersion,GetProcessVersion,LoadCursorA,LoadCursorA,LoadCursorA,

0_2_00477D1A

Source: Amcache.hve.0.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.0.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.0.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.0.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.0.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Access Token Manipulation	1 Input Capture	2 System Time Discovery	Remote Services	1 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Process Injection	1 Process Injection	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	3 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	3 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	66%	ReversingLabs	Win32.Trojan.Midie
SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\csrss2.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\4549359\....\TemporaryFile (copy)	50%	ReversingLabs	Win32.Infostealer.Babar
C:\Users\user\AppData\Local\Temp\csrss2.exe	50%	ReversingLabs	Win32.Infostealer.Babar

Source	Detection	Scanner	Label
http://upx.sf.net	0%	URL Reputation	safe
http://www.eyuyan.com)DVarFileInfo$	0%	Avira URL Cloud	safe
http://38.147.172.248:8080/apii.php	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.eyuyan.com)DVarFileInfo$	SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.0.dr	false	URL Reputation: safe	unknown
http://38.147.172.248:8080/apii.php	csrss2.exe.0.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1520349
Start date and time:	2024-09-27 08:33:12 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe
Detection:	MAL
Classification:	mal68.winEXE@7/3@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 48 Number of non-executed functions: 268
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
VT rate limit hit for: SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\csrss2.exe	2.exe	Get hash	malicious	Bdaejec	Browse
C:\Users\user\AppData\Local\Temp\csrss2.exe	xpKZwKFN9W.exe	Get hash	malicious	Bdaejec	Browse
C:\Users\user\AppData\Local\Temp\4549359\....\TemporaryFile (copy)	2.exe	Get hash	malicious	Bdaejec	Browse
	xpKZwKFN9W.exe	Get hash	malicious	Bdaejec	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\4549359\....\TemporaryFile (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\csrss2.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	913408
Entropy (8bit):	6.342927646017908
Encrypted:	false
SSDEEP:	12288:v5mcnXTgXcH3y4gE94PDheqjwLpL/duo6F+tdjBgj3V6XEHNYEu0l8+zXw:v55ksXy4gE47he4wtL/xExlzX
MD5:	A38A05E4A9DBFC6E7B6608B7F48D909C
SHA1:	72013C52A8D0572C803F7F7240D84C4819E307C7
SHA-256:	113528ADBBF5F74519D59A556E232E43F87E067EBE229CE0698BB9CD2A3656B0
SHA-512:	FF43AD96878BC040001B685F8E71B2B50C9CCA4F627700334689C353D6BDFA34BBD8324C7342ABEFB9CC2BC842D3A2A728122350D8FCD44CC1F0582D33CAAB03
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Joe Sandbox View:	Filename: 2.exe, Detection: malicious, Browse Filename: xpKZwKFN9W.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........=3..\]..\]..\].v@S..\]..@Q..\]..CN..\]..CN..\]..\\..^]..zW.%\]..zV..\]..CV..\]..CW..\]..\]..\].2Z[..\].Rich.\].........PE..L....a.f.............................&....... ....@.........................................................................hD....................................................................................... ..$............................text...F........................... ..`.rdata...H... ...P... ..............@..@.data...H>...p.......p..............@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\csrss2.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	913408
Entropy (8bit):	6.342927646017908
Encrypted:	false
SSDEEP:	12288:v5mcnXTgXcH3y4gE94PDheqjwLpL/duo6F+tdjBgj3V6XEHNYEu0l8+zXw:v55ksXy4gE47he4wtL/xExlzX
MD5:	A38A05E4A9DBFC6E7B6608B7F48D909C
SHA1:	72013C52A8D0572C803F7F7240D84C4819E307C7
SHA-256:	113528ADBBF5F74519D59A556E232E43F87E067EBE229CE0698BB9CD2A3656B0
SHA-512:	FF43AD96878BC040001B685F8E71B2B50C9CCA4F627700334689C353D6BDFA34BBD8324C7342ABEFB9CC2BC842D3A2A728122350D8FCD44CC1F0582D33CAAB03
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Joe Sandbox View:	Filename: 2.exe, Detection: malicious, Browse Filename: xpKZwKFN9W.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........=3..\]..\]..\].v@S..\]..@Q..\]..CN..\]..CN..\]..\\..^]..zW.%\]..zV..\]..CV..\]..CW..\]..\]..\].2Z[..\].Rich.\].........PE..L....a.f.............................&....... ....@.........................................................................hD....................................................................................... ..$............................text...F........................... ..`.rdata...H... ...P... ..............@..@.data...H>...p.......p..............@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.39113595572983
Encrypted:	false
SSDEEP:	6144:ul4fiJoH0ncNXiUjt10q0G/gaocYGBoaUMMhA2NX4WABlBuN1xOBSqa:u4vF0MYQUMM6VFYLxU
MD5:	6E5D362D46CD7ADF5700366E3E262A40
SHA1:	6516F8E71DD2409D8BC5ECA5D806E7BF54C0CE68
SHA-256:	D3A5449577FF572FE4F9C1F5A1B3D2DB4E36DB7AC94AA360858EF0CFCF2502F9
SHA-512:	2E721C1688B1BC2894450B7B73018F078413280B91C9FAA54BE4FAE40F2ED5D7323C745199490FA0E43FD47516A49DB00A8CF65E1B4342FD7721F93D24076F33
Malicious:	false
Reputation:	low
Preview:	regfG...G....\.Z.................... ....P......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.G.................................................................................................................................................................................................................................................................................................................................................s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.380968074399036
TrID:	Win32 Executable (generic) a (10002005/4) 99.83% Windows Screen Saver (13104/52) 0.13% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe
File size:	1'613'824 bytes
MD5:	c3c547a2f7ba40a8ccc74c64f56f74bf
SHA1:	3499ffe761db6d8a1f3d506e3cc3497e18f0a5ff
SHA256:	be1650866941ac704ce9dd90f87276c3b9f008f25040e8ac78f3cc2c62233124
SHA512:	e54a7b6b63857eacd8082f8f6f540749e02a40afa726dd17624c9f8177697c940927b4aeeae9a989288d36135a2a5c3b9851f19ddda82d0c284eab0d200bb561
SSDEEP:	24576:YBbdrmZoGk/52SCUAO55ksXy4gE47he4wtL/xExlzXyDK:Or3/5PkO553eEQwtqx1
TLSH:	1075AE71B6D2C0F7C509293018A6A73AAB759F464F15CFC7D364EE6C2C322D2A937129
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;...U...U...U.p.[...U..._.H.U...Y...U...F...U...F...U...T...U...^...U...^...U..._...U...U...U.4.S...U.Rich..U................

File Icon


Icon Hash:	33e88eaaaa96cc31

Static PE Info

General

Entrypoint:	0x45d345
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x660566DE [Thu Mar 28 12:47:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	245788be5f7374c2353736518c2959b3

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00564A18h
push 0046218Ch
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 58h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [0047C368h]
xor edx, edx
mov dl, ah
mov dword ptr [00594330h], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [0059432Ch], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [00594328h], ecx
shr eax, 10h
mov dword ptr [00594324h], eax
push 00000001h
call 00007FED54F93D58h
pop ecx
test eax, eax
jne 00007FED54F8EFDAh
push 0000001Ch
call 00007FED54F8F098h
pop ecx
call 00007FED54F93B03h
test eax, eax
jne 00007FED54F8EFDAh
push 00000010h
call 00007FED54F8F087h
pop ecx
xor esi, esi
mov dword ptr [ebp-04h], esi
call 00007FED54F93931h
call dword ptr [0047C348h]
mov dword ptr [00595A04h], eax
call 00007FED54F937EFh
mov dword ptr [005942A0h], eax
call 00007FED54F93598h
call 00007FED54F934DAh
call 00007FED54F92791h
mov dword ptr [ebp-30h], esi
lea eax, dword ptr [ebp-5Ch]
push eax
call dword ptr [0047C2F4h]
call 00007FED54F9346Bh
mov dword ptr [ebp-64h], eax
test byte ptr [ebp-30h], 00000001h
je 00007FED54F8EFD8h
movzx eax, word ptr [ebp+00h]

Rich Headers

Programming Language:

[ C ] VS98 (6.0) SP6 build 8804
[C++] VS98 (6.0) SP6 build 8804
[C++] VS98 (6.0) build 8168
[ C ] VS98 (6.0) build 8168
[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x16bc90	0x104	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x196000	0x908c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7c000	0x6b4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x7aeaa	0x7b000	6bd0d81f8ef5f6b99e67ac6a8259d9c4	False	0.5594015974339431	data	6.580166948575232	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7c000	0xf1f8c	0xf2000	49cfb90753523be678c1d70d02c00b21	False	0.44575235666322316	data	6.263293355807824	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x16e000	0x27a08	0x12000	b9689d5ae9a79907b5e71e3a962e488e	False	0.3091362847222222	data	5.061264310840605	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x196000	0x908c	0xa000	00b6451ea53de677558ec8e32da2f797	False	0.32431640625	data	5.604920514048709	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
TEXTINCLUDE	0x196b9c	0xb	ASCII text, with no line terminators	Chinese	China	1.7272727272727273
TEXTINCLUDE	0x196ba8	0x16	data	Chinese	China	1.3636363636363635
TEXTINCLUDE	0x196bc0	0x151	C source, ASCII text, with CRLF line terminators	Chinese	China	0.6201780415430267
RT_CURSOR	0x196d14	0x134	data	Chinese	China	0.5811688311688312
RT_CURSOR	0x196e48	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	Chinese	China	0.37662337662337664
RT_CURSOR	0x196f7c	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	Chinese	China	0.4805194805194805
RT_CURSOR	0x1970b0	0xb4	Targa image data - Map 32 x 65536 x 1 +16 "\001"	Chinese	China	0.7
RT_BITMAP	0x197164	0x248	Device independent bitmap graphic, 64 x 15 x 4, image size 480	Chinese	China	0.3407534246575342
RT_BITMAP	0x1973ac	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	Chinese	China	0.4444444444444444
RT_BITMAP	0x1974f0	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.26453488372093026
RT_BITMAP	0x197648	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.2616279069767442
RT_BITMAP	0x1977a0	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.2441860465116279
RT_BITMAP	0x1978f8	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.24709302325581395
RT_BITMAP	0x197a50	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.2238372093023256
RT_BITMAP	0x197ba8	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240	Chinese	China	0.19476744186046513
RT_BITMAP	0x197d00	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240	Chinese	China	0.20930232558139536
RT_BITMAP	0x197e58	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240	Chinese	China	0.18895348837209303
RT_BITMAP	0x197fb0	0x5e4	Device independent bitmap graphic, 70 x 39 x 4, image size 1404	Chinese	China	0.34615384615384615
RT_BITMAP	0x198594	0xb8	Device independent bitmap graphic, 12 x 10 x 4, image size 80	Chinese	China	0.44565217391304346
RT_BITMAP	0x19864c	0x16c	Device independent bitmap graphic, 39 x 13 x 4, image size 260	Chinese	China	0.28296703296703296
RT_BITMAP	0x1987b8	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	Chinese	China	0.37962962962962965
RT_ICON	0x1988fc	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	Chinese	China	0.26344086021505375
RT_ICON	0x198be4	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	Chinese	China	0.41216216216216217
RT_ICON	0x198d0c	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 0			0.3735238545111006
RT_MENU	0x19cf34	0xc	data	Chinese	China	1.5
RT_MENU	0x19cf40	0x284	data	Chinese	China	0.5
RT_DIALOG	0x19d1c4	0x98	data	Chinese	China	0.7171052631578947
RT_DIALOG	0x19d25c	0x17a	data	Chinese	China	0.5185185185185185
RT_DIALOG	0x19d3d8	0xfa	data	Chinese	China	0.696
RT_DIALOG	0x19d4d4	0xea	data	Chinese	China	0.6239316239316239
RT_DIALOG	0x19d5c0	0x8ae	data	Chinese	China	0.39603960396039606
RT_DIALOG	0x19de70	0xb2	data	Chinese	China	0.7359550561797753
RT_DIALOG	0x19df24	0xcc	data	Chinese	China	0.7647058823529411
RT_DIALOG	0x19dff0	0xb2	data	Chinese	China	0.6629213483146067
RT_DIALOG	0x19e0a4	0xe2	data	Chinese	China	0.6637168141592921
RT_DIALOG	0x19e188	0x18c	data	Chinese	China	0.5227272727272727
RT_STRING	0x19e314	0x50	data	Chinese	China	0.85
RT_STRING	0x19e364	0x2c	data	Chinese	China	0.5909090909090909
RT_STRING	0x19e390	0x78	data	Chinese	China	0.925
RT_STRING	0x19e408	0x1c4	data	Chinese	China	0.8141592920353983
RT_STRING	0x19e5cc	0x12a	data	Chinese	China	0.5201342281879194
RT_STRING	0x19e6f8	0x146	data	Chinese	China	0.6288343558282209
RT_STRING	0x19e840	0x40	data	Chinese	China	0.65625
RT_STRING	0x19e880	0x64	data	Chinese	China	0.73
RT_STRING	0x19e8e4	0x1d8	data	Chinese	China	0.6758474576271186
RT_STRING	0x19eabc	0x114	data	Chinese	China	0.6376811594202898
RT_STRING	0x19ebd0	0x24	data	Chinese	China	0.4444444444444444
RT_GROUP_CURSOR	0x19ebf4	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.25
RT_GROUP_CURSOR	0x19ec08	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.25
RT_GROUP_CURSOR	0x19ec1c	0x22	Lotus unknown worksheet or configuration, revision 0x2	Chinese	China	1.0294117647058822
RT_GROUP_ICON	0x19ec40	0x14	data			1.25
RT_GROUP_ICON	0x19ec54	0x14	data	Chinese	China	1.2
RT_GROUP_ICON	0x19ec68	0x14	data	Chinese	China	1.25
RT_VERSION	0x19ec7c	0x240	data	Chinese	China	0.5746527777777778
RT_MANIFEST	0x19eebc	0x1cd	XML 1.0 document, ASCII text, with very long lines (461), with no line terminators			0.5878524945770065

Imports

DLL	Import
KERNEL32.dll	lstrcmpiA, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, DuplicateHandle, lstrcpynA, SetLastError, FileTimeToLocalFileTime, FileTimeToSystemTime, LocalFree, InterlockedDecrement, GetCurrentProcess, GetWindowsDirectoryA, GetSystemDirectoryA, CreateSemaphoreA, ResumeThread, ReleaseSemaphore, EnterCriticalSection, LeaveCriticalSection, SetStdHandle, IsBadCodePtr, IsBadReadPtr, CompareStringW, CompareStringA, SetUnhandledExceptionFilter, GetStringTypeW, GetStringTypeA, IsBadWritePtr, VirtualAlloc, LCMapStringW, LCMapStringA, SetEnvironmentVariableA, VirtualFree, HeapCreate, HeapDestroy, GetEnvironmentVariableA, GetFileType, GetStdHandle, SetHandleCount, GetEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsW, FreeEnvironmentStringsA, UnhandledExceptionFilter, GetACP, HeapSize, TerminateProcess, GetLocalTime, GetSystemTime, GetTimeZoneInformation, RaiseException, GetProfileStringA, WriteFile, WaitForMultipleObjects, CreateFileA, SetEvent, FindResourceA, LoadResource, LockResource, ReadFile, GetModuleFileNameA, WideCharToMultiByte, MultiByteToWideChar, GetCurrentThreadId, ExitProcess, GlobalSize, GlobalFree, DeleteCriticalSection, InitializeCriticalSection, lstrcatA, lstrlenA, WinExec, lstrcpyA, FindNextFileA, GlobalReAlloc, HeapFree, HeapReAlloc, GetProcessHeap, HeapAlloc, GetFullPathNameA, FreeLibrary, LoadLibraryA, GetLastError, GetVersionExA, WritePrivateProfileStringA, CreateThread, CreateEventA, Sleep, GlobalAlloc, GlobalLock, GlobalUnlock, GetTempPathA, FindFirstFileA, FindClose, RtlUnwind, GetStartupInfoA, GetOEMCP, GetCPInfo, GetProcessVersion, SetErrorMode, GlobalFlags, GetCurrentThread, GetFileTime, GetFileSize, TlsGetValue, LocalReAlloc, TlsSetValue, TlsFree, GlobalHandle, TlsAlloc, GetFileAttributesA, SetCurrentDirectoryA, GetVolumeInformationA, GetModuleHandleA, GetProcAddress, MulDiv, GetCommandLineA, GetTickCount, CreateProcessA, WaitForSingleObject, CloseHandle, GlobalDeleteAtom, LocalAlloc, lstrcmpA, GetVersion, GlobalGetAtomNameA, GlobalAddAtomA, GlobalFindAtomA, InterlockedIncrement
USER32.dll	GetScrollPos, WaitForInputIdle, wsprintfA, CloseClipboard, GetClipboardData, OpenClipboard, SetClipboardData, EmptyClipboard, GetSystemMetrics, GetCursorPos, MessageBoxA, SetWindowPos, SendMessageA, DestroyCursor, SetParent, IsWindow, PostMessageA, GetTopWindow, GetParent, GetFocus, GetClientRect, InvalidateRect, ValidateRect, UpdateWindow, EqualRect, GetWindowRect, SetForegroundWindow, DestroyMenu, IsChild, ReleaseDC, IsRectEmpty, FillRect, GetDC, SetCursor, LoadCursorA, SetCursorPos, SetActiveWindow, GetSysColor, SetWindowLongA, GetWindowLongA, RedrawWindow, EnableWindow, IsWindowVisible, OffsetRect, PtInRect, DestroyIcon, IntersectRect, InflateRect, SetRect, SetScrollPos, SetScrollRange, GetScrollRange, SetCapture, GetCapture, ReleaseCapture, GetForegroundWindow, LoadIconA, TranslateMessage, DrawFrameControl, DrawEdge, DrawFocusRect, WindowFromPoint, GetMessageA, DispatchMessageA, SetRectEmpty, RegisterClipboardFormatA, CreateIconFromResourceEx, CreateIconFromResource, DrawIconEx, CreatePopupMenu, AppendMenuA, ModifyMenuA, CreateMenu, CreateAcceleratorTableA, GetDlgCtrlID, GetSubMenu, EnableMenuItem, ClientToScreen, EnumDisplaySettingsA, LoadImageA, SystemParametersInfoA, ShowWindow, IsWindowEnabled, TranslateAcceleratorA, GetKeyState, CopyAcceleratorTableA, PostQuitMessage, IsZoomed, GetClassInfoA, DefWindowProcA, GetSystemMenu, DeleteMenu, GetMenu, SetMenu, GetWindowTextA, GetWindowTextLengthA, CharUpperA, GetWindowDC, BeginPaint, EndPaint, TabbedTextOutA, DrawTextA, GrayStringA, GetDlgItem, DestroyWindow, CreateDialogIndirectParamA, EndDialog, GetNextDlgTabItem, GetWindowPlacement, RegisterWindowMessageA, GetLastActivePopup, GetMessageTime, RemovePropA, CallWindowProcA, GetPropA, UnhookWindowsHookEx, SetPropA, GetClassLongA, CallNextHookEx, SetWindowsHookExA, CreateWindowExA, GetMenuItemID, GetMenuItemCount, RegisterClassA, UnregisterClassA, AdjustWindowRectEx, MapWindowPoints, SendDlgItemMessageA, ScrollWindowEx, IsDialogMessageA, SetWindowTextA, MoveWindow, CheckMenuItem, SetMenuItemBitmaps, GetMenuState, GetMenuCheckMarkDimensions, GetClassNameA, GetDesktopWindow, LoadStringA, GetSysColorBrush, PeekMessageA, IsIconic, SetFocus, GetActiveWindow, GetWindow, DestroyAcceleratorTable, SetWindowRgn, GetMessagePos, ScreenToClient, ChildWindowFromPointEx, CopyRect, LoadBitmapA, WinHelpA, KillTimer, SetTimer
GDI32.dll	GetClipRgn, CreatePolygonRgn, SelectClipRgn, DeleteObject, CreateDIBitmap, GetSystemPaletteEntries, CreatePalette, StretchBlt, SelectPalette, RealizePalette, GetDIBits, GetWindowExtEx, GetViewportOrgEx, GetWindowOrgEx, BeginPath, EndPath, PathToRegion, CreateEllipticRgn, CreateRoundRectRgn, GetTextColor, GetBkMode, GetBkColor, GetROP2, GetStretchBltMode, GetPolyFillMode, CreateCompatibleBitmap, CreateDCA, CreateBitmap, SelectObject, GetObjectA, CreatePen, SetStretchBltMode, CombineRgn, CreateRectRgn, FillRgn, CreateSolidBrush, GetStockObject, CreateFontIndirectA, EndPage, EndDoc, DeleteDC, StartDocA, StartPage, BitBlt, CreateCompatibleDC, Ellipse, Rectangle, LPtoDP, DPtoLP, GetCurrentObject, RoundRect, GetTextExtentPoint32A, GetDeviceCaps, SaveDC, RestoreDC, SetBkMode, SetPolyFillMode, SetROP2, SetTextColor, SetMapMode, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowOrgEx, SetWindowExtEx, ScaleWindowExtEx, GetClipBox, ExcludeClipRect, MoveToEx, LineTo, CreateRectRgnIndirect, SetBkColor, PatBlt, GetTextMetricsA, Escape, ExtTextOutA, TextOutA, RectVisible, PtVisible, GetViewportExtEx, ExtSelectClipRgn
WINMM.dll	midiStreamRestart, midiStreamClose, midiOutReset, midiStreamStop, midiStreamOut, midiOutPrepareHeader, midiStreamProperty, midiStreamOpen, midiOutUnprepareHeader, waveOutOpen, waveOutGetNumDevs, waveOutClose, waveOutReset, waveOutPause, waveOutWrite, waveOutPrepareHeader, waveOutUnprepareHeader
WINSPOOL.DRV	ClosePrinter, DocumentPropertiesA, OpenPrinterA
ADVAPI32.dll	RegCloseKey, RegOpenKeyExA, RegSetValueExA, RegQueryValueA, RegCreateKeyExA
SHELL32.dll	ShellExecuteA, Shell_NotifyIconA, SHGetSpecialFolderPathA
ole32.dll	OleInitialize, OleUninitialize, CLSIDFromString
OLEAUT32.dll	UnRegisterTypeLib, RegisterTypeLib, LoadTypeLib
COMCTL32.dll	ImageList_Destroy
WS2_32.dll	recv, getpeername, accept, recvfrom, ioctlsocket, WSAAsyncSelect, closesocket, inet_ntoa, WSACleanup
comdlg32.dll	GetFileTitleA, GetSaveFileNameA, GetOpenFileNameA, ChooseColorA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China

Target ID:	0
Start time:	02:34:18
Start date:	27/09/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe"
Imagebase:	0x400000
File size:	1'613'824 bytes
MD5 hash:	C3C547A2F7BA40A8CCC74C64F56F74BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	02:34:18
Start date:	27/09/2024
Path:	C:\Users\user\AppData\Local\Temp\csrss2.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\csrss2.exe
Imagebase:	0x400000
File size:	913'408 bytes
MD5 hash:	A38A05E4A9DBFC6E7B6608B7F48D909C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 50%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.6%
Total number of Nodes:	531
Total number of Limit Nodes:	35

Executed Functions

Function 004346B0 Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 370
commemorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 004346D9
OleInitialize.OLE32(00000000), ref: 00434715
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00434733
SetCurrentDirectoryA.KERNEL32(02435B88,?), ref: 0043478D
LoadCursorA.USER32(00000000,00007F00), ref: 004347E8
GetStockObject.GDI32(00000005), ref: 00434809
GetCurrentThreadId.KERNEL32 ref: 00434831

Strings

_EL_HideOwner, xrefs: 00434813

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Current$CursorDirectoryFileHeapInitializeLoadModuleNameObjectProcessStockThread
String ID: _EL_HideOwner
API String ID: 3783217854-1487855678
Opcode ID: bf77c0e266fddce255b92f93d9e42d0d664630020060d230df2ada2fe191263e
Instruction ID: 7dc7717077a9dc65f35e55b49dc1d4990063de77b39a9fb233cf71de07771aea
Opcode Fuzzy Hash: bf77c0e266fddce255b92f93d9e42d0d664630020060d230df2ada2fe191263e
Instruction Fuzzy Hash: C8E1A370A002059BDB14EF65DCC1BEE77B4BF88308F14416EE909AB291DB78A945CB99

Function 0046E165 Relevance: 12.1, APIs: 8, Instructions: 72
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0046E16A
GetFullPathNameA.KERNEL32(?,00000104,?,?,?,?), ref: 0046E188
lstrcpynA.KERNEL32(?,?,00000104), ref: 0046E197
GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0046E1CB
CharUpperA.USER32(?), ref: 0046E1DC
FindFirstFileA.KERNEL32(?,?), ref: 0046E1F2
FindClose.KERNEL32(00000000), ref: 0046E1FE
lstrcpyA.KERNEL32(?,?), ref: 0046E20E

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Find$CharCloseFileFirstFullH_prologInformationNamePathUpperVolumelstrcpylstrcpyn
String ID:
API String ID: 304730633-0
Opcode ID: d79022c053938d5c1cbb51540a3ce24aca5dfbc781795838f8da0f59ed3ac53a
Instruction ID: ffa1ed3da34ef481c3378161db130fa50378d3c5604040de466e6a65651f0bf1
Opcode Fuzzy Hash: d79022c053938d5c1cbb51540a3ce24aca5dfbc781795838f8da0f59ed3ac53a
Instruction Fuzzy Hash: 7D21B371900019BBCB109FA6DC48EEF7FBCEF05764F00816AF519E2161E7348A85CBA5

Function 00477D1A Relevance: 6.1, APIs: 4, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(?,?,?,00477D15), ref: 00477D91
GetProcessVersion.KERNELBASE(00000000,?,?,?,00477D15), ref: 00477DCE
LoadCursorA.USER32(00000000,00007F02), ref: 00477DFC
LoadCursorA.USER32(00000000,00007F00), ref: 00477E07

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CursorLoadVersion$Process
String ID:
API String ID: 2246821583-0
Opcode ID: ec170aae96355a3e002fa72321e11e1a83c514515b652213ee7c063ebdcd9822
Instruction ID: dc68b1ec348273b1acb72d1859e620db99da15c977c5cd3457f3e48e8b15f42a
Opcode Fuzzy Hash: ec170aae96355a3e002fa72321e11e1a83c514515b652213ee7c063ebdcd9822
Instruction Fuzzy Hash: EF118CB1A00B508FD7249F3A888456ABBE5FB487057404D3FE18BC7B90D778E480CB54

Function 0046F20F Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0046F214
GetPropA.USER32(?,AfxOldWndProc423), ref: 0046F22C
CallWindowProcA.USER32(?,?,00000110,?,00000000), ref: 0046F28A

Part of subcall function 0046EDF7: GetWindowRect.USER32(?,?), ref: 0046EE1C
Part of subcall function 0046EDF7: GetWindow.USER32(?,00000004), ref: 0046EE39

SetWindowLongA.USER32(?,000000FC,?), ref: 0046F2BA
RemovePropA.USER32(?,AfxOldWndProc423), ref: 0046F2C2
GlobalFindAtomA.KERNEL32(AfxOldWndProc423), ref: 0046F2C9
GlobalDeleteAtom.KERNEL32(00000000), ref: 0046F2D0

Part of subcall function 0046EDD4: GetWindowRect.USER32(?,?), ref: 0046EDE0

CallWindowProcA.USER32(?,?,?,?,00000000), ref: 0046F324

Strings

AfxOldWndProc423, xrefs: 0046F222, 0046F22A, 0046F2C0, 0046F2C8

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prologLongRemove
String ID: AfxOldWndProc423
API String ID: 2397448395-1060338832
Opcode ID: 60c5a127e8fd9275610d85d3f28b980cd955b05f06ba2a2be38befa6861a03ee
Instruction ID: aa41280426a56df726f57f3f8599dc66d276eff7b7a5ea3bc6d0123b2e450574
Opcode Fuzzy Hash: 60c5a127e8fd9275610d85d3f28b980cd955b05f06ba2a2be38befa6861a03ee
Instruction Fuzzy Hash: BC31B432800119BBCF01DFA5ED49DFF7BB8EF05710F00002AF541A2151E7398955DBAA

Function 00476EA3 Relevance: 15.1, APIs: 10, Instructions: 99
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(00593F68,00593F3C,00000000,?,00593F4C,00593F4C,0047723E,?,00000000,00476C91,00476590,00476CAD,0047247F,0047371E,?,00000000), ref: 00476EB2
GlobalAlloc.KERNELBASE(00002002,00000000,?,?,00593F4C,00593F4C,0047723E,?,00000000,00476C91,00476590,00476CAD,0047247F,0047371E,?,00000000), ref: 00476F07
GlobalHandle.KERNEL32(008524F8), ref: 00476F10
GlobalUnlock.KERNEL32(00000000), ref: 00476F19
GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 00476F2B
GlobalHandle.KERNEL32(008524F8), ref: 00476F42
GlobalLock.KERNEL32(00000000), ref: 00476F49
LeaveCriticalSection.KERNEL32(0045D425,?,?,00593F4C,00593F4C,0047723E,?,00000000,00476C91,00476590,00476CAD,0047247F,0047371E,?,00000000), ref: 00476F4F
GlobalLock.KERNEL32(00000000), ref: 00476F5E
LeaveCriticalSection.KERNEL32(?), ref: 00476FA7

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID:
API String ID: 2667261700-0
Opcode ID: fe3fe725812a12adecb107197d32ce5e2e7fce5cfd3335e4dee0c5ae182bba2a
Instruction ID: f747e359475ce8c9b1581be01f49a75805150bfd2d6aa505ed9c34c774d1237f
Opcode Fuzzy Hash: fe3fe725812a12adecb107197d32ce5e2e7fce5cfd3335e4dee0c5ae182bba2a
Instruction Fuzzy Hash: 7331A1752007059FD7209F28EC89A6AB7EAFF44305B014A3EF85AC3661E775EC448B14

Function 00411BC0 Relevance: 13.8, APIs: 9, Instructions: 289
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78cea9e19cda4bc26314378b1d824103f3460595dd5ed0adcf71a23a98fef7a2
Instruction ID: 737df60b6793935aa10769ca411607aef96b188e0e9e23676dea4984d4c101a6
Opcode Fuzzy Hash: 78cea9e19cda4bc26314378b1d824103f3460595dd5ed0adcf71a23a98fef7a2
Instruction Fuzzy Hash: 72B1AE706047009FD724CF65D884BABB7E6BBC4744F50892EF696873A0D778E881CB5A

Function 00401750 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 97
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 00401807
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0040181F
WaitForInputIdle.USER32(?,000003E8), ref: 00401831
CloseHandle.KERNEL32(?), ref: 00401842
CloseHandle.KERNEL32(?), ref: 00401849

Strings

D, xrefs: 00401769

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandleWait$CreateIdleInputObjectProcessSingle
String ID: D
API String ID: 2811420030-2746444292
Opcode ID: 260b1660031c8caa39629544eb4e0af045549af82e908b9e64c2b6a31d48fca7
Instruction ID: 3abceb7ab1b7d8f7e5fb38879a4bbfa70a3417de6ced97604b130447af121a14
Opcode Fuzzy Hash: 260b1660031c8caa39629544eb4e0af045549af82e908b9e64c2b6a31d48fca7
Instruction Fuzzy Hash: 9E317F796043019BD720CB28C884A6BB7F9EF95714F24492FF546E73A0E778D885878B

Function 004736BB Relevance: 9.0, APIs: 6, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(0000000B), ref: 004736C8
GetSystemMetrics.USER32(0000000C), ref: 004736CF
GetDC.USER32(00000000), ref: 004736E8
GetDeviceCaps.GDI32(00000000,00000058), ref: 004736F9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00473701
ReleaseDC.USER32(00000000,00000000), ref: 00473709

Part of subcall function 00477D3A: GetSystemMetrics.USER32(00000002), ref: 00477D4C
Part of subcall function 00477D3A: GetSystemMetrics.USER32(00000003), ref: 00477D56

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$CallbackDispatcherReleaseUser
String ID:
API String ID: 1031845853-0
Opcode ID: 19e1b99c95a021bf0c78f7a2206177118abd78d0e05e5cb018d16ce16a3cc80a
Instruction ID: cdde0639501a6584868a0311345b9d162013f8c827414f9ca8b5fec4a38af719
Opcode Fuzzy Hash: 19e1b99c95a021bf0c78f7a2206177118abd78d0e05e5cb018d16ce16a3cc80a
Instruction Fuzzy Hash: F4F0B430640700ABE2306FB28C89F6B77A4EF80756F00842EF649862D0DAB49844CFA9

Function 00411AA0 Relevance: 6.1, APIs: 4, Instructions: 94
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageA.USER32(?,00000080,00000001,?), ref: 00411B48
SendMessageA.USER32(?,00000080,00000000,?), ref: 00411B5A
DestroyCursor.USER32(?), ref: 00411B6D
DestroyCursor.USER32(?), ref: 00411B7A

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CursorDestroyMessageSend
String ID:
API String ID: 3501257726-0
Opcode ID: 1a80595715a00e3d7d11e604dea4f23654a04729ce936796193868492dec4869
Instruction ID: dbce75b9d5423587eb62aba0130eee9967ff935160e03c71e958cf7268992266
Opcode Fuzzy Hash: 1a80595715a00e3d7d11e604dea4f23654a04729ce936796193868492dec4869
Instruction Fuzzy Hash: A3311C716043016FE720DF65D880BA7B3E8AF84714F50882EFA9597350E678F8498B66

Function 0046F5E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0047720A: TlsGetValue.KERNEL32(00593F4C,?,00000000,00476C91,00476590,00476CAD,0047247F,0047371E,?,00000000,?,0046B321,00000000,00000000,00000000,00000000), ref: 00477249

GetCurrentThreadId.KERNEL32 ref: 0046F602
SetWindowsHookExA.USER32(00000005,0046F3EA,00000000,00000000), ref: 0046F612

Strings

<?Y, xrefs: 0046F5E7

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CurrentHookThreadValueWindows
String ID: <?Y
API String ID: 933525246-2555971210
Opcode ID: 07ef82b21536ea5752b5a3eafcc42cea72b27effa7907510bcc8b74313931c53
Instruction ID: d8e96b21ec4c7d187624f3937bdf0f6fb7bda9c7e73f183439dfa4bc1a3acdef
Opcode Fuzzy Hash: 07ef82b21536ea5752b5a3eafcc42cea72b27effa7907510bcc8b74313931c53
Instruction Fuzzy Hash: BCE06531A40B009ED7305BA2A805B1776E4EB94711F10453FE18986241E374A8458F7E

Function 0046EF47 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0046EF4C

Part of subcall function 0047720A: TlsGetValue.KERNEL32(00593F4C,?,00000000,00476C91,00476590,00476CAD,0047247F,0047371E,?,00000000,?,0046B321,00000000,00000000,00000000,00000000), ref: 00477249

Strings

<?Y, xrefs: 0046EF57

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: H_prologValue
String ID: <?Y
API String ID: 3700342317-2555971210
Opcode ID: dd581c04d2628a91250669e57a1a5586d1872630925d243e4dc25b41755658b4
Instruction ID: fdd5aa2f6bee59cb8b3ae47bdfb39085589079f65b903faa227188bc98daff8b
Opcode Fuzzy Hash: dd581c04d2628a91250669e57a1a5586d1872630925d243e4dc25b41755658b4
Instruction Fuzzy Hash: 85218C76900209EFCF15DF55C481AEE7BB9FF48314F00806AF819AB241E378AE45CBA5

Function 0046DE39 Relevance: 3.1, APIs: 2, Instructions: 107
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0046E165: __EH_prolog.LIBCMT ref: 0046E16A
Part of subcall function 0046E165: GetFullPathNameA.KERNEL32(?,00000104,?,?,?,?), ref: 0046E188
Part of subcall function 0046E165: lstrcpynA.KERNEL32(?,?,00000104), ref: 0046E197

CreateFileA.KERNELBASE(00000000,80000000,00000000,0000000C,00000003,00000080,00000000,?,?,?,?), ref: 0046DF14
GetLastError.KERNEL32 ref: 0046DF26

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateErrorFileFullH_prologLastNamePathlstrcpyn
String ID:
API String ID: 1034715445-0
Opcode ID: 4e6a6c6aedbbf6f6a1d39231d72fdf8ae48534ce2d517917df4f6cc577eea68d
Instruction ID: cca54fbabbdd08d1257dba1eca78ef21ab3a446a3519bb93802ddcb32e4eaa04
Opcode Fuzzy Hash: 4e6a6c6aedbbf6f6a1d39231d72fdf8ae48534ce2d517917df4f6cc577eea68d
Instruction Fuzzy Hash: 17313B72F00B059BEB249E55CC46BAB77A5AB90314F24892FF026CF2D0E67DDD44864A

Function 00477A6C Relevance: 3.0, APIs: 2, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000000,00000000,0047373D,00000000,00000000,00000000,00000000,?,00000000,?,0046B321,00000000,00000000,00000000,00000000,0045D425), ref: 00477A75
SetErrorMode.KERNELBASE(00000000,?,00000000,?,0046B321,00000000,00000000,00000000,00000000,0045D425,00000000), ref: 00477A7C

Part of subcall function 00477ACF: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 00477B00
Part of subcall function 00477ACF: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 00477BA1
Part of subcall function 00477ACF: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 00477BCE

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorMode$FileModuleNamelstrcatlstrcpy
String ID:
API String ID: 3389432936-0
Opcode ID: dbff44918467a8c239b82b4fb8b668d39e1942f7f9966cab074987c84d4fb655
Instruction ID: eca1de7f78a1a68ba7737a0a763d7c64c50a993f22d42e6691c238739daf23d9
Opcode Fuzzy Hash: dbff44918467a8c239b82b4fb8b668d39e1942f7f9966cab074987c84d4fb655
Instruction Fuzzy Hash: 1EF087719082119FE710AF24C044A893BE5AF48710F0AC48FB48C8B3A2CB78D940CBAA

Function 0046DF90 Relevance: 3.0, APIs: 2, Instructions: 31
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,?,00000001,?,0040190F,-00000010,?,?,00001011,00000000), ref: 0046DFAB
GetLastError.KERNEL32(?,?,0040190F,-00000010,?,?,00001011,00000000), ref: 0046DFB8

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 735033e922b302d670b9744d0155b65705561e0f91300bc8af511751426ade20
Instruction ID: c7c9ff61002aafe83cce8cc2c74c657226963b4be6db910ab01bc13552bf9d72
Opcode Fuzzy Hash: 735033e922b302d670b9744d0155b65705561e0f91300bc8af511751426ade20
Instruction Fuzzy Hash: DAF0A736A002047BCB211F85DC04E97BB68EF85730F10C12BF92E95660E675A8508B64

Function 00462126 Relevance: 3.0, APIs: 2, Instructions: 30
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,0045D3A3,00000001), ref: 00462137

Part of subcall function 00461FDE: GetVersionExA.KERNEL32 ref: 00461FFD

HeapDestroy.KERNEL32 ref: 00462176

Part of subcall function 00465AD5: HeapAlloc.KERNEL32(00000000,00000140,0046215F,000003F8), ref: 00465AE2

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Heap$AllocCreateDestroyVersion
String ID:
API String ID: 2507506473-0
Opcode ID: c1e711c85a842b6f52a763c4f57fb636ea05ec63718b9e68dd89b068696c0485
Instruction ID: e764b3db49083ba9c714404d956640c755c2a77ef6178304d9acece569d43f29
Opcode Fuzzy Hash: c1e711c85a842b6f52a763c4f57fb636ea05ec63718b9e68dd89b068696c0485
Instruction Fuzzy Hash: 4DF0E5B064C3016ADB201771AD4576B35D4D752345F11443BF504C51A5FBA889C1AA0B

Function 00418330 Relevance: 3.0, APIs: 2, Instructions: 28COMMON

Download Yara Rule

APIs

LoadImageA.USER32(?,?,00000001,00000020,00000020,00000000), ref: 0041834B
LoadImageA.USER32(?,?,00000001,00000010,00000010,00000000), ref: 0041835D

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ImageLoad
String ID:
API String ID: 306446377-0
Opcode ID: 57fc8992f683322152a4e5ebe39a2366ac8074bfa42dfb5ab26b5292f80ca674
Instruction ID: 58b6b964901f80bf30ec01d93ceaf2ecc3c4b81f0817759a37632a8df117d7c4
Opcode Fuzzy Hash: 57fc8992f683322152a4e5ebe39a2366ac8074bfa42dfb5ab26b5292f80ca674
Instruction Fuzzy Hash: 27E0ED323813117BD620CE5A8C85F9BF7A9EB8DB10F100819B344AB1D1C2F1A44586A9

Function 0047248F Relevance: 3.0, APIs: 2, Instructions: 27threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004724A2
SetWindowsHookExA.USER32(000000FF,004727E7,00000000,00000000), ref: 004724B2

Part of subcall function 0047729F: __EH_prolog.LIBCMT ref: 004772A4

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CurrentH_prologHookThreadWindows
String ID:
API String ID: 2183259885-0
Opcode ID: c4f68596c5cb22cc1479a918be39629c159a8070d42251ee0644ff03d1a2e0ba
Instruction ID: eb5d1d7dee8d28e861bb88a780ccaf4bd85d5d3b2b217c9e747a7e6877978645
Opcode Fuzzy Hash: c4f68596c5cb22cc1479a918be39629c159a8070d42251ee0644ff03d1a2e0ba
Instruction Fuzzy Hash: DEF0A731904610ABDB613BB0BE0DB953B91AB00314F15CA5EF26D6A1D2CA6C5C848B6D

Function 0046F9AB Relevance: 3.0, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 0046F9D2
CallWindowProcA.USER32(?,?,?,?,?), ref: 0046F9E7

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ProcWindow$Call
String ID:
API String ID: 2316559721-0
Opcode ID: 911f91257d6e5876f5e423268e458899aa537bc100b9c73d4c9b653106a869cb
Instruction ID: 862713bd796df5741b63616f4f5255ae0446d909609c73a92666ce894cec1a61
Opcode Fuzzy Hash: 911f91257d6e5876f5e423268e458899aa537bc100b9c73d4c9b653106a869cb
Instruction Fuzzy Hash: 9AF03036100208FFCF118F94EC44E9A7BB9FF08350B14842AF989C6130D732E864EB44

Function 0045EC35 Relevance: 1.6, APIs: 1, Instructions: 80memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,?,00000000,00000000,00000000), ref: 0045ED1C

Part of subcall function 004648C4: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0045FB18,00000009,00000000,00000000,00000001,00461F6F,00000001,00000074,?,?,00000000,00000001), ref: 00464901
Part of subcall function 004648C4: EnterCriticalSection.KERNEL32(?,?,?,0045FB18,00000009,00000000,00000000,00000001,00461F6F,00000001,00000074,?,?,00000000,00000001), ref: 0046491C

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$AllocateEnterHeapInitialize
String ID:
API String ID: 1616793339-0
Opcode ID: f2d47f45b4efbc11bed158e35aac7cb3b41fe0771b67de109df5d32186dbc1c1
Instruction ID: 3283f39343d7c914fc8f5fbf2516420ce90e45ab8d1797a9b0d743ab533ddcc5
Opcode Fuzzy Hash: f2d47f45b4efbc11bed158e35aac7cb3b41fe0771b67de109df5d32186dbc1c1
Instruction Fuzzy Hash: 0E210871A00205ABDB14EF66DC42B9E77B4EB00724F24411BFC11EB2C2E778EE499A5D

Function 0046F66E Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(00000000,00000080,00434831,?,?,?,?,?,?,?,?,?), ref: 0046F70C

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 7b249ccd12829f57e03b2592bbd598163f2c8723e83f093d3f4d0d9efd3cff3f
Instruction ID: 5ff5b6740d2e7ebfe7b04687bd216eb562e1fa3553412237c23eb5576377c0ea
Opcode Fuzzy Hash: 7b249ccd12829f57e03b2592bbd598163f2c8723e83f093d3f4d0d9efd3cff3f
Instruction Fuzzy Hash: BF31BD79A00219AFCF01DFA8D844ADEBBF1BF4C304F01406AF949E7210E7359A519F95

Function 0046F1BE Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 705f8b1df7eb0ec59fc86126f926ab578b146450790474295153ce7e4870ac72
Instruction ID: 50e5f108c63f6398e597a565a06cfe1b64e6446ece90ac846b73c483e318e9bc
Opcode Fuzzy Hash: 705f8b1df7eb0ec59fc86126f926ab578b146450790474295153ce7e4870ac72
Instruction Fuzzy Hash: 94F01C36001219FBCF129E91ED00DEF3B69BF053A0F008466FA9455051D73A9965EFAB

Function 00472F42 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

LoadStringA.USER32(?,?,?,?), ref: 00472F59

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 4c268c7bca02edb5538b379b32cb5b72d0a4d0cde320d72f11fa87a785a5eec4
Instruction ID: ed64005f479a1cc6478972e6c6dbe5e08bcfdc7236020d8b81a0bb65e89181f4
Opcode Fuzzy Hash: 4c268c7bca02edb5538b379b32cb5b72d0a4d0cde320d72f11fa87a785a5eec4
Instruction Fuzzy Hash: 6ED0A7720083629BC711DF508808C8FBBE4FF58310B058C0EF48853111C324D844D765

Non-executed Functions

Function 00425D80 Relevance: 92.5, APIs: 47, Strings: 5, Instructions: 1494windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00474240: __EH_prolog.LIBCMT ref: 00474245
Part of subcall function 00474240: BeginPaint.USER32(?,?,?,?,00403979), ref: 0047426E

Part of subcall function 00473DF1: GetClipBox.GDI32(?,?), ref: 00473DF8

DPtoLP.GDI32 ref: 00425E9B
GetClientRect.USER32(?,?), ref: 00425EA9
DPtoLP.GDI32(?,?,00000002), ref: 00425EC1
IntersectRect.USER32(?,?,?), ref: 00425F60
LPtoDP.GDI32(?,?,00000002), ref: 00425FA1
IntersectRect.USER32(?,?,?), ref: 00425FFE
LPtoDP.GDI32(?,?,00000002), ref: 0042603F
CreateRectRgnIndirect.GDI32(?), ref: 0042606A
IntersectRect.USER32(?,?,?), ref: 0042609E
LPtoDP.GDI32(?,?,00000002), ref: 004260DF
CreateRectRgnIndirect.GDI32(?), ref: 00426105
CreateRectRgnIndirect.GDI32(?), ref: 00426134
GetCurrentObject.GDI32(?,00000006), ref: 00426150
GetCurrentObject.GDI32(?,00000001), ref: 00426169
GetCurrentObject.GDI32(?,00000002), ref: 00426182

Part of subcall function 00473AB0: SetBkMode.GDI32(?,?), ref: 00473AC9
Part of subcall function 00473AB0: SetBkMode.GDI32(?,?), ref: 00473AD7

Part of subcall function 004708A2: GetScrollPos.USER32(00000000,004098C3), ref: 004708C0

Part of subcall function 004259B0: CreateFontIndirectA.GDI32(00000000), ref: 00425A02

FillRgn.GDI32(?,?,?), ref: 00426362
IntersectRect.USER32(?,?,?), ref: 00426447
IsRectEmpty.USER32(?), ref: 00426452
LPtoDP.GDI32(?,?,00000002), ref: 0042646F
CreateRectRgnIndirect.GDI32(?), ref: 0042647A
CombineRgn.GDI32(?,?,?,00000004), ref: 004264AB
DPtoLP.GDI32(?,?,00000002), ref: 004264C9

Part of subcall function 00473B97: SetMapMode.GDI32(?,?), ref: 00473BB0
Part of subcall function 00473B97: SetMapMode.GDI32(?,?), ref: 00473BBE

PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 00426508
IntersectRect.USER32(?,?,?), ref: 0042659B
IsRectEmpty.USER32(?), ref: 004265E1
SelectObject.GDI32(?,?), ref: 0042661C
DPtoLP.GDI32(?,?,00000001), ref: 004266A8
LPtoDP.GDI32(?,?,00000001), ref: 004267C7
DPtoLP.GDI32(?,?,00000001), ref: 004267E5

Part of subcall function 00473EC5: MoveToEx.GDI32(?,?,?,?), ref: 00473EE7
Part of subcall function 00473EC5: MoveToEx.GDI32(?,?,?,?), ref: 00473EFB

Part of subcall function 00473F11: MoveToEx.GDI32(?,?,?,00000000), ref: 00473F2B
Part of subcall function 00473F11: LineTo.GDI32(?,?,?), ref: 00473F3C

Part of subcall function 004739D4: SelectObject.GDI32(?,00000000), ref: 004739F6
Part of subcall function 004739D4: SelectObject.GDI32(?,?), ref: 00473A0C

Part of subcall function 00429070: GetCurrentObject.GDI32(?), ref: 0042913B
Part of subcall function 00429070: LPtoDP.GDI32(?,00000000,00000001), ref: 00429188

IntersectRect.USER32(?,00000000,?), ref: 00426932
IsRectEmpty.USER32(00000000), ref: 0042693D
PatBlt.GDI32(?,00000000,?,?,?,00F00021), ref: 00426984
LPtoDP.GDI32(?,00000000,00000002), ref: 00426999
CreateRectRgnIndirect.GDI32(00000000), ref: 004269A4
CombineRgn.GDI32(?,?,?,00000004), ref: 004269D5
LPtoDP.GDI32(?,?,00000001), ref: 00426A04
DPtoLP.GDI32(?,?,00000001), ref: 00426A22
wsprintfA.USER32 ref: 00426AC0
SelectObject.GDI32(?,?), ref: 00426AE8
IntersectRect.USER32(?,?,?), ref: 00427058
IsRectEmpty.USER32(?), ref: 00427063
LPtoDP.GDI32(?,?,00000002), ref: 00427080
CreateRectRgnIndirect.GDI32(?), ref: 0042708B
CombineRgn.GDI32(?,?,?,00000004), ref: 004270BC

Part of subcall function 00428730: SetRectEmpty.USER32(?), ref: 004287AA

Part of subcall function 00428730: GetSysColor.USER32(0000000F), ref: 004288DB
Part of subcall function 00428730: IntersectRect.USER32(?,?,?), ref: 00428933

GetSysColor.USER32(0000000F), ref: 00426246

Part of subcall function 0047443D: __EH_prolog.LIBCMT ref: 00474442
Part of subcall function 0047443D: CreateSolidBrush.GDI32(?), ref: 0047445F

Part of subcall function 004743ED: __EH_prolog.LIBCMT ref: 004743F2
Part of subcall function 004743ED: CreatePen.GDI32(?,?,?), ref: 00474415

CreateRectRgnIndirect.GDI32(?), ref: 00425FC6

Part of subcall function 00427580: CopyRect.USER32(?,00000000), ref: 004275F7
Part of subcall function 00427580: IsRectEmpty.USER32(?), ref: 00427602
Part of subcall function 00427580: GetClientRect.USER32(00000000,?), ref: 00427641
Part of subcall function 00427580: DPtoLP.GDI32(?,?,00000002), ref: 00427653
Part of subcall function 00427580: LPtoDP.GDI32(?,?,00000002), ref: 00427690

FillRect.USER32(?,?,?), ref: 004273B9

Strings

0U, xrefs: 00426FD2
0U, xrefs: 00426FF5
$U, xrefs: 0042622D, 00426236
0U, xrefs: 00425FAE
0U, xrefs: 004260EC

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Rect$Create$IndirectIntersectObject$Empty$CurrentModeSelect$CombineH_prologMove$ClientColorFill$BeginBrushClipCopyFontLinePaintScrollSolidwsprintf
String ID: $U$0U$0U$0U$0U
API String ID: 3726329589-744944660
Opcode ID: fd55539d8e9d0be04a316b75fc55277049a014196200026f1373fce0d960f248
Instruction ID: 2382179bb3bec39e3088f6de629557b8051ec990bb99aeb1fecee40378afaa7f
Opcode Fuzzy Hash: fd55539d8e9d0be04a316b75fc55277049a014196200026f1373fce0d960f248
Instruction Fuzzy Hash: 1ED245712083849FD324DF65D895BAFB7E9BBC8708F40891EF58A83241DB74A905CB66

Function 0040CCE0 Relevance: 53.5, APIs: 29, Strings: 1, Instructions: 979windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 0040CD52
IsIconic.USER32(?), ref: 0040CD8A
SetActiveWindow.USER32(?,?,?), ref: 0040CDB3
IsWindow.USER32(?), ref: 0040CDDD
IsWindow.USER32(?), ref: 0040D0AE
DestroyAcceleratorTable.USER32(?), ref: 0040D1FE
DestroyMenu.USER32(?), ref: 0040D209
DestroyAcceleratorTable.USER32(?), ref: 0040D223
DestroyMenu.USER32(?), ref: 0040D232
DestroyAcceleratorTable.USER32(?), ref: 0040D292
DestroyMenu.USER32(?,000003EA,00000000,00000000,?,?,00000000,?,000007D9,00000000,00000000), ref: 0040D2A1
SetParent.USER32(?,?), ref: 0040D323
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?), ref: 0040D43B
IsWindow.USER32(?), ref: 0040D56C
SendMessageA.USER32(?,0000806F,00000000,00000000), ref: 0040D581
SendMessageA.USER32(?,00008004,00000000,00000000), ref: 0040D59E
DestroyAcceleratorTable.USER32(?), ref: 0040D5EC
IsWindow.USER32(?), ref: 0040D661
IsWindow.USER32(?), ref: 0040D6B1
IsWindow.USER32(?), ref: 0040D701
IsWindow.USER32(?), ref: 0040D73E
IsWindow.USER32(?), ref: 0040D7C1
GetParent.USER32(?), ref: 0040D7CF
GetFocus.USER32 ref: 0040D810

Part of subcall function 0040CBD0: IsWindow.USER32(?), ref: 0040CC4B
Part of subcall function 0040CBD0: GetFocus.USER32 ref: 0040CC55
Part of subcall function 0040CBD0: IsChild.USER32(?,00000000), ref: 0040CC67

IsWindow.USER32(?), ref: 0040D86F
SendMessageA.USER32(?,00008076,00000000,00000000), ref: 0040D884
IsWindow.USER32(00000000), ref: 0040D897
GetFocus.USER32 ref: 0040D8A1
SetFocus.USER32(00000000), ref: 0040D8AC

Strings

d, xrefs: 0040CCF3

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Destroy$AcceleratorFocusTable$MenuMessageSend$Parent$ActiveChildIconic
String ID: d
API String ID: 3681805233-2564639436
Opcode ID: 64605fc8a706d207b40e7dd27f36a94d0214d30dd7cb755858b5d5b7fdc38a4e
Instruction ID: 0836b578af340327014fcdf87757c3f88aad1474350067afe424bfd1ce89d7c8
Opcode Fuzzy Hash: 64605fc8a706d207b40e7dd27f36a94d0214d30dd7cb755858b5d5b7fdc38a4e
Instruction Fuzzy Hash: 5C728271A043019BD320DF65C881B6FB7E9AF84744F14492EF949A7381DB78EC45CBAA

Function 004152A0 Relevance: 50.0, APIs: 23, Strings: 5, Instructions: 986windowCOMMON

Download Yara Rule

APIs

IsWindowEnabled.USER32(?), ref: 004152D9
TranslateAcceleratorA.USER32(?,?,?,?), ref: 00415333
IsChild.USER32(?,?), ref: 00415364
GetFocus.USER32 ref: 004154BF
PostMessageA.USER32(?,000000A1,00000002,00000000), ref: 00415549
PostMessageA.USER32(?,000000A1,00000002,00000000), ref: 004155B8
IsChild.USER32(?,00000000), ref: 00415661
SendMessageA.USER32(?,00000010,00000000,00000000), ref: 00415632

Part of subcall function 0040AC40: IsChild.USER32(?,?), ref: 0040ACBD
Part of subcall function 0040AC40: GetParent.USER32(?), ref: 0040ACD7

IsWindow.USER32(?), ref: 00415F39

Strings

hlp, xrefs: 00415BDD
9, xrefs: 0041582E
Z, xrefs: 0041583C
0, xrefs: 00415829
A, xrefs: 00415833

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ChildMessage$PostWindow$AcceleratorEnabledFocusParentSendTranslate
String ID: 0$9$A$Z$hlp
API String ID: 3372979518-114186910
Opcode ID: 996f1bca7a72a54c08858c716ee04ed718da5bd23b3804ab07b55c0433efeb1b
Instruction ID: 5421057320e89469389b281ab8c0016d0e91f13dad389e7cb8866f440faeb05d
Opcode Fuzzy Hash: 996f1bca7a72a54c08858c716ee04ed718da5bd23b3804ab07b55c0433efeb1b
Instruction Fuzzy Hash: C072AC70604741DBEB24DE24C885BEBB3A5ABC4344F10492EF9559B3C1DB78EC85CB6A

Function 00438D20 Relevance: 32.8, Strings: 26, Instructions: 305COMMON

Download Yara Rule

Strings

psca, xrefs: 00438E48
rtrp, xrefs: 00438FA6
intent outside defined range, xrefs: 00438E0F
length does not match profile, xrefs: 00438D59
lcmn, xrefs: 00438F40
Gray color space not permitted on RGB PNG, xrefs: 00438F04
invalid ICC profile color space, xrefs: 00438EC0
baL, xrefs: 00438FF0
rtnm, xrefs: 00438F57
rncs, xrefs: 00438FAD
tag count too large, xrefs: 00439024
invalid signature, xrefs: 00438E4F
unexpected ICC PCS encoding, xrefs: 00438FFE
PCS illuminant is not D50, xrefs: 00438E74
YARG, xrefs: 00438EAE
unrecognized ICC profile class, xrefs: 00438FBB
BGR, xrefs: 00438EB5
tsba, xrefs: 00438F49
unexpected DeviceLink ICC profile class, xrefs: 00438F64
ZYX, xrefs: 00438FF7
unexpected NamedColor ICC profile class, xrefs: 00438F9A
invalid embedded Abstract ICC profile, xrefs: 00438F81
caps, xrefs: 00438FB4
knil, xrefs: 00438F50
RGB color space not permitted on grayscale PNG, xrefs: 00438EE0
invalid rendering intent, xrefs: 00438DED

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: BGR$ ZYX$ baL$Gray color space not permitted on RGB PNG$PCS illuminant is not D50$RGB color space not permitted on grayscale PNG$YARG$caps$intent outside defined range$invalid ICC profile color space$invalid embedded Abstract ICC profile$invalid rendering intent$invalid signature$knil$lcmn$length does not match profile$psca$rncs$rtnm$rtrp$tag count too large$tsba$unexpected DeviceLink ICC profile class$unexpected ICC PCS encoding$unexpected NamedColor ICC profile class$unrecognized ICC profile class
API String ID: 0-319498373
Opcode ID: 2905f23be0aadd555d4f083b706d27a3916bcdef7c2a7308b05a5d4935e99ad3
Instruction ID: 9a88f4a476e960faf7dfa4e0b6e07f1e5f560a30c6e23f3c5f732f339ef2fd10
Opcode Fuzzy Hash: 2905f23be0aadd555d4f083b706d27a3916bcdef7c2a7308b05a5d4935e99ad3
Instruction Fuzzy Hash: 3D9179E360425017DB08EE289C9297BBB96EFDD311F0D94AEF889CA343D819CA059675

Function 00416490 Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 93libraryloaderwindowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 0041649C
IsZoomed.USER32(?), ref: 004164AA
LoadLibraryA.KERNEL32(User32.dll,00000003,00000009), ref: 004164D4
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 004164E7
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 004164F5
FreeLibrary.KERNEL32(00000000), ref: 0041652B
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00416541
IsWindow.USER32(?), ref: 0041656E
ShowWindow.USER32(?,00000005,?,?,?,?,00000004), ref: 0041657B

Strings

User32.dll, xrefs: 004164C9
MonitorFromWindow, xrefs: 004164E1
GetMonitorInfoA, xrefs: 004164ED
H, xrefs: 00416518

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressLibraryProcWindow$FreeIconicInfoLoadParametersShowSystemZoomed
String ID: GetMonitorInfoA$H$MonitorFromWindow$User32.dll
API String ID: 447426925-661446951
Opcode ID: 65bf2e5695f09e9af5e3d073d2108bc16b99e0b25834ab566c17907b7851288b
Instruction ID: 0b9707ee54deeb08d829228e66a9ae5c2e70968e2f7cb8b71405f1fed5b1e50f
Opcode Fuzzy Hash: 65bf2e5695f09e9af5e3d073d2108bc16b99e0b25834ab566c17907b7851288b
Instruction Fuzzy Hash: 27318271700301AFD7209FA5DC89F6B77A9EF84B00F00842DF90997294EB78E94587A9

Function 0040F050 Relevance: 18.3, APIs: 12, Instructions: 273threadwindownetworkCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0040F075
IsWindow.USER32(000203E6), ref: 0040F091
SendMessageA.USER32(000203E6,000083E7,0040E981,00000000), ref: 0040F0AA
ExitProcess.KERNEL32 ref: 0040F0BF
FreeLibrary.KERNEL32(?), ref: 0040F1A3
FreeLibrary.KERNEL32 ref: 0040F1F7
DestroyCursor.USER32(00040191), ref: 0040F247
DestroyCursor.USER32(000301F1), ref: 0040F25E
IsWindow.USER32(000203E6), ref: 0040F275
DestroyCursor.USER32(?), ref: 0040F324
WSACleanup.WS2_32 ref: 0040F36F

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CursorDestroy$FreeLibraryWindow$CleanupCurrentExitMessageProcessSendThread
String ID:
API String ID: 2560087610-0
Opcode ID: ca13b2a7c1d3a0d348ee05149ac7612ad84d202d0e3b32a511ce5bd18a21bacc
Instruction ID: 5e558769e659314473020508c7860101e70df7a3db26742674a3cd77f2ade60f
Opcode Fuzzy Hash: ca13b2a7c1d3a0d348ee05149ac7612ad84d202d0e3b32a511ce5bd18a21bacc
Instruction Fuzzy Hash: F9B19C706007019BD720DF75C8C5BABB3E5BF48310F00493EE99AA7691DB34B948CB48

Function 0042B120 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 88clipboardmemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000042,?), ref: 0042B197
GlobalLock.KERNEL32(00000000), ref: 0042B1B3
GlobalUnlock.KERNEL32(00000000), ref: 0042B1D5
OpenClipboard.USER32(00000000), ref: 0042B1DD
GlobalFree.KERNEL32(00000000), ref: 0042B1E9
EmptyClipboard.USER32 ref: 0042B1F1
SetClipboardData.USER32(?,00000000), ref: 0042B203
CloseClipboard.USER32 ref: 0042B209

Strings

HU, xrefs: 0042B21B

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ClipboardGlobal$AllocCloseDataEmptyFreeLockOpenUnlock
String ID: HU
API String ID: 453615576-2765453656
Opcode ID: fe532c815fbc28874a0e784374c20f277ba26e783e52801a2f11df1169ce2f98
Instruction ID: f46e3924aadf28e85b854615875ebb5fbb7f88b6189a4649a2c9fdd705187343
Opcode Fuzzy Hash: fe532c815fbc28874a0e784374c20f277ba26e783e52801a2f11df1169ce2f98
Instruction Fuzzy Hash: 1F31C071304311AFD314EF65EC89A2FB7E8EB94750F444A2EB85A93291CB78D844CB65

Function 00412080 Relevance: 15.4, APIs: 10, Instructions: 430COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 422908671713649137bffeb4693c1dfad65172a6a1ae69ceefe0810de54e60ed
Instruction ID: 4c5383ac7adb399100470308d792a4c25d234b3f9c25702742f440132d2f285a
Opcode Fuzzy Hash: 422908671713649137bffeb4693c1dfad65172a6a1ae69ceefe0810de54e60ed
Instruction Fuzzy Hash: 40C1F1767006045FD310EF79EC81AABB3A1FB84314F10492FE546C7382D77AE9A58799

Function 0040E2D0 Relevance: 15.3, APIs: 10, Instructions: 287libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,0057B5B8), ref: 0040E337
LoadLibraryA.KERNEL32(?,?,0058B908), ref: 0040E429
LoadLibraryA.KERNEL32(?,?), ref: 0040E46F
LoadLibraryA.KERNEL32(?,?,0058B810,00000001), ref: 0040E4B7
LoadLibraryA.KERNEL32(00000001), ref: 0040E4CD
GetProcAddress.KERNEL32(00000000,?), ref: 0040E4DF
FreeLibrary.KERNEL32(00000000), ref: 0040E572

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Library$Load$AddressProc$Free
String ID:
API String ID: 3120990465-0
Opcode ID: d0500ad11c5d4daf68dffdd1b7eeca758a8050915531c4abcd592bcdaef84893
Instruction ID: 7121fead7ee39e03deaaa6fbf8943f81423b92cb251e76bce8e442c48423003f
Opcode Fuzzy Hash: d0500ad11c5d4daf68dffdd1b7eeca758a8050915531c4abcd592bcdaef84893
Instruction Fuzzy Hash: 4BA1D471A00701ABD314DF66D881B6BF7A4BF94314F044E2EF85997381EB38E915CB9A

Function 0046E7ED Relevance: 13.6, APIs: 9, Instructions: 113COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0046E7F2
FindResourceA.KERNEL32(?,00000000,00000005), ref: 0046E82A
LoadResource.KERNEL32(?,00000000,?,?,?,00000000), ref: 0046E832

Part of subcall function 0046F62C: UnhookWindowsHookEx.USER32(?), ref: 0046F651

LockResource.KERNEL32(?,?,00000000,?,?,?,00000000), ref: 0046E83F
IsWindowEnabled.USER32(?), ref: 0046E872
EnableWindow.USER32(?,00000000), ref: 0046E880
EnableWindow.USER32(?,00000001), ref: 0046E90E
GetActiveWindow.USER32 ref: 0046E919
SetActiveWindow.USER32(?,?,?,00000000,?,?,?,00000000), ref: 0046E927

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Resource$ActiveEnable$EnabledFindH_prologHookLoadLockUnhookWindows
String ID:
API String ID: 401145483-0
Opcode ID: 16d23f9a4649a71a037411dbf039850ca4c9ea84f2d58370b0089a8ec85b4ed8
Instruction ID: 013a374b91c96899ce6df876ebc1b074e20f9a81669987dba13d24777a364225
Opcode Fuzzy Hash: 16d23f9a4649a71a037411dbf039850ca4c9ea84f2d58370b0089a8ec85b4ed8
Instruction Fuzzy Hash: 1F41C2749006049FCB21AF6AC849ABFB7F5EF44715F10052FE402A32A1EB795D41CBAA

Function 00410540 Relevance: 12.9, APIs: 8, Instructions: 865COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: wsprintf
String ID:
API String ID: 2111968516-0
Opcode ID: 5793a01402834b3b8fca201d16430cd6ac6333f552c8325aef0a6d46a03ded3c
Instruction ID: ebe93629c0d5e0ddca514dd48411264592f8b7776cb31c108b97b9e192f6c5a3
Opcode Fuzzy Hash: 5793a01402834b3b8fca201d16430cd6ac6333f552c8325aef0a6d46a03ded3c
Instruction Fuzzy Hash: BA621A716043019FD724DF25C880BABB7E5AFC8318F14492EF94A97391DB78EC85875A

Function 00405B20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114filewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0046D4AE: InterlockedIncrement.KERNEL32(-000000F4), ref: 0046D4C3

FindFirstFileA.KERNEL32(?,?,*.*), ref: 00405BBA

Part of subcall function 0046B3C0: __EH_prolog.LIBCMT ref: 0046B3C5

Part of subcall function 0046D739: InterlockedDecrement.KERNEL32(-000000F4), ref: 0046D74D

SendMessageA.USER32 ref: 00405C60
FindNextFileA.KERNEL32(?,00000010), ref: 00405C6C
FindClose.KERNEL32(?), ref: 00405C7F
SendMessageA.USER32(?,00001102,00000002,?), ref: 00405C91

Strings

*.*, xrefs: 00405BA2

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Find$FileInterlockedMessageSend$CloseDecrementFirstH_prologIncrementNext
String ID: *.*
API String ID: 2486832813-438819550
Opcode ID: b14d4ca623971263c4d3f8ecaccfd9f4e5aea8176f68167e47dafb50fb028554
Instruction ID: e7dd8f39c47b3809a1ef7a32e21a6b0ef6c76d45867f01ad915559d6ea729d9b
Opcode Fuzzy Hash: b14d4ca623971263c4d3f8ecaccfd9f4e5aea8176f68167e47dafb50fb028554
Instruction Fuzzy Hash: 6441B071608341ABD314DF65C885B9BB7E8FB84714F00892EF595972D0EB78E908CB16

Function 0042B280 Relevance: 10.6, APIs: 7, Instructions: 89clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 0042B2AD
GetClipboardData.USER32(?), ref: 0042B2C6
CloseClipboard.USER32 ref: 0042B2D2
GlobalSize.KERNEL32(00000000), ref: 0042B308
GlobalLock.KERNEL32(00000000), ref: 0042B310
GlobalUnlock.KERNEL32(00000000), ref: 0042B328
CloseClipboard.USER32 ref: 0042B32E

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Clipboard$Global$Close$DataLockOpenSizeUnlock
String ID:
API String ID: 2237123812-0
Opcode ID: d188b2e2400d24cc11756e8a84f6d658775fa12af0bc103aecd983e3745636cc
Instruction ID: b612d92194b5b1cede6ab452e6436d180c31aa6801e67f7b9728ac3e901ba333
Opcode Fuzzy Hash: d188b2e2400d24cc11756e8a84f6d658775fa12af0bc103aecd983e3745636cc
Instruction Fuzzy Hash: 05219E713002119BDA10EB65E888E7FB7A9EF88354F44452EF909D3250EB29A84487AA

Function 0043D650 Relevance: 8.0, Strings: 6, Instructions: 536COMMON

Download Yara Rule

Strings

unexpected 8-bit transformation, xrefs: 0043D6C9
unexpected bit depth, xrefs: 0043D723
lost rgb to gray, xrefs: 0043D680
unknown interlace type, xrefs: 0043D6E7
unexpected compose, xrefs: 0043D694
lost/gained channels, xrefs: 0043D6B0

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: lost rgb to gray$lost/gained channels$unexpected 8-bit transformation$unexpected bit depth$unexpected compose$unknown interlace type
API String ID: 0-3614292578
Opcode ID: 1d9438d30d6a9070d287c170565bc8bc7bfdd50797c5903f3efa16800c56510f
Instruction ID: caeaf0dece7752c2c94c0b455d794318c947c58388676041392fa09aaf3652c4
Opcode Fuzzy Hash: 1d9438d30d6a9070d287c170565bc8bc7bfdd50797c5903f3efa16800c56510f
Instruction Fuzzy Hash: C712C371A083418BC718DF28E89066AB7E2BFCC314F14553EF99987381D779E946CB86

Function 00422152 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 101COMMON

Download Yara Rule

Strings

, xrefs: 00422195
PU, xrefs: 0042225A

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $PU
API String ID: 0-4237030340
Opcode ID: 79425c5a52d112ac25e09ca22803fc99a67dec934f478ce4ff94a986f535d1ec
Instruction ID: 2eb18a7385b7fb54e0bf47501ff5ec44c138ea05f72d08ffc0d839ebd8f3522a
Opcode Fuzzy Hash: 79425c5a52d112ac25e09ca22803fc99a67dec934f478ce4ff94a986f535d1ec
Instruction Fuzzy Hash: 20316D71208341ABD314DF14C950F6BB7B8FB95724F404A2EF996932A0D778E905CB5A

Function 0040EA40 Relevance: 6.1, APIs: 4, Instructions: 94fileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(?,?), ref: 0040EA92
FindClose.KERNEL32 ref: 0040EAA1
FindFirstFileA.KERNEL32(?,?), ref: 0040EAAD
FindClose.KERNEL32(00000000), ref: 0040EB0B

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: e5e47e465eed267dc788e03e70ab213971a7da261aac1eda3ad7b698aaf13593
Instruction ID: 1e06717c2bee65f5099596b94771d8c5d86a4014e6385821ec345abf0581f497
Opcode Fuzzy Hash: e5e47e465eed267dc788e03e70ab213971a7da261aac1eda3ad7b698aaf13593
Instruction Fuzzy Hash: 5121EA32B047159BD231CA66C8446777394BBC8724F150E3AED26B73D0E73DEC554A49

Function 00470D18 Relevance: 6.0, APIs: 4, Instructions: 38keyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0047197F: GetWindowLongA.USER32(?,000000F0), ref: 0047198B

GetKeyState.USER32(00000010), ref: 00470D3C
GetKeyState.USER32(00000011), ref: 00470D45
GetKeyState.USER32(00000012), ref: 00470D4E
SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 00470D64

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: 5d815fb7e60dc004ecf2f94e2a58f8514dc063aed8a6aade97a577798663579c
Instruction ID: f24d3d08a7f1c9aef2b6106c6bed74b6086b969b6db1b50068dea5eb1a693e1f
Opcode Fuzzy Hash: 5d815fb7e60dc004ecf2f94e2a58f8514dc063aed8a6aade97a577798663579c
Instruction Fuzzy Hash: F6F05C72341B4666E63032E51C42FE611150F40FD4F04803FFB08FE1E689D9AC42027C

Function 00419310 Relevance: 5.9, APIs: 1, Strings: 2, Instructions: 638COMMON

Download Yara Rule

Strings

`U, xrefs: 00419A2D
`U, xrefs: 00419AC4

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: `U$`U
API String ID: 0-1493358242
Opcode ID: 4bdd5d1c4d3e8502a4d530c5926a4b90d4696e3d822f56221963d0c0d57cb593
Instruction ID: f2171e8026fd594d933548e15f833312d6bba556433dc4db49ed365ef9ef6031
Opcode Fuzzy Hash: 4bdd5d1c4d3e8502a4d530c5926a4b90d4696e3d822f56221963d0c0d57cb593
Instruction Fuzzy Hash: 0C32B371E04205DFDB14DFA8C891BEEB7B1BF48314F24426AE816A7381D738AD85CB95

Function 00445C70 Relevance: 5.5, Strings: 4, Instructions: 485COMMON

Download Yara Rule

Strings

internal row size calculation error, xrefs: 00445CEB
internal row width error, xrefs: 00445CFD
invalid user transform pixel depth, xrefs: 00445EE9
internal row logic error, xrefs: 00445CB5

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: internal row logic error$internal row size calculation error$internal row width error$invalid user transform pixel depth
API String ID: 0-64619857
Opcode ID: 66909ddf0376cc52cedc0f6f9a533e9826badae28b9a04538de844c4245ac86c
Instruction ID: f0b2726e9a7904f915a0292ac514df5d5359bd370223f0a85b9cf140dc641753
Opcode Fuzzy Hash: 66909ddf0376cc52cedc0f6f9a533e9826badae28b9a04538de844c4245ac86c
Instruction Fuzzy Hash: 9EF169326087554FEB24DF28D9902BFBBD1AFD6300F59496FD88587303E62A9C49C786

Function 00422070 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,4004667F,?), ref: 004220A2
recvfrom.WS2_32(00000000,00000000,?,00000000,00000000,00000000), ref: 004220F0

Strings

PU, xrefs: 00422128

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ioctlsocketrecvfrom
String ID: PU
API String ID: 217199969-4098204955
Opcode ID: d1597209cb3d7a3ad58ff81cd96a8137e2518fb2b45a71f2d18bb0a798b2237c
Instruction ID: 7ff09d67e73da0b36f3010ff28d1abf9359d7605aeacb49402799e070c63e542
Opcode Fuzzy Hash: d1597209cb3d7a3ad58ff81cd96a8137e2518fb2b45a71f2d18bb0a798b2237c
Instruction Fuzzy Hash: 1D216F70204201ABD314DF24C985F6BB7E4AB98B54F108B2EF19A932E0D778AC41CB5A

Function 0043B493 Relevance: 5.2, Strings: 4, Instructions: 248COMMON

Download Yara Rule

Strings

color map overflow (BAD internal error), xrefs: 0043BF69
ga-alpha color-map: too few entries, xrefs: 0043B4B7
bad background index (internal error), xrefs: 0043C00F
bad data option (internal error), xrefs: 0043BF18

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: bad background index (internal error)$bad data option (internal error)$color map overflow (BAD internal error)$ga-alpha color-map: too few entries
API String ID: 0-3354706714
Opcode ID: 4de78bcbbb49b2fd1b14bc63157f81b04bf09797f372c10624bba063325780e7
Instruction ID: 1d1c8ef8a39757117d917f944e4bcfd87d56d9abb481dc6e58a97bdadef07cc4
Opcode Fuzzy Hash: 4de78bcbbb49b2fd1b14bc63157f81b04bf09797f372c10624bba063325780e7
Instruction Fuzzy Hash: 1791E2B2A083418BD308CF18D89166BBBE5EFD9314F08592EF489D7391D778D845CB9A

Function 00429980 Relevance: 4.8, APIs: 3, Instructions: 308keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 004299A0
GetKeyState.USER32(00000011), ref: 004299B0
CopyRect.USER32(00000000,00000000), ref: 00429A85

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: State$CopyRect
String ID:
API String ID: 4142901696-0
Opcode ID: f81ab1629c013798a2cb8a84246d1f39986c61ae71b344c0a3f2c95ea948de3a
Instruction ID: e06ee1fde42f04c5cda31cc13d71592c98fd0d91e77ca9ba2709a25ef06ee273
Opcode Fuzzy Hash: f81ab1629c013798a2cb8a84246d1f39986c61ae71b344c0a3f2c95ea948de3a
Instruction Fuzzy Hash: E0A1BE703043219BD628CA15E885F7FB3E9FBC4B04F90491FF54697380DAA9EC45876A

Function 0046060A Relevance: 4.6, APIs: 3, Instructions: 75timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00460617
GetSystemTime.KERNEL32(?), ref: 00460621
GetTimeZoneInformation.KERNEL32(?), ref: 00460676

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Time$InformationLocalSystemZone
String ID:
API String ID: 2475273158-0
Opcode ID: d0cae27ffc99c861d97230ae413b37b0c19349c29e588f68ec69656daedb1b8e
Instruction ID: 5ba478a0c63a64db872d1c79b7483c8b2fd996efa40791fcd4c9aac167c2f501
Opcode Fuzzy Hash: d0cae27ffc99c861d97230ae413b37b0c19349c29e588f68ec69656daedb1b8e
Instruction Fuzzy Hash: F821A169900106E9CF20AFA8D8049FF73B9AB58B10F400643F811E6190F37C8DD6DB6A

Function 00416FC0 Relevance: 4.5, APIs: 3, Instructions: 49keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 00416FF1
GetKeyState.USER32(00000010), ref: 00417006
GetKeyState.USER32(00000012), ref: 0041701B

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: d501dd4e57e2986dd7d6d9d47a36566bcf85bcb5c911eaf55401bfc17ec0307b
Instruction ID: 518eaa8e5ed85aa329c01bba16f22c61e24ad3abbeac52cea235accfb3332521
Opcode Fuzzy Hash: d501dd4e57e2986dd7d6d9d47a36566bcf85bcb5c911eaf55401bfc17ec0307b
Instruction Fuzzy Hash: 4701A23FD4836515EB241668A518BF24E610748B54FA70077D60D372C1C58C8CC7639A

Function 0045CF60 Relevance: 4.5, APIs: 3, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcaa5f99a1650931726ad1a8c812f96173399fcb42ebe323525c99e2ebe2ae49
Instruction ID: 74b2f45596ea5345719cdca509f30a5b7817bc794d8aa4a8c044c3ef4fffe0eb
Opcode Fuzzy Hash: bcaa5f99a1650931726ad1a8c812f96173399fcb42ebe323525c99e2ebe2ae49
Instruction Fuzzy Hash: A1F03633604209EFCF015F61CD8896E7B7AAB00345B048027FC06D50A2DB39DA599B59

Function 0047283F Relevance: 4.5, APIs: 3, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 00472866
GetKeyState.USER32(00000011), ref: 0047286F
GetKeyState.USER32(00000012), ref: 00472878

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: 335cff438ffa1a85095b999eaabb64d98a3c1274b8003c9757bf1115e83d4d47
Instruction ID: f59a1cc475caa26c390fb952869e3f0d22c41246400016680f72e567691a7645
Opcode Fuzzy Hash: 335cff438ffa1a85095b999eaabb64d98a3c1274b8003c9757bf1115e83d4d47
Instruction Fuzzy Hash: B6E093365212579FDF0CB2448F00FD566505F007D4F0AC667E64C6B091C6E59442976F

Function 004391E0 Relevance: 4.0, Strings: 3, Instructions: 200COMMON

Download Yara Rule

Strings

known incorrect sRGB profile, xrefs: 004393BE
copyright violation: edited ICC profile ignored, xrefs: 00439377
out-of-date sRGB profile with no signature, xrefs: 004393D6

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: copyright violation: edited ICC profile ignored$known incorrect sRGB profile$out-of-date sRGB profile with no signature
API String ID: 0-1307623137
Opcode ID: b334e3c8c149b8576784a0e43f83ddd8b97c6e8509bee8e4be0c20c015023751
Instruction ID: 76634344a15775b2e3387cb6662c3a388eb86769f645248d1d5025baa3d4f326
Opcode Fuzzy Hash: b334e3c8c149b8576784a0e43f83ddd8b97c6e8509bee8e4be0c20c015023751
Instruction Fuzzy Hash: C25139B27083910BDB28CE394C5136BBBD26FDD344F09986DE8DAC7741E564E8058764

Function 0046FFB9 Relevance: 3.4, APIs: 2, Instructions: 422COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0046FFBE
GetVersion.KERNEL32(00000007,?,?,00000000,00000000,?,0000C000,00000000,00000000,00000007), ref: 00470171

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: H_prologVersion
String ID:
API String ID: 1836448879-0
Opcode ID: 774f5a58b2f921c8e453989544032ad5d004d782389477b8777ea223199f1dda
Instruction ID: 1892f71f3dc80b0c7c15f0df4ea2fe2625e03778b4a8a27b9a5f684215294307
Opcode Fuzzy Hash: 774f5a58b2f921c8e453989544032ad5d004d782389477b8777ea223199f1dda
Instruction Fuzzy Hash: 19E18B70601209EBDB14DF55DC80AFE77A9EF04314F10C41AF81DAA292D739DE12EB6A

Function 00447460 Relevance: 3.3, Strings: 2, Instructions: 788COMMON

Download Yara Rule

Strings

invalid background gamma type, xrefs: 00447C6C
libpng does not support gamma+background+rgb_to_gray, xrefs: 004478EC

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: invalid background gamma type$libpng does not support gamma+background+rgb_to_gray
API String ID: 0-3995106164
Opcode ID: fb2c7f0bff4b91996fb1bbe2687ff80e30943513033f156455d64c11de3e98e6
Instruction ID: fa9330a0b4e58579a43fd5ab3f04020e47fbee88594955d20b751ba40485611d
Opcode Fuzzy Hash: fb2c7f0bff4b91996fb1bbe2687ff80e30943513033f156455d64c11de3e98e6
Instruction Fuzzy Hash: 0C624C7550CB824AE3319B34C8417F7FBE5AF5A304F08496ED5EA8B342E739A806C759

Function 00412750 Relevance: 3.2, APIs: 2, Instructions: 209windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00412880

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Iconic
String ID:
API String ID: 110040809-0
Opcode ID: 225bf0c01d802e79f40d68e16c5ebca8d49b93c936e5d0f20b2fcb796b887937
Instruction ID: 4e1d5e89b99061498ec71931fd2fdb13d2ae41fe088d4524ca1c437a1b223e64
Opcode Fuzzy Hash: 225bf0c01d802e79f40d68e16c5ebca8d49b93c936e5d0f20b2fcb796b887937
Instruction Fuzzy Hash: 1081AB76214711CBD350CF2CD480B8AB7E5FB99300F10886EE59ACB350D3B6E896CB65

Function 00416E10 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(?,?), ref: 00416E20
FindClose.KERNEL32(00000000), ref: 00416E2C

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: c5b76f0b9a25351297d35e88b5f49eb7ec3fdf5f656eec184a4ce2c2664a7b87
Instruction ID: 69531bcb379b3f8b7b4eb8a031b03106eb548d01da2ccbc7ec3c0d85be67d22b
Opcode Fuzzy Hash: c5b76f0b9a25351297d35e88b5f49eb7ec3fdf5f656eec184a4ce2c2664a7b87
Instruction Fuzzy Hash: 76D0A7748001009BD3119BB8DD4C6BB335CA744310FC40B79B93CC12F0F63EC8988615

Function 0043C240 Relevance: 2.9, Strings: 2, Instructions: 445COMMON

Download Yara Rule

Strings

color-map index out of range, xrefs: 0043C28F
bad encoding (internal error), xrefs: 0043C3ED

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: bad encoding (internal error)$color-map index out of range
API String ID: 0-7351992
Opcode ID: a2a6fdd194ecc00184ed60b6b7ce2e915c8ac91163766d6818549d77b7dec4f2
Instruction ID: 6e2c297eee93e4d41121920e841bda9ade2a11cc81076d1adce7b8a515e603cd
Opcode Fuzzy Hash: a2a6fdd194ecc00184ed60b6b7ce2e915c8ac91163766d6818549d77b7dec4f2
Instruction Fuzzy Hash: A5F1F272A083128BC718DF28D89166AB7D1FFDC304F05567EE889E7390E639E905CB95

Function 00446C70 Relevance: 2.8, Strings: 2, Instructions: 266COMMON

Download Yara Rule

Strings

Row has too many bytes to allocate in memory, xrefs: 00446F3C
VUUU, xrefs: 00446D88

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Row has too many bytes to allocate in memory$VUUU
API String ID: 0-4092465491
Opcode ID: 3fca5b2ab8d2e0febc3f3465d98f9c20f0c6e9ccfaa904bba3ceff41621dd51f
Instruction ID: f5748644f6fdf557c0662e56d194a93075cfa2eb8da5291248e92132a90ef7dc
Opcode Fuzzy Hash: 3fca5b2ab8d2e0febc3f3465d98f9c20f0c6e9ccfaa904bba3ceff41621dd51f
Instruction Fuzzy Hash: D89129B6B04E404BF7298A38DC553F777D2AB9A304F19492ED5A7C7391D63CA844C31A

Function 004202E0 Relevance: 2.8, Strings: 2, Instructions: 257COMMON

Download Yara Rule

Strings

d, xrefs: 00420524
MTrk, xrefs: 0042045C

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: MTrk$d
API String ID: 0-4044675371
Opcode ID: 2e31b6c5f287fc93a8f52cdcf65df8c2fd312951c64435f0a47bd99e07f9b9c7
Instruction ID: cbac051c374512d8597428c271696fae5a8de7fc5d56eeb9ce90eafc359af5ad
Opcode Fuzzy Hash: 2e31b6c5f287fc93a8f52cdcf65df8c2fd312951c64435f0a47bd99e07f9b9c7
Instruction Fuzzy Hash: 2B91D471B003159FD718CF29D88056AB7E2EFD8304B54853EE84ACB752EA38ED45CB59

Function 00439050 Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

ICC profile tag start not a multiple of 4, xrefs: 00439119
ICC profile tag outside profile, xrefs: 00439168

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ICC profile tag outside profile$ICC profile tag start not a multiple of 4
API String ID: 0-2051163487
Opcode ID: 52c65ec38e124f4aa170af1a29b4911807f2d46f0c2f6b68d2527b8f85c02253
Instruction ID: 004bd33b32aae08a39b1855e543759c60c41469b5e30f263d85f68f44ac3f215
Opcode Fuzzy Hash: 52c65ec38e124f4aa170af1a29b4911807f2d46f0c2f6b68d2527b8f85c02253
Instruction Fuzzy Hash: 803125B370879107EB2CCA2D5C606A7BBD3ABC9204F0DD52DE4DEC3301E8609909C758

Function 00433840 Relevance: 2.5, APIs: 1, Instructions: 1006COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41526ecb0da4343402d923182363847d89e3fd3012dacb3614f2ebe1cb4428e8
Instruction ID: 7a10c972895338cf8c0b69a86e14b7de0ef7fc3ed09ff9d658c7cf5b96366901
Opcode Fuzzy Hash: 41526ecb0da4343402d923182363847d89e3fd3012dacb3614f2ebe1cb4428e8
Instruction Fuzzy Hash: 50926571604B418FD328CF29C0906A7FBE2EF99304F24992ED5DB87B61D639B849CB45

Function 0046902D Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00068FE7), ref: 00469032

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: bb1db4e9749572a7fefb261cc49864dd24c7afed6e9c917a711ddb4853473711
Instruction ID: cb0cd4b0d5fe7add25350a2c641bab58f68cc76558d66b36931f86ed887ce73d
Opcode Fuzzy Hash: bb1db4e9749572a7fefb261cc49864dd24c7afed6e9c917a711ddb4853473711
Instruction Fuzzy Hash: EAA002B4583300DF9B146FA1BD8DD043BB2E755712752117FA805C1666EF740885AF5A

Function 0046903F Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00469044

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: d53cabb9ef25933fe04968d32fa2a15f9e0b22e749111497f64906c2ee3a4e28
Instruction ID: 61f340a3c351f212869e6b449b94465ad55e28e2f33cedcb9edb617a8527a6d3
Opcode Fuzzy Hash: d53cabb9ef25933fe04968d32fa2a15f9e0b22e749111497f64906c2ee3a4e28
Instruction Fuzzy Hash:

Function 004357A0 Relevance: .9, Instructions: 903COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7588268db9ad160e2392b48f534035be178d540a008719f74208fe9ed0531eb1
Instruction ID: 56a808b02a8b59a8f203e2b98f2a1c04bca73a0c85eaa1889603d5d5d5e7701a
Opcode Fuzzy Hash: 7588268db9ad160e2392b48f534035be178d540a008719f74208fe9ed0531eb1
Instruction Fuzzy Hash: 0252B9767447095BD308CE9ACC9159EF3E3ABC8304F498A3CE955C3346EEB8ED0A8655

Function 0045023E Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bd038b82f57a21acf285aa36a47d7d502f5c7db8a43ea3c156bf5e243b3c147
Instruction ID: 0a334cbdc3b8b628b0601ee8a7d6fb4e9e2a33be2a2d9c85187333a5cf01eb85
Opcode Fuzzy Hash: 2bd038b82f57a21acf285aa36a47d7d502f5c7db8a43ea3c156bf5e243b3c147
Instruction Fuzzy Hash: 811262B56047018FCB18CF18D99062BB7E6EFC9301F14896EE8858B346E775DC49CB96

Function 0045048E Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09e930f2efec7a35f184c77fe988135943b4df1e15384c65261797de9189a12f
Instruction ID: 059c272aa622ba3bf5c20b36e70f4def3b724ae6bfcd1c8d463696bad67c4ad1
Opcode Fuzzy Hash: 09e930f2efec7a35f184c77fe988135943b4df1e15384c65261797de9189a12f
Instruction Fuzzy Hash: F21262B56047018FCB18CF18D99062BB7E6EFC9301F14896EE8858B346E775DC49CB96

Function 004580E0 Relevance: .5, Instructions: 503COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a84ebf25ed854a94c92b28d32f7ce583251af80d61df949c62e919b6ad4957a
Instruction ID: a0aa8925a50b2de0ce816461152da8a7b9626f225c86add95bae8575c8cdfa39
Opcode Fuzzy Hash: 6a84ebf25ed854a94c92b28d32f7ce583251af80d61df949c62e919b6ad4957a
Instruction Fuzzy Hash: D1125F746087018FC708CF29D590A2ABBE1FF88305F14896EE88AD7752DB34E909CF59

Function 0046A249 Relevance: .4, Instructions: 417COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18b6bd75438c44fda35a754995330388714fa08e23841bac530a72d47cb8b749
Instruction ID: f16bb6f81a829255993842f88fd849965e5a61f810869eed8fb88dfd262e0314
Opcode Fuzzy Hash: 18b6bd75438c44fda35a754995330388714fa08e23841bac530a72d47cb8b749
Instruction Fuzzy Hash: 65E1D030D44A09DEEB25CA64C8153BE7BB1BB14304F68005BD842B6392F77D89A6DF1B

Function 0044A640 Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7c4b275c09e270baff7e234a35935b217308967dc10a053295fd26784226129
Instruction ID: c73b9ef6ece5839b87ab0772a03b124422d492cc29988daeefb1c17e1ff48cff
Opcode Fuzzy Hash: c7c4b275c09e270baff7e234a35935b217308967dc10a053295fd26784226129
Instruction Fuzzy Hash: 73C1342528E6814FE7198A6CA4E92BBFFD1DB5A311B0D85FEC9C5CB323C515840AC355

Function 0044AD40 Relevance: .4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd7d6e5bdf9180fc249a7cdffd82ac3d4432134ef2b1545fd9ebd85a9bab015f
Instruction ID: 724bad7f1318466cf828b3cad48990475e64c3c29515312b20371047e6a7f683
Opcode Fuzzy Hash: bd7d6e5bdf9180fc249a7cdffd82ac3d4432134ef2b1545fd9ebd85a9bab015f
Instruction Fuzzy Hash: 18D1C76154D6D24BE726CE2884A03A7FFD1EFA6304F188ADED4D44F342D36A984DC396

Function 00459DD0 Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4bfdb248b3fb90f8076a3fe4a1e75f7bd1b50aa5aafde52d762773f77742459
Instruction ID: de5c028fc032d35f532157045c7b728452fd3db76608f67440317baf7b3bcb24
Opcode Fuzzy Hash: d4bfdb248b3fb90f8076a3fe4a1e75f7bd1b50aa5aafde52d762773f77742459
Instruction Fuzzy Hash: 9BF19C725092408FC309CF18D5989E27BE2FFA8714B1F42FAD8499B363D7369845CB96

Function 004425B0 Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f55149194c2bd466ce155edf3b28c0b58f28096fa158bf0dae170ab87580cba
Instruction ID: 123b4fc71a9e9158769df35b65fe3e02809a0779b75fd50bff0e3c81d44d61bc
Opcode Fuzzy Hash: 8f55149194c2bd466ce155edf3b28c0b58f28096fa158bf0dae170ab87580cba
Instruction Fuzzy Hash: 65E114B5600A018FD334CF1AD590A22FBE2FF89310B65C96EE49ACB761D735E846CB50

Function 00449120 Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcdb0e9a48f9cc5b8454a5ea312c92bd26660b050e477f45892fe8a81102f325
Instruction ID: a6e9583d8d89b371362cc591c61e82d3465e36ace469a14eba51b2ab2df794fa
Opcode Fuzzy Hash: dcdb0e9a48f9cc5b8454a5ea312c92bd26660b050e477f45892fe8a81102f325
Instruction Fuzzy Hash: C4D1B23560C7828FD725CF29C4902A7FBE1EF9A300F0889ADE5D98B356D234D806DB95

Function 00449639 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c1c034930a86735f07ad7a4e6a3997f317f74a666e86a65b209da8ae0424b37
Instruction ID: dcebc2c1b58203d9b78d9dcfd7d693988cc063e5137503ab07e6d90b8bdf52d7
Opcode Fuzzy Hash: 1c1c034930a86735f07ad7a4e6a3997f317f74a666e86a65b209da8ae0424b37
Instruction Fuzzy Hash: 5EB17A2638A2828BFB156A3C90613F77BA1EB96320F5C147ED5DAC7342D11E8D09E315

Function 004461B0 Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e83bb471395f92948eefac0f3e2ecc05917627e8656d920977f72cb37b43e7bb
Instruction ID: 5bc60037148ddc1baaa23cfb381cf78fed8148916a63af783f61756a9054113b
Opcode Fuzzy Hash: e83bb471395f92948eefac0f3e2ecc05917627e8656d920977f72cb37b43e7bb
Instruction Fuzzy Hash: BBD1BD72A097429FD704CF18C49026EFBE1FBDA314F554A2EE89587354D338E90ACB86

Function 00451430 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 817d6ab377c15fc95253f80c94213e317f42b0e00ddae6d6bb8d560163885352
Instruction ID: 9a88a4e7130a059ddc724ccd066f29bd8a72ab66979b66c231bb4e58973a4eb1
Opcode Fuzzy Hash: 817d6ab377c15fc95253f80c94213e317f42b0e00ddae6d6bb8d560163885352
Instruction Fuzzy Hash: 56D10679210B418FD324CF29C980AA7B7E5FF89309B18892ED8D787B52DA35F845CB44

Function 00417680 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6a7f8036a7eac5941fd39973aa455ee4334823e53ee61648a1c19aa165ac7e1
Instruction ID: f4a47a03bf3a13ec41ebc13238438421b67e87390db880e541b54e2294c614b0
Opcode Fuzzy Hash: d6a7f8036a7eac5941fd39973aa455ee4334823e53ee61648a1c19aa165ac7e1
Instruction Fuzzy Hash: 54C1DD3160C6814FD725DE19C0687EBBBF2AF81744F68885FE19147392D23CAD89CB4A

Function 0045BF20 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 678e6a3f9b739d39df4957aa3013df88dfddcc06cbb0c33a05e9441e0a0d35ae
Instruction ID: b98291c9a150c4b09466b1cbd1cc145f47bd87eb1562562f0b52c328a0b07804
Opcode Fuzzy Hash: 678e6a3f9b739d39df4957aa3013df88dfddcc06cbb0c33a05e9441e0a0d35ae
Instruction Fuzzy Hash: 01C1B4756087518FC718CF2CD59012AFBE2FBD8310F194A6EE8DA93752C774A819CB89

Function 0044A20E Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 209fc5673e656db3213c2d2fbf9a8a4af23a33bfddf6ddf1f62eb543b428bd05
Instruction ID: 33af66a4166228d4b40d5d06d14eec60d00d7e0b2705da0fb40bb77fa44fdfdc
Opcode Fuzzy Hash: 209fc5673e656db3213c2d2fbf9a8a4af23a33bfddf6ddf1f62eb543b428bd05
Instruction Fuzzy Hash: DAC1D03520C7824BD72DDB3894A55FBBFE2AFAA300B1DD5BDC48A8B393D9255409C741

Function 0045A350 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21ccba7b35eed1294a6e17dcc3612a0a091caf694af0f36f6aa8b0f875eb304b
Instruction ID: a715775b3d0f58585ec0af5cf48049b5237f7e1a13626620fd3a6595cd840bb5
Opcode Fuzzy Hash: 21ccba7b35eed1294a6e17dcc3612a0a091caf694af0f36f6aa8b0f875eb304b
Instruction Fuzzy Hash: FBD19B756082518FC319CF18E9D88E27BE1BFA8740F0E42F9C98A8B323D7769845CB55

Function 00450F90 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 867f0a3b179d3f6361d2116f73cdc0e21fe887cf958a9fdf1c4f00b705647d74
Instruction ID: b8eb5a0017eedcb8c5aa04e40cfefeebf9fb15e50dc057ecf2a0ef79d825a0bd
Opcode Fuzzy Hash: 867f0a3b179d3f6361d2116f73cdc0e21fe887cf958a9fdf1c4f00b705647d74
Instruction Fuzzy Hash: 80B13A35214B418FC324CF29C990AA7B3E6BF89704B18896EE8CBC7B52D675F845CB44

Function 00466326 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction ID: 78aba647b24857950d79295699158fbb78c0e16a933d5f42c97393e18381b2f2
Opcode Fuzzy Hash: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction Fuzzy Hash: E6B19A75A0020ADFDB15CF04D5D0AA9BBA1FF58318F25C1AED81A4B386D735EE42CB94

Function 00456950 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cab88bb81d6f1a3f294bb195b69a7ed404116198194961875d31482ad394f9ff
Instruction ID: 437477c38ee08af3b2c94fe9e00ae3b64f7914841f588ca2fd4c3571dd3bae4e
Opcode Fuzzy Hash: cab88bb81d6f1a3f294bb195b69a7ed404116198194961875d31482ad394f9ff
Instruction Fuzzy Hash: 48A1F675A087418FC314CF29C49086AFBF2BFC8714F198A6DE99997325E770E945CB82

Function 0044AB10 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4664e54bd8655df0b62760be2564d86677a0bae60cff444b8354291ceb51d8c8
Instruction ID: 4b7e5bd001fcb224a0566fa0a319db3f4c44910e8ac0a5a253267aee508f7038
Opcode Fuzzy Hash: 4664e54bd8655df0b62760be2564d86677a0bae60cff444b8354291ceb51d8c8
Instruction Fuzzy Hash: 2771D83594C6828BE711CF28C484266FFD2EBA6304F0CC69EC8C99F356D625E909C7D2

Function 00449F94 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e09e427cc0f5c48326d696f622ddb13854d7e20a58c35d846649955e18978596
Instruction ID: 2ffe543e5a3152aeaddf73026a0bfe0f6374db9b5cb4a32ef588b1de75c41cd3
Opcode Fuzzy Hash: e09e427cc0f5c48326d696f622ddb13854d7e20a58c35d846649955e18978596
Instruction Fuzzy Hash: B471212024D7C24BD7298B2888A52F7BFE1AFA7301F5C96EED8D64F392C4165409C722

Function 004488E0 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 420e00adad8b5213bad73b1f25c9bee86da3cccdecdf3f432271785e9c215a7c
Instruction ID: 1394b8f588b6e583fdf47c70a34b6584878ffc4506d80b6e610298ee4ef990ea
Opcode Fuzzy Hash: 420e00adad8b5213bad73b1f25c9bee86da3cccdecdf3f432271785e9c215a7c
Instruction Fuzzy Hash: 345113312087514FE306CF6E989016EFBD29BCA314F1C8EAEC9D9D7712DA75D8098786

Function 00455EB0 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c85e5f8c1b8543d5e31b2507d484f8634bc59b4117db2810bbc7b5cb86d4c726
Instruction ID: 1bcf9370d6f2df1ae97da2e2e0d1ecd580af3a8b4dcb5a0816d9f42334951b25
Opcode Fuzzy Hash: c85e5f8c1b8543d5e31b2507d484f8634bc59b4117db2810bbc7b5cb86d4c726
Instruction Fuzzy Hash: 6A81F73954A7819FC711CF29C4D04A6FBE2BF9E204F5C999DE9C50B317C231A91ACB92

Function 00449DE1 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d4d2dea2c165661568dc7cef3cf9871e53b13df2d48047b3dc5f70df1b2c506
Instruction ID: 9e5c48be5b83b849e3f63dcf90d8bcd26eb987803b6ba09800ca58ed641ab8fb
Opcode Fuzzy Hash: 4d4d2dea2c165661568dc7cef3cf9871e53b13df2d48047b3dc5f70df1b2c506
Instruction Fuzzy Hash: 924128363192838BD718DE3C84512F7FBA1AF9A300B6847BED895C7782D529990AD750

Function 00449AF6 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8c27889d51f487b201adba72a386df83b8ac4b76ef92a9fc20cd27d85f323ea
Instruction ID: 3e4fe0b3b13923afe2abd05916bef55cbd219f07f9078e36b59610f3a6212c53
Opcode Fuzzy Hash: a8c27889d51f487b201adba72a386df83b8ac4b76ef92a9fc20cd27d85f323ea
Instruction Fuzzy Hash: 0B51BC2920DBE14AD71A973C54A96F7FFE29F6B301B4E90EEC4DA8B323C5165408D760

Function 0044B780 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8abed94980ad6d6d606a3d4abf692058976142787ecd39f41e5e0699303d0d10
Instruction ID: ddb2af253c569768d5a36ae55b9899b6556d463836d6db89f3eff8c897ff4f7e
Opcode Fuzzy Hash: 8abed94980ad6d6d606a3d4abf692058976142787ecd39f41e5e0699303d0d10
Instruction Fuzzy Hash: 5841AF72700E450BE768DA2AD8A01EBB7D3DBD6301B28C86BC19E8B725D635A444CBC4

Function 004429E0 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4f27dd10139f30faea009d98bf7d04ad43b169fe1efa635cf320682f8d45aa
Instruction ID: 6340b46de767b693a520bd5b61eff4e88f6059d0dfd967ad3723b5996c6929dc
Opcode Fuzzy Hash: 0b4f27dd10139f30faea009d98bf7d04ad43b169fe1efa635cf320682f8d45aa
Instruction Fuzzy Hash: BB312D3374558203F72DCE2F9CA12BAEAD34FC522872DD47E99C597356ECF944168104

Function 004422A0 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3227e40a5b5d8956a96953cac1783b1602908f16a73741ee63bffe10ed653420
Instruction ID: ce882cc6f2d761b007eb2a37d20f4416aa9f17d9f0713a6d775e60092e55fdc0
Opcode Fuzzy Hash: 3227e40a5b5d8956a96953cac1783b1602908f16a73741ee63bffe10ed653420
Instruction Fuzzy Hash: CE3197227B619207E354CEBD9C80677F693A7DA306B6CD77CD584C7A4AC4BDD80B9204

Function 0045F420 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e65a41849ba1dff17564a555de7faa284a3be694d3db7f60d411abc468340149
Instruction ID: cdfe7205e6d4447d3b89639be691ce07f1b5899c1e485b9176a34f465187e95b
Opcode Fuzzy Hash: e65a41849ba1dff17564a555de7faa284a3be694d3db7f60d411abc468340149
Instruction Fuzzy Hash: 4A117DA324504143DA04CA2AD4B02B7A396DBF732372C827BC8C14F35BD529984E890E

Function 00432CA0 Relevance: 80.0, APIs: 53, Instructions: 459windowsleepCOMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00432CC2

Part of subcall function 00418460: EnumDisplaySettingsA.USER32(00000000,000000FF,?), ref: 0041846F

SetStretchBltMode.GDI32(00000000,00000000), ref: 00432CD5
CreateCompatibleDC.GDI32(00000000), ref: 00432CE2
CreateCompatibleDC.GDI32(00000000), ref: 00432CE7
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00432D38
SelectObject.GDI32(00000000,00000000), ref: 00432D4C
SelectObject.GDI32(?,?), ref: 00432D76
PatBlt.GDI32(?,00000000,00000000,?,?,00F00021), ref: 00432D98
SelectObject.GDI32(?,?), ref: 00432DA8
SelectObject.GDI32(?,?), ref: 00432DB4
GetTickCount.KERNEL32 ref: 00432E02
SelectObject.GDI32(?,?), ref: 00432E3A
SelectObject.GDI32(00000000,00000000), ref: 00432E56
BitBlt.GDI32(?,?,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 00432E7B
SelectObject.GDI32(00000000,?), ref: 00432E87
DeleteObject.GDI32(00000000), ref: 00432E8E
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00432ED2
SelectObject.GDI32(00000000,00000000), ref: 00432EDE
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,?,00000000,00CC0020), ref: 00432F03
SelectObject.GDI32(00000000,?), ref: 00432F0F
SelectObject.GDI32(00000000,?), ref: 00432F17
CreateCompatibleDC.GDI32(00000000), ref: 00432F2C
CreateCompatibleDC.GDI32(00000000), ref: 00432F35
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00432F4B
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00432F63
SelectObject.GDI32(00000000,?), ref: 00432F73
SelectObject.GDI32(00000000,?), ref: 00432F83
SetBkColor.GDI32(00000000,?), ref: 00432F95
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 00432FB6
SetBkColor.GDI32(00000000,?), ref: 00432FC2
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00330008), ref: 00432FDF
BitBlt.GDI32(?,?,00000000,?,?,00000000,00000000,00000000,008800C6), ref: 00433004
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,008800C6), ref: 00433021
BitBlt.GDI32(?,?,00000000,?,?,00000000,00000000,00000000,00EE0086), ref: 00433046
SelectObject.GDI32(00000000,?), ref: 00433052
DeleteObject.GDI32(00000000), ref: 00433059
SelectObject.GDI32(00000000,?), ref: 00433065
DeleteObject.GDI32(00000000), ref: 0043306C
DeleteDC.GDI32(00000000), ref: 00433079
DeleteDC.GDI32(00000000), ref: 0043307C
SelectObject.GDI32(00000000,?), ref: 004330B5
DeleteObject.GDI32(?), ref: 004330BC
IsWindow.USER32(?), ref: 004330C6
StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,?,?,00CC0020), ref: 0043312A
BitBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00CC0020), ref: 00433154
SelectObject.GDI32(?,?), ref: 00433164
Sleep.KERNEL32(0000000A), ref: 004331B0
GetTickCount.KERNEL32 ref: 004331B6
DeleteObject.GDI32(00000000), ref: 004331E3
DeleteDC.GDI32(00000000), ref: 004331F0
DeleteDC.GDI32(?), ref: 004331F7
ReleaseDC.USER32(?,00000000), ref: 004331FE

Part of subcall function 004327E0: GetClientRect.USER32(?,?), ref: 00432807
Part of subcall function 004327E0: __ftol.LIBCMT ref: 004328DE
Part of subcall function 004327E0: __ftol.LIBCMT ref: 004328F1

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Object$Select$Delete$Create$Compatible$Bitmap$ColorCountStretchTick__ftol$ClientDisplayEnumModeRectReleaseSettingsSleepWindow
String ID:
API String ID: 1975044605-0
Opcode ID: dd587583b5f7321c3e0d973e7e385aceaebbce6ef839b65f006107fa99c55597
Instruction ID: 1d23b282ff17e16f8b55ead6d9570715abbf427fe9199ac5b26d8e653a7dfc16
Opcode Fuzzy Hash: dd587583b5f7321c3e0d973e7e385aceaebbce6ef839b65f006107fa99c55597
Instruction Fuzzy Hash: C002E8B1204740AFD324DFA5CD85F6BB7E9FB88B04F10491DF69A93290C7B4E8448B69

Function 00431650 Relevance: 42.4, APIs: 19, Strings: 5, Instructions: 356windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00417B90: SendMessageA.USER32(?,00000143,00000000,?), ref: 00417BB3

GetProfileStringA.KERNEL32(windows,device,,,,,?,000001F4), ref: 004316A9
GetProfileStringA.KERNEL32(devices,00000000,0058C1B4,?,00001000), ref: 004316E8
GetProfileStringA.KERNEL32(devices,?,,,,,?,000000C8), ref: 0043172A
SendMessageA.USER32(?,00000143,00000000), ref: 004317EB
SendMessageA.USER32(?,0000014E,?,00000000), ref: 00431828
SendMessageA.USER32(?,0000014E,?,00000000), ref: 004318CB
wsprintfA.USER32 ref: 004318E4
wsprintfA.USER32 ref: 0043190A
wsprintfA.USER32 ref: 00431930
SendMessageA.USER32(?,000000F1,00000001,00000000), ref: 00431963
SendMessageA.USER32(?,000000F1,00000001,00000000), ref: 0043198E
SendMessageA.USER32(?,000000F1,00000001,00000000), ref: 004319A4
SendMessageA.USER32(?,0000014E,?,00000000), ref: 004319BB
SendMessageA.USER32(?,000000F1,00000001,00000000), ref: 004319FF
wsprintfA.USER32 ref: 00431A12
wsprintfA.USER32 ref: 00431A3C
SendMessageA.USER32(?,000000F1,00000001,00000000), ref: 00431A62
SendMessageA.USER32(?,000000F1,00000001,00000000), ref: 00431AA3
wsprintfA.USER32 ref: 00431AB4

Strings

device, xrefs: 0043169F
none, xrefs: 00431768
devices, xrefs: 004316E3, 00431725
,,,, xrefs: 0043169A, 0043171F
windows, xrefs: 004316A4

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$wsprintf$ProfileString
String ID: ,,,$device$devices$none$windows
API String ID: 2373861888-528626633
Opcode ID: 6ce68da7e7be3ad049c3ebbcd37278b7b7e5e336328f0444b4754724cf592a22
Instruction ID: ad91e35982ab6c9e8b5a7447b091add166fa4daff187208ef83f019d19c1e58c
Opcode Fuzzy Hash: 6ce68da7e7be3ad049c3ebbcd37278b7b7e5e336328f0444b4754724cf592a22
Instruction Fuzzy Hash: DEC1D271244705ABD624EB74DC82FEB73E8AF88708F00491DF55A971D1EA78F604CB69

Function 00440A30 Relevance: 38.0, APIs: 25, Instructions: 452windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000010), ref: 00440AB8

Part of subcall function 004763B5: SetBkColor.GDI32(?,?), ref: 004763C4
Part of subcall function 004763B5: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 004763F6

GetSysColor.USER32(00000014), ref: 00440AF0
InflateRect.USER32(?,000000FF,000000FF), ref: 00440B22
GetSysColor.USER32(00000016), ref: 00440B3B
GetSysColor.USER32(0000000F), ref: 00440B4B
DrawEdge.USER32(?,?,00000002,0000000F), ref: 00440B84
GetDeviceCaps.GDI32(?), ref: 00440D8E
RealizePalette.GDI32(?), ref: 00440DB1
GetSysColor.USER32(00000014), ref: 00440DC9
GetSysColor.USER32(0000000F), ref: 00440DDB
GetSysColor.USER32(0000000F), ref: 00440A91

Part of subcall function 0047638B: SetBkColor.GDI32(?,?), ref: 00476395
Part of subcall function 0047638B: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 004763AB

GetSysColor.USER32(0000000F), ref: 00440BE8
InflateRect.USER32(?,000000FF,000000FF), ref: 00440C21
GetSysColor.USER32(00000016), ref: 00440C36
GetSysColor.USER32(0000000F), ref: 00440C42
InflateRect.USER32(?,?,?), ref: 00440C83
GetSysColor.USER32(00000010), ref: 00440C87
Rectangle.GDI32(?,?,?,?,?), ref: 00440CCE
DrawEdge.USER32(?,?,00000002,0000000F), ref: 00440D09
DrawEdge.USER32(?,?,00000002,0000000F), ref: 00440E10
GetSysColor.USER32(00000010), ref: 00440E6D
CreatePen.GDI32(00000000,00000001,00000000), ref: 00440E74
InflateRect.USER32(?,?,?), ref: 00440EB3
Rectangle.GDI32(?,?,?,?,?), ref: 00440ED1
GetDeviceCaps.GDI32(?,00000026), ref: 00440F07

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Color$InflateRect$DrawEdge$CapsDeviceRectangleText$CreatePaletteRealize
String ID:
API String ID: 3119264602-0
Opcode ID: ef083a328b32c2774f82b2303e77a89693913cd5008d408b1a8f867e13831c47
Instruction ID: 1fd43d95b8bd1dfff5faafada65e00cbec971e5443a6ff3913d4874729e2894d
Opcode Fuzzy Hash: ef083a328b32c2774f82b2303e77a89693913cd5008d408b1a8f867e13831c47
Instruction Fuzzy Hash: 34F16C71204701AFD714DF64C895E7BB7E9FB88704F008A2EF65A87291DBB4E805CB96

Function 0041D9C0 Relevance: 37.1, APIs: 17, Strings: 4, Instructions: 366windowCOMMON

Download Yara Rule

APIs

CreateDIBitmap.GDI32(?,?,00000004,?,?,00000000), ref: 0041DA4C
CreateCompatibleDC.GDI32(?), ref: 0041DA5E
CreateCompatibleDC.GDI32(?), ref: 0041DA67
SelectObject.GDI32(00000000,?), ref: 0041DA76
CreateCompatibleBitmap.GDI32(?,?,?), ref: 0041DA89
SelectObject.GDI32(?,00000000), ref: 0041DA99
BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 0041DAB9
SelectObject.GDI32(00000000,?), ref: 0041DAC5
DeleteDC.GDI32(00000000), ref: 0041DAD2
SelectObject.GDI32(?,?), ref: 0041DADA
DeleteDC.GDI32(?), ref: 0041DAE1
DeleteObject.GDI32(?), ref: 0041DAE7
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 0041DB1D

Strings

(, xrefs: 0041DBCC
hU, xrefs: 0041DD1E
(, xrefs: 0041DD7F
, xrefs: 0041DBE3

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateObject$Select$BitmapCompatibleDelete
String ID: $($($hU
API String ID: 1878064223-752959516
Opcode ID: 542a8c608a3d1e6cbabd4d4e569e9c7f02f3391655d288e93a4b6722c5f654d4
Instruction ID: 06bc893c7ab6dda47376b69edb485481a8ce9426a5df7c3572e283ee7e593779
Opcode Fuzzy Hash: 542a8c608a3d1e6cbabd4d4e569e9c7f02f3391655d288e93a4b6722c5f654d4
Instruction Fuzzy Hash: E6D138B1A043019FD714CF65D884AABBBE9EFC8310F10492EF59697350D774E884CBA6

Function 0040DDF0 Relevance: 33.3, APIs: 22, Instructions: 293windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0040DE7F
GetWindowRect.USER32(?,?), ref: 0040DED6
GetParent.USER32(?), ref: 0040DEE6
GetParent.USER32(?), ref: 0040DF19
GlobalSize.KERNEL32(00000000), ref: 0040DF63
GlobalLock.KERNEL32(00000000), ref: 0040DF6B
IsWindow.USER32(?), ref: 0040DF84
GetTopWindow.USER32(?), ref: 0040DFC1
GetWindow.USER32(00000000,00000002), ref: 0040DFDA
SetParent.USER32(?,?), ref: 0040E006
SendMessageA.USER32(?,0000806F,00000000,00000000), ref: 0040E051
SendMessageA.USER32(?,00008076,00000000,00000000), ref: 0040E060
GetParent.USER32(?), ref: 0040E073
SendMessageA.USER32(?,00008004,00000000,00000000), ref: 0040E08C
GetWindowLongA.USER32(?,000000F0), ref: 0040E094
SendMessageA.USER32(?,0000130B,00000000,00000000), ref: 0040E0C4
SendMessageA.USER32(?,0000130C,00000000,00000000), ref: 0040E0D2
IsWindow.USER32(?), ref: 0040E11E
GetFocus.USER32 ref: 0040E128
SetFocus.USER32(?,00000000), ref: 0040E140
GlobalUnlock.KERNEL32(00000000), ref: 0040E14B
GlobalFree.KERNEL32(00000000), ref: 0040E152

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$MessageSend$GlobalParent$Focus$FreeLockLongRectSizeUnlock
String ID:
API String ID: 300820980-0
Opcode ID: 2d664c09765202c18b6c3f19ae8687b839f915fa0868579dd2296ad25a1baaea
Instruction ID: 860ff45512fb2416b80c9ae0a0b36df644e122ee06b670ce371120940304ba5b
Opcode Fuzzy Hash: 2d664c09765202c18b6c3f19ae8687b839f915fa0868579dd2296ad25a1baaea
Instruction Fuzzy Hash: E5A14BB1604301AFD724DFA5CC85B2BB7E9BF88704F10892DF945AB391DB78E8058B59

Function 00435380 Relevance: 31.7, APIs: 21, Instructions: 205COMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000022B8), ref: 00435395
EnterCriticalSection.KERNEL32(?), ref: 004353B8
LeaveCriticalSection.KERNEL32(?), ref: 004353C6
waveOutUnprepareHeader.WINMM(?,?,00000020), ref: 004353E8
waveOutPrepareHeader.WINMM(?,?,00000020), ref: 00435431
waveOutWrite.WINMM(?,?,00000020), ref: 0043543E
EnterCriticalSection.KERNEL32(?), ref: 00435448
LeaveCriticalSection.KERNEL32(?), ref: 00435456
EnterCriticalSection.KERNEL32(?), ref: 00435485
ReleaseSemaphore.KERNEL32(?,00000014,00000000), ref: 004354A3
LeaveCriticalSection.KERNEL32(?), ref: 004354AA
waveOutPause.WINMM(?), ref: 004354B9
waveOutReset.WINMM(?), ref: 004354C3
waveOutUnprepareHeader.WINMM(?,00000000,00000020), ref: 004354E1
waveOutUnprepareHeader.WINMM(?,?,00000020), ref: 00435506
EnterCriticalSection.KERNEL32(0058C1D8), ref: 0043551C
LeaveCriticalSection.KERNEL32(0058C1D8), ref: 00435578
CloseHandle.KERNEL32(?), ref: 004355A6
CloseHandle.KERNEL32(?), ref: 004355AC
CloseHandle.KERNEL32(?), ref: 004355B2
DeleteCriticalSection.KERNEL32(?), ref: 004355B8

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$wave$EnterHeaderLeave$CloseHandleUnprepare$DeleteMultipleObjectsPausePrepareReleaseResetSemaphoreWaitWrite
String ID:
API String ID: 361331667-0
Opcode ID: ee27f14b8fb3a4c4be890e0b8986c57377cb29dd931af669e3dd7b466ca761d0
Instruction ID: ec345b6ab8e1084b8a2c7d69158ae2afa8957906f4cf7fbfb2c057ce05f515d6
Opcode Fuzzy Hash: ee27f14b8fb3a4c4be890e0b8986c57377cb29dd931af669e3dd7b466ca761d0
Instruction Fuzzy Hash: DE71B071600619AFDB14DF68DC88AAE7BA9FF4C704F04542AFD09E7251C678ED41CB98

Function 0041B5E0 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 183windowmemoryCOMMON

Download Yara Rule

APIs

GetStockObject.GDI32(0000000F), ref: 0041B634
GetObjectA.GDI32(?,00000018,?), ref: 0041B647
SelectPalette.GDI32(?,00000000,00000000), ref: 0041B6A2
RealizePalette.GDI32(?), ref: 0041B6AC
GlobalAlloc.KERNEL32(00000002,00000028), ref: 0041B6B6
SelectPalette.GDI32(?,?,00000000), ref: 0041B6CC
GlobalLock.KERNEL32(00000000), ref: 0041B6D4
GetDIBits.GDI32(?,?,00000000,?,00000000,00000000,00000000), ref: 0041B703
GlobalUnlock.KERNEL32(00000000), ref: 0041B759
GlobalReAlloc.KERNEL32(00000000,?,00000002), ref: 0041B762
GlobalLock.KERNEL32(00000000), ref: 0041B76F
GetDIBits.GDI32(?,?,00000000,?,00000000,00000000,00000000), ref: 0041B792
SelectPalette.GDI32(?,?,00000000), ref: 0041B7A5
GlobalUnlock.KERNEL32(00000000), ref: 0041B7AC
GlobalFree.KERNEL32(00000000), ref: 0041B7B3

Part of subcall function 0047414A: __EH_prolog.LIBCMT ref: 0047414F
Part of subcall function 0047414A: ReleaseDC.USER32(?,00000000), ref: 0047416E

Strings

(, xrefs: 0041B65A

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Global$Palette$Select$AllocBitsLockObjectUnlock$FreeH_prologRealizeReleaseStock
String ID: (
API String ID: 3986717603-3887548279
Opcode ID: 105855d59a8419582d6933b48a4948a6b6321b5c4bb26083a5d7d27e37c95813
Instruction ID: 8a0acfed53bd76dd7f8957e16eba59b73984cc84a35ae81fea26785226ead8f0
Opcode Fuzzy Hash: 105855d59a8419582d6933b48a4948a6b6321b5c4bb26083a5d7d27e37c95813
Instruction Fuzzy Hash: CF615C725043409FC320DF64CC85B6BB7E9FB89710F14492DFA9997291CB78E845CBA6

Function 0046F3EA Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 170stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0047720A: TlsGetValue.KERNEL32(00593F4C,?,00000000,00476C91,00476590,00476CAD,0047247F,0047371E,?,00000000,?,0046B321,00000000,00000000,00000000,00000000), ref: 00477249

CallNextHookEx.USER32(?,00000003,?,?), ref: 0046F414
GetClassLongA.USER32(?,000000E6), ref: 0046F45B
GlobalGetAtomNameA.KERNEL32(?,?,00000005,?,?,?,Function_00076590), ref: 0046F487
lstrcmpiA.KERNEL32(?,ime), ref: 0046F496
GetWindowLongA.USER32(?,000000FC), ref: 0046F509
SetWindowLongA.USER32(?,000000FC,00000000), ref: 0046F52A

Strings

AfxOldWndProc423, xrefs: 0046F56B, 0046F570, 0046F57B, 0046F583, 0046F58C
ime, xrefs: 0046F490
<?Y, xrefs: 0046F3F5

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Long$Window$AtomCallClassGlobalHookNameNextValuelstrcmpi
String ID: <?Y$AfxOldWndProc423$ime
API String ID: 3731301195-2917762568
Opcode ID: 9b1718356810d65e4444506a245e6c0505b6f392424c2276cebef8ea0a2fea52
Instruction ID: 7da3e0d563dee1a97a28de71f1d61922aa29d89c85b581b58e7d5848f26e95ed
Opcode Fuzzy Hash: 9b1718356810d65e4444506a245e6c0505b6f392424c2276cebef8ea0a2fea52
Instruction Fuzzy Hash: 6351A271500215BBCB119F64EC48B6B7BA8FF04364F10412AF956A7291E738DD49CB99

Function 00404AA0 Relevance: 30.1, APIs: 16, Strings: 1, Instructions: 384windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00474240: __EH_prolog.LIBCMT ref: 00474245
Part of subcall function 00474240: BeginPaint.USER32(?,?,?,?,00403979), ref: 0047426E

Part of subcall function 00473DF1: GetClipBox.GDI32(?,?), ref: 00473DF8

IsRectEmpty.USER32(?), ref: 00404AE5
GetCurrentObject.GDI32(?,00000002), ref: 00404B2A
GetCurrentObject.GDI32(?,00000001), ref: 00404B3D
GetClientRect.USER32 ref: 00404BC2
CreatePen.GDI32(-00000003,00000000,?), ref: 00404BDE
PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 00404CA2

Part of subcall function 004742B2: __EH_prolog.LIBCMT ref: 004742B7
Part of subcall function 004742B2: EndPaint.USER32(?,?,?,?,004039F3), ref: 004742D4

Strings

gfff, xrefs: 00404E12

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CurrentH_prologObjectPaintRect$BeginClientClipCreateEmpty
String ID: gfff
API String ID: 3506841274-1553575800
Opcode ID: d8af68df56a87d5e543ab4f4e1fd029a40e552db3df5261b9bd04ade697cbae6
Instruction ID: f18dd277f1c5335b34f6a03ecfe75f4380890662af344cb4bc02f08e458af581
Opcode Fuzzy Hash: d8af68df56a87d5e543ab4f4e1fd029a40e552db3df5261b9bd04ade697cbae6
Instruction Fuzzy Hash: C3E18EB11083409BC314DF55C884A6FB7E8FBC8714F104A2EF69997280DB38E949CBA6

Function 00413640 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 245COMMON

Download Yara Rule

APIs

SetWindowRgn.USER32(?,00000000,00000001), ref: 00413671
GetWindowRect.USER32(?,?), ref: 0041369E
BeginPath.GDI32(?), ref: 00413727
MulDiv.KERNEL32(7FFF0000,?,00007FFF), ref: 00413740
MulDiv.KERNEL32(00000000,?,00007FFF), ref: 0041374F
MulDiv.KERNEL32(3FFF0000,?,00007FFF), ref: 00413777
MulDiv.KERNEL32(00000000,?,00007FFF), ref: 00413786
EndPath.GDI32(?), ref: 004137A1
PathToRegion.GDI32(?), ref: 004137AC

Strings

gfff, xrefs: 0041387A
gfff, xrefs: 0041386A

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Path$Window$BeginRectRegion
String ID: gfff$gfff
API String ID: 3989698161-3084402119
Opcode ID: d1d19c2e6d73b45689caebb94939527745f7e5fb3630965e47abb31e0be2259e
Instruction ID: dbb926bb19dde321f576b2ceb203b82cabb6dfd7847714089a9568d47888ffca
Opcode Fuzzy Hash: d1d19c2e6d73b45689caebb94939527745f7e5fb3630965e47abb31e0be2259e
Instruction Fuzzy Hash: 2381E4B16043419BD314DF65CC85ABBBBE8FBC4705F04892EF98A83390DB38A944C766

Function 0041DE00 Relevance: 28.3, APIs: 15, Strings: 1, Instructions: 305windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00418460: EnumDisplaySettingsA.USER32(00000000,000000FF,?), ref: 0041846F

SetStretchBltMode.GDI32(?,00000000), ref: 0041DE14
CreateCompatibleDC.GDI32(?), ref: 0041DE99
CreateCompatibleDC.GDI32(?), ref: 0041DEB1
GetObjectA.GDI32(?,00000018,?), ref: 0041DEF2
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0041DF08
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0041DF66
StretchBlt.GDI32(?,000000FF,?,?,?,?,00000000,00000000,?,?,00660046), ref: 0041DFBF
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,008800C6), ref: 0041DFF9
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 0041E033
CreateCompatibleDC.GDI32(?), ref: 0041E0AB
SelectObject.GDI32(00000000,?), ref: 0041E0B8
StretchBlt.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?), ref: 0041E0FB
SelectObject.GDI32(00000000,?), ref: 0041E107
DeleteDC.GDI32(00000000), ref: 0041E10E
DrawIconEx.USER32(?,?,?,?,?,?,00000000,00000000,00000003), ref: 0041E14D

Strings

tU, xrefs: 0041E081

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Stretch$Create$CompatibleObject$Select$BitmapDeleteDisplayDrawEnumIconModeSettings
String ID: tU
API String ID: 1298110373-3221499103
Opcode ID: bc3caba1e20f1c48cedbed4a6acaeaa9d65b15494ad614d43bda1814fb1b55bf
Instruction ID: d49266b04de6e6ee86d3688d5b597824cd262d2f434be7a6f83329094d6d4523
Opcode Fuzzy Hash: bc3caba1e20f1c48cedbed4a6acaeaa9d65b15494ad614d43bda1814fb1b55bf
Instruction Fuzzy Hash: A5B159B1204704AFD310DB65CC85FABB3E9FB88715F108A1DFA9987290D734ED418BA6

Function 00471019 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 174windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0047197F: GetWindowLongA.USER32(?,000000F0), ref: 0047198B

GetParent.USER32(?), ref: 00471044
SendMessageA.USER32(00000000,0000036B,00000000,00000000), ref: 00471067
GetWindowRect.USER32(?,?), ref: 00471080
GetWindowLongA.USER32(00000000,000000F0), ref: 00471093
CopyRect.USER32(?,?), ref: 004710E0
CopyRect.USER32(?,?), ref: 004710EA
GetWindowRect.USER32(00000000,?), ref: 004710F3
CopyRect.USER32(?,?), ref: 0047110F

Strings

@, xrefs: 00471082
(, xrefs: 004710AB

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Rect$Window$Copy$Long$MessageParentSend
String ID: ($@
API String ID: 808654186-1311469180
Opcode ID: 6a66360eb437173e25e0fc3904fe49d47061970b48f76cdb8b7da5acbb2f616c
Instruction ID: 8323726afa2ee627f76d9d9e928750e13a919d43d94d920ce0027f91dbeee915
Opcode Fuzzy Hash: 6a66360eb437173e25e0fc3904fe49d47061970b48f76cdb8b7da5acbb2f616c
Instruction Fuzzy Hash: 10517572900259AFDB10DBBCCC85EEE7BBDAF48310F15812AF905F7291D634AD458B58

Function 00431CE0 Relevance: 25.9, APIs: 17, Instructions: 351windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0046FADD: GetWindowTextLengthA.USER32(?), ref: 0046FAEA
Part of subcall function 0046FADD: GetWindowTextA.USER32(?,00000000,00000000), ref: 0046FB02

__ftol.LIBCMT ref: 00431D56
__ftol.LIBCMT ref: 00431DAC
__ftol.LIBCMT ref: 00431E02
__ftol.LIBCMT ref: 00431E58
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00431E79
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00431E93
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00431F5B
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00431F8D
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00431FAA
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00431FCA
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00431FE4
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00431FFC
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 0043201B
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00432084
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 004320E9
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 0043212B

Part of subcall function 004718A5: GetDlgItem.USER32(?,?), ref: 004718B3

SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00432157

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$__ftol$TextWindow$ItemLength
String ID:
API String ID: 2143175130-0
Opcode ID: 3e336365755444f812858d2bda222a26553e8ddf11a28b1aeac15fb91c775f42
Instruction ID: d116b707c45aeeaa5ad9cec5ecaf12f0e4d7c81a28a5e284604fc680c81aac70
Opcode Fuzzy Hash: 3e336365755444f812858d2bda222a26553e8ddf11a28b1aeac15fb91c775f42
Instruction Fuzzy Hash: 70D1F1B1540B01ABD324EB31DC42FAB73A4AF44701F10492EF59A972E1DB79F449CB5A

Function 0046BEAD Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 119registryclipboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0047720A: TlsGetValue.KERNEL32(00593F4C,?,00000000,00476C91,00476590,00476CAD,0047247F,0047371E,?,00000000,?,0046B321,00000000,00000000,00000000,00000000), ref: 00477249

RegisterClipboardFormatA.USER32(commdlg_LBSelChangedNotify), ref: 0046BF05
RegisterClipboardFormatA.USER32(commdlg_ShareViolation), ref: 0046BF11
RegisterClipboardFormatA.USER32(commdlg_FileNameOK), ref: 0046BF1D
RegisterClipboardFormatA.USER32(commdlg_ColorOK), ref: 0046BF29
RegisterClipboardFormatA.USER32(commdlg_help), ref: 0046BF35
RegisterClipboardFormatA.USER32(commdlg_SetRGBColor), ref: 0046BF41

Part of subcall function 0047183C: SetWindowLongA.USER32(?,000000FC,00000000), ref: 0047186B

SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 0046C034

Strings

commdlg_ShareViolation, xrefs: 0046BF07
commdlg_SetRGBColor, xrefs: 0046BF37
commdlg_ColorOK, xrefs: 0046BF1F
commdlg_help, xrefs: 0046BF2B
<?Y, xrefs: 0046BEC3
commdlg_LBSelChangedNotify, xrefs: 0046BF00
commdlg_FileNameOK, xrefs: 0046BF13

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ClipboardFormatRegister$LongMessageSendValueWindow
String ID: <?Y$commdlg_ColorOK$commdlg_FileNameOK$commdlg_LBSelChangedNotify$commdlg_SetRGBColor$commdlg_ShareViolation$commdlg_help
API String ID: 3913284445-2861060712
Opcode ID: ba72f21e3addb3eaaea33043562ff024d7ba4bcb5fd4ee184fd037c829f3b221
Instruction ID: 264dbda2676dcdfc34e4b7d171a7340903629a01b4995e25868b6638888dbaa9
Opcode Fuzzy Hash: ba72f21e3addb3eaaea33043562ff024d7ba4bcb5fd4ee184fd037c829f3b221
Instruction Fuzzy Hash: 71419C30600204EBCF249FA5DC84ABF3BA1FB54780F01042BF88997260E7789C85DF9A

Function 0045CE32 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 68libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(USER32,?,?,?,0045CF6B), ref: 0045CE54
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 0045CE6C
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0045CE7D
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 0045CE8E
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 0045CE9F
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 0045CEB0
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0045CEC1

Strings

MonitorFromPoint, xrefs: 0045CE99
MonitorFromRect, xrefs: 0045CE88
USER32, xrefs: 0045CE4F
GetSystemMetrics, xrefs: 0045CE66
MonitorFromWindow, xrefs: 0045CE77
EnumDisplayMonitors, xrefs: 0045CEAA
GetMonitorInfoA, xrefs: 0045CEBB

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-2376520503
Opcode ID: 5792cff30ff56fdbaad73a1e210973063950a2c157c96aea8c4131c37708cb52
Instruction ID: b9a27aab995821e5b52be04a14feeb30a1977ebedde33a7eb37415c61b751759
Opcode Fuzzy Hash: 5792cff30ff56fdbaad73a1e210973063950a2c157c96aea8c4131c37708cb52
Instruction Fuzzy Hash: B1112971E44215FEC3118F65EDC142ABAB5B26D741312083FE405D2691D7784689EEAC

Function 0043EB90 Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 372COMMON

Download Yara Rule

APIs

Part of subcall function 00474240: __EH_prolog.LIBCMT ref: 00474245
Part of subcall function 00474240: BeginPaint.USER32(?,?,?,?,00403979), ref: 0047426E

Part of subcall function 0043E0E0: GetWindowExtEx.GDI32(?,?), ref: 0043E103

MulDiv.KERNEL32(?,00000064,?), ref: 0043EC4B
GetClientRect.USER32(?,?), ref: 0043ECD9
DPtoLP.GDI32(?,?,00000002), ref: 0043ECEE
OffsetRect.USER32 ref: 0043ED3D
Rectangle.GDI32(?,?,?,?,?), ref: 0043ED7B
FillRect.USER32(?,?,?), ref: 0043EDD3
FillRect.USER32(?,00000032,?), ref: 0043EE16
LPtoDP.GDI32(?,?,00000002), ref: 0043EEBF
IsRectEmpty.USER32(?), ref: 0043EEC6
CreateRectRgnIndirect.GDI32(?), ref: 0043EF0A

Part of subcall function 00473E01: SelectClipRgn.GDI32(?,00000000), ref: 00473E23
Part of subcall function 00473E01: SelectClipRgn.GDI32(?,?), ref: 00473E39

LPtoDP.GDI32(?,?,00000001), ref: 0043EF4A
DPtoLP.GDI32(?,?,00000001), ref: 0043EF71

Strings

2, xrefs: 0043ED35

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Rect$ClipFillSelect$BeginClientCreateEmptyH_prologIndirectOffsetPaintRectangleWindow
String ID: 2
API String ID: 2521159323-450215437
Opcode ID: 19d82c246861346cd849db0ddba63a565b5c0e587fdcc0329e10547b01545428
Instruction ID: 7fbe23b8d103ef78a4a17ef6e1b28c94257456a2bddb4bbde17fb0d593653c63
Opcode Fuzzy Hash: 19d82c246861346cd849db0ddba63a565b5c0e587fdcc0329e10547b01545428
Instruction Fuzzy Hash: 04E109B16087409FD324DF69C880B6BB7E5BBC8704F408A2EF59A87391DB74E944CB56

Function 00423C70 Relevance: 23.0, APIs: 8, Strings: 5, Instructions: 282COMMON

Download Yara Rule

APIs

GetProfileStringA.KERNEL32(windows,device,,,,,?,000001F4), ref: 00423CEF
GetProfileStringA.KERNEL32(devices,00000000,0058C140,?,00001000), ref: 00423D23
GetProfileStringA.KERNEL32(devices,?,,,,,?,000000C8), ref: 00423DAA

Strings

device, xrefs: 00423CE5
devices, xrefs: 00423D1E, 00423DA5
,,,, xrefs: 00423CE0, 00423D9F
none, xrefs: 00423DE0
windows, xrefs: 00423CEA

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ProfileString
String ID: ,,,$device$devices$none$windows
API String ID: 1468043044-528626633
Opcode ID: 7cd819da13493d09501a6ac86398e97772cdac24f613bab68bb5b5340a6372ea
Instruction ID: cf32b70290add9ae406fc274ce0c85d3b806c11e5c9662369b05f86ad885afea
Opcode Fuzzy Hash: 7cd819da13493d09501a6ac86398e97772cdac24f613bab68bb5b5340a6372ea
Instruction Fuzzy Hash: C9B198702083819FD320DF65D881FABB7E4BF95759F400A1DF89993291D7789A08CB67

Function 004304E0 Relevance: 22.8, APIs: 15, Instructions: 255windowCOMMON

Download Yara Rule

APIs

CopyRect.USER32(?,?), ref: 00430516

Part of subcall function 0047443D: __EH_prolog.LIBCMT ref: 00474442
Part of subcall function 0047443D: CreateSolidBrush.GDI32(?), ref: 0047445F

FillRect.USER32(?,?,00000000), ref: 00430554
GetSystemMetrics.USER32(0000002E), ref: 0043057D
GetSystemMetrics.USER32(0000002D), ref: 00430583
DrawFrameControl.USER32(?,?,00000003,?), ref: 004305F6
DrawEdge.USER32(?,?,0000000A,0000000F), ref: 00430609
InflateRect.USER32(?,00FFFFFD,00000001), ref: 00430624
GetSysColor.USER32(0000000F), ref: 00430648
Rectangle.GDI32(?,?,?,?,?), ref: 0043069B
OffsetRect.USER32(?,00000001,00000001), ref: 00430705
GetSysColor.USER32(00000014), ref: 0043070B
OffsetRect.USER32(?,000000FF,000000FF), ref: 00430733
GetSysColor.USER32(00000010), ref: 00430739
InflateRect.USER32(?,000000FF,000000FF), ref: 00430782
DrawFocusRect.USER32(?,?), ref: 00430791

Part of subcall function 0046FADD: GetWindowTextLengthA.USER32(?), ref: 0046FAEA
Part of subcall function 0046FADD: GetWindowTextA.USER32(?,00000000,00000000), ref: 0046FB02

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Rect$ColorDraw$InflateMetricsOffsetSystemTextWindow$BrushControlCopyCreateEdgeFillFocusFrameH_prologLengthRectangleSolid
String ID:
API String ID: 4239342997-0
Opcode ID: de7509f90be1fcbbe2ac5db2b10500258fbb80cb9ac1beefccf70b46ee16c168
Instruction ID: 6bff747af92ec6cd7f4f1b08d0b03c3496351bc64acf6dff5775a453b038f5fa
Opcode Fuzzy Hash: de7509f90be1fcbbe2ac5db2b10500258fbb80cb9ac1beefccf70b46ee16c168
Instruction Fuzzy Hash: 8FA19874208345AFC304DF64C899A6BBBE8FF88714F004A1DF99987390DBB4E945CB96

Function 00434FA0 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 331threadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0043510B
CreateSemaphoreA.KERNEL32(00000000,00000014,00000014,00000000), ref: 00435120
InitializeCriticalSection.KERNEL32(?), ref: 0043514B
CreateThread.KERNEL32(00000000,00000000,00435380,?,00000004,?), ref: 00435180
EnterCriticalSection.KERNEL32(0058C1D8), ref: 00435192
LeaveCriticalSection.KERNEL32(0058C1D8,?,?,?), ref: 00435345
ResumeThread.KERNEL32(?), ref: 00435353
ReleaseSemaphore.KERNEL32(?,00000014,00000000), ref: 00435365

Strings

RIFF, xrefs: 00434FB4, 00434FC8
data, xrefs: 00435045
fmt , xrefs: 00435024
WAVE, xrefs: 00434FE1, 00434FF8

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateCriticalSection$SemaphoreThread$EnterEventInitializeLeaveReleaseResume
String ID: RIFF$WAVE$data$fmt
API String ID: 1802393137-4212202414
Opcode ID: a713bab20069daee333b35b5275bd3d1b9d8ee7e6e56d94da00593f7e4d97f72
Instruction ID: aaba8e8e2621b337c63c34cdf278c2692e8b19ce922774d06ddb53800a540bed
Opcode Fuzzy Hash: a713bab20069daee333b35b5275bd3d1b9d8ee7e6e56d94da00593f7e4d97f72
Instruction Fuzzy Hash: DCB124B1A007005BD714DF24DC85B2B7BE5FB88318F14462EFD1AA7381E679E905CB99

Function 0042A820 Relevance: 19.8, APIs: 13, Instructions: 320windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 0042A83E
SetCapture.USER32(?,?,?,?,?,?,?,?,?,0047A698,000000FF,0042A07D,?,?,?,?), ref: 0042A85B

Part of subcall function 004740D8: __EH_prolog.LIBCMT ref: 004740DD
Part of subcall function 004740D8: GetDC.USER32(00000000), ref: 00474106

Part of subcall function 0043E0E0: GetWindowExtEx.GDI32(?,?), ref: 0043E103

Part of subcall function 00474006: GetWindowExtEx.GDI32(?,?), ref: 00474017
Part of subcall function 00474006: GetViewportExtEx.GDI32(?,?), ref: 00474024
Part of subcall function 00474006: MulDiv.KERNEL32(?,00000000,00000000), ref: 00474049
Part of subcall function 00474006: MulDiv.KERNEL32(?,00000000,00000000), ref: 00474064

Part of subcall function 00473B97: SetMapMode.GDI32(?,?), ref: 00473BB0
Part of subcall function 00473B97: SetMapMode.GDI32(?,?), ref: 00473BBE

Part of subcall function 00473B0C: SetROP2.GDI32(?,?), ref: 00473B25
Part of subcall function 00473B0C: SetROP2.GDI32(?,?), ref: 00473B33

Part of subcall function 00473AB0: SetBkMode.GDI32(?,?), ref: 00473AC9
Part of subcall function 00473AB0: SetBkMode.GDI32(?,?), ref: 00473AD7

Part of subcall function 004743ED: __EH_prolog.LIBCMT ref: 004743F2
Part of subcall function 004743ED: CreatePen.GDI32(?,?,?), ref: 00474415

Part of subcall function 004739D4: SelectObject.GDI32(?,00000000), ref: 004739F6
Part of subcall function 004739D4: SelectObject.GDI32(?,?), ref: 00473A0C

GetCapture.USER32 ref: 0042A921
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0042A940
DispatchMessageA.USER32(?), ref: 0042A981
DispatchMessageA.USER32(?), ref: 0042A99D
ScreenToClient.USER32(?,?), ref: 0042A9E4
GetCapture.USER32 ref: 0042AA0C
ReleaseCapture.USER32 ref: 0042AA34
ReleaseCapture.USER32 ref: 0042AA90
DPtoLP.GDI32 ref: 0042AAD4
InvalidateRect.USER32(?,00000000,00000000,?,00000000,?,?,?,00000000,?,?,?), ref: 0042AB5D
InvalidateRect.USER32(?,00000000,00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0042ABEB

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Capture$Mode$Message$DispatchH_prologInvalidateObjectRectReleaseSelectWindow$ClientCreateScreenViewport
String ID:
API String ID: 453157188-0
Opcode ID: eabb0102c9d1f6682f4e2b3e847ca37b58867bf52bcb8f1e2399c1d2684e0f65
Instruction ID: b6ceaeeb5c2b8a6e7b79671e6752084911b57cad74f9638a108f2dbfd0263abd
Opcode Fuzzy Hash: eabb0102c9d1f6682f4e2b3e847ca37b58867bf52bcb8f1e2399c1d2684e0f65
Instruction Fuzzy Hash: 72B1BF71304710AFD314EB25D885E6FB7E9AF84704F904A0EF69683291DB78E944CB6B

Function 00414F40 Relevance: 19.7, APIs: 13, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00414F8A

Part of subcall function 00471B0E: IsWindowEnabled.USER32(?), ref: 00471B18

IsWindow.USER32(?), ref: 0041502B
GetParent.USER32(?), ref: 00415046
IsWindowVisible.USER32(?), ref: 0041505A
SetActiveWindow.USER32(?), ref: 0041507B
IsWindow.USER32(?), ref: 00415098
UpdateWindow.USER32(?), ref: 004150A6
IsWindow.USER32(?), ref: 004150AD
IsWindow.USER32(?), ref: 00415108
IsWindow.USER32(?), ref: 00415162
GetFocus.USER32 ref: 00415176
IsWindow.USER32(00000000), ref: 00415183
IsChild.USER32(?,00000000), ref: 00415192

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Parent$ActiveChildEnabledFocusUpdateVisible
String ID:
API String ID: 983273251-0
Opcode ID: 3a05d3b130514010e4d451c6caf3159d34ad0a2f2c1796c42c7407d98218ca76
Instruction ID: f0ba76b0078c82e302ea2cc1857a39bca4710db039f240eb272367fa35ab1d59
Opcode Fuzzy Hash: 3a05d3b130514010e4d451c6caf3159d34ad0a2f2c1796c42c7407d98218ca76
Instruction Fuzzy Hash: B4519471A00745DBD7209FB6D880ADBBBA9FB84344F00452FF959D2350D738E885CBA9

Function 0040EC40 Relevance: 19.6, APIs: 9, Strings: 2, Instructions: 310libraryregistryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,0058B738,00000000), ref: 0040ED24
LoadLibraryA.KERNEL32(?,?,00000000,?,?,?,00571C48,?,?,?,?,?,?,00000000,0058B738,00000000), ref: 0040ED61
GetProcAddress.KERNEL32(00000000,DllRegisterServer), ref: 0040ED97
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,00000000,0058B738,00000000), ref: 0040EDA2
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,00000000,0058B738,00000000), ref: 0040EDB0
LoadTypeLib.OLEAUT32(00000000,00000000), ref: 0040EEBD
RegisterTypeLib.OLEAUT32(00000000,00000000), ref: 0040EEF2
CLSIDFromString.OLE32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,0058B738,00000000), ref: 0040EFB7
UnRegisterTypeLib.OLEAUT32(?,00000000,00000000,00000000,00000001), ref: 0040EFD3

Strings

DllRegisterServer, xrefs: 0040ED89
DllUnregisterServer, xrefs: 0040ED90, 0040ED95

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Library$LoadType$FreeRegister$AddressFromProcString
String ID: DllRegisterServer$DllUnregisterServer
API String ID: 2476498075-2931954178
Opcode ID: 5f65aff9959f3b03ab95e4fa3f3d45327609bb3d2fee07170618560befa2e7e8
Instruction ID: 6cc966047f4f15ccbae558f7d55082f89f8b708c0a9cda54510f351736900a4a
Opcode Fuzzy Hash: 5f65aff9959f3b03ab95e4fa3f3d45327609bb3d2fee07170618560befa2e7e8
Instruction Fuzzy Hash: A2B196B1E0020AABDB10DFA5C845BEE7778EF54314F14892EF815A72C1DB78AE05C7A5

Function 0041A700 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 288COMMON

Download Yara Rule

APIs

CreateSolidBrush.GDI32(00FFFFFF), ref: 0041A85F
GetWindowRect.USER32(?), ref: 0041A889
GetStockObject.GDI32(00000005), ref: 0041A8B7
LoadCursorA.USER32(00000000,00007F00), ref: 0041A8C5
GetWindowRect.USER32(?,?), ref: 0041A933
GetWindowRect.USER32(?,?), ref: 0041A944
GetWindowRect.USER32(?,?), ref: 0041A959
GetSystemMetrics.USER32(00000001), ref: 0041A96F
GetWindowRect.USER32(?,?), ref: 0041A9FA
OffsetRect.USER32(?,00000000,00000001), ref: 0041AA14

Strings

dU, xrefs: 0041A820

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Rect$Window$BrushCreateCursorLoadMetricsObjectOffsetSolidStockSystem
String ID: dU
API String ID: 3805611468-2699344733
Opcode ID: 82e9cf0a5788139b56d7e35dba33e3aa370cd9b356566ee98f43f9d51addc34e
Instruction ID: 93fc36d1f9df36f09be03cb1cda0c926931666c014609a1c3a4fc40ec835d423
Opcode Fuzzy Hash: 82e9cf0a5788139b56d7e35dba33e3aa370cd9b356566ee98f43f9d51addc34e
Instruction Fuzzy Hash: 72A1B1706047019FD724DF79C885FABB7E5AFC4708F00891EF16A87290EB78E9458B5A

Function 00469F51 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 221COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,0056512C,00000001,0056512C,00000001,00000000,024311BC,0000000C,00000000,0000000C,00000000,000001D0,00000000,00000000,0045DA63), ref: 00469F8F
CompareStringA.KERNEL32(00000000,00000000,00565128,00000001,00565128,00000001), ref: 00469FAC
CompareStringA.KERNEL32(0044EA86,00000000,00000000,00000000,0045DA63,00000000,00000000,024311BC,0000000C,00000000,0000000C,00000000,000001D0,00000000,00000000,0045DA63), ref: 0046A00A
GetCPInfo.KERNEL32(00000000,00000000,00000000,024311BC,0000000C,00000000,0000000C,00000000,000001D0,00000000,00000000,0045DA63,00000000), ref: 0046A05B
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000), ref: 0046A0DA
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,?,?), ref: 0046A13B
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,?,00000000,00000000), ref: 0046A14E
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0046A19A
CompareStringW.KERNEL32(0044EA86,00000000,00000000,00000000,?,00000000,?,00000000), ref: 0046A1B2

Strings

,QV, xrefs: 00469F85
(QV, xrefs: 00469FA2

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharCompareMultiStringWide$Info
String ID: (QV$,QV
API String ID: 1651298574-772822661
Opcode ID: 9b2b768774e94ca02ef28fe3b29159c131e97f4460298f495e96cdee429b038e
Instruction ID: 1a370ef4f0b77ea36abf16a301fd41545f09ef267a1b0435e33cd44f0e44a7db
Opcode Fuzzy Hash: 9b2b768774e94ca02ef28fe3b29159c131e97f4460298f495e96cdee429b038e
Instruction Fuzzy Hash: 3671AA71900649AFCF218F909C819EF7BBAFB06304F14412BF911A2261E3398C65DF9B

Function 00406520 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 130stringprocessCOMMON

Download Yara Rule

APIs

ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,?), ref: 004065B8
lstrcatA.KERNEL32(?,\shell\open\command,80000000,.htm,?,?,?,?), ref: 004065F7
lstrlenA.KERNEL32(?), ref: 0040664C
lstrcatA.KERNEL32(00000000,00571C5C), ref: 00406695
lstrcatA.KERNEL32(00000000,?), ref: 0040669D
WinExec.KERNEL32(?,?), ref: 004066A5

Part of subcall function 0046D739: InterlockedDecrement.KERNEL32(-000000F4), ref: 0046D74D

Strings

open, xrefs: 004065B1
"%1", xrefs: 0040661B
.htm, xrefs: 004065D0
mailto:, xrefs: 00406586
\shell\open\command, xrefs: 004065F1

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: lstrcat$DecrementExecExecuteInterlockedShelllstrlen
String ID: "%1"$.htm$\shell\open\command$mailto:$open
API String ID: 51986957-2182632014
Opcode ID: 23381233c950055f2029869789a95f8aa9650aa87c7427c15915f46be9ba4a79
Instruction ID: c32fd37c84976e097f6adea3ee57663c281623d09e5f2a5afaba4f1c51edb3d7
Opcode Fuzzy Hash: 23381233c950055f2029869789a95f8aa9650aa87c7427c15915f46be9ba4a79
Instruction Fuzzy Hash: 71411971644702ABC310DF65DD85FABB7E8AF94750F01492DF959632C0E738AC14CB6A

Function 00413A20 Relevance: 18.4, APIs: 12, Instructions: 354COMMON

Download Yara Rule

APIs

CreateRectRgn.GDI32(?,?,?,?), ref: 00413A6E
GetClientRect.USER32(?,?), ref: 00413B09
CreateRectRgn.GDI32 ref: 00413B7A
CombineRgn.GDI32(?,?,0055E4A4,00000004), ref: 00413BAB
SetRect.USER32(?,00000000,?,?,?), ref: 00413C02
IntersectRect.USER32(?,?,?), ref: 00413C0F
IsRectEmpty.USER32(?), ref: 00413C3A
__ftol.LIBCMT ref: 00413D18
__ftol.LIBCMT ref: 00413D25
CreateRectRgn.GDI32(00000000,?,00000000,00000000), ref: 00413D7E
CombineRgn.GDI32(?,?,0055E4A4,00000004), ref: 00413DAF

Part of subcall function 0041DE00: SetStretchBltMode.GDI32(?,00000000), ref: 0041DE14
Part of subcall function 0041DE00: CreateCompatibleDC.GDI32(?), ref: 0041DE99
Part of subcall function 0041DE00: CreateCompatibleDC.GDI32(?), ref: 0041DEB1
Part of subcall function 0041DE00: GetObjectA.GDI32(?,00000018,?), ref: 0041DEF2
Part of subcall function 0041DE00: CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0041DF08

FillRgn.GDI32(?,?,00000000), ref: 00413E2C

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Rect$Create$CombineCompatible__ftol$BitmapClientEmptyFillIntersectModeObjectStretch
String ID:
API String ID: 3212946024-0
Opcode ID: a3789b7dc96da1ee2f95e1468d346bf679207a0b84609d1fa0dc1bd7439265f8
Instruction ID: fd5e53245430c8c77482bc1511e64ee18d316e76031718f8814d59861cef15e1
Opcode Fuzzy Hash: a3789b7dc96da1ee2f95e1468d346bf679207a0b84609d1fa0dc1bd7439265f8
Instruction Fuzzy Hash: 84D18CB16083409FC714CF29C885AAFBBE8BFC4355F148A1EF88993251D734E945CBA6

Function 0041CFC0 Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 405COMMON

Download Yara Rule

APIs

InflateRect.USER32(?,?,?), ref: 0041D066

Part of subcall function 0041CD90: SetRect.USER32(?,00000000,00000032,00000032,?), ref: 0041CE79
Part of subcall function 0041CD90: OffsetRect.USER32(?,?,?), ref: 0041CE86
Part of subcall function 0041CD90: IntersectRect.USER32(?,?,?), ref: 0041CEA2
Part of subcall function 0041CD90: IsRectEmpty.USER32(?), ref: 0041CEAD

InflateRect.USER32(?,?,?), ref: 0041D0D9
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 0041D2DD
GetClipRgn.GDI32(?,00000000), ref: 0041D2EC
CreatePolygonRgn.GDI32 ref: 0041D36A
SelectClipRgn.GDI32(?,?), ref: 0041D44D
CreatePolygonRgn.GDI32(?,00000005,00000002), ref: 0041D470
SelectClipRgn.GDI32(?,?), ref: 0041D4F1
DeleteObject.GDI32(?), ref: 0041D507

Strings

gfff, xrefs: 0041D1CD

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Rect$ClipCreate$InflatePolygonSelect$DeleteEmptyIntersectObjectOffset
String ID: gfff
API String ID: 1105800552-1553575800
Opcode ID: e55e0e88bac9b4a7b66c933ff74d9b7c8c8ca4e0889cd06daa640797ee29c88e
Instruction ID: 4c5b31a3560a4b52bd21037a6102543ca0fd7fbe470205ba33f695c68a77004a
Opcode Fuzzy Hash: e55e0e88bac9b4a7b66c933ff74d9b7c8c8ca4e0889cd06daa640797ee29c88e
Instruction Fuzzy Hash: A2F117B46083419FD324CF29C980BABBBE5BBC8304F108A2EF99987350D774E945CB56

Function 00427580 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 186COMMON

Download Yara Rule

APIs

CopyRect.USER32(?,00000000), ref: 004275F7
IsRectEmpty.USER32(?), ref: 00427602
GetClientRect.USER32(00000000,?), ref: 00427641
DPtoLP.GDI32(?,?,00000002), ref: 00427653
LPtoDP.GDI32(?,?,00000002), ref: 00427690
CreateRectRgnIndirect.GDI32(?), ref: 004276A8
OffsetRect.USER32(?,?,?), ref: 004276CD
LPtoDP.GDI32(?,?,00000002), ref: 004276DF

Part of subcall function 004743ED: __EH_prolog.LIBCMT ref: 004743F2
Part of subcall function 004743ED: CreatePen.GDI32(?,?,?), ref: 00474415

Part of subcall function 004739D4: SelectObject.GDI32(?,00000000), ref: 004739F6
Part of subcall function 004739D4: SelectObject.GDI32(?,?), ref: 00473A0C

Part of subcall function 00473998: GetStockObject.GDI32(?), ref: 004739A1
Part of subcall function 00473998: SelectObject.GDI32(?,00000000), ref: 004739BB
Part of subcall function 00473998: SelectObject.GDI32(?,00000000), ref: 004739C6

Part of subcall function 00473B0C: SetROP2.GDI32(?,?), ref: 00473B25
Part of subcall function 00473B0C: SetROP2.GDI32(?,?), ref: 00473B33

Rectangle.GDI32(?,?,?,?,?), ref: 00427753

Part of subcall function 00473E01: SelectClipRgn.GDI32(?,00000000), ref: 00473E23
Part of subcall function 00473E01: SelectClipRgn.GDI32(?,?), ref: 00473E39

Part of subcall function 004743D7: DeleteObject.GDI32(00000000), ref: 004743E6

Part of subcall function 0047414A: __EH_prolog.LIBCMT ref: 0047414F
Part of subcall function 0047414A: ReleaseDC.USER32(?,00000000), ref: 0047416E

Strings

0U, xrefs: 004276B8, 004276C0

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ObjectSelect$Rect$ClipCreateH_prolog$ClientCopyDeleteEmptyIndirectOffsetRectangleReleaseStock
String ID: 0U
API String ID: 2841338838-1836569174
Opcode ID: e57d0a8603eca3c709205c6eefec10d5b43d958c3c27476e7de949145d89c4ac
Instruction ID: 60f9c2a8fd05bfeafbd91b4d21b21c937fe05e8f6779eae8b66ea67ed252274c
Opcode Fuzzy Hash: e57d0a8603eca3c709205c6eefec10d5b43d958c3c27476e7de949145d89c4ac
Instruction Fuzzy Hash: 2F614B712083409FC314DF65C895A6BBBE9EFC8708F408A1DF59A83291DB74E908CB56

Function 0046E509 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 172COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0046E50E
GetSystemMetrics.USER32(0000002A), ref: 0046E5BF
GlobalLock.KERNEL32(?), ref: 0046E649
CreateDialogIndirectParamA.USER32(?,?,?,Function_0006E351,00000000), ref: 0046E67B

Strings

MS Shell Dlg, xrefs: 0046E5CD
Helv, xrefs: 0046E5F3
MS Sans Serif, xrefs: 0046E5E0

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateDialogGlobalH_prologIndirectLockMetricsParamSystem
String ID: Helv$MS Sans Serif$MS Shell Dlg
API String ID: 2364537584-2894235370
Opcode ID: a54e8dcd5e2c419e55461566da516ebbd6de95a74b3dcaf259643ff26d491ecd
Instruction ID: f07931cc41e203ee660ee7bdba1ce60dc2d27f4c054e8648ea3a3d901b00ef05
Opcode Fuzzy Hash: a54e8dcd5e2c419e55461566da516ebbd6de95a74b3dcaf259643ff26d491ecd
Instruction Fuzzy Hash: F2617E3590021AEFCF14EFA5C9859EEBBF1BF14305F10402FE505A7291EB388A45DB9A

Function 0041B920 Relevance: 16.8, APIs: 11, Instructions: 265windowCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,00000018,?), ref: 0041B95D
MulDiv.KERNEL32(?,?,00000064), ref: 0041B992
MulDiv.KERNEL32(?,?,00000064), ref: 0041B9BD
GetDeviceCaps.GDI32 ref: 0041B9F7
GetSystemPaletteEntries.GDI32(?,00000000,000000FF,00000004), ref: 0041BA31
CreatePalette.GDI32(00000000), ref: 0041BA3C
CreateCompatibleBitmap.GDI32(?,?,?), ref: 0041BA9C
CreateCompatibleDC.GDI32(?), ref: 0041BACF
CreateCompatibleDC.GDI32(?), ref: 0041BB08
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 0041BB6B
GlobalFree.KERNEL32(00000000), ref: 0041BC33

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Create$Compatible$Palette$BitmapCapsDeviceEntriesFreeGlobalObjectStretchSystem
String ID:
API String ID: 3563226738-0
Opcode ID: 5a229b17712cd128737ceb7553c67b54f961623676c52a433a59880266928c9d
Instruction ID: f00e57a9fdf398430c22ff75251e6e811667f11c5b327b3491123e8820e43b06
Opcode Fuzzy Hash: 5a229b17712cd128737ceb7553c67b54f961623676c52a433a59880266928c9d
Instruction Fuzzy Hash: D79194B15083449FC310EF65C885BAFB7E8EF95704F104A1EF69983281DB78E949CB96

Function 00440500 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

GetTextExtentPoint32A.GDI32(?,?,?,00000090), ref: 0044057F
GetTextExtentPoint32A.GDI32(?,?,?,00000090), ref: 004405A4
GetWindowRect.USER32(?,?), ref: 0044062E
SetRect.USER32(00000080,?,?,?,?), ref: 00440663
SetRect.USER32(00000070,?,?,?,?), ref: 004406A8
SetRect.USER32(00000060,?,?,?,?), ref: 0044071B
GetSystemMetrics.USER32(00000001), ref: 00440746
GetSystemMetrics.USER32(00000000), ref: 0044074C
OffsetRect.USER32(00000080,00000000,00000000), ref: 00440764
OffsetRect.USER32(00000080,00000000,00000000), ref: 00440772
OffsetRect.USER32(00000080,00000000,00000000), ref: 00440784

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Rect$Offset$ExtentMetricsPoint32SystemText$Window
String ID:
API String ID: 1551820068-0
Opcode ID: bdbd30859a7f38f632842d5dd2a8e69ca22ee8c60dee00c9fcbefe7064145d10
Instruction ID: 0e3fd248eb9c91e6162bd7668c8f5a5815df0b50ffe4e5fba63a312711a6f987
Opcode Fuzzy Hash: bdbd30859a7f38f632842d5dd2a8e69ca22ee8c60dee00c9fcbefe7064145d10
Instruction Fuzzy Hash: 01913671200B059FD318CF69C985E6AF7EAFB88700F048A2DA99AC7754EB74FC158B54

Function 00432970 Relevance: 16.7, APIs: 11, Instructions: 185windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0043299E
FillRect.USER32(?,?,00000000), ref: 004329FE
FillRect.USER32(?,?,00000000), ref: 00432A6E

Part of subcall function 0047443D: __EH_prolog.LIBCMT ref: 00474442
Part of subcall function 0047443D: CreateSolidBrush.GDI32(?), ref: 0047445F

FillRect.USER32(?,?,00000000), ref: 00432AE5
CreateCompatibleDC.GDI32(?), ref: 00432B0D
SelectObject.GDI32(00000000,?), ref: 00432B23
SetStretchBltMode.GDI32(?,00000000), ref: 00432B55
StretchBlt.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00432B88
BitBlt.GDI32(?,00000000,?,?,?,00000000,00000000,00000000,00CC0020), ref: 00432BB3
SelectObject.GDI32(00000000,?), ref: 00432BBF
DeleteDC.GDI32(00000000), ref: 00432BCC

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Rect$Fill$CreateObjectSelectStretch$BrushClientCompatibleDeleteH_prologModeSolid
String ID:
API String ID: 1645634290-0
Opcode ID: e341973afcb61a37879507e8e63b566850dab641066801466fbc1f04bf24edcb
Instruction ID: 12eda3004e23066b5e598c197581997ac64ee351cf5c831b222d573e7f95bd33
Opcode Fuzzy Hash: e341973afcb61a37879507e8e63b566850dab641066801466fbc1f04bf24edcb
Instruction Fuzzy Hash: 01611A71204741AFD724DF65CA90FABB7F8BB88704F00891EF99A93280DB74E805CB65

Function 00409080 Relevance: 16.7, APIs: 11, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetCurrentObject.GDI32(?,00000001), ref: 004090B9
GetCurrentObject.GDI32(?,00000002), ref: 00409103
GetCurrentObject.GDI32(?,00000006), ref: 0040914D
GetTextColor.GDI32(?), ref: 0040918C
GetBkMode.GDI32(?), ref: 004091B6
GetBkColor.GDI32(?), ref: 004091D5
GetBkMode.GDI32(?), ref: 004091F8
GetBkColor.GDI32(?), ref: 00409217
GetROP2.GDI32(?), ref: 0040923F
GetStretchBltMode.GDI32(?), ref: 00409260
GetPolyFillMode.GDI32(?), ref: 0040928C

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Mode$ColorCurrentObject$FillPolyStretchText
String ID:
API String ID: 544274770-0
Opcode ID: a89121301523814f72ad9d9b0451a9e431cb207b9a2da041709979de2f595e1c
Instruction ID: c6e646ea132d0984b22d403ed1ca204e083b853566b63967a8c7b2a0bf69f7a2
Opcode Fuzzy Hash: a89121301523814f72ad9d9b0451a9e431cb207b9a2da041709979de2f595e1c
Instruction Fuzzy Hash: D8515171210A029BC764DBB4C889BABB3A5FF84301F144A2DE15F97292DF34BC85CB58

Function 0042FE00 Relevance: 16.6, APIs: 11, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00474240: __EH_prolog.LIBCMT ref: 00474245
Part of subcall function 00474240: BeginPaint.USER32(?,?,?,?,00403979), ref: 0047426E

GetClientRect.USER32(?,?), ref: 0042FE3D
CreateCompatibleBitmap.GDI32 ref: 0042FE72
CreateCompatibleDC.GDI32(?), ref: 0042FEA2

Part of subcall function 00473981: SelectObject.GDI32(?,?), ref: 00473989

PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 0042FEDA
GetObjectA.GDI32(00000000,00000018,?), ref: 0042FEF5
CreateCompatibleDC.GDI32(?), ref: 0042FF00
SelectObject.GDI32(00000000,00000000), ref: 0042FF10
BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 0042FF33
SelectObject.GDI32(00000000,?), ref: 0042FF3F
DeleteDC.GDI32(00000000), ref: 0042FF42
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042FF6B

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Object$CompatibleCreateSelect$BeginBitmapClientDeleteH_prologPaintRect
String ID:
API String ID: 1593221388-0
Opcode ID: 14e44dbc75dc91f073db19ee82a371587038255f9e0fd5daa03e60b08b7ea2da
Instruction ID: b8ec2f9bd30ae30219f36ade9decb5dc1022e6581e7251c1b7f5f51cd773de38
Opcode Fuzzy Hash: 14e44dbc75dc91f073db19ee82a371587038255f9e0fd5daa03e60b08b7ea2da
Instruction Fuzzy Hash: B8513171208381AFD310DFA5DC85F6BBBE8FBC9704F40492DB69983281D778A804CB66

Function 00417DF0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 181windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00474240: __EH_prolog.LIBCMT ref: 00474245
Part of subcall function 00474240: BeginPaint.USER32(?,?,?,?,00403979), ref: 0047426E

Part of subcall function 00473DF1: GetClipBox.GDI32(?,?), ref: 00473DF8

IsRectEmpty.USER32(?), ref: 00417E3D
GetSysColor.USER32(0000000F), ref: 00417E4E

Part of subcall function 0047443D: __EH_prolog.LIBCMT ref: 00474442
Part of subcall function 0047443D: CreateSolidBrush.GDI32(?), ref: 0047445F

Part of subcall function 004739D4: SelectObject.GDI32(?,00000000), ref: 004739F6
Part of subcall function 004739D4: SelectObject.GDI32(?,?), ref: 00473A0C

PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 00417E98
GetClientRect.USER32(?,?), ref: 00417EB1
LoadBitmapA.USER32(?,?), ref: 00417EE8
GetObjectA.GDI32(?,00000018,?), ref: 00417F37
CreateCompatibleDC.GDI32(?), ref: 00417F5D
BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 00417FEF

Strings

(U, xrefs: 00417F05

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Object$CreateH_prologRectSelect$BeginBitmapBrushClientClipColorCompatibleEmptyLoadPaintSolid
String ID: (U
API String ID: 1390316934-1038552597
Opcode ID: 6da4dfe7508205f485b1b218e3472883b75608b9af41697a4920dbf38dae55e6
Instruction ID: cca992674808e9fa9016e4764a6c828e1ac149d38e2801069fc7038f8b569296
Opcode Fuzzy Hash: 6da4dfe7508205f485b1b218e3472883b75608b9af41697a4920dbf38dae55e6
Instruction Fuzzy Hash: CD6129712083819FD324DF65C855FABBBE8FBC4715F048A1DB59993281DB78A908CB62

Function 00403E80 Relevance: 15.4, APIs: 10, Instructions: 430COMMON

Download Yara Rule

APIs

Part of subcall function 00474240: __EH_prolog.LIBCMT ref: 00474245
Part of subcall function 00474240: BeginPaint.USER32(?,?,?,?,00403979), ref: 0047426E

Part of subcall function 00473DF1: GetClipBox.GDI32(?,?), ref: 00473DF8

IsRectEmpty.USER32(?), ref: 00403EC7
GetClientRect.USER32(?,?), ref: 00403EDF
InflateRect.USER32(?,?,?), ref: 00403F9D
IntersectRect.USER32(?,?,?), ref: 00404007
CreateRectRgn.GDI32(?,?,?,?), ref: 00404021
FillRgn.GDI32(?,?,?), ref: 004041E0
GetCurrentObject.GDI32(?,00000006), ref: 0040425F

Part of subcall function 00473998: GetStockObject.GDI32(?), ref: 004739A1
Part of subcall function 00473998: SelectObject.GDI32(?,00000000), ref: 004739BB
Part of subcall function 00473998: SelectObject.GDI32(?,00000000), ref: 004739C6

OffsetRect.USER32(?,00000001,00000001), ref: 0040433D
OffsetRect.USER32(?,00000002,00000002), ref: 004043D1
OffsetRect.USER32(?,00000001,00000001), ref: 00404384

Part of subcall function 00473B68: SetTextColor.GDI32(?,?), ref: 00473B82
Part of subcall function 00473B68: SetTextColor.GDI32(?,?), ref: 00473B90

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Rect$Object$Offset$ColorSelectText$BeginClientClipCreateCurrentEmptyFillH_prologInflateIntersectPaintStock
String ID:
API String ID: 4264835570-0
Opcode ID: 2cdba0e2688f99be49b0f729c17775395dbdb491fa5356c5401ae5dc8534aa94
Instruction ID: e63b11cc4c9c8052e0c1257189e2daada09eba87f1c000f6e76d51caa2ec69ca
Opcode Fuzzy Hash: 2cdba0e2688f99be49b0f729c17775395dbdb491fa5356c5401ae5dc8534aa94
Instruction Fuzzy Hash: 0A025DB1508380DFC324DF55C884AABB7E5BFD4304F00492EF59A97291DB74E949CB56

Function 00408650 Relevance: 15.3, APIs: 10, Instructions: 316windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0040868F
CreateCompatibleBitmap.GDI32 ref: 004086EB
CreateCompatibleDC.GDI32(?), ref: 0040871B
CreateRectRgn.GDI32(00000000,00000000,00000001,?), ref: 004087B0
SetRect.USER32(?,00000000,00000000,00000001,?), ref: 004087D9

Part of subcall function 00404530: __ftol.LIBCMT ref: 00404655
Part of subcall function 00404530: __ftol.LIBCMT ref: 00404662

FillRgn.GDI32(?,?,?), ref: 00408856
PatBlt.GDI32(?,00000000,00000000,00000001,?,00F00021), ref: 004088C9

Part of subcall function 004027B0: GetSysColor.USER32(0000000F), ref: 004027BD

Part of subcall function 0047443D: __EH_prolog.LIBCMT ref: 00474442
Part of subcall function 0047443D: CreateSolidBrush.GDI32(?), ref: 0047445F

GetObjectA.GDI32(?,00000018,?), ref: 00408945
CreateCompatibleDC.GDI32(?), ref: 00408983
BitBlt.GDI32(?,00000000,00000000,00000001,?,?,00000000,00000000,00CC0020), ref: 004089E2

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Create$CompatibleRect$__ftol$BitmapBrushClientColorFillH_prologObjectSolid
String ID:
API String ID: 2289681609-0
Opcode ID: 2165239b26606edfc16c9d9b5d63b8536bff4491c26b07b2bbe3cae4788c335b
Instruction ID: 3e7cd09153c1db125bbc0597a478d78268f691fa68f8b0f02049bd05733dd862
Opcode Fuzzy Hash: 2165239b26606edfc16c9d9b5d63b8536bff4491c26b07b2bbe3cae4788c335b
Instruction Fuzzy Hash: F8C1A4712083419FC724DF65C985BABB7E8AFD4704F00892EF589D3291DB78E948CB66

Function 00408240 Relevance: 15.2, APIs: 10, Instructions: 198windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00474240: __EH_prolog.LIBCMT ref: 00474245
Part of subcall function 00474240: BeginPaint.USER32(?,?,?,?,00403979), ref: 0047426E

Part of subcall function 00473DF1: GetClipBox.GDI32(?,?), ref: 00473DF8

GetClientRect.USER32(?,?), ref: 0040828E
IntersectRect.USER32(?,?,?), ref: 004082A6
IsRectEmpty.USER32(?), ref: 004082D6
GetObjectA.GDI32(?,00000018,?), ref: 0040830D
CreateCompatibleDC.GDI32(?), ref: 00408333
IntersectRect.USER32(?,?,?), ref: 00408388
IsRectEmpty.USER32(?), ref: 00408393
BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 004083D1
DPtoLP.GDI32(?,?,00000002), ref: 00408456
IsWindow.USER32(?), ref: 004084B8

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Rect$EmptyIntersect$BeginClientClipCompatibleCreateH_prologObjectPaintWindow
String ID:
API String ID: 29348440-0
Opcode ID: 21458bcbf5741bb22da00dbbe7b45892308f6915585ee58f5efd82ebb10b49bf
Instruction ID: 3dd7d4c8437f1567277c748929c6c156a112390a713ebf9cf8285d0ddee150f4
Opcode Fuzzy Hash: 21458bcbf5741bb22da00dbbe7b45892308f6915585ee58f5efd82ebb10b49bf
Instruction Fuzzy Hash: 7A812EB1508741DFC324DF65C984AABB7E9FBC8704F008E2EF59A93250DB34A909CB56

Function 00418FC0 Relevance: 15.2, APIs: 10, Instructions: 179COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00418FDD
GetWindowRect.USER32(?,?), ref: 00418FEC
IntersectRect.USER32(?,?,?), ref: 00419045
EqualRect.USER32(?,?), ref: 00419075
GetWindowRect.USER32(?,?), ref: 00419093
OffsetRect.USER32(?,?,?), ref: 0041910A
OffsetRect.USER32(?,?,00000000), ref: 00419124
OffsetRect.USER32(?,?,00000000), ref: 0041913C
OffsetRect.USER32(?,00000000,?), ref: 00419156
OffsetRect.USER32(?,00000000,?), ref: 0041916E

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Rect$Offset$Window$EqualIntersect
String ID:
API String ID: 2638238157-0
Opcode ID: 3fedc33b6e4dbe99fa45f1ec799a75b4ac32bb51b9b975cec3a4aefab7860c11
Instruction ID: 31cb529158b1ce917625a482966571203a003f2d4a8299637141eec85287d073
Opcode Fuzzy Hash: 3fedc33b6e4dbe99fa45f1ec799a75b4ac32bb51b9b975cec3a4aefab7860c11
Instruction Fuzzy Hash: A8511D75608302AFD708CF28C99496FBBE9ABC8744F004A2EF985D3354D675ED45CB52

Function 00430890 Relevance: 15.1, APIs: 10, Instructions: 86COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000002E), ref: 004308A1
GetSystemMetrics.USER32(0000002D), ref: 004308A7
GetSystemMetrics.USER32(0000000A), ref: 004308AD
GetSystemMetrics.USER32(0000000A), ref: 004308B8
GetSystemMetrics.USER32(00000009), ref: 004308C6
GetSystemMetrics.USER32(00000009), ref: 004308D2
GetWindowRect.USER32(?,?), ref: 004308F7
GetParent.USER32(?), ref: 004308FD
GetWindowRect.USER32(?,00000000), ref: 00430922
SetRect.USER32(?,?,00000000,?,?), ref: 00430954

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MetricsSystem$Rect$Window$Parent
String ID:
API String ID: 3457858938-0
Opcode ID: b36ba893e340fe90a3fe21150cd646c20406741aea9b9cbf96e9bd2497249f9e
Instruction ID: 31174b0f21c1667fea8fea341ead38e8c525679ec5c7a5f0f83e17cde5926081
Opcode Fuzzy Hash: b36ba893e340fe90a3fe21150cd646c20406741aea9b9cbf96e9bd2497249f9e
Instruction Fuzzy Hash: 3F213571A043095BD708EF68DC9597F77A9EBC8700F004A2EB945D7281D774ED098BA6

Function 00475B7B Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0047729F: __EH_prolog.LIBCMT ref: 004772A4

Part of subcall function 0047197F: GetWindowLongA.USER32(?,000000F0), ref: 0047198B

SendMessageA.USER32(?,000001A1,00000000,00000000), ref: 00475BC4
SendMessageA.USER32(?,0000018B,00000000,00000000), ref: 00475BD3
SendMessageA.USER32(?,0000018E,00000000,00000000), ref: 00475BEC
SendMessageA.USER32(?,0000018E,00000000,00000000), ref: 00475C14
SendMessageA.USER32(?,0000018B,00000000,00000000), ref: 00475C23
SendMessageA.USER32(?,00000198,?,?), ref: 00475C39
PtInRect.USER32(?,000000FF,?), ref: 00475C45

Strings

,?Y, xrefs: 00475B94

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$H_prologLongRectWindow
String ID: ,?Y
API String ID: 2846605207-2222958074
Opcode ID: 3fd9acee4ffa7aaa99f116899a8bd4994e41011a5a7e297eec1b2f4bc06e75a4
Instruction ID: d57ef2c66e8a560f9799a86bdc1fc245cf390c55a55a00ca589d0ca1e8aa97a3
Opcode Fuzzy Hash: 3fd9acee4ffa7aaa99f116899a8bd4994e41011a5a7e297eec1b2f4bc06e75a4
Instruction Fuzzy Hash: FD314770A00608FFDB01DFA4CC81DAEB7B9EB04348B20846AF515AB2A1D774AE42DB14

Function 004735E6 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000011), ref: 00473602
GetStockObject.GDI32(0000000D), ref: 0047360A
GetObjectA.GDI32(00000000,0000003C,?), ref: 00473617
GetDC.USER32(00000000), ref: 00473626
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0047363D
MulDiv.KERNEL32(?,00000048,00000000), ref: 00473649
ReleaseDC.USER32(00000000,00000000), ref: 00473654

Strings

System, xrefs: 004735FB, 0047366A

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: 3256490b8f3fd879a477d20503836ae316725fc2914addead144a83dafee1e20
Instruction ID: 38fa7433372131123fbb4085f8b21be7366f0730343ff0f0d8f03c16c3dd033a
Opcode Fuzzy Hash: 3256490b8f3fd879a477d20503836ae316725fc2914addead144a83dafee1e20
Instruction Fuzzy Hash: 22117771A40218FBEB109F95CC45FAE7BA8AB14745F008029F609E7290D7749E4197A9

Function 00469711 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,004623C1,?,Microsoft Visual C++ Runtime Library,00012010,?,00564EA4,?,00564EF4,?,?,?,Runtime Error!Program: ), ref: 00469723
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0046973B
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0046974C
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00469759

Strings

GetLastActivePopup, xrefs: 0046974E
MessageBoxA, xrefs: 00469735
user32.dll, xrefs: 0046971E
GetActiveWindow, xrefs: 00469746

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
API String ID: 2238633743-4044615076
Opcode ID: 56be3bfb9e53489abf722f786c74c77d5cff83ff1102bdd25359f59fbb3afeee
Instruction ID: 0ff68822130abef57acc3b8f1f3d0fae602090471275b8b9960b090fe6be3db2
Opcode Fuzzy Hash: 56be3bfb9e53489abf722f786c74c77d5cff83ff1102bdd25359f59fbb3afeee
Instruction Fuzzy Hash: 1C015E317502029F87119FF69DC4F2B3EADAB68682706046BA506C2221E6B48C46AF66

Function 004714EF Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(COMCTL32.DLL,00000800,00000000,00000400,004717E9,?,00020000), ref: 004714F8
LoadLibraryA.KERNEL32(COMCTL32.DLL), ref: 00471501
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00471515
#17.COMCTL32 ref: 00471530
#17.COMCTL32 ref: 0047154C
FreeLibrary.KERNEL32(00000000), ref: 00471558

Strings

InitCommonControlsEx, xrefs: 0047150D
COMCTL32.DLL, xrefs: 004714F1, 004714F7, 004714FE

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Library$AddressFreeHandleLoadModuleProc
String ID: COMCTL32.DLL$InitCommonControlsEx
API String ID: 1437655972-4218389149
Opcode ID: 0e606bcbc0a300b6f5f107f810ed0e23d488b39fd0faf2a0ee30b733fc74201c
Instruction ID: f89499dcced83c710ad690e02e5eabce57a75e43109d0d09199da11a6169b335
Opcode Fuzzy Hash: 0e606bcbc0a300b6f5f107f810ed0e23d488b39fd0faf2a0ee30b733fc74201c
Instruction Fuzzy Hash: 37F0CD72700212AB87115FAC9C8855F77A9EFC4751705843AF80FE3220DB24DE0147B9

Function 00414750 Relevance: 13.9, APIs: 9, Instructions: 387windowCOMMON

Download Yara Rule

APIs

IsChild.USER32(?,?), ref: 00414788
GetParent.USER32(?), ref: 00414819
IsWindow.USER32(?), ref: 0041494B
IsWindowVisible.USER32(?), ref: 0041495D

Part of subcall function 00471B0E: IsWindowEnabled.USER32(?), ref: 00471B18

GetParent.USER32(?), ref: 004149AE
IsChild.USER32(?,?), ref: 004149CE
GetParent.USER32(?), ref: 00414B77
SendMessageA.USER32(?,000000F1,00000001,00000000), ref: 00414B94
IsWindow.USER32(?), ref: 00414BEF

Part of subcall function 0040AC40: IsChild.USER32(?,?), ref: 0040ACBD
Part of subcall function 0040AC40: GetParent.USER32(?), ref: 0040ACD7

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ParentWindow$Child$EnabledMessageSendVisible
String ID:
API String ID: 2452671399-0
Opcode ID: 4ba34b6f64240b9470d4a64ebb24891374e3b883d6d46f480bc0a5a505a15fa3
Instruction ID: 389bf7f147d9efa8b1ad055d8b6b3614f53cc74b1db6157621d72d2658f4e005
Opcode Fuzzy Hash: 4ba34b6f64240b9470d4a64ebb24891374e3b883d6d46f480bc0a5a505a15fa3
Instruction Fuzzy Hash: 24E1AE716043418FC724DF25C880BABB7A4BFC4704F054A2EF98697391DB78E985CB9A

Function 00404530 Relevance: 13.8, APIs: 9, Instructions: 272COMMON

Download Yara Rule

APIs

Part of subcall function 0041D9C0: CreateDIBitmap.GDI32(?,?,00000004,?,?,00000000), ref: 0041DA4C
Part of subcall function 0041D9C0: CreateCompatibleDC.GDI32(?), ref: 0041DA5E
Part of subcall function 0041D9C0: CreateCompatibleDC.GDI32(?), ref: 0041DA67
Part of subcall function 0041D9C0: SelectObject.GDI32(00000000,?), ref: 0041DA76
Part of subcall function 0041D9C0: CreateCompatibleBitmap.GDI32(?,?,?), ref: 0041DA89
Part of subcall function 0041D9C0: SelectObject.GDI32(?,00000000), ref: 0041DA99
Part of subcall function 0041D9C0: BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 0041DAB9
Part of subcall function 0041D9C0: SelectObject.GDI32(00000000,?), ref: 0041DAC5
Part of subcall function 0041D9C0: DeleteDC.GDI32(00000000), ref: 0041DAD2
Part of subcall function 0041D9C0: SelectObject.GDI32(?,?), ref: 0041DADA
Part of subcall function 0041D9C0: DeleteDC.GDI32(?), ref: 0041DAE1

__ftol.LIBCMT ref: 00404655
__ftol.LIBCMT ref: 00404662
CreateRectRgn.GDI32(00000000,?,00000000,?), ref: 004046D4
CombineRgn.GDI32(?,?,0055DFA8,00000004), ref: 004046FA
SetRect.USER32(?,00000000,?,?,?), ref: 00404746
IntersectRect.USER32(?,?,?), ref: 0040475E
IsRectEmpty.USER32(?), ref: 00404789
CreateRectRgn.GDI32(00000000,?,?,00000000), ref: 0040482E
CombineRgn.GDI32(?,?,0055DFA8,00000004), ref: 00404854

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Create$Rect$ObjectSelect$Compatible$BitmapCombineDelete__ftol$EmptyIntersect
String ID:
API String ID: 909876544-0
Opcode ID: 575ee8cf861b3492818cf92324e4a3f5e90626fcefdf3f7a111f757215517431
Instruction ID: eeed85ff5ec35486fd6b706f043bec9db0f4271598dfed1e2a849305750fbdf3
Opcode Fuzzy Hash: 575ee8cf861b3492818cf92324e4a3f5e90626fcefdf3f7a111f757215517431
Instruction Fuzzy Hash: A6A17EB16083419FC324DF69C884A5BBBE9FBC8344F508E2DF59597290EB74D848CB96

Function 004657C4 Relevance: 13.7, APIs: 9, Instructions: 177COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,0056512C,00000001,00000000,00000000,76F8E860,00594698,?,?,?,0045EFDD,?,?,?,00000000), ref: 00465806
LCMapStringA.KERNEL32(00000000,00000100,00565128,00000001,00000000,00000000,?,?,0045EFDD,?,?,?,00000000,00000001), ref: 00465822
LCMapStringA.KERNEL32(?,?,?,0045EFDD,?,?,76F8E860,00594698,?,?,?,0045EFDD,?,?,?,00000000), ref: 0046586B
MultiByteToWideChar.KERNEL32(?,00594699,?,0045EFDD,00000000,00000000,76F8E860,00594698,?,?,?,0045EFDD,?,?,?,00000000), ref: 004658A3
MultiByteToWideChar.KERNEL32(00000000,00000001,?,0045EFDD,?,00000000,?,?,0045EFDD,?), ref: 004658FB
LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0045EFDD,?), ref: 00465911
LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,0045EFDD,?), ref: 00465944
LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,?,0045EFDD,?), ref: 004659AC

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID:
API String ID: 352835431-0
Opcode ID: 5e6b151d5ba608c74bd527101dcb81815da87c380720f4e22a0f704f142fe7ff
Instruction ID: 938c1bc3d4a2cb62404a1abe026533ddce6ebb03db8d2bbdabd6139221da7851
Opcode Fuzzy Hash: 5e6b151d5ba608c74bd527101dcb81815da87c380720f4e22a0f704f142fe7ff
Instruction Fuzzy Hash: 4A516C71900609EFCF218F95CC85AAF7FB8FB49754F10412AF914A2260E3398D65DB66

Function 00418D60 Relevance: 13.6, APIs: 9, Instructions: 118COMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 00418D66
ClientToScreen.USER32(?,?), ref: 00418DA3
OffsetRect.USER32(?,?,?), ref: 00418DCC
GetParent.USER32(?), ref: 00418DD2

Part of subcall function 00473F46: ScreenToClient.USER32(?,00000000), ref: 00473F5A
Part of subcall function 00473F46: ScreenToClient.USER32(?,00000008), ref: 00473F63

GetClientRect.USER32(?,?), ref: 00418DF5
OffsetRect.USER32(?,?,00000000), ref: 00418E13
OffsetRect.USER32(?,?,00000000), ref: 00418E2B
OffsetRect.USER32(?,00000000,?), ref: 00418E49
OffsetRect.USER32(?,00000000,?), ref: 00418E69

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Rect$Offset$Client$Screen$CaptureParent
String ID:
API String ID: 838496554-0
Opcode ID: ebd1b9ca0a1af20d3d330a57fd57c063c0679091b67a1c5c4395da53a0e6d57a
Instruction ID: 9862576fcbc7962d57de1233f82462ca4ab3b4f721f93959e0dbf798e42fbdf9
Opcode Fuzzy Hash: ebd1b9ca0a1af20d3d330a57fd57c063c0679091b67a1c5c4395da53a0e6d57a
Instruction Fuzzy Hash: 5C41E7B5208301AFD718DF68D994D6BB7E9ABC8704F008A1DF986C3251DA74ED488B66

Function 00416590 Relevance: 13.6, APIs: 9, Instructions: 85windowCOMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,?,00000001,?,?,?,?), ref: 004165AA
GetTopWindow.USER32(?), ref: 004165B0
IsWindowVisible.USER32(00000000), ref: 004165C1
GetWindowLongA.USER32(00000000,000000EC), ref: 004165D2
GetClientRect.USER32(00000000,?), ref: 00416625
IntersectRect.USER32(?,?,?), ref: 0041663A
IsRectEmpty.USER32(?), ref: 00416645
InvalidateRect.USER32(00000000,00000000,00000000,?,?,?,?), ref: 00416656
GetWindow.USER32(00000000,00000002), ref: 0041665B

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Rect$Window$Invalidate$ClientEmptyIntersectLongVisible
String ID:
API String ID: 938479747-0
Opcode ID: 2f8a4dc8889b6d38a0147022f60c0516530ee7c8c2a0787cb610c737cede3001
Instruction ID: 724a7294ae81765b576e1c4a980933ae056dcfbbb26581238ba684a3cee78488
Opcode Fuzzy Hash: 2f8a4dc8889b6d38a0147022f60c0516530ee7c8c2a0787cb610c737cede3001
Instruction Fuzzy Hash: E521A071100312ABC310DF25DCC5CABB7ADFF88344B044A2EF545D3200DB34EA898BAA

Function 0046BA85 Relevance: 13.6, APIs: 9, Instructions: 80windowstringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,?,?,0000000C,?,?,0041AB89,?,-00000001,00000000,?,?,?,00576BB0), ref: 0046BA8F
GetFocus.USER32 ref: 0046BAAA

Part of subcall function 0046F62C: UnhookWindowsHookEx.USER32(?), ref: 0046F651

IsWindowEnabled.USER32(?), ref: 0046BAD3
EnableWindow.USER32(?,00000000), ref: 0046BAE5
GetOpenFileNameA.COMDLG32(?,?), ref: 0046BB10
GetSaveFileNameA.COMDLG32(?,?), ref: 0046BB17
EnableWindow.USER32(?,00000001), ref: 0046BB2E
IsWindow.USER32(?), ref: 0046BB34
SetFocus.USER32(?), ref: 0046BB42

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$EnableFileFocusName$EnabledHookOpenSaveUnhookWindowslstrlen
String ID:
API String ID: 3606897497-0
Opcode ID: ec52b54416980db4099b8a927dbbcbe6d250542b4252f6f37546f652850f69b5
Instruction ID: dce8b546c0a5864cf9efacefb4a3296727c8a8e7dd1961506af2c59222efa456
Opcode Fuzzy Hash: ec52b54416980db4099b8a927dbbcbe6d250542b4252f6f37546f652850f69b5
Instruction Fuzzy Hash: FE219271210704ABDB21AF72EC86B6B77E9EF40704F00442FF596C2651EB79E881879A

Function 0041B170 Relevance: 12.4, APIs: 8, Instructions: 368windowCOMMON

Download Yara Rule

APIs

CreatePopupMenu.USER32 ref: 0041B2EE
AppendMenuA.USER32(?,?,00000000,?), ref: 0041B451
AppendMenuA.USER32(?,00000000,00000000,?), ref: 0041B489
ModifyMenuA.USER32(?,00000000,00000000,00000000,00000000), ref: 0041B4A7
AppendMenuA.USER32(?,?,00000000,?), ref: 0041B505
ModifyMenuA.USER32(?,?,?,?,?), ref: 0041B52A
AppendMenuA.USER32(?,?,?,?), ref: 0041B572
ModifyMenuA.USER32(?,?,?,?,?), ref: 0041B597

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Menu$Append$Modify$CreatePopup
String ID:
API String ID: 3846898120-0
Opcode ID: a0cb8b174e2fb1fef294967359ef4ce9b3024d59b8daae9d371e57987d957936
Instruction ID: ee1b234dfa5392e185e51ddfbdef5d58c2bc8dc33404d6732789ba7902ca89a9
Opcode Fuzzy Hash: a0cb8b174e2fb1fef294967359ef4ce9b3024d59b8daae9d371e57987d957936
Instruction Fuzzy Hash: F3D1AC71A043009BD714DF19C884B6BB7E8EF89714F14492EF88993382E779EC85CB96

Function 0046229D Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 0046230A
GetStdHandle.KERNEL32(000000F4,00564EA4,00000000,00000000,00000000,?), ref: 004623E0
WriteFile.KERNEL32(00000000), ref: 004623E7

Strings

..., xrefs: 0046235C
<program name unknown>, xrefs: 0046231A
Runtime Error!Program: , xrefs: 00462370
Microsoft Visual C++ Runtime Library, xrefs: 004623B6

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: c184ab27b2f9b885e637504fabf82c101ba3bcaf898881ea996e17dc87e4910a
Instruction ID: daeaf83c8adb5e6ed68da5d8085d39f3c2f0b6ca2e90e8b908dcacb82b2194a0
Opcode Fuzzy Hash: c184ab27b2f9b885e637504fabf82c101ba3bcaf898881ea996e17dc87e4910a
Instruction Fuzzy Hash: C431C372A00208AFDF209671DE85F9A376CBB81304F10049BF94897240F7B8EEC48B57

Function 004222A0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 93networkCOMMON

Download Yara Rule

APIs

accept.WS2_32 ref: 004222E4

Strings

%s:%d, xrefs: 0042235E
P, xrefs: 004222DC

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: accept
String ID: %s:%d$P
API String ID: 3005279540-612342447
Opcode ID: aa9424a84d6285e5836a5d18130e74547461ba4570d8bcba179fffb9443bde4d
Instruction ID: f6205da7017a71dc2d64839b4853ae3ee8eb9e59d47d8c522f1e5bc03e42ed7c
Opcode Fuzzy Hash: aa9424a84d6285e5836a5d18130e74547461ba4570d8bcba179fffb9443bde4d
Instruction Fuzzy Hash: D33184312046116FD320EB28EC98DBB73E8BFD5724F104A2DF5A5922D0E6B4980A8765

Function 0045B460 Relevance: 12.3, APIs: 8, Instructions: 306COMMON

Download Yara Rule

APIs

__ftol.LIBCMT ref: 0045B7B8
__ftol.LIBCMT ref: 0045B7D5
__ftol.LIBCMT ref: 0045B7F1
__ftol.LIBCMT ref: 0045B80B
__ftol.LIBCMT ref: 0045B829
__ftol.LIBCMT ref: 0045B847
__ftol.LIBCMT ref: 0045B863
__ftol.LIBCMT ref: 0045B87D

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __ftol
String ID:
API String ID: 495808979-0
Opcode ID: 5c18187fd1d2cc6556ab9aae26445c8e42adb9d3ae6f66a54355a56a4a7f04d3
Instruction ID: f8939593d9dd7cae759a93db1626615d866e599dd2c4dde5f375275d0176ad18
Opcode Fuzzy Hash: 5c18187fd1d2cc6556ab9aae26445c8e42adb9d3ae6f66a54355a56a4a7f04d3
Instruction Fuzzy Hash: 3ED132B2908342DFD301AF21D48925ABBF0FFD5744FA60999E0D56626AE331C578CB87

Function 0043DF10 Relevance: 12.2, APIs: 8, Instructions: 162COMMON

Download Yara Rule

APIs

GetDeviceCaps.GDI32(?,00000058), ref: 0043DF28
GetDeviceCaps.GDI32(?,0000005A), ref: 0043DF31
GetDeviceCaps.GDI32(?,0000006E), ref: 0043DF42
GetDeviceCaps.GDI32(?,0000006F), ref: 0043DF5F
GetDeviceCaps.GDI32(?,00000070), ref: 0043DF74
GetDeviceCaps.GDI32(?,00000071), ref: 0043DF89
GetDeviceCaps.GDI32(?,00000008), ref: 0043DF9E
GetDeviceCaps.GDI32(?,0000000A), ref: 0043DFB3

Part of subcall function 0043DCF0: __ftol.LIBCMT ref: 0043DCF5

Part of subcall function 0043DD20: __ftol.LIBCMT ref: 0043DD25

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CapsDevice$__ftol
String ID:
API String ID: 1555043975-0
Opcode ID: e6bd5959ba5f69b512a701d2bf7f686a05b41df3ad6e8568bb572d96a4791fce
Instruction ID: e979ff6575df0b49c6b55ae1d9ac7ebe7751a319409f946135cffb5329f04c4f
Opcode Fuzzy Hash: e6bd5959ba5f69b512a701d2bf7f686a05b41df3ad6e8568bb572d96a4791fce
Instruction Fuzzy Hash: A9513670508741ABD300EF6AE885A6FBBE4FFC9704F01495DFA84962A0DB71D924CB96

Function 00461BF5 Relevance: 12.1, APIs: 8, Instructions: 132COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0045D3DB), ref: 00461C10
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0045D3DB), ref: 00461C24
GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0045D3DB), ref: 00461C50
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0045D3DB), ref: 00461C88
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0045D3DB), ref: 00461CAA
FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,0045D3DB), ref: 00461CC3
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0045D3DB), ref: 00461CD6
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00461D14

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID:
API String ID: 1823725401-0
Opcode ID: 806761ad900c234669fa59131c2518efff95927d8e19bd85dcd52de25615eca0
Instruction ID: 71f6f8188fb802bf71a84c29fcaac0af9f80cbe2096effb8335fd420499e6fde
Opcode Fuzzy Hash: 806761ad900c234669fa59131c2518efff95927d8e19bd85dcd52de25615eca0
Instruction Fuzzy Hash: 543144B29842652FDB207BBA5CC483F769CE745344729043FF546C3231F6299C8587AB

Function 0042FD20 Relevance: 12.1, APIs: 8, Instructions: 77COMMON

Download Yara Rule

APIs

ReleaseCapture.USER32 ref: 0042FDF1

Part of subcall function 00471B0E: IsWindowEnabled.USER32(?), ref: 00471B18

GetClientRect.USER32(?,?), ref: 0042FD47
PtInRect.USER32(?,?,?), ref: 0042FD5C
ClientToScreen.USER32(?,?), ref: 0042FD6D
WindowFromPoint.USER32(?,?), ref: 0042FD7D
ReleaseCapture.USER32 ref: 0042FD97
GetCapture.USER32 ref: 0042FDB1
SetCapture.USER32(?), ref: 0042FDBC

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Capture$ClientRectReleaseWindow$EnabledFromPointScreen
String ID:
API String ID: 3076215760-0
Opcode ID: e2445ec543a2a35fa1ea22765d59b3dc287a4b444f303e71d5e82e281357ae81
Instruction ID: 69dd46df5d9a98a89e68062107248c0a98e34fa317df67d619fb71003880cdb4
Opcode Fuzzy Hash: e2445ec543a2a35fa1ea22765d59b3dc287a4b444f303e71d5e82e281357ae81
Instruction Fuzzy Hash: D321D8352002105BD310EB29E859E7F73B9FFC4704F84493EF88692241E639D849CB69

Function 00471F1A Relevance: 12.1, APIs: 8, Instructions: 65memorystringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(?), ref: 00471F3A
lstrcmpA.KERNEL32(?,?), ref: 00471F46
OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 00471F58
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00471F7B
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00471F83
GlobalLock.KERNEL32(00000000), ref: 00471F90
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 00471F9D
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 00471FBB

Part of subcall function 00474D9F: GlobalFlags.KERNEL32(?), ref: 00474DA9
Part of subcall function 00474D9F: GlobalUnlock.KERNEL32(?), ref: 00474DC0
Part of subcall function 00474D9F: GlobalFree.KERNEL32(?), ref: 00474DCB

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: 1c53d452d978edc07232322e358651f80990358e3ae11e5bdafdeb3161ad3cdf
Instruction ID: 52c064dfd70bf830835a03c07d81e5307200440771bc28f7afb3dd660c96f267
Opcode Fuzzy Hash: 1c53d452d978edc07232322e358651f80990358e3ae11e5bdafdeb3161ad3cdf
Instruction Fuzzy Hash: 90114F75500204BEDB215BB6CC86EFFBAAEEB85744F00441EFA0DD1162D7399D419768

Function 00406400 Relevance: 12.1, APIs: 8, Instructions: 55COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0040641C
PtInRect.USER32(?,?,?), ref: 00406431
ReleaseCapture.USER32 ref: 00406441
InvalidateRect.USER32(?,00000000,00000000), ref: 0040644F
GetCapture.USER32 ref: 0040645F
SetCapture.USER32(?), ref: 0040646A
InvalidateRect.USER32(?,00000000,00000000), ref: 0040648B
SetCapture.USER32(?), ref: 00406495

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CaptureRect$Invalidate$ClientRelease
String ID:
API String ID: 3559558096-0
Opcode ID: d76674c7b3421a83801a238b3e55522f6f9dbe4d75d059821c37839901765a66
Instruction ID: b0267089ba469498aefce1deb66ab5ccf4758c7a2754aba843b3b5722497b1ec
Opcode Fuzzy Hash: d76674c7b3421a83801a238b3e55522f6f9dbe4d75d059821c37839901765a66
Instruction Fuzzy Hash: 2D114C75500710AFD320AF68DC89FAB77A8FB44304F00892EF58A97250E635A8458B58

Function 0040A630 Relevance: 10.8, APIs: 7, Instructions: 268windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 0040A66D
GetParent.USER32(?), ref: 0040A67F
SendMessageA.USER32(?,0000130B,00000000,00000000), ref: 0040A6A7
GetWindowRect.USER32(?,?), ref: 0040A731
InvalidateRect.USER32(?,?,00000001,?), ref: 0040A754
GetWindowRect.USER32(?,?), ref: 0040A91C
InvalidateRect.USER32(?,?,00000001,?), ref: 0040A93D

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Rect$Window$Invalidate$MessageParentSend
String ID:
API String ID: 236041146-0
Opcode ID: b84b5b0ee8688ece7c984f628aae87317f24dbffcb7c430141b8a8eb03178ad2
Instruction ID: 772bbe539e693b5456ebbd3faf5ea3ad0eef2d20e57ce84bbdc55b2932d24abc
Opcode Fuzzy Hash: b84b5b0ee8688ece7c984f628aae87317f24dbffcb7c430141b8a8eb03178ad2
Instruction Fuzzy Hash: 2891C8716003019BD720EF258845B6B73E4AF84718F144A2EF949AB3D2E77CED15879A

Function 0043F490 Relevance: 10.8, APIs: 7, Instructions: 260windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0043F4BD
GetParent.USER32(?), ref: 0043F4C9
GetClientRect.USER32(?,?), ref: 0043F4DA

Part of subcall function 00473F82: ClientToScreen.USER32(00402FD8,?), ref: 00473F96
Part of subcall function 00473F82: ClientToScreen.USER32(00402FD8,?), ref: 00473F9F

GetParent.USER32(?), ref: 0043F4EC

Part of subcall function 00473F46: ScreenToClient.USER32(?,00000000), ref: 00473F5A
Part of subcall function 00473F46: ScreenToClient.USER32(?,00000008), ref: 00473F63

Part of subcall function 004740D8: __EH_prolog.LIBCMT ref: 004740DD
Part of subcall function 004740D8: GetDC.USER32(00000000), ref: 00474106

SendMessageA.USER32 ref: 0043F51F

Part of subcall function 004739D4: SelectObject.GDI32(?,00000000), ref: 004739F6
Part of subcall function 004739D4: SelectObject.GDI32(?,?), ref: 00473A0C

GetTextExtentPoint32A.GDI32(?,00579128,00000001,?), ref: 0043F54C
EqualRect.USER32(?,?), ref: 0043F70A

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Client$Screen$Rect$ObjectParentSelect$EqualExtentH_prologMessagePoint32SendText
String ID:
API String ID: 98060165-0
Opcode ID: e2e73e43bf596677974a093ed77485aa1f54708da54f6df0cb7d0ca5c628897b
Instruction ID: 9f8960cf5b9b598a8e5c41b2a5e92bd4df140a3f991e110dba9992b07e2e2aaa
Opcode Fuzzy Hash: e2e73e43bf596677974a093ed77485aa1f54708da54f6df0cb7d0ca5c628897b
Instruction Fuzzy Hash: 55918F716083059FC718DF28C881A6BB7E5FBC8704F145A2EF586C3351D778D94A8B56

Function 0041CD90 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 170COMMON

Download Yara Rule

APIs

SetRect.USER32(?,00000000,00000032,00000032,?), ref: 0041CE79
OffsetRect.USER32(?,?,?), ref: 0041CE86
IntersectRect.USER32(?,?,?), ref: 0041CEA2
IsRectEmpty.USER32(?), ref: 0041CEAD
OffsetRect.USER32(?,?,?), ref: 0041CEEA

Strings

2, xrefs: 0041CE36

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Rect$Offset$EmptyIntersect
String ID: 2
API String ID: 765610062-450215437
Opcode ID: 856676322cc87eadc76800dadd8e89c2bd8f81aee8fc1e6d6ff62fcef8dc792b
Instruction ID: b639661ce2126a6f29948f966750420d4169efcc8e130ac04a9e6b258cf358b4
Opcode Fuzzy Hash: 856676322cc87eadc76800dadd8e89c2bd8f81aee8fc1e6d6ff62fcef8dc792b
Instruction Fuzzy Hash: 0D6114752083419FC714CF69C884AABBBE6BBC8744F148A2EF58987360D734E945CF56

Function 0042B690 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 157COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0042B6CF
CreateFontIndirectA.GDI32(00000028), ref: 0042B738
GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 0042B77F

Strings

(, xrefs: 0042B724
$U, xrefs: 0042B74F, 0042B753
$U, xrefs: 0042B852

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateExtentFontIndirectPoint32Textwsprintf
String ID: $U$$U$(
API String ID: 3175173087-3145007484
Opcode ID: 23dc1e4947769e3975da94a8f1c62c4a9615f05cb84e243d907a6d4a8ebeab02
Instruction ID: 7ffbde8b53f0b7a9efe951fb815f9a14ff4a3991dd49756476bfeec9efd5f634
Opcode Fuzzy Hash: 23dc1e4947769e3975da94a8f1c62c4a9615f05cb84e243d907a6d4a8ebeab02
Instruction Fuzzy Hash: FD51C0742043458FC328DF28D885B6BB7E5FFC8304F044A1EE49A83381DBB5A949CB96

Function 00475E2A Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 140windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000019F,00000000,00000000), ref: 00475E4E
GetParent.USER32(?), ref: 00475E55

Part of subcall function 0047197F: GetWindowLongA.USER32(?,000000F0), ref: 0047198B

SendMessageA.USER32(?,00000187,00000000,00000000), ref: 00475EA8
SendMessageA.USER32(0000AC84,00000111,?,?), ref: 00475EF9
SendMessageA.USER32(?,00000185,00000000,00000000), ref: 00475F84

Strings

, xrefs: 00475E2B

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$LongParentWindow
String ID:
API String ID: 779260966-3916222277
Opcode ID: d6e0d5734720f9f46bb5db37b8cee8d4e0f657cb151a165e4569858ab58d3053
Instruction ID: ec4c8e7721478603c4e3f43c67c51fecbb42d39b7d8be2d989ddbf90162672eb
Opcode Fuzzy Hash: d6e0d5734720f9f46bb5db37b8cee8d4e0f657cb151a165e4569858ab58d3053
Instruction Fuzzy Hash: 193110B0310B146FCA247B768C80DBF769DDF45748B11893EF54ADA1D1DE99DC024678

Function 00431AE0 Relevance: 10.6, APIs: 7, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00431AFB

Part of subcall function 00471B29: EnableWindow.USER32(?,?), ref: 00471B37

Part of subcall function 004718A5: GetDlgItem.USER32(?,?), ref: 004718B3

SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00431B35
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00431B4C
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00431B9D
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00431BD7
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00431C04
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00431C3A

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$EnableItemWindow
String ID:
API String ID: 607626308-0
Opcode ID: d08347c32c0fefdae88059e6da2d8eb24a24b4fb996dadd68c88354ba81c978e
Instruction ID: 2606fcc43fed3c51768a9dc6b648451ffc3888707b0cc3f7f8319d32c1273c3f
Opcode Fuzzy Hash: d08347c32c0fefdae88059e6da2d8eb24a24b4fb996dadd68c88354ba81c978e
Instruction Fuzzy Hash: 6F31D6717C071063E638A6798C96FFB51A99BC6B04F10451EB21FAF1E2DDA8B844C75C

Function 00471324 Relevance: 10.6, APIs: 7, Instructions: 122windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00471358
PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00471381
UpdateWindow.USER32(?), ref: 0047139D
SendMessageA.USER32(?,00000121,00000000,?), ref: 004713C3
SendMessageA.USER32(?,0000036A,00000000,00000001), ref: 004713E2
UpdateWindow.USER32(?), ref: 00471425
PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00471458

Part of subcall function 0047197F: GetWindowLongA.USER32(?,000000F0), ref: 0047198B

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: b15b9ebccd25f91d9cbff9c5f58e65ecaed3724655796d7593e9d1810b6966ca
Instruction ID: 421f407d1cf7592b66544ddd84cc965d2cce808687cd7c0a01aed19b718383dd
Opcode Fuzzy Hash: b15b9ebccd25f91d9cbff9c5f58e65ecaed3724655796d7593e9d1810b6966ca
Instruction Fuzzy Hash: 9841B5305043419BD7209F2AC884E5BBAE8FFC1B44F10C91EF899962A1D779D945CB5A

Function 0045C300 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 97COMMON

Download Yara Rule

APIs

SHGetSpecialFolderPathA.SHELL32(00000000,00000000,?,00000000), ref: 0045C38B
GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 0045C3AA
GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 0045C3C1
GetTempPathA.KERNEL32(00000104,00000000), ref: 0045C3D8

Strings

\, xrefs: 0045C405
\, xrefs: 0045C3FE

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DirectoryPath$FolderSpecialSystemTempWindows
String ID: \$\
API String ID: 2721284240-164819647
Opcode ID: 342771f0dd9f6c39b84032ef5ecf8de576da68ebe68cd404c704c171f3486d35
Instruction ID: 267429cff3e602a6dd2ba2eae476700be0b74c614f49ad401b1ab18184aee53a
Opcode Fuzzy Hash: 342771f0dd9f6c39b84032ef5ecf8de576da68ebe68cd404c704c171f3486d35
Instruction Fuzzy Hash: 5C31C0B55083049EEB308664C8C5B7F7690D752706F14C92FFD86C6283E6BDC889975B

Function 00477F7E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?,?,00000000), ref: 00477FAC
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000), ref: 00477FCF
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000), ref: 00477FEE
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00477FFE
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00478008

Strings

software, xrefs: 00477F96

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: 57c58fabdda05263ff4c911e52f62c94ddcb2bf210b0e48b6559c02098286cf9
Instruction ID: c9fa7ad2e58a3e34781c2afdc49c10dec3991cbf649203fb48700edfbbe91815
Opcode Fuzzy Hash: 57c58fabdda05263ff4c911e52f62c94ddcb2bf210b0e48b6559c02098286cf9
Instruction Fuzzy Hash: 2011B372900158FBCB21DBDACD88DEFFFBCEF85704B1140AAE508A2121D6719A51DBA4

Function 0045CFCB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 61stringCOMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0045D009
GetSystemMetrics.USER32(00000000), ref: 0045D021
GetSystemMetrics.USER32(00000001), ref: 0045D028
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0045D04C

Strings

B, xrefs: 0045CFEA
DISPLAY, xrefs: 0045D046

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: System$Metrics$InfoParameterslstrcpy
String ID: B$DISPLAY
API String ID: 1409579217-3316187204
Opcode ID: 5c074300f412b65ef7ae12cff8d6e4160bea3a831f6771d3604d4e28bc5c6484
Instruction ID: 3a9a6a15179586da1d8d4f8b0f201349c9711ae5bdea07ee705157bc574325a1
Opcode Fuzzy Hash: 5c074300f412b65ef7ae12cff8d6e4160bea3a831f6771d3604d4e28bc5c6484
Instruction Fuzzy Hash: 5711A372900324EBCF219F649C8499B7FA8FF06B56F004067FC099E182D675D949CBA9

Function 00473677 Relevance: 10.5, APIs: 7, Instructions: 29COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 00473683
GetSysColor.USER32(00000010), ref: 0047368A
GetSysColor.USER32(00000014), ref: 00473691
GetSysColor.USER32(00000012), ref: 00473698
GetSysColor.USER32(00000006), ref: 0047369F
GetSysColorBrush.USER32(0000000F), ref: 004736AC
GetSysColorBrush.USER32(00000006), ref: 004736B3

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: 88b427234f5995cf6f400de130e5a756254f438b8e9feacb51e6d3178a6e90b8
Instruction ID: dd13331998f46afb8e19652bced7bcc016fe99935806bf54ad8394b9c30ad518
Opcode Fuzzy Hash: 88b427234f5995cf6f400de130e5a756254f438b8e9feacb51e6d3178a6e90b8
Instruction Fuzzy Hash: 2EF01C719417489BD730BF729D49B47BAE4FFC4B10F02192ED2858BA90E6B5B440DF44

Function 00414CD0 Relevance: 9.2, APIs: 6, Instructions: 176windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00414D21
IsWindow.USER32(?), ref: 00414D36
IsChild.USER32(?,?), ref: 00414D47
SetFocus.USER32(?), ref: 00414D58
IsWindow.USER32(?), ref: 00414E50
IsWindowVisible.USER32(?), ref: 00414E5E

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$ChildFocusVisible
String ID:
API String ID: 372613587-0
Opcode ID: 2ace03cbef4a8e687705191a93cd80367969ed0ad81a3ecb89da95922548b92b
Instruction ID: c34150b20ca7c6db2ca534bad171e6ab71addc40bb4e56f1d87f78561c1c27b3
Opcode Fuzzy Hash: 2ace03cbef4a8e687705191a93cd80367969ed0ad81a3ecb89da95922548b92b
Instruction Fuzzy Hash: 665150716003059FC720EF69D88096BB3E8BF84358F154A2EF85997281DB78ED45CBA5

Function 00430FF0 Relevance: 9.1, APIs: 6, Instructions: 136windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000147,00000000,00000000), ref: 0043101C

Part of subcall function 0046D4AE: InterlockedIncrement.KERNEL32(-000000F4), ref: 0046D4C3

OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 0043104D
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000), ref: 00431095
DocumentPropertiesA.WINSPOOL.DRV(?,?,?,00000000,00000000,0000000E), ref: 0043112B
ClosePrinter.WINSPOOL.DRV(?,?,?,?,00000000,00000000,0000000E), ref: 00431160

Part of subcall function 0046D739: InterlockedDecrement.KERNEL32(-000000F4), ref: 0046D74D

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DocumentInterlockedProperties$CloseDecrementIncrementMessageOpenPrinterPrinter.Send
String ID:
API String ID: 1978028495-0
Opcode ID: 506ef3e9b99150b24976f6d8dcf29990401427e8b68715683b7098298c7fe1b6
Instruction ID: 5b202f4705e53aa115a964e7a9ef541c147c0581211678d0d8b3084fb3c2e2a9
Opcode Fuzzy Hash: 506ef3e9b99150b24976f6d8dcf29990401427e8b68715683b7098298c7fe1b6
Instruction Fuzzy Hash: 2F41F374204345AFC724EF25CC81EEB7BA9EF98764F004A1DF84987391DB389945C7AA

Function 00427840 Relevance: 9.1, APIs: 6, Instructions: 124COMMON

Download Yara Rule

APIs

CopyRect.USER32(?,00000000), ref: 00427882
IsRectEmpty.USER32(?), ref: 004278B3
OffsetRect.USER32(?,00000000,?), ref: 00427903
LPtoDP.GDI32(?,?,00000002), ref: 00427938
GetClientRect.USER32(?,?), ref: 00427947
IntersectRect.USER32(?,?,?), ref: 0042795C

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Rect$ClientCopyEmptyIntersectOffset
String ID:
API String ID: 1743551499-0
Opcode ID: 655ce08c6c2863d99bb9c03da091e194017723a8bda3fa8876a160141da2f5dd
Instruction ID: d2166bb0ea56408f5a092c9b56579073aaaa5bed31e8e44e94c30f0cd5b9a183
Opcode Fuzzy Hash: 655ce08c6c2863d99bb9c03da091e194017723a8bda3fa8876a160141da2f5dd
Instruction Fuzzy Hash: 42413AB66087019FC318DF68D89096BB7E9FBC8710F048A2EF556C7250DB74E945CBA2

Function 00468E9E Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,0056512C,00000001,?,76F8E860,00594698,?,?,0045EFDD,?,?,?,00000000,00000001), ref: 00468EDD
GetStringTypeA.KERNEL32(00000000,00000001,00565128,00000001,?,?,0045EFDD,?,?,?,00000000,00000001), ref: 00468EF7
GetStringTypeA.KERNEL32(?,?,?,?,0045EFDD,76F8E860,00594698,?,?,0045EFDD,?,?,?,00000000,00000001), ref: 00468F2B
MultiByteToWideChar.KERNEL32(?,00594699,?,?,00000000,00000000,76F8E860,00594698,?,?,0045EFDD,?,?,?,00000000,00000001), ref: 00468F63
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,0045EFDD,?), ref: 00468FB9
GetStringTypeW.KERNEL32(?,?,00000000,0045EFDD,?,?,?,?,?,?,0045EFDD,?), ref: 00468FCB

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: StringType$ByteCharMultiWide
String ID:
API String ID: 3852931651-0
Opcode ID: 58f0d66b20c6461fb7d5b936351a0218c583cec4f69cbaad2c7ed5693aefc7e9
Instruction ID: 82d9b5123f7253229c76e67ec3b92d2d86f3c53e5047042f7e187a6b43e617ee
Opcode Fuzzy Hash: 58f0d66b20c6461fb7d5b936351a0218c583cec4f69cbaad2c7ed5693aefc7e9
Instruction Fuzzy Hash: B5418E71A40209AFCF209F94DC85DEF3F6AFB09750F10062AFA11D2250E7398951DB96

Function 0041CC50 Relevance: 9.1, APIs: 6, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 0041CBC0: CreateDIBitmap.GDI32(?,?,00000004,?,?,00000000), ref: 0041CC3B

CreateCompatibleDC.GDI32(?), ref: 0041CCAA
DeleteObject.GDI32(00000000), ref: 0041CCBF

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Create$BitmapCompatibleDeleteObject
String ID:
API String ID: 3709961035-0
Opcode ID: 4f497df86c32f6cb8f921a38a19cc56ebaabde72449597c8d31f45c32f044277
Instruction ID: d662572bb7870b5a5981f534a48ddb8d546e20bb1ce28623fe25b5c895baf7cf
Opcode Fuzzy Hash: 4f497df86c32f6cb8f921a38a19cc56ebaabde72449597c8d31f45c32f044277
Instruction Fuzzy Hash: 163160762447419FC310DF69DD85F9BB7E8FB89724F008A2EF56983281D738E80587A6

Function 004191B0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 99COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0041923D
wsprintfA.USER32 ref: 00419259

Strings

%d / %d], xrefs: 00419237
- [, xrefs: 004191D8
?? / %d], xrefs: 00419253
- , xrefs: 00419284

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: wsprintf
String ID: - $ - [$%d / %d]$?? / %d]
API String ID: 2111968516-3107364983
Opcode ID: 594a95e95b305528a2e74b432cc54adbea861c8d3067a639311251806b20eb9e
Instruction ID: f2d2529fec0c4779a17b1b96f550eaca5faaf1c81980b6fdfdfde8c370099419
Opcode Fuzzy Hash: 594a95e95b305528a2e74b432cc54adbea861c8d3067a639311251806b20eb9e
Instruction Fuzzy Hash: 6E315C74608700AFC314DB65D991BABB7E4EF84714F048D2EF89A87291EB78E844CB57

Function 00477012 Relevance: 9.1, APIs: 6, Instructions: 85memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00593F4C,00593F3C,00000000,?,00593F4C,?,0047727A,00593F3C,00000000,?,00000000,00476C91,00476590,00476CAD,0047247F,0047371E), ref: 0047701D
EnterCriticalSection.KERNEL32(00593F68,00000010,?,00593F4C,?,0047727A,00593F3C,00000000,?,00000000,00476C91,00476590,00476CAD,0047247F,0047371E), ref: 0047706C
LeaveCriticalSection.KERNEL32(00593F68,00000000,?,00593F4C,?,0047727A,00593F3C,00000000,?,00000000,00476C91,00476590,00476CAD,0047247F,0047371E), ref: 0047707F
LocalAlloc.KERNEL32(00000000,00000004,?,00593F4C,?,0047727A,00593F3C,00000000,?,00000000,00476C91,00476590,00476CAD,0047247F,0047371E), ref: 00477095
LocalReAlloc.KERNEL32(?,00000004,00000002,?,00593F4C,?,0047727A,00593F3C,00000000,?,00000000,00476C91,00476590,00476CAD,0047247F,0047371E), ref: 004770A7
TlsSetValue.KERNEL32(00593F4C,00000000), ref: 004770E3

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AllocCriticalLocalSectionValue$EnterLeave
String ID:
API String ID: 4117633390-0
Opcode ID: 05501eb74ecb6271f95f5ac4c46d643184a78ba36660847608d252c46a3cba33
Instruction ID: ffa709d08ba80250ae416e753fdb215fb948af39e78fde62fca22338affc4e8e
Opcode Fuzzy Hash: 05501eb74ecb6271f95f5ac4c46d643184a78ba36660847608d252c46a3cba33
Instruction Fuzzy Hash: 9E318971204609AFD724DF25C889EA6B7E8FB45364F40C62EE41A87290E774E815CBA5

Function 0046FE4D Relevance: 9.1, APIs: 6, Instructions: 82windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0046FE52
SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 0046FE9F
SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 0046FEC1
GetCapture.USER32 ref: 0046FED3
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 0046FEE2
WinHelpA.USER32(?,?,?,?), ref: 0046FEF6

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$CaptureH_prologHelp
String ID:
API String ID: 432264411-0
Opcode ID: 88b377c8b5020cd43abb1382565acb3dc0aec4f3a5dc33264a39bbba02e9ccb1
Instruction ID: d3941ef6ac1a5182254b5ea989e3d606b7db0d7472764a4555482f649b646216
Opcode Fuzzy Hash: 88b377c8b5020cd43abb1382565acb3dc0aec4f3a5dc33264a39bbba02e9ccb1
Instruction Fuzzy Hash: 4021B571240209BFEB21AF61DC89FBA77AAFF04744F00857EB2459B1E2CBB49C009B54

Function 00475323 Relevance: 9.1, APIs: 6, Instructions: 67COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00475356
GetLastActivePopup.USER32(?), ref: 00475365
IsWindowEnabled.USER32(?), ref: 0047537A
EnableWindow.USER32(?,00000000), ref: 0047538D
GetWindowLongA.USER32(?,000000F0), ref: 0047539F
GetParent.USER32(?), ref: 004753AD

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: 2b85ab582e73265ccf8c198778deb590851dfaaf2f7beb57ed52b9107ffb761e
Instruction ID: cbf3f42d2a1b77f05bb8ee903e369ba82bbd0d287c2c96c9de9ee43b75fada8a
Opcode Fuzzy Hash: 2b85ab582e73265ccf8c198778deb590851dfaaf2f7beb57ed52b9107ffb761e
Instruction Fuzzy Hash: EF11A372602B2557C6315A695D80BABB7989F54BD5F09812AED0CEF320DBECCC4142ED

Function 0042A510 Relevance: 9.1, APIs: 6, Instructions: 54COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 0042A532
ScreenToClient.USER32(00000001,?), ref: 0042A541

Part of subcall function 0042A5C0: DPtoLP.GDI32(?,?,00000001), ref: 0042A6D7

LoadCursorA.USER32(00000000,00007F85), ref: 0042A571
SetCursor.USER32(00000000), ref: 0042A578
LoadCursorA.USER32(00000000,00007F84), ref: 0042A597
SetCursor.USER32(00000000), ref: 0042A59E

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Cursor$Load$ClientScreen
String ID:
API String ID: 789353160-0
Opcode ID: ec990fa58663ca054ab091c813e0bc4e1c35787422df00d3c6748c09afa0f105
Instruction ID: d1b3a271db5dc39d5630341a40cc3e23d2f0bec5b1dec491f63f6bf8c03c51f7
Opcode Fuzzy Hash: ec990fa58663ca054ab091c813e0bc4e1c35787422df00d3c6748c09afa0f105
Instruction Fuzzy Hash: 9311A932604211ABC610DB64FD99FAF73E8AF94B11F00492EF545822C0EA74D998C7B7

Function 00405EC0 Relevance: 9.1, APIs: 6, Instructions: 54windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000002,?), ref: 00405EDB
SendMessageA.USER32(?,00001101,00000000,00000000), ref: 00405EED
SendMessageA.USER32(?,0000110A,00000002,?), ref: 00405EFB
SendMessageA.USER32(?,0000110A,00000001,?), ref: 00405F0D
SendMessageA.USER32(?,00001101,00000000,00000000), ref: 00405F1F
SendMessageA.USER32(?,0000110A,00000001,?), ref: 00405F2D

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c05b63edbf76456e9c2823ca9536d1b4877e531e1087791f649af9f0e3ed4019
Instruction ID: 70f02ab46790cd73f2d73b610f596882bd1944a5fc2ae664e628ec4c496772aa
Opcode Fuzzy Hash: c05b63edbf76456e9c2823ca9536d1b4877e531e1087791f649af9f0e3ed4019
Instruction Fuzzy Hash: C30162B27507053AF534D6659CC2FA3A2ADDF98B91F008A19B701EB1C0C5F9EC428A74

Function 00474D28 Relevance: 9.0, APIs: 6, Instructions: 48windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 00474D2B

Part of subcall function 00474BCD: GetWindowLongA.USER32(00000000,000000F0), ref: 00474BDE

GetParent.USER32(00000000), ref: 00474D52

Part of subcall function 00474BCD: GetClassNameA.USER32(00000000,?,0000000A), ref: 00474BF9
Part of subcall function 00474BCD: lstrcmpiA.KERNEL32(?,combobox), ref: 00474C08

GetWindowLongA.USER32(?,000000F0), ref: 00474D6D
GetParent.USER32(?), ref: 00474D7B
GetDesktopWindow.USER32 ref: 00474D7F
SendMessageA.USER32(00000000,0000014F,00000000,00000000), ref: 00474D93

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$LongParent$ClassDesktopFocusMessageNameSendlstrcmpi
String ID:
API String ID: 2818563221-0
Opcode ID: 69c595cd13f719f150fb997e4cb44741c4df789d4df0af3236d141fe0d08f3b3
Instruction ID: 638904ba72ca7a4f32dea5206e55fe6d99f5b9aafd46876ab0fdf96b6a6b3603
Opcode Fuzzy Hash: 69c595cd13f719f150fb997e4cb44741c4df789d4df0af3236d141fe0d08f3b3
Instruction Fuzzy Hash: 16F0A43A60062166D23226795CC8FFF625E9BC2B50F15826AF96CE63D09B18DC4142ED

Function 00474C42 Relevance: 9.0, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00474C51
GetWindow.USER32(?,00000005), ref: 00474C62
GetDlgCtrlID.USER32(00000000), ref: 00474C6B
GetWindowLongA.USER32(00000000,000000F0), ref: 00474C7A
GetWindowRect.USER32(00000000,?), ref: 00474C8C
PtInRect.USER32(?,?,?), ref: 00474C9C

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: 4b8df82934fc4d42636690fa4886531f728b4e97ec5858791bdfcc287af51207
Instruction ID: 505814a22be16dab4a225b4d8283c8c94fe2a620e1358d2fe7803ea1745dcf42
Opcode Fuzzy Hash: 4b8df82934fc4d42636690fa4886531f728b4e97ec5858791bdfcc287af51207
Instruction Fuzzy Hash: 47018F36201015BFDB22AB65DC48EFF376CEF80700F018136F909E21A0E734D9529B98

Function 0041E260 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 181COMMON

Download Yara Rule

Strings

tU, xrefs: 0041E401

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: tU
API String ID: 0-3221499103
Opcode ID: 1f7eebd957f8696a344deabc56b47d93f48b44fbebbb604e8eff865c071fad6b
Instruction ID: 80f3c2af3a13ea4094ad5144e1bc9462b0b63a8cfd3e6531e20ab25650aa4e0c
Opcode Fuzzy Hash: 1f7eebd957f8696a344deabc56b47d93f48b44fbebbb604e8eff865c071fad6b
Instruction Fuzzy Hash: 99515FB55083419FC310EF6AC8819ABF7E8FBC5714F408A2EF5A983241D779E948CB56

Function 00461FDE Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00461FFD
GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00462032
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00462092

Strings

__GLOBAL_HEAP_SELECTED, xrefs: 0046206C
__MSVCRT_HEAP_SELECT, xrefs: 0046202D

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: EnvironmentFileModuleNameVariableVersion
String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
API String ID: 1385375860-4131005785
Opcode ID: a5b1165b247358fe88da7f8a0e62ca4502783bc6f59b457a3f359c00331e7bf1
Instruction ID: 89f265cfb29b1daf103995f50fd5091015ef40ae417c78724ebafae9dd36419b
Opcode Fuzzy Hash: a5b1165b247358fe88da7f8a0e62ca4502783bc6f59b457a3f359c00331e7bf1
Instruction Fuzzy Hash: 3C311571D456487DEB3186705E86BEA37A89B06304F1404DBE784D6243F6B98ECACB1B

Function 0046F83A Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00000405,00000000,?), ref: 0046F8F3
GetWindowLongA.USER32(?,000000FC), ref: 0046F904
GetWindowLongA.USER32(?,000000FC), ref: 0046F914
SetWindowLongA.USER32(?,000000FC,?), ref: 0046F930

Strings

(, xrefs: 0046F8DE

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: (
API String ID: 2178440468-3887548279
Opcode ID: b98a9586146e75e96aac3dba3b0b2ff16fafa8285cba61d6d9fc9b80c4ee5037
Instruction ID: d420b3b4a64ae829150570d142ddf70712cf023686a4d293aa0ba48f14e6601e
Opcode Fuzzy Hash: b98a9586146e75e96aac3dba3b0b2ff16fafa8285cba61d6d9fc9b80c4ee5037
Instruction Fuzzy Hash: 0131C131600700AFDB20BF75E884B6EB7A5FF44354F15467EE08697691EB38E808CB99

Function 00477ACF Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 88stringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 00477B00

Part of subcall function 00477BEC: lstrlenA.KERNEL32(00000104,00000000,?,00477B30), ref: 00477C23

lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 00477BA1
lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 00477BCE

Strings

.INI, xrefs: 00477BC8
.HLP, xrefs: 00477B9B

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileModuleNamelstrcatlstrcpylstrlen
String ID: .HLP$.INI
API String ID: 2421895198-3011182340
Opcode ID: d63371f1f8fe7c5ed2a6db3dcb3e02ca68bdf7fa21a0f1f1fb02bc229fd47a57
Instruction ID: a5d98f0c71fd96bee3ef9b6ebde9c1671483f6acb93653600e9477c913f91f30
Opcode Fuzzy Hash: d63371f1f8fe7c5ed2a6db3dcb3e02ca68bdf7fa21a0f1f1fb02bc229fd47a57
Instruction Fuzzy Hash: 20318FB1804708AFDB20DBB1D884BC7B7FCAB04318F1089AFE189D2151EB78A984CB54

Function 00477752 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetMenuCheckMarkDimensions.USER32 ref: 0047775E
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 0047780D
LoadBitmapA.USER32(00000000,00007FE3), ref: 00477825

Strings

lCV, xrefs: 004777DE
, xrefs: 0047776D

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu
String ID: $lCV
API String ID: 2596413745-807549491
Opcode ID: 56de67f5e817d70d487605b86c53acb0b1da9225a4ff7b389ab735f118f1dc73
Instruction ID: 1397403bd45a3b00e82b84a98740aee9633d8dd26ac94b5c0d250a7eb78369e8
Opcode Fuzzy Hash: 56de67f5e817d70d487605b86c53acb0b1da9225a4ff7b389ab735f118f1dc73
Instruction Fuzzy Hash: 57213D71E00255AFDB10CF78CCC5BEE7BB8EB84700F054167E509EB281D674AA448F80

Function 0041B820 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(?), ref: 0041B860
GlobalSize.KERNEL32(?), ref: 0041B883
GlobalSize.KERNEL32(?), ref: 0041B8B3
GlobalUnlock.KERNEL32(?), ref: 0041B8C3

Strings

BM, xrefs: 0041B87D

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Global$Size$LockUnlock
String ID: BM
API String ID: 2233901773-2348483157
Opcode ID: 5fdd7adef1893906d2a794018d209024b8e6bf477706f507d92b7d686f4a8c68
Instruction ID: d513b327e7671aa58c944e97e96e874706d4a628b87d804eb9d458ee7e9a29d0
Opcode Fuzzy Hash: 5fdd7adef1893906d2a794018d209024b8e6bf477706f507d92b7d686f4a8c68
Instruction Fuzzy Hash: 7321B875D00254ABD710DFA9D8857DDBBB8FF0C720F10416EE919E3381D77859408799

Function 0046FD53 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0046FD89
wsprintfA.USER32 ref: 0046FDA5
GetClassInfoA.USER32(?,-00000058,?), ref: 0046FDB4

Strings

Afx:%x:%x:%x:%x:%x, xrefs: 0046FD9F
Afx:%x:%x, xrefs: 0046FD83

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: wsprintf$ClassInfo
String ID: Afx:%x:%x$Afx:%x:%x:%x:%x:%x
API String ID: 845911565-79760390
Opcode ID: 4b035ebf5cf6ea2a6c9cccea3074cb77d3d910b1a88c120a604990c901d38e74
Instruction ID: eabac19fb34d81976e486e013a0fe2e532b68e7c42edcf08e308841cb50b64f0
Opcode Fuzzy Hash: 4b035ebf5cf6ea2a6c9cccea3074cb77d3d910b1a88c120a604990c901d38e74
Instruction Fuzzy Hash: B3211271901219AF8F11DF99DC849DF7BB9FF49754B00802AF909E3201E3349A50CBAA

Function 00413570 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 60windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconA.SHELL32(00000001,?,?,00000058), ref: 004135E9
DestroyCursor.USER32(?), ref: 004135F6
Shell_NotifyIconA.SHELL32(?,?,00000000,00000058), ref: 00413629

Strings

d, xrefs: 00413599
X, xrefs: 00413587

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: IconNotifyShell_$CursorDestroy
String ID: X$d
API String ID: 3039372612-651813629
Opcode ID: 9154f06f6ff4680538fa8416619833bd2801409e50f1102f4aeb0b686e3347fc
Instruction ID: c1f5e5c4388b93bbcf625b953cf6c7e7ee7bece0f85ac29783896a7843ae4d68
Opcode Fuzzy Hash: 9154f06f6ff4680538fa8416619833bd2801409e50f1102f4aeb0b686e3347fc
Instruction Fuzzy Hash: BB211A75608700AFE310DF15D844B9BBBE5BFD4B05F00891EB9C992350D7B9AA488B96

Function 0046E391 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000F0), ref: 0046E3D2
GetDlgItem.USER32(?,00000002), ref: 0046E3F1
IsWindowEnabled.USER32(00000000), ref: 0046E3FC
SendMessageA.USER32(?,00000111,00000002,00000000), ref: 0046E412

Strings

Edit, xrefs: 0046E3DC

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$EnabledItemLongMessageSend
String ID: Edit
API String ID: 3499652902-554135844
Opcode ID: d8eb78c3b024d58035f7117050f605d19c3ea60c0230948e7b38146bd2ca2c17
Instruction ID: 22eecc0fc03a64b2863bf9d6f9e9b58c117299cf802192387890c45b531af0f2
Opcode Fuzzy Hash: d8eb78c3b024d58035f7117050f605d19c3ea60c0230948e7b38146bd2ca2c17
Instruction Fuzzy Hash: 6E01A174300211AAEE311A379C09FBB67E5AB40751F54853BF405E22E1EF69EC81C91A

Function 0040F5F0 Relevance: 7.9, APIs: 5, Instructions: 359COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: wsprintf
String ID:
API String ID: 2111968516-0
Opcode ID: 78fbd1040c8e34095fe7d7b3da2ca38542bc3d6706b9c448219803cd17ce5242
Instruction ID: 6c1928931aa9ae69e89fe3c8e72cfd1d6964ecded9c713d1942d2c4d62c6ea05
Opcode Fuzzy Hash: 78fbd1040c8e34095fe7d7b3da2ca38542bc3d6706b9c448219803cd17ce5242
Instruction Fuzzy Hash: 09C173715142069FC720DF24D88596B77E8FFD4348F14493EF84AA7392E738E9098BA6

Function 004280D0 Relevance: 7.7, APIs: 5, Instructions: 229COMMON

Download Yara Rule

APIs

CopyRect.USER32(?,00000000), ref: 00428159
GetClientRect.USER32(00000000,?), ref: 00428192
DPtoLP.GDI32 ref: 004281E8
GetClientRect.USER32(00000000,?), ref: 004282BC
DPtoLP.GDI32 ref: 00428312

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Rect$Client$Copy
String ID:
API String ID: 472922470-0
Opcode ID: 02224563dc447ac36a888956aeffb618a0e49198ba695e541bf92c68bbc51d32
Instruction ID: 9a0f554373825854b883f340c86267e09227e3a1474b3ba677f6f92ed1de7058
Opcode Fuzzy Hash: 02224563dc447ac36a888956aeffb618a0e49198ba695e541bf92c68bbc51d32
Instruction Fuzzy Hash: 40818F713087559FC314EF69D880A7FB3E5BBC8708F80491EF59A83241DF79A8058B6A

Function 00416150 Relevance: 7.7, APIs: 5, Instructions: 196windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 0041622C
SendMessageA.USER32(?,00008003,00000000,00000000), ref: 00416243
GetWindowRect.USER32(?,00000000), ref: 00416295
GetClientRect.USER32(?,00000000), ref: 004162ED
GetWindowRect.USER32(?,00000000), ref: 00416311

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: RectWindow$ClientMessageSend
String ID:
API String ID: 1071774122-0
Opcode ID: 65144e59f690062ddf29e09e28bcc39a1baf765ac7dd97516862a5d8105c0ae8
Instruction ID: 4f05c03b21c4ac828c49b8f6875f71c117c30326f452cccc988624c30f459908
Opcode Fuzzy Hash: 65144e59f690062ddf29e09e28bcc39a1baf765ac7dd97516862a5d8105c0ae8
Instruction Fuzzy Hash: FE61D2716043419FC710DF69C885AABB7E8FF84748F004A2EF945A7391DA38ED45CB9A

Function 00408040 Relevance: 7.7, APIs: 5, Instructions: 159windowCOMMON

Download Yara Rule

APIs

IsRectEmpty.USER32(?), ref: 00408062
CreateRectRgn.GDI32 ref: 004080E4
GetClientRect.USER32(?,?), ref: 0040810D
FillRgn.GDI32(?,?,?), ref: 00408186
PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 004081FC

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Rect$ClientCreateEmptyFill
String ID:
API String ID: 97219908-0
Opcode ID: 5ee344db93a73a499be82144d8e4d891e9c4a0e2fba6e21aa1618d4ad7dc74eb
Instruction ID: d3d89a15dfd3c71483f26b37ee1d1183756f9cc798b3ad3c59848ab4458f05f6
Opcode Fuzzy Hash: 5ee344db93a73a499be82144d8e4d891e9c4a0e2fba6e21aa1618d4ad7dc74eb
Instruction Fuzzy Hash: EE5150B1204341AFD714DF65C985E6BB7E9FF88704F00892DF59997280DB78E809CBA6

Function 00461D27 Relevance: 7.6, APIs: 5, Instructions: 150COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 00461D85
GetFileType.KERNEL32(?,?,00000000), ref: 00461E30
GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 00461E93
GetFileType.KERNEL32(00000000,?,00000000), ref: 00461EA1
SetHandleCount.KERNEL32 ref: 00461ED8

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: c0b36a9afe723728aa66d434e0aede92c13837a4a67b7a5e286b40c13eba0d95
Instruction ID: abde31565f0d13969f60ef153e186353bc52180c2492079cd4a1a320a9d91de7
Opcode Fuzzy Hash: c0b36a9afe723728aa66d434e0aede92c13837a4a67b7a5e286b40c13eba0d95
Instruction Fuzzy Hash: 685108719002418BC7208B68D884A6677E0FB22729F2D476EC966873F1E739DC46DB4A

Function 00414270 Relevance: 7.6, APIs: 5, Instructions: 104windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00414340
WinHelpA.USER32(?,00000000,00000002,00000000), ref: 0041435B
GetMenu.USER32(?), ref: 0041436B
SetMenu.USER32(?,00000000), ref: 00414378
DestroyMenu.USER32(00000000), ref: 00414383

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Menu$DestroyHelpWindow
String ID:
API String ID: 427501538-0
Opcode ID: 4396fd2ab34f76f089d2c4c6d2b66f9ab450b293be7a7576c98c56e1908d5f96
Instruction ID: 698ed5674c1f3632432da9617761f4130ec0e09fc74735336cffbeb68cc45c97
Opcode Fuzzy Hash: 4396fd2ab34f76f089d2c4c6d2b66f9ab450b293be7a7576c98c56e1908d5f96
Instruction Fuzzy Hash: 2B31C971600609ABC314DF66CC85D6BB7ACFF85348F014A2EF915A3240DB39B98487A9

Function 00420610 Relevance: 7.6, APIs: 5, Instructions: 103synchronizationCOMMON

Download Yara Rule

APIs

midiStreamStop.WINMM(?,00000000,?,00000000,0042017A,00000000,0058B738,00416766,0058B738,?,0041132F,0058B738,0040F2E6,00000001,00000000,000000FF), ref: 00420645
midiOutReset.WINMM(?,?,0041132F,0058B738,0040F2E6,00000001,00000000,000000FF), ref: 00420663
WaitForSingleObject.KERNEL32(?,000007D0,?,0041132F,0058B738,0040F2E6,00000001,00000000,000000FF), ref: 00420686
midiStreamClose.WINMM(?,?,0041132F,0058B738,0040F2E6,00000001,00000000,000000FF), ref: 004206C3
midiStreamClose.WINMM(?,?,0041132F,0058B738,0040F2E6,00000001,00000000,000000FF), ref: 004206F7

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: midi$Stream$Close$ObjectResetSingleStopWait
String ID:
API String ID: 3142198506-0
Opcode ID: 8a1cab5dbc75b26f35b83567f4be8b7ea745bf1ef4eec50f8f6c24d5bab26aee
Instruction ID: 429a950637548dcea4eddf4dc324bbe82926b985b71d9027c43f35cb107909f9
Opcode Fuzzy Hash: 8a1cab5dbc75b26f35b83567f4be8b7ea745bf1ef4eec50f8f6c24d5bab26aee
Instruction Fuzzy Hash: BB316E723007618FC7309FA9E4C852BB7E6FBD4305B604A3FE146C6642C778E8958B98

Function 00410440 Relevance: 7.6, APIs: 5, Instructions: 92windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 004104B0
GetMenu.USER32(?), ref: 004104BF
DestroyAcceleratorTable.USER32(?), ref: 0041050C
SetMenu.USER32(?,00000000), ref: 00410521
DestroyMenu.USER32(?), ref: 00410531

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Menu$Destroy$AcceleratorTableWindow
String ID:
API String ID: 1240299919-0
Opcode ID: 10ebf0df417b22990bcbb1e0396d7cc4f1163dc4935c5f1c44e87b18265f5275
Instruction ID: 2ea5e2e12dfa62224bee449740c5e18b157ad11435182c1699deab5d7d343f5f
Opcode Fuzzy Hash: 10ebf0df417b22990bcbb1e0396d7cc4f1163dc4935c5f1c44e87b18265f5275
Instruction Fuzzy Hash: 1A318872500205AFC720EF65DD44D6B77A9EF84358B01492EFD0997282EB78F845CBB5

Function 00415FE0 Relevance: 7.6, APIs: 5, Instructions: 90COMMON

Download Yara Rule

APIs

IsChild.USER32(?,?), ref: 00415FFC

Part of subcall function 0040AC40: IsChild.USER32(?,?), ref: 0040ACBD
Part of subcall function 0040AC40: GetParent.USER32(?), ref: 0040ACD7

GetCursorPos.USER32(?), ref: 00416014
GetClientRect.USER32(?,?), ref: 00416023
PtInRect.USER32(?,?,?), ref: 00416044
SetCursor.USER32(?,?,00000000,?,?,?,?,00415C70), ref: 004160C2

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ChildCursorRect$ClientParent
String ID:
API String ID: 1110532797-0
Opcode ID: ddbc872971c76f50618c886466f51c7c997c1f77896e11dea6b5d77f69c35950
Instruction ID: 6a03b85f5b981bfaad4bddf4fa97ad7a5440b228b5ed9883122299ed7f80ff0e
Opcode Fuzzy Hash: ddbc872971c76f50618c886466f51c7c997c1f77896e11dea6b5d77f69c35950
Instruction Fuzzy Hash: 2421DB316002115BD730DB25CC49FAF77E9AF88718F054A2EF949A32C1EA38FD4587A9

Function 0046BB60 Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0046BB65
GetParent.USER32(?), ref: 0046BBA2
SendMessageA.USER32(?,00000464,00000104,00000000), ref: 0046BBCA
GetParent.USER32(?), ref: 0046BBF3
SendMessageA.USER32(?,00000465,00000104,00000000), ref: 0046BC10

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageParentSend$H_prolog
String ID:
API String ID: 1056721960-0
Opcode ID: f6edfa5ec0815920fb54eab3d670a88dffa1670c314afe6b7480f85d8cd0cad8
Instruction ID: fe11eb16d613ce5c913965c569447a33582ae661fe681304f5ade1ddd47bf9ab
Opcode Fuzzy Hash: f6edfa5ec0815920fb54eab3d670a88dffa1670c314afe6b7480f85d8cd0cad8
Instruction Fuzzy Hash: 3831A470E00219DBCB04EFA1DC45EAEB774FF50318F10452EA421A71E1EB38AE45CB5A

Function 00402EA0 Relevance: 7.6, APIs: 5, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 0047418C: __EH_prolog.LIBCMT ref: 00474191
Part of subcall function 0047418C: GetWindowDC.USER32(?,?,?,00402ED1), ref: 004741BA

GetClientRect.USER32 ref: 00402EE2
GetWindowRect.USER32(?,?), ref: 00402EF1

Part of subcall function 00473F46: ScreenToClient.USER32(?,00000000), ref: 00473F5A
Part of subcall function 00473F46: ScreenToClient.USER32(?,00000008), ref: 00473F63

OffsetRect.USER32(?,?,?), ref: 00402F1C

Part of subcall function 00473E83: ExcludeClipRect.GDI32(?,?,?,?,?,753DA5C0,?,?,00402F2C,?), ref: 00473EA8
Part of subcall function 00473E83: ExcludeClipRect.GDI32(?,?,?,?,?,753DA5C0,?,?,00402F2C,?), ref: 00473EBD

OffsetRect.USER32(?,?,?), ref: 00402F3F
FillRect.USER32(?,?,?), ref: 00402F5A

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Rect$Client$ClipExcludeOffsetScreenWindow$FillH_prolog
String ID:
API String ID: 2829754061-0
Opcode ID: cd84e47e113154ce4653dd7d912cc3e9fe6011c3d13e70e703fbd2f99bfb2be0
Instruction ID: 389d13470583802657d25e91ce87db695a856d32e4047111536eab862acca800
Opcode Fuzzy Hash: cd84e47e113154ce4653dd7d912cc3e9fe6011c3d13e70e703fbd2f99bfb2be0
Instruction Fuzzy Hash: D23171B5208702AFD714DF24C845FABB7E8EB88754F008A1DF49A87290DB74E949CB56

Function 00405E40 Relevance: 7.6, APIs: 5, Instructions: 56windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0046C263: SendMessageA.USER32(?,0000110C,00000000,00000040), ref: 0046C284

SendMessageA.USER32(?,0000110A,00000004,?), ref: 00405E65
SendMessageA.USER32(?,0000110A,00000004,00000000), ref: 00405E85
SendMessageA.USER32(?,00001101,00000000,00000000), ref: 00405E97
SendMessageA.USER32(?,0000110A,00000004,00000000), ref: 00405EA5
SendMessageA.USER32(?,00001101,00000000,00000000), ref: 00405EB7

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: ef180a3869087299ea98189645b00caf623884e91589511481768352ceb61f82
Instruction ID: 05eaa6226330d22775f877e20df3326543d1ecf9f390de9282fbb21af86a27af
Opcode Fuzzy Hash: ef180a3869087299ea98189645b00caf623884e91589511481768352ceb61f82
Instruction Fuzzy Hash: A70144B2B407053AF6349AA68CC1F6792AD9F94B55F04452AB741E72C0DAF8EC064A74

Function 0046FCB2 Relevance: 7.6, APIs: 5, Instructions: 52stringregistryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0046FCB7
GetClassInfoA.USER32(?,?,?), ref: 0046FCD2
RegisterClassA.USER32(?), ref: 0046FCDD
lstrcatA.KERNEL32(00000034,?,00000001), ref: 0046FD14
lstrcatA.KERNEL32(00000034,?), ref: 0046FD22

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Classlstrcat$H_prologInfoRegister
String ID:
API String ID: 106226465-0
Opcode ID: fc4b9e70072c9a6a4de6ea6010ecec731a1cac7165d70d188ca798f11a6d9a74
Instruction ID: 8776c70e8e4cde198d9ed84723235d2b0dbd7adaff8b0a27603911e1a9ea5b5f
Opcode Fuzzy Hash: fc4b9e70072c9a6a4de6ea6010ecec731a1cac7165d70d188ca798f11a6d9a74
Instruction Fuzzy Hash: E211E571500208BEDB10AFB59841BDE7BB8EF05314F00896FF55AA7251D779A6048BA9

Function 00461F4A Relevance: 7.5, APIs: 5, Instructions: 38threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000103,7FFFFFFF,0045F6B2,004610EB,00000000,?,?,00000000,00000001), ref: 00461F4C
TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 00461F5A
SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 00461FA6

Part of subcall function 0045FA62: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,00461F6F,00000001,00000074,?,?,00000000,00000001), ref: 0045FB58

TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 00461F7E
GetCurrentThreadId.KERNEL32 ref: 00461F8F

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLastValue$AllocCurrentHeapThread
String ID:
API String ID: 2020098873-0
Opcode ID: 1ab6db0675a12060436d9e0950c769b011abf70acea02798a0c7a995397092d6
Instruction ID: 8be2d9e2a45208f235805a2894ad2b3050a3a55f907363f6779d7a9506584963
Opcode Fuzzy Hash: 1ab6db0675a12060436d9e0950c769b011abf70acea02798a0c7a995397092d6
Instruction Fuzzy Hash: 33F02B329043119FD7342B70BC0D91A3E50EF41771B18013FF949D62B1EB288880979B

Function 00476E4C Relevance: 7.5, APIs: 5, Instructions: 35COMMON

Download Yara Rule

APIs

TlsFree.KERNEL32(00000000,?,?,00477359,00000000,00000001), ref: 00476E58
GlobalHandle.KERNEL32(008524F8), ref: 00476E80
GlobalUnlock.KERNEL32(00000000), ref: 00476E89
GlobalFree.KERNEL32(00000000), ref: 00476E90
DeleteCriticalSection.KERNEL32(00593F30,?,?,00477359,00000000,00000001), ref: 00476E9A

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Global$Free$CriticalDeleteHandleSectionUnlock
String ID:
API String ID: 2159622880-0
Opcode ID: 48be3e27307f0d94e6edd77c3a3c79419fd7f905fff22dc0d4623950cae13e6a
Instruction ID: 0ff47692f3dae785690b975b2492c9738ef1e88b27dc1e55bffc3a341667f6ae
Opcode Fuzzy Hash: 48be3e27307f0d94e6edd77c3a3c79419fd7f905fff22dc0d4623950cae13e6a
Instruction Fuzzy Hash: 42F0B4356006009BD7205F38DD8CA6B73EEAF84761706452EF80DD3352CB24DC424779

Function 0040B650 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 172COMMON

Download Yara Rule

APIs

Part of subcall function 0040F050: GetCurrentThreadId.KERNEL32 ref: 0040F075
Part of subcall function 0040F050: IsWindow.USER32(000203E6), ref: 0040F091
Part of subcall function 0040F050: SendMessageA.USER32(000203E6,000083E7,0040E981,00000000), ref: 0040F0AA
Part of subcall function 0040F050: ExitProcess.KERNEL32 ref: 0040F0BF

DeleteCriticalSection.KERNEL32(0058C1D8,?,?,?,?,?,?,?,?,004166CD), ref: 0040B68A

Part of subcall function 0046F7A0: __EH_prolog.LIBCMT ref: 0046F7A5

Strings

\U, xrefs: 0040B6C2
#, xrefs: 0040B903
!, xrefs: 0040B678

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalCurrentDeleteExitH_prologMessageProcessSectionSendThreadWindow
String ID: !$#$\U
API String ID: 2888814780-2604676548
Opcode ID: 6b92d1c18af96e79ecd4f14a91da24d0effccb3f52d52451fb6e21d07015d167
Instruction ID: 16ffa0b27588915a0765722eb77ca79688d70676aee5522c25cc1b96d69aae7a
Opcode Fuzzy Hash: 6b92d1c18af96e79ecd4f14a91da24d0effccb3f52d52451fb6e21d07015d167
Instruction Fuzzy Hash: 66915F701487818AD312DF75C49479ABFE4AFA6348F14085EE4D6072E2DBB8A24DC7A7

Function 004223C0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 154COMMON

Download Yara Rule

Strings

PU, xrefs: 0042255F
, xrefs: 004223F9

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $PU
API String ID: 0-4237030340
Opcode ID: 2639bf2a3c4b7080201bed84bcdce9a8754e6fb28a0ec4a3c12a93aa6a54cf42
Instruction ID: b9b873fff5f93f6da448c2498aa5feb3a5ea6e9f94fdcab4cc4ded94d1ff13a2
Opcode Fuzzy Hash: 2639bf2a3c4b7080201bed84bcdce9a8754e6fb28a0ec4a3c12a93aa6a54cf42
Instruction Fuzzy Hash: 8451D170304351ABD318DF28D991F6BB7A4FB85358F400A2EF94693290DB78E845CB9A

Function 004734CC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 004734E8
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 0047353B
GlobalUnlock.KERNEL32(?), ref: 004735D2

Strings

@, xrefs: 00473525

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Global$ByteCharLockMultiUnlockWide
String ID: @
API String ID: 231414890-2766056989
Opcode ID: 367d12f71d64ac993f857addbd875d0d1479eab6aef20f9df2bd962b1da27692
Instruction ID: 873fbc1776db20b2526d97063324ad192f66f4ebfb9d58c3c2714c52bfed225b
Opcode Fuzzy Hash: 367d12f71d64ac993f857addbd875d0d1479eab6aef20f9df2bd962b1da27692
Instruction Fuzzy Hash: A841A572800215FBCB14DFA4C8819EEBBB4FF00355F14C56EE819AB245D7359A46DB98

Function 0041BD50 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B920: GetObjectA.GDI32(?,00000018,?), ref: 0041B95D
Part of subcall function 0041B920: GetDeviceCaps.GDI32 ref: 0041B9F7
Part of subcall function 0041B920: GetSystemPaletteEntries.GDI32(?,00000000,000000FF,00000004), ref: 0041BA31
Part of subcall function 0041B920: CreatePalette.GDI32(00000000), ref: 0041BA3C

GlobalAlloc.KERNEL32(00000002,?), ref: 0041BDDA
GlobalLock.KERNEL32(00000000), ref: 0041BDF5
GlobalUnlock.KERNEL32(00000000), ref: 0041BE0E

Strings

U, xrefs: 0041BE61

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Global$Palette$AllocCapsCreateDeviceEntriesLockObjectSystemUnlock
String ID: U
API String ID: 1348334340-1631320392
Opcode ID: 27b49a2e031553069b41dd37f788e1b84eaec9befdd4dfb6afc83c2249e35f2b
Instruction ID: ebb3b724c0f0c4522f240f298f395d51bde323dd2f89bbc7712c7219b1454b67
Opcode Fuzzy Hash: 27b49a2e031553069b41dd37f788e1b84eaec9befdd4dfb6afc83c2249e35f2b
Instruction Fuzzy Hash: 6131C3711083419FC304EF29C885AAFFBE4FBD4754F44091EF89993291DB789948CBA2

Function 00406F70 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00478688,00000142,00000000,FFFF0000), ref: 00407002
SendMessageA.USER32(00478688,0000014D,000000FF,%o@), ref: 00407020
SendMessageA.USER32(00478688,0000014E,00000000,00000000), ref: 00407033

Strings

%o@, xrefs: 0040700A, 00407035, 00406FE6, 00406FBF, 00406FC3, 00406FEC, 00407017

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID: %o@
API String ID: 3850602802-1434348513
Opcode ID: 6f308e6d9310b61d76ed087881eccedcea4bfe66a4fa71a11561717b3b19de4f
Instruction ID: e350a658d404d8aea9bcffc44e8191e4e50d2dbf86209e5dd5d02d6efaa060ab
Opcode Fuzzy Hash: 6f308e6d9310b61d76ed087881eccedcea4bfe66a4fa71a11561717b3b19de4f
Instruction Fuzzy Hash: 1821B075244711ABC624DF28DC45F6BB7E9EB84720F108B1EF06A973D0CB78A8058B56

Function 004311C0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 63windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0046B8EB: __EH_prolog.LIBCMT ref: 0046B8F0
Part of subcall function 0046B8EB: lstrcpynA.KERNEL32(?,?,00000104), ref: 0046B9DD

Part of subcall function 0046BA85: lstrlenA.KERNEL32(?,?,?,0000000C,?,?,0041AB89,?,-00000001,00000000,?,?,?,00576BB0), ref: 0046BA8F
Part of subcall function 0046BA85: GetFocus.USER32 ref: 0046BAAA
Part of subcall function 0046BA85: IsWindowEnabled.USER32(?), ref: 0046BAD3
Part of subcall function 0046BA85: EnableWindow.USER32(?,00000000), ref: 0046BAE5
Part of subcall function 0046BA85: GetOpenFileNameA.COMDLG32(?,?), ref: 0046BB10
Part of subcall function 0046BA85: EnableWindow.USER32(?,00000001), ref: 0046BB2E
Part of subcall function 0046BA85: IsWindow.USER32(?), ref: 0046BB34
Part of subcall function 0046BA85: SetFocus.USER32(?), ref: 0046BB42

Part of subcall function 0046BB60: __EH_prolog.LIBCMT ref: 0046BB65
Part of subcall function 0046BB60: GetParent.USER32(?), ref: 0046BBA2
Part of subcall function 0046BB60: SendMessageA.USER32(?,00000464,00000104,00000000), ref: 0046BBCA
Part of subcall function 0046BB60: GetParent.USER32(?), ref: 0046BBF3
Part of subcall function 0046BB60: SendMessageA.USER32(?,00000465,00000104,00000000), ref: 0046BC10

Part of subcall function 00471A15: SetWindowTextA.USER32(?,004192DA), ref: 00471A23

Part of subcall function 0046D739: InterlockedDecrement.KERNEL32(-000000F4), ref: 0046D74D

SendMessageA.USER32(?,000000B1,00000000,000000FF), ref: 0043126D
SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 0043127C

Part of subcall function 00471B50: SetFocus.USER32(?,0040E113), ref: 00471B5A

Strings

prn, xrefs: 004311EE
out.prn, xrefs: 004311E9

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$MessageSend$Focus$EnableH_prologParent$DecrementEnabledFileInterlockedNameOpenTextlstrcpynlstrlen
String ID: out.prn$prn
API String ID: 4074345921-3109735852
Opcode ID: a2557c269c6a38f6c929e2347e1c85f4eedd2da945d4eec52e3389c75e3987ef
Instruction ID: 49b7a3aa3f2dbd6be5706a5f0eb2f5a07f6041d650a948d6503ad2f12d42b4e2
Opcode Fuzzy Hash: a2557c269c6a38f6c929e2347e1c85f4eedd2da945d4eec52e3389c75e3987ef
Instruction Fuzzy Hash: 3021D130248380ABD330EB15CC86F9BB7E4AB88B10F108A1EF5AD532D1DBB86448C657

Function 00475A8E Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00475A93

Part of subcall function 0047729F: __EH_prolog.LIBCMT ref: 004772A4

Part of subcall function 0047197F: GetWindowLongA.USER32(?,000000F0), ref: 0047198B

Part of subcall function 004740D8: __EH_prolog.LIBCMT ref: 004740DD
Part of subcall function 004740D8: GetDC.USER32(00000000), ref: 00474106

Part of subcall function 0045D0DC: SendMessageA.USER32(?,00000031,00000000,00000000), ref: 0045D0E5

Part of subcall function 004739D4: SelectObject.GDI32(?,00000000), ref: 004739F6
Part of subcall function 004739D4: SelectObject.GDI32(?,?), ref: 00473A0C

GetTextMetricsA.GDI32(?,xiG), ref: 00475AE5

Strings

,?Y, xrefs: 00475AA4
xiG, xrefs: 00475ADE, 00475AF4, 00475AE1

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog$ObjectSelect$LongMessageMetricsSendTextWindow
String ID: ,?Y$xiG
API String ID: 2410843227-2087424264
Opcode ID: 69889bceefd2c83b8e7bb9b6eb8ef8f691a8589763f607f56094c45e0a44ddfb
Instruction ID: 9c9307730fe50c161ba64023d1a3c671d1fc06c48b167a13d981bb016b4544db
Opcode Fuzzy Hash: 69889bceefd2c83b8e7bb9b6eb8ef8f691a8589763f607f56094c45e0a44ddfb
Instruction Fuzzy Hash: 4E11E972A104549BCB04FBA9CC419EDB779EF84314F00812FE016E7291DFB86D05CB58

Function 00411F70 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(?,WTWindow,00000000), ref: 00411F98
LoadCursorA.USER32(00000000,00007F00), ref: 00411FA9
GetStockObject.GDI32(00000005), ref: 00411FB3

Strings

WTWindow, xrefs: 00411F8C, 00411F96

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ClassCursorInfoLoadObjectStock
String ID: WTWindow
API String ID: 1762135420-3503404378
Opcode ID: da021dda2874144fb779ae11ccbfa7df7d7be79ad8bb83575e0c16199db67c60
Instruction ID: 4d5303316e54df7daf3b52edec16a50304027cceaf3e62d0b2bbf661990492e6
Opcode Fuzzy Hash: da021dda2874144fb779ae11ccbfa7df7d7be79ad8bb83575e0c16199db67c60
Instruction Fuzzy Hash: FB118E72909341AFC300DF669C8495BFBE8FF88364F40482EF98C93210D73899858B9A

Function 00474BCD Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27stringCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(00000000,000000F0), ref: 00474BDE
GetClassNameA.USER32(00000000,?,0000000A), ref: 00474BF9
lstrcmpiA.KERNEL32(?,combobox), ref: 00474C08

Strings

combobox, xrefs: 00474C02

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ClassLongNameWindowlstrcmpi
String ID: combobox
API String ID: 2054663530-2240613097
Opcode ID: b9e1fabaa97307bd3decc448943da14d069960939f8bf40b1eaea744793a75ed
Instruction ID: 90aa373466ba7f91f5b5d848785174d5de7cbcc2b52d3f742c59fa2188825bae
Opcode Fuzzy Hash: b9e1fabaa97307bd3decc448943da14d069960939f8bf40b1eaea744793a75ed
Instruction Fuzzy Hash: 0DE06531554109BFCF115F74DC8AEAA3FA8F751305F108231B41AD60A0D734E6858B55

Function 00477E9F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(005940C0,?,?,?,0046B350,00000000,00000001), ref: 00477EC5
DeleteCriticalSection.KERNEL32(005940D8,?,?,?,0046B350,00000000,00000001), ref: 00477ED7

Strings

x@Y, xrefs: 00477EC7
pBY, xrefs: 00477EE1

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalDeleteSection
String ID: pBY$x@Y
API String ID: 166494926-2448141916
Opcode ID: 8ac1a05d61e2cd0038db65a03034c418a31063f6bc91c023d21b7aa466f4fdd1
Instruction ID: b1ff4ef8fce947eae710bd5bf2d013e9ebda547561555ea301db1a1abcc675b2
Opcode Fuzzy Hash: 8ac1a05d61e2cd0038db65a03034c418a31063f6bc91c023d21b7aa466f4fdd1
Instruction Fuzzy Hash: 7AE092764002059BDE201768EC88F8B66A8F750325F4A457BE50851161C3791C8ADE90

Function 00462440 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,0045D4A0), ref: 00462445
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00462455

Strings

IsProcessorFeaturePresent, xrefs: 0046244F
KERNEL32, xrefs: 00462440

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 6f0a52847082aba49243649d36a22544d5ee3b7dae16f93ffe555051898b49f0
Instruction ID: 98183eccf72e074d2c6a639e8bea91f2e272d18255bd8ecd1f042599cf88130e
Opcode Fuzzy Hash: 6f0a52847082aba49243649d36a22544d5ee3b7dae16f93ffe555051898b49f0
Instruction Fuzzy Hash: 82C08C3034470076DE241BF26E5AB262A583B10B82F00C029B80ED22C2EFD8C240DC2F

Function 00460846 Relevance: 6.5, APIs: 5, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d0357803f7f2186f299218331d05d0216b36892005f39d8a281e0fda14afc09
Instruction ID: f960e4c88a9ad66bb6414e3a6983e947215c99e23ffeef225339426325261603
Opcode Fuzzy Hash: 9d0357803f7f2186f299218331d05d0216b36892005f39d8a281e0fda14afc09
Instruction Fuzzy Hash: C491F7B1D01614AADF21ABA5DC40A9F7B79EB14764F200227F814B6291F3399D84CB6E

Function 0046661C Relevance: 6.4, APIs: 5, Instructions: 102memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,00002020,0057CFB0,?,?,?,00466AE8,00000000,00000010,00000000,00000009,00000009,?,0045ECE1,00000010,00000000), ref: 0046663D
VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,00466AE8,00000000,00000010,00000000,00000009,00000009,?,0045ECE1,00000010,00000000), ref: 00466661
VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,00466AE8,00000000,00000010,00000000,00000009,00000009,?,0045ECE1,00000010,00000000), ref: 0046667B
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00466AE8,00000000,00000010,00000000,00000009,00000009,?,0045ECE1,00000010,00000000,?), ref: 0046673C
HeapFree.KERNEL32(00000000,00000000,?,?,00466AE8,00000000,00000010,00000000,00000009,00000009,?,0045ECE1,00000010,00000000,?,00000000), ref: 00466753

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual$FreeHeap
String ID:
API String ID: 714016831-0
Opcode ID: cda2dc0af6b1b49adb7c87794e7997fade247249ae505687e4779431393fe54e
Instruction ID: 2f1ea318260cb07eb049b80432b6bd71319b9de7815da68d213eba0708e9428b
Opcode Fuzzy Hash: cda2dc0af6b1b49adb7c87794e7997fade247249ae505687e4779431393fe54e
Instruction Fuzzy Hash: 853122B06007019FD3308F28EC44B26BFE5FB54759F12423FE559A7390EB78A885AB49

Function 00420F70 Relevance: 6.2, APIs: 4, Instructions: 246COMMON

Download Yara Rule

APIs

midiStreamOpen.WINMM(?,?,00000001,004215A0,?,00030000,?,?,?,00000000), ref: 00420F9B
midiStreamProperty.WINMM ref: 00421082
midiOutPrepareHeader.WINMM(?,?,00000040,00000001,?,?,?,?,00000000), ref: 004211D0

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: midi$Stream$HeaderOpenPrepareProperty
String ID:
API String ID: 2061886437-0
Opcode ID: 126a88f6ad608e44213d9c1cd214248f6d0f0cdf2ec4c4f901cd5e9682351b52
Instruction ID: d0697528e31cc4bed1924d6a0530d8351b751d82de7897053be41b04885aac2a
Opcode Fuzzy Hash: 126a88f6ad608e44213d9c1cd214248f6d0f0cdf2ec4c4f901cd5e9682351b52
Instruction Fuzzy Hash: A4A16A713006158FC724CF28D990BAAB7F6FB88304F50492EE686C7660EB36F959CB44

Function 00467E98 Relevance: 6.2, APIs: 4, Instructions: 170fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(000001D0,000001D0,00000000,000001D0,00000000,00000000,00000000,00000000), ref: 00467F12
GetLastError.KERNEL32 ref: 00467F1C
ReadFile.KERNEL32(?,?,00000001,000001D0,00000000), ref: 00467FE2
GetLastError.KERNEL32 ref: 00467FEC

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 96fbc5e88bfc92c2852f38554bf3c3b5a1d92691f8a13e70a250bf02526e99ae
Instruction ID: d332be2d40cfb6abffec8b8f5db54918eb3b57eee31e53739252456cc49ed2ab
Opcode Fuzzy Hash: 96fbc5e88bfc92c2852f38554bf3c3b5a1d92691f8a13e70a250bf02526e99ae
Instruction Fuzzy Hash: 2A510B34604345DFDF258F58C880B9A7BB0AF12308F15459FE85597352E778D98ACB1B

Function 004066F0 Relevance: 6.2, APIs: 4, Instructions: 169windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00474240: __EH_prolog.LIBCMT ref: 00474245
Part of subcall function 00474240: BeginPaint.USER32(?,?,?,?,00403979), ref: 0047426E

Part of subcall function 00473DF1: GetClipBox.GDI32(?,?), ref: 00473DF8

IsRectEmpty.USER32(?), ref: 00406736
PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 004067BD
GetCurrentObject.GDI32(?,00000006), ref: 0040684A
GetClientRect.USER32(?,?), ref: 004068BC

Part of subcall function 004742B2: __EH_prolog.LIBCMT ref: 004742B7
Part of subcall function 004742B2: EndPaint.USER32(?,?,?,?,004039F3), ref: 004742D4

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: H_prologPaintRect$BeginClientClipCurrentEmptyObject
String ID:
API String ID: 3717962522-0
Opcode ID: 65f885eb3526d0252576b7f384d26fec78ce7bc173c1c1b09f351b156ae28715
Instruction ID: 7dade80446448011c74f9fb2cac64b53d744628463fe04792e54b48bae25361c
Opcode Fuzzy Hash: 65f885eb3526d0252576b7f384d26fec78ce7bc173c1c1b09f351b156ae28715
Instruction Fuzzy Hash: A26181715083409FD324EF65C845FABB7E8FF94714F00892EF58A83281EB78A949CB56

Function 0041F070 Relevance: 6.2, APIs: 4, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0041F082
PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 0041F0DA
__ftol.LIBCMT ref: 0041F1C5
__ftol.LIBCMT ref: 0041F1D2

Part of subcall function 004739D4: SelectObject.GDI32(?,00000000), ref: 004739F6
Part of subcall function 004739D4: SelectObject.GDI32(?,?), ref: 00473A0C

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ObjectSelect__ftol$ClientRect
String ID:
API String ID: 2514210182-0
Opcode ID: ede41a5f59c22cac25aa33cd9883f69df61d0774e8decf863d072fb6ecb27aac
Instruction ID: 8a8ff725df4c7092a64b77eb5595b6fdface77cb1b8c5b669d748acd09b4d75f
Opcode Fuzzy Hash: ede41a5f59c22cac25aa33cd9883f69df61d0774e8decf863d072fb6ecb27aac
Instruction Fuzzy Hash: 5F5191B17083019FC714CF69C9809ABBBE5FBC8740F148A2EF88593251D775DD8A8B96

Function 00433230 Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 0043326E
GetDC.USER32(?), ref: 004333D2
ReleaseDC.USER32(?,?), ref: 004333F6
DeleteObject.GDI32(?), ref: 00433428

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DeleteObject$Release
String ID:
API String ID: 2600533906-0
Opcode ID: 949e9433fb59bf0aaa2ad5784353e3cd7180ec7919ca4f918eeef5c69b549ca5
Instruction ID: 44e232cdd571b176809f15026cce0ab641258020c2f9ba23574246c0cdeac4d0
Opcode Fuzzy Hash: 949e9433fb59bf0aaa2ad5784353e3cd7180ec7919ca4f918eeef5c69b549ca5
Instruction Fuzzy Hash: F2517FB1A002049BDF14DF68C484B9A7BE5BF58311F1881BAEC49CF30AEB389945CB65

Function 0040C820 Relevance: 6.1, APIs: 4, Instructions: 145COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 0040C894
GetParent.USER32(00000000), ref: 0040C8E4
IsWindow.USER32(?), ref: 0040C904
SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000013), ref: 0040C97F

Part of subcall function 00471AE7: ShowWindow.USER32(?,?,0040A94C,00000000), ref: 00471AF5

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$ParentShow
String ID:
API String ID: 2052805569-0
Opcode ID: 200f1ff9b9adeb69ba133031a965ae02e4caeddccad27a990c744491c4676665
Instruction ID: ea20214b372e507e443f447ca025677d0f7a7dd167c2e451cc21eef61c62fef0
Opcode Fuzzy Hash: 200f1ff9b9adeb69ba133031a965ae02e4caeddccad27a990c744491c4676665
Instruction Fuzzy Hash: 2B419D726443019BD720DF659C81BABB3A5AB84754F04463EFE48AB3C1D778EC0987A9

Function 00402B30 Relevance: 6.1, APIs: 4, Instructions: 144windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00471B0E: IsWindowEnabled.USER32(?), ref: 00471B18

IsWindowVisible.USER32(?), ref: 00402B6A

Part of subcall function 0046FADD: GetWindowTextLengthA.USER32(?), ref: 0046FAEA
Part of subcall function 0046FADD: GetWindowTextA.USER32(?,00000000,00000000), ref: 0046FB02

Part of subcall function 0046C334: SendMessageA.USER32(?,00000466,00000000,00000000), ref: 0046C340

wsprintfA.USER32 ref: 00402C04
SendMessageA.USER32(?,000000B1,00000000,000000FF), ref: 00402C30
SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 00402C3F

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$MessageSend$Text$EnabledLengthVisiblewsprintf
String ID:
API String ID: 1914814478-0
Opcode ID: ab03fea636787b38b29d0c7050d8f69896b72406ab629ece0a1cc2a618a13dc4
Instruction ID: 1cdd6a1be4acccc58ed8ff6989e724eb3c6d48bc50464b85765291571a18148f
Opcode Fuzzy Hash: ab03fea636787b38b29d0c7050d8f69896b72406ab629ece0a1cc2a618a13dc4
Instruction Fuzzy Hash: 705159756087409FD724DF18C981B5BB7F5BB88700F10892EE59A97780DB78E805CB56

Function 00467CA8 Relevance: 6.1, APIs: 4, Instructions: 135fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,00000000,00000000,00000001,?,?), ref: 00467D6F

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: e52c2993afcaf054bc18bf68a1c9e53c36c80aca4dcacc6224d702edc3d32fcc
Instruction ID: bbbd4664e637b102c8ded723cae5aee58f314db65eb25608cbb14cd9da25013d
Opcode Fuzzy Hash: e52c2993afcaf054bc18bf68a1c9e53c36c80aca4dcacc6224d702edc3d32fcc
Instruction Fuzzy Hash: A451C671904208EFCB11CF68C884AAE7BF4FF41348F2085AAE815DB261E734DE45CB5A

Function 0042AF60 Relevance: 6.1, APIs: 4, Instructions: 108windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 0042AFD4
SendMessageA.USER32(?,000000B1,?,000000FF), ref: 0042B02D
SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 0042B03C
SendMessageA.USER32(?,000000C2,00000000,?), ref: 0042B06A

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Window
String ID:
API String ID: 2326795674-0
Opcode ID: eb0949d41033795a7ff70fd39be6b5347c7141ec9afd17f5bfd4f75e077b70bd
Instruction ID: c4f2f2259c3340a15df4632b2b0b93aa99c458f41509755437dc5f64c237777a
Opcode Fuzzy Hash: eb0949d41033795a7ff70fd39be6b5347c7141ec9afd17f5bfd4f75e077b70bd
Instruction Fuzzy Hash: D741B4722487519FD320DB19DC80B5BF7E4EB95710F448A1EF9A5873D1C3789808CB96

Function 0043F1D0 Relevance: 6.1, APIs: 4, Instructions: 100windowCOMMON

Download Yara Rule

APIs

CreateSolidBrush.GDI32(?), ref: 0043F25A
SendMessageA.USER32(?,00000030,00000000,00000000), ref: 0043F29E
SendMessageA.USER32(?,000000B1,?,000000FF), ref: 0043F2D4
SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 0043F2E3

Part of subcall function 00471A15: SetWindowTextA.USER32(?,004192DA), ref: 00471A23

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$BrushCreateSolidTextWindow
String ID:
API String ID: 3501373727-0
Opcode ID: 950ee736e21458447628c34c8ba3adbd6c437294d6807ff92f8bb7bf5bb8c617
Instruction ID: 8fbbb3b2bae3dafa055d9318beb4c7ced8aa091d6a611b099dd922dbd78dc037
Opcode Fuzzy Hash: 950ee736e21458447628c34c8ba3adbd6c437294d6807ff92f8bb7bf5bb8c617
Instruction Fuzzy Hash: A83127746047009FD324DF19C851B2BBBE5FB88B14F108A1EF99987791CBB9A800CB99

Function 004751AB Relevance: 6.1, APIs: 4, Instructions: 87windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00475323: GetParent.USER32(?), ref: 00475356
Part of subcall function 00475323: GetLastActivePopup.USER32(?), ref: 00475365
Part of subcall function 00475323: IsWindowEnabled.USER32(?), ref: 0047537A
Part of subcall function 00475323: EnableWindow.USER32(?,00000000), ref: 0047538D

SendMessageA.USER32(?,00000376,00000000,00000000), ref: 004751E1
GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,?,00000000), ref: 0047524F
MessageBoxA.USER32(00000000,?,?,00000000), ref: 0047525D
EnableWindow.USER32(00000000,00000001), ref: 00475279

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$EnableMessage$ActiveEnabledFileLastModuleNameParentPopupSend
String ID:
API String ID: 1958756768-0
Opcode ID: d2c1782df0c7113eddbd8952f9d46956ad480ef16e6100e09095bf28ff284157
Instruction ID: 9c80c63bd24c0c1a98d17240afdb8fdcb57eb70f75e52e575085223e4a427432
Opcode Fuzzy Hash: d2c1782df0c7113eddbd8952f9d46956ad480ef16e6100e09095bf28ff284157
Instruction Fuzzy Hash: 0721F672E00508AFDB209F94CCC1BEEB7B9EB04741F54847AF609EB281C7B59D808B55

Function 00471D00 Relevance: 6.1, APIs: 4, Instructions: 85stringtimeCOMMON

Download Yara Rule

APIs

lstrcpynA.KERNEL32(00471CFC,?,00000104,?,?,?,?,?,?,?,00471CEA,?), ref: 00471D2A
GetFileTime.KERNEL32(00000000,00471CEA,?,?,?,?,?,?,?,?,?,00471CEA,?), ref: 00471D4B
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00471CEA,?), ref: 00471D5A
GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,?,00471CEA,?), ref: 00471D7B

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$AttributesSizeTimelstrcpyn
String ID:
API String ID: 1499663573-0
Opcode ID: 9d9881dbc263a5b8fa4c7d07be2ce02ab6064cb793db8891312b2db3ffe36b2f
Instruction ID: a4707360c74a456ccdae97127b0bf88171baa88d7dc5335b57f9def078485494
Opcode Fuzzy Hash: 9d9881dbc263a5b8fa4c7d07be2ce02ab6064cb793db8891312b2db3ffe36b2f
Instruction Fuzzy Hash: 98318E72500605AFC720DF65CC85AEBB7B8BB14350F108A2EE19AC7290EB74B984CF94

Function 00408540 Relevance: 6.1, APIs: 4, Instructions: 84windowCOMMON

Download Yara Rule

APIs

GetMessagePos.USER32 ref: 004085D8
ScreenToClient.USER32(?,?), ref: 004085FA
ChildWindowFromPointEx.USER32(?,?,?,00000005), ref: 00408610
GetFocus.USER32 ref: 0040861B

Part of subcall function 00471B50: SetFocus.USER32(?,0040E113), ref: 00471B5A

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Focus$ChildClientFromMessagePointScreenWindow
String ID:
API String ID: 3117237277-0
Opcode ID: 07db3c0479429faccc63a16535d0e82368efcc6ee8c66ee8da7b15772b08aa0b
Instruction ID: e1b7a02907dd99f160127e811902425370d7ec120630163b340fada0c1a8b5a8
Opcode Fuzzy Hash: 07db3c0479429faccc63a16535d0e82368efcc6ee8c66ee8da7b15772b08aa0b
Instruction Fuzzy Hash: A821A731300201ABD614DB24DD55F6B73A9AF80308F15853EF949A73C5EF39F84687A9

Function 0045D345 Relevance: 6.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 0045D36B

Part of subcall function 00462126: HeapCreate.KERNELBASE(00000000,00001000,00000000,0045D3A3,00000001), ref: 00462137
Part of subcall function 00462126: HeapDestroy.KERNEL32 ref: 00462176

GetCommandLineA.KERNEL32 ref: 0045D3CB
GetStartupInfoA.KERNEL32(?), ref: 0045D3F6
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0045D419

Part of subcall function 0045D472: ExitProcess.KERNEL32 ref: 0045D48F

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
String ID:
API String ID: 2057626494-0
Opcode ID: 41a8fb379b94b455b51e338aa8201f144a67dff6a0c2a10af741cdec3f47e444
Instruction ID: 5661033b32775c9a12dfa35f0390fc67844d618482af10204a6a8410d617cfb2
Opcode Fuzzy Hash: 41a8fb379b94b455b51e338aa8201f144a67dff6a0c2a10af741cdec3f47e444
Instruction Fuzzy Hash: 4621B4B0C00705ABD718AFB5DC86A6E7BA8EF05705F10452FF904972A1EB384884CB5A

Function 0043FA50 Relevance: 6.1, APIs: 4, Instructions: 73windowCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000002D), ref: 0043FA79
SystemParametersInfoA.USER32 ref: 0043FAD3
CreateFontIndirectA.GDI32(?), ref: 0043FAE1
CreatePalette.GDI32(00000300), ref: 0043FB39

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateSystem$FontIndirectInfoMetricsPaletteParameters
String ID:
API String ID: 934993634-0
Opcode ID: 70c9d039254e57aa9d12a712da2462a451a78c5f66dcf8029049ad9e5079015b
Instruction ID: b466a86b134289036f60271dfa1366d860eb734cd505bd5e93e2a925e6432325
Opcode Fuzzy Hash: 70c9d039254e57aa9d12a712da2462a451a78c5f66dcf8029049ad9e5079015b
Instruction Fuzzy Hash: 8031BF71505780CFD320CF69C888AABFBF5FF84308F40896EE19A8B691D775A448CB61

Function 00408E60 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

StartPage.GDI32(?), ref: 00408EA5
EndPage.GDI32(?), ref: 00408ECB

Part of subcall function 00416E50: wsprintfA.USER32 ref: 00416E5F

Part of subcall function 00471A15: SetWindowTextA.USER32(?,004192DA), ref: 00471A23

UpdateWindow.USER32(?), ref: 00408F1A
EndPage.GDI32(?), ref: 00408F32

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Page$Window$StartTextUpdatewsprintf
String ID:
API String ID: 104827578-0
Opcode ID: b7e6fb22168a0ec747e8e8d6a78c3b9572f797515b189a7e40c703727f9d9547
Instruction ID: 76a126c5e669ccb961305bb716359de43ed18da72669309d886377c5c4e1d722
Opcode Fuzzy Hash: b7e6fb22168a0ec747e8e8d6a78c3b9572f797515b189a7e40c703727f9d9547
Instruction Fuzzy Hash: 39215071601B019BC324DF7ADC84ADBB7E9EFC4704F10883EF49ED6251EA34A4458B59

Function 00403840 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0040386C
GetParent.USER32(?), ref: 00403881
SetParent.USER32(?,?), ref: 0040389F
GetWindowRect.USER32(?,?), ref: 004038B4

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Parent$RectWindow
String ID:
API String ID: 2276825053-0
Opcode ID: a5e4abb74182fa9b892a7cdb8a51bd2566858b4e28b9b4be093a5a9241846108
Instruction ID: 6d77d100f4ad5647351825a86b773f975fe2f9da10a3dc674ea74a66752f98d2
Opcode Fuzzy Hash: a5e4abb74182fa9b892a7cdb8a51bd2566858b4e28b9b4be093a5a9241846108
Instruction Fuzzy Hash: 90119DB26003459FD724EF68D885DABB7EDEB84240F00892EB84593342EA38ED0587A5

Function 0046A10C Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,?,?), ref: 0046A13B
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,?,00000000,00000000), ref: 0046A14E
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0046A19A
CompareStringW.KERNEL32(0044EA86,00000000,00000000,00000000,?,00000000,?,00000000), ref: 0046A1B2

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharMultiWide$CompareString
String ID:
API String ID: 376665442-0
Opcode ID: 8d124a7aa517b040810bc54054e15a2f24b37b62d91f383f8c13674890d9b8b3
Instruction ID: e6350a6030e44aafd75241cd2cf8a3f69e9a910660179f18c287d4f3d451c8c8
Opcode Fuzzy Hash: 8d124a7aa517b040810bc54054e15a2f24b37b62d91f383f8c13674890d9b8b3
Instruction Fuzzy Hash: 19213732900209EBCF218F94CC819DEBFB6FB49360F14412AFA1172160D3369966DFA6

Function 0040AE00 Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

GetTopWindow.USER32(?), ref: 0040AE0D

Part of subcall function 0040AC40: IsChild.USER32(?,?), ref: 0040ACBD
Part of subcall function 0040AC40: GetParent.USER32(?), ref: 0040ACD7

SendMessageA.USER32(00000000,000000F0,00000000,00000000), ref: 0040AE66
SendMessageA.USER32(00000000,000000F1,00000000,00000000), ref: 0040AE76
GetWindow.USER32(00000000,00000002), ref: 0040AE7B

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSendWindow$ChildParent
String ID:
API String ID: 1043810220-0
Opcode ID: 86e27de25a9b26dfb8bc09f5fe73546b362a933bed0be32aaef598f33a6dbc8c
Instruction ID: ffd94925fdcc8633ea0c98e9d785ecc9018fe610cf148161d3d741686e166bf9
Opcode Fuzzy Hash: 86e27de25a9b26dfb8bc09f5fe73546b362a933bed0be32aaef598f33a6dbc8c
Instruction Fuzzy Hash: 7F015A323C171276E2319629DC96F6B72485B65B50F14023ABB04FA2D0DEA8EC5082AE

Function 00430290 Relevance: 6.1, APIs: 4, Instructions: 54windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 004302AB
SendMessageA.USER32(?,000083EB,?,00000000), ref: 004302D5
SendMessageA.USER32(?,000083EC,?,00000000), ref: 004302E9
SendMessageA.USER32(?,000083E9,?,00000000), ref: 0043030C

Part of subcall function 00471A3C: GetDlgCtrlID.USER32(?), ref: 00471A46

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID:
API String ID: 1383977212-0
Opcode ID: 421a95fa17a577cc58ad5fe5a6aa5d5bf4b9a95455aea61e190d071effaf1d46
Instruction ID: 6dc8fc750a089d2c32b6cf8276add181b6ed1884dfb6f16ec65238a8b4bb0e5b
Opcode Fuzzy Hash: 421a95fa17a577cc58ad5fe5a6aa5d5bf4b9a95455aea61e190d071effaf1d46
Instruction Fuzzy Hash: 05018F763016047BD214B76A8CD5E6FB3ADAB88B44F00861EF50587381CE68EC4287AC

Function 0046DDC4 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 0046DDF8
GetCurrentProcess.KERNEL32(?,00000000), ref: 0046DDFE
DuplicateHandle.KERNEL32(00000000), ref: 0046DE01
GetLastError.KERNEL32(00000000), ref: 0046DE1B

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLast
String ID:
API String ID: 3907606552-0
Opcode ID: 44073da6993db5aa74f34ccdf51d2f76f546f329e6d784b3c41536306307706d
Instruction ID: 043fa79a574df1887e9d4c74485a08c96e559af4b53f6ac4d2a10f2e3ee63deb
Opcode Fuzzy Hash: 44073da6993db5aa74f34ccdf51d2f76f546f329e6d784b3c41536306307706d
Instruction Fuzzy Hash: B901AC71F00200BFEB10ABA5CC49F5A7BACDF44750F14412AF519CB281FA74DC008B65

Function 0046C6A7 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

WindowFromPoint.USER32(?,?), ref: 0046C6BF
GetParent.USER32(00000000), ref: 0046C6CC
ScreenToClient.USER32(00000000,?), ref: 0046C6ED
IsWindowEnabled.USER32(00000000), ref: 0046C706

Part of subcall function 00474BCD: GetWindowLongA.USER32(00000000,000000F0), ref: 00474BDE

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$ClientEnabledFromLongParentPointScreen
String ID:
API String ID: 2204725058-0
Opcode ID: 82f841dc397e9549cc08d70f4fd7c4e50a627e18c517167b020bae2ff2870f50
Instruction ID: 4cd8c38ca5cf0f23aaa2b66958c32c2db4fe78da0c899c28f51b9086bd16622e
Opcode Fuzzy Hash: 82f841dc397e9549cc08d70f4fd7c4e50a627e18c517167b020bae2ff2870f50
Instruction Fuzzy Hash: 54018436601515BF87129B5CDC84DBF7BB9AF89745B18402AF509D3320EB34DD009B6D

Function 0047077C Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00470787
GetTopWindow.USER32(00000000), ref: 0047079A
GetTopWindow.USER32(?), ref: 004707CA
GetWindow.USER32(00000000,00000002), ref: 004707E5

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: 60be6d74377206515a093b599eb4c7ebab2811d068277878a8efecd6b0df07c3
Instruction ID: dfd22dbbfbf0aaf7cdb11d1a5608ec2a76592bb9f64f7e4404a1720225b4c223
Opcode Fuzzy Hash: 60be6d74377206515a093b599eb4c7ebab2811d068277878a8efecd6b0df07c3
Instruction Fuzzy Hash: D5017C32103225F78B262B72DC41EDF7B59AF05794F40802BFD0895210DB39E9119EA9

Function 004707F5 Relevance: 6.0, APIs: 4, Instructions: 49windowCOMMON

Download Yara Rule

APIs

GetTopWindow.USER32(?), ref: 00470803
SendMessageA.USER32(00000000,?,?,?), ref: 00470839
GetTopWindow.USER32(00000000), ref: 00470846
GetWindow.USER32(00000000,00000002), ref: 00470864

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$MessageSend
String ID:
API String ID: 1496643700-0
Opcode ID: 3dae254cf8aea76aacf07e80e1aafad2fe9f4269a3c3b918e24def7794f80b3b
Instruction ID: 40f5e9ccf106b301665a7cb305d9f3b741fb57ee3209332de8445c40b55d509d
Opcode Fuzzy Hash: 3dae254cf8aea76aacf07e80e1aafad2fe9f4269a3c3b918e24def7794f80b3b
Instruction Fuzzy Hash: BE01003200111AFBCF126F91DC05DDF3B26AF45750F068026FA0855161D73AC962EBEA

Function 004722DB Relevance: 6.0, APIs: 4, Instructions: 48windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32(?,?,?), ref: 00472303
GetFocus.USER32 ref: 00472316
GetParent.USER32(?), ref: 00472324
GetNextDlgTabItem.USER32(?,?,00000000), ref: 00472340

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Item$EnableFocusMenuNextParent
String ID:
API String ID: 988757621-0
Opcode ID: 4e59ceea92cdd6221226cdac779bf4f02cf47eed5d5e39d2b7d94c09c2decbb8
Instruction ID: 950f85ccabf1b95a4f9a436a59c85ada3d195813cbdf3ec6c565640fde682076
Opcode Fuzzy Hash: 4e59ceea92cdd6221226cdac779bf4f02cf47eed5d5e39d2b7d94c09c2decbb8
Instruction Fuzzy Hash: DC117031100600EBCB289F35EC59B9AB7A5FF40314F10C62EF54A861A0D778E885CB59

Function 0047554F Relevance: 6.0, APIs: 4, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004,?,?), ref: 0047557B
RegCloseKey.ADVAPI32(00000000,?,?), ref: 00475584
wsprintfA.USER32 ref: 004755A0
WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 004755B9

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ClosePrivateProfileStringValueWritewsprintf
String ID:
API String ID: 1902064621-0
Opcode ID: bd1de253b89545f2de3453fda18226bbb0da2f795f58e4529d724c9c0072945a
Instruction ID: 8cd0c097d313efdd0a1ed23d4ca9f36cf2fe07ce0428449d3182396ec9464168
Opcode Fuzzy Hash: bd1de253b89545f2de3453fda18226bbb0da2f795f58e4529d724c9c0072945a
Instruction Fuzzy Hash: EB01A232400615FBCB115FA4DC09FEE3BA9FF04714F048429FE199A064D7B4C961CB88

Function 00470EE4 Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

GetObjectA.GDI32(00000000,0000000C,?), ref: 00470F22
SetBkColor.GDI32(00000000,00000000), ref: 00470F2E
GetSysColor.USER32(00000008), ref: 00470F3E
SetTextColor.GDI32(00000000,?), ref: 00470F48

Part of subcall function 00474BCD: GetWindowLongA.USER32(00000000,000000F0), ref: 00474BDE

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Color$LongObjectTextWindow
String ID:
API String ID: 2871169696-0
Opcode ID: 2249476f7ddb9cc153caf7cce40e326fd7d26a305ecdce494f5f4f8c43d45d30
Instruction ID: c7125af1ea361918c94b7ba985a74354512559c5d094521bfbad09b86107a741
Opcode Fuzzy Hash: 2249476f7ddb9cc153caf7cce40e326fd7d26a305ecdce494f5f4f8c43d45d30
Instruction Fuzzy Hash: 7B012831101108EADF315F68EC99BEB3B69EB00304F50C522F91DE42A0C7B4D995CA99

Function 00431C70 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00431CB3
wsprintfA.USER32 ref: 00431CC9

Strings

%d.%d, xrefs: 00431CC3
gfff, xrefs: 00431C7B

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: wsprintf
String ID: %d.%d$gfff
API String ID: 2111968516-3773932281
Opcode ID: 9c396d81fed79751329ac163c5ae3072fe6b0db240dab04ff7aa6b507bd593f4
Instruction ID: 367a0977d8ef031184464bb8d9897595f73509fa652b4fdcb5516ea6a3201d6b
Opcode Fuzzy Hash: 9c396d81fed79751329ac163c5ae3072fe6b0db240dab04ff7aa6b507bd593f4
Instruction Fuzzy Hash: 04F05961B043001BCB5C992FBC09E2B2A9ABBE9B10F05C43EF94DC7390D420CC558276

Function 0047406F Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

GetWindowExtEx.GDI32(?,?), ref: 00474080
GetViewportExtEx.GDI32(?,?), ref: 0047408D
MulDiv.KERNEL32(?,00000000,00000000), ref: 004740B2
MulDiv.KERNEL32(?,00000000,00000000), ref: 004740CD

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ViewportWindow
String ID:
API String ID: 1589084482-0
Opcode ID: 64ebbbe7244f297dc0b6b18667281f510e9cb3cb37d6a77307e2ed269d9cf65e
Instruction ID: 3199eaa4c17e8a0a490178b8ef638be8b3baf4bbc3accff8c24b208e6c72b840
Opcode Fuzzy Hash: 64ebbbe7244f297dc0b6b18667281f510e9cb3cb37d6a77307e2ed269d9cf65e
Instruction Fuzzy Hash: 95F0B672400109BFEB116BA5EC06CAEBBBDEF80614710846EF855A2171EAB16D519B98

Function 00474006 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

GetWindowExtEx.GDI32(?,?), ref: 00474017
GetViewportExtEx.GDI32(?,?), ref: 00474024
MulDiv.KERNEL32(?,00000000,00000000), ref: 00474049
MulDiv.KERNEL32(?,00000000,00000000), ref: 00474064

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ViewportWindow
String ID:
API String ID: 1589084482-0
Opcode ID: 14be75578abe60a75538d4937c04265d5fb2163cba79d4cc351c1cac08a6858d
Instruction ID: 2b78ff3c4320fceceb8ea501bcd5b06b5bf1b1db320e4cdf723b6efcd815ec50
Opcode Fuzzy Hash: 14be75578abe60a75538d4937c04265d5fb2163cba79d4cc351c1cac08a6858d
Instruction Fuzzy Hash: 98F0B672400109BFEB116BA5EC06CAEBBBDEF80614710846EF855A2171EAB16D519B98

Function 0042FC00 Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 0042FC0F
PtInRect.USER32(?,?,?), ref: 0042FC24

Part of subcall function 00471B0E: IsWindowEnabled.USER32(?), ref: 00471B18

Part of subcall function 00430040: UpdateWindow.USER32(00000002), ref: 0043005D

GetCapture.USER32 ref: 0042FC4C
SetCapture.USER32(00000002), ref: 0042FC57

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CaptureRectWindow$ClientEnabledUpdate
String ID:
API String ID: 2789096292-0
Opcode ID: df8fbb4edd3b42a485b5f125e04c96f9006c50770f74bc8d7903e7e2f3d8b616
Instruction ID: 26798a8f5a1bf5fbab33eb0f694450b0773367508c96786e39c0d84b83947614
Opcode Fuzzy Hash: df8fbb4edd3b42a485b5f125e04c96f9006c50770f74bc8d7903e7e2f3d8b616
Instruction Fuzzy Hash: 06F044313046105BD314EB25EDD9AAB73BCBF84704F84492EF885D3351EA78ED058B99

Function 004064B0 Relevance: 6.0, APIs: 4, Instructions: 35registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,00000001,00000000,00000000), ref: 004064CA
RegQueryValueA.ADVAPI32 ref: 004064EE
lstrcpyA.KERNEL32(?,00000000), ref: 00406501
RegCloseKey.ADVAPI32(?), ref: 0040650C

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseOpenQueryValuelstrcpy
String ID:
API String ID: 534897748-0
Opcode ID: 6aa79808bf9e2556fc5578d366f862695ad54d73404ec7359500b09cb606661f
Instruction ID: 8769d3babde921560ebcae0942976e448e6e89d1df66b6fc6a7427062e2453e7
Opcode Fuzzy Hash: 6aa79808bf9e2556fc5578d366f862695ad54d73404ec7359500b09cb606661f
Instruction Fuzzy Hash: 57F04F75104301FFD320CB50DC88EABBBA8EBC4758F00891DB98982250D670D884CBE2

Function 00474CB7 Relevance: 6.0, APIs: 4, Instructions: 29stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 00474CC4
GetWindowTextA.USER32(?,?,00000100), ref: 00474CE0
lstrcmpA.KERNEL32(?,?), ref: 00474CF4
SetWindowTextA.USER32(?,?), ref: 00474D04

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: TextWindow$lstrcmplstrlen
String ID:
API String ID: 330964273-0
Opcode ID: 555733eba9165b6aff7f22b11e7196c6e5973f0acc0e4008553099c14a9613d7
Instruction ID: a1ed741967d999b99ce4b4bd73e446a6656bade9ef6607e42b68fda37ac7a161
Opcode Fuzzy Hash: 555733eba9165b6aff7f22b11e7196c6e5973f0acc0e4008553099c14a9613d7
Instruction Fuzzy Hash: 5DF05E32400028BBCF226F20DC48ADE3B69FB18390F008025F85EE1120D7759A908B94

Function 0040FAF0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 291COMMON

Download Yara Rule

Strings

<, xrefs: 0040FE7A

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: a2c159da4e249896854ac361ecaa3d1692c122a585e0067c7694c20b6074caf6
Instruction ID: c3e7435a111e96b57f6acf1a1ce43fcb89ba2d5b8591e1eb373debf233325612
Opcode Fuzzy Hash: a2c159da4e249896854ac361ecaa3d1692c122a585e0067c7694c20b6074caf6
Instruction Fuzzy Hash: 56B1B2715087418BD324CF24C880A6BB7E1BBC8314F548A3EF99AE7791DB34D949CB86

Function 0042B380 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CopyRect.USER32(?,00000000), ref: 0042B4E0
IsRectEmpty.USER32(?), ref: 0042B4EB

Part of subcall function 004285C0: CreateFontIndirectA.GDI32(?), ref: 004286EC

Part of subcall function 0043F1D0: CreateSolidBrush.GDI32(?), ref: 0043F25A
Part of subcall function 0043F1D0: SendMessageA.USER32(?,00000030,00000000,00000000), ref: 0043F29E
Part of subcall function 0043F1D0: SendMessageA.USER32(?,000000B1,?,000000FF), ref: 0043F2D4
Part of subcall function 0043F1D0: SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 0043F2E3

Strings

$U, xrefs: 0042B517

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$CreateRect$BrushCopyEmptyFontIndirectSolid
String ID: $U
API String ID: 4199050670-4162315028
Opcode ID: d4cd15719ce686cf07f3feeb445fc07796c7eabd14b47a9f6acdbed3c4265759
Instruction ID: 8fc5348f0a3bc0b607d06059d43e236fbeb2f8e8318fae88816ca53fcf6e23df
Opcode Fuzzy Hash: d4cd15719ce686cf07f3feeb445fc07796c7eabd14b47a9f6acdbed3c4265759
Instruction Fuzzy Hash: A061A2703087519FD314DB25D881B6BB7E9EFD8708F40491EF586C7281EBB8E9048BA6

Function 0045D512 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0045D5A2

Strings

pow, xrefs: 0045D57A, 0045D597

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 1da1faeb9f98e9d2ae4e3a7714a37f550bceb1c278d1ab6c715077f326c19c35
Instruction ID: db9f40cfb892af5a67ed334eab2e3806592e5982e210060e87f28404a2bcf349
Opcode Fuzzy Hash: 1da1faeb9f98e9d2ae4e3a7714a37f550bceb1c278d1ab6c715077f326c19c35
Instruction Fuzzy Hash: 6D513961E08505B6C721B718CA0076F7B949F10716F204D6BE885423AAFBBD8CDDAA4F

Function 0046132B Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 143COMMON

Download Yara Rule

APIs

Part of subcall function 004648C4: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0045FB18,00000009,00000000,00000000,00000001,00461F6F,00000001,00000074,?,?,00000000,00000001), ref: 00464901
Part of subcall function 004648C4: EnterCriticalSection.KERNEL32(?,?,?,0045FB18,00000009,00000000,00000000,00000001,00461F6F,00000001,00000074,?,?,00000000,00000001), ref: 0046491C

GetCPInfo.KERNEL32(00000000,?,?,00000000,00000000,?,?,0045D3E5), ref: 0046137C

Part of subcall function 00464925: LeaveCriticalSection.KERNEL32(?,0045ED02,00000009,0045ECEE,00000000,?,00000000,00000000,00000000), ref: 00464932

Strings

HY, xrefs: 00461399
HY, xrefs: 004613E9

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$EnterInfoInitializeLeave
String ID: HY$HY
API String ID: 1866836854-3247467571
Opcode ID: afdac39a4bc455e6c00eef2f5e7a8386f715ed9fac612720b03da19f71a18876
Instruction ID: 02fd6c580399e47e5b707f2cb32d3bb10b091244034d30feb218abcd4037e7cb
Opcode Fuzzy Hash: afdac39a4bc455e6c00eef2f5e7a8386f715ed9fac612720b03da19f71a18876
Instruction Fuzzy Hash: 2D419A319142946EEB10DB75E881B7B7BD0EB05318F2C406FD546873B1EA3D4C4BAB8A

Function 00412A80 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138memoryCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32(00000000), ref: 00412B84
GlobalReAlloc.KERNEL32(00000000,00000000,00000002), ref: 00412B8E

Part of subcall function 00476447: __EH_prolog.LIBCMT ref: 0047644C

Part of subcall function 0046D739: InterlockedDecrement.KERNEL32(-000000F4), ref: 0046D74D

Strings

U, xrefs: 00412AA9

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Global$AllocDecrementH_prologInterlockedUnlock
String ID: U
API String ID: 2641609054-1631320392
Opcode ID: 942711fff29e9135b6c83105e58911b81a7c31eeda666022907624a95639d0ef
Instruction ID: 2f29f5767ce6fad1e8dd5ad2eba2a7e2dbed843652206221ce8656e90ed31822
Opcode Fuzzy Hash: 942711fff29e9135b6c83105e58911b81a7c31eeda666022907624a95639d0ef
Instruction Fuzzy Hash: A6517E34D01298DEDB14EFA5C945BEDBBB0AF15304F10419EE40977282EBB81B49DB66

Function 0046157E Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,00000000), ref: 00461592

Strings

, xrefs: 004615DB
, xrefs: 004615B7

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: 2a166ceacffaa43511a7ed2443310940c6aad7ead1c1865dfc4963b8eb690a04
Instruction ID: 7b312100cf0f95f0526d4e00c8b411f449009418391c63736ab60c63019c9d3a
Opcode Fuzzy Hash: 2a166ceacffaa43511a7ed2443310940c6aad7ead1c1865dfc4963b8eb690a04
Instruction Fuzzy Hash: 40417A350002982FDB118755DD89FFB7F99EB02704F1C01D7D54AC72A2E2694D0A9F67

Function 0046FD43 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00477F5D: LeaveCriticalSection.KERNEL32(?,004772D7,00000010,00000010,?,00000000,?,?,?,00476CA7,00476D0A,00476590,00476CAD,0047247F,0047371E), ref: 00477F75

Part of subcall function 0046044C: RaiseException.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0045D425,00000000), ref: 0046047A

wsprintfA.USER32 ref: 0046FD89
wsprintfA.USER32 ref: 0046FDA5
GetClassInfoA.USER32(?,-00000058,?), ref: 0046FDB4

Strings

Afx:%x:%x, xrefs: 0046FD83

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: wsprintf$ClassCriticalExceptionInfoLeaveRaiseSection
String ID: Afx:%x:%x
API String ID: 2529146597-2071556601
Opcode ID: 88ef8a0a5ef2387652c261d28c1852fadf36f6a6eb9d9197b0cc0eaa6ab33a36
Instruction ID: 7fac69f10263178095d71ec1b2f9d1a61b6b144cda2c08b5a8f44bca149aaf0c
Opcode Fuzzy Hash: 88ef8a0a5ef2387652c261d28c1852fadf36f6a6eb9d9197b0cc0eaa6ab33a36
Instruction Fuzzy Hash: 6B114871901209AF8B10DFA5D8819DF7BB8FF45354B00803FF919E3201E7789944CBAA

Function 004031D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00478328,000000B1,00000000,000000FF), ref: 0040325D
SendMessageA.USER32(00478328,000000B7,00000000,00000000), ref: 0040326C

Strings

u1@, xrefs: 00403234, 0040326E, 0040321F, 00403223, 0040323A

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID: u1@
API String ID: 3850602802-502936971
Opcode ID: c2164b4bdccf19a330fd4526381b0f0df1e2cffc20c439cd43ab42ba10f27cca
Instruction ID: b4567b96ea2c538a43089c81484892998045735e21a81bb1707479b993f9f19e
Opcode Fuzzy Hash: c2164b4bdccf19a330fd4526381b0f0df1e2cffc20c439cd43ab42ba10f27cca
Instruction Fuzzy Hash: 9C11B171244700ABD624EF29DC41F5BB7E5EBC4720F508B0EF46A933D0CB78A4048B66

Function 00407470 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 004074F4
SendMessageA.USER32(004786A8,00000186,00000000,00000000), ref: 00407507

Strings

%t@, xrefs: 004074D4, 00407509, 004074BF, 004074C3, 004074E1

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID: %t@
API String ID: 3850602802-4232618107
Opcode ID: accb48743e8ee64732a8de7bc50b60255e3de093190fcef20d42ecf9b616fdf2
Instruction ID: 3120474453437181f941fd10f702b77a0c1d5fb6a8c9eea7bd7f0e14bfa7ebd4
Opcode Fuzzy Hash: accb48743e8ee64732a8de7bc50b60255e3de093190fcef20d42ecf9b616fdf2
Instruction Fuzzy Hash: 70118E75604600AFC224DB28DC41BABB7E5EBC4720F108B1EF46A933D0CB78A8058B66

Function 004758F5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004758FA
GetObjectA.GDI32(00000000,00000018,?), ref: 00475952

Strings

=V, xrefs: 00475941

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: H_prologObject
String ID: =V
API String ID: 3423075018-215034083
Opcode ID: f252849322de71bdcc6581efa045b5f7eff829aaaa59db05cb54a7125da8502a
Instruction ID: 662833542efa4137c0a26e6f84aeb3d69e5ca894ede19365a60a2916a025081d
Opcode Fuzzy Hash: f252849322de71bdcc6581efa045b5f7eff829aaaa59db05cb54a7125da8502a
Instruction Fuzzy Hash: CF1191B1D00645DFCB10EF94C5467EEBBF0AF08329F00845FE24967291C7B85648CB95

Function 00475B29 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0047729F: __EH_prolog.LIBCMT ref: 004772A4

SendMessageA.USER32(00476978,00000198,?,?), ref: 00475B53
InvalidateRect.USER32(00000000,?,00000000), ref: 00475B6F

Strings

,?Y, xrefs: 00475B38

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: H_prologInvalidateMessageRectSend
String ID: ,?Y
API String ID: 222458238-2222958074
Opcode ID: c07e69f3cf629500e280c5cabdbf6240123b5f1c115ee04ad5fdc57835144ffe
Instruction ID: 1f1c8affe02d97bc6f0534c434defd7ca6bcffc322ed21c8483ef46ad482a111
Opcode Fuzzy Hash: c07e69f3cf629500e280c5cabdbf6240123b5f1c115ee04ad5fdc57835144ffe
Instruction Fuzzy Hash: A4F08C76900208AFDB10EF94DC45DEABBBDFB44300F04853EFA06A6291DA70A914CB94

Function 0046F044 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16windowtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 0047720A: TlsGetValue.KERNEL32(00593F4C,?,00000000,00476C91,00476590,00476CAD,0047247F,0047371E,?,00000000,?,0046B321,00000000,00000000,00000000,00000000), ref: 00477249

GetMessageTime.USER32 ref: 0046F056
GetMessagePos.USER32 ref: 0046F05F

Strings

<?Y, xrefs: 0046F04A

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Message$TimeValue
String ID: <?Y
API String ID: 3832333830-2555971210
Opcode ID: bdfb59f83cbbf6080d6b9d75a4766fabe37ad573bff726fecd104fd05217d0f6
Instruction ID: c12bbb765ade36660669acdf220657b596ff165c7c04faee05214ba4a6a223ea
Opcode Fuzzy Hash: bdfb59f83cbbf6080d6b9d75a4766fabe37ad573bff726fecd104fd05217d0f6
Instruction Fuzzy Hash: A0D01234800B309BC7209F75A4880A77BF4EB087113404C6FE58AC7600D639F4418F94

Function 004174C0 Relevance: 5.1, APIs: 4, Instructions: 97COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00417551
wsprintfA.USER32 ref: 0041756B
wsprintfA.USER32 ref: 00417586

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: wsprintf
String ID:
API String ID: 2111968516-0
Opcode ID: 55f19e7ad791d1d26e388c0eee1221bb41a480fb75aae9702a659598a4a8d21b
Instruction ID: 196f6ca80803ca5c4114b07e7bbd5e781052d0ae176ceb3d41d8a06a09504baf
Opcode Fuzzy Hash: 55f19e7ad791d1d26e388c0eee1221bb41a480fb75aae9702a659598a4a8d21b
Instruction Fuzzy Hash: E83186B15083046FC214DB64DC8596FBBE9FFC4758F404A1EFD4A93281DB74DA48C6AA

Function 00477118 Relevance: 5.1, APIs: 4, Instructions: 62COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00477175
LeaveCriticalSection.KERNEL32(?,?), ref: 00477185
LocalFree.KERNEL32(?), ref: 0047718E
TlsSetValue.KERNEL32(?,00000000), ref: 004771A4

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$EnterFreeLeaveLocalValue
String ID:
API String ID: 2949335588-0
Opcode ID: fa6655c953e1d8e8d0f64c68ae1b5c46ae989d64089f928e5f73d8e595ce5b6b
Instruction ID: 062e92fe4e207278b0df58f954ce857d02aac5d2a22035f1a58a77f042725859
Opcode Fuzzy Hash: fa6655c953e1d8e8d0f64c68ae1b5c46ae989d64089f928e5f73d8e595ce5b6b
Instruction Fuzzy Hash: D3216731204200EFD7248F54C884BAA77A5FF85711F90C06EE94A8B3A1CB79EC81CF54

Function 0046617A Relevance: 5.1, APIs: 4, Instructions: 53memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(00000000,00000050,00000000,00000000,00465F42,00000000,00000000,00000000,0045EC83,00000000,00000000,?,00000000,00000000,00000000), ref: 004661A2
HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,00465F42,00000000,00000000,00000000,0045EC83,00000000,00000000,?,00000000,00000000,00000000), ref: 004661D6
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 004661F0
HeapFree.KERNEL32(00000000,?), ref: 00466207

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: 5a209c09ee67883e19d62e9eed7f3ae439cef2b96d724e3c7fc3b2e148471ccf
Instruction ID: 7912f207cbf5b0a9bbe1d673698e619bf45a8c84ea9d53e31a850529be38cc5a
Opcode Fuzzy Hash: 5a209c09ee67883e19d62e9eed7f3ae439cef2b96d724e3c7fc3b2e148471ccf
Instruction Fuzzy Hash: 29116AB0204200AFC7208F59EC85D26BBB9FBA63107124A6FE162C61B0D7709C4AEF04

Function 00477EED Relevance: 5.0, APIs: 4, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(005940C0,?,00000000,?,?,004772C0,00000010,?,00000000,?,?,?,00476CA7,00476D0A,00476590,00476CAD), ref: 00477F28
InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,004772C0,00000010,?,00000000,?,?,?,00476CA7,00476D0A,00476590,00476CAD), ref: 00477F3A
LeaveCriticalSection.KERNEL32(005940C0,?,00000000,?,?,004772C0,00000010,?,00000000,?,?,?,00476CA7,00476D0A,00476590,00476CAD), ref: 00477F43
EnterCriticalSection.KERNEL32(00000000,00000000,?,?,004772C0,00000010,?,00000000,?,?,?,00476CA7,00476D0A,00476590,00476CAD,0047247F), ref: 00477F55

Part of subcall function 00477E5A: GetVersion.KERNEL32(?,00477EFD,?,004772C0,00000010,?,00000000,?,?,?,00476CA7,00476D0A,00476590,00476CAD,0047247F,0047371E), ref: 00477E6D

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$Enter$InitializeLeaveVersion
String ID:
API String ID: 1193629340-0
Opcode ID: 6eea9aec912a9759b340d8fade9a0438bd98f529098a3e6c006da420ff70e341
Instruction ID: 30871b883a5d9f38214ebed38fb9ee139059a27816811538b49a6bfcc80a7d74
Opcode Fuzzy Hash: 6eea9aec912a9759b340d8fade9a0438bd98f529098a3e6c006da420ff70e341
Instruction Fuzzy Hash: 40F0313640521ADFCB10DF55EC88D97B7ACF720316B45443BE20952111D735B85EDE98

Function 0046489B Relevance: 5.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,00461EE9,?,0045D3B5), ref: 004648A8
InitializeCriticalSection.KERNEL32(?,00461EE9,?,0045D3B5), ref: 004648B0
InitializeCriticalSection.KERNEL32(?,00461EE9,?,0045D3B5), ref: 004648B8
InitializeCriticalSection.KERNEL32(?,00461EE9,?,0045D3B5), ref: 004648C0

Memory Dump Source

Source File: 00000000.00000002.2700257028.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2700233998.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700314827.000000000054B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700436778.000000000056E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700462363.0000000000570000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700487169.0000000000572000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700505914.000000000057B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000057F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.000000000058B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700525437.0000000000592000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2700596113.0000000000596000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalInitializeSection
String ID:
API String ID: 32694325-0
Opcode ID: 5f12d4544ca50ed756d2f1de1a65b11600caa226476e2f1af5ca3926978be80d
Instruction ID: 9f8e55b54403afaa3974ab61bc745f441abd61f0ad51473595f3e6de149f14d1
Opcode Fuzzy Hash: 5f12d4544ca50ed756d2f1de1a65b11600caa226476e2f1af5ca3926978be80d
Instruction Fuzzy Hash: A7C002328000349ACE636B75FD09C853F6AEB15260301017BA51C551348E211CD4FFD0

Analysis Process: csrss2.exePID: 1544, Parent PID: 6388COMMON

Execution Graph

Execution Coverage:	1.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.3%
Total number of Nodes:	557
Total number of Limit Nodes:	47

Executed Functions

Function 00427270 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 100
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0049380A: __EH_prolog.LIBCMT ref: 0049380F

FindFirstFileA.KERNELBASE(?,000000FF), ref: 004272EA

Part of subcall function 004935C1: InterlockedDecrement.KERNEL32(-000000F4), ref: 004935D5

FindNextFileA.KERNELBASE(00000000,000000FF), ref: 00427398
FindClose.KERNELBASE(00000000), ref: 004273A7

Part of subcall function 0049380A: lstrlenA.KERNEL32(00000000,00000000,?,?,0041EFDC,?,?,004BAC70,?,?,?,?,?,?,00000000,004DA240), ref: 00493836

Strings

\*.*, xrefs: 004272C7
., xrefs: 0042731E

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: Find$File$CloseDecrementFirstH_prologInterlockedNextlstrlen
String ID: .$\*.*
API String ID: 2178277139-3701014519
Opcode ID: 64b4b8e9199241888c95735858c5b752797a444a6edd9652ac210ae0c2be43c3
Instruction ID: 8036b0377c93d999fb473fe67dd0b3540fd724cdbe5983538224818820e9563e
Opcode Fuzzy Hash: 64b4b8e9199241888c95735858c5b752797a444a6edd9652ac210ae0c2be43c3
Instruction Fuzzy Hash: ED41A071108381AAC721EF65C855BEBBBE4ABC5728F004A1DF495432D1DBB89509C7A6

Function 00425BC0 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(?,?), ref: 00425BD0
FindClose.KERNEL32(00000000), ref: 00425BDC

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 71cba2a59a8f684087693ae095061b4c953350e1431a99d37c38f5dc98b2b0fc
Instruction ID: 0da459bf486d42d7192d78708c1891240b013e40e281aa1af22d91769ac510c8
Opcode Fuzzy Hash: 71cba2a59a8f684087693ae095061b4c953350e1431a99d37c38f5dc98b2b0fc
Instruction Fuzzy Hash: D9D0A7755001005BD3119B78ED08BBA3F5CA784310FC80B75F92DC52F0F67ED858A516

Function 00403953 Relevance: 2.9, Strings: 2, Instructions: 423COMMON

Download Yara Rule

Strings

g;J, xrefs: 00403BC6
g;J, xrefs: 00403BDA

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID:
String ID: g;J$g;J
API String ID: 0-1743829225
Opcode ID: 01fd762bea440f991928f5bc6fe0adc17cfb32b232b957a8f5d93b5b669ee01b
Instruction ID: 8f16863e56dfa6b4477993a145b2ea1f5b40dfb0422e97da74ad5240af915d6e
Opcode Fuzzy Hash: 01fd762bea440f991928f5bc6fe0adc17cfb32b232b957a8f5d93b5b669ee01b
Instruction Fuzzy Hash: 8EE15CF1A412469BFB00CF99DCC1B99BBA5EF54324F280475E906AF381D378B960DB52

Function 0040102A Relevance: 1.7, APIs: 1, Instructions: 219nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(00000000,0040103A,0000002C,?,?,?,?,00401012), ref: 00401162

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: b0de30a15207844d859e1ceb90459aaf6dc06da6405ad641bf762fe2b64ab593
Instruction ID: b83366f35ced9a9f0ef06b8e886ea6cf348bc42536754f30d2641a7d17a1c48d
Opcode Fuzzy Hash: b0de30a15207844d859e1ceb90459aaf6dc06da6405ad641bf762fe2b64ab593
Instruction Fuzzy Hash: 3A9148756042058FD709CF10C490BA6B7E5FF88300F0482BEE91A9F7A6EB35E949CB95

Function 0040297D Relevance: 1.4, Strings: 1, Instructions: 146COMMON

Download Yara Rule

Strings

SeDebugPrivilege, xrefs: 00402A8E

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID:
String ID: SeDebugPrivilege
API String ID: 0-2896544425
Opcode ID: ecd2a7a9d774634d20b4db324e773f1e6a620f69b71acc6e5ef90e8f938fc2bc
Instruction ID: 42ad6f569015e2bb939d893bf281edd7a90351c1495f4fe7e4e1c8b986bca75d
Opcode Fuzzy Hash: ecd2a7a9d774634d20b4db324e773f1e6a620f69b71acc6e5ef90e8f938fc2bc
Instruction Fuzzy Hash: CA51BFB0E40309ABDF10DF96DC82B9EB7B0AB08705F14446AF5147E3C2D6B96615CFA6

Function 004024A0 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ae4cef203ebc10c15a8aafe6d59316b355870558847f8b861b99101a45e0be7
Instruction ID: ca72665e39cbcf01cc0b7b4eae30b673411e2c5688dc7ea2a30eddc3f4b57c63
Opcode Fuzzy Hash: 5ae4cef203ebc10c15a8aafe6d59316b355870558847f8b861b99101a45e0be7
Instruction Fuzzy Hash: A8514970D01309BBDB10AF91DD57BAEBA74EB04705F10447AF6543A2C1D6BA0BA4CB9A

Function 00495283 Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 170
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0049CF75: TlsGetValue.KERNEL32(004F5934,?,00000000,0049C9FC,0049C2F1,0049CA18,004982E9,00499585,?,00000000,?,0049117D,00000000,00000000,00000000,00000000), ref: 0049CFB4

CallNextHookEx.USER32(?,00000003,?,?), ref: 004952AD
GetClassLongA.USER32(?,000000E6), ref: 004952F4
GlobalGetAtomNameA.KERNEL32(?,?,00000005,?,?,?,Function_0009C2F1), ref: 00495320
lstrcmpiA.KERNEL32(?,ime), ref: 0049532F
GetWindowLongA.USER32(?,000000FC), ref: 004953A2
SetWindowLongA.USER32(?,000000FC,00000000), ref: 004953C3

Strings

$YO, xrefs: 0049528E
AfxOldWndProc423, xrefs: 00495404, 00495409, 00495414, 0049541C, 00495425
ime, xrefs: 00495329

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: Long$Window$AtomCallClassGlobalHookNameNextValuelstrcmpi
String ID: $YO$AfxOldWndProc423$ime
API String ID: 3731301195-829207192
Opcode ID: 1c57dd5263a08e8abe94d1ede623f68be4b8421f8a9d5d15bda55bd4c0d0fd88
Instruction ID: 0ef7985b582a249a487894d1b43cc383631ffeb3dca20fb0826675cff6a654dd
Opcode Fuzzy Hash: 1c57dd5263a08e8abe94d1ede623f68be4b8421f8a9d5d15bda55bd4c0d0fd88
Instruction Fuzzy Hash: 1451BF71500A15AFCF229F65CD48B6F3FB8BF05365F204236F915A7290C7789980DB98

Function 004438A0 Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 370
commemorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 004438C9
OleInitialize.OLE32(00000000), ref: 00443905
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00443923
SetCurrentDirectoryA.KERNELBASE(02155AB8,?), ref: 0044397D
LoadCursorA.USER32(00000000,00007F00), ref: 004439D8
GetStockObject.GDI32(00000005), ref: 004439F9
GetCurrentThreadId.KERNEL32 ref: 00443A21

Strings

`uJ, xrefs: 00443DC8
_EL_HideOwner, xrefs: 00443A03
puJ, xrefs: 00443BE4
@;J, xrefs: 00443A36, 00443A48
d'J, xrefs: 00443AB0

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: Current$CursorDirectoryFileHeapInitializeLoadModuleNameObjectProcessStockThread
String ID: @;J$_EL_HideOwner$`uJ$d'J$puJ
API String ID: 3783217854-3570461103
Opcode ID: 66972985305ac5528c14b2bbeced615976f4abafbdf026a2e6a78867fdfcd397
Instruction ID: cc3429733cbe7c88da09b1661991b6bf32bca1e7c2846e655fe626bf6c2f5cf6
Opcode Fuzzy Hash: 66972985305ac5528c14b2bbeced615976f4abafbdf026a2e6a78867fdfcd397
Instruction Fuzzy Hash: 1EE1F170A002059BDB14DF59CD81FEEBBB4FF45708F14006EE905A7392DBB86A45CB99

Function 004950A8 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 004950AD
GetPropA.USER32(?,AfxOldWndProc423), ref: 004950C5
CallWindowProcA.USER32(?,?,00000110,?,00000000), ref: 00495123

Part of subcall function 00494C8F: GetWindowRect.USER32(?,?), ref: 00494CB4
Part of subcall function 00494C8F: GetWindow.USER32(?,00000004), ref: 00494CD1

SetWindowLongA.USER32(?,000000FC,?), ref: 00495153
RemovePropA.USER32(?,AfxOldWndProc423), ref: 0049515B
GlobalFindAtomA.KERNEL32(AfxOldWndProc423), ref: 00495162
GlobalDeleteAtom.KERNEL32(00000000), ref: 00495169

Part of subcall function 00494C6C: GetWindowRect.USER32(?,?), ref: 00494C78

CallWindowProcA.USER32(?,?,?,?,00000000), ref: 004951BD

Strings

AfxOldWndProc423, xrefs: 004950BB, 004950C3, 00495159, 00495161

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prologLongRemove
String ID: AfxOldWndProc423
API String ID: 2397448395-1060338832
Opcode ID: 3487d19992af2a09ca8ff36568464691ed101f39040ff7fd9f25908d6174e686
Instruction ID: e7a7e283b09b4fd0e2dd08ed79b702ca4f0425c0eeabf9001776d12b4439218c
Opcode Fuzzy Hash: 3487d19992af2a09ca8ff36568464691ed101f39040ff7fd9f25908d6174e686
Instruction Fuzzy Hash: C1316032C0010ABFCF12AFA9DD4AEBF7E78FF46311F10412AF901A2151D7794A119B69

Function 0041E560 Relevance: 15.3, APIs: 10, Instructions: 287
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(00000000,004CA0A4), ref: 0041E5C7
LoadLibraryA.KERNEL32(?,?,004DA410), ref: 0041E6B9
LoadLibraryA.KERNELBASE(?,?), ref: 0041E6FF
LoadLibraryA.KERNELBASE(?,?,004DA318,00000001), ref: 0041E747
LoadLibraryA.KERNEL32(00000001), ref: 0041E75D
GetProcAddress.KERNEL32(00000000,?), ref: 0041E76F
FreeLibrary.KERNEL32(00000000), ref: 0041E802

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: Library$Load$AddressProc$Free
String ID:
API String ID: 3120990465-0
Opcode ID: 15eb221890c57bc080a92a3e14d4f6e674ae98567117fd24cf76f71215b92304
Instruction ID: bd12899291bab486287edffc3b7453388bc3727ea026067b9d01d83fe6e97f40
Opcode Fuzzy Hash: 15eb221890c57bc080a92a3e14d4f6e674ae98567117fd24cf76f71215b92304
Instruction Fuzzy Hash: F3A1C5B5600301ABD714EF66C881B9BF7A8BF99714F044A2EFC1587341D738E945CBAA

Function 0049CC0E Relevance: 15.1, APIs: 10, Instructions: 99
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(004F5950,004F5924,00000000,?,004F5934,004F5934,0049CFA9,?,00000000,0049C9FC,0049C2F1,0049CA18,004982E9,00499585,?,00000000), ref: 0049CC1D
GlobalAlloc.KERNELBASE(00002002,00000000,?,?,004F5934,004F5934,0049CFA9,?,00000000,0049C9FC,0049C2F1,0049CA18,004982E9,00499585,?,00000000), ref: 0049CC72
GlobalHandle.KERNEL32(005726D0), ref: 0049CC7B
GlobalUnlock.KERNEL32(00000000), ref: 0049CC84
GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 0049CC96
GlobalHandle.KERNEL32(005726D0), ref: 0049CCAD
GlobalLock.KERNEL32(00000000), ref: 0049CCB4
LeaveCriticalSection.KERNEL32(004827A5,?,?,004F5934,004F5934,0049CFA9,?,00000000,0049C9FC,0049C2F1,0049CA18,004982E9,00499585,?,00000000), ref: 0049CCBA
GlobalLock.KERNEL32(00000000), ref: 0049CCC9
LeaveCriticalSection.KERNEL32(?), ref: 0049CD12

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID:
API String ID: 2667261700-0
Opcode ID: de6de187401da04899c430119141eaf7502d1b245029fab46751cf9974a5b850
Instruction ID: 980336bcb0c95c1f80a1f3462de612242df6d9b48ab30cf31455ff369881f06b
Opcode Fuzzy Hash: de6de187401da04899c430119141eaf7502d1b245029fab46751cf9974a5b850
Instruction Fuzzy Hash: 3F31AF71200705AFDB249F28DD89A2ABFE9FB45305B004A3EF956C3661E7B5E9058B14

Function 00499522 Relevance: 9.0, APIs: 6, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(0000000B), ref: 0049952F
GetSystemMetrics.USER32(0000000C), ref: 00499536
GetDC.USER32(00000000), ref: 0049954F
GetDeviceCaps.GDI32(00000000,00000058), ref: 00499560
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00499568
ReleaseDC.USER32(00000000,00000000), ref: 00499570

Part of subcall function 0049DA95: GetSystemMetrics.USER32(00000002), ref: 0049DAA7
Part of subcall function 0049DA95: GetSystemMetrics.USER32(00000003), ref: 0049DAB1

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$CallbackDispatcherReleaseUser
String ID:
API String ID: 1031845853-0
Opcode ID: 81072f149da787c350e800c9a0e176dcf7666b1f0f4e0d88c95ead38160eed81
Instruction ID: b5cab80b30af7880081ece306699154a8f5006c59c9fd5db8759168e078542b8
Opcode Fuzzy Hash: 81072f149da787c350e800c9a0e176dcf7666b1f0f4e0d88c95ead38160eed81
Instruction Fuzzy Hash: CDF0B471540700ABE6206B768C4AF277FB4EB85751F01443EF60146290DAB49C01DF65

Function 004982F9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 0049830C
SetWindowsHookExA.USER32(000000FF,0049864E,00000000,00000000), ref: 0049831C

Part of subcall function 0049D00A: __EH_prolog.LIBCMT ref: 0049D00F

Strings

YO, xrefs: 0049834C
YO, xrefs: 00498327

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: CurrentH_prologHookThreadWindows
String ID: YO$YO
API String ID: 2183259885-3531760179
Opcode ID: 59a817a0f507ffd7a41029a1a5902a791b8bc84e5960e18316853b0efabd1426
Instruction ID: 0e19cd52427adb6a4b1a05c5dc24281a496e83d07e112325682956f9510cdca4
Opcode Fuzzy Hash: 59a817a0f507ffd7a41029a1a5902a791b8bc84e5960e18316853b0efabd1426
Instruction Fuzzy Hash: D9F0A772900600AFDF242BB49D0EB1A3E50AB02B24F04067FF2425A1E1CF6C8C41C75D

Function 0049DA75 Relevance: 6.1, APIs: 4, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(?,?,?,0049DA70), ref: 0049DAEC
GetProcessVersion.KERNELBASE(00000000,?,?,?,0049DA70), ref: 0049DB29
LoadCursorA.USER32(00000000,00007F02), ref: 0049DB57
LoadCursorA.USER32(00000000,00007F00), ref: 0049DB62

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: CursorLoadVersion$Process
String ID:
API String ID: 2246821583-0
Opcode ID: 9d34db93605226ba28479783b4303b71e6f58fb62404b90ae1bd517678a2edf6
Instruction ID: 624f365b8fd67f949674c0a2b2ccd97c5bf34164140ae83448841cd101b94e6b
Opcode Fuzzy Hash: 9d34db93605226ba28479783b4303b71e6f58fb62404b90ae1bd517678a2edf6
Instruction Fuzzy Hash: 74116AB1A04B109FDB289F3E888462ABBE5FB587047114D3FE18BC6B80D7B8E441CB54

Function 00495479 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0049CF75: TlsGetValue.KERNEL32(004F5934,?,00000000,0049C9FC,0049C2F1,0049CA18,004982E9,00499585,?,00000000,?,0049117D,00000000,00000000,00000000,00000000), ref: 0049CFB4

GetCurrentThreadId.KERNEL32 ref: 0049549B
SetWindowsHookExA.USER32(00000005,00495283,00000000,00000000), ref: 004954AB

Strings

$YO, xrefs: 00495480

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: CurrentHookThreadValueWindows
String ID: $YO
API String ID: 933525246-1293913394
Opcode ID: b50bf0a1ce91f620609c65ed919ef193c0ce6008d0dc3d63e4aa9356963666e1
Instruction ID: cd6b6e9615420b79076cd2bf83677cb37d5a7c86833ce12d19c714d5e5fe4794
Opcode Fuzzy Hash: b50bf0a1ce91f620609c65ed919ef193c0ce6008d0dc3d63e4aa9356963666e1
Instruction Fuzzy Hash: E3E0E531600F009EDA705F65AC04B177EE4DB80716F20027FF20981180D77858408B3D

Function 00494DDF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00494DE4

Part of subcall function 0049CF75: TlsGetValue.KERNEL32(004F5934,?,00000000,0049C9FC,0049C2F1,0049CA18,004982E9,00499585,?,00000000,?,0049117D,00000000,00000000,00000000,00000000), ref: 0049CFB4

Strings

$YO, xrefs: 00494DEF

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: H_prologValue
String ID: $YO
API String ID: 3700342317-1293913394
Opcode ID: fd0fc4ef6428f9dc404dcb6bf835cfbac86ee139741ed9cbc3bf4bd18811e0b7
Instruction ID: b47b6967a0da3fab0a5e5fb586d27de81d0287a27827a12500a8787886050ab9
Opcode Fuzzy Hash: fd0fc4ef6428f9dc404dcb6bf835cfbac86ee139741ed9cbc3bf4bd18811e0b7
Instruction Fuzzy Hash: A2211572A00209AFDF15DF54C481EEE7BA9FB84358F00806AF915AB241D779AE45CB94

Function 004273F0 Relevance: 3.1, APIs: 2, Instructions: 65
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00427270: FindFirstFileA.KERNELBASE(?,000000FF), ref: 004272EA
Part of subcall function 00427270: FindNextFileA.KERNELBASE(00000000,000000FF), ref: 00427398
Part of subcall function 00427270: FindClose.KERNELBASE(00000000), ref: 004273A7

DeleteFileA.KERNELBASE(?,?,?,?,?), ref: 00427484

Part of subcall function 004273F0: RemoveDirectoryA.KERNELBASE(00000000,?,?,?), ref: 00427478

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: FileFind$CloseDeleteDirectoryFirstNextRemove
String ID:
API String ID: 196174304-0
Opcode ID: f7b7f80042e2b2c0f7ea75d44cd098dbef3308cc7f11bca9382c24756f8099a8
Instruction ID: 5ebb4780e19f728c8113e92e8af8900d8d8e26c802167fa355245858f3a8adad
Opcode Fuzzy Hash: f7b7f80042e2b2c0f7ea75d44cd098dbef3308cc7f11bca9382c24756f8099a8
Instruction Fuzzy Hash: 1D219272208251AFC710EF99D981E4BBBE4EB88714F40492EF89683351D778D845CBA7

Function 0046B530 Relevance: 3.0, APIs: 2, Instructions: 41
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,?,00000000,00000000,?), ref: 0046B55C
CloseHandle.KERNEL32(00000000,?,00000000,00000000,?), ref: 0046B584

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: CloseCreateHandleThread
String ID:
API String ID: 3032276028-0
Opcode ID: 9ef402e0ce2f695447dfc30a69c6048856071ae87b0c02ac4a4a7ef8613e183b
Instruction ID: da980e464dc69a9cfae3febe2065c1b7622b270efc39f4890e4ae6222071d290
Opcode Fuzzy Hash: 9ef402e0ce2f695447dfc30a69c6048856071ae87b0c02ac4a4a7ef8613e183b
Instruction Fuzzy Hash: EFF01D71705311ABD724CF29D840BABB3A9EFC5715F10481EF546C7280D774E8458795

Function 0049D7CC Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00000000,00000000,004995A4,00000000,00000000,00000000,00000000,?,00000000,?,0049117D,00000000,00000000,00000000,00000000,004827A5), ref: 0049D7D5
SetErrorMode.KERNELBASE(00000000,?,00000000,?,0049117D,00000000,00000000,00000000,00000000,004827A5,00000000), ref: 0049D7DC

Part of subcall function 0049D82F: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 0049D860
Part of subcall function 0049D82F: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0049D901
Part of subcall function 0049D82F: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 0049D92E

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: ErrorMode$FileModuleNamelstrcatlstrcpy
String ID:
API String ID: 3389432936-0
Opcode ID: 115bbce4a160d7239dc3935cf7bfc31af98f64c2272ff9f828ccc4b1d668c22c
Instruction ID: e171e35785427f85b0f5b0a9fd7bbda1b45adc07b7090449e080cdd79831acc0
Opcode Fuzzy Hash: 115bbce4a160d7239dc3935cf7bfc31af98f64c2272ff9f828ccc4b1d668c22c
Instruction Fuzzy Hash: 4EF037B59042108FDB14FF25D445B1A7FA4AF48710F0584AFB4549B3A3CB78D840CB9A

Function 0048795B Relevance: 3.0, APIs: 2, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,00482723,00000001), ref: 0048796C

Part of subcall function 00487813: GetVersionExA.KERNEL32 ref: 00487832

HeapDestroy.KERNEL32 ref: 004879AB

Part of subcall function 0048B265: HeapAlloc.KERNEL32(00000000,00000140,00487994,000003F8), ref: 0048B272

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: Heap$AllocCreateDestroyVersion
String ID:
API String ID: 2507506473-0
Opcode ID: 8bb6c981b73fd0df7cfb5cc72c40e4ac9c7fdcdb123b7effe4ed07acd25c5856
Instruction ID: e6c41c72256b27f29c7182fdee955b8e1228c4326f55af088b11d7afe26bc4b7
Opcode Fuzzy Hash: 8bb6c981b73fd0df7cfb5cc72c40e4ac9c7fdcdb123b7effe4ed07acd25c5856
Instruction Fuzzy Hash: B2F030B194C20259FF2077355D5577E3A94DB80745F204C77F400C41A1EB68C881E729

Function 00495843 Relevance: 3.0, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 0049586A
CallWindowProcA.USER32(?,?,?,?,?), ref: 0049587F

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: ProcWindow$Call
String ID:
API String ID: 2316559721-0
Opcode ID: 80053dc2a5373cb8cee8d8b06f5c3cf492d6379a788cdd7ebdb8e0541c7877a0
Instruction ID: 2eb01a6373b07559f13368e9584f8e20f580ee845591d5b8d5ae247be6d738d5
Opcode Fuzzy Hash: 80053dc2a5373cb8cee8d8b06f5c3cf492d6379a788cdd7ebdb8e0541c7877a0
Instruction Fuzzy Hash: 18F0F236500608FFCF229F99DC08D9A7FB9FF09390B148429FA4686520D732D820AB44

Function 00483FB5 Relevance: 1.6, APIs: 1, Instructions: 80memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,?,00000000,00000000,00000000), ref: 0048409C

Part of subcall function 0048A024: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,00484EEC,00000009,00000000,00000000,00000001,004877A4,00000001,00000074,?,?,00000000,00000001), ref: 0048A061
Part of subcall function 0048A024: EnterCriticalSection.KERNEL32(?,?,?,00484EEC,00000009,00000000,00000000,00000001,004877A4,00000001,00000074,?,?,00000000,00000001), ref: 0048A07C

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: CriticalSection$AllocateEnterHeapInitialize
String ID:
API String ID: 1616793339-0
Opcode ID: 54b84166e5d564cf27637c259f1278d827bb7c35ceff65d714631c7efa04d056
Instruction ID: 07a2765fc855a9e509391bff4c205e4eeac4bc535655e9a6aacdafec722566e6
Opcode Fuzzy Hash: 54b84166e5d564cf27637c259f1278d827bb7c35ceff65d714631c7efa04d056
Instruction Fuzzy Hash: 4621E731900206ABDB20FF69DD42B9F77A4EB42764F144A2BF610EB2C0D37D9841975D

Function 00495507 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(00000000,00000080,00443A21,?,?,?,?,?,?,?,?,?), ref: 004955A5

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 2479283861b7e0d666fd1cbe135689e849e5e113767cb32c7fbfe08952541a7d
Instruction ID: f0d0120e79e73770b64e4a80fae59f1b91a85067e854f7e15617262a8e33eda6
Opcode Fuzzy Hash: 2479283861b7e0d666fd1cbe135689e849e5e113767cb32c7fbfe08952541a7d
Instruction Fuzzy Hash: 8C319D79A00219AFCF41DFA8C944ADEBBF1BF4C310B11846AF918E7210E7359A519F94

Function 00495057 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4056f76fea1392ca2c04b4694c82613e1315a399d60d3c5e69d33d064b8b5f64
Instruction ID: dcf6433aa65929d46d7788a2158c0ff286549e6a31ae4fdd65bd2cf45765edba
Opcode Fuzzy Hash: 4056f76fea1392ca2c04b4694c82613e1315a399d60d3c5e69d33d064b8b5f64
Instruction Fuzzy Hash: 7DF01C37041A19BBCF235F919D04DDF3F29AF04360F108426FA1555510D77A9561EBE9

Function 004274C0 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

RemoveDirectoryA.KERNELBASE(?), ref: 004274F9

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: DirectoryRemove
String ID:
API String ID: 597925465-0
Opcode ID: 819904816ab548d90b081e37abdb27ce1c1f3a0b2c54350e91e7eedb67f11842
Instruction ID: df60b55cd1cdea8576c77bf921cf302a1c31efc7583f5bcf8f0cf8f150d5bd1e
Opcode Fuzzy Hash: 819904816ab548d90b081e37abdb27ce1c1f3a0b2c54350e91e7eedb67f11842
Instruction Fuzzy Hash: 28F0A04160CAB129EF336E2474003EBAF820F0B314F88448FD4D502A42E25D5CC3D34E

Function 0040F9D0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNELBASE(?,?), ref: 0040F9DE

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 1f1264a5d95f29fadf04d547bdc26e5ebe2161f3a0de4c9ecb7a476687b27766
Instruction ID: de09ed452d8a10dc4996c20b2e5018f6ba2699cb403b82b46f91a806ccb1a803
Opcode Fuzzy Hash: 1f1264a5d95f29fadf04d547bdc26e5ebe2161f3a0de4c9ecb7a476687b27766
Instruction Fuzzy Hash: 5DC0CAB5200200AF8300CB28C884A16B7E8FB89305B108898F859CB250CA32A802EA00

Non-executed Functions

Function 0043A3A0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 88clipboardmemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000042,?), ref: 0043A417
GlobalLock.KERNEL32(00000000), ref: 0043A433
GlobalUnlock.KERNEL32(00000000), ref: 0043A455
OpenClipboard.USER32(00000000), ref: 0043A45D
GlobalFree.KERNEL32(00000000), ref: 0043A469
EmptyClipboard.USER32 ref: 0043A471
SetClipboardData.USER32(0000C1CB,00000000), ref: 0043A483
CloseClipboard.USER32 ref: 0043A489

Strings

0kJ, xrefs: 0043A49B

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: ClipboardGlobal$AllocCloseDataEmptyFreeLockOpenUnlock
String ID: 0kJ
API String ID: 453615576-3408537184
Opcode ID: 1a6ae6e1aed71f54883849e5f7d2502802d1f3421e52dd43efe0443b044d6175
Instruction ID: 1fa607483231440fcbb624a741b02f4a1a4bbb9938153bef3f6799ae3870a233
Opcode Fuzzy Hash: 1a6ae6e1aed71f54883849e5f7d2502802d1f3421e52dd43efe0443b044d6175
Instruction Fuzzy Hash: 5731B671204311AFC314EB69DD49B6BBBE8FB89714F00462DB99693290DBB8D805C766

Function 00494017 Relevance: 12.1, APIs: 8, Instructions: 72stringfileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0049401C
GetFullPathNameA.KERNEL32(?,00000104,?,?,?,?), ref: 0049403A
lstrcpynA.KERNEL32(?,?,00000104), ref: 00494049
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0049407D
CharUpperA.USER32(?), ref: 0049408E
FindFirstFileA.KERNEL32(?,?), ref: 004940A4
FindClose.KERNEL32(00000000), ref: 004940B0
lstrcpyA.KERNEL32(?,?), ref: 004940C0

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: Find$CharCloseFileFirstFullH_prologInformationNamePathUpperVolumelstrcpylstrcpyn
String ID:
API String ID: 304730633-0
Opcode ID: 43d07ebba896ddecd094f062cede0d867290c6c1b1ef0ac9e93f9bc63b950f89
Instruction ID: 353c8f3fbcaa0207b7b727d48fef554a3ebaceecde8e17b7b952152123c9d55b
Opcode Fuzzy Hash: 43d07ebba896ddecd094f062cede0d867290c6c1b1ef0ac9e93f9bc63b950f89
Instruction Fuzzy Hash: 7B218C72901119ABCF209F65CC48EEF7FBCEF46764F008626FA19E2160C3748A45DBA4

Function 0041E080 Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 293windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0041E10F
GetWindowRect.USER32(?,?), ref: 0041E166
GetParent.USER32(?), ref: 0041E176
GetParent.USER32(?), ref: 0041E1A9
GlobalSize.KERNEL32(00000000), ref: 0041E1F3
GlobalLock.KERNEL32(00000000), ref: 0041E1FB
IsWindow.USER32(?), ref: 0041E214
GetTopWindow.USER32(?), ref: 0041E251
GetWindow.USER32(00000000,00000002), ref: 0041E26A
SetParent.USER32(?,?), ref: 0041E296
SendMessageA.USER32(?,0000806F,00000000,00000000), ref: 0041E2E1
SendMessageA.USER32(?,00008076,00000000,00000000), ref: 0041E2F0
GetParent.USER32(?), ref: 0041E303
SendMessageA.USER32(?,00008004,00000000,00000000), ref: 0041E31C
GetWindowLongA.USER32(?,000000F0), ref: 0041E324
SendMessageA.USER32(?,0000130B,00000000,00000000), ref: 0041E354
SendMessageA.USER32(?,0000130C,00000000,00000000), ref: 0041E362
IsWindow.USER32(?), ref: 0041E3AE
GetFocus.USER32 ref: 0041E3B8
SetFocus.USER32(?,00000000), ref: 0041E3D0
GlobalUnlock.KERNEL32(00000000), ref: 0041E3DB
GlobalFree.KERNEL32(00000000), ref: 0041E3E2

Strings

H[J, xrefs: 0041E2AB

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: Window$MessageSend$GlobalParent$Focus$FreeLockLongRectSizeUnlock
String ID: H[J
API String ID: 300820980-1317939579
Opcode ID: fa92ada336d3eae5b6837802b37e2b3c42584eee02334bcd28cd9abf0278cb7f
Instruction ID: 39b8e44ec2a17ba6ff8cf4a4e66a51912655e3e67650b8695d55032c3bb28bb2
Opcode Fuzzy Hash: fa92ada336d3eae5b6837802b37e2b3c42584eee02334bcd28cd9abf0278cb7f
Instruction Fuzzy Hash: EFA18DB5604300AFD724DF6ACD84F6BBBE8BB88700F104A1DF95187391DBB8E8458B59

Function 00414140 Relevance: 24.9, APIs: 9, Strings: 5, Instructions: 397COMMON

Download Yara Rule

APIs

Part of subcall function 0049A0A7: __EH_prolog.LIBCMT ref: 0049A0AC
Part of subcall function 0049A0A7: BeginPaint.USER32(?,?,?,?,00413C29), ref: 0049A0D5

Part of subcall function 00499C58: GetClipBox.GDI32(?,?), ref: 00499C5F

IsRectEmpty.USER32(?), ref: 00414186
GetClientRect.USER32(?,?), ref: 0041419E
InflateRect.USER32(00000001,?,?), ref: 00414254
IntersectRect.USER32(?,?,?), ref: 004142AF
FillRect.USER32(?,?,00000000), ref: 004142EF
GetCurrentObject.GDI32(?,00000006), ref: 004144C3
OffsetRect.USER32(?,00000001,00000001), ref: 004145A1
OffsetRect.USER32(?,00000002,00000002), ref: 00414635
OffsetRect.USER32(?,00000001,00000001), ref: 004145E8

Part of subcall function 004999CF: SetTextColor.GDI32(?,?), ref: 004999E9
Part of subcall function 004999CF: SetTextColor.GDI32(?,?), ref: 004999F7

Strings

X[J, xrefs: 004144E4, 004144E9
H[J, xrefs: 00414265
H[J, xrefs: 0041443C
x[J, xrefs: 00414431
d[J, xrefs: 004142FD

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: Rect$Offset$ColorText$BeginClientClipCurrentEmptyFillH_prologInflateIntersectObjectPaint
String ID: H[J$H[J$X[J$d[J$x[J
API String ID: 397966577-2929124178
Opcode ID: d14bc4ce108b75d7331af7a52448e1862d9321240d7899ed548ea1d6bf35b608
Instruction ID: bece4f45e98f6f65ed3970cd416de86f77d6da769730fc69c29f04c8d61efc71
Opcode Fuzzy Hash: d14bc4ce108b75d7331af7a52448e1862d9321240d7899ed548ea1d6bf35b608
Instruction Fuzzy Hash: 80F18A702083409FD324DB65C985FABB7E9BFC9704F00491EF59A87280D7B8E985CB66

Function 004821B1 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 68libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(USER32,?,?,?,004822EA), ref: 004821D3
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 004821EB
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 004821FC
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 0048220D
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 0048221E
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 0048222F
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00482240

Strings

USER32, xrefs: 004821CE
MonitorFromRect, xrefs: 00482207
EnumDisplayMonitors, xrefs: 00482229
MonitorFromWindow, xrefs: 004821F6
GetMonitorInfoA, xrefs: 0048223A
GetSystemMetrics, xrefs: 004821E5
MonitorFromPoint, xrefs: 00482218

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-2376520503
Opcode ID: cc85dc6669de831f5db9761a3fd33237a4c69dc8f18462c01cdf8e096ccf8939
Instruction ID: 2ffd5ff1b1a01187642e20700869b43d7a38a04d64fcc8819bbd5607944a9a2b
Opcode Fuzzy Hash: cc85dc6669de831f5db9761a3fd33237a4c69dc8f18462c01cdf8e096ccf8939
Instruction Fuzzy Hash: BB113DB0A01A16DA8701AF39AEC4E3EBAE4B68D7603658C7FD204D2250D7F85462DF5C

Function 004441B0 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 331threadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0044431B
CreateSemaphoreA.KERNEL32(00000000,00000014,00000014,00000000), ref: 00444330
InitializeCriticalSection.KERNEL32(?), ref: 0044435B
CreateThread.KERNEL32(00000000,00000000,00444590,?,00000004,?), ref: 00444390
EnterCriticalSection.KERNEL32(004DAD00), ref: 004443A2
LeaveCriticalSection.KERNEL32(004DAD00,-000000FC,00000000,00000000), ref: 00444555
ResumeThread.KERNEL32(?), ref: 00444563
ReleaseSemaphore.KERNEL32(?,00000014,00000000), ref: 00444575

Strings

fmt , xrefs: 00444234
RIFF, xrefs: 004441C4, 004441D8
data, xrefs: 00444255
WAVE, xrefs: 004441F1, 00444208

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: CreateCriticalSection$SemaphoreThread$EnterEventInitializeLeaveReleaseResume
String ID: RIFF$WAVE$data$fmt
API String ID: 1802393137-4212202414
Opcode ID: 331986374113c9db0557d220ad4acb5b571815a9431e824cabb5cf178681c2fb
Instruction ID: eb820a2e75a4996b1abb2aa341f0d044c08b40d62b21885e007427697d2c0af4
Opcode Fuzzy Hash: 331986374113c9db0557d220ad4acb5b571815a9431e824cabb5cf178681c2fb
Instruction Fuzzy Hash: 7AB1D1756003005BEB14DF24DC41B2BB7E6FBC8709F144A2EFA4597791E6B8ED018B9A

Function 0042C020 Relevance: 19.7, APIs: 9, Strings: 2, Instructions: 405COMMON

Download Yara Rule

APIs

InflateRect.USER32(?,?,?), ref: 0042C0C6

Part of subcall function 0042BDF0: SetRect.USER32(?,00000000,00000032,00000032,?), ref: 0042BED9
Part of subcall function 0042BDF0: OffsetRect.USER32(?,?,?), ref: 0042BEE6
Part of subcall function 0042BDF0: IntersectRect.USER32(?,?,?), ref: 0042BF02
Part of subcall function 0042BDF0: IsRectEmpty.USER32(?), ref: 0042BF0D

InflateRect.USER32(?,?,?), ref: 0042C139
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 0042C33D
GetClipRgn.GDI32(?,00000000), ref: 0042C34C
CreatePolygonRgn.GDI32 ref: 0042C3CA
SelectClipRgn.GDI32(?,?), ref: 0042C4AD
CreatePolygonRgn.GDI32(?,00000005,00000002), ref: 0042C4D0
SelectClipRgn.GDI32(?,?), ref: 0042C551
DeleteObject.GDI32(?), ref: 0042C567

Strings

gfff, xrefs: 0042C22D
fJ, xrefs: 0042C43A

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: Rect$ClipCreate$InflatePolygonSelect$DeleteEmptyIntersectObjectOffset
String ID: gfff$fJ
API String ID: 1105800552-447356860
Opcode ID: b9f58171d507b82872df2583b0a7800d81f85e82559adf0f40af58a6ea9dcff2
Instruction ID: dc4b211f174813cc6d431f69a847c508d58ffecc26be931b09aaec0a00e5c46f
Opcode Fuzzy Hash: b9f58171d507b82872df2583b0a7800d81f85e82559adf0f40af58a6ea9dcff2
Instruction Fuzzy Hash: AEF125B06083419FD324CF59D980B6BBBE5BBC9704F508A2EF98987391DB74E805CB56

Function 004943BB Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 172COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004943C0
GetSystemMetrics.USER32(0000002A), ref: 00494471
GlobalLock.KERNEL32(?), ref: 004944FB
CreateDialogIndirectParamA.USER32(?,?,?,Function_00094203,00000000), ref: 0049452D

Strings

MS Shell Dlg, xrefs: 0049447F
Helv, xrefs: 004944A5
MS Sans Serif, xrefs: 00494492

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: CreateDialogGlobalH_prologIndirectLockMetricsParamSystem
String ID: Helv$MS Sans Serif$MS Shell Dlg
API String ID: 2364537584-2894235370
Opcode ID: 8e7a1d75436dd1451b56d77fe3f2740b896d4ccfff63ee10eea926ca60570e81
Instruction ID: 3554d9b753696a6349b7eda43d8995375cf60c7f65cec24e19f56d72d73e9860
Opcode Fuzzy Hash: 8e7a1d75436dd1451b56d77fe3f2740b896d4ccfff63ee10eea926ca60570e81
Instruction Fuzzy Hash: E4617E7190020AEFCF11EFA5D985AAEBFB1BF44319F10453FE505A2291D7788E42CB59

Function 00428040 Relevance: 15.2, APIs: 10, Instructions: 179COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0042805D
GetWindowRect.USER32(?,?), ref: 0042806C
IntersectRect.USER32(?,?,?), ref: 004280C5
EqualRect.USER32(?,?), ref: 004280F5
GetWindowRect.USER32(?,?), ref: 00428113
OffsetRect.USER32(?,?,?), ref: 0042818A
OffsetRect.USER32(?,?,00000000), ref: 004281A4
OffsetRect.USER32(?,?,00000000), ref: 004281BC
OffsetRect.USER32(?,00000000,?), ref: 004281D6
OffsetRect.USER32(?,00000000,?), ref: 004281EE

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: Rect$Offset$Window$EqualIntersect
String ID:
API String ID: 2638238157-0
Opcode ID: 5872130884061722fee572e52a0e6d7c06a53095d68a86626b3f578f11eab2cc
Instruction ID: 379c4d72628840687cd1a79efd1f1207c5f8dfbbc3ac218135c9d376611abccd
Opcode Fuzzy Hash: 5872130884061722fee572e52a0e6d7c06a53095d68a86626b3f578f11eab2cc
Instruction Fuzzy Hash: A3510B71609316AFC708CF28D98496FBBE9ABC8744F404A2EF985D3354DA74ED05CB62

Function 00410260 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 265memoryCOMMON

Download Yara Rule

APIs

SafeArrayCreate.OLEAUT32 ref: 0041036C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00410391
SafeArrayDestroy.OLEAUT32(00000000), ref: 0041039C
VariantCopyInd.OLEAUT32(?,?), ref: 004103F5
SysAllocString.OLEAUT32(00000000), ref: 00410558
SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00410591

Strings

CJ, xrefs: 00410583

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: ArraySafe$Data$AccessAllocCopyCreateDestroyStringUnaccessVariant
String ID: CJ
API String ID: 3584657539-2320575418
Opcode ID: b7e440aaed31aabb241b88ebc9faa8618c8c99c3b32d198e91bac8ca6a4fde3d
Instruction ID: 416e0e6a20873dadabc8f8e09b39a28bbedee44dedaabd50ad72e48dffac3fcb
Opcode Fuzzy Hash: b7e440aaed31aabb241b88ebc9faa8618c8c99c3b32d198e91bac8ca6a4fde3d
Instruction Fuzzy Hash: 8B91B9722082019FD714CF19C9C47AEB3E2EB98300F50082FEA9287351E6BDDCC18B5A

Function 00418260 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 161windowCOMMON

Download Yara Rule

APIs

IsRectEmpty.USER32(?), ref: 00418282
CreateRectRgn.GDI32 ref: 00418304
GetClientRect.USER32(?,?), ref: 0041832D
FillRgn.GDI32(?,?,?), ref: 004183AB
PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 00418421

Strings

d[J, xrefs: 0041843F
d[J, xrefs: 00418367

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: Rect$ClientCreateEmptyFill
String ID: d[J$d[J
API String ID: 97219908-962033872
Opcode ID: f0ff0affe2ac1a0df323ab508dd87eef4b83f396706740158613ba489b135eeb
Instruction ID: 35ffc8e28d65823c21db044075805e5ca69a5ef081432d9deeedb905dfa8ad70
Opcode Fuzzy Hash: f0ff0affe2ac1a0df323ab508dd87eef4b83f396706740158613ba489b135eeb
Instruction Fuzzy Hash: F3517BB1204702AFD714DF65C985EABB7E8BF88704F04891EF956C3240DB78E905CBA6

Function 004401B0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000147,00000000,00000000), ref: 004401DC

Part of subcall function 00493336: InterlockedIncrement.KERNEL32(?), ref: 0049334B

OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 0044020D
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000), ref: 00440255
DocumentPropertiesA.WINSPOOL.DRV(?,?,?,00000000,00000000,0000000E), ref: 004402EB
ClosePrinter.WINSPOOL.DRV(?,?,?,?,00000000,00000000,0000000E), ref: 00440320

Part of subcall function 004935C1: InterlockedDecrement.KERNEL32(-000000F4), ref: 004935D5

Strings

LtJ, xrefs: 0044032E

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: DocumentInterlockedProperties$CloseDecrementIncrementMessageOpenPrinterPrinter.Send
String ID: LtJ
API String ID: 1978028495-1536932298
Opcode ID: 215b8b831f08f237cb1de9eee6eefa604813b018bc2a32597b0102165d5bf104
Instruction ID: ed8e4868c1f07c02dbae18814a9ee3252970b27e9ee2df79b77b60bb1c2e85f2
Opcode Fuzzy Hash: 215b8b831f08f237cb1de9eee6eefa604813b018bc2a32597b0102165d5bf104
Instruction Fuzzy Hash: 48412374104301ABDB24EF25C881EEF7BA9EF88724F004A0EF84987281D7789945C7AA

Function 0042A1E0 Relevance: 12.4, APIs: 8, Instructions: 368windowCOMMON

Download Yara Rule

APIs

CreatePopupMenu.USER32 ref: 0042A35E
AppendMenuA.USER32(?,?,00000000,?), ref: 0042A4C1
AppendMenuA.USER32(?,00000000,00000000,?), ref: 0042A4F9
ModifyMenuA.USER32(?,00000000,00000000,00000000,00000000), ref: 0042A517
AppendMenuA.USER32(?,?,00000000,?), ref: 0042A575
ModifyMenuA.USER32(?,?,?,?,?), ref: 0042A59A
AppendMenuA.USER32(?,?,?,?), ref: 0042A5E2
ModifyMenuA.USER32(?,?,?,?,?), ref: 0042A607

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: Menu$Append$Modify$CreatePopup
String ID:
API String ID: 3846898120-0
Opcode ID: f19aa213f171937c8b48c8b1bb5daeb77a0ead1594c0f72b60a434dddfaeb140
Instruction ID: 870211d622837dba77e585636181b6f97bcefb294854f959307c32abc02c6b0c
Opcode Fuzzy Hash: f19aa213f171937c8b48c8b1bb5daeb77a0ead1594c0f72b60a434dddfaeb140
Instruction Fuzzy Hash: C6D1A8716043249BC714EF19D884A2BBBE4FF8A714F48492EFC8583341D778ED618B9A

Function 0049045D Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 241fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000001,80000000,?,0000000C,00000001,00000080,00000000,?,?,00000000), ref: 00490610
GetLastError.KERNEL32 ref: 0049061C
GetFileType.KERNEL32(00000000), ref: 00490631
CloseHandle.KERNEL32(00000000), ref: 0049063C

Strings

@, xrefs: 00490649
H, xrefs: 00490683

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: File$CloseCreateErrorHandleLastType
String ID: @$H
API String ID: 1809617866-104103126
Opcode ID: 288074e804f2b286a1894e78047b2263789a81026825965792de2d1b87f62b83
Instruction ID: a146a790a4c356fd3c5cb3d5812f34bea7742830798f442cc04fe8a3b10d82c1
Opcode Fuzzy Hash: 288074e804f2b286a1894e78047b2263789a81026825965792de2d1b87f62b83
Instruction Fuzzy Hash: D8811871804209AEEF20DBA888447AF7F60AF01334F15467BE951AA2D1D7BC8D45CB5E

Function 0048234A Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 61stringCOMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00482388
GetSystemMetrics.USER32(00000000), ref: 004823A0
GetSystemMetrics.USER32(00000001), ref: 004823A7
lstrcpyA.KERNEL32(?,DISPLAY), ref: 004823CB

Strings

B, xrefs: 00482369
DISPLAY, xrefs: 004823C5

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: System$Metrics$InfoParameterslstrcpy
String ID: B$DISPLAY
API String ID: 1409579217-3316187204
Opcode ID: e0119fb5df751310c2682b44f98ef8885bb4e8f80677ad0bc2f15268499be704
Instruction ID: f351dcdd63be77af6c50a4bcb3f632e7d2537c54ce79d9190209777e7922198d
Opcode Fuzzy Hash: e0119fb5df751310c2682b44f98ef8885bb4e8f80677ad0bc2f15268499be704
Instruction Fuzzy Hash: 3111C671601224ABCB11AF74DE84A9FBFA8FF0A751B108863FD05DA141D7F9D580CBA8

Function 00424300 Relevance: 9.2, APIs: 6, Instructions: 176windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00424351
IsWindow.USER32(?), ref: 00424366
IsChild.USER32(?,?), ref: 00424377
SetFocus.USER32(?), ref: 00424388
IsWindow.USER32(?), ref: 00424480
IsWindowVisible.USER32(?), ref: 0042448E

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: Window$ChildFocusVisible
String ID:
API String ID: 372613587-0
Opcode ID: 50c2d32ac8bb02d5ce3400207b4262f143e9da09f611150cf851a0d384416186
Instruction ID: f72e9e4c1a8ed903d9bd43d5b0f00456f867da036e18637015a97d46c99b736d
Opcode Fuzzy Hash: 50c2d32ac8bb02d5ce3400207b4262f143e9da09f611150cf851a0d384416186
Instruction Fuzzy Hash: 72519FB16003059FC720EF29D980D6BB7E8FFC8358F45492EF88587242DB78E8458BA5

Function 00428230 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 99COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 004282BD
wsprintfA.USER32 ref: 004282D9

Strings

%d / %d], xrefs: 004282B7
?? / %d], xrefs: 004282D3
- , xrefs: 00428304
- [, xrefs: 00428258

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: wsprintf
String ID: - $ - [$%d / %d]$?? / %d]
API String ID: 2111968516-3107364983
Opcode ID: ad562d864368950ce5d125e291b7c57ba8f6c9559ef20b54c16076164a27f210
Instruction ID: f51f925357ed870e5c4d6087be753bb813058d0a8ab621f019eb152f6c32382b
Opcode Fuzzy Hash: ad562d864368950ce5d125e291b7c57ba8f6c9559ef20b54c16076164a27f210
Instruction Fuzzy Hash: F5318274208700AFC714DF25DC51BABBBE4EB85714F10892EF89A87291DB78E905CB66

Function 00416160 Relevance: 9.1, APIs: 6, Instructions: 54windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000002,?), ref: 0041617B
SendMessageA.USER32(?,00001101,00000000,00000000), ref: 0041618D
SendMessageA.USER32(?,0000110A,00000002,?), ref: 0041619B
SendMessageA.USER32(?,0000110A,00000001,?), ref: 004161AD
SendMessageA.USER32(?,00001101,00000000,00000000), ref: 004161BF
SendMessageA.USER32(?,0000110A,00000001,?), ref: 004161CD

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 12e86eec18fc8d060ff459e3db644d8f929e5c365dcd260cb32c05425894f2ae
Instruction ID: f6d152415faea29a715282fbfe906744b2185a7d7f8e85897a8b480b0476d072
Opcode Fuzzy Hash: 12e86eec18fc8d060ff459e3db644d8f929e5c365dcd260cb32c05425894f2ae
Instruction Fuzzy Hash: 8E0136B2B503057EF534D6659CC2FE7A2AD9F98B92F018619B701DB2C0C5E5EC414A74

Function 00494243 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000F0), ref: 00494284
GetDlgItem.USER32(?,00000002), ref: 004942A3
IsWindowEnabled.USER32(00000000), ref: 004942AE
SendMessageA.USER32(?,00000111,00000002,00000000), ref: 004942C4

Strings

Edit, xrefs: 0049428E

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: Window$EnabledItemLongMessageSend
String ID: Edit
API String ID: 3499652902-554135844
Opcode ID: 51433964ae43bfef0d87327cdfa9aa405375d027bb0aa82a63ca663413ef5452
Instruction ID: 66a9f01fe654d217e64d5418674ac1898c9e0ca036db8093beec6a5a2332880d
Opcode Fuzzy Hash: 51433964ae43bfef0d87327cdfa9aa405375d027bb0aa82a63ca663413ef5452
Instruction Fuzzy Hash: 7A018E302002017AEE251B25DC09F6B7E54BBD6BA5F1546BBF501D12E0CBA89C53961C

Function 004160E0 Relevance: 7.6, APIs: 5, Instructions: 56windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004920BF: SendMessageA.USER32(?,0000110C,00000000,00000040), ref: 004920E0

SendMessageA.USER32(?,0000110A,00000004,?), ref: 00416105
SendMessageA.USER32(?,0000110A,00000004,00000000), ref: 00416125
SendMessageA.USER32(?,00001101,00000000,00000000), ref: 00416137
SendMessageA.USER32(?,0000110A,00000004,00000000), ref: 00416145
SendMessageA.USER32(?,00001101,00000000,00000000), ref: 00416157

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a969cf09eab6fe959f02b75da027fa79588a8edb02deab496ad5f75c81f96c20
Instruction ID: d59eb0f78978487390f240e7fc167d83a8545c08ebf72463ec97a9d499bc2c7a
Opcode Fuzzy Hash: a969cf09eab6fe959f02b75da027fa79588a8edb02deab496ad5f75c81f96c20
Instruction Fuzzy Hash: CF01DBB27407013AF634EA668CC1FA792ADAF95B55F01052EF701D72C1CBE8EC428634

Function 00440380 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 63windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00491747: __EH_prolog.LIBCMT ref: 0049174C
Part of subcall function 00491747: lstrcpynA.KERNEL32(?,?,00000104), ref: 00491839

Part of subcall function 004918E1: lstrlenA.KERNEL32(?,?,?,0000000C,?,?,00429BF9,?,-00000001,00000000,?,?,?,004BFBD8), ref: 004918EB
Part of subcall function 004918E1: GetFocus.USER32 ref: 00491906
Part of subcall function 004918E1: IsWindowEnabled.USER32(?), ref: 0049192F
Part of subcall function 004918E1: EnableWindow.USER32(?,00000000), ref: 00491941
Part of subcall function 004918E1: GetOpenFileNameA.COMDLG32(?,?), ref: 0049196C
Part of subcall function 004918E1: EnableWindow.USER32(?,00000001), ref: 0049198A
Part of subcall function 004918E1: IsWindow.USER32(?), ref: 00491990
Part of subcall function 004918E1: SetFocus.USER32(?), ref: 0049199E

Part of subcall function 004919BC: __EH_prolog.LIBCMT ref: 004919C1
Part of subcall function 004919BC: GetParent.USER32(?), ref: 004919FE
Part of subcall function 004919BC: SendMessageA.USER32(?,00000464,00000104,00000000), ref: 00491A26
Part of subcall function 004919BC: GetParent.USER32(?), ref: 00491A4F
Part of subcall function 004919BC: SendMessageA.USER32(?,00000465,00000104,00000000), ref: 00491A6C

Part of subcall function 00497878: SetWindowTextA.USER32(?,0042835A), ref: 00497886

Part of subcall function 004935C1: InterlockedDecrement.KERNEL32(-000000F4), ref: 004935D5

SendMessageA.USER32(?,000000B1,00000000,000000FF), ref: 0044042D
SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 0044043C

Part of subcall function 004979B3: SetFocus.USER32(?,0041E3A3), ref: 004979BD

Strings

prn, xrefs: 004403AE
out.prn, xrefs: 004403A9

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: Window$MessageSend$Focus$EnableH_prologParent$DecrementEnabledFileInterlockedNameOpenTextlstrcpynlstrlen
String ID: out.prn$prn
API String ID: 4074345921-3109735852
Opcode ID: 5bcc9d73fbb4553a1da3a12c7f3b6a076181e6e1db892f33aca80254bbec1ddb
Instruction ID: 52ae3d1ea2a52bd8830117dca27636049f71e179903fbcc5530cd66a645a47c2
Opcode Fuzzy Hash: 5bcc9d73fbb4553a1da3a12c7f3b6a076181e6e1db892f33aca80254bbec1ddb
Instruction Fuzzy Hash: 2D21A175248380AAD770EB14CC46F9BBBE4AB85B24F104B2EB4A9532D1CBBC6544CB56

Function 00430200 Relevance: 6.2, APIs: 4, Instructions: 246COMMON

Download Yara Rule

APIs

midiStreamOpen.WINMM(004D9FB8,004D9FE0,00000001,00430830,004D9F9C,00030000,?,004D9F9C,?,00000000), ref: 0043022B
midiStreamProperty.WINMM ref: 00430312
midiOutPrepareHeader.WINMM(?,?,00000040,00000001,00000000,00000000,004D9F9C,?,00000000), ref: 00430460

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: midi$Stream$HeaderOpenPrepareProperty
String ID:
API String ID: 2061886437-0
Opcode ID: 50d4ff1e07362300f6b09ff666569b9ac0ec706aa1e7d8f968b2d934994416e8
Instruction ID: a9293b236320aafc2d3270c0e55331d7d7a5170c9e59c0f80dfab7e67c24d0a5
Opcode Fuzzy Hash: 50d4ff1e07362300f6b09ff666569b9ac0ec706aa1e7d8f968b2d934994416e8
Instruction Fuzzy Hash: 0AA16C712006058FD724DF28D894BAAB7F6FB88304F504A6EE69AC7750EB35F919CB44

Function 0042E320 Relevance: 6.2, APIs: 4, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0042E332
PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 0042E38A
__ftol.LIBCMT ref: 0042E475
__ftol.LIBCMT ref: 0042E482

Part of subcall function 0049983B: SelectObject.GDI32(?,00000000), ref: 0049985D
Part of subcall function 0049983B: SelectObject.GDI32(?,?), ref: 00499873

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: ObjectSelect__ftol$ClientRect
String ID:
API String ID: 2514210182-0
Opcode ID: 5552e7a9638becf2884f5e7c132b2588c841c14a9f9cd2e4001e69c476f1af27
Instruction ID: 85e707fe64b73d2e85c27df218e296803753f8bfab39f830748cbcf75306aa52
Opcode Fuzzy Hash: 5552e7a9638becf2884f5e7c132b2588c841c14a9f9cd2e4001e69c476f1af27
Instruction Fuzzy Hash: 2651AAB1B083128BC714DE2AD98086BBBE5BBC8300F544A2EF88993251D634DD458B96

Function 0043A1E0 Relevance: 6.1, APIs: 4, Instructions: 108windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 0043A254
SendMessageA.USER32(?,000000B1,?,000000FF), ref: 0043A2AD
SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 0043A2BC
SendMessageA.USER32(?,000000C2,00000000,?), ref: 0043A2EA

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: MessageSend$Window
String ID:
API String ID: 2326795674-0
Opcode ID: e81fc13187dc090939fcc66cb1ea3ea51e5cb69e26b70d1d04303671285798c2
Instruction ID: 026069f7d2cacdf8a06c3d2bbc20449674ff4995da87fca4470d798b884a4514
Opcode Fuzzy Hash: e81fc13187dc090939fcc66cb1ea3ea51e5cb69e26b70d1d04303671285798c2
Instruction Fuzzy Hash: 1A41C3722887419FD320DF19C840B5BBBD4EB89724F444A2EF9A5873C1C7799409CB96

Function 0049017C Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

Part of subcall function 0048A024: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,00484EEC,00000009,00000000,00000000,00000001,004877A4,00000001,00000074,?,?,00000000,00000001), ref: 0048A061
Part of subcall function 0048A024: EnterCriticalSection.KERNEL32(?,?,?,00484EEC,00000009,00000000,00000000,00000001,004877A4,00000001,00000074,?,?,00000000,00000001), ref: 0048A07C

InitializeCriticalSection.KERNEL32(00000068,00000100,00000080,?,00000000,?,?,004905DA,?,?,00000000), ref: 004901CF
EnterCriticalSection.KERNEL32(00000068,00000100,00000080,?,00000000,?,?,004905DA,?,?,00000000), ref: 004901E4
LeaveCriticalSection.KERNEL32(00000068,?,00000000,?,?,004905DA,?,?,00000000), ref: 004901F1

Strings

, xrefs: 00490225

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: CriticalSection$EnterInitialize$Leave
String ID:
API String ID: 713024617-3916222277
Opcode ID: bebed559cc42a7db96bf027adccc4c7def8867bd0069b173bb2066f4dce244c3
Instruction ID: 2fbff14996252bbc30d10b93ba060575fb67b19a7edc7d92540b7f45f9c1c35f
Opcode Fuzzy Hash: bebed559cc42a7db96bf027adccc4c7def8867bd0069b173bb2066f4dce244c3
Instruction Fuzzy Hash: DC312B721053019FDB20DF24DC89B6A7BE0EB41328F148A7FEA654B1D1D7B8AC44C759

Function 0044E2D0 Relevance: 6.1, APIs: 4, Instructions: 100windowCOMMON

Download Yara Rule

APIs

CreateSolidBrush.GDI32(?), ref: 0044E35A
SendMessageA.USER32(?,00000030,00000000,00000000), ref: 0044E39E
SendMessageA.USER32(?,000000B1,?,000000FF), ref: 0044E3D4
SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 0044E3E3

Part of subcall function 00497878: SetWindowTextA.USER32(?,0042835A), ref: 00497886

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: MessageSend$BrushCreateSolidTextWindow
String ID:
API String ID: 3501373727-0
Opcode ID: 1cf81669b03e765e4221966c97bc8fdb8de737ba5ece6c3104630e284c90dad1
Instruction ID: acaeb9b6bf987a6531c98d85f3a5d58646fc1965f05ffceab7b6cb27b763e1ad
Opcode Fuzzy Hash: 1cf81669b03e765e4221966c97bc8fdb8de737ba5ece6c3104630e284c90dad1
Instruction Fuzzy Hash: E0317CB0604700AFD714DF19C845B2AFBE5FB89B14F108A1EF95587791CBB8E800CB99

Function 00498145 Relevance: 6.0, APIs: 4, Instructions: 48windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32(?,?,?), ref: 0049816D
GetFocus.USER32 ref: 00498180
GetParent.USER32(?), ref: 0049818E
GetNextDlgTabItem.USER32(?,?,00000000), ref: 004981AA

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: Item$EnableFocusMenuNextParent
String ID:
API String ID: 988757621-0
Opcode ID: ac13f713dde63d5371b58b6db666a467680f3e8cb18997629ad5f3f6c41129c6
Instruction ID: 9b7723d7672df08ebb9b4ecf13f1d189b51f1d5baf96a7c46e60c58514ac5a95
Opcode Fuzzy Hash: ac13f713dde63d5371b58b6db666a467680f3e8cb18997629ad5f3f6c41129c6
Instruction Fuzzy Hash: DE117C70110601AFDF289F28DC1AF5BBBB5EF85315F10862EF142862A0CB78E846DB18

Function 004201B0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000011), ref: 0042031D
GetObjectA.GDI32(00000000), ref: 00420324

Strings

H[J, xrefs: 004202D4

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: Object$Stock
String ID: H[J
API String ID: 1996491644-1317939579
Opcode ID: 2acada4daf88374fde27280a05f11b5bdfd5d7734a876c15ed511c41531f2222
Instruction ID: 32e44d5ad2aa9551e212c8847e7111932f1d1773aa48272dae3fc4d4eb7f2e64
Opcode Fuzzy Hash: 2acada4daf88374fde27280a05f11b5bdfd5d7734a876c15ed511c41531f2222
Instruction Fuzzy Hash: AF81BC76604B41CFC314DF28D451AABB7E1FFC8710F148A2EE89687391D778A856CB92

Function 00482289 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 004822C2
GetSystemMetrics.USER32(00000001), ref: 004822CA

Strings

B#H, xrefs: 004822AB

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: MetricsSystem
String ID: B#H
API String ID: 4116985748-1257324159
Opcode ID: 3d3cded7641270f062849f7a1274a4ce534457d467069ebcd40b6691a6b83fb3
Instruction ID: fff96a6a8657548368c69ed91bb9a2325abd53b4dfd488990503c36094d06e5f
Opcode Fuzzy Hash: 3d3cded7641270f062849f7a1274a4ce534457d467069ebcd40b6691a6b83fb3
Instruction Fuzzy Hash: 4FF0903110434A9EC710BB358E0066FB6E0AB44364F008CBEE48192590D7B8E8D1DB19

Function 00426270 Relevance: 5.1, APIs: 4, Instructions: 97COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00426301
wsprintfA.USER32 ref: 0042631B
wsprintfA.USER32 ref: 00426336

Memory Dump Source

Source File: 00000002.00000002.2700289021.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2700266957.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700359469.00000000004A2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700389565.00000000004B7000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700417101.00000000004B9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700438170.00000000004BA000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700472933.00000000004CA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700499081.00000000004CD000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F3000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700526869.00000000004F9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2700643967.00000000004FB000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_csrss2.jbxd

Similarity

API ID: wsprintf
String ID:
API String ID: 2111968516-0
Opcode ID: 52fd1aedb44dc9cceb7b18c1082ffcd465a0e7cd6cd12600ce7971fd3a0e94da
Instruction ID: 5fad551a30f40049ee2740815ab2d3d754456975c7c59d494e258403c0c4226c
Opcode Fuzzy Hash: 52fd1aedb44dc9cceb7b18c1082ffcd465a0e7cd6cd12600ce7971fd3a0e94da
Instruction Fuzzy Hash: 7031C8B15043045BC204EB65ED45AAFB7E8EFC4754F400E1EFC4693292DBB8DA05C7AA

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\4549359\....\TemporaryFile (copy)

C:\Users\user\AppData\Local\Temp\csrss2.exe

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exePID: 6388, Parent PID: 3504

Windows Analysis Report
SecuriteInfo.com.Trojan.MulDrop28.21322.11468.28457.exe

Function 004346B0 Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 370
commemorythreadCOMMON

Function 0046E165 Relevance: 12.1, APIs: 8, Instructions: 72
stringfileCOMMON

Function 00477D1A Relevance: 6.1, APIs: 4, Instructions: 63
COMMON

Function 0046F20F Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 99
COMMON

Function 00476EA3 Relevance: 15.1, APIs: 10, Instructions: 99
memoryCOMMONLIBRARYCODE

Function 00411BC0 Relevance: 13.8, APIs: 9, Instructions: 289
COMMON

Function 00401750 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 97
processsynchronizationCOMMON

Function 004736BB Relevance: 9.0, APIs: 6, Instructions: 35
COMMON

Function 00411AA0 Relevance: 6.1, APIs: 4, Instructions: 94
windowCOMMON

Function 0046F5E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25
threadCOMMON

Function 0046EF47 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 73
COMMON

Function 0046DE39 Relevance: 3.1, APIs: 2, Instructions: 107
fileCOMMON

Function 00477A6C Relevance: 3.0, APIs: 2, Instructions: 32
COMMON

Function 0046DF90 Relevance: 3.0, APIs: 2, Instructions: 31
fileCOMMON

Function 00462126 Relevance: 3.0, APIs: 2, Instructions: 30
memoryCOMMON