Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1522715
MD5:	9fc46b6036032a8d8a89e3567a3dcec3
SHA1:	42dcd68b4a35686b000a18efb4c2b2ae07d5cc94
SHA256:	0e96860caa7e17fdcacac170b59189eb500761d5a80954d92e7f7b0ecb6b9534
Tags:	exeuser-jstrosch
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 7420 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 9FC46B6036032A8D8A89E3567A3DCEC3)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 55%

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00412408 FindFirstFileW,Sleep,FindNextFileW,FindClose,	1_2_00412408
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00438877 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	1_2_00438877
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0040280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0040280D
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_003F399B GetFileAttributesW,FindFirstFileW,FindClose,	1_2_003F399B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_003F1A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_003F1A73
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0041CAE7 FindFirstFileW,FindNextFileW,FindClose,	1_2_0041CAE7
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0040BCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,	1_2_0040BCB3
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0041DE7C FindFirstFileW,FindClose,	1_2_0041DE7C
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0040BF17 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_0040BF17

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00402285 InternetQueryDataAvailable,InternetReadFile,

1_2_00402285

Source: file.exe	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: file.exe	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: file.exe	String found in binary or memory: http://crl.globalsign.net/Timestamping1.crl0
Source: file.exe	String found in binary or memory: http://crl.globalsign.net/primobject.crl0N
Source: file.exe	String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: file.exe	String found in binary or memory: http://secure.globalsign.net/cacert/ObjectSign.crt09
Source: file.exe	String found in binary or memory: http://secure.globalsign.net/cacert/PrimObject.crt0
Source: file.exe	String found in binary or memory: http://www.autoitscript.com/autoit3/0
Source: file.exe	String found in binary or memory: http://www.globalsign.net/repository/0
Source: file.exe	String found in binary or memory: http://www.globalsign.net/repository/03
Source: file.exe	String found in binary or memory: http://www.globalsign.net/repository09

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_0041A0FC OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

1_2_0041A0FC

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_0041A0FC OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

1_2_0041A0FC

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_0042D8E9 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,

1_2_0042D8E9

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_004042E1 GetParent,GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,PostMessageW,PostMessageW,PostMessageW,

1_2_004042E1

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_0043C7D6 SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

1_2_0043C7D6

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_003F1BD5: GetFullPathNameW,__swprintf,_wcslen,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

1_2_003F1BD5

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00406219 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

1_2_00406219

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_003F33A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,

1_2_003F33A3

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_003DA137	1_2_003DA137
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_003D2136	1_2_003D2136
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_003E427D	1_2_003E427D
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0040F3A6	1_2_0040F3A6
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0040655F	1_2_0040655F
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_003D2508	1_2_003D2508
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_003C35F0	1_2_003C35F0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_003C98F0	1_2_003C98F0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_003CF730	1_2_003CF730
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_003D3721	1_2_003D3721
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_003E088F	1_2_003E088F
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_003C98F0	1_2_003C98F0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_003D28F0	1_2_003D28F0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_003DC8CE	1_2_003DC8CE
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_003D1903	1_2_003D1903
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0043EA2B	1_2_0043EA2B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0040EACF	1_2_0040EACF
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_003E3BA1	1_2_003E3BA1
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00402D2D	1_2_00402D2D
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_003D1D98	1_2_003D1D98
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_003E0DE0	1_2_003E0DE0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0040CE8D	1_2_0040CE8D
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00404EB7	1_2_00404EB7
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_003E1F2C	1_2_003E1F2C

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 003D14F7 appears 36 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 004059E6 appears 65 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 003D6B90 appears 39 times

Source: file.exe, 00000001.00000000.1843449360.000000000046B000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamewritelJ vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenamewritelJ vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal52.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_0040AEE3 GetLastError,FormatMessageW,

1_2_0040AEE3

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_003F33A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,		1_2_003F33A3
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00424AEB OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,		1_2_00424AEB

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_0041D606 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode,

1_2_0041D606

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_0043557E CreateToolhelp32Snapshot,Process32FirstW,__wsplitpath,_wcscat,__wcsicoll,Process32NextW,CloseHandle,

1_2_0043557E

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_0042E0F6 CoInitialize,CoCreateInstance,CoUninitialize,

1_2_0042E0F6

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_003F3044 __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

1_2_003F3044

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 55%

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: thumbcache.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: globinputhost.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: assignedaccessruntime.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: structuredquery.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.search.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: actxprxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: networkexplorer.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{725F645B-EAED-4fc5-B1C5-D9AD0ACCBA5E}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\MsftEdit.dll

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Window detected: Number of UI elements: 13

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_003CEE30 LoadLibraryA,GetProcAddress,

1_2_003CEE30

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_004221AF push edi; ret	1_2_004221B1
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_003ED53C push 74003ECFh; iretd	1_2_003ED541
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_003D6BD5 push ecx; ret	1_2_003D6BE8

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0043A2EA IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		1_2_0043A2EA
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_003F43FF GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,		1_2_003F43FF

Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Window / User API: foregroundWindowGot 704

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

API coverage: 1.1 %

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00412408 FindFirstFileW,Sleep,FindNextFileW,FindClose,	1_2_00412408
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00438877 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	1_2_00438877
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0040280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0040280D
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_003F399B GetFileAttributesW,FindFirstFileW,FindClose,	1_2_003F399B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_003F1A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_003F1A73
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0041CAE7 FindFirstFileW,FindNextFileW,FindClose,	1_2_0041CAE7
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0040BCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,	1_2_0040BCB3
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0041DE7C FindFirstFileW,FindClose,	1_2_0041DE7C
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0040BF17 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_0040BF17

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_003CE700 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary,

1_2_003CE700

Source: file.exe, 00000001.00000002.3095650650.0000000001894000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:

Source: C:\Users\user\Desktop\file.exe

API call chain: ExitProcess graph end node

graph_1-83868

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_0041A35D BlockInput,

1_2_0041A35D

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_003CD7A0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,

1_2_003CD7A0

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_003CEE30 LoadLibraryA,GetProcAddress,

1_2_003CEE30

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_003E37FA __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

1_2_003E37FA

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_003DA128 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_003DA128
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_003DF170 SetUnhandledExceptionFilter,	1_2_003DF170
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_003D7CCD _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_003D7CCD

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_003F6C61 LogonUserW,

1_2_003F6C61

Source: C:\Users\user\Desktop\file.exe

1_2_003CD7A0

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_003F43FF GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,

1_2_003F43FF

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_003F3321 __wcsicoll,mouse_event,__wcsicoll,mouse_event,

1_2_003F3321

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_0040602A GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

1_2_0040602A

Source: file.exe	Binary or memory string: IDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript PausedblankinfoquestionstopwarningAutoIt -
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: file.exe, 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmp, file.exe, 00000001.00000000.1843414149.0000000000442000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: I@ASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript PausedblankinfoquestionstopwarningAutoIt -

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00432095 _memset,_memset,GetLocalTime,__swprintf,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,

1_2_00432095

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00432BF9 GetUserNameW,

1_2_00432BF9

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_003DE284 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

1_2_003DE284

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_003CE700 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary,

1_2_003CE700

Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte!
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0042C06C OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,	1_2_0042C06C
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_004365D3 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	1_2_004365D3
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00424EFB socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	1_2_00424EFB

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	2 Valid Accounts	2 Valid Accounts	2 Valid Accounts	21 Input Capture	2 System Time Discovery	Remote Services	21 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	21 Access Token Manipulation	21 Access Token Manipulation	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Process Injection	1 Process Injection	NTDS	11 Application Window Discovery	Distributed Component Object Model	3 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Account Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	12 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	5 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	55%	ReversingLabs	Win32.Trojan.Generic
file.exe	100%	Joe Sandbox ML

Name	Source	Malicious	Reputation
http://secure.globalsign.net/cacert/PrimObject.crt0	file.exe	false	unknown
http://secure.globalsign.net/cacert/ObjectSign.crt09	file.exe	false	unknown
http://www.globalsign.net/repository09	file.exe	false	unknown
http://www.autoitscript.com/autoit3/0	file.exe	false	unknown
http://www.globalsign.net/repository/0	file.exe	false	unknown
http://www.globalsign.net/repository/03	file.exe	false	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1522715
Start date and time:	2024-09-30 15:53:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal52.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 9 Number of non-executed functions: 351
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
09:54:17	API Interceptor	2x Sleep call for process: file.exe modified

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.569533356371872
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	663'280 bytes
MD5:	9fc46b6036032a8d8a89e3567a3dcec3
SHA1:	42dcd68b4a35686b000a18efb4c2b2ae07d5cc94
SHA256:	0e96860caa7e17fdcacac170b59189eb500761d5a80954d92e7f7b0ecb6b9534
SHA512:	45c10d083b1abc6cfcb54cd5d1a5343c1f8b25ac89c3800b173634073204a94cc7bbbe52caa2c465af739a438cc0df7daf2a62defc5220b2b72e507dbae0be3d
SSDEEP:	12288:YBzZm7d9AZAYJVB7ii/XAvKxRJBnwvogSJ4M4G4avx5DGDt2:icneJVBvXAvwRJdwvZ5avx5DGR2
TLSH:	5CE4AF22F5D68036C2B327B19E7EF76A963D79360326C1D723C82D715EA05816B39723
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................1b.......P.).....Q.......y.......i..........}....N.......d.......`.......m.......g.....Rich............PE..L..

File Icon


Icon Hash:	656aea74787e6629

Static PE Info

General

Entrypoint:	0x4164e1
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x4F25BAEC [Sun Jan 29 21:32:28 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	d3bf8a7746a8d1ee8f6e5960c3f69378

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
call 00007F7A68F11F5Bh
jmp 00007F7A68F08DCEh
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push edi
push esi
mov esi, dword ptr [ebp+0Ch]
mov ecx, dword ptr [ebp+10h]
mov edi, dword ptr [ebp+08h]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F7A68F08F4Ah
cmp edi, eax
jc 00007F7A68F090E6h
cmp ecx, 00000080h
jc 00007F7A68F08F5Eh
cmp dword ptr [004A9724h], 00000000h
je 00007F7A68F08F55h
push edi
push esi
and edi, 0Fh
and esi, 0Fh
cmp edi, esi
pop esi
pop edi
jne 00007F7A68F08F47h
jmp 00007F7A68F09322h
test edi, 00000003h
jne 00007F7A68F08F56h
shr ecx, 02h
and edx, 03h
cmp ecx, 08h
jc 00007F7A68F08F6Bh
rep movsd
jmp dword ptr [00416660h+edx*4]
mov eax, edi
mov edx, 00000003h
sub ecx, 04h
jc 00007F7A68F08F4Eh
and eax, 03h
add ecx, eax
jmp dword ptr [00416574h+eax*4]
jmp dword ptr [00416670h+ecx*4]
nop
jmp dword ptr [004165F4h+ecx*4]
nop
test byte ptr [ebp+41h], ah
add byte ptr [eax-2BFFBE9Bh], dh
inc ecx
add byte ptr [ebx], ah
ror dword ptr [edx-75F877FAh], 1
inc esi
add dword ptr [eax+468A0147h], ecx
add al, cl
jmp 00007F7A6B381747h
add esi, 03h
add edi, 03h
cmp ecx, 08h
jc 00007F7A68F08F0Eh
rep movsd
jmp dword ptr [00000000h+edx*4]

Rich Headers

Programming Language:

[ C ] VS2010 SP1 build 40219
[C++] VS2010 SP1 build 40219
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8d404	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xab000	0x3610	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xa0400	0x1ef0	.data
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xaf000	0x6394	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x82000	0x844	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x805d8	0x80600	902480d52d8d17dc44d0fe582df89694	False	0.5586850352969815	data	6.686701795005364	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x82000	0xdfa8	0xe000	b19195bd10fd0137d1243bf6477e30cd	False	0.3606480189732143	data	4.797311098909003	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x90000	0x1a758	0x6800	b507a11a98d5604998e6f4aea115ac82	False	0.15324519230769232	data	2.1542326021054983	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xab000	0x3610	0x3800	0006aae833ec05200b55a1f81d014e00	False	0.2738560267857143	data	3.799914142499706	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xaf000	0x758a	0x7600	8c3d02534aa508c46376d7dcfb5d14c8	False	0.6427436440677966	data	6.241673341100085	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xab448	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xab570	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xab698	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xab7c0	0x2f0	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	Great Britain	0.3550531914893617
RT_MENU	0xabab0	0x50	data	English	Great Britain	0.9
RT_DIALOG	0xabb00	0xfc	data	English	Great Britain	0.6507936507936508
RT_STRING	0xabbfc	0x530	data	English	Great Britain	0.33960843373493976
RT_STRING	0xac12c	0x690	data	English	Great Britain	0.26964285714285713
RT_STRING	0xac7bc	0x4d0	data	English	Great Britain	0.36363636363636365
RT_STRING	0xacc8c	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xad288	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xad8e4	0x388	data	English	Great Britain	0.377212389380531
RT_STRING	0xadc6c	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	United States	0.502906976744186
RT_GROUP_ICON	0xaddc4	0x14	data	English	Great Britain	1.2
RT_GROUP_ICON	0xaddd8	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xaddec	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xade00	0x14	data	English	Great Britain	1.25
RT_VERSION	0xade14	0x368	data	English	United States	0.46559633027522934
RT_MANIFEST	0xae17c	0x494	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4351535836177474

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
VERSION.dll	VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
MPR.dll	WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
PSAPI.DLL	EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
USERENV.dll	CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
KERNEL32.dll	HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, InterlockedIncrement, InterlockedDecrement, WideCharToMultiByte, lstrcpyW, MultiByteToWideChar, lstrlenW, lstrcmpiW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, GetProcessHeap, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetLocalTime, CompareStringW, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetTimeFormatW, GetDateFormatW, GetCommandLineW, GetStartupInfoW, IsProcessorFeaturePresent, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStringTypeW, HeapCreate, SetHandleCount, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, RtlUnwind, SetFilePointer, GetTimeZoneInformation, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetTickCount, HeapReAlloc, WriteConsoleW, SetEndOfFile, SetSystemPowerState, SetEnvironmentVariableA
USER32.dll	GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, SetWindowPos, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, TranslateMessage, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, GetMenuItemID, DispatchMessageW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, PeekMessageW, UnregisterHotKey, CharLowerBuffW, keybd_event, MonitorFromRect, GetWindowThreadProcessId
GDI32.dll	DeleteObject, AngleArc, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, GetDeviceCaps, MoveToEx, DeleteDC, GetPixel, CreateDCW, Ellipse, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, LineTo
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, CloseServiceHandle, UnlockServiceDatabase, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, CopySid, LogonUserW, LockServiceDatabase, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, GetAce, AddAce, SetSecurityDescriptorDacl, RegOpenKeyExW, RegQueryValueExW, AdjustTokenPrivileges, InitiateSystemShutdownExW, OpenSCManagerW, RegCloseKey
SHELL32.dll	DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CLSIDFromString, StringFromGUID2, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, ProgIDFromCLSID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize, IIDFromString
OLEAUT32.dll	VariantChangeType, VariantCopyInd, DispCallFunc, CreateStdDispatch, CreateDispTypeInfo, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SysStringLen, SafeArrayAllocData, GetActiveObject, QueryPathOfRegTypeLib, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysAllocString, VariantCopy, VariantClear, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, SafeArrayAccessData, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain
English	United States

Target ID:	1
Start time:	09:54:14
Start date:	30/09/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x3c0000
File size:	663'280 bytes
MD5 hash:	9FC46B6036032A8D8A89E3567A3DCEC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	0.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	12.1%
Total number of Nodes:	537
Total number of Limit Nodes:	23

Executed Functions

Function 003CD7A0 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 138
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 003CD7BA

Part of subcall function 003C2190: __wcsicoll.LIBCMT ref: 003C2262
Part of subcall function 003C2190: __wcsicoll.LIBCMT ref: 003C2278
Part of subcall function 003C2190: __wcsicoll.LIBCMT ref: 003C228E
Part of subcall function 003C2190: __wcsicoll.LIBCMT ref: 003C22A4
Part of subcall function 003C2190: _wcscpy.LIBCMT ref: 003C22C4

IsDebuggerPresent.KERNEL32 ref: 003CD7C6
GetFullPathNameW.KERNEL32(00467F6C,00000104,?,00467F50,00467F54), ref: 003CD82D

Part of subcall function 003C16A0: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 003C16E5

SetCurrentDirectoryW.KERNEL32(?,00000001), ref: 003CD8A2
MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 003EE14F
SetCurrentDirectoryW.KERNEL32(?), ref: 003EE1A3
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 003EE1D3
GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 003EE21D
ShellExecuteW.SHELL32(00000000), ref: 003EE224

Part of subcall function 003D03E0: GetSysColorBrush.USER32(0000000F), ref: 003D03EB
Part of subcall function 003D03E0: LoadCursorW.USER32(00000000,00007F00), ref: 003D03FA
Part of subcall function 003D03E0: LoadIconW.USER32(?,00000063), ref: 003D0410
Part of subcall function 003D03E0: LoadIconW.USER32(?,000000A4), ref: 003D0423
Part of subcall function 003D03E0: LoadIconW.USER32(?,000000A2), ref: 003D0436
Part of subcall function 003D03E0: LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 003D045E
Part of subcall function 003D03E0: RegisterClassExW.USER32(?), ref: 003D04AD

Part of subcall function 003D0350: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 003D0385
Part of subcall function 003D0350: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 003D03AE
Part of subcall function 003D0350: ShowWindow.USER32(?,00000000), ref: 003D03C4
Part of subcall function 003D0350: ShowWindow.USER32(?,00000000), ref: 003D03CE

Part of subcall function 003CE2C0: _memset.LIBCMT ref: 003CE2E2
Part of subcall function 003CE2C0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 003CE3A7

Strings

It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 003EE148
runas, xrefs: 003EE218, 003EE247
AutoIt, xrefs: 003EE143

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: LoadWindow$Icon__wcsicoll$CurrentDirectoryName$CreateFullPathShow$BrushClassColorCursorDebuggerExecuteFileForegroundImageMessageModuleNotifyPresentRegisterShellShell__memset_wcscpy
String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
API String ID: 765478012-2030392706
Opcode ID: c231ed20e1a0d2046b1d3b818fcfec5211f4dfbd60b08b2eef2eec54145a0bed
Instruction ID: 2dda904c0fef0961c1b5de969b32b20640dd3d8d5d1d4d3014f6e869d7a34c0e
Opcode Fuzzy Hash: c231ed20e1a0d2046b1d3b818fcfec5211f4dfbd60b08b2eef2eec54145a0bed
Instruction Fuzzy Hash: FE414931A04340ABEB16ABA0DC45FE977389B49711F4441BEFA45972D2DBB84D84C73E

Function 003CE700 Relevance: 10.7, APIs: 7, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 003CE72A

Part of subcall function 003C2390: _wcslen.LIBCMT ref: 003C239D
Part of subcall function 003C2390: _memmove.LIBCMT ref: 003C23C3

GetCurrentProcess.KERNEL32(?), ref: 003CE7D4
GetNativeSystemInfo.KERNEL32(?), ref: 003CE832
FreeLibrary.KERNEL32(?), ref: 003CE842
FreeLibrary.KERNEL32(?), ref: 003CE854

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_memmove_wcslen
String ID:
API String ID: 3363477735-0
Opcode ID: 3ba78aac1dda29cec37ce0aec9541de724ef349ac558f3b6f9bcf73ab7411aa2
Instruction ID: b8223f711bff0cd75c04452eef1354d39584898b56f0a21b18f9453b265f2847
Opcode Fuzzy Hash: 3ba78aac1dda29cec37ce0aec9541de724ef349ac558f3b6f9bcf73ab7411aa2
Instruction Fuzzy Hash: E461BD71808696EACB12DFA5C88469CBFB4BF09304F14466ED404D7B81C3B5AA98CF96

Function 003CEE30 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(uxtheme.dll,003CEE15,003CD92E), ref: 003CEE3B
GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 003CEE4D

Strings

IsThemeActive, xrefs: 003CEE47
uxtheme.dll, xrefs: 003CEE36

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: IsThemeActive$uxtheme.dll
API String ID: 2574300362-3542929980
Opcode ID: b3946ed9d81139bf55c3d321cad076990344bba9322834754aed0cf600b220c9
Instruction ID: 3c14487e21cd7cf7be2d3490cea89927eefec98f7a45a51cf0ccdfb8ab6ef1de
Opcode Fuzzy Hash: b3946ed9d81139bf55c3d321cad076990344bba9322834754aed0cf600b220c9
Instruction Fuzzy Hash: 14D0C9B8901703DAE7311F71C90AB1277E4BB40B82F21482DB9A1E1150DBB8C8808B28

Function 003CE560 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003D14F7: _malloc.LIBCMT ref: 003D1511

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 003CE5FF
__wsplitpath.LIBCMT ref: 003CE61C

Part of subcall function 003D392E: __wsplitpath_helper.LIBCMT ref: 003D3970

_wcsncat.LIBCMT ref: 003CE633
__wmakepath.LIBCMT ref: 003CE64F

Part of subcall function 003D39BE: __wmakepath_s.LIBCMT ref: 003D39D4

Part of subcall function 003D14F7: std::exception::exception.LIBCMT ref: 003D1546
Part of subcall function 003D14F7: std::exception::exception.LIBCMT ref: 003D1560
Part of subcall function 003D14F7: __CxxThrowException@8.LIBCMT ref: 003D1571

_wcscpy.LIBCMT ref: 003CE687

Part of subcall function 003CE6C0: RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,003CE6A1), ref: 003CE6DD

_wcscat.LIBCMT ref: 003E7324
_wcslen.LIBCMT ref: 003E7334
_wcslen.LIBCMT ref: 003E7345
_wcscat.LIBCMT ref: 003E735F
_wcsncpy.LIBCMT ref: 003E739F

Strings

\, xrefs: 003E734D
Include, xrefs: 003CE62D

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: _wcscat_wcslenstd::exception::exception$Exception@8FileModuleNameOpenThrow__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpy
String ID: Include$\
API String ID: 3173733714-3429789819
Opcode ID: 062b769b86ed66d948b0bb6ed1954458d19e61f8ead3f82e283ac92721faec74
Instruction ID: 4b95fbd9d1bc67f7018f31419db48c1624f6b0c78bda22aeb8735c02373c5641
Opcode Fuzzy Hash: 062b769b86ed66d948b0bb6ed1954458d19e61f8ead3f82e283ac92721faec74
Instruction Fuzzy Hash: C3518FB2414341ABD315EF65EC859A673E8FB4A300F50862EF589872A1F7F09A44CB5B

Function 003D14F7 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 003D1511

Part of subcall function 003D34DB: __FF_MSGBANNER.LIBCMT ref: 003D34F4
Part of subcall function 003D34DB: __NMSG_WRITE.LIBCMT ref: 003D34FB
Part of subcall function 003D34DB: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,003D6A35,?,00000001,?,?,003D8179,00000018,0044D180,0000000C,003D8209), ref: 003D3520

std::exception::exception.LIBCMT ref: 003D1546
std::exception::exception.LIBCMT ref: 003D1560
__CxxThrowException@8.LIBCMT ref: 003D1571

Strings

@fE, xrefs: 003D1524
4*D, xrefs: 003D153F
,*D, xrefs: 003D1529

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID: ,*D$4*D$@fE
API String ID: 615853336-2089784397
Opcode ID: 8e52b6eb5884eed9262f370eb77bf35d3752e08558469e3b5c7880d2b3af41ae
Instruction ID: ac87e9ad01beff78d59e40d0cb0b35c9f04056ac6c5ac81e4276047d800161d8
Opcode Fuzzy Hash: 8e52b6eb5884eed9262f370eb77bf35d3752e08558469e3b5c7880d2b3af41ae
Instruction Fuzzy Hash: 42F02D33500209BBDB23EF55FC41A5D7769AF81311F514067F8019A392DBB5CF048B55

Function 003CE6C0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 79
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,003CE6A1), ref: 003CE6DD
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,003CE6A1,00000000,?,?,?,003CE6A1), ref: 003E7117
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,003CE6A1,?,00000000,?,?,?,?,003CE6A1), ref: 003E715E
RegCloseKey.ADVAPI32(?,?,?,?,003CE6A1), ref: 003E718F

Strings

Software\AutoIt v3\AutoIt, xrefs: 003CE6D3
Include, xrefs: 003E710F, 003E7158

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Include$Software\AutoIt v3\AutoIt
API String ID: 1586453840-614718249
Opcode ID: 8e3a4044955fc70a1b8edbf727919d51893ed5525f54fad74c23fcd46ca1ee24
Instruction ID: ab4298ffb1636078ba7b567412020f32d98825cd0faa8b256a3c29672f1f41ed
Opcode Fuzzy Hash: 8e3a4044955fc70a1b8edbf727919d51893ed5525f54fad74c23fcd46ca1ee24
Instruction Fuzzy Hash: ED21C076B80208BBEB10DBA5DD46FBEB3BCAB55700F104259B605E7281EAB5AA008754

Function 003D06E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 66
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(00000004,Control Panel\Mouse,00000000,00000001,00000004,00000004), ref: 003D06F7
RegQueryValueExW.KERNEL32(00000000,?,00000000,00000000,?,?,00000002,00000000), ref: 003D071E
RegCloseKey.KERNEL32(?), ref: 003D0745
RegCloseKey.ADVAPI32(?), ref: 003D0759

Strings

Control Panel\Mouse, xrefs: 003D06F5

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Close$OpenQueryValue
String ID: Control Panel\Mouse
API String ID: 1607946009-824357125
Opcode ID: 03deb0a69ca07b14ec798beeaf61d8e9c7188f67c2a09690958963b72606c494
Instruction ID: 4d544ee0a13c75b091d32dfd19c8a5d4b66f84524ca61da8c8e7d324a5226d75
Opcode Fuzzy Hash: 03deb0a69ca07b14ec798beeaf61d8e9c7188f67c2a09690958963b72606c494
Instruction Fuzzy Hash: 79115E76640108BF9B14CFA9ED459EFB7FCEF99310B10469AF909C3210E6719A11DBA4

Function 003CF1D0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 003E9558
GetOpenFileNameW.COMDLG32(?,?,?,00000001), ref: 003E959F

Part of subcall function 003CF220: GetFullPathNameW.KERNEL32(00000000,00000104,00467F6C,003CF1F5,00467F6C,004690E8,00467F6C,?,003CF1F5,?,?,00000001), ref: 003CF23C

Part of subcall function 003CF3B0: SHGetMalloc.SHELL32(003CF1FC), ref: 003CF3BD
Part of subcall function 003CF3B0: SHGetDesktopFolder.SHELL32(?,004690E8), ref: 003CF3D2
Part of subcall function 003CF3B0: _wcsncpy.LIBCMT ref: 003CF3ED
Part of subcall function 003CF3B0: SHGetPathFromIDListW.SHELL32(?,?), ref: 003CF427
Part of subcall function 003CF3B0: _wcsncpy.LIBCMT ref: 003CF440

Part of subcall function 003CF290: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 003CF2AB

Strings

PWD, xrefs: 003E9583
0WD, xrefs: 003E956B
X, xrefs: 003E9564

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: NamePath$Full_wcsncpy$DesktopFileFolderFromListMallocOpen_memset
String ID: 0WD$PWD$X
API String ID: 2873425188-916512069
Opcode ID: eb0b1669dcafa8d8271f62333529dd3b4078b369a7bce77e06c2b8dfce819ee5
Instruction ID: 6b3dc58b594eed501e0de24712fa207447a74526c5eb5a63a36cc790625ee6e5
Opcode Fuzzy Hash: eb0b1669dcafa8d8271f62333529dd3b4078b369a7bce77e06c2b8dfce819ee5
Instruction Fuzzy Hash: A91186B5A002489FDB01DFD9D845B9EFBFA6F55304F048029E504EB282DBF95809CBA5

Function 003CD8B0 Relevance: 3.1, APIs: 2, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 003CD979
FreeLibrary.KERNEL32(?), ref: 003CD98E

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: FreeInfoLibraryParametersSystem
String ID:
API String ID: 3403648963-0
Opcode ID: b316f9bc38b31ad811d0b89329185cf75fe6373512d330af0982a80c16af2220
Instruction ID: 0a0d5d36d05d15aa85a42f3cac2e291a81f5d678c9ca5c5935b50f02633653a2
Opcode Fuzzy Hash: b316f9bc38b31ad811d0b89329185cf75fe6373512d330af0982a80c16af2220
Instruction Fuzzy Hash: 0E218DB1908304AFC301EF19EC85A1ABBA8FB84354F40493EF98897362D771ED058B96

Non-executed Functions

Function 0043C7D6 Relevance: 74.2, APIs: 40, Strings: 2, Instructions: 674windowkeyboardCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0043C89B
DefDlgProcW.USER32(?,0000004E,?,?), ref: 0043C8B6
GetKeyState.USER32(00000011), ref: 0043C8E7
GetKeyState.USER32(00000009), ref: 0043C8F0
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0043C903
GetKeyState.USER32(00000010), ref: 0043C90D
GetWindowLongW.USER32(00000002,000000F0), ref: 0043C921
SendMessageW.USER32(00000002,0000110A,00000009,00000000), ref: 0043C94D
SendMessageW.USER32(00000002,0000113E,00000000,?), ref: 0043C970
_wcsncpy.LIBCMT ref: 0043C9E3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0043CA14
SendMessageW.USER32 ref: 0043CA39
InvalidateRect.USER32(?,00000000,00000001), ref: 0043CA99
SendMessageW.USER32(?,00001030,?,0043EA24), ref: 0043CB3E
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,00000000), ref: 0043CB55
ImageList_BeginDrag.COMCTL32(00000000,00000000,000000F8,000000F0), ref: 0043CB66
SetCapture.USER32(?), ref: 0043CB70
ClientToScreen.USER32(?,?), ref: 0043CBD1
ImageList_DragEnter.COMCTL32(00000000,?,?,?,?), ref: 0043CBE0
ReleaseCapture.USER32 ref: 0043CBF4
GetCursorPos.USER32(?), ref: 0043CC2C
ScreenToClient.USER32(?,?), ref: 0043CC3A
SendMessageW.USER32(?,00001012,00000000,?), ref: 0043CCA0
SendMessageW.USER32 ref: 0043CCCC
SendMessageW.USER32(?,00001111,00000000,?), ref: 0043CD0D
SendMessageW.USER32 ref: 0043CD3A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0043CD53
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0043CD64
GetCursorPos.USER32(?), ref: 0043CD82
ScreenToClient.USER32(?,?), ref: 0043CD90
GetParent.USER32(00000000), ref: 0043CDB1
SendMessageW.USER32(?,00001012,00000000,?), ref: 0043CE1A
SendMessageW.USER32 ref: 0043CE4D
ClientToScreen.USER32(?,?), ref: 0043CEA8
TrackPopupMenuEx.USER32(?,00000000,?,?,03DD1AA8,00000000,?,?,?,?), ref: 0043CED6
SendMessageW.USER32(?,00001111,00000000,?), ref: 0043CF00
SendMessageW.USER32 ref: 0043CF25
ClientToScreen.USER32(?,?), ref: 0043CF6F
TrackPopupMenuEx.USER32(?,00000080,?,?,03DD1AA8,00000000,?,?,?,?), ref: 0043CFA0
GetWindowLongW.USER32(?,000000F0), ref: 0043D040

Strings

@GUI_DRAGID, xrefs: 0043CB9C
F, xrefs: 0043CF2B

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$Image$CursorDragList_State$CaptureLongMenuPopupTrackWindow$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3100379633-4164748364
Opcode ID: 21abbd48ef1e982e62ec567e59fb19b704b87bd59f536270361c11c5f4b82bcb
Instruction ID: e4c8a9a89bc0582b83e224b59fa43e9bae982a18730336ea487c27a365b27c93
Opcode Fuzzy Hash: 21abbd48ef1e982e62ec567e59fb19b704b87bd59f536270361c11c5f4b82bcb
Instruction Fuzzy Hash: 3042DF786042019FD728DF18C8C4F6777A4AF89710F14465EFA45AB3D1CBB4E846CBAA

Function 003F43FF Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 133keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 003F4407
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003F442D
IsIconic.USER32(?), ref: 003F4436
ShowWindow.USER32(?,00000009), ref: 003F4443
SetForegroundWindow.USER32(?), ref: 003F4451
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 003F4468
GetCurrentThreadId.KERNEL32 ref: 003F446C
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 003F447A
AttachThreadInput.USER32(00000000,00000000,00000001), ref: 003F4489
AttachThreadInput.USER32(00000000,00000000,00000001), ref: 003F448F
AttachThreadInput.USER32(00000000,?,00000001), ref: 003F4498
SetForegroundWindow.USER32(00000000), ref: 003F449E
MapVirtualKeyW.USER32(00000012,00000000), ref: 003F44AD
keybd_event.USER32(00000012,00000000), ref: 003F44B6
MapVirtualKeyW.USER32(00000012,00000000), ref: 003F44C4
keybd_event.USER32(00000012,00000000), ref: 003F44CD
MapVirtualKeyW.USER32(00000012,00000000), ref: 003F44DB
keybd_event.USER32(00000012,00000000), ref: 003F44E4
MapVirtualKeyW.USER32(00000012,00000000), ref: 003F44F2
keybd_event.USER32(00000012,00000000), ref: 003F44FB
SetForegroundWindow.USER32(00000000), ref: 003F4505
AttachThreadInput.USER32(00000000,?,00000000), ref: 003F4526
AttachThreadInput.USER32(00000000,00000000,00000000), ref: 003F452C

Strings

Shell_TrayWnd, xrefs: 003F4428

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: ThreadWindow$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 2889586943-2988720461
Opcode ID: 5ecca880d06902b38c5230488e1ccc3cbcb2c4329dab53dbed8683ebd7350331
Instruction ID: 1f4b075db0e8537bc2e276bf8b56db46f9611587aedfdaa5ca372ebf9a13d2e4
Opcode Fuzzy Hash: 5ecca880d06902b38c5230488e1ccc3cbcb2c4329dab53dbed8683ebd7350331
Instruction Fuzzy Hash: E741A2767402087FE7206BA4AD4AFBE7B6CDF46B11F11402AFB05EA1D0C6F098409BA5

Function 003C98F0 Relevance: 40.9, APIs: 21, Strings: 1, Instructions: 2413COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 003C9911

Part of subcall function 003D14F7: _malloc.LIBCMT ref: 003D1511

_memmove.LIBCMT ref: 003C995C

Part of subcall function 003D14F7: std::exception::exception.LIBCMT ref: 003D1546
Part of subcall function 003D14F7: std::exception::exception.LIBCMT ref: 003D1560
Part of subcall function 003D14F7: __CxxThrowException@8.LIBCMT ref: 003D1571

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00000000), ref: 003C99A3
_memmove.LIBCMT ref: 003C9FE6
_memmove.LIBCMT ref: 003CA914
_memmove.LIBCMT ref: 003E9769

Strings

DZD, xrefs: 003E9DE5

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: _memmove$std::exception::exception$BuffCharException@8ThrowUpper_malloc_wcslen
String ID: DZD
API String ID: 2383988440-3107441753
Opcode ID: 65844ec18fa3cacaf63e44f71be87b463085998adb591de6ce50c3ae63d60a36
Instruction ID: a3b21da474cbc835e06d45225b75efa0bae724574ba422b757be7d99d2f44eca
Opcode Fuzzy Hash: 65844ec18fa3cacaf63e44f71be87b463085998adb591de6ce50c3ae63d60a36
Instruction Fuzzy Hash: 9A13AC74A086509FC726DF25C881F2AB7E5BF89304F25896EE486CB391D731EC45CB92

Function 00406219 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 234processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00406243
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00406294
CloseHandle.KERNEL32(?), ref: 004062A6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004062BE
GetProcessWindowStation.USER32 ref: 004062D7
SetProcessWindowStation.USER32(00000000), ref: 004062E1
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004062FD
_wcslen.LIBCMT ref: 0040639E

Part of subcall function 003D14F7: _malloc.LIBCMT ref: 003D1511

_wcsncpy.LIBCMT ref: 004063C6
LoadUserProfileW.USERENV(?,00000020), ref: 004063DF
CreateEnvironmentBlock.USERENV(?,?,00000000), ref: 004063F9
CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,000F01FF,00000400), ref: 00406428
UnloadUserProfile.USERENV(?,?), ref: 0040645B
CloseWindowStation.USER32(00000000), ref: 00406472
CloseDesktop.USER32(?), ref: 00406480
SetProcessWindowStation.USER32(?), ref: 0040648E
CloseHandle.KERNEL32(?), ref: 00406498
DestroyEnvironmentBlock.USERENV(?), ref: 004064AF

Strings

winsta0, xrefs: 004062B9
default, xrefs: 004062F8
, xrefs: 0040624E

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: StationWindow$CloseProcess$User$BlockCreateDesktopEnvironmentHandleOpenProfile$DestroyDuplicateLoadTokenUnload_malloc_memset_wcslen_wcsncpy
String ID: $default$winsta0
API String ID: 2173856841-1027155976
Opcode ID: cf07f6aa5b793ef1d7c83749bcea0b174ea47c88fc57e106fa89afdabe6315dd
Instruction ID: b9b6f3875f692a2d6a879dd75330e41743ab843aa7845e6f5ed881fb2cfe2354
Opcode Fuzzy Hash: cf07f6aa5b793ef1d7c83749bcea0b174ea47c88fc57e106fa89afdabe6315dd
Instruction Fuzzy Hash: A1818070A00209ABDB10DFA4DD4AFAF77B8AF44704F15812AFA15BB380D778D915CB69

Function 0040BCB3 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 178filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 003CF220: GetFullPathNameW.KERNEL32(00000000,00000104,00467F6C,003CF1F5,00467F6C,004690E8,00467F6C,?,003CF1F5,?,?,00000001), ref: 003CF23C

Part of subcall function 003F38ED: __wsplitpath.LIBCMT ref: 003F3913
Part of subcall function 003F38ED: __wsplitpath.LIBCMT ref: 003F3935
Part of subcall function 003F38ED: __wcsicoll.LIBCMT ref: 003F3959

Part of subcall function 003F397D: GetFileAttributesW.KERNEL32(?), ref: 003F3984

_wcscat.LIBCMT ref: 0040BD20
_wcscat.LIBCMT ref: 0040BD49
__wsplitpath.LIBCMT ref: 0040BD76
FindFirstFileW.KERNEL32(?,?), ref: 0040BD8E
_wcscpy.LIBCMT ref: 0040BDFD
_wcscat.LIBCMT ref: 0040BE0F
_wcscat.LIBCMT ref: 0040BE21
lstrcmpiW.KERNEL32(?,?), ref: 0040BE4D
DeleteFileW.KERNEL32(?), ref: 0040BE5F
MoveFileW.KERNEL32(?,?), ref: 0040BE7F
CopyFileW.KERNEL32(?,?,00000000), ref: 0040BE96
DeleteFileW.KERNEL32(?), ref: 0040BEA1
CopyFileW.KERNEL32(?,?,00000000), ref: 0040BEB8
FindClose.KERNEL32(00000000), ref: 0040BEBF
MoveFileW.KERNEL32(?,?), ref: 0040BEDB
FindNextFileW.KERNEL32(00000000,00000010), ref: 0040BEF0
FindClose.KERNEL32(00000000), ref: 0040BF08

Strings

\*.*, xrefs: 0040BD1A, 0040BD43

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: File$Find_wcscat$__wsplitpath$CloseCopyDeleteMove$AttributesFirstFullNameNextPath__wcsicoll_wcscpylstrcmpi
String ID: \*.*
API String ID: 2188072990-1173974218
Opcode ID: 5ed296d1485249596c11616d3f28c20346140e64362b68fd80e8ccce586d4c5e
Instruction ID: 8890383cd0bd3736dff9d7dbc66a9bfec8d86743b649ad3034a12816a695aa02
Opcode Fuzzy Hash: 5ed296d1485249596c11616d3f28c20346140e64362b68fd80e8ccce586d4c5e
Instruction Fuzzy Hash: AC5185B2004384AAD721DBA0DC45EEF73ECAF95310F444A2EF68996181EF75D648C7A6

Function 00438877 Relevance: 30.0, APIs: 13, Strings: 4, Instructions: 217timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?), ref: 0043889E
FindClose.KERNEL32(00000000), ref: 004388DE
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00438903
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0043891B
FileTimeToSystemTime.KERNEL32(?,?), ref: 00438943
__swprintf.LIBCMT ref: 0043898D
__swprintf.LIBCMT ref: 004389D7
__swprintf.LIBCMT ref: 00438A05
__swprintf.LIBCMT ref: 00438A33

Part of subcall function 003D31BB: __flsbuf.LIBCMT ref: 003D3234
Part of subcall function 003D31BB: __flsbuf.LIBCMT ref: 003D324C

__swprintf.LIBCMT ref: 00438A61
__swprintf.LIBCMT ref: 00438A8F
__swprintf.LIBCMT ref: 00438ABD

Strings

%02d, xrefs: 004389FD, 00438A2D, 00438A5B, 00438A87, 00438AB7
%4d%02d%02d%02d%02d%02d, xrefs: 00438987
%4d, xrefs: 004389D1
dND, xrefs: 00438ADC

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d$dND
API String ID: 999945258-1667752901
Opcode ID: 0b3a00c5528931ea5b068c0e54fae18fb3b36e37990a6d148dd53e2ca8428ce5
Instruction ID: 6ee83824ddc1ef79662cc6987dfedf10fd80c33ab0faefe8a0ff6c1001a6f2a6
Opcode Fuzzy Hash: 0b3a00c5528931ea5b068c0e54fae18fb3b36e37990a6d148dd53e2ca8428ce5
Instruction Fuzzy Hash: B671A872648300ABD315EBA4CC82F6FB7E8AFC8700F40491EF6959A291EBB4DD44C756

Function 00424AEB Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 193threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00403C1D: _wcslen.LIBCMT ref: 00403C38

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00424B67
GetLastError.KERNEL32 ref: 00424B7D
GetCurrentThread.KERNEL32 ref: 00424B91
OpenThreadToken.ADVAPI32(00000000), ref: 00424B98
GetCurrentProcess.KERNEL32(00000028,?), ref: 00424BA9
OpenProcessToken.ADVAPI32(00000000), ref: 00424BB0

Strings

SeDebugPrivilege, xrefs: 00424BDA

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: OpenProcess$CurrentThreadToken$ErrorLast_wcslen
String ID: SeDebugPrivilege
API String ID: 1312810259-2896544425
Opcode ID: 26072c4e76dbcd5726fe0912bd6aaa0efb19962529a53afac6b0c82e21350010
Instruction ID: 5f6a753664147d5b56f78ab6010e9f04e6f3962234ed666e9189de1bf59710c0
Opcode Fuzzy Hash: 26072c4e76dbcd5726fe0912bd6aaa0efb19962529a53afac6b0c82e21350010
Instruction Fuzzy Hash: 6D519F76304201ABE310DF68EC86F6BB7E8EF84704F54851AFA45DB281D7B5E844CBA5

Function 003C35F0 Relevance: 26.6, APIs: 11, Strings: 4, Instructions: 359COMMON

Download Yara Rule

APIs

Part of subcall function 003C1D10: _wcslen.LIBCMT ref: 003C1D11
Part of subcall function 003C1D10: _memmove.LIBCMT ref: 003C1D57

GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 003C3681
GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 003C3697
__wsplitpath.LIBCMT ref: 003C36C2

Part of subcall function 003D392E: __wsplitpath_helper.LIBCMT ref: 003D3970

_wcscpy.LIBCMT ref: 003C36D7
_wcscat.LIBCMT ref: 003C36EC
SetCurrentDirectoryW.KERNEL32(?), ref: 003C36FC

Part of subcall function 003D14F7: _malloc.LIBCMT ref: 003D1511

Part of subcall function 003D14F7: std::exception::exception.LIBCMT ref: 003D1546
Part of subcall function 003D14F7: std::exception::exception.LIBCMT ref: 003D1560
Part of subcall function 003D14F7: __CxxThrowException@8.LIBCMT ref: 003D1571

Part of subcall function 003C3D20: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,003C378C,?,?,?,00000010), ref: 003C3D38
Part of subcall function 003C3D20: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,00000010), ref: 003C3D71

_wcscpy.LIBCMT ref: 003C37D0
_wcslen.LIBCMT ref: 003C3853
_wcslen.LIBCMT ref: 003C38AD

Strings

#include depth exceeded. Make sure there are no recursive includes, xrefs: 003E817E
Error opening the file, xrefs: 003E81AF
_, xrefs: 003C394C
Unterminated string, xrefs: 003E82C6

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpystd::exception::exception$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_memmove_wcscat
String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
API String ID: 3393021363-188983378
Opcode ID: 0ec5b2951086a5c10781788dcf9910216ef7aa7aa9cafb11c158be3445302c0b
Instruction ID: e96f56aca085a94edc62fc65e6f65241812d661e3395cb60c48b13cccd9685f0
Opcode Fuzzy Hash: 0ec5b2951086a5c10781788dcf9910216ef7aa7aa9cafb11c158be3445302c0b
Instruction Fuzzy Hash: 6BD1C1B2508341AAD712EF64D841FEFB7E8AF85300F04892EF58597241DB75DA4987A3

Function 00432095 Relevance: 24.9, APIs: 13, Strings: 1, Instructions: 377timeCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004320BD
_memset.LIBCMT ref: 004320DB
GetLocalTime.KERNEL32(?), ref: 0043225C
__swprintf.LIBCMT ref: 00432273
SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,0044BF48), ref: 004324A6
SHGetFolderPathW.SHELL32(00000000,0000002B,00000000,00000000,0044BF48), ref: 004324C0
SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,0044BF48), ref: 004324DA
SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,0044BF48), ref: 004324F4
SHGetFolderPathW.SHELL32(00000000,00000019,00000000,00000000,0044BF48), ref: 0043250E
SHGetFolderPathW.SHELL32(00000000,0000002E,00000000,00000000,0044BF48), ref: 00432528
SHGetFolderPathW.SHELL32(00000000,0000001F,00000000,00000000,0044BF48), ref: 00432542
SHGetFolderPathW.SHELL32(00000000,00000017,00000000,00000000,0044BF48), ref: 0043255C
SHGetFolderPathW.SHELL32(00000000,00000016,00000000,00000000,0044BF48), ref: 00432576

Strings

%.3d, xrefs: 00432267

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: FolderPath$_memset$LocalTime__swprintf
String ID: %.3d
API String ID: 645292623-986655627
Opcode ID: 8aa9c44f31608443af5702dae01dc4763c7e9d2532278e014b70934fe5c7b343
Instruction ID: 90358d6aefab8e33940147c1a84ac937f34f21fca408b74567d78728c0930735
Opcode Fuzzy Hash: 8aa9c44f31608443af5702dae01dc4763c7e9d2532278e014b70934fe5c7b343
Instruction Fuzzy Hash: 13C1D9326602189BDB14EB64DC86FEE7378FF48701F4045AEFA09E7082DB759E058B64

Function 003F1BD5 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 116COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 003F1BF6
__swprintf.LIBCMT ref: 003F1C1B
_wcslen.LIBCMT ref: 003F1C27
CreateDirectoryW.KERNEL32(?,00000000), ref: 003F1C54

Strings

\, xrefs: 003F1C31
\??\%s, xrefs: 003F1C15
:, xrefs: 003F1C3C

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: CreateDirectoryFullNamePath__swprintf_wcslen
String ID: :$\$\??\%s
API String ID: 2192556992-3457252023
Opcode ID: f1e093ebb372028016856012f18982c2127ff31cd6d0546af53266134e663db2
Instruction ID: d3417d2e97f5c81908f81a44159442ccb4611b7efa6acc9ad50c755597b6388e
Opcode Fuzzy Hash: f1e093ebb372028016856012f18982c2127ff31cd6d0546af53266134e663db2
Instruction Fuzzy Hash: 7941197664031CA7D720DB64EC45FEB73BCFF58711F4081A6FA0896181EBB09A448BE5

Function 003F1A73 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 139fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 003F1A97
GetFileAttributesW.KERNEL32(?), ref: 003F1AD4
SetFileAttributesW.KERNEL32(?,?), ref: 003F1AEA
FindNextFileW.KERNEL32(00000000,?), ref: 003F1AFC
FindClose.KERNEL32(00000000), ref: 003F1B0D
FindClose.KERNEL32(00000000), ref: 003F1B21
FindFirstFileW.KERNEL32(*.*,?), ref: 003F1B3C
SetCurrentDirectoryW.KERNEL32(?), ref: 003F1B83
SetCurrentDirectoryW.KERNEL32(0044AB0C), ref: 003F1BA7
FindNextFileW.KERNEL32(00000000,00000010), ref: 003F1BAF
FindClose.KERNEL32(00000000), ref: 003F1BBA
FindClose.KERNEL32(00000000), ref: 003F1BC8

Strings

*.*, xrefs: 003F1B37

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 8265e5c53f940fe2a7831e9ff3f732ffdc3e15ccc401e2ad44082a22a317be11
Instruction ID: d3e3360a99dc033454928fd8a691124b42468e5e7cf5cdf9e3bf48edaf7dbfbe
Opcode Fuzzy Hash: 8265e5c53f940fe2a7831e9ff3f732ffdc3e15ccc401e2ad44082a22a317be11
Instruction Fuzzy Hash: E541E772604209EBD701EF64EC41EBBB3ACEE85311F454A2AFE54C3180E775E919C7A2

Function 0040280D Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 135fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0040282F
FindNextFileW.KERNEL32(00000000,?), ref: 00402892
FindClose.KERNEL32(00000000), ref: 004028A3
FindClose.KERNEL32(00000000), ref: 004028B7
FindFirstFileW.KERNEL32(*.*,?), ref: 004028D4
SetCurrentDirectoryW.KERNEL32(?), ref: 00402923
SetCurrentDirectoryW.KERNEL32(0044AB0C), ref: 00402946
FindNextFileW.KERNEL32(00000000,00000010), ref: 00402950
FindClose.KERNEL32(00000000), ref: 0040295B

Part of subcall function 003F3BED: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 003F3C0F

FindClose.KERNEL32(00000000), ref: 00402969

Strings

*.*, xrefs: 004028CF

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 70d5283e1780123b43974cc194452cb753fd82a7f578308df88a52a4d31a203e
Instruction ID: 2b94302c1cbe077bb0bce4d5eb3f1193ac7222351fce730e92b99f58c44fd5da
Opcode Fuzzy Hash: 70d5283e1780123b43974cc194452cb753fd82a7f578308df88a52a4d31a203e
Instruction Fuzzy Hash: 5141D877A001186BDB10EBA4ED49EEB73689F49311F1042A7FD04A32C0E7B59E55CAA5

Function 0040602A Relevance: 18.2, APIs: 12, Instructions: 182COMMON

Download Yara Rule

APIs

Part of subcall function 003F6DB5: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 003F6DCF
Part of subcall function 003F6DB5: GetLastError.KERNEL32(?,00000000,?), ref: 003F6DD9
Part of subcall function 003F6DB5: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 003F6DFF

Part of subcall function 003F6D81: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 003F6D9C

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00406090
_memset.LIBCMT ref: 004060A5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004060C4
GetLengthSid.ADVAPI32(?), ref: 004060D6
GetAce.ADVAPI32(?,00000000,?), ref: 00406113
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0040612F
GetLengthSid.ADVAPI32(?), ref: 00406147
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00406170
CopySid.ADVAPI32(00000000), ref: 00406177
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004061A9
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004061CB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 004061DE

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3490752873-0
Opcode ID: c069f58893444b9457c1f18d659d09d48c55d7f63d36e69ce4c630d672fdb4ff
Instruction ID: cdb03f1fad99a661913d1ca11fd0d49a44a2c78edd71e408e4677eba01d22026
Opcode Fuzzy Hash: c069f58893444b9457c1f18d659d09d48c55d7f63d36e69ce4c630d672fdb4ff
Instruction Fuzzy Hash: CA517075900219ABDB10DFA5CC85EEFB7BCAF45700F048529F616BB282DA74DA05CBA4

Function 003F33A3 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 86shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 003F33B3
OpenProcessToken.ADVAPI32(00000000), ref: 003F33BA
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 003F33CF
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 003F33F3
GetLastError.KERNEL32 ref: 003F33F9
ExitWindowsEx.USER32(?,00000000), ref: 003F341C
InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 003F344B
SetSystemPowerState.KERNEL32(00000001,00000000), ref: 003F345E

Strings

SeShutdownPrivilege, xrefs: 003F33C8

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
String ID: SeShutdownPrivilege
API String ID: 2938487562-3733053543
Opcode ID: c98391b21f34bfd0f017332897316c94834c49502c9d2d5a9036712c0f5d4096
Instruction ID: aad42a0bc5b4a164fed1fa8e23ae7b3e26cc1f81ff61c86b1db2aa257ee58215
Opcode Fuzzy Hash: c98391b21f34bfd0f017332897316c94834c49502c9d2d5a9036712c0f5d4096
Instruction Fuzzy Hash: 52210575740208ABFB218FA5EC4EFBAB7ACEB09701F900064FE09D60D1DAB69D008665

Function 003F3044 Relevance: 16.6, APIs: 11, Instructions: 122COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 003F3058
__swprintf.LIBCMT ref: 003F306A
__wcsicoll.LIBCMT ref: 003F3077
FindResourceW.KERNEL32(?,?,0000000E), ref: 003F308A
LoadResource.KERNEL32(?,00000000), ref: 003F30A2
LockResource.KERNEL32(00000000), ref: 003F30AF
FindResourceW.KERNEL32(?,?,00000003), ref: 003F30DC
LoadResource.KERNEL32(?,00000000), ref: 003F30EA
SizeofResource.KERNEL32(?,00000000), ref: 003F30F9
LockResource.KERNEL32(?), ref: 003F3105

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll
String ID:
API String ID: 1158019794-0
Opcode ID: bb26e555ef320192410a612656a6c1609f918a26ba4fbb5d3b3a7273f03c36c8
Instruction ID: 2af57cf0ed6d6c8845304ade33608e2886e10789e9ae94fabf3fce98ecd27483
Opcode Fuzzy Hash: bb26e555ef320192410a612656a6c1609f918a26ba4fbb5d3b3a7273f03c36c8
Instruction Fuzzy Hash: E341E2726042196BDB21DF64EC84FBB77ADEB89311F008066FA05DB241EBB1DA51C7A4

Function 0041A0FC Relevance: 16.6, APIs: 11, Instructions: 120clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(?), ref: 0041A137
EmptyClipboard.USER32 ref: 0041A13D
CloseClipboard.USER32 ref: 0041A143
GlobalAlloc.KERNEL32(00000002,?,?,?), ref: 0041A163

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: fb27d6c7cde8667623f4f663390a747df9251f8c7af290651cca8b1e53a1039d
Instruction ID: 3552d84ea91b37e517aac3980442f7e69f5675145b0c8a76c235d21c5e721a4e
Opcode Fuzzy Hash: fb27d6c7cde8667623f4f663390a747df9251f8c7af290651cca8b1e53a1039d
Instruction Fuzzy Hash: 4041BD76600205AFD310EFA4EC89FAAB7A4FF15312F118169F909CB261DBB1AD40CB84

Function 0041D606 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 107COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0041D614
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,?), ref: 0041D6A2
GetLastError.KERNEL32 ref: 0041D6AC
SetErrorMode.KERNEL32(00000000,?), ref: 0041D73E

Strings

NOTREADY, xrefs: 0041D6F1
READONLY, xrefs: 0041D700
UNKNOWN, xrefs: 0041D70F
READY, xrefs: 0041D6D3
INVALID, xrefs: 0041D6E2

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 33e815829086d4f16ad1ae13675487765167cbc424b5c6f0c17b0e306ed06dbc
Instruction ID: 110d5a8e4e6ec4a932ad458a2c3e6ac141be2a8861065f7ce7b96484f79a6e08
Opcode Fuzzy Hash: 33e815829086d4f16ad1ae13675487765167cbc424b5c6f0c17b0e306ed06dbc
Instruction Fuzzy Hash: 8D415E75A00209DFCB01EFA4C984ADEB7B4FF49310F10816AF905AB351D7789E85CBA9

Function 0040EACF Relevance: 14.6, APIs: 3, Strings: 5, Instructions: 645COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0040CF87
_strncmp.LIBCMT ref: 0040EB94
_memmove.LIBCMT ref: 0040EC7E

Strings

h, xrefs: 0040F704
^, xrefs: 0040F394
oD, xrefs: 0040EB7F
tbD, xrefs: 0040EB8B, 0040EB92
\, xrefs: 0040CFD7

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: _memmove$_strncmp
String ID: oD$\$^$h$tbD
API String ID: 2175499884-871789576
Opcode ID: 0e305ea3fd6115f2f556933ae85f4ccdf7f7c1c08eae8a0cad688f6ff4b02213
Instruction ID: cdbc74091d1413d5d32775ca0e82181a05f64711d6cf7adc8607571d42a35274
Opcode Fuzzy Hash: 0e305ea3fd6115f2f556933ae85f4ccdf7f7c1c08eae8a0cad688f6ff4b02213
Instruction Fuzzy Hash: 0E42C270E04249CFDB14CF69C8806AEBBF2FF85304F2481BAD856AB391D3799946CB55

Function 0042C06C Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 231comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0042C0DC
_wcslen.LIBCMT ref: 0042C0EE
CreateBindCtx.OLE32(00000000,?), ref: 0042C198
MkParseDisplayName.OLE32(?,?,?,?), ref: 0042C1DE

Part of subcall function 00411AB8: GetLastError.KERNEL32(?,?,00000000), ref: 00411B16
Part of subcall function 00411AB8: VariantCopy.OLEAUT32(?,?), ref: 00411B6E
Part of subcall function 00411AB8: VariantCopy.OLEAUT32(?,?), ref: 00411B84
Part of subcall function 00411AB8: VariantCopy.OLEAUT32(?,?), ref: 00411B9D
Part of subcall function 00411AB8: VariantClear.OLEAUT32(?), ref: 00411C17

CLSIDFromProgID.OLE32(00000000,?,?), ref: 0042C284
GetActiveObject.OLEAUT32(?,00000000,?), ref: 0042C29E

Strings

dND, xrefs: 0042C0C7

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Variant$Copy$ActiveBindClearCreateDisplayErrorFromInitializeLastNameObjectParseProg_wcslen
String ID: dND
API String ID: 2728119192-2949930476
Opcode ID: 24350d91820cc478236354c08b2a718357d43e38e919234566e83919c4882191
Instruction ID: ab1035815a80a7ca023f7ad5b246bb3db93d8c0f80e5c04da7f14d5b64cbb678
Opcode Fuzzy Hash: 24350d91820cc478236354c08b2a718357d43e38e919234566e83919c4882191
Instruction Fuzzy Hash: 0D817F71604305AFD704EBA4DC81FABB3A8BF88704F50491DF645DB291EB74E905CBAA

Function 00424EFB Relevance: 12.1, APIs: 8, Instructions: 97networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 00424F4A
WSAGetLastError.WSOCK32(00000000), ref: 00424F59
bind.WSOCK32(00000000,?,00000010), ref: 00424F93
WSAGetLastError.WSOCK32(00000000), ref: 00424FA0
closesocket.WSOCK32(00000000,00000000), ref: 00424FB4
listen.WSOCK32(00000000,00000005), ref: 00424FBE
WSAGetLastError.WSOCK32(00000000), ref: 00424FE6
closesocket.WSOCK32(00000000,00000000), ref: 00424FFA

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: dbed1c474ade2fbd6ca243684e1cc2d38ac792c9c83f60ea299aa550ef0b3785
Instruction ID: 1dc372d6a447730e41154293934be246d1143622a5c6ffbf5fcba0fd71089c89
Opcode Fuzzy Hash: dbed1c474ade2fbd6ca243684e1cc2d38ac792c9c83f60ea299aa550ef0b3785
Instruction Fuzzy Hash: 71318135200110AFD310EF64ED85F6BB7A8EF85321F55821EF855DB291C774AC82CB99

Function 0040655F Relevance: 11.4, APIs: 1, Strings: 5, Instructions: 895COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00406910
VUUU, xrefs: 00406962
VUUU, xrefs: 004068F3
ERCP, xrefs: 00406646
8jD, xrefs: 0040663F

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID:
String ID: 8jD$ERCP$VUUU$VUUU$VUUU
API String ID: 0-1297584818
Opcode ID: 91f03501251560dc2aecf80c6458ae1b77f22872e626ee85f60e1bb46ed8614a
Instruction ID: c14333601eb5dbcf7e1d7294825c18fb14371f7dd09e20755ce69285ec777555
Opcode Fuzzy Hash: 91f03501251560dc2aecf80c6458ae1b77f22872e626ee85f60e1bb46ed8614a
Instruction Fuzzy Hash: 8C729071A002198BDF24CF58C8907AEB7B2AF41314F1582BBD85AB73C1D738A9A5CF55

Function 004042E1 Relevance: 10.7, APIs: 7, Instructions: 170windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00404320
GetKeyboardState.USER32(?), ref: 00404335
SetKeyboardState.USER32(?), ref: 00404389
PostMessageW.USER32(?,00000101,00000010,?), ref: 004043B9
PostMessageW.USER32(?,00000101,00000011,?), ref: 004043DA
PostMessageW.USER32(?,00000101,00000012,?), ref: 00404426
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0040444B

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 45ca70caddb3b1aaa8c0cf75b4e54ec1b55c79e6acee878eeaaf6342ef7929e7
Instruction ID: bae7db2d47e0cf64a1f0dc96225d6804215385ac0c98fc2023534f9014ad5935
Opcode Fuzzy Hash: 45ca70caddb3b1aaa8c0cf75b4e54ec1b55c79e6acee878eeaaf6342ef7929e7
Instruction Fuzzy Hash: 1B51E4E060479539F73692788846BB7BFA85F86300F08869AF6D5255C3C3BCE994C768

Function 0043557E Relevance: 10.6, APIs: 7, Instructions: 148processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 004355C2
Process32FirstW.KERNEL32(00000000,0000022C), ref: 004355D2
__wsplitpath.LIBCMT ref: 004355FE

Part of subcall function 003D392E: __wsplitpath_helper.LIBCMT ref: 003D3970

_wcscat.LIBCMT ref: 00435611
__wcsicoll.LIBCMT ref: 00435635
Process32NextW.KERNEL32(00000000,?), ref: 00435665
CloseHandle.KERNEL32(00000000), ref: 00435674

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
String ID:
API String ID: 2547909840-0
Opcode ID: 5f28820aac95192838ca42d7414318dd8cb3e11cbf41bcb863d8b396c9177400
Instruction ID: 74c1ee13a6caf142360cc45790fe4784d472f894b45350cf7d782316f940f49d
Opcode Fuzzy Hash: 5f28820aac95192838ca42d7414318dd8cb3e11cbf41bcb863d8b396c9177400
Instruction Fuzzy Hash: E1517475900618ABDB11DFA4CC86FDE73B8AF04704F108099F909AF282DB74AF44CB64

Function 003DA128 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 003E1EE1
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 003E1EF6
UnhandledExceptionFilter.KERNEL32(pqE), ref: 003E1F01
GetCurrentProcess.KERNEL32(C0000409), ref: 003E1F1D
TerminateProcess.KERNEL32(00000000), ref: 003E1F24

Strings

pqE, xrefs: 003E1EFC

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID: pqE
API String ID: 2579439406-2602716394
Opcode ID: 996e76038542dc25d0a0eb52f7c8c3a2c12d19de644dce1ea3aa54bd74916dba
Instruction ID: 8d838bb83a2f5b407fc51d7c93b9b78b7a88f150a5cf00fa60bb53159a9c1d45
Opcode Fuzzy Hash: 996e76038542dc25d0a0eb52f7c8c3a2c12d19de644dce1ea3aa54bd74916dba
Instruction Fuzzy Hash: 0B21DDB8809304DFDB51DF65FE846043BB4BB08302F4001BAF9098B762EBB59981CF0A

Function 00412408 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 003C1D10: _wcslen.LIBCMT ref: 003C1D11
Part of subcall function 003C1D10: _memmove.LIBCMT ref: 003C1D57

FindFirstFileW.KERNEL32(?,?), ref: 00412455
Sleep.KERNEL32(0000000A), ref: 00412481
FindNextFileW.KERNEL32(?,?), ref: 0041255F
FindClose.KERNEL32(?), ref: 00412575

Strings

*.*, xrefs: 00412436

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNextSleep_memmove_wcslen
String ID: *.*
API String ID: 2786137511-438819550
Opcode ID: b5ff3f68f98d09aa652bcc3f03bd2a580b81e67d0ea91cac8516f748993e9c95
Instruction ID: dbda1f3190e201b206b9d432286ba125aaaced069a5fb2c1627f07e485e4e0e5
Opcode Fuzzy Hash: b5ff3f68f98d09aa652bcc3f03bd2a580b81e67d0ea91cac8516f748993e9c95
Instruction Fuzzy Hash: A0419BB1A00219ABDB14DF68CD88AEF7BB5AF45300F14815AE809A7241D674AE95CBA4

Function 0042D8E9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(?), ref: 0042D950
IsClipboardFormatAvailable.USER32(0000000D), ref: 0042D95E
GetClipboardData.USER32(0000000D), ref: 0042D96A
CloseClipboard.USER32 ref: 0042D976
GlobalLock.KERNEL32(00000000), ref: 0042D9A0
CloseClipboard.USER32 ref: 0042D9AA
IsClipboardFormatAvailable.USER32(00000001), ref: 0042D9EA
GetClipboardData.USER32(00000001), ref: 0042D9F6
CloseClipboard.USER32 ref: 0042DA02

Strings

dND, xrefs: 0042D93E

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
String ID: dND
API String ID: 15083398-2949930476
Opcode ID: 66399488391600496e669a59c8fe5fece3478ae3d7ab4c98ad029d71179fbd30
Instruction ID: 35650fa4be32707e3968bd5d42c17e75e6042a1a4da2dc04f9de41782e56a108
Opcode Fuzzy Hash: 66399488391600496e669a59c8fe5fece3478ae3d7ab4c98ad029d71179fbd30
Instruction Fuzzy Hash: B3014C366003406BC311EBB89C85BABBB64EF4B310F04056AFD90CB381DB20DD15C3A5

Function 003F3321 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 003F332E
mouse_event.USER32(00000800,00000000,00000000,00000078,00000000), ref: 003F3344
__wcsicoll.LIBCMT ref: 003F335A
mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 003F3370

Strings

DOWN, xrefs: 003F3354

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: __wcsicollmouse_event
String ID: DOWN
API String ID: 1033544147-711622031
Opcode ID: 2b462ab7daae06c6e1e62ba4b892024e69841ffa9095f4c509164e47f35e9c85
Instruction ID: 8ef3efe555be3eaf5703b8913c15a7c88e88e83db0bdeed0ffddb1803bc4cc08
Opcode Fuzzy Hash: 2b462ab7daae06c6e1e62ba4b892024e69841ffa9095f4c509164e47f35e9c85
Instruction Fuzzy Hash: CEF0E57A6887143AFD0166943C02EF7334C8B126A7F000022FE0CD5280D9516D1546F9

Function 004365D3 Relevance: 7.6, APIs: 5, Instructions: 140networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00424E62: inet_addr.WSOCK32(?), ref: 00424E86

socket.WSOCK32(00000002,00000002,00000011,?,00000000), ref: 00436629
WSAGetLastError.WSOCK32(00000000), ref: 0043664C

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: ErrorLastinet_addrsocket
String ID:
API String ID: 4170576061-0
Opcode ID: f14eb8c52cf856b1ee46ac69ac83f60328c0dc1fa9352951f1f30289da83974d
Instruction ID: 947be785870bbfe9f14b7c5c38cccdbaa135f7fad5cb9cb04d59811bcab95b2d
Opcode Fuzzy Hash: f14eb8c52cf856b1ee46ac69ac83f60328c0dc1fa9352951f1f30289da83974d
Instruction Fuzzy Hash: 8341C2326002046FD710AF68DC87F5AB7E8AF44724F15862AF905DF3C2DAB6AD418799

Function 0043A2EA Relevance: 7.6, APIs: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042F356: IsWindow.USER32(00000000), ref: 0042F386

IsWindowVisible.USER32 ref: 0043A322
IsWindowEnabled.USER32 ref: 0043A332
GetForegroundWindow.USER32(?,?,?,00000001), ref: 0043A33F
IsIconic.USER32 ref: 0043A34D
IsZoomed.USER32 ref: 0043A35B

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: a08504f131f97bdb90cd1ca02f147625af889defa140f90abbd4aaabcf171a9c
Instruction ID: 24189b11dc4c3fec8f96a494bff4914822ed6caec0f797d1a5740f1618327668
Opcode Fuzzy Hash: a08504f131f97bdb90cd1ca02f147625af889defa140f90abbd4aaabcf171a9c
Instruction Fuzzy Hash: 0711E1327401119FE310AF26DC09B5FB7A8EF45311F1A802AF884D7240C7B8EC0187A9

Function 0042E0F6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 263comCOMMON

Download Yara Rule

APIs

Part of subcall function 00402654: _wcslen.LIBCMT ref: 00402680

CoInitialize.OLE32(00000000), ref: 0042E16E
CoCreateInstance.OLE32(00442A08,00000000,00000001,004428A8,?), ref: 0042E187
CoUninitialize.OLE32 ref: 0042E1A6

Strings

.lnk, xrefs: 0042E141, 0042E15E

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: f9c35da9a04e5d1bbda24f259f69431f78db2a88aed40ccfd30e8028294b89e6
Instruction ID: 0f54a998aa77f2cb376357f039841236354cbbe4d1a46907d46307022816ca0f
Opcode Fuzzy Hash: f9c35da9a04e5d1bbda24f259f69431f78db2a88aed40ccfd30e8028294b89e6
Instruction Fuzzy Hash: B0A1BAB6A042119FC704EF65D880E5BB7E9BF88300F148A4DF8959B391CB35EC45CBA6

Function 0040F3A6 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 458COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0040CF87

Strings

U, xrefs: 0040FAFE
\, xrefs: 0040CFD7

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: _memmove
String ID: U$\
API String ID: 4104443479-100911408
Opcode ID: 748b056de9c438353bd8501ea4b8663cb0ab8bc0935641ff540e53e654609c9f
Instruction ID: 38f3c749abc5a33a33cad0dc71a53c27099378203fb6eeb8fb79978a16ce7796
Opcode Fuzzy Hash: 748b056de9c438353bd8501ea4b8663cb0ab8bc0935641ff540e53e654609c9f
Instruction Fuzzy Hash: 0002C070E042498FDB24CF69C8907BEBBF2AF85304F24817ED852A7781D3386986CB55

Function 0040CE8D Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 409COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0040CF87
_memmove.LIBCMT ref: 0040D0BA

Strings

\, xrefs: 0040CFD7

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: _memmove
String ID: \
API String ID: 4104443479-2967466578
Opcode ID: c995de8476453ea48030eeee8fa889edb71141f8deb599ddbd04406fc1b84411
Instruction ID: d806cb6640a1835ac4ccbbff3ea8a1a263402f4ed5f48d0be8c0bce6c04d730a
Opcode Fuzzy Hash: c995de8476453ea48030eeee8fa889edb71141f8deb599ddbd04406fc1b84411
Instruction Fuzzy Hash: 8FF1A270D042498FCF24CFA9C4806AEFBF2FF89310F2882AAD455AB385D3359946CB55

Function 00404EB7 Relevance: 5.0, APIs: 1, Strings: 2, Instructions: 481stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 00404EC7

Part of subcall function 003D14F7: _malloc.LIBCMT ref: 003D1511

Strings

xUD, xrefs: 004051B3
XUD, xrefs: 0040511E

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: _malloclstrlen
String ID: XUD$xUD
API String ID: 3912106968-3215536762
Opcode ID: 6331671fab3787a58c4f94009ab9831a8fcbc13d02dce0bf24e403ef7c7fe0f4
Instruction ID: 853c88882363fa45a21899946f652c848c4b1e544293261ce38645fc5f4b9edb
Opcode Fuzzy Hash: 6331671fab3787a58c4f94009ab9831a8fcbc13d02dce0bf24e403ef7c7fe0f4
Instruction Fuzzy Hash: 7D2227B4A006019FC728CF19C090A6AB7F1FF98314F20C56ED85A9B7A5D775E992CF84

Function 0041CAE7 Relevance: 4.6, APIs: 3, Instructions: 130fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?), ref: 0041CB0C
FindNextFileW.KERNEL32(00000000,?), ref: 0041CB69
FindClose.KERNEL32(00000000,00000001,00000000), ref: 0041CB98

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 9f731cd2febaeb6b9eea6f2e3cca31139db6c20c4ffc48ac2b8f9ee02d6fea81
Instruction ID: baaec3e8edb712f09edc928e54d5725dbe24a30ff086ab4d4ae13cdd936a4da3
Opcode Fuzzy Hash: 9f731cd2febaeb6b9eea6f2e3cca31139db6c20c4ffc48ac2b8f9ee02d6fea81
Instruction Fuzzy Hash: 2541BF766042009FC710DF68E881A96B3F4FF8A310F548A6EE96ACB350D775F945CB91

Function 003F399B Relevance: 4.5, APIs: 3, Instructions: 28fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00000000), ref: 003F39AC
FindFirstFileW.KERNEL32(?,?), ref: 003F39BD
FindClose.KERNEL32(00000000), ref: 003F39D0

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 1991857a59f4a477da5de043e8d4b1915e2c59d143440f5d9c56ae6717c074c5
Instruction ID: 99338f6ce42130dcb56e335f77307d01230778859fe08f2974c1a50388768822
Opcode Fuzzy Hash: 1991857a59f4a477da5de043e8d4b1915e2c59d143440f5d9c56ae6717c074c5
Instruction Fuzzy Hash: 24E092368245189B8610AB78AC094EA779CDF07335F400752FE38C21D0D7B0AA9047DA

Function 00402D2D Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00402D3F

Part of subcall function 003D47D3: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,003F0DB1,00000000,?,?,00401DDE,?,00000001), ref: 003D47DE
Part of subcall function 003D47D3: __aulldiv.LIBCMT ref: 003D47FE

Strings

@uF, xrefs: 00402D36

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: @uF
API String ID: 2893107130-1110195652
Opcode ID: c9d7d37fd8000302d96b19b58d97ddef490b06d02edf537805d13d024d1ffe95
Instruction ID: 0f2a082bbeef4ffb88bf51bdf62e25bd2b551bd98c175b634250a38d2d34613b
Opcode Fuzzy Hash: c9d7d37fd8000302d96b19b58d97ddef490b06d02edf537805d13d024d1ffe95
Instruction Fuzzy Hash: A821D2335306108BF320CF36CC05652B3E3EBE0310F25CA6AD4A5973D1DAB96906CB88

Function 00402285 Relevance: 3.1, APIs: 2, Instructions: 89networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 004022A5
InternetReadFile.WININET(?,00000000,?,?), ref: 004022DD

Part of subcall function 00402252: GetLastError.KERNEL32 ref: 00402268

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Internet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 901099227-0
Opcode ID: e89e8bf59bac2e8735fdbd9db96d4432093e89b8e971e4fdacc5b8628ad471d5
Instruction ID: c9d78ef3f5df0da4c24cab48b4e186fc7434a8879024968ec5aa07d34c02a564
Opcode Fuzzy Hash: e89e8bf59bac2e8735fdbd9db96d4432093e89b8e971e4fdacc5b8628ad471d5
Instruction Fuzzy Hash: 27218875500204BBE710EF55DD45FAB73ACEF94724F00C03AFE09AA2C0D6B8E54587A5

Function 0041DE7C Relevance: 3.1, APIs: 2, Instructions: 55fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?), ref: 0041DEA1
FindClose.KERNEL32(00000000), ref: 0041DEDD

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 4efb9997ca352bbb7e089929926fb9d5ea18f2da1400adc0fb3d9983d3bc06dc
Instruction ID: cb57a9022d91984d7e543171d53d46bfa30bb2d4fe2742aa9da9e57a86bee4af
Opcode Fuzzy Hash: 4efb9997ca352bbb7e089929926fb9d5ea18f2da1400adc0fb3d9983d3bc06dc
Instruction Fuzzy Hash: B31182726002049FD710DF69DC89B5AF7E9EF84321F158A1EF968DB290DB71E8408B94

Function 0040AEE3 Relevance: 3.0, APIs: 2, Instructions: 34windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,00000001,?,00411BF7,?,00000001,?), ref: 0040AF14
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,00000001,?,00411BF7,?,00000001,?), ref: 0040AF2D

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 433974212a52e47e206ba25db44d79438c2ec45b0f25f31c6ea4c6812d7c56ab
Instruction ID: 08708ce578ba39579ed4b874b1f9cde28d4a2babbcc4bbd420aa74c4444a3fa7
Opcode Fuzzy Hash: 433974212a52e47e206ba25db44d79438c2ec45b0f25f31c6ea4c6812d7c56ab
Instruction Fuzzy Hash: 11F0E9712103186AE7209B58DC4AFBAB37CEF44721F0042A9F504AB1C1D7F07D40C7A5

Function 003CF730 Relevance: 2.1, APIs: 1, Instructions: 607COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003CFDCD

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: c2e55c5bb64f2d5dde6378c38f4af22e06b8661eee2a8aad13836ba5779c6b86
Instruction ID: e6ff771a4c89e78806d6fcead9d0595025b536c4d0c31ec69a6f411a5c2e32a4
Opcode Fuzzy Hash: c2e55c5bb64f2d5dde6378c38f4af22e06b8661eee2a8aad13836ba5779c6b86
Instruction Fuzzy Hash: E92270B7E5151A9BDB08CE95CC415D9B3A3BBC832471F9129D819E7305EE78BA078BC0

Function 0043EA2B Relevance: 2.0, APIs: 1, Instructions: 502COMMON

Download Yara Rule

APIs

DefDlgProcW.USER32(?,?,?,?), ref: 0043EA5A

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Proc
String ID:
API String ID: 2346855178-0
Opcode ID: e14573d4f55668faa254d141827fa555e664bd2dc82405ff121dcdd29bf5e828
Instruction ID: fc5389cd7a77837da2840b890a22eb0f70731d111051c3920a43eb4e2b00b36f
Opcode Fuzzy Hash: e14573d4f55668faa254d141827fa555e664bd2dc82405ff121dcdd29bf5e828
Instruction Fuzzy Hash: 4EB1027330D1282DF218A6AABC85EBF679CD7C5376F10463FF144C51C2D66B6821A2B9

Function 0041A35D Relevance: 1.5, APIs: 1, Instructions: 24keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0041A378

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: b2955cbfa7222ddb86a647b5d61e843fa5c691177cb206f58925ce1dabf092e2
Instruction ID: 05ef767b50f7fd68298278c05e05592d6d5281a4562ab947df8ee0caba857318
Opcode Fuzzy Hash: b2955cbfa7222ddb86a647b5d61e843fa5c691177cb206f58925ce1dabf092e2
Instruction Fuzzy Hash: 94E09A352003049BC300AFA5C808EA6BBE8AB94360B01842AED4ACB300DB70A88087A1

Function 003F6C61 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,?,?,?,00000000,?), ref: 003F6C83

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 6de1bc2e34a9878c7d2586b6b7fc277f8c3ed06e6367e01e8496fa52e8dd56e0
Instruction ID: d86ea42516be7a8b4719e690e45c18f07a81dd5ad317f7dabcabe2a06debf048
Opcode Fuzzy Hash: 6de1bc2e34a9878c7d2586b6b7fc277f8c3ed06e6367e01e8496fa52e8dd56e0
Instruction Fuzzy Hash: 86E0ECB626460EAFDB04CF68DC42EBB37ADA749710F004614BA16C7280C670E911CA74

Function 00432BF9 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00432C0B

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 90fd325505dea23ec2b30df891dd4aa5493fc8aca3964582250eee5d70c7b726
Instruction ID: b5cc85939f420638dc36bdab0c84ba9ed0edcb3f95043d0b614d6ac73880068b
Opcode Fuzzy Hash: 90fd325505dea23ec2b30df891dd4aa5493fc8aca3964582250eee5d70c7b726
Instruction Fuzzy Hash: 51C04CB5008008EBDB148F54D9889EA3BB8BB08341F104199B60E95040D7B55689DB95

Function 003DF170 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001F12E), ref: 003DF175

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: a6462e118c7864655b5b2e10f9b803b62dfe451d2feb7980395891541423998e
Instruction ID: e5f9eede6d5c69cab839a18249d802030b3c0be39c241c545cb6f6b4e94c6251
Opcode Fuzzy Hash: a6462e118c7864655b5b2e10f9b803b62dfe451d2feb7980395891541423998e
Instruction Fuzzy Hash: 629002696515019B47051BB0AE4A54525E06A596027810475B502C8554DA9481049615

Function 003E1F2C Relevance: 1.4, Strings: 1, Instructions: 180COMMONLIBRARYCODE

Download Yara Rule

Strings

N@, xrefs: 003E1F3C

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID:
String ID: N@
API String ID: 0-1509896676
Opcode ID: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
Instruction ID: 6d3f0be0f91892fff6d4dbabfce5a579622fd59c5634061c3571db9a001f0d74
Opcode Fuzzy Hash: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
Instruction Fuzzy Hash: 4C613A719003658FCB19CF4AC48469ABBF6BF84310F1AC6AED9096B3A1C7B19955CBC4

Function 003D28F0 Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
Instruction ID: 589e47ee80de01d8002e99d88080610d416119e64ebaa1e7f2967bac324fa7e7
Opcode Fuzzy Hash: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
Instruction Fuzzy Hash: 54C160B3D1A5B20ACB77452E245823FEFA26EA1B5131FC396DCD03F389C6226D1596D0

Function 003D2508 Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
Instruction ID: 443dbc71e1fd42677c42dec11642f18ca1130378452e2daf1b1023301bc29d5d
Opcode Fuzzy Hash: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
Instruction Fuzzy Hash: 8DC171B3D1A5B24ACB37452D641823FEFA26EA1B5131FC396DCD03F389C622AD1596D0

Function 003D2136 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
Instruction ID: 7e34cd6d217aae01390782907cc5e656a77e15f45ff2e88251a5e8872b4088e1
Opcode Fuzzy Hash: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
Instruction Fuzzy Hash: 58C161B3D0A5B21ACB77462E641823FEF626EA1B5131FC796DCD03F389C2266D0596D0

Function 003D1D98 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
Instruction ID: 8d46e5ce9737119fe1cadfafd38f74151ad2e48ade5787ec2eda4ca9224cfe68
Opcode Fuzzy Hash: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
Instruction Fuzzy Hash: 20B161B3D0E5B21AC737462E245823BEFA26E91B5131FC396DCD03F389C626AD1595D0

Function 004194D6 Relevance: 79.2, APIs: 41, Strings: 4, Instructions: 490filewindowcomCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 00419528
DeleteObject.GDI32(?), ref: 0041953E
DestroyWindow.USER32(?), ref: 00419550
GetDesktopWindow.USER32 ref: 0041956E
GetWindowRect.USER32(00000000), ref: 00419575
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0041968B
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00419699
CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,00000002,00000007,?,?,?,00000000,00000000), ref: 004196D5
GetClientRect.USER32(00000000,?), ref: 004196E5
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 00419728
CreateFileW.KERNEL32(00000000,000001F4,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0041974D
GetFileSize.KERNEL32(00000000,00000000), ref: 00419768
GlobalAlloc.KERNEL32(00000002,00000000), ref: 00419773
GlobalLock.KERNEL32(00000000), ref: 0041977C
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0041978B
GlobalUnlock.KERNEL32(00000000), ref: 00419792
CloseHandle.KERNEL32(00000000), ref: 00419799
CreateStreamOnHGlobal.OLE32(00000000,00000001,000001F4), ref: 004197A6
OleLoadPicture.OLEAUT32(000001F4,00000000,00000000,004429F8,00000000), ref: 004197BD
GlobalFree.KERNEL32(00000000), ref: 004197CF
CopyImage.USER32(50000001,00000000,00000000,00000000,00002000), ref: 004197FB
SendMessageW.USER32(00000000,00000172,00000000,50000001), ref: 0041981E
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020), ref: 00419844
ShowWindow.USER32(?,00000004), ref: 00419852
CreateWindowExW.USER32(00000000,static,00000000,000001F4,50000001,0000000B,0000000B,?,?,?,00000000,00000000), ref: 0041989C
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004198B0
GetStockObject.GDI32(00000011), ref: 004198BA
SelectObject.GDI32(00000000,00000000), ref: 004198C2
GetTextFaceW.GDI32(00000000,00000040,?), ref: 004198D2
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004198DB
DeleteDC.GDI32(00000000), ref: 004198E5
_wcslen.LIBCMT ref: 00419903
_wcscpy.LIBCMT ref: 00419927
CreateFontW.GDI32(?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004199C8
SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 004199DC
GetDC.USER32(00000000), ref: 004199E9
SelectObject.GDI32(00000000,?), ref: 004199F9
SelectObject.GDI32(00000000,00000007), ref: 00419A24
ReleaseDC.USER32(00000000,00000000), ref: 00419A2F
MoveWindow.USER32(00000000,0000000B,?,?,00000190,00000001), ref: 00419A4C
ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00419A5A

Strings

, xrefs: 004199E2
static, xrefs: 0041971A, 00419895
AutoIt v3, xrefs: 004196CF
DISPLAY, xrefs: 004198A8

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Window$Create$Object$Global$Rect$DeleteFileSelect$MessageSendShow$AdjustAllocCapsClientCloseCopyDesktopDestroyDeviceFaceFontFreeHandleImageLoadLockMovePictureReadReleaseSizeStockStreamTextUnlock_wcscpy_wcslen
String ID: $AutoIt v3$DISPLAY$static
API String ID: 4040870279-2373415609
Opcode ID: 3a50c9df4c65eef02d213e9d987f3f941e3bf19b9f44c035be8e4b1dd3a42157
Instruction ID: 798a17842d15460ce16c01d83dd07e5c6554402bd1c46a42b4ce299cc8c18890
Opcode Fuzzy Hash: 3a50c9df4c65eef02d213e9d987f3f941e3bf19b9f44c035be8e4b1dd3a42157
Instruction Fuzzy Hash: EA028F75A00204AFDB14DF64DD99FAE7BB9FB49300F108169FA05AB291C7B4ED41CB68

Function 00401746 Relevance: 49.8, APIs: 33, Instructions: 275COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 004017A5
SetTextColor.GDI32(?,?), ref: 004017AD
GetSysColorBrush.USER32(0000000F), ref: 004017C4
GetSysColor.USER32(0000000F), ref: 004017D0
SetBkColor.GDI32(?,?), ref: 004017EB
SelectObject.GDI32(?,?), ref: 004017FB
InflateRect.USER32(?,000000FF,000000FF), ref: 00401831
GetSysColor.USER32(00000010), ref: 00401839
CreateSolidBrush.GDI32(00000000), ref: 00401840
FrameRect.USER32(?,?,00000000), ref: 00401851
DeleteObject.GDI32(?), ref: 0040185C
InflateRect.USER32(?,000000FE,000000FE), ref: 004018B6
FillRect.USER32(?,?,?), ref: 004018F7

Part of subcall function 003F085C: GetSysColor.USER32(0000000E), ref: 003F0880
Part of subcall function 003F085C: SetTextColor.GDI32(?,00000000), ref: 003F0888
Part of subcall function 003F085C: GetSysColorBrush.USER32(0000000F), ref: 003F08BB
Part of subcall function 003F085C: GetSysColor.USER32(0000000F), ref: 003F08C6
Part of subcall function 003F085C: GetSysColor.USER32(00000011), ref: 003F08E6
Part of subcall function 003F085C: CreatePen.GDI32(00000000,00000001,00743C00), ref: 003F08F8
Part of subcall function 003F085C: SelectObject.GDI32(?,00000000), ref: 003F0909
Part of subcall function 003F085C: SetBkColor.GDI32(?,?), ref: 003F0913
Part of subcall function 003F085C: SelectObject.GDI32(?,?), ref: 003F0921
Part of subcall function 003F085C: InflateRect.USER32(?,000000FF,000000FF), ref: 003F0946
Part of subcall function 003F085C: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003F0961
Part of subcall function 003F085C: GetWindowLongW.USER32(?,000000F0), ref: 003F0976
Part of subcall function 003F085C: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 003F0996

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateText$DeleteFillFrameLongMessageRoundSendSolidWindow
String ID:
API String ID: 69173610-0
Opcode ID: fd34d05d19ae03646bb138ce0d7996fec119eb21bc8114a80f4bd21771d3b9bd
Instruction ID: 363054d49519e01775c8adda22666ee31baead92319d620d9c45f9d6e58c2e92
Opcode Fuzzy Hash: fd34d05d19ae03646bb138ce0d7996fec119eb21bc8114a80f4bd21771d3b9bd
Instruction Fuzzy Hash: AAB16875508300AFD304DF64DD88A6BB7F8FB89320F504A2EFA96932A0D774E945CB56

Function 004190AA Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 291windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?), ref: 004190DF
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0041919C
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 004191DC
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 004191ED
CreateWindowExW.USER32(00000008,AutoIt v3,00000000,?,88C00000,?,?,?,00000001,?,00000000,00000000), ref: 0041922F
GetClientRect.USER32(00000000,?), ref: 0041923B
CreateWindowExW.USER32(00000000,static,00000000,?,50000000,?,00000004,00000500,00000018,?,00000000,00000000), ref: 0041927D
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0041928F
GetStockObject.GDI32(00000011), ref: 00419299
SelectObject.GDI32(00000000,00000000), ref: 004192A1
GetTextFaceW.GDI32(00000000,00000040,?), ref: 004192B1
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004192BA
DeleteDC.GDI32(00000000), ref: 004192C3
CreateFontW.GDI32(?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00419309
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00419321
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,?,00000000,00000000,00000000), ref: 0041935B
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0041936F
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00419380
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,?,00000000,00000000,00000000), ref: 004193B5
GetStockObject.GDI32(00000011), ref: 004193C0
SendMessageW.USER32(?,00000030,00000000), ref: 004193D0
ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004193DB

Strings

msctls_progress32, xrefs: 00419351
static, xrefs: 00419276, 004193AE
AutoIt v3, xrefs: 00419229
DISPLAY, xrefs: 00419285

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 032bd4067a333a92ba1612c97fbd3c055dbbfd5f61e6788fa50652f6a6805975
Instruction ID: d3a323186bf70c717a8528964a91bc0341417e06b1adb296b4cd95edb444230d
Opcode Fuzzy Hash: 032bd4067a333a92ba1612c97fbd3c055dbbfd5f61e6788fa50652f6a6805975
Instruction Fuzzy Hash: 0EA19075A40308BFFB14DFA4DD4AFAE7769AB45701F108129FB05AB2D1D6B0AD40CB68

Function 003C3C50 Relevance: 45.7, APIs: 14, Strings: 12, Instructions: 238COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 003E8392

Strings

#comments-end, xrefs: 003E85AF
#ce, xrefs: 003E85C3
#include, xrefs: 003E84C5
#include-once, xrefs: 003E8465
Unterminated group of comments, xrefs: 003E8602
Cannot parse #include, xrefs: 003E851F
#cs, xrefs: 003E8549, 003E859B
#notrayicon, xrefs: 003E838A
#requireadmin, xrefs: 003E83AD
#comments-start, xrefs: 003E8535, 003E8587
#NoAutoIt3Execute, xrefs: 003E83CF
#OnAutoItStartRegister, xrefs: 003E83F1

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: __wcsnicmp
String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-3360698832
Opcode ID: 1965b4be69ab876d37fd029dd5afb08710df637b8fbcc7a9d1f6961d9686aafd
Instruction ID: 5ecb7cfce6490a2f673349e113049cf50be9e3b254dc220b6cb0fd0d6080873a
Opcode Fuzzy Hash: 1965b4be69ab876d37fd029dd5afb08710df637b8fbcc7a9d1f6961d9686aafd
Instruction Fuzzy Hash: 25610AB6A40755A7EB12AB219C42F9F335C9F51700F14812AFC05AE2C3EF74EF4186A6

Function 0042D91D Relevance: 44.0, APIs: 24, Strings: 1, Instructions: 247clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(?), ref: 0042D950
IsClipboardFormatAvailable.USER32(0000000D), ref: 0042D95E
GetClipboardData.USER32(0000000D), ref: 0042D96A
CloseClipboard.USER32 ref: 0042D976
GlobalLock.KERNEL32(00000000), ref: 0042D9A0
CloseClipboard.USER32 ref: 0042D9AA
IsClipboardFormatAvailable.USER32(00000001), ref: 0042D9EA
GetClipboardData.USER32(00000001), ref: 0042D9F6
CloseClipboard.USER32 ref: 0042DA02

Strings

dND, xrefs: 0042D93E

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
String ID: dND
API String ID: 15083398-2949930476
Opcode ID: 88c361c5d9e81e8f3971e70dcc41a153be121be4bfddc5c0ae14d0d477c24840
Instruction ID: 0addde88ab00f694abbfe3b5fa863e36e12696eb7896cf7eca34f4ab1f19a119
Opcode Fuzzy Hash: 88c361c5d9e81e8f3971e70dcc41a153be121be4bfddc5c0ae14d0d477c24840
Instruction Fuzzy Hash: 4B81CE36300202ABD301EB64ED86F6EB7A8FF95311F41452AFA11DB291DBB0ED05C799

Function 003F06A4 Relevance: 43.6, APIs: 29, Instructions: 108COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 003F06C1
SetCursor.USER32(00000000), ref: 003F06C8
LoadCursorW.USER32(00000000,00007F8A), ref: 003F06D9
SetCursor.USER32(00000000), ref: 003F06E0
LoadCursorW.USER32(00000000,00007F03), ref: 003F06F1
SetCursor.USER32(00000000), ref: 003F06F8
LoadCursorW.USER32(00000000,00007F8B), ref: 003F0709
SetCursor.USER32(00000000), ref: 003F0710
LoadCursorW.USER32(00000000,00007F01), ref: 003F0721
SetCursor.USER32(00000000), ref: 003F0728
LoadCursorW.USER32(00000000,00007F88), ref: 003F0739
SetCursor.USER32(00000000), ref: 003F0740
LoadCursorW.USER32(00000000,00007F86), ref: 003F0751
SetCursor.USER32(00000000), ref: 003F0758
LoadCursorW.USER32(00000000,00007F83), ref: 003F0769
SetCursor.USER32(00000000), ref: 003F0770
LoadCursorW.USER32(00000000,00007F85), ref: 003F0781
SetCursor.USER32(00000000), ref: 003F0788
LoadCursorW.USER32(00000000,00007F82), ref: 003F0799
SetCursor.USER32(00000000), ref: 003F07A0
LoadCursorW.USER32(00000000,00007F84), ref: 003F07B1
SetCursor.USER32(00000000), ref: 003F07B8
LoadCursorW.USER32(00000000,00007F04), ref: 003F07C9
SetCursor.USER32(00000000), ref: 003F07D0
LoadCursorW.USER32(00000000,00007F02), ref: 003F07E1
SetCursor.USER32(00000000), ref: 003F07E8
SetCursor.USER32(00000000), ref: 003F07F4
LoadCursorW.USER32(00000000,00007F00), ref: 003F0805
SetCursor.USER32(00000000), ref: 003F080C

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Cursor$Load
String ID:
API String ID: 1675784387-0
Opcode ID: 44f25af236680137626e9656ab30189e4af9ee5261cc68c77bfd586d7d7b4468
Instruction ID: ce2d2a69909bb8f3a4aac28b9f41a5a99dc4fe65fe891df172803d2eafb3f917
Opcode Fuzzy Hash: 44f25af236680137626e9656ab30189e4af9ee5261cc68c77bfd586d7d7b4468
Instruction Fuzzy Hash: 07315276D88205F7E6545BE0BE0DF793718FB25727F814031F309A44D0CAF551209A6D

Function 003F085C Relevance: 42.2, APIs: 28, Instructions: 200windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000E), ref: 003F0880
SetTextColor.GDI32(?,00000000), ref: 003F0888
GetSysColor.USER32(00000012), ref: 003F08A0
SetTextColor.GDI32(?,?), ref: 003F08A8
GetSysColorBrush.USER32(0000000F), ref: 003F08BB
GetSysColor.USER32(0000000F), ref: 003F08C6
CreateSolidBrush.GDI32(?), ref: 003F08CF
GetSysColor.USER32(00000011), ref: 003F08E6
CreatePen.GDI32(00000000,00000001,00743C00), ref: 003F08F8
SelectObject.GDI32(?,00000000), ref: 003F0909
SetBkColor.GDI32(?,?), ref: 003F0913
SelectObject.GDI32(?,?), ref: 003F0921
InflateRect.USER32(?,000000FF,000000FF), ref: 003F0946
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003F0961
GetWindowLongW.USER32(?,000000F0), ref: 003F0976
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 003F0996
GetWindowTextW.USER32(00000000,00000000,?), ref: 003F09C7
InflateRect.USER32(?,000000FD,000000FD), ref: 003F09F3
DrawFocusRect.USER32(?,?), ref: 003F09FE
GetSysColor.USER32(00000011), ref: 003F0A0C
SetTextColor.GDI32(?,00000000), ref: 003F0A14
DrawTextW.USER32(?,?,000000FF,?,00000105), ref: 003F0A29
SelectObject.GDI32(?,?), ref: 003F0A3D
DeleteObject.GDI32(00000105), ref: 003F0A49
SelectObject.GDI32(?,?), ref: 003F0A50
DeleteObject.GDI32(?), ref: 003F0A56
SetTextColor.GDI32(?,?), ref: 003F0A5D
SetBkColor.GDI32(?,?), ref: 003F0A68

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Color$ObjectText$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1582027408-0
Opcode ID: 41ebaef77379de62b9b2e5b27a632b5b3b2488155524f2b64c0d6aa7b183ad57
Instruction ID: 86860730af49cf53664f6397ae12004efb6d625ac4c878562899fcbc73195c8b
Opcode Fuzzy Hash: 41ebaef77379de62b9b2e5b27a632b5b3b2488155524f2b64c0d6aa7b183ad57
Instruction Fuzzy Hash: BC713275901209BFDB08DFA8DD88EAEBBB9FF49310F104225F615A7291D774A940CFA4

Function 0042AB4D Relevance: 40.7, APIs: 17, Strings: 6, Instructions: 415registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0042AC5C
RegCreateKeyExW.ADVAPI32(?,?,00000000,00444E64,00000000,?,00000000,?,?,?), ref: 0042ACB6
RegCloseKey.ADVAPI32(?,00000001,00000000,00000000,00000000), ref: 0042AD00

Strings

REG_BINARY, xrefs: 0042AF75
REG_MULTI_SZ, xrefs: 0042ADF6
REG_EXPAND_SZ, xrefs: 0042AD1B
REG_QWORD, xrefs: 0042AF2C
REG_SZ, xrefs: 0042AD83
REG_DWORD, xrefs: 0042AEE8

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: CloseConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 3217815495-966354055
Opcode ID: d35069c991c9ca366c3ca16ee1f7b7c5b896eaa0dc733a0ba7a73918dbdad7d3
Instruction ID: 8d7785dbe083b3c02cc1c3eaa6c8dc84be69f0eff7f161e318dc4a1e8c965ace
Opcode Fuzzy Hash: d35069c991c9ca366c3ca16ee1f7b7c5b896eaa0dc733a0ba7a73918dbdad7d3
Instruction Fuzzy Hash: E9E19EB1604200ABD710EF65D986F5BB7E8AF48304F14895EF949DB342DB38ED01CB6A

Function 00416529 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 291windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00416625
GetDesktopWindow.USER32 ref: 0041663A
GetWindowRect.USER32(00000000), ref: 00416641
GetWindowLongW.USER32(?,000000F0), ref: 00416699
GetWindowLongW.USER32(?,000000F0), ref: 004166AC
DestroyWindow.USER32(?), ref: 004166BD
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0041670B
SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 00416729
SendMessageW.USER32(?,00000418,00000000,?), ref: 0041673D
SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 0041674D
SendMessageW.USER32(?,00000421,?,?), ref: 0041676D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00416783
IsWindowVisible.USER32(?), ref: 004167A3
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 004167BF
SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 004167D3
GetWindowRect.USER32(?,?), ref: 004167EA
MonitorFromPoint.USER32(?,00000001,00000002), ref: 00416808
GetMonitorInfoW.USER32(00000000,?), ref: 00416820
CopyRect.USER32(?,?), ref: 00416835
SendMessageW.USER32(?,00000412,00000000), ref: 0041688B

Strings

tooltips_class32, xrefs: 00416704
(, xrefs: 00416816
,, xrefs: 004165E3

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$LongMonitor$CopyCreateCursorDesktopDestroyFromInfoPointVisible
String ID: ($,$tooltips_class32
API String ID: 225202481-3320066284
Opcode ID: 93ba74e3dd72a9f99098d2c710289daa3a92f09f03001ef83411e363bef6020f
Instruction ID: ba769e7ae2dedcd9b4d25bd0fc5568848dd3609de5da9c7948f5338056eaa980
Opcode Fuzzy Hash: 93ba74e3dd72a9f99098d2c710289daa3a92f09f03001ef83411e363bef6020f
Instruction Fuzzy Hash: 0BB18E74A00308AFDB14DFA4CD85FEEB7B5AF48300F108519F919AB281DB78E985CB58

Function 00414E02 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 213windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00414E25
_wcslen.LIBCMT ref: 00414E38
__wcsicoll.LIBCMT ref: 00414E45
_wcslen.LIBCMT ref: 00414E59
__wcsicoll.LIBCMT ref: 00414E66
_wcslen.LIBCMT ref: 00414E7A
__wcsicoll.LIBCMT ref: 00414E87

Part of subcall function 003D13CB: __wcsicmp_l.LIBCMT ref: 003D144B

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00414EBD
LoadLibraryExW.KERNEL32(?,00000000,00000032), ref: 00414ED0
LoadImageW.USER32(?,00000000,?,00000001,?,?), ref: 00414F10
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00414F5A
LoadImageW.USER32(?,00000000,?,00000001,?,?), ref: 00414F8B
FreeLibrary.KERNEL32(?,?), ref: 00414F98
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00414FF2
DestroyIcon.USER32(?), ref: 00415000
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0041501D
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00415029
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0041504E

Strings

.exe, xrefs: 00414E4F
.icl, xrefs: 00414E32
.dll, xrefs: 00414E70

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Load$Image_wcslen$__wcsicoll$IconLibraryMessageSend$DestroyExtractFreeMoveWindow__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 2511167534-1154884017
Opcode ID: 6bd6379ba2d4a9a1f5a51d0e235aefa2f3f7b34cf1f79c703c65ef75c3ad2e0f
Instruction ID: 82348d9a42e2c5ed152bb8cbe9d26962614410fa593bad2858da695bbb162d2c
Opcode Fuzzy Hash: 6bd6379ba2d4a9a1f5a51d0e235aefa2f3f7b34cf1f79c703c65ef75c3ad2e0f
Instruction Fuzzy Hash: 1871B171500705BAEB20DF64DD85FFB73A8AF84B02F00841EF945D6281E7B9AA85C765

Function 00431B83 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 313windowtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 003D14F7: _malloc.LIBCMT ref: 003D1511

GetWindowRect.USER32(?,?), ref: 00431CB1
GetClientRect.USER32(?,?), ref: 00431CBF
GetSystemMetrics.USER32(00000007), ref: 00431CC7
GetSystemMetrics.USER32(00000008), ref: 00431CDA
GetSystemMetrics.USER32(00000004), ref: 00431CFC
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00431D2B
GetSystemMetrics.USER32(00000007), ref: 00431D33
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00431D5D
GetSystemMetrics.USER32(00000008), ref: 00431D65
GetSystemMetrics.USER32(00000004), ref: 00431D89
SetRect.USER32(?,00000000,00000000,?,?), ref: 00431DA8
AdjustWindowRectEx.USER32(?,?,00000000,00000040), ref: 00431DB9
CreateWindowExW.USER32(00000040,AutoIt v3 GUI,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00431DEF
SetWindowLongW.USER32(00000000,000000EB,?), ref: 00431E28
GetClientRect.USER32(?,?), ref: 00431E44
GetStockObject.GDI32(00000011), ref: 00431E60
SendMessageW.USER32(?,00000030,00000000), ref: 00431E6C
SetTimer.USER32(00000000,00000000,00000028,004226D2), ref: 00431E93

Strings

AutoIt v3 GUI, xrefs: 00431DE9
@, xrefs: 00431C4F

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: System$Metrics$Rect$Window$ClientInfoParameters$AdjustCreateLongMessageObjectSendStockTimer_malloc
String ID: @$AutoIt v3 GUI
API String ID: 867697134-3359773793
Opcode ID: a77bd6da76a6cc40ae4fcc3f3e9d5c3d3ebd4d417f6460abe4a1da3c98f2c5c8
Instruction ID: 14352276e4a418039c107644547341e884de53b68ae81dcdb8bf8edc4e8f9e8d
Opcode Fuzzy Hash: a77bd6da76a6cc40ae4fcc3f3e9d5c3d3ebd4d417f6460abe4a1da3c98f2c5c8
Instruction Fuzzy Hash: 1FC17F756002099FDB14DFA8DD85BAB77B5FB48314F10822AFA15973D0EBB8E840CB59

Function 00428322 Relevance: 33.4, APIs: 6, Strings: 13, Instructions: 116COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 00428354
__wcsicoll.LIBCMT ref: 0042836C
__wcsnicmp.LIBCMT ref: 0042838C

Strings

[LAST, xrefs: 00428445
ACTIVE, xrefs: 00428366
ALL, xrefs: 0042842C
REGEXP=, xrefs: 004283AF
[CLASS:, xrefs: 004283EA
[HANDLE:, xrefs: 00428398
[ALL, xrefs: 0042843E
,QD, xrefs: 00428452
LAST, xrefs: 0042834E
[ACTIVE, xrefs: 00428378
[REGEXPTITLE:, xrefs: 004283C1
HANDLE=, xrefs: 00428386
CLASSNAME=, xrefs: 004283D8

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: __wcsicoll$__wcsnicmp
String ID: ,QD$ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 790654849-3103311604
Opcode ID: 916a39cddf65b4c388490358f83a461d3f65ccb344acaccf50be531e1bd88571
Instruction ID: 7e0f7b0e041b52a81c5e03701666fe2c3e5ff74c0b322093f7eb1ba13689aaba
Opcode Fuzzy Hash: 916a39cddf65b4c388490358f83a461d3f65ccb344acaccf50be531e1bd88571
Instruction Fuzzy Hash: F7315566A0521967DF11F660ED43F9E73689F10701F60012BFD40FB282EE19AE0487AA

Function 003D7B43 Relevance: 33.4, APIs: 12, Strings: 7, Instructions: 109libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,003D63FE), ref: 003D7B4B
__mtterm.LIBCMT ref: 003D7B57

Part of subcall function 003D7822: TlsFree.KERNEL32(00000017,003D7CB9,?,003D63FE), ref: 003D784D
Part of subcall function 003D7822: DeleteCriticalSection.KERNEL32(00000000,00000000,003D0D64,?,003D7CB9,?,003D63FE), ref: 003D80DB
Part of subcall function 003D7822: _free.LIBCMT ref: 003D80DE
Part of subcall function 003D7822: DeleteCriticalSection.KERNEL32(00000017,003D0D64,?,003D7CB9,?,003D63FE), ref: 003D8105

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 003D7B6D
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 003D7B7A
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 003D7B87
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 003D7B94
TlsAlloc.KERNEL32(?,003D63FE), ref: 003D7BE4
TlsSetValue.KERNEL32(00000000,?,003D63FE), ref: 003D7BFF
__init_pointers.LIBCMT ref: 003D7C09
__calloc_crt.LIBCMT ref: 003D7C77
GetCurrentThreadId.KERNEL32 ref: 003D7CA3

Strings

KERNEL32.DLL, xrefs: 003D7B46
FlsFree, xrefs: 003D7B89
FlsSetValue, xrefs: 003D7B7C
FlsGetValue, xrefs: 003D7B6F
d=, xrefs: 003D7C14
FlsAlloc, xrefs: 003D7B67
d=, xrefs: 003D7C51

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL$d=$d=
API String ID: 4163708885-2068998250
Opcode ID: 012fbc77cb538969169665a13c5402479e68ea752c8b1026f60e202ce811120c
Instruction ID: f189eae21e90cf80772a5a05f3b1bf766f6269c933a2669b4420aef68cf73c1b
Opcode Fuzzy Hash: 012fbc77cb538969169665a13c5402479e68ea752c8b1026f60e202ce811120c
Instruction Fuzzy Hash: 0631527A908710DADB52AF75FD096153AB4FB45712B92063BF410933B2E775C500CF58

Function 004245E0 Relevance: 31.9, APIs: 14, Strings: 4, Instructions: 395COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004245FC
_wcslen.LIBCMT ref: 00424765
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00424775
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0042479D
_wcslen.LIBCMT ref: 00424865
GetCurrentDirectoryW.KERNEL32(00000000,00000000,?), ref: 00424879
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 004248A1
_wcslen.LIBCMT ref: 004248F7
_wcslen.LIBCMT ref: 0042490D
_wcslen.LIBCMT ref: 0042492C

Strings

dND, xrefs: 004247B8
dND, xrefs: 004247C8
dND, xrefs: 004247A8
D, xrefs: 0042460D

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: _wcslen$Directory$CurrentSystem$_memset
String ID: D$dND$dND$dND
API String ID: 3997764887-1867968706
Opcode ID: a744da9d6736b806545998f60697e710783e5aaa604e7d308ceeaa74e78cdcbc
Instruction ID: 8926394926c5c73e3006d8cbe38bad990b155a8b756e724e13cbdefcf31d7ee3
Opcode Fuzzy Hash: a744da9d6736b806545998f60697e710783e5aaa604e7d308ceeaa74e78cdcbc
Instruction Fuzzy Hash: 91E1BBB66043419BC311EF64D841B2BB7E4EFC5304F14892EF8898B391DB38E945CB9A

Function 00415A00 Relevance: 31.9, APIs: 21, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8210e108a63f173d5e6b92a565953f9d186cbbb83662f0e4f8dc72894271fe54
Instruction ID: c0636935a4cbcfe777454ca0b44954dcbcfebda67a764144116749c7268036f8
Opcode Fuzzy Hash: 8210e108a63f173d5e6b92a565953f9d186cbbb83662f0e4f8dc72894271fe54
Instruction Fuzzy Hash: 71C15A72700214ABE720DFA8EC46FEBB7A4EF95310F00417AFA05DA2C0DBB59945C795

Function 00412A3C Relevance: 31.8, APIs: 21, Instructions: 343COMMON

Download Yara Rule

APIs

Part of subcall function 00402B7B: __time64.LIBCMT ref: 00402B87

_fseek.LIBCMT ref: 00412AB0
__wsplitpath.LIBCMT ref: 00412B10
_wcscpy.LIBCMT ref: 00412B25
_wcscat.LIBCMT ref: 00412B3A
__wsplitpath.LIBCMT ref: 00412B64
_wcscat.LIBCMT ref: 00412B7C
_wcscat.LIBCMT ref: 00412B91
__fread_nolock.LIBCMT ref: 00412BC8
__fread_nolock.LIBCMT ref: 00412BD9
__fread_nolock.LIBCMT ref: 00412BF8
__fread_nolock.LIBCMT ref: 00412C09
__fread_nolock.LIBCMT ref: 00412C2A
__fread_nolock.LIBCMT ref: 00412C3B
__fread_nolock.LIBCMT ref: 00412C4C
__fread_nolock.LIBCMT ref: 00412C5D

Part of subcall function 0041268F: __fread_nolock.LIBCMT ref: 004126B4
Part of subcall function 0041268F: __fread_nolock.LIBCMT ref: 004126F6
Part of subcall function 0041268F: __fread_nolock.LIBCMT ref: 00412714
Part of subcall function 0041268F: _wcscpy.LIBCMT ref: 00412748
Part of subcall function 0041268F: __fread_nolock.LIBCMT ref: 00412758
Part of subcall function 0041268F: __fread_nolock.LIBCMT ref: 00412776
Part of subcall function 0041268F: _wcscpy.LIBCMT ref: 004127A7

__fread_nolock.LIBCMT ref: 00412CED

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: __fread_nolock$_wcscat_wcscpy$__wsplitpath$__time64_fseek
String ID:
API String ID: 2054058615-0
Opcode ID: 70f4612b1af38e37304d7e4540ada5a2bcbcf0db70445c07fc2ec1b418bda74c
Instruction ID: 0a3ccdc012951e8b05a997ba886d3b2ca44c43e52bbf7194f9ecc2d436634809
Opcode Fuzzy Hash: 70f4612b1af38e37304d7e4540ada5a2bcbcf0db70445c07fc2ec1b418bda74c
Instruction Fuzzy Hash: 7AC14DB2508340ABD720DF65D881EEBB3E9EFC8700F404D2EF68987241EBB59544CB66

Function 00408665 Relevance: 31.8, APIs: 17, Strings: 1, Instructions: 311COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00408716

Strings

0, xrefs: 0040894A

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Window
String ID: 0
API String ID: 2353593579-4108050209
Opcode ID: 2554422854dff78f9ada2a4e65e8e83408250a44e3d1d1bdc380a094be36d476
Instruction ID: 21b6df823bd0442b239a76645ca11085511fe470b8a92ed3ea26cc5a8a7bf6c2
Opcode Fuzzy Hash: 2554422854dff78f9ada2a4e65e8e83408250a44e3d1d1bdc380a094be36d476
Instruction Fuzzy Hash: F0B1C2B02043419BE324DF14CD85BA7B7E4BB85304F14492EF9D1A62D1CBB8E845CB5A

Function 0042ED23 Relevance: 28.5, APIs: 6, Strings: 10, Instructions: 471COMMON

Download Yara Rule

APIs

Part of subcall function 003C2390: _wcslen.LIBCMT ref: 003C239D
Part of subcall function 003C2390: _memmove.LIBCMT ref: 003C23C3

GetForegroundWindow.USER32(?,?,?,?,?,?,?), ref: 0042EE0E
GetForegroundWindow.USER32(?,?,?,?,?,?), ref: 0042F1FA
IsWindow.USER32(?), ref: 0042F22F
GetDesktopWindow.USER32 ref: 0042F2EB
EnumChildWindows.USER32(00000000), ref: 0042F2F2
EnumWindows.USER32(00421059,?), ref: 0042F2FA

Part of subcall function 004059E6: _wcslen.LIBCMT ref: 004059F6

Strings

TITLE, xrefs: 0042F113
LAST, xrefs: 0042EEBB
HANDLE, xrefs: 0042EEEF
CLASS, xrefs: 0042EF7A
ACTIVE, xrefs: 0042EED5
ALL, xrefs: 0042F0DE
INSTANCE, xrefs: 0042F0AC
REGEXPCLASS, xrefs: 0042EFA7
REGEXPTITLE, xrefs: 0042EF09
dND, xrefs: 0042ED7B

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Window$EnumForegroundWindows_wcslen$ChildDesktop_memmove
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE$dND
API String ID: 329138477-1932064226
Opcode ID: 1d9e51060787106a2ee8856b6bda70ab5f6c2264ceba6533049c68f15b6f382c
Instruction ID: 402e7566acdc84228d4e80ef609636864234236f073e6e693350337bbaea8f70
Opcode Fuzzy Hash: 1d9e51060787106a2ee8856b6bda70ab5f6c2264ceba6533049c68f15b6f382c
Instruction Fuzzy Hash: D5F1C6725143009BCB04EF61E882F6BB3B4BF95304F84456EF9459B242DB79ED09CBA6

Function 00426555 Relevance: 28.3, APIs: 11, Strings: 5, Instructions: 308COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00426580
_wcsncpy.LIBCMT ref: 004265DD
_wcsncpy.LIBCMT ref: 00426609

Part of subcall function 003CF260: _wcslen.LIBCMT ref: 003CF262
Part of subcall function 003CF260: _wcscpy.LIBCMT ref: 003CF282

_wcstok.LIBCMT ref: 0042664C

Part of subcall function 003D3DD8: __getptd.LIBCMT ref: 003D3DDE

_wcstok.LIBCMT ref: 004266FF
_wcscpy.LIBCMT ref: 0042678E
GetOpenFileNameW.COMDLG32(00000058), ref: 004268C1
_wcslen.LIBCMT ref: 004268E0
_memset.LIBCMT ref: 004267B4

Part of subcall function 003C2390: _wcslen.LIBCMT ref: 003C239D
Part of subcall function 003C2390: _memmove.LIBCMT ref: 003C23C3

_wcslen.LIBCMT ref: 0042690A
GetSaveFileNameW.COMDLG32(00000058), ref: 00426954

Part of subcall function 004211B1: _memmove.LIBCMT ref: 00421244

Strings

@OD, xrefs: 004266BE
dND, xrefs: 004265AF
X, xrefs: 004267E3
@OD, xrefs: 00426914
@OD, xrefs: 00426713

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: _wcslen$FileName_memmove_memset_wcscpy_wcsncpy_wcstok$OpenSave__getptd
String ID: @OD$@OD$@OD$X$dND
API String ID: 2101810193-182411560
Opcode ID: b8a4fd87e7b626acf819fb998252767bc145c83966bccddb91a72f6b54ab1d62
Instruction ID: cff415790feb1108bf0d89d1caa18ac6db3ee2287657cae98d3b9cbd31d86fc9
Opcode Fuzzy Hash: b8a4fd87e7b626acf819fb998252767bc145c83966bccddb91a72f6b54ab1d62
Instruction Fuzzy Hash: 23C1C3716043049BD711EF60E885E9FB3E5AF84304F508A2EF9998B252DB34ED45CB56

Function 003F41CD Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 91windowCOMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 003F41EE
__wcsicoll.LIBCMT ref: 003F42A2
LoadIconW.USER32(00000000,00007F04), ref: 003F42B8

Strings

question, xrefs: 003F420D
warning, xrefs: 003F4255
info, xrefs: 003F429C
blank, xrefs: 003F41E8
stop, xrefs: 003F4231

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: __wcsicoll$IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2485277191-404129466
Opcode ID: 2eb10c8c7efc4fa7384334010b1533487aed1ef722b2169cf91845e99f5a55dd
Instruction ID: 238c11097730c46bf63799edb6931fe22b7afd6609d117d7aa72552533ef4e7a
Opcode Fuzzy Hash: 2eb10c8c7efc4fa7384334010b1533487aed1ef722b2169cf91845e99f5a55dd
Instruction Fuzzy Hash: BB21C53774421A77DB029B64BC05FEB33ACDF55352F050433FA04E6286E3A5A92092F9

Function 004145AE Relevance: 25.7, APIs: 17, Instructions: 199windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(?,00000063), ref: 004145C1
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 004145D3
SetWindowTextW.USER32(?,?), ref: 004145ED
GetDlgItem.USER32(?,000003EA), ref: 00414605
SetWindowTextW.USER32(00000000,?), ref: 0041460C
GetDlgItem.USER32(?,000003E9), ref: 0041461D
SetWindowTextW.USER32(00000000,?), ref: 00414624
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00414646
SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 00414660
GetWindowRect.USER32(?,?), ref: 0041466A
SetWindowTextW.USER32(?,?), ref: 004146DA
GetDesktopWindow.USER32 ref: 004146E4
GetWindowRect.USER32(00000000), ref: 004146EB
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00414739
GetClientRect.USER32(?,?), ref: 00414747
PostMessageW.USER32(?,00000005,00000000,00000080), ref: 00414771
SetTimer.USER32(?,0000040A,?,00000000), ref: 004147B4

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 3b4e5c69634fe8f20fa88864b420277a31c992f2f60addbc1196e5843f616562
Instruction ID: 8d1798b02ce8455128d6f5eff4bc4d64e1ed700abf309914986c7531309c40e6
Opcode Fuzzy Hash: 3b4e5c69634fe8f20fa88864b420277a31c992f2f60addbc1196e5843f616562
Instruction Fuzzy Hash: 69618E75600705ABDB20DFA8CE89FABB7F8AF84704F100919F64697690D7B8F944CB54

Function 00418E98 Relevance: 25.6, APIs: 17, Instructions: 117COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00418EAC
LoadCursorW.USER32(00000000,00007F00), ref: 00418EB8
LoadCursorW.USER32(00000000,00007F03), ref: 00418EC4
LoadCursorW.USER32(00000000,00007F8B), ref: 00418ED0
LoadCursorW.USER32(00000000,00007F01), ref: 00418EDC
LoadCursorW.USER32(00000000,00007F81), ref: 00418EE8
LoadCursorW.USER32(00000000,00007F88), ref: 00418EF4
LoadCursorW.USER32(00000000,00007F80), ref: 00418F00
LoadCursorW.USER32(00000000,00007F86), ref: 00418F0C
LoadCursorW.USER32(00000000,00007F83), ref: 00418F18
LoadCursorW.USER32(00000000,00007F85), ref: 00418F24
LoadCursorW.USER32(00000000,00007F82), ref: 00418F30
LoadCursorW.USER32(00000000,00007F84), ref: 00418F3C
LoadCursorW.USER32(00000000,00007F04), ref: 00418F48
LoadCursorW.USER32(00000000,00007F02), ref: 00418F54
LoadCursorW.USER32(00000000,00007F89), ref: 00418F60
GetCursorInfo.USER32(?), ref: 00418F70

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 76ceb8ab9d9c04ed20432f43eb3ade67c6bc1f762efaa30f8add68aea923dcf7
Instruction ID: aea531b820de27f51e597004b0ffa0648fef4650125a8610fb3b6f81ec3f5eb6
Opcode Fuzzy Hash: 76ceb8ab9d9c04ed20432f43eb3ade67c6bc1f762efaa30f8add68aea923dcf7
Instruction Fuzzy Hash: 64311471E4831A6AEB109FB5DC4AB9F7FA4EF00750F10452BF608AF2C0DAB965418BD5

Function 0042910A Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 253windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 00429155
GetFocus.USER32 ref: 00429169
GetDlgCtrlID.USER32(00000000), ref: 00429174
PostMessageW.USER32(?,00000111,?,00000000), ref: 004291C8

Strings

0, xrefs: 004292CB

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: MessagePost$CtrlFocus
String ID: 0
API String ID: 1534620443-4108050209
Opcode ID: 5389a741802ece733a0da71bb77f092222606378b861156e53e659af064f08af
Instruction ID: 222e6f73a49a6b2cfc98c30e93aa194588a144c2230ed265a8f733ec50bd9379
Opcode Fuzzy Hash: 5389a741802ece733a0da71bb77f092222606378b861156e53e659af064f08af
Instruction Fuzzy Hash: 0A91D171604321AFD710DF14E885BABB7A8FF88714F444A2EF99497281D7B4DC05CBAA

Function 00415755 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 220COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?), ref: 00415858
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,00000000), ref: 004158A1

Strings

tooltips_class32, xrefs: 0041589A, 00415979
,, xrefs: 00415800
dND, xrefs: 004158D4

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Window$CreateDestroy
String ID: ,$dND$tooltips_class32
API String ID: 1109047481-2325309128
Opcode ID: c95c3e9993d79cc3b788b4e0b6394fdf9a11231f2ac03d2c1e06fb0816b2a70d
Instruction ID: 02afc73aa3d93256ec219a2d0866fd5c0c26ace98452a744c55947d53e32ac1c
Opcode Fuzzy Hash: c95c3e9993d79cc3b788b4e0b6394fdf9a11231f2ac03d2c1e06fb0816b2a70d
Instruction Fuzzy Hash: EC71D175650208EFE720CF58DC85FFA77B8EB89310F50811AF9449B351DAB4AD42CBA9

Function 0041CD0B Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 215COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 0041CE26
__wsplitpath.LIBCMT ref: 0041CE65
_wcscat.LIBCMT ref: 0041CE78
_wcscat.LIBCMT ref: 0041CE8B
GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000104,?), ref: 0041CE9F
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0041CEB2

Part of subcall function 003F397D: GetFileAttributesW.KERNEL32(?), ref: 003F3984

GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0041CEF2
SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000104,?), ref: 0041CF0A
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0041CF1B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0041CF2C
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0041CF40
_wcscpy.LIBCMT ref: 0041CF4E
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0041CF91

Strings

*.*, xrefs: 0041CF48

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile$_wcscat$__wsplitpath_wcscpy_wcsncpy
String ID: *.*
API String ID: 1153243558-438819550
Opcode ID: d1fb1325a2a00d1f785182643114bd3bf9f1406aa20bd5fa8fba6112e98613f1
Instruction ID: 7d228a80d4072c894bc5f056709ef547862b969c1ebcf31dab6a39f225b98e29
Opcode Fuzzy Hash: d1fb1325a2a00d1f785182643114bd3bf9f1406aa20bd5fa8fba6112e98613f1
Instruction Fuzzy Hash: C271D472980208ABDB24EB54DCC5BEEB7B5AB44300F1489BBE509D7240D778DEC5CB99

Function 0042E7D4 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 207windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0042E7EF
GetMenuItemInfoW.USER32(?,00000007,00000000,00000030), ref: 0042E877
GetMenuItemCount.USER32(?), ref: 0042E90B
DeleteMenu.USER32(?,00000005,00000000,?,?,?), ref: 0042E99F
DeleteMenu.USER32(?,00000004,00000000,?,?), ref: 0042E9A8
DeleteMenu.USER32(00000000,00000006,00000000,?,00000004,00000000,?,?), ref: 0042E9B1
DeleteMenu.USER32(?,00000003,00000000,?,00000004,00000000,?,?), ref: 0042E9BA
GetMenuItemCount.USER32 ref: 0042E9C3
SetMenuItemInfoW.USER32(?,00000004,00000000,00000030), ref: 0042E9FB
GetCursorPos.USER32(?), ref: 0042EA05
SetForegroundWindow.USER32(?), ref: 0042EA0F
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,?,00000003,00000000,?,00000004,00000000,?,?), ref: 0042EA25
PostMessageW.USER32(?,00000000,00000000,00000000), ref: 0042EA32

Strings

0, xrefs: 0042E7E8

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID: 0
API String ID: 3993528054-4108050209
Opcode ID: 50c9355a7fbdf3ad95f8d6becaf89ba3407d99584643b23f4186e0c28756613e
Instruction ID: 3cb96867eaf5007e3d2f12ad9190ab790fbe56139ad171365ae1802152d56987
Opcode Fuzzy Hash: 50c9355a7fbdf3ad95f8d6becaf89ba3407d99584643b23f4186e0c28756613e
Instruction Fuzzy Hash: 7071EF70608314BBE720DB65DC45F9BB7A8AF85724F30461BF5A5AB3D1C7B8A8408B19

Function 003C2190 Relevance: 24.7, APIs: 7, Strings: 7, Instructions: 202COMMON

Download Yara Rule

APIs

Part of subcall function 003C1D10: _wcslen.LIBCMT ref: 003C1D11
Part of subcall function 003C1D10: _memmove.LIBCMT ref: 003C1D57

__wcsicoll.LIBCMT ref: 003C2262
__wcsicoll.LIBCMT ref: 003C2278
__wcsicoll.LIBCMT ref: 003C228E

Part of subcall function 003D13CB: __wcsicmp_l.LIBCMT ref: 003D144B

__wcsicoll.LIBCMT ref: 003C22A4
_wcscpy.LIBCMT ref: 003C22C4
GetModuleFileNameW.KERNEL32(00000000,00467F6C,00000104), ref: 003E8AD6
_wcscpy.LIBCMT ref: 003E8B29

Strings

CMDLINERAW, xrefs: 003C21CF
/AutoIt3OutputDebug, xrefs: 003C2273
/AutoIt3ExecuteLine, xrefs: 003C2289
CMDLINE, xrefs: 003C21F8
hND, xrefs: 003C2364
/ErrorStdOut, xrefs: 003C225D
/AutoIt3ExecuteScript, xrefs: 003C229F

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: __wcsicoll$_wcscpy$FileModuleName__wcsicmp_l_memmove_wcslen
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$CMDLINE$CMDLINERAW$hND
API String ID: 574121520-3179223061
Opcode ID: 4693bf4e734649073a3ef6f36ec48bd27af65d6881ffc307b5967a8ae9b8d184
Instruction ID: 96818c4d888e98a9fa175d9d14cbcde7006d8cad4d8427de6bac97b9703316ff
Opcode Fuzzy Hash: 4693bf4e734649073a3ef6f36ec48bd27af65d6881ffc307b5967a8ae9b8d184
Instruction Fuzzy Hash: E3718471D1421A9BDF05EBA0DC92FEE7B74AF50344F004529E905EB242EBB4AD49CBD1

Function 0041DC39 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 190COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0041DC6B
_memset.LIBCMT ref: 0041DC86
CoInitialize.OLE32(00000000), ref: 0041DC9C
SHGetMalloc.SHELL32(?), ref: 0041DCA6
CoUninitialize.OLE32 ref: 0041DCB0
_wcscpy.LIBCMT ref: 0041DCF3
SHGetDesktopFolder.SHELL32(00000000,?), ref: 0041DD4F
_wcscpy.LIBCMT ref: 0041DD70
_wcscpy.LIBCMT ref: 0041DDD0
SHBrowseForFolderW.SHELL32(?), ref: 0041DDFB
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0041DE1D
CoUninitialize.OLE32 ref: 0041DE6B

Strings

dND, xrefs: 0041DCB9
dND, xrefs: 0041DE56

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: _wcscpy$FolderUninitialize_memset$BrowseDesktopFromInitializeListMallocPath
String ID: dND$dND
API String ID: 3566271842-91332234
Opcode ID: 5850a403d8b813c675dd418a59454b63b9f754ed44fba41181f1e9abe4dbd501
Instruction ID: b08d74c5168080b7081e5c8c121e545521b1e444bfc33d12618d7c9dbc824d08
Opcode Fuzzy Hash: 5850a403d8b813c675dd418a59454b63b9f754ed44fba41181f1e9abe4dbd501
Instruction Fuzzy Hash: 6E7150B5E00208AFCB14EFA4D984EDEB7B9EF48304F048599F5099B311D775AE81CBA4

Function 00430E50 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 185windowfileCOMMON

Download Yara Rule

APIs

DragQueryPoint.SHELL32(?,?), ref: 00430E7A

Part of subcall function 004015F9: ClientToScreen.USER32(00000000,?), ref: 00401621
Part of subcall function 004015F9: GetWindowRect.USER32(?,?), ref: 004016A9
Part of subcall function 004015F9: PtInRect.USER32(?,?,?), ref: 004016BB

SendMessageW.USER32 ref: 00430EEC
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00430EF5
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00430F1F
_wcscat.LIBCMT ref: 00430F5C
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00430F71
SendMessageW.USER32(?,000000B0,?,?), ref: 00430F83
SendMessageW.USER32(?,000000B1,?,?), ref: 00430F91
SendMessageW.USER32(?,000000B1,?,?), ref: 00430FAE
DragFinish.SHELL32(?), ref: 00430FB4
DefDlgProcW.USER32(?,00000233,?,00000000), ref: 0043109C

Strings

@GUI_DROPID, xrefs: 00430FDA
@GUI_DRAGID, xrefs: 0043100E
@GUI_DRAGFILE, xrefs: 0043104A

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRect$ClientFinishPointProcScreenWindow_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 4085615965-3440237614
Opcode ID: 30ba0290057149cd1c1b250ec1a4310076689f483600cc93484a847d6aa6a830
Instruction ID: 1a1b310030ac030a55a719c3c87087a9a18e95e5d9ac37cc10544d21d27c3105
Opcode Fuzzy Hash: 30ba0290057149cd1c1b250ec1a4310076689f483600cc93484a847d6aa6a830
Instruction Fuzzy Hash: 38619F752083009FD310EF64CC85F5BB7A8EF89354F104A2DF9559B291DBB4ED098B96

Function 00412833 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 172COMMON

Download Yara Rule

APIs

_fseek.LIBCMT ref: 004128A1

Part of subcall function 0041268F: __fread_nolock.LIBCMT ref: 004126B4
Part of subcall function 0041268F: __fread_nolock.LIBCMT ref: 004126F6
Part of subcall function 0041268F: __fread_nolock.LIBCMT ref: 00412714
Part of subcall function 0041268F: _wcscpy.LIBCMT ref: 00412748
Part of subcall function 0041268F: __fread_nolock.LIBCMT ref: 00412758
Part of subcall function 0041268F: __fread_nolock.LIBCMT ref: 00412776
Part of subcall function 0041268F: _wcscpy.LIBCMT ref: 004127A7

__fread_nolock.LIBCMT ref: 004128D8
__fread_nolock.LIBCMT ref: 004128E8
__fread_nolock.LIBCMT ref: 00412901
__fread_nolock.LIBCMT ref: 0041291B
_fseek.LIBCMT ref: 00412935
_malloc.LIBCMT ref: 00412940
_malloc.LIBCMT ref: 0041294C
__fread_nolock.LIBCMT ref: 0041295D
_free.LIBCMT ref: 0041298C
_free.LIBCMT ref: 00412995

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 004128B0

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: __fread_nolock$_free_fseek_malloc_wcscpy
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 1255752989-2806939583
Opcode ID: 38d32b9282e1a52f629e5e6418d797511fd44381ea6891a4f24b9c2ed71963cb
Instruction ID: 24651dff84ee99652bdcf0e3c5d777125da884ee7fc98c8d9124bef2328b229a
Opcode Fuzzy Hash: 38d32b9282e1a52f629e5e6418d797511fd44381ea6891a4f24b9c2ed71963cb
Instruction Fuzzy Hash: 9E5101B1900218AFDB20DF69DC81B9AB7B8EF48300F0045AAF64DEB341E7759A94CF55

Function 0040B918 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 80COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0040B92F
__wcsicoll.LIBCMT ref: 0040B945
__wcsicoll.LIBCMT ref: 0040B9DC

Strings

MAIN, xrefs: 0040B95D
MENU, xrefs: 0040B981
SECONDARY, xrefs: 0040B993
PRIMARY, xrefs: 0040B96F
MIDDLE, xrefs: 0040B9D6
LEFT, xrefs: 0040B929
RIGHT, xrefs: 0040B93F

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: __wcsicoll
String ID: LEFT$MAIN$MENU$MIDDLE$PRIMARY$RIGHT$SECONDARY
API String ID: 3832890014-4202584635
Opcode ID: 83c805a86ac0f922070095dc6c5be1e885fa0bfff7540f4724f42283a3258357
Instruction ID: c50e9713e9d390bcd77d0d378793a7473244daedee7b05cdac4fdc985351a085
Opcode Fuzzy Hash: 83c805a86ac0f922070095dc6c5be1e885fa0bfff7540f4724f42283a3258357
Instruction Fuzzy Hash: 25118FA3B5851523EA1231647D03BEB2299CF50393F040037F90CE9686F75EEA6581EE

Function 00426DDB Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 310COMMON

Download Yara Rule

APIs

SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00426EB0
SafeArrayAccessData.OLEAUT32(0000007F,0000007F), ref: 00426F29
SafeArrayGetVartype.OLEAUT32(0000007F,?), ref: 00426FBE
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00426FEA
_memmove.LIBCMT ref: 00427005
SafeArrayUnaccessData.OLEAUT32(00000000), ref: 0042700E
SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 0042702B
_memmove.LIBCMT ref: 004270B9
SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 0042710E
SafeArrayUnaccessData.OLEAUT32(00000004), ref: 004270F8

Part of subcall function 003D14F7: std::exception::exception.LIBCMT ref: 003D1546
Part of subcall function 003D14F7: std::exception::exception.LIBCMT ref: 003D1560
Part of subcall function 003D14F7: __CxxThrowException@8.LIBCMT ref: 003D1571

SafeArrayUnaccessData.OLEAUT32(00439A0A), ref: 00426F95

Part of subcall function 003D14F7: _malloc.LIBCMT ref: 003D1511

SafeArrayUnaccessData.OLEAUT32(00439A0A), ref: 0042717D

Strings

qB, xrefs: 00427167, 004270D9, 00426F83, 00426F11, 00426F14, 00426F86, 004270DC, 0042716A

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$Unaccess$_memmovestd::exception::exception$Exception@8ThrowVartype_malloc
String ID: qB
API String ID: 2170234536-1254620311
Opcode ID: 12ac694cb3d3432eb826b24a8118b8f055ab0abc237ba5aa152344d73a38ccf3
Instruction ID: a23feee293f2d11a774d4deaece5d6d5a7b83a1f92827256f84ae3b238894cbb
Opcode Fuzzy Hash: 12ac694cb3d3432eb826b24a8118b8f055ab0abc237ba5aa152344d73a38ccf3
Instruction Fuzzy Hash: 95B101757002159FDB00CF58E884BBAB7B5FF88304F65806EE9458B351D73AE845CBA9

Function 00427BBF Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 227windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00427BDD
GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 00427C43
SetMenuItemInfoW.USER32(00000008,00000004,00000000,00000030), ref: 00427C7C
Sleep.KERNEL32(000001F4,?,FFFFFFFF,00000000,00000030,?,?,?,?,?,?), ref: 00427C8E

Strings

0, xrefs: 00427BD6

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: InfoItemMenu$Sleep_memset
String ID: 0
API String ID: 1504565804-4108050209
Opcode ID: ac6eecf327fb78c0dc12411db0d79ba85a1bed85c4c8000d8753effe6e84a3f6
Instruction ID: 6642b917ef0c2736640c201cb44c7f2f063e9cee061ca34d39faca3ff47433e5
Opcode Fuzzy Hash: ac6eecf327fb78c0dc12411db0d79ba85a1bed85c4c8000d8753effe6e84a3f6
Instruction Fuzzy Hash: 7871E371604258ABDB20CF65EC48FAFBBA9FF82314F40856FF90597241C774A941CBA5

Function 004205C5 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 136windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,003E7F37,?,0000138C,?,00000001,?,?,?), ref: 004205F5
LoadStringW.USER32(00000000,?,003E7F37,?), ref: 004205FC

Part of subcall function 003C1D10: _wcslen.LIBCMT ref: 003C1D11
Part of subcall function 003C1D10: _memmove.LIBCMT ref: 003C1D57

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,003E7F37,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 0042061C
LoadStringW.USER32(00000000,?,003E7F37,?), ref: 00420623
__swprintf.LIBCMT ref: 00420661
__swprintf.LIBCMT ref: 00420679
_wprintf.LIBCMT ref: 0042072D
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00420746

Strings

Line %d:, xrefs: 0042065B
%s (%d) : ==> %s: %s %s, xrefs: 00420728
Error: , xrefs: 004206F8
^ ERROR, xrefs: 004206CF
Line %d (File "%s"):, xrefs: 00420673

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wcslen_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 3631882475-2268648507
Opcode ID: 4fd1288f34e7f0b612316c1eb075916422f686bbc5a756d425674053c2a0bd62
Instruction ID: 7de7e53e88929f5c2bf8ea8bef7a263bcd717aeece83f04c7465bfca69aeab46
Opcode Fuzzy Hash: 4fd1288f34e7f0b612316c1eb075916422f686bbc5a756d425674053c2a0bd62
Instruction Fuzzy Hash: ED41BF72A00209ABDB01FBA0DC86EEF777CAF44351F50402AF605AB142DB74AE45CB75

Function 0041516A Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 115windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00415184
GetMenuItemInfoW.USER32 ref: 004151A3
DeleteMenu.USER32(?,?,00000000), ref: 0041520F
DeleteMenu.USER32(?,?,00000000), ref: 00415225
GetMenuItemCount.USER32(?), ref: 00415236
SetMenu.USER32(?,00000000), ref: 00415244
DestroyMenu.USER32(?,?,00000000), ref: 00415251
DrawMenuBar.USER32 ref: 00415264
DeleteObject.GDI32(?), ref: 004156AB
DeleteObject.GDI32(?), ref: 004156B9
DestroyIcon.USER32(?), ref: 004156C7
DestroyWindow.USER32(?), ref: 004156D5

Strings

0, xrefs: 0041517C

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Menu$Delete$Destroy$ItemObject$CountDrawIconInfoWindow_memset
String ID: 0
API String ID: 1663942905-4108050209
Opcode ID: 42d166d2980ff17aee2aec449d99418037e4ab175f05569cb4a863e82ea78191
Instruction ID: 494702c9f38e42ded653a62ca705cb55fd09f5e47bd7a2480d4e903f704eb167
Opcode Fuzzy Hash: 42d166d2980ff17aee2aec449d99418037e4ab175f05569cb4a863e82ea78191
Instruction Fuzzy Hash: D2413974201601EFD714DF64D988BAB77A8BF85300F50891AF959CB290DB78E880CFA9

Function 00431672 Relevance: 22.7, APIs: 15, Instructions: 179windowCOMMON

Download Yara Rule

APIs

ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 00431681
ExtractIconExW.SHELL32(?,000000FF,?,?,00000001), ref: 0043169B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004316CB
SendMessageW.USER32 ref: 004316FA
ImageList_Create.COMCTL32(00000010,00000010,00000021,?,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 00431733
SendMessageW.USER32(?,00001003,00000001,00000000), ref: 00431754
ImageList_Create.COMCTL32(00000020,00000020,00000021,00000000,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 0043176A
SendMessageW.USER32(?,00001003,00000000,00000000), ref: 0043178D
ImageList_ReplaceIcon.COMCTL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004317B2
ImageList_ReplaceIcon.COMCTL32(00000000,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004317C1
SendMessageW.USER32 ref: 00431809
SendMessageW.USER32(?,0000104C,00000000,00000002), ref: 0043182C
SendMessageW.USER32(?,00001015,00000000,00000000), ref: 0043184A
DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 00431856
DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 0043185C

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: MessageSend$Icon$ImageList_$CreateDestroyExtractReplace
String ID:
API String ID: 4116747274-0
Opcode ID: 7cbef5e33322ded164f42f91efecacf1974d2f5da74c3f16e89a8a6cf0c126ae
Instruction ID: f778f727b90f82615c234d64481fcc8eca85d9b161daf4b868803dfbf05c06bb
Opcode Fuzzy Hash: 7cbef5e33322ded164f42f91efecacf1974d2f5da74c3f16e89a8a6cf0c126ae
Instruction Fuzzy Hash: 56616D75A00209AFDB20DFA4DC85FAEB7B4FB48310F14415AFA15AB2D0C7B4A985CF54

Function 0042B028 Relevance: 21.4, APIs: 11, Strings: 1, Instructions: 400registryCOMMON

Download Yara Rule

APIs

Part of subcall function 003C1D10: _wcslen.LIBCMT ref: 003C1D11
Part of subcall function 003C1D10: _memmove.LIBCMT ref: 003C1D57

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0042B103

Strings

dND, xrefs: 0042B05E

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: ConnectRegistry_memmove_wcslen
String ID: dND
API String ID: 15295421-2949930476
Opcode ID: 7fc7db7d372c6bdccfb2cad089da295d78a9a9b714ee8072790ceb5259eb32e4
Instruction ID: 81dc02b54358f66ed3614a80f67056713dbe9fd88ba4affbe1041db58db7cb37
Opcode Fuzzy Hash: 7fc7db7d372c6bdccfb2cad089da295d78a9a9b714ee8072790ceb5259eb32e4
Instruction Fuzzy Hash: D8E14C71604211ABD714EF28D982F6BB7E4AF88704F548A1DF985CB281DB35ED01CB9A

Function 0042BCD8 Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 304comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0042BD40
CLSIDFromProgID.OLE32(?,?), ref: 0042BD58
CLSIDFromString.OLE32(?,?), ref: 0042BD6A
CoCreateInstance.OLE32(?,?,00000005,00442998,?), ref: 0042BDCF
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0042BE43
_memset.LIBCMT ref: 0042BE53
_wcslen.LIBCMT ref: 0042BF29
_memset.LIBCMT ref: 0042BF7D
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0042BFAC
CoTaskMemFree.OLE32(?), ref: 0042BFBB
CoSetProxyBlanket.OLE32(?,?,?,?,?,?,?,00000800), ref: 0042BFFE

Part of subcall function 004271BD: VariantInit.OLEAUT32(00000000), ref: 004271FD
Part of subcall function 004271BD: VariantCopy.OLEAUT32(00000000,00439A0A), ref: 00427207
Part of subcall function 004271BD: VariantClear.OLEAUT32 ref: 00427214

Strings

NULL Pointer assignment, xrefs: 0042C01F

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Variant$CreateFromInitializeInstance_memset$BlanketClearCopyFreeInitProgProxySecurityStringTask_wcslen
String ID: NULL Pointer assignment
API String ID: 3150643473-2785691316
Opcode ID: 8be6a5b418b0b8916d269b810139f955444585cc4395e73d64e40f0cb7c0a4d3
Instruction ID: cb0b4182174ce0a3eafd39ec3ca11537e1b62fd8a2bc655bbebe8cc2277168d4
Opcode Fuzzy Hash: 8be6a5b418b0b8916d269b810139f955444585cc4395e73d64e40f0cb7c0a4d3
Instruction Fuzzy Hash: 00B13BB1E10228ABDB14DFA4DC41BEEB7B8EF48700F50815AF909E7241EB745A45CBA4

Function 0042138A Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 294windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 004213C4
_wcslen.LIBCMT ref: 004213CF
__swprintf.LIBCMT ref: 0042146D
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 004214E0
GetClassNameW.USER32(?,?,00000400), ref: 0042155D
GetDlgCtrlID.USER32(?), ref: 004215B5
GetWindowRect.USER32(?,?), ref: 004215F0
GetParent.USER32(?), ref: 0042160F
ScreenToClient.USER32(00000000), ref: 00421616
GetClassNameW.USER32(?,?,00000100), ref: 0042168D
GetWindowTextW.USER32(?,?,00000400), ref: 004216CA

Strings

%s%u, xrefs: 00421467

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_wcslen
String ID: %s%u
API String ID: 1899580136-679674701
Opcode ID: 105c15bb59cb1d852d9799aa3ddcc5a34a06733cbec56e1f4fc21494e4c99737
Instruction ID: b3ed90d7a171798e41a44b5dc6dc96c2fc4ec6546476e0cb40e855db4cbbcdb8
Opcode Fuzzy Hash: 105c15bb59cb1d852d9799aa3ddcc5a34a06733cbec56e1f4fc21494e4c99737
Instruction Fuzzy Hash: 65A1C1722043119BDB10DF50D884BAF73A9FFE4310F44896AFD899B251DB38E946CBA5

Function 003F1329 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 003F139D
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 003F13AE
CreateCompatibleDC.GDI32(00000000), ref: 003F13B8
SelectObject.GDI32(00000000,?), ref: 003F13C5
StretchBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 003F142B
GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 003F1464

Strings

(, xrefs: 003F144C

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: CompatibleCreate$BitmapBitsObjectSelectStretch
String ID: (
API String ID: 3300687185-3887548279
Opcode ID: e684ff0c75917d2ace567d55caa17308a1a066e1306e438f3d93b9faa8a287e7
Instruction ID: fbaed40c29917dec5e17cc713a4deea4339124a45d82c223bf5ae396162f7f9d
Opcode Fuzzy Hash: e684ff0c75917d2ace567d55caa17308a1a066e1306e438f3d93b9faa8a287e7
Instruction Fuzzy Hash: 1F513975A00209AFDB14CFA8D985FAFBBB9EF49710F108419FA5997640D7B0A944CB60

Function 0041DA60 Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 141COMMON

Download Yara Rule

APIs

Part of subcall function 0041366C: CharLowerBuffW.USER32(?,?), ref: 00413681

Part of subcall function 004059E6: _wcslen.LIBCMT ref: 004059F6

GetDriveTypeW.KERNEL32 ref: 0041DB1F
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0041DB65
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0041DBA0
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0041DBDA

Part of subcall function 003C2390: _wcslen.LIBCMT ref: 003C239D
Part of subcall function 003C2390: _memmove.LIBCMT ref: 003C23C3

Strings

close, xrefs: 0041DACE
open , xrefs: 0041DB2E
type cdaudio alias cd wait, xrefs: 0041DB48
closed, xrefs: 0041DAE0, 0041DB08
wait, xrefs: 0041DB87
close cd wait, xrefs: 0041DBC1
open, xrefs: 0041DAF2
set cd door , xrefs: 0041DB6B

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: SendString$_wcslen$BuffCharDriveLowerType_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1976180769-4113822522
Opcode ID: 711d0af724b6969b8912622a0b5a3752e4a59fe787aae8785452c58efe9e7517
Instruction ID: 6f7ca1f7180f7232236a2e92b7fd2eb165dd7840228f86384261475e4c17fecc
Opcode Fuzzy Hash: 711d0af724b6969b8912622a0b5a3752e4a59fe787aae8785452c58efe9e7517
Instruction Fuzzy Hash: 22514BB15183409FD710EF10C882F5BB7E8BF88714F54891EF9859B292DB78E944CB9A

Function 003F29F2 Relevance: 21.1, APIs: 14, Instructions: 140timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 003F2A05
_wcslen.LIBCMT ref: 003F2A16
_wcslen.LIBCMT ref: 003F2A54
_wcsncpy.LIBCMT ref: 003F2A68
_wcslen.LIBCMT ref: 003F2A85
_wcsncpy.LIBCMT ref: 003F2A99
_wcslen.LIBCMT ref: 003F2AB5
_wcsncpy.LIBCMT ref: 003F2A38

Part of subcall function 003D30B0: __fassign.LIBCMT ref: 003D30A6

_wcslen.LIBCMT ref: 003F2AC5
_wcsncpy.LIBCMT ref: 003F2ADD
_wcslen.LIBCMT ref: 003F2AFE
_wcsncpy.LIBCMT ref: 003F2B12
_wcslen.LIBCMT ref: 003F2B2D
_wcsncpy.LIBCMT ref: 003F2B41

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: _wcslen$_wcsncpy$LocalTime__fassign
String ID:
API String ID: 461458858-0
Opcode ID: 21d61368bf48edbdb46062210561f1408bcce6bd1fd5541650aa59df2813a503
Instruction ID: 8fefadd231cfbeeed8a53418a28bd6b7a3a95c1b5cf27d972efe6f2cdc5a8ba4
Opcode Fuzzy Hash: 21d61368bf48edbdb46062210561f1408bcce6bd1fd5541650aa59df2813a503
Instruction Fuzzy Hash: 7A4152A7C10208B6DF26FBE5D8479DFB778EF45300F80C496E905A7251F770A69483A6

Function 004185C8 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 135registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 003C2390: _wcslen.LIBCMT ref: 003C239D
Part of subcall function 003C2390: _memmove.LIBCMT ref: 003C23C3

_memset.LIBCMT ref: 00418660
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00418698
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 004186B5
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 004186D3
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 00418701
CLSIDFromString.OLE32(?,?), ref: 0041872A
RegCloseKey.ADVAPI32(000001FE), ref: 00418736
RegCloseKey.ADVAPI32(?), ref: 0041873C

Strings

SOFTWARE\Classes\, xrefs: 004185F7
\CLSID, xrefs: 0041860F
dND, xrefs: 0041861C
\IPC$, xrefs: 0041867B

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$$dND
API String ID: 2901625445-442154740
Opcode ID: 9501be21b13b7447ee404431cc5f8a522ee47114c7daf8640a922dda3b53beea
Instruction ID: cecb3b772a2c9e9905e7a34aa3b821cfe50d8b2757a5c4e2a0b089f3e090cb04
Opcode Fuzzy Hash: 9501be21b13b7447ee404431cc5f8a522ee47114c7daf8640a922dda3b53beea
Instruction Fuzzy Hash: 6C411D76D00209ABCB15EFA4D845FEEB7B9EF84340F508029F915EB251EB74AD05CB94

Function 003F000A Relevance: 21.1, APIs: 14, Instructions: 134filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 003F0030
GetFileSize.KERNEL32(00000000,00000000), ref: 003F004B
GlobalAlloc.KERNEL32(00000002,00000000), ref: 003F0056
GlobalLock.KERNEL32(00000000), ref: 003F0063
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 003F0072
GlobalUnlock.KERNEL32(00000000), ref: 003F0079
CloseHandle.KERNEL32(00000000), ref: 003F0080
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 003F008D
OleLoadPicture.OLEAUT32(?,00000000,00000000,004429F8,?), ref: 003F00AB
GlobalFree.KERNEL32(00000000), ref: 003F00BD
GetObjectW.GDI32(?,00000018,?), ref: 003F00E4
CopyImage.USER32(?,00000000,?,?,00002000), ref: 003F0115
DeleteObject.GDI32(?), ref: 003F013D
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 003F0154

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3969911579-0
Opcode ID: 7c8486f200b8a382c4b25f8544feeee62c292c5f4423b8dc1976e8275bfc7f01
Instruction ID: fc1d3a2c5f588c44155ea7b458660a9c305e21a8e8885b4a06ba150640a3e20f
Opcode Fuzzy Hash: 7c8486f200b8a382c4b25f8544feeee62c292c5f4423b8dc1976e8275bfc7f01
Instruction Fuzzy Hash: 77415E79600208AFE715DFA8DD85FAA77B8FF49711F108164FA05EB290D7B4AD01CB64

Function 003F3478 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 84networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 003F3495
gethostname.WSOCK32(?,00000100), ref: 003F34AF
gethostbyname.WSOCK32(?), ref: 003F34BC
_wcscpy.LIBCMT ref: 003F34EB
WSACleanup.WSOCK32 ref: 003F34F3
_memmove.LIBCMT ref: 003F350A
inet_ntoa.WSOCK32(?), ref: 003F3516
_strcat.LIBCMT ref: 003F3524
_wcscpy.LIBCMT ref: 003F353B
WSACleanup.WSOCK32 ref: 003F3549
_wcscpy.LIBCMT ref: 003F355B

Strings

0.0.0.0, xrefs: 003F34E5

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: _wcscpy$Cleanup$Startup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 1965227024-3771769585
Opcode ID: 1e2f81df98c35e306a50701c7282e02e4635ddaea7b4b15fbed30e22943b8eb1
Instruction ID: af5ee33dda169817cf78d98cb9ea5430fbe2a28bdfae30029825a3e402010b91
Opcode Fuzzy Hash: 1e2f81df98c35e306a50701c7282e02e4635ddaea7b4b15fbed30e22943b8eb1
Instruction Fuzzy Hash: 73212C76A00118BBC711AB68EC45EFE737CDF86715F0042A6FA0997141EFB19A418BB1

Function 0041F55A Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 78COMMON

Download Yara Rule

APIs

Part of subcall function 003C2390: _wcslen.LIBCMT ref: 003C239D
Part of subcall function 003C2390: _memmove.LIBCMT ref: 003C23C3

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0041F5C2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0041F5D9
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0041F5EB
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0041F5FE
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0041F60B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0041F621

Strings

status PlayMe mode, xrefs: 0041F5BD
open , xrefs: 0041F571
play PlayMe, xrefs: 0041F61C
alias PlayMe, xrefs: 0041F59C
close PlayMe, xrefs: 0041F5D4, 0041F606
play PlayMe wait, xrefs: 0041F5F9

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: SendString$_memmove_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 369157077-1007645807
Opcode ID: e1a0018d90a453758c20d820baa086351c04ed22615e6d3224bf788b7ae2515c
Instruction ID: ac75afa9ec147da74de2124005fb670c4ead0ad5aaa6abddb5e761772ddda367
Opcode Fuzzy Hash: e1a0018d90a453758c20d820baa086351c04ed22615e6d3224bf788b7ae2515c
Instruction Fuzzy Hash: 7E216372A9021D66E721B794DC42FFF7368AF80B01F104526FA05EA1D1DBB46D868798

Function 00405AEA Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 77windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00405AFE
GetClassNameW.USER32(00000000,?,00000100), ref: 00405B13
__wcsicoll.LIBCMT ref: 00405B39
__wcsicoll.LIBCMT ref: 00405B55
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00405BAF

Strings

SHELLDLL_DefView, xrefs: 00405B1F
largeicons, xrefs: 00405B33
smallicons, xrefs: 00405B6B
details, xrefs: 00405B4F
list, xrefs: 00405B91

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: __wcsicoll$ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 3125838495-3381328864
Opcode ID: ce73fae68b244fe2914d7b5b2104015f403fcf023cf38db446db7ff4bf4f8b95
Instruction ID: 263b53b245b4f0d51afbf5f27dfe6062545a7c5464c3ffe0c56789ea294eb1cc
Opcode Fuzzy Hash: ce73fae68b244fe2914d7b5b2104015f403fcf023cf38db446db7ff4bf4f8b95
Instruction Fuzzy Hash: 2111B772B44304BBEB10AA64AC06EB773ACDB55712F000167FD44E7281F6B8B8158A69

Function 00409112 Relevance: 19.7, APIs: 13, Instructions: 246windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,000000FF,?), ref: 004091FD
SendMessageW.USER32(?,?,00000000,00000000), ref: 00409210
CharNextW.USER32(?,?,?,000000FF,?), ref: 00409242
SendMessageW.USER32(?,?,00000000,00000000), ref: 0040925A
SendMessageW.USER32(?,?,00000000,?), ref: 0040928B
SendMessageW.USER32(?,?,000000FF,?), ref: 004092A2
SendMessageW.USER32(?,?,00000000,00000000), ref: 004092B5
SendMessageW.USER32(?,00000402,?), ref: 004092F2
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00409366
SendMessageW.USER32(?,00001002,00000000,?), ref: 004093D0

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 435a878c2010e14ce73dc9c524274da8bceebecb701ab65ebadcfc19fbd54297
Instruction ID: b0b04931236be818247adc1f8bd9bae9c37270c91c9c892423ac0808db060047
Opcode Fuzzy Hash: 435a878c2010e14ce73dc9c524274da8bceebecb701ab65ebadcfc19fbd54297
Instruction Fuzzy Hash: 5E81D136600119ABDB10DF94DC84FFFB778EB55720F10826AFA14AB2C1D7B99D418BA4

Function 00438610 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 197COMMON

Download Yara Rule

APIs

Part of subcall function 0041366C: CharLowerBuffW.USER32(?,?), ref: 00413681

Part of subcall function 004059E6: _wcslen.LIBCMT ref: 004059F6

GetDriveTypeW.KERNEL32(?), ref: 00438773
_wcscpy.LIBCMT ref: 0043879F

Strings

dND, xrefs: 00438624
fixed, xrefs: 004386D2
ramdisk, xrefs: 0043870C
a, xrefs: 00438745
unknown, xrefs: 00438729
all, xrefs: 00438675
removable, xrefs: 004386B5
network, xrefs: 004386EF
cdrom, xrefs: 00438695

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy_wcslen
String ID: a$all$cdrom$dND$fixed$network$ramdisk$removable$unknown
API String ID: 3052893215-349175299
Opcode ID: a9e060beb0a2492aaee988efaf3578aad3c5f9bf81fe15ae7159d8bffd6f3d20
Instruction ID: dbbb67c7b875ad0ee082e75cfd86b8943d9f8952dd5a14beb838390cd0c257e8
Opcode Fuzzy Hash: a9e060beb0a2492aaee988efaf3578aad3c5f9bf81fe15ae7159d8bffd6f3d20
Instruction Fuzzy Hash: B061A2725043019BC700EF54CC82F5BB7E5EF98345F24482EF9849B392DB79E9498B9A

Function 0041E724 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 163COMMON

Download Yara Rule

APIs

LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0041E76C

Part of subcall function 003C1D10: _wcslen.LIBCMT ref: 003C1D11
Part of subcall function 003C1D10: _memmove.LIBCMT ref: 003C1D57

LoadStringW.USER32(?,?,?,00000FFF), ref: 0041E78D
__swprintf.LIBCMT ref: 0041E7E4
_wprintf.LIBCMT ref: 0041E8A0
_wprintf.LIBCMT ref: 0041E8C4

Strings

Error: , xrefs: 0041E867
^ ERROR, xrefs: 0041E83E
%s (%d) : ==> %s:%s%s, xrefs: 0041E89B
Line %d (File "%s"):, xrefs: 0041E7DE
%s (%d) : ==> %s:, xrefs: 0041E8BF

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: LoadString_wprintf$__swprintf_memmove_wcslen
String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2295938435-2354261254
Opcode ID: 2b9687606f691c0f71e6bbf26e171d581debe50bc0ef61632aab357d1d6205db
Instruction ID: e9d449e535a368acf873b51bff07ede15b85b98ea486cd142a0d215dabce47b9
Opcode Fuzzy Hash: 2b9687606f691c0f71e6bbf26e171d581debe50bc0ef61632aab357d1d6205db
Instruction Fuzzy Hash: F451B471A10219ABDB15EFA0DC81EFF7378EF45350F14402AF905AB242EB74AE45CBA4

Function 00413126 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 160COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 0041315E
__i64tow.LIBCMT ref: 0041317B
__swprintf.LIBCMT ref: 0041319C
__swprintf.LIBCMT ref: 004131B8
_wcscpy.LIBCMT ref: 004131D6
_wcscpy.LIBCMT ref: 00413212

Strings

False, xrefs: 004131E9
True, xrefs: 004131D0
%.15g, xrefs: 00413196
0x%p, xrefs: 004131B2

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: __swprintf_wcscpy$__i64tow__itow
String ID: %.15g$0x%p$False$True
API String ID: 3038501623-2263619337
Opcode ID: eef7a8259f2c31560c2711f98e6b38a34a9d5b13a867796e56bc8d88bb0d9463
Instruction ID: 4f952346c317bdb790b1e5a942a5ff301537e2589774d7c088728f8ad4cd853c
Opcode Fuzzy Hash: eef7a8259f2c31560c2711f98e6b38a34a9d5b13a867796e56bc8d88bb0d9463
Instruction Fuzzy Hash: 1F41E7729001109BDB10FF74EC42FAA7378EF55311F0485EBE909CB346EA35DA5987AA

Function 0041E525 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 154COMMON

Download Yara Rule

APIs

LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0041E56D

Part of subcall function 003C1D10: _wcslen.LIBCMT ref: 003C1D11
Part of subcall function 003C1D10: _memmove.LIBCMT ref: 003C1D57

LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0041E58C
__swprintf.LIBCMT ref: 0041E5E3
_wprintf.LIBCMT ref: 0041E690
_wprintf.LIBCMT ref: 0041E6B4

Strings

Error: , xrefs: 0041E657
^ ERROR , xrefs: 0041E626
%s (%d) : ==> %s:%s%s, xrefs: 0041E68B
Line %d (File "%s"):, xrefs: 0041E5DD
%s (%d) : ==> %s:, xrefs: 0041E6AF

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: LoadString_wprintf$__swprintf_memmove_wcslen
String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2295938435-8599901
Opcode ID: 9c4199e5483f1308b058a0bbec5aadbfe9a1033a2085fca857e4ead4de53e999
Instruction ID: 8dba80e4dd3d686824cac9a4f78430b99d9586b8b22c9b0893ddfc674819884c
Opcode Fuzzy Hash: 9c4199e5483f1308b058a0bbec5aadbfe9a1033a2085fca857e4ead4de53e999
Instruction Fuzzy Hash: C051A935D002099BDB15EBA0DC86EFF7778EF44340F50802AF9156B242EB74AE45CB64

Function 0041268F Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 147COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 004126B4
__fread_nolock.LIBCMT ref: 004126F6
__fread_nolock.LIBCMT ref: 00412714
_wcscpy.LIBCMT ref: 00412748
__fread_nolock.LIBCMT ref: 00412758
__fread_nolock.LIBCMT ref: 00412776
_wcscpy.LIBCMT ref: 004127A7
_fseek.LIBCMT ref: 004127E1
__fread_nolock.LIBCMT ref: 004127F4
_fseek.LIBCMT ref: 0041280D

Strings

FILE, xrefs: 004126CF

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: __fread_nolock$_fseek_wcscpy
String ID: FILE
API String ID: 3888824918-3121273764
Opcode ID: 879398c9922bd37d82c8938ccdf573510cdcbd5477323710c77883603e59114d
Instruction ID: 7647ddee409942b1dde0a285fbbec84b4835262af166c30ba47e16034b14e6ea
Opcode Fuzzy Hash: 879398c9922bd37d82c8938ccdf573510cdcbd5477323710c77883603e59114d
Instruction Fuzzy Hash: B2418AB2910204B7DB20EFA4DCC1FEB73BDAF58700F14455AB904AB281E6B59B54CBA5

Function 00403A65 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 99sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00403A6B

Part of subcall function 003CC870: timeGetTime.WINMM(003EDCE3), ref: 003CC870

Sleep.KERNEL32(0000000A), ref: 00403AA3
FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00403ACC
SetActiveWindow.USER32(?), ref: 00403AF0
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00403B00
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00403B26
Sleep.KERNEL32(000000FA), ref: 00403B31
IsWindow.USER32(?), ref: 00403B3E
EndDialog.USER32(?,00000000), ref: 00403B50

Part of subcall function 004038C5: GetWindowThreadProcessId.USER32(?,00000000), ref: 004038E8
Part of subcall function 004038C5: GetCurrentThreadId.KERNEL32 ref: 004038EF
Part of subcall function 004038C5: AttachThreadInput.USER32(00000000), ref: 004038F6

EnumThreadWindows.USER32(00000000,Function_00033CEE,00000000), ref: 00403B6F

Strings

BUTTON, xrefs: 00403ABD

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: ThreadWindow$MessageSendSleepTimetime$ActiveAttachCurrentDialogEnumFindInputProcessWindows
String ID: BUTTON
API String ID: 1834419854-3405671355
Opcode ID: aae3f0ddf635ccffdfeca7ed1bdeae61ff746ea76e6c29b44c34a42f9fc627c3
Instruction ID: 92dbe9649f4c2b4d2aecfda0be25a3adaee5f7d39113251d5e5dc76c3e18c6eb
Opcode Fuzzy Hash: aae3f0ddf635ccffdfeca7ed1bdeae61ff746ea76e6c29b44c34a42f9fc627c3
Instruction Fuzzy Hash: 8731F776344200BBE3209F60BD49F163B68AB4172AF504076FA01EA2D1E6B4E441876E

Function 003D04E0 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 56windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 003D0513
RegisterClassExW.USER32(00000030), ref: 003D053D
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003D054E
InitCommonControlsEx.COMCTL32(004690E8), ref: 003D056B
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003D057B
LoadIconW.USER32(00000000,000000A9), ref: 003D0592
ImageList_ReplaceIcon.COMCTL32(00000000,000000FF,00000000), ref: 003D05A2

Strings

AutoIt v3 GUI, xrefs: 003D052F
TaskbarCreated, xrefs: 003D0543
0, xrefs: 003D04F5
+, xrefs: 003D04FC

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: e8d584e3963776543ff5eda3c74ed16ab9aff3d0781a63c7ee3338e5d9030f3a
Instruction ID: ea675e15cc93ae3a900f482eba8d8e3aa40609f4fa2c124d4395a45994c55664
Opcode Fuzzy Hash: e8d584e3963776543ff5eda3c74ed16ab9aff3d0781a63c7ee3338e5d9030f3a
Instruction Fuzzy Hash: 7321F9B4901308AFDB10DF94E949B9DBBB4FB09710F51822AF605A6390D7F44544CF99

Function 00413BCC Relevance: 18.2, APIs: 12, Instructions: 190keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00413C55
SetKeyboardState.USER32(?), ref: 00413CB0
GetAsyncKeyState.USER32(000000A0), ref: 00413CD3
GetKeyState.USER32(000000A0), ref: 00413CEA
GetAsyncKeyState.USER32(000000A1), ref: 00413D19
GetKeyState.USER32(000000A1), ref: 00413D2A
GetAsyncKeyState.USER32(00000011), ref: 00413D56
GetKeyState.USER32(00000011), ref: 00413D64
GetAsyncKeyState.USER32(00000012), ref: 00413D8D
GetKeyState.USER32(00000012), ref: 00413D9B
GetAsyncKeyState.USER32(0000005B), ref: 00413DC4
GetKeyState.USER32(0000005B), ref: 00413DD2

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 09792d26b6dc00bc2612cc11f19eea7ebe78e7105bc4b413fd5af269767428c4
Instruction ID: 75b27f3fbd8f3a9dbf3ff3bc45cfa75c6244671e8f3e4a12c34d62b4426fdc6b
Opcode Fuzzy Hash: 09792d26b6dc00bc2612cc11f19eea7ebe78e7105bc4b413fd5af269767428c4
Instruction Fuzzy Hash: BA61F63590478869FB319F6488457EBBBB44F12305F08459FD5C1266C2E6BCABCCC7AA

Function 003F57C5 Relevance: 18.2, APIs: 12, Instructions: 184COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 003F57E9
GetWindowRect.USER32(00000000,?), ref: 003F57FB
MoveWindow.USER32(?,0000000A,?,?,?,00000000), ref: 003F5865
GetDlgItem.USER32(?,00000002), ref: 003F5878
GetWindowRect.USER32(00000000,?), ref: 003F588A
MoveWindow.USER32(?,?,00000000,?,00000001,00000000), ref: 003F58DC
GetDlgItem.USER32(?,000003E9), ref: 003F58EA
GetWindowRect.USER32(00000000,?), ref: 003F58FC
MoveWindow.USER32(?,0000000A,00000000,?,?,00000000), ref: 003F5941
GetDlgItem.USER32(?,000003EA), ref: 003F594F
MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 003F5968
InvalidateRect.USER32(?,00000000,00000001), ref: 003F5975

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 31357877353da1f49dbd3c504381673cf39ae26f7880edd5d26deb8df6712a9c
Instruction ID: 2ad952dd7e93bd8c33f699bcd8baaf23aecef4d00d0e51d6f3dc70778d36a7e8
Opcode Fuzzy Hash: 31357877353da1f49dbd3c504381673cf39ae26f7880edd5d26deb8df6712a9c
Instruction Fuzzy Hash: 7A513F75B00609AFDB18CF69DD95AAEB7BAFB88310F158129FA05E7390D770ED008B50

Function 00405E3B Relevance: 18.2, APIs: 12, Instructions: 182COMMON

Download Yara Rule

APIs

Part of subcall function 003F6DB5: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 003F6DCF
Part of subcall function 003F6DB5: GetLastError.KERNEL32(?,00000000,?), ref: 003F6DD9
Part of subcall function 003F6DB5: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 003F6DFF

Part of subcall function 003F6D81: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 003F6D9C

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00405EA1
_memset.LIBCMT ref: 00405EB6
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00405ED5
GetLengthSid.ADVAPI32(?), ref: 00405EE7
GetAce.ADVAPI32(?,00000000,?), ref: 00405F24
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00405F40
GetLengthSid.ADVAPI32(?), ref: 00405F58
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00405F81
CopySid.ADVAPI32(00000000), ref: 00405F88
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00405FBA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00405FDC
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00405FEF

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3490752873-0
Opcode ID: 105a9596a82440c3cd5ef367265d397c1720b81069965123e01240467002f440
Instruction ID: 88ecd1c7aaf580c680552df670facc061a83038a2bfdbbcda6e1645e566705cb
Opcode Fuzzy Hash: 105a9596a82440c3cd5ef367265d397c1720b81069965123e01240467002f440
Instruction Fuzzy Hash: 87516DB590060AABDB20DFA4CC85EEFB7B8FF45700F048529F615EB281D6789A05CB64

Function 00431493 Relevance: 18.1, APIs: 12, Instructions: 132windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00431496
LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002010), ref: 004314B1
SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 004314CA
DeleteObject.GDI32(?), ref: 004314D8
DestroyIcon.USER32(?,?,000000F7,00000000,00000000,?,000000F0), ref: 004314E6
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00002010), ref: 00431529
SendMessageW.USER32(?,000000F7,00000001,00000000), ref: 00431542
ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 00431563
DestroyIcon.USER32(?,?,?,?,?,?,000000F0), ref: 00431587
SendMessageW.USER32(?,000000F7,00000001,?), ref: 00431596
DeleteObject.GDI32(?), ref: 004315A4
DestroyIcon.USER32(?,?,000000F7,00000001,?,?,?,?,?,?,000000F0), ref: 004315B2

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Icon$DestroyMessageSend$DeleteImageLoadObject$ExtractLongWindow
String ID:
API String ID: 3218148540-0
Opcode ID: 55f9f452f9997f374a1447e2f046c14d587409572f781430c257eb6c1f24fed4
Instruction ID: 5a487c6ace5da0f6133092409dfe0271f9ed7d65449db44ffffb113100ddd4b9
Opcode Fuzzy Hash: 55f9f452f9997f374a1447e2f046c14d587409572f781430c257eb6c1f24fed4
Instruction Fuzzy Hash: 9741C475740306ABDB20DF64ED49FAB77A8EB94711F00452AFA02E72D0C7B5E845CB64

Function 003F3769 Relevance: 18.1, APIs: 12, Instructions: 119COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 003F3781
_wcscpy.LIBCMT ref: 003F378F
__wsplitpath.LIBCMT ref: 003F37BD
__wsplitpath.LIBCMT ref: 003F37DF
_wcscpy.LIBCMT ref: 003F3803
_wcscpy.LIBCMT ref: 003F3822
_wcscpy.LIBCMT ref: 003F3832
_wcscat.LIBCMT ref: 003F383F
_wcscat.LIBCMT ref: 003F3899
_wcscat.LIBCMT ref: 003F38CF
_wcscat.LIBCMT ref: 003F38DF

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
String ID:
API String ID: 136442275-0
Opcode ID: 5c85b8040986ebc70c1a73973d42d231fd8ae5cefee5c55bf82a2bf9200c4bcc
Instruction ID: 7f6d6e90e9e3f43cfe6f4fa594d2590f79b077d494c7384a8c0423554e8e04e5
Opcode Fuzzy Hash: 5c85b8040986ebc70c1a73973d42d231fd8ae5cefee5c55bf82a2bf9200c4bcc
Instruction Fuzzy Hash: 6E4183B380021C67DB26EB50DC91EFE737CAB94710F0086DAF60966140EA746FC98FA1

Function 00436759 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 307COMMON

Download Yara Rule

Strings

dND, xrefs: 00436781

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID:
String ID: dND
API String ID: 0-2949930476
Opcode ID: d50ba7e2679a48e6b9f20b8e4964f8e5eda1b4c4ae2a6f2299e5d6aec8b7931d
Instruction ID: 77890b34f2963f1b174c3789fbfdd58c7211fa6493fc24e058a3556ff3dfbfe5
Opcode Fuzzy Hash: d50ba7e2679a48e6b9f20b8e4964f8e5eda1b4c4ae2a6f2299e5d6aec8b7931d
Instruction Fuzzy Hash: 50A17972604301ABD310EF64D842F5BB7E5ABC9710F14892EF595DB281EA75EC048B92

Function 00420D60 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 255COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00420DA2
GetWindowTextW.USER32(?,?,00000400), ref: 00420DDE
_wcslen.LIBCMT ref: 00420DEF
CharUpperBuffW.USER32(?,00000000), ref: 00420DFD
GetClassNameW.USER32(?,?,00000400), ref: 00420E70
GetWindowTextW.USER32(?,?,00000400), ref: 00420EA9
GetClassNameW.USER32(?,?,00000400), ref: 00420EED
GetClassNameW.USER32(?,?,00000400), ref: 00420F25
GetWindowRect.USER32(?,?), ref: 00420F94

Part of subcall function 003F198A: _memmove.LIBCMT ref: 003F19CA

Strings

ThumbnailClass, xrefs: 00420E7B, 00420EF4

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_memmove_wcslen
String ID: ThumbnailClass
API String ID: 4136854206-1241985126
Opcode ID: 7fb1b332e994986c8560795f136a5d8168f9bdf6e7e7925b2dedc13816e4509c
Instruction ID: c594a4301890046a3a2a4274d2467a01242530d72235aa5219fc3b3613476a20
Opcode Fuzzy Hash: 7fb1b332e994986c8560795f136a5d8168f9bdf6e7e7925b2dedc13816e4509c
Instruction Fuzzy Hash: E091E4712043109FCB14DF10D980BABB7E8EF94714F45891EFD89AB242D778E945CBA6

Function 0042665E Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 213COMMON

Download Yara Rule

APIs

Part of subcall function 003C2390: _wcslen.LIBCMT ref: 003C239D
Part of subcall function 003C2390: _memmove.LIBCMT ref: 003C23C3

_wcstok.LIBCMT ref: 004266FF

Part of subcall function 003D3DD8: __getptd.LIBCMT ref: 003D3DDE

_wcscpy.LIBCMT ref: 0042678E
_memset.LIBCMT ref: 004267B4
GetOpenFileNameW.COMDLG32(00000058), ref: 004268C1
_wcslen.LIBCMT ref: 004268E0
_wcslen.LIBCMT ref: 0042690A

Part of subcall function 004211B1: _memmove.LIBCMT ref: 00421244

GetSaveFileNameW.COMDLG32(00000058), ref: 00426954

Strings

@OD, xrefs: 004266BE
X, xrefs: 004267E3
@OD, xrefs: 00426914
@OD, xrefs: 00426713

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: _wcslen$FileName_memmove$OpenSave__getptd_memset_wcscpy_wcstok
String ID: @OD$@OD$@OD$X
API String ID: 2090881903-2855337533
Opcode ID: 5de0ebee0d14acca571e8d00e03f41aa78882c043f915f082467266a2b3c1eac
Instruction ID: 07e4a2d7e9282094d6e25e0fd38b2394b0b603a2e8d6a546a6e54c5ea201ae39
Opcode Fuzzy Hash: 5de0ebee0d14acca571e8d00e03f41aa78882c043f915f082467266a2b3c1eac
Instruction Fuzzy Hash: 6D81D1716043408BD715EF20E881E5FB3E5AFC4354F518A2EF99A8B261DB38ED46CB46

Function 004310AB Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 157windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00416308: GetCursorPos.USER32(?), ref: 0041631D
Part of subcall function 00416308: ScreenToClient.USER32(?,?), ref: 0041633A
Part of subcall function 00416308: GetAsyncKeyState.USER32(?), ref: 00416377
Part of subcall function 00416308: GetAsyncKeyState.USER32(?), ref: 00416387

DefDlgProcW.USER32(?,00000205,?,?), ref: 004310FF
ImageList_DragLeave.COMCTL32(00000000), ref: 0043111D
ImageList_EndDrag.COMCTL32 ref: 00431123
ReleaseCapture.USER32 ref: 00431129
SetWindowTextW.USER32(?,00000000), ref: 004311C0
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 004311D0

Strings

dND, xrefs: 00431226
@GUI_DROPID, xrefs: 004311FF
@GUI_DRAGFILE, xrefs: 00431234

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: AsyncDragImageList_State$CaptureClientCursorLeaveMessageProcReleaseScreenSendTextWindow
String ID: @GUI_DRAGFILE$@GUI_DROPID$dND
API String ID: 2483343779-3326785506
Opcode ID: 4b6c5682c05005f0a43076529a7c4d867d18867b0495482a0e15da405d394ca7
Instruction ID: 88d1d851e4f59fa37f3e3bcf39bb7d202bb450277f9ff6aa36f2002ea667e1bd
Opcode Fuzzy Hash: 4b6c5682c05005f0a43076529a7c4d867d18867b0495482a0e15da405d394ca7
Instruction Fuzzy Hash: F451EF352043119BD714EF18CC89FAB77A4FF88350F00462EF9419B2A2DB749C45CBAA

Function 00431874 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 147windowCOMMON

Download Yara Rule

APIs

ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 00431881
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004318DC
SendMessageW.USER32(?,00001109,00000000,00000000), ref: 00431901
ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 0043191A
SendMessageW.USER32(?,0000113E,00000000,?), ref: 0043199A
SendMessageW.USER32(?,0000113F,00000000,00000032), ref: 004319C7
GetClientRect.USER32(?,?), ref: 004319D4
RedrawWindow.USER32(?,?,00000000,00000000), ref: 004319E3
DestroyIcon.USER32(?), ref: 00431AAE

Strings

2, xrefs: 00431993

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: IconMessageSend$ImageList_$ClientCreateDestroyExtractRectRedrawReplaceWindow
String ID: 2
API String ID: 1331449709-450215437
Opcode ID: 9af043a63b973663a25e30961ebaccd3cf6cbdcb45a86e4c502ac0d4b530b31e
Instruction ID: 57cae8f0c468949794fd52b8aa7cb75f0fbdf385d03d2027de275f22027e5637
Opcode Fuzzy Hash: 9af043a63b973663a25e30961ebaccd3cf6cbdcb45a86e4c502ac0d4b530b31e
Instruction Fuzzy Hash: 4A519E74A00209AFDB10CF94CC95BEEB7B9FF89310F10815AFA44AB3A1D7B4A945CB55

Function 00410BB7 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 00410C16

Strings

static, xrefs: 00410BF8

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: DestroyWindow
String ID: static
API String ID: 3375834691-2160076837
Opcode ID: af23a36da3e4d09e22f794b70ba1cb23bd4a3e4d52840b329e1a4f58f071407c
Instruction ID: d07e2ca63e7f9275448af8fb1ef3d9be3471036baf80f84c1b27ed9c5c1b5668
Opcode Fuzzy Hash: af23a36da3e4d09e22f794b70ba1cb23bd4a3e4d52840b329e1a4f58f071407c
Instruction Fuzzy Hash: 47418075250209ABDB149F64DD85FEB3368EB99724F10432AFA14D72D0D7B4E881CBA8

Function 003F6ED1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 111threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000008,00000000,?), ref: 003F6EF4
OpenThreadToken.ADVAPI32(00000000), ref: 003F6EF7
GetCurrentProcess.KERNEL32(00000008,?), ref: 003F6F07
OpenProcessToken.ADVAPI32(00000000), ref: 003F6F0A
LookupPrivilegeValueW.ADVAPI32(00000000,SeAssignPrimaryTokenPrivilege,?), ref: 003F6F43
LookupPrivilegeValueW.ADVAPI32(00000000,SeIncreaseQuotaPrivilege,?), ref: 003F6F5A
_memcmp.LIBCMT ref: 003F6F8B
CloseHandle.KERNEL32(?), ref: 003F6FD5

Strings

SeAssignPrimaryTokenPrivilege, xrefs: 003F6F3B
SeIncreaseQuotaPrivilege, xrefs: 003F6F51

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Process$CurrentLookupOpenPrivilegeTokenValue$CloseHandleThread_memcmp
String ID: SeAssignPrimaryTokenPrivilege$SeIncreaseQuotaPrivilege
API String ID: 1446985595-805462909
Opcode ID: da1e6ce4da83bbff180f9fd4f5f43a07e9e994a9de09d22f5ac4a086a9cd7865
Instruction ID: 7e30379cf6553bf2c0130bd2e94f80db1998c86ac5fe94b3343e85c1d2ec6793
Opcode Fuzzy Hash: da1e6ce4da83bbff180f9fd4f5f43a07e9e994a9de09d22f5ac4a086a9cd7865
Instruction Fuzzy Hash: 7C318C72D0031DABDB12CFA1DD46AFEB7B8FF85710F14445AEA00A7240E774AA45CBA0

Function 0041D938 Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 88COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0041D946
GetDriveTypeW.KERNEL32(?,?), ref: 0041D998
SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0041DA38

Strings

CDROM, xrefs: 0041D9E2
Removable, xrefs: 0041D9B5
RAMDisk, xrefs: 0041D9F1
Network, xrefs: 0041D9D3
Unknown, xrefs: 0041DA00
dND, xrefs: 0041DA0F
Fixed, xrefs: 0041D9C4

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown$dND
API String ID: 2907320926-1967378714
Opcode ID: 520b35f5d93606fb2a0b550e2ee632cf3a1738870f2b0bf5245fef6b63dc9841
Instruction ID: 34e5ec21f4633d5d862429f33d74bbd6013e42d2184a10b47afbd188637a98ca
Opcode Fuzzy Hash: 520b35f5d93606fb2a0b550e2ee632cf3a1738870f2b0bf5245fef6b63dc9841
Instruction Fuzzy Hash: BC316BB5A142089FDB00EFA8D485A9EB7B0FF49310B10815BF905DB312C738ED41DB5A

Function 003D03E0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 76windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 003D03EB
LoadCursorW.USER32(00000000,00007F00), ref: 003D03FA
LoadIconW.USER32(?,00000063), ref: 003D0410
LoadIconW.USER32(?,000000A4), ref: 003D0423
LoadIconW.USER32(?,000000A2), ref: 003D0436
LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 003D045E
RegisterClassExW.USER32(?), ref: 003D04AD

Part of subcall function 003D04E0: GetSysColorBrush.USER32(0000000F), ref: 003D0513
Part of subcall function 003D04E0: RegisterClassExW.USER32(00000030), ref: 003D053D
Part of subcall function 003D04E0: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003D054E
Part of subcall function 003D04E0: InitCommonControlsEx.COMCTL32(004690E8), ref: 003D056B
Part of subcall function 003D04E0: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003D057B
Part of subcall function 003D04E0: LoadIconW.USER32(00000000,000000A9), ref: 003D0592
Part of subcall function 003D04E0: ImageList_ReplaceIcon.COMCTL32(00000000,000000FF,00000000), ref: 003D05A2

Strings

#, xrefs: 003D0483
0, xrefs: 003D047C
AutoIt v3, xrefs: 003D0499

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: a6739d036f53a5f1fff1aadb4ad2327b36613dad56d57b6b98e1c401173b1bcb
Instruction ID: 4a21a1eca50ffe0197b38d33ea4e8c436fb3bc87c386ff0887bdbf7b7d09e776
Opcode Fuzzy Hash: a6739d036f53a5f1fff1aadb4ad2327b36613dad56d57b6b98e1c401173b1bcb
Instruction Fuzzy Hash: 02214DB5D44318ABD714DFA9EC45F9D7BB8BB48704F00416AE604A7291E7F499008B99

Function 0040807C Relevance: 16.7, APIs: 11, Instructions: 187windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00408101
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00408104
GetWindowLongW.USER32(?,000000F0), ref: 00408128
_memset.LIBCMT ref: 00408139
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040814B
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 004081BF
SendMessageW.USER32(?,00001074,?,00000007), ref: 0040820D
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00408228
SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 0040824A
SendMessageW.USER32(?,0000101E,00000001,?), ref: 00408261
SendMessageW.USER32(?,00001008,?,00000007), ref: 00408279

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: cd08758c62e121aec0cece4c392adfc9442d0dece60e75ede4d6dd8b607af079
Instruction ID: a3410041fc10909de40d920f6cd4881ceac2f4d6b94fffa7dafc2358f743a6d3
Opcode Fuzzy Hash: cd08758c62e121aec0cece4c392adfc9442d0dece60e75ede4d6dd8b607af079
Instruction Fuzzy Hash: 1C616C74A00208AFDB10DF94DD85FEA73B8AF49310F1042ADFA54AB3D1DBB4AA45CB54

Function 004308E2 Relevance: 16.7, APIs: 11, Instructions: 166windowtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 003EFF70: InvalidateRect.USER32(?,00000000,00000001), ref: 003EFFFE

DestroyAcceleratorTable.USER32(?), ref: 00430904
ImageList_Destroy.COMCTL32(?), ref: 00430967
ImageList_Destroy.COMCTL32(?), ref: 0043097F
ImageList_Destroy.COMCTL32(?), ref: 0043098F
DeleteObject.GDI32(?), ref: 004309BE
DestroyIcon.USER32(?), ref: 004309D6
DeleteObject.GDI32(?), ref: 004309EE
DestroyWindow.USER32(?), ref: 00430A06
DestroyIcon.USER32(?), ref: 00430A2D
DestroyIcon.USER32(?), ref: 00430A3B
KillTimer.USER32(00000000,00000000), ref: 00430ABA

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Destroy$IconImageList_$DeleteObject$AcceleratorInvalidateKillRectTableTimerWindow
String ID:
API String ID: 1237572874-0
Opcode ID: 4eab6a84c9d62c2d3c595409e8dc03ebffc84d8d8ef2e8fdd3aa4618acc17ca5
Instruction ID: 06cd7df91358d1c70a5fd154a9a6121848dbbc1fdad4916c398b0c1bfc86e3d0
Opcode Fuzzy Hash: 4eab6a84c9d62c2d3c595409e8dc03ebffc84d8d8ef2e8fdd3aa4618acc17ca5
Instruction Fuzzy Hash: E2617E746002018FDB24EF69EDA4F2637A9BF59304F54126DE505CB3A2DBB8EC01CB5A

Function 0043931C Relevance: 16.6, APIs: 11, Instructions: 147memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,004395B7), ref: 0043933A
SafeArrayAllocData.OLEAUT32(004395B7), ref: 00439389
VariantInit.OLEAUT32(?), ref: 0043939B
SafeArrayAccessData.OLEAUT32(004395B7,?), ref: 004393BC
VariantCopy.OLEAUT32(?,?), ref: 0043941B
SafeArrayUnaccessData.OLEAUT32(004395B7), ref: 0043942E
VariantClear.OLEAUT32(?), ref: 00439443
SafeArrayDestroyData.OLEAUT32(004395B7), ref: 00439468
SafeArrayDestroyDescriptor.OLEAUT32(004395B7), ref: 00439472
VariantClear.OLEAUT32(?), ref: 00439484
SafeArrayDestroyDescriptor.OLEAUT32(004395B7), ref: 004394A1

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 63a94c20cdae3818ec2fdbb475bb85fc4024bf9b345ed8bb55b7ca6f44bfa77c
Instruction ID: fd3045c767291b62f8cb5d5a24a7f42982ac41dabf92805fb928ee771a2f89ee
Opcode Fuzzy Hash: 63a94c20cdae3818ec2fdbb475bb85fc4024bf9b345ed8bb55b7ca6f44bfa77c
Instruction Fuzzy Hash: 9A515C76A00219EFCB00DFA4D9899EEB778FF48304F51456EF905A7201DB75AE06CBA0

Function 004046C5 Relevance: 16.6, APIs: 11, Instructions: 130keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 004046F3
GetAsyncKeyState.USER32(000000A0), ref: 0040477E
GetKeyState.USER32(000000A0), ref: 0040478F
GetAsyncKeyState.USER32(000000A1), ref: 004047AD
GetKeyState.USER32(000000A1), ref: 004047BE
GetAsyncKeyState.USER32(00000011), ref: 004047DA
GetKeyState.USER32(00000011), ref: 004047E8
GetAsyncKeyState.USER32(00000012), ref: 00404804
GetKeyState.USER32(00000012), ref: 00404812
GetAsyncKeyState.USER32(0000005B), ref: 0040482E
GetKeyState.USER32(0000005B), ref: 0040483D

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: d350aa26cde7627fbb41cc367a1ccd3c86dfca56b499eec1c6e2cf2d81c78ace
Instruction ID: 7c53e8e8b73ab87104a82bee6971d4deaa1e6c3e48573624213ee1183b90e247
Opcode Fuzzy Hash: d350aa26cde7627fbb41cc367a1ccd3c86dfca56b499eec1c6e2cf2d81c78ace
Instruction Fuzzy Hash: E04107B85047C929FF31A76485043A7BAE16B93300F4480ABD6C5277C1D7F999C4C7AA

Function 00430B26 Relevance: 16.6, APIs: 11, Instructions: 125COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00430B80

Part of subcall function 003D14F7: _malloc.LIBCMT ref: 003D1511

_wcscpy.LIBCMT ref: 00430BA4
VariantInit.OLEAUT32(?), ref: 00430C06
VariantInit.OLEAUT32(?), ref: 00430C14
VariantInit.OLEAUT32(?), ref: 00430C1A
VariantInit.OLEAUT32(?), ref: 00430C23
VariantInit.OLEAUT32(?), ref: 00430C2C
VariantInit.OLEAUT32(?), ref: 00430C3A
VariantInit.OLEAUT32(?), ref: 00430C43
VariantInit.OLEAUT32(?), ref: 00430C54
VariantInit.OLEAUT32 ref: 00430C6F

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: InitVariant$_malloc_wcscpy_wcslen
String ID:
API String ID: 3413494760-0
Opcode ID: 4f21cbb3ea6fd7abc2b9954d67071c422361d53a9135204a52d761953835582e
Instruction ID: 1a43dffd7204fa50cc3c11a2ba162526d8997020e5ead0853d7cac710a9625e8
Opcode Fuzzy Hash: 4f21cbb3ea6fd7abc2b9954d67071c422361d53a9135204a52d761953835582e
Instruction Fuzzy Hash: 654139B2600716AFC715DF69D890A86BBE8FF48314F00862AE519C7B00D775F964CBE1

Function 0040ED42 Relevance: 16.2, APIs: 3, Strings: 6, Instructions: 472COMMON

Download Yara Rule

APIs

_strncmp.LIBCMT ref: 0040EEB9

Strings

h, xrefs: 0040F704
h, xrefs: 0040EFBB
`, xrefs: 0040ED43
', xrefs: 0040EDA4
\, xrefs: 0040CFD7
DEFINE, xrefs: 0040EFA6

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: _strncmp
String ID: '$DEFINE$\$`$h$h
API String ID: 909875538-3708680428
Opcode ID: fe1e03d8ddaed9df40d2a673e89d652a6fe71378cc1ddc2c17b8f7caf8c97d22
Instruction ID: 2d0ca4790a685b3152513a532ce5f303fd5991269e29a34e0a22becc12d8a126
Opcode Fuzzy Hash: fe1e03d8ddaed9df40d2a673e89d652a6fe71378cc1ddc2c17b8f7caf8c97d22
Instruction Fuzzy Hash: ED02C470A0424ACFCB24CF65C9906AEBBF2FF85304F2486BED815AB781D3399945CB55

Function 00414262 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 271libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000001,?), ref: 0041433B
GetProcAddress.KERNEL32(?,AU3_FreeVar), ref: 00414354
_malloc.LIBCMT ref: 00414392
_strlen.LIBCMT ref: 004143F0
_malloc.LIBCMT ref: 004143FA
_strcat.LIBCMT ref: 0041440B
_free.LIBCMT ref: 00414550
_free.LIBCMT ref: 00414562

Strings

AU3_FreeVar, xrefs: 0041434E

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: AddressProc_free_malloc$_strcat_strlen
String ID: AU3_FreeVar
API String ID: 2634073740-771828931
Opcode ID: c2b2e2897ba366b9163e0dc86d138ca1ed03e693267ee843c8596e5dcf81bbc9
Instruction ID: c7ca8041fbdec423ac35cb47d1e464fddec2964dc8c68efe6420030c871fe9a8
Opcode Fuzzy Hash: c2b2e2897ba366b9163e0dc86d138ca1ed03e693267ee843c8596e5dcf81bbc9
Instruction Fuzzy Hash: F8B1C1B4A00206DFCB00DF54D885AAAB7B5FF88314F2481AAE9158F352D739ED91CB95

Function 0042B770 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 208comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 0042B7B0
CoUninitialize.OLE32 ref: 0042B7BB

Part of subcall function 003D14F7: _malloc.LIBCMT ref: 003D1511

Part of subcall function 0040CAFD: CreateDispTypeInfo.OLEAUT32(?,00000800,?), ref: 0040CB4A
Part of subcall function 0040CAFD: CreateStdDispatch.OLEAUT32(00000000,?,?,?), ref: 0040CB6A

CLSIDFromProgID.OLE32(00000000,?), ref: 0042B80A
CLSIDFromString.OLE32(00000000,?), ref: 0042B81A
CoCreateInstance.OLE32(?,00000000,00000017,00442998,?), ref: 0042B843
IIDFromString.OLE32(?,?), ref: 0042B87B

Strings

Invalid parameter, xrefs: 0042B896
NULL Pointer assignment, xrefs: 0042B8C0
Failed to create object, xrefs: 0042B905

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: CreateFrom$String$DispDispatchInfoInitializeInstanceProgTypeUninitialize_malloc
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 2294789929-1287834457
Opcode ID: d7cffd461fbf4fded0878a45baa85cd01e408c678bdfcb6f7769008629876025
Instruction ID: a1b1334ad4d077580ce4ce7dbe1b6cd4c683291afaaddc394380208085be3dc4
Opcode Fuzzy Hash: d7cffd461fbf4fded0878a45baa85cd01e408c678bdfcb6f7769008629876025
Instruction Fuzzy Hash: 5E61BDB56043119BD310EF15D884B6BB3E8FF84714F508A1EF59497240D778E945CBEA

Function 00410566 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 147windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00410616
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0041062A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 0041064B
_wcslen.LIBCMT ref: 00410696
_wcscat.LIBCMT ref: 004106A9
SendMessageW.USER32(?,00001057,00000000,?), ref: 004106C2
SendMessageW.USER32(?,00001061,?,?), ref: 004106F4

Strings

SysListView32, xrefs: 004105E9
-----, xrefs: 004106A1

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: MessageSend$Window_wcscat_wcslen
String ID: -----$SysListView32
API String ID: 4008455318-3975388722
Opcode ID: f518b93209f567680ae2d95e0ad2423e8dfdeeec565cfca424d659554b3b9293
Instruction ID: 3e6835b89b8fa0f3fcf69409739a54c79f12ff7f1cbcfcc569b9973c1168ea44
Opcode Fuzzy Hash: f518b93209f567680ae2d95e0ad2423e8dfdeeec565cfca424d659554b3b9293
Instruction Fuzzy Hash: C9518070600308ABDB24CF64DC89FEB77A9AF98304F10465AF948A72C1D7F999C5CB58

Function 00408524 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 109windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00408545
CreateMenu.USER32 ref: 0040855C
SetMenu.USER32(?,00000000), ref: 0040856C
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 004085F0
IsMenu.USER32(?), ref: 00408604
CreatePopupMenu.USER32 ref: 0040860E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00408645
DrawMenuBar.USER32 ref: 0040864E

Strings

0, xrefs: 0040853E

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0
API String ID: 176399719-4108050209
Opcode ID: 3f8dfa738889c44705125b6ab2027782c7c536bb71a1285d2fc139fdc397dbce
Instruction ID: f6599dbd17ea781d52e11d809916e0ce155ffb11be7d4dbdc86d17e1414c0374
Opcode Fuzzy Hash: 3f8dfa738889c44705125b6ab2027782c7c536bb71a1285d2fc139fdc397dbce
Instruction Fuzzy Hash: 30417C79A00205AFCB00CF58D984A9AB7B4FF49310F54826AFD58AB380DB75A851CFA5

Function 003F3D83 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

EnumProcesses.PSAPI(?,00000800,?,?,00403C4D,?,?,?,00468178), ref: 003F3DA0
OpenProcess.KERNEL32(00000410,00000000,?,?,?,00468178), ref: 003F3DFE
EnumProcessModules.PSAPI(00000000,?,00000004,?), ref: 003F3E11
GetModuleBaseNameW.PSAPI(00000000,?,?,00000104), ref: 003F3E28
__wsplitpath.LIBCMT ref: 003F3E52
_wcscat.LIBCMT ref: 003F3E65
__wcsicoll.LIBCMT ref: 003F3E75
CloseHandle.KERNEL32(00000000), ref: 003F3EAD

Strings

M<@, xrefs: 003F3DB3

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: EnumProcess$BaseCloseHandleModuleModulesNameOpenProcesses__wcsicoll__wsplitpath_wcscat
String ID: M<@
API String ID: 2903788889-2183987182
Opcode ID: c3b1296289ae345a6610ab5b41c704a77f2c9711fc39a398577d4d38d8fefebe
Instruction ID: 589edcbc364cf0f78dd47bf565caf5f0456218e534de42c081ea624035bf3de0
Opcode Fuzzy Hash: c3b1296289ae345a6610ab5b41c704a77f2c9711fc39a398577d4d38d8fefebe
Instruction Fuzzy Hash: C131437690010DABDB16DFA4DD84EEEB3BDEF99700F104195FA0997240DB71AF858BA0

Function 00428C7F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 88windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003C1D10: _wcslen.LIBCMT ref: 003C1D11
Part of subcall function 003C1D10: _memmove.LIBCMT ref: 003C1D57

SendMessageW.USER32(00000000,0000018C,000000FF,00000000), ref: 00428CFF
GetDlgCtrlID.USER32(00000000), ref: 00428D10
GetParent.USER32 ref: 00428D24
SendMessageW.USER32(00000000,?,00000111), ref: 00428D2B
GetDlgCtrlID.USER32(00000000), ref: 00428D31
GetParent.USER32 ref: 00428D48
SendMessageW.USER32(00000000,?,00000111,?), ref: 00428D4F

Strings

ComboBox, xrefs: 00428C8B
ListBox, xrefs: 00428CBD

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$_memmove_wcslen
String ID: ComboBox$ListBox
API String ID: 2360848162-1403004172
Opcode ID: 8ac06aa81ad974b8b9523c88377aa75330eea9c10f49b2a176bd9d7870baa7a5
Instruction ID: bb64caf176b2594cb9d74ccf5e1ad5cf34d8d9b6a873f05f444d40e3663f1d65
Opcode Fuzzy Hash: 8ac06aa81ad974b8b9523c88377aa75330eea9c10f49b2a176bd9d7870baa7a5
Instruction Fuzzy Hash: 802147716001287BDB04AB69DC85BBF775CEF46320F50821BFA14CB292CAB8E84587B4

Function 00428E7F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 87windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003C1D10: _wcslen.LIBCMT ref: 003C1D11
Part of subcall function 003C1D10: _memmove.LIBCMT ref: 003C1D57

SendMessageW.USER32(00000186,00000186,?,00000000), ref: 00428EFD
GetDlgCtrlID.USER32(00000000), ref: 00428F0E
GetParent.USER32 ref: 00428F22
SendMessageW.USER32(00000000,?,00000111), ref: 00428F29
GetDlgCtrlID.USER32(00000000), ref: 00428F2F
GetParent.USER32 ref: 00428F46
SendMessageW.USER32(00000000,?,00000111,?), ref: 00428F4D

Strings

ComboBox, xrefs: 00428E8B
ListBox, xrefs: 00428EBD

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$_memmove_wcslen
String ID: ComboBox$ListBox
API String ID: 2360848162-1403004172
Opcode ID: d0c0a59859622a1935439d47ab0a482acfbfec2903cf7fa2828113d5f6bec3c5
Instruction ID: 739e94ac8790a7efec4d0aa7c177ef41339182fc024fe316c0f81c88a2ed215c
Opcode Fuzzy Hash: d0c0a59859622a1935439d47ab0a482acfbfec2903cf7fa2828113d5f6bec3c5
Instruction Fuzzy Hash: 922106717001287BDB00AB69DC85BBF7B9CEF45320F51855BF914DB292CAB8E84587A4

Function 00408CBB Relevance: 15.2, APIs: 10, Instructions: 174windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00401331: DeleteObject.GDI32(?), ref: 00401392

SendMessageW.USER32(75C123D0,00001001,00000000,?), ref: 00408D6F
SendMessageW.USER32(75C123D0,00001026,00000000,?), ref: 00408D7E

Part of subcall function 004013B9: CreateSolidBrush.GDI32(?), ref: 00401405

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: MessageSend$BrushCreateDeleteObjectSolid
String ID:
API String ID: 3771399671-0
Opcode ID: c70f419ecbbfc4cb1ec38e9cecfc6c9a75bfb7f1da754b5d703c28661df762e7
Instruction ID: ed65be5407d3d46f4d27ee8f43d76a76cab0920f1f98f386fb03565ec288ea67
Opcode Fuzzy Hash: c70f419ecbbfc4cb1ec38e9cecfc6c9a75bfb7f1da754b5d703c28661df762e7
Instruction Fuzzy Hash: 7751D670300204ABDB20DF25DE85F6B77A8AF45714F10452EFA95EB2D1CBB9E941CB98

Function 003F4608 Relevance: 15.1, APIs: 10, Instructions: 98threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 003F462A
GetForegroundWindow.USER32(00000000), ref: 003F463C
GetWindowThreadProcessId.USER32(00000000), ref: 003F4643
AttachThreadInput.USER32(00000000,00000000,00000001), ref: 003F4658
GetWindowThreadProcessId.USER32(?,?), ref: 003F4666
AttachThreadInput.USER32(00000000,00000000,00000001), ref: 003F467F
AttachThreadInput.USER32(00000000,00000000,00000001), ref: 003F468D
AttachThreadInput.USER32(00000000,00000000,00000000), ref: 003F46DA
AttachThreadInput.USER32(00000000,00000000,00000000), ref: 003F46EE
AttachThreadInput.USER32(00000000,00000000,00000000), ref: 003F46F9

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: d22a888d9bb88fb2eb915444a68b67a258ab0a8ab6a5473e1d5a93470c3d8388
Instruction ID: b3048dd14a30192820ea68da085167195451d1b0ffb45f93f6a5c1f1cff13f49
Opcode Fuzzy Hash: d22a888d9bb88fb2eb915444a68b67a258ab0a8ab6a5473e1d5a93470c3d8388
Instruction Fuzzy Hash: B9312FB6500208BFDB12DF69DC8497BB7ADFB4A311F42412AFA45C7250E7F09D408B69

Function 003C9400 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 324sleepCOMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(00467F04), ref: 003EC5DF
InterlockedDecrement.KERNEL32(00467F04), ref: 003EC5FD
Sleep.KERNEL32(0000000A), ref: 003EC605
InterlockedIncrement.KERNEL32(00467F04), ref: 003EC610
InterlockedDecrement.KERNEL32(00467F04), ref: 003EC6C2

Strings

@COM_EVENTOBJ, xrefs: 003EC6F7, 003EC98E
DZD, xrefs: 003EC887

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Interlocked$DecrementIncrement$Sleep
String ID: @COM_EVENTOBJ$DZD
API String ID: 327565842-3641177784
Opcode ID: bd4be19ecef10d5c40b4cb71bc8feb70261377d759a7437b3e35bead7ea58a6b
Instruction ID: b9697188db6e8a45c6c92dd7ce24d9e5436668d2e3b88259b5253ca1dddb2abc
Opcode Fuzzy Hash: bd4be19ecef10d5c40b4cb71bc8feb70261377d759a7437b3e35bead7ea58a6b
Instruction Fuzzy Hash: AAD102719102188FDF16EF91C985FEEB3B4FF44304F21826AE505AB292DB74AD46CB94

Function 004284CB Relevance: 14.3, APIs: 2, Strings: 6, Instructions: 287COMMON

Download Yara Rule

Strings

CLASS, xrefs: 0042857D
INSTANCE, xrefs: 0042876B
REGEXPCLASS, xrefs: 004285D7
NAME, xrefs: 00428663
TEXT, xrefs: 0042879E
CLASSNN, xrefs: 004285AA

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID:
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 0-1603158881
Opcode ID: 1b6281787eac409d1de19ef00c4b639fe3f3d41980d18e60810339a7c0cb43df
Instruction ID: 5e83a342697bf09b35cd144e2234a474b4da6fd5619cecf4f459428a4acfaa7e
Opcode Fuzzy Hash: 1b6281787eac409d1de19ef00c4b639fe3f3d41980d18e60810339a7c0cb43df
Instruction Fuzzy Hash: BEA182B29002149ADF01DF60E882BEF7364AF54344F94847EEC09AF246DF786949CBB5

Function 0042A3F6 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 196registryCOMMON

Download Yara Rule

APIs

Part of subcall function 003D14F7: _malloc.LIBCMT ref: 003D1511

Part of subcall function 003C1D10: _wcslen.LIBCMT ref: 003C1D11
Part of subcall function 003C1D10: _memmove.LIBCMT ref: 003C1D57

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0042A51C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?), ref: 0042A548
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 0042A573
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0042A5A6
RegCloseKey.ADVAPI32(?,000000FF,00000000), ref: 0042A5CF
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0042A608
RegCloseKey.ADVAPI32(?), ref: 0042A613

Strings

dND, xrefs: 0042A44C

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Close$ConnectEnumOpenRegistryValue_malloc_memmove_wcslen
String ID: dND
API String ID: 2027346449-2949930476
Opcode ID: 719e2cc79013c80f937cdc1db70083b9f221703ba019b610833fa272ef06fa53
Instruction ID: 6059cc5e60104ce053288feab4c4fe7554516dc07c991cbbbae4fc58c8da884d
Opcode Fuzzy Hash: 719e2cc79013c80f937cdc1db70083b9f221703ba019b610833fa272ef06fa53
Instruction Fuzzy Hash: 04613C72614301ABD704EF64D881E6BB7E9BF88704F448A1DFA85CB281DB75ED04CB66

Function 0042C3A9 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 170networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,?,00000000,00000000,?), ref: 0042C54C
WSAGetLastError.WSOCK32(00000000), ref: 0042C55D

Strings

dND, xrefs: 0042C3D7

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: ErrorLastselect
String ID: dND
API String ID: 215497628-2949930476
Opcode ID: 7ee5e8190bdc2c16701d8685f56e08822c95509ca1afd46a7b295670fea921ce
Instruction ID: 1d9f6722d486684034387099d6a9d1d2d2843db17104169c37db3658fb15fce0
Opcode Fuzzy Hash: 7ee5e8190bdc2c16701d8685f56e08822c95509ca1afd46a7b295670fea921ce
Instruction Fuzzy Hash: C251FB76A10104ABD710FB64EC81FAFB7A8EF89710F54815AF909DB381DA35ED01C7A5

Function 0041FB23 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 147windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0041FB72
GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0041FBBF
IsMenu.USER32(?), ref: 0041FBD6
CreatePopupMenu.USER32 ref: 0041FC0E
GetMenuItemCount.USER32(?), ref: 0041FC74
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0041FC9D

Strings

2, xrefs: 0041FBF2
0, xrefs: 0041FB6B

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID: 0$2
API String ID: 3311875123-3793063076
Opcode ID: 53f68d8691f503dcbede9d4961e29a08c96fed3977c5292c574cd7837b5013ba
Instruction ID: 2cc519df2069a9f0372b186b3a8c76eb62ecbc54328256a6300c52340a4d6afa
Opcode Fuzzy Hash: 53f68d8691f503dcbede9d4961e29a08c96fed3977c5292c574cd7837b5013ba
Instruction Fuzzy Hash: 6551C571A002099BDB10CF68D884BEF77A4FF45314F14853EE815DB391E378988ADBA9

Function 003CFE90 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 126COMMON

Download Yara Rule

APIs

_strcat.LIBCMT ref: 003CFED3
_memmove.LIBCMT ref: 003CFEE2
__fread_nolock.LIBCMT ref: 003CFF02
_fseek.LIBCMT ref: 003CFF58

Strings

AU3!, xrefs: 003CFECD
EA06, xrefs: 003E5CB6

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: __fread_nolock_fseek_memmove_strcat
String ID: AU3!$EA06
API String ID: 1268643489-2658333250
Opcode ID: 2f7616d3dc554caef2d3af29bbbf785e0a80c38c65836ca790eeb49ee6af6648
Instruction ID: 2a9b4f20a8b105460e68fb004794c188b3bd14b27c08e6b0c8f7db3ddf1f515d
Opcode Fuzzy Hash: 2f7616d3dc554caef2d3af29bbbf785e0a80c38c65836ca790eeb49ee6af6648
Instruction Fuzzy Hash: F2414B72A041985FDB13CB74D890FFD3B79EB0A304F6404BEF585CB642E670A9458B61

Function 003C1E00 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 118windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(?,00000065,?,0000007F), ref: 003E7AB3

Part of subcall function 003C2390: _wcslen.LIBCMT ref: 003C239D
Part of subcall function 003C2390: _memmove.LIBCMT ref: 003C23C3

_memset.LIBCMT ref: 003C1E90
_wcsncpy.LIBCMT ref: 003C1ED2
_wcscpy.LIBCMT ref: 003C1EF1
Shell_NotifyIconW.SHELL32(00000001,?), ref: 003C1F03
__swprintf.LIBCMT ref: 003E7B2D

Strings

AutoIt - , xrefs: 003C1E64
Line %d: , xrefs: 003E7B27

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String__swprintf_memmove_memset_wcscpy_wcslen_wcsncpy
String ID: Line %d: $AutoIt -
API String ID: 1629950421-4094128768
Opcode ID: 9666233c2511cb7751b503ca1f40e716e708d1076d9c856274b0dd7109eb4183
Instruction ID: 14370bc05b483ef20c4da610b3e1449c7ae00a3a4047609e9a4e1cd928f3609b
Opcode Fuzzy Hash: 9666233c2511cb7751b503ca1f40e716e708d1076d9c856274b0dd7109eb4183
Instruction Fuzzy Hash: 56419272518345ABD322EB20DC41FAF73E8BF85344F44092DF589D6192EB74AA08C797

Function 0040C753 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 88COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0040C766
__wcsnicmp.LIBCMT ref: 0040C824

Strings

#notrayicon, xrefs: 0040C760
#requireadmin, xrefs: 0040C81E
DZD, xrefs: 0040C79C
#OnAutoItStartRegister, xrefs: 0040C786

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin$DZD
API String ID: 1038674560-382264527
Opcode ID: 6c8135af915b14f567fcee9097a80c1c7df1832f2ef52dbd7774182155dd24f0
Instruction ID: e5e5ba8872a34971bb30e8dcbd312d4b385627689ea3f9238f3febb9c3a0c5b6
Opcode Fuzzy Hash: 6c8135af915b14f567fcee9097a80c1c7df1832f2ef52dbd7774182155dd24f0
Instruction Fuzzy Hash: 39216D3765021067E721B618FC82F9B739C9FA5310F048037F904AF382D67AA95587EA

Function 00413808 Relevance: 13.7, APIs: 9, Instructions: 158filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 003CF220: GetFullPathNameW.KERNEL32(00000000,00000104,00467F6C,003CF1F5,00467F6C,004690E8,00467F6C,?,003CF1F5,?,?,00000001), ref: 003CF23C

Part of subcall function 003F397D: GetFileAttributesW.KERNEL32(?), ref: 003F3984

lstrcmpiW.KERNEL32(?,?), ref: 00413875
MoveFileW.KERNEL32(?,?), ref: 004138A7

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: File$AttributesFullMoveNamePathlstrcmpi
String ID:
API String ID: 978794511-0
Opcode ID: c5146bbc19b81d68dc5f738c0e0fec3f1763f884e7cd4b9225001d9d35af2e8b
Instruction ID: f9fcf60b3f75d17a38be4adb8aa685e4aa0261afe25802e13a3898ae2174497b
Opcode Fuzzy Hash: c5146bbc19b81d68dc5f738c0e0fec3f1763f884e7cd4b9225001d9d35af2e8b
Instruction Fuzzy Hash: DE5141B2C0021956CF20EFA1DC85BEEB378AF44305F0445DAE60DA7241EB75AB98CB55

Function 004010EC Relevance: 13.6, APIs: 9, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27f51784e569bb6fb86ecaa7947fa639f5eeb95aa58f954b09be82fe823d8f2e
Instruction ID: 1b7d3f9775e87e992a1cd78b09b8fba884155de660817912e67b3d6ae459ed96
Opcode Fuzzy Hash: 27f51784e569bb6fb86ecaa7947fa639f5eeb95aa58f954b09be82fe823d8f2e
Instruction Fuzzy Hash: 5C4109322142405AE321672CFCC4BA7BB98FBA6325F54012FF186995E0C2F974958725

Function 00415ED9 Relevance: 13.6, APIs: 9, Instructions: 130windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00415EE5
_memset.LIBCMT ref: 00415EF6
SendMessageW.USER32 ref: 00415F20
SendMessageW.USER32(?,0000104B,00000000,?), ref: 00415F57
SendMessageW.USER32(?,0000104B,00000000,00000001), ref: 00415FBD
_wcslen.LIBCMT ref: 00415FC4
_wcslen.LIBCMT ref: 00415FE2
CharNextW.USER32(00000000), ref: 00415FFE
SendMessageW.USER32(?,0000104B,00000000,00000001), ref: 00416027

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$CharLongNextWindow_memset
String ID:
API String ID: 2321321212-0
Opcode ID: 0680be4b4ae93142dd343937af332cdf55b58ef5b9e324cad308871fe74d32fb
Instruction ID: 8ad07544b8bdc2b90ded160dc05b2626c4db67f5d93f4e6c47b1b1190bc2a80d
Opcode Fuzzy Hash: 0680be4b4ae93142dd343937af332cdf55b58ef5b9e324cad308871fe74d32fb
Instruction Fuzzy Hash: 3E41DA71A0021A9BDB14DFA8DC85BEEB7B4FF48320F00822AF915E72C0D7B59555CBA4

Function 00405D58 Relevance: 13.6, APIs: 9, Instructions: 69sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 004059AD: GetWindowThreadProcessId.USER32(?,00000000), ref: 004059CD
Part of subcall function 004059AD: GetCurrentThreadId.KERNEL32 ref: 004059D4
Part of subcall function 004059AD: AttachThreadInput.USER32(00000000), ref: 004059DB

MapVirtualKeyW.USER32(00000025,00000000), ref: 00405D75
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00405D8E
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00405D9C
MapVirtualKeyW.USER32(00000025,00000000), ref: 00405DA2
PostMessageW.USER32(00000000,00000100,00000027,00000000), ref: 00405DC3
Sleep.KERNEL32(00000000), ref: 00405DD1
MapVirtualKeyW.USER32(00000025,00000000), ref: 00405DD7
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00405DEC
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000), ref: 00405DF4

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: b519c4aed39f1a7394383d400fe1e548d64cd10c4d189de62b6633ef06a45b55
Instruction ID: 02be5ef604c8171fc8c53cb3a78458ba9eba99617278c5fa60febb23418338b3
Opcode Fuzzy Hash: b519c4aed39f1a7394383d400fe1e548d64cd10c4d189de62b6633ef06a45b55
Instruction Fuzzy Hash: FB118675390300BBF620AB959C8AF56779DEF89B11F61441AF780AB1C0C5F5A4818E7C

Function 003F26D5 Relevance: 13.5, APIs: 9, Instructions: 42COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 003F26ED
VariantClear.OLEAUT32(?), ref: 003F26F3
VariantClear.OLEAUT32(?), ref: 003F26F9
VariantClear.OLEAUT32(?), ref: 003F2702
VariantClear.OLEAUT32(?), ref: 003F270B
VariantClear.OLEAUT32(?), ref: 003F2711
VariantClear.OLEAUT32(?), ref: 003F271A
VariantClear.OLEAUT32(?), ref: 003F2723
VariantClear.OLEAUT32(?), ref: 003F272C

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 450457ed0af4e1e4e224b047303e14db0b0e1043f7004b5c22124781504c6e31
Instruction ID: 6bea97d44d0c90265c086df5e56734ebafa26a2e1568d3ba96d576036aacf5a0
Opcode Fuzzy Hash: 450457ed0af4e1e4e224b047303e14db0b0e1043f7004b5c22124781504c6e31
Instruction Fuzzy Hash: 94012CB60007086AC231E7B9DC40FD7B7EC9B85200F018E1DE68A82015DA74F588CB54

Function 0040F029 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 389COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0040F249
_memmove.LIBCMT ref: 0040F2B8
_memmove.LIBCMT ref: 0040F32C

Strings

h, xrefs: 0040F704
\, xrefs: 0040CFD7
', xrefs: 0040F198

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: _memmove$_memcmp
String ID: '$\$h
API String ID: 2205784470-1303700344
Opcode ID: abcb502fed9e2b26b76d0fcf5ed0d21d73d738c3186d17adad89b9f134d2acfd
Instruction ID: 65df46cb2e90e4c6c7f055f70cd4f3bda3c69219dacd8e57628656650ef1115b
Opcode Fuzzy Hash: abcb502fed9e2b26b76d0fcf5ed0d21d73d738c3186d17adad89b9f134d2acfd
Instruction Fuzzy Hash: 37E1B270A04209CFCB28CF69C8906AEBBF2FF89300F24857ED845A7780D734A946CB55

Function 0041E9FC Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 325timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 0041EA43
VariantCopy.OLEAUT32(00000000), ref: 0041EA4D
VariantClear.OLEAUT32 ref: 0041EA5A
VariantTimeToSystemTime.OLEAUT32 ref: 0041EBF3
__swprintf.LIBCMT ref: 0041EC20
VariantInit.OLEAUT32(00000000), ref: 0041ECDB

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 0041EC1A

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Variant$InitTime$ClearCopySystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d
API String ID: 2441338619-1568723262
Opcode ID: dd8de0f432b544f4336bf568093f918b5af73aee24ea68d2be42ce62cdd85fff
Instruction ID: 5b764686a30a0875beb2cd5fab219dd399be9a3738598e8290456455d4b9a8db
Opcode Fuzzy Hash: dd8de0f432b544f4336bf568093f918b5af73aee24ea68d2be42ce62cdd85fff
Instruction Fuzzy Hash: 0FA1E47AA006248BC7209F46E4C07AAF7B4FF45321F1585ABED899B300C736AC95D7E1

Function 0042B9C2 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 308COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0042BA14
VariantInit.OLEAUT32(?), ref: 0042BAE4

Part of subcall function 00411AB8: GetLastError.KERNEL32(?,?,00000000), ref: 00411B16
Part of subcall function 00411AB8: VariantCopy.OLEAUT32(?,?), ref: 00411B6E
Part of subcall function 00411AB8: VariantCopy.OLEAUT32(?,?), ref: 00411B84
Part of subcall function 00411AB8: VariantCopy.OLEAUT32(?,?), ref: 00411B9D
Part of subcall function 00411AB8: VariantClear.OLEAUT32(?), ref: 00411C17

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0042BC0E
Null Object assignment in FOR..IN loop, xrefs: 0042BA63, 0042BBD3, 0042BBEF, 0042BCBB

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Variant$Copy$ClearErrorInitLast_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 530611519-625585964
Opcode ID: 8f905180f556c1e4b4e58172fe98402244dffed3cd37fa6c20ce905cf09c2c26
Instruction ID: 405d50503f803f1a9d80281ed067b58e415802055d99ddcc8f66d4e75a8afa01
Opcode Fuzzy Hash: 8f905180f556c1e4b4e58172fe98402244dffed3cd37fa6c20ce905cf09c2c26
Instruction Fuzzy Hash: 46A19572B00219AFDB10DF99EC81EEEB7B9FF84314F50451EF604AB240D775994187A5

Function 00430216 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 288COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 004302D5
VariantClear.OLEAUT32(?), ref: 00430409
VariantInit.OLEAUT32(?), ref: 0043045D
DispCallFunc.OLEAUT32(?,?,?,00000015,?,?,?,?), ref: 004304BE
VariantClear.OLEAUT32(?), ref: 004304D0

Part of subcall function 003F548F: VariantCopy.OLEAUT32(?,?), ref: 003F54A0

VariantCopy.OLEAUT32(?,?), ref: 00430534

Part of subcall function 003F5411: VariantClear.OLEAUT32(?), ref: 003F5422

VariantClear.OLEAUT32(00000000), ref: 004305C7

Strings

H, xrefs: 004302B0

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Variant$Clear$Copy$CallDispFuncInit
String ID: H
API String ID: 3613100350-2852464175
Opcode ID: 91eaf980e8a10b2242eaef3e1df84b77019f3c49607fca55acf2a04f605569ff
Instruction ID: f98e6a8896910a13fdd4ce9fdf997ffe47a65a51b0449f15623557607cd68891
Opcode Fuzzy Hash: 91eaf980e8a10b2242eaef3e1df84b77019f3c49607fca55acf2a04f605569ff
Instruction Fuzzy Hash: 21B17CB5604311AFD710DF58C490A2BB3E4FF88304F549A2EFA969B341D738E951CB9A

Function 0040A9CA Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 174networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0040AA09
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040AA3E
InternetQueryOptionW.WININET(00000000,0000001F,00000000,00001000), ref: 0040AAA2
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0040AAB8
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040AAC7
HttpQueryInfoW.WININET(00000000,00000005,?,00001000,00000000), ref: 0040AAFF

Part of subcall function 00402252: GetLastError.KERNEL32 ref: 00402268

Strings

, xrefs: 0040AAF8

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: HttpInternet$OptionQueryRequest$ConnectErrorInfoLastOpenSend
String ID:
API String ID: 1291720006-3916222277
Opcode ID: 03452074ad978b76fa7fd7b5596470f7fb334ed4eac2a49e7fd7c3bdb0a831a9
Instruction ID: 25eb02fd5574f0f4a84fff4cbed9e696849f8e650cca796d8a675c1fe84db527
Opcode Fuzzy Hash: 03452074ad978b76fa7fd7b5596470f7fb334ed4eac2a49e7fd7c3bdb0a831a9
Instruction Fuzzy Hash: F851F775640308BBE710EF55DC86FEB77A8FB49710F00852AFA05A72C1D7B4A518CBA4

Function 003C1340 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 129timewindowCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 003C1376
KillTimer.USER32(?,00000001), ref: 003C13F9

Part of subcall function 003C1240: _memset.LIBCMT ref: 003C126B
Part of subcall function 003C1240: Shell_NotifyIconW.SHELL32(00000002,?), ref: 003C129B

PostQuitMessage.USER32(00000000), ref: 003C140B

Strings

TaskbarCreated, xrefs: 003C142B

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: IconKillMessageNotifyPostProcQuitShell_TimerWindow_memset
String ID: TaskbarCreated
API String ID: 1519149367-2362178303
Opcode ID: 776e1e7e9bc2db6f9bec4245b417db46a9affc9d70277763abf77741f2641fcf
Instruction ID: bc4d6840d9775c1494873f079bd5709cc5ff49aca1f838eb202135848404186a
Opcode Fuzzy Hash: 776e1e7e9bc2db6f9bec4245b417db46a9affc9d70277763abf77741f2641fcf
Instruction Fuzzy Hash: 0341467A2142889BDB22DB58EC85FAE3358F742315F11423FF805CB992D6B4DC40A79B

Function 003F52D0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

SafeArrayAccessData.OLEAUT32(?,?), ref: 003F52F4
VariantClear.OLEAUT32(?), ref: 003F532E
SafeArrayUnaccessData.OLEAUT32(?), ref: 003F534E
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 003F5381
VariantClear.OLEAUT32(?), ref: 003F53C1
SafeArrayUnaccessData.OLEAUT32(?), ref: 003F5404

Strings

crts, xrefs: 003F5305

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: ArrayDataSafeVariant$ClearUnaccess$AccessChangeType
String ID: crts
API String ID: 586820018-3724388283
Opcode ID: 4944de4db08b85e6200c0db851873216dd14d5fab01fdb912844b129b3983793
Instruction ID: ec47748d577e796b464f02f26e3aff353980fd8d80c39d3a33317b8e99d9ac88
Opcode Fuzzy Hash: 4944de4db08b85e6200c0db851873216dd14d5fab01fdb912844b129b3983793
Instruction Fuzzy Hash: 494181B9200608DBDB10CF19D880AAAB7B5FF9D314F24812AFE49CB355D771E951CBA0

Function 0040BB5E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 105filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 003CF220: GetFullPathNameW.KERNEL32(00000000,00000104,00467F6C,003CF1F5,00467F6C,004690E8,00467F6C,?,003CF1F5,?,?,00000001), ref: 003CF23C

lstrcmpiW.KERNEL32(?,?), ref: 0040BB95
MoveFileW.KERNEL32(?,?), ref: 0040BBCB
_wcscat.LIBCMT ref: 0040BC3B
_wcslen.LIBCMT ref: 0040BC47
_wcslen.LIBCMT ref: 0040BC5D
SHFileOperationW.SHELL32(?), ref: 0040BCA3

Strings

\*.*, xrefs: 0040BC35

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: File_wcslen$FullMoveNameOperationPath_wcscatlstrcmpi
String ID: \*.*
API String ID: 2326526234-1173974218
Opcode ID: 783c936aa4baaf54c9f5314a6b2b0b6fa9d011d2ce5ba08099fbd1516d9e17b6
Instruction ID: 858dddfcefa0e1bdbe20190569c954e019a5d2f90bb47dbb2a75350a73f62405
Opcode Fuzzy Hash: 783c936aa4baaf54c9f5314a6b2b0b6fa9d011d2ce5ba08099fbd1516d9e17b6
Instruction Fuzzy Hash: 573146B190121C6ADF10EFB4DC45AEEB3B4EF49300F4055EEE909A7241EB759B48CB99

Function 003F35B2 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

Part of subcall function 003F3229: _wcsncpy.LIBCMT ref: 003F3241

_wcslen.LIBCMT ref: 003F35D7
GetFileAttributesW.KERNEL32(?), ref: 003F3601
GetLastError.KERNEL32 ref: 003F3610
CreateDirectoryW.KERNEL32(?,00000000), ref: 003F3624
_wcsrchr.LIBCMT ref: 003F364B

Part of subcall function 003F35B2: CreateDirectoryW.KERNEL32(?,00000000), ref: 003F368C

Strings

\, xrefs: 003F35E3

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
String ID: \
API String ID: 321622961-2967466578
Opcode ID: 635e96ddf894298f7a1f23e413511dc1af1c364b68877930e09a9a76f571476a
Instruction ID: e367f8e8afe952c7242a3c65f709b70200d10b0d0f7144a867f9b9d77530458b
Opcode Fuzzy Hash: 635e96ddf894298f7a1f23e413511dc1af1c364b68877930e09a9a76f571476a
Instruction Fuzzy Hash: 38216D7690131C6ADF21AB74BC46BFA736CDF42310F0046A5FE18C6241E6719F848AE1

Function 003F401B Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,004690E8,?,00000100,?,00467F6C), ref: 003F403E
LoadStringW.USER32(00000000), ref: 003F4047
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 003F405C
LoadStringW.USER32(00000000), ref: 003F405F
_wprintf.LIBCMT ref: 003F4088
MessageBoxW.USER32(00000000,?,?,00011010), ref: 003F40A0

Strings

%s (%d) : ==> %s: %s %s, xrefs: 003F4083

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 7bd3eaa90485456d2c485fba92cae3672223a7de053531a9c0312b23a764054a
Instruction ID: 25926808db4119a26486ac1a26493de1a9665e3ea7c85a15056ead0b5f3b04b7
Opcode Fuzzy Hash: 7bd3eaa90485456d2c485fba92cae3672223a7de053531a9c0312b23a764054a
Instruction Fuzzy Hash: EB0167B6A503187AFB10E7949D07FFA772CD7C4B01F40419ABB48AA1C09AF46D84CBB5

Function 003D785F Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,0044D130,00000008,003D7967,00000000,00000000,?,003D12DC,?,00000001), ref: 003D7870
__lock.LIBCMT ref: 003D78A4

Part of subcall function 003D81EE: __mtinitlocknum.LIBCMT ref: 003D8204
Part of subcall function 003D81EE: __amsg_exit.LIBCMT ref: 003D8210
Part of subcall function 003D81EE: EnterCriticalSection.KERNEL32(?,?,?,003D78A9,0000000D,?,003D12DC,?,00000001), ref: 003D8218

InterlockedIncrement.KERNEL32(004502E0), ref: 003D78B1
__lock.LIBCMT ref: 003D78C5
___addlocaleref.LIBCMT ref: 003D78E3

Strings

KERNEL32.DLL, xrefs: 003D786B
pE, xrefs: 003D78D8

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL$pE
API String ID: 637971194-34167638
Opcode ID: 890ede62f31e6228e62680ab5b9f2fa457a748abbb29ad2edf8cdb063aeb8d07
Instruction ID: d76250e2b3db32dd859c4540dd5687b51d39be84b48227a805bf280a38ea0e51
Opcode Fuzzy Hash: 890ede62f31e6228e62680ab5b9f2fa457a748abbb29ad2edf8cdb063aeb8d07
Instruction Fuzzy Hash: E50161768447009BE722AF65E906749BBE0BF40321F10850FE4999B7A1CBB4A644CB15

Function 004250C6 Relevance: 12.3, APIs: 8, Instructions: 281networkmemoryCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00425196

Part of subcall function 0041875F: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D204E858,00000000,00000000,00000000,00000000,?,?,?,00426CC2,?,00433B72,00433B72,?), ref: 0041877B

inet_addr.WSOCK32(?,00000000,?,?), ref: 004251D8
gethostbyname.WSOCK32(?), ref: 004251E3
_memset.LIBCMT ref: 0042524D
GlobalAlloc.KERNEL32(00000040,00000040), ref: 00425259
_memmove.LIBCMT ref: 00425307
GlobalFree.KERNEL32(00000000), ref: 00425399
WSACleanup.WSOCK32 ref: 0042539F

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memmove_memsetgethostbynameinet_addr
String ID:
API String ID: 583437573-0
Opcode ID: 7b815832bf24928f2d34c8cf1461915060a5aae769530abec65e51f11336bf23
Instruction ID: f9f66eedd6a58e7303661786d20fc1a263fc319dc9bf3059a2904eba74b04db4
Opcode Fuzzy Hash: 7b815832bf24928f2d34c8cf1461915060a5aae769530abec65e51f11336bf23
Instruction Fuzzy Hash: 26A17A72604300ABD310EF64DC81F6BB7E9AF88740F54491EFA45DB282D7B4E905CBA6

Function 00427377 Relevance: 12.3, APIs: 8, Instructions: 267COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00427405

Part of subcall function 003D14F7: _malloc.LIBCMT ref: 003D1511

_memmove.LIBCMT ref: 00427466
_memmove.LIBCMT ref: 00427497
_memmove.LIBCMT ref: 004274F3
_memmove.LIBCMT ref: 00427585
_memmove.LIBCMT ref: 004275AC

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: _memmove$_malloc
String ID:
API String ID: 1938898002-0
Opcode ID: 2547aeaaec5ec0420e2305bba3f840933aa3d3eb8aa4bd45262eb567bbeb36ec
Instruction ID: 76ba44ebe30fc10b33546493635d4ee21c83d5d1f30553ef97443c09280e9a84
Opcode Fuzzy Hash: 2547aeaaec5ec0420e2305bba3f840933aa3d3eb8aa4bd45262eb567bbeb36ec
Instruction Fuzzy Hash: 8381B3726141196BCB01FFA5AC42FFF7369AF84314F44061BFD04EB282DA39AD1587A4

Function 00408C91 Relevance: 12.2, APIs: 8, Instructions: 165windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00401331: DeleteObject.GDI32(?), ref: 00401392

SendMessageW.USER32(75C123D0,00001001,00000000,?), ref: 00408D6F
SendMessageW.USER32(75C123D0,00001026,00000000,?), ref: 00408D7E

Part of subcall function 004013B9: CreateSolidBrush.GDI32(?), ref: 00401405

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: MessageSend$BrushCreateDeleteObjectSolid
String ID:
API String ID: 3771399671-0
Opcode ID: d2d11fd6f856dc77e20a881baa5e5a619bdf54716c13dbe8f39c620c070e6108
Instruction ID: 14c31bc1549aae5dfcefa12c788c7443d437acb51178555009fd69225bd48254
Opcode Fuzzy Hash: d2d11fd6f856dc77e20a881baa5e5a619bdf54716c13dbe8f39c620c070e6108
Instruction Fuzzy Hash: 0051E670200244AFDB10DF25CD84F5A77A8AF05714F10466EFA95EB2D1CB78E941CB58

Function 003F4ED2 Relevance: 12.1, APIs: 8, Instructions: 115memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 003F4EF6
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003F4F19
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003F4F45
SysAllocString.OLEAUT32(00000000), ref: 003F4F4C
SysAllocString.OLEAUT32(?), ref: 003F4F72
SysFreeString.OLEAUT32(?), ref: 003F4F7B
StringFromGUID2.OLE32(?,?,00000028), ref: 003F4FB6
SysAllocString.OLEAUT32(?), ref: 003F4FC4

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 4f7c317365fdb8f5dbf1cdd02ce0df07e8a00863ad47ab99358c8e54535e6c83
Instruction ID: f32c1814588ad0c6fd246d044ea9f29df0c33fbc00238da45bbfb2919b6ea5c7
Opcode Fuzzy Hash: 4f7c317365fdb8f5dbf1cdd02ce0df07e8a00863ad47ab99358c8e54535e6c83
Instruction Fuzzy Hash: 3931CA377002185BC7109B99EC49FBBF7A8EB99371F454276F709D7290DA709804C7A4

Function 00400E91 Relevance: 12.1, APIs: 8, Instructions: 104windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 00400EAB
GetDC.USER32(00000000), ref: 00400EB3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00400EBF
ReleaseDC.USER32(00000000,?), ref: 00400ECD
CreateFontW.GDI32(?,00000000,00000000,00000000,?,?,?,?,00000001,00000004,00000000,?,00000000,00000000), ref: 00400F17
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00400F2E
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00400F64
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00400F86

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: c41fed995fc5f7a799437a22ef201daeac428fe680eddd8b9adc281e42804998
Instruction ID: c65911335a5501d9483a5bd1681a1f1db5348a19d8e5df8f80d25ddea5d1b527
Opcode Fuzzy Hash: c41fed995fc5f7a799437a22ef201daeac428fe680eddd8b9adc281e42804998
Instruction Fuzzy Hash: DB31A0B52002057BEB14CF54CC85FAB37A8AB88B11F048165FE08EE2C5D6B4A841CB64

Function 0040B415 Relevance: 12.1, APIs: 8, Instructions: 102fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0040B433

Part of subcall function 003D14F7: _malloc.LIBCMT ref: 003D1511

ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0040B466
EnterCriticalSection.KERNEL32(?), ref: 0040B483
_memmove.LIBCMT ref: 0040B4E1
_memmove.LIBCMT ref: 0040B504
LeaveCriticalSection.KERNEL32(?), ref: 0040B513
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 0040B52F
InterlockedExchange.KERNEL32(?,000001F6), ref: 0040B544

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterLeave_malloc
String ID:
API String ID: 2737351978-0
Opcode ID: edefbb8897416af97120b4354811431534870fcf9431cf9defbad3117d98cf13
Instruction ID: 549588a9fbae40e91fc8fb1ad4299e8da3b5ab3d4ca98efca3094b6dae496dc4
Opcode Fuzzy Hash: edefbb8897416af97120b4354811431534870fcf9431cf9defbad3117d98cf13
Instruction Fuzzy Hash: 3A41AD75900309EBC720DF95D941EAFB7B8FF44700F00896AF5569A690D7B4EA44CB58

Function 003C1490 Relevance: 12.1, APIs: 8, Instructions: 86windowtimeCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003C14BC

Part of subcall function 003C1E00: _memset.LIBCMT ref: 003C1E90
Part of subcall function 003C1E00: _wcsncpy.LIBCMT ref: 003C1ED2
Part of subcall function 003C1E00: _wcscpy.LIBCMT ref: 003C1EF1
Part of subcall function 003C1E00: Shell_NotifyIconW.SHELL32(00000001,?), ref: 003C1F03

KillTimer.USER32(?,?,?,?,?), ref: 003C1513
SetTimer.USER32(?,?,000002EE,00000000), ref: 003C1522
Shell_NotifyIconW.SHELL32(?,000003A8), ref: 003E7BC8
Shell_NotifyIconW.SHELL32(?,000003A8), ref: 003E7C1C
Shell_NotifyIconW.SHELL32(?,000003A8), ref: 003E7C67

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: IconNotifyShell_$Timer_memset$Kill_wcscpy_wcsncpy
String ID:
API String ID: 1792922140-0
Opcode ID: b401f2a1c2d18bb80d472a83010e504ee08373730e840d38d3395ce889f9eada
Instruction ID: ae40bca6db7d10ba74a0839cefd0386c60eed7ad045fbae2f9589feec52ec9a2
Opcode Fuzzy Hash: b401f2a1c2d18bb80d472a83010e504ee08373730e840d38d3395ce889f9eada
Instruction Fuzzy Hash: E5319E70A08659AFEB67CB24CC85FE6FBBCBB47304F100199F18D96241C7705E848B92

Function 003D5134 Relevance: 12.1, APIs: 8, Instructions: 66threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 003D515A
__calloc_crt.LIBCMT ref: 003D5166
__getptd.LIBCMT ref: 003D5173
CreateThread.KERNEL32(00000000,?,003D50DB,00000000,00000004,00000000), ref: 003D519A
ResumeThread.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 003D51AA
GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 003D51B5
_free.LIBCMT ref: 003D51BE
__dosmaperr.LIBCMT ref: 003D51C9

Part of subcall function 003D7E9A: __getptd_noexit.LIBCMT ref: 003D7E9A

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
String ID:
API String ID: 3638380555-0
Opcode ID: e46d71e2edec99bef6d8f1475a582e3c1da46256b21425f45e2b2904fe3a32ec
Instruction ID: a2c13e8b5b3cfb279b09f8bfd8f382c09a1536d749052a2a39add25e4259c4e0
Opcode Fuzzy Hash: e46d71e2edec99bef6d8f1475a582e3c1da46256b21425f45e2b2904fe3a32ec
Instruction Fuzzy Hash: B511E537105B006BDB132BB5BC46B6B7B68EF82774F21061BF9245A7D2EBB188008665

Function 00439705 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 349COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00439786, 00439AAC
Not an Object type, xrefs: 00439761

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Variant$Copy$ClearErrorLast
String ID: NULL Pointer assignment$Not an Object type
API String ID: 2487901850-572801152
Opcode ID: 1a1b5cd5d54343431bbb18849c7a9077103b2bdb4b815fc3efc80c896db1bd9d
Instruction ID: 32d886bc4a5e02a4bb18580a363b6549e730760bdabfdf4b281d55defdb223f4
Opcode Fuzzy Hash: 1a1b5cd5d54343431bbb18849c7a9077103b2bdb4b815fc3efc80c896db1bd9d
Instruction Fuzzy Hash: 0DC18F75A00209ABDF14DF98C881FEEB7B9EF48304F50855AF905AB341D7B99D84CBA4

Function 0040045D Relevance: 10.8, APIs: 7, Instructions: 271windowCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000F), ref: 0040049C
MoveWindow.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004006D8
SendMessageW.USER32(?,00000142,00000000,0000FFFF), ref: 004006F7
InvalidateRect.USER32(?,00000000,00000001), ref: 0040071A
SendMessageW.USER32(?,00000469,?,00000000), ref: 0040074F
ShowWindow.USER32(?,00000000,?,00000469,?,00000000), ref: 00400772
DefDlgProcW.USER32(?,00000005,?,?), ref: 0040078C

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: MessageSendWindow$InvalidateMetricsMoveProcRectShowSystem
String ID:
API String ID: 1457242333-0
Opcode ID: 2266da3997ddb101befdb840e693e45bf68c57c0ab1fb1212cb02535c58e0698
Instruction ID: 75c1769f4449f3c0ddaec48042cbf4b221230848dd6ced3c48b17c820bf16b3a
Opcode Fuzzy Hash: 2266da3997ddb101befdb840e693e45bf68c57c0ab1fb1212cb02535c58e0698
Instruction Fuzzy Hash: D7B19070600619EFDB14CF68C984BBEB7F2FF88311F14852AE995A7280D778AA51CF54

Function 0042A821 Relevance: 10.8, APIs: 7, Instructions: 258registryCOMMON

Download Yara Rule

APIs

Part of subcall function 003C1D10: _wcslen.LIBCMT ref: 003C1D11
Part of subcall function 003C1D10: _memmove.LIBCMT ref: 003C1D57

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0042A90F

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: ConnectRegistry_memmove_wcslen
String ID:
API String ID: 15295421-0
Opcode ID: de52173484351571a23abc0c7dcb25003e3bdc707d886c8823466b093e981921
Instruction ID: 5bdf9283d785c24760c0f1d716b3208861d6063291680e43b3780f6dc2da0c65
Opcode Fuzzy Hash: de52173484351571a23abc0c7dcb25003e3bdc707d886c8823466b093e981921
Instruction Fuzzy Hash: 32A159712043019FD710EF24D886F6BB7E9AF84300F54891DFA859B292DB74ED05CB96

Function 0041F707 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 216windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003CF260: _wcslen.LIBCMT ref: 003CF262
Part of subcall function 003CF260: _wcscpy.LIBCMT ref: 003CF282

_memset.LIBCMT ref: 0041F7A8
GetMenuItemInfoW.USER32(?,00000000), ref: 0041F7D3
_wcslen.LIBCMT ref: 0041F8C1
SetMenuItemInfoW.USER32(00000011,00000000,00000000,?), ref: 0041F925

Part of subcall function 003D14F7: _malloc.LIBCMT ref: 003D1511

SetMenuDefaultItem.USER32(00000000,000000FF,00000000,?,00000000), ref: 0041F941

Strings

0, xrefs: 0041F7A0

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default_malloc_memset_wcscpy
String ID: 0
API String ID: 3994258497-4108050209
Opcode ID: ac36e3e0a08d8b553cf22b478fd7fdca363dd4514070405fd2eaca8441d9769a
Instruction ID: 6c05964dca5d0de529cd0b7fdb08bd1d90c9048fc062eb6dafc9330226684e6a
Opcode Fuzzy Hash: ac36e3e0a08d8b553cf22b478fd7fdca363dd4514070405fd2eaca8441d9769a
Instruction Fuzzy Hash: C86105B1604305ABD710EF68CC46BAB77A4AFD5310F044A3EF9948B291D778D88EC796

Function 00407273 Relevance: 10.7, APIs: 7, Instructions: 210COMMON

Download Yara Rule

APIs

Part of subcall function 004070BF: DeleteObject.GDI32(00000000), ref: 004070FC
Part of subcall function 004070BF: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 0040713C
Part of subcall function 004070BF: SelectObject.GDI32(?,00000000), ref: 0040714C
Part of subcall function 004070BF: BeginPath.GDI32(?), ref: 00407161
Part of subcall function 004070BF: SelectObject.GDI32(?,00000000), ref: 0040718A

Ellipse.GDI32(?,?,FFFFFFFE,00000000,00000000), ref: 004073E8
MoveToEx.GDI32(?,?,FFFFFFFE,00000000), ref: 004073F8
AngleArc.GDI32(?,?,FFFFFFFE,00000000), ref: 00407433
LineTo.GDI32(?,?,FFFFFFFE), ref: 0040743C
CloseFigure.GDI32(?), ref: 00407443
SetPixel.GDI32(?,?,FFFFFFFE,00000000), ref: 00407452
Rectangle.GDI32(?,?,FFFFFFFE,00000000), ref: 0040746E

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
String ID:
API String ID: 4082120231-0
Opcode ID: f66760b9e54e981f2748843b34b1a94168fc0087051175de69c742a0f0833152
Instruction ID: adb4bcf81ae530bde4e67a441b4dce817a00c2aed3ad51d73578b56214e47e0d
Opcode Fuzzy Hash: f66760b9e54e981f2748843b34b1a94168fc0087051175de69c742a0f0833152
Instruction Fuzzy Hash: C7713BB4904109EFDB04CF94C884EBEBBB9EF89310F248259F85567381C774AE41CBA6

Function 0043A628 Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003D14F7: _malloc.LIBCMT ref: 003D1511

Part of subcall function 0042F356: IsWindow.USER32(00000000), ref: 0042F386

GetMenu.USER32 ref: 0043A6BD
GetMenuItemCount.USER32(00000000), ref: 0043A709
GetMenuStringW.USER32(00000000,?,?,00007FFF,00000400), ref: 0043A73D
_wcslen.LIBCMT ref: 0043A758
GetMenuItemID.USER32(00000000,?), ref: 0043A79A
GetSubMenu.USER32(00000000,?), ref: 0043A7AC
PostMessageW.USER32(?,00000111,?,00000000), ref: 0043A83E

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Menu$Item$CountMessagePostStringWindow_malloc_wcslen
String ID:
API String ID: 3257027151-0
Opcode ID: 61ca41eb46df345f159bbeb2a889efaabc64c34a27e83bcdc75d9c141af3d165
Instruction ID: 6cae7accc5e4363d66a2f35b8185e7430b4ce6d53adeba3d7d81ccc7d824abea
Opcode Fuzzy Hash: 61ca41eb46df345f159bbeb2a889efaabc64c34a27e83bcdc75d9c141af3d165
Instruction Fuzzy Hash: F351D4725043019BC310EF65DC86B5BB7E8FF88324F044A2EF98997241D775E9548BA6

Function 004044D9 Relevance: 10.7, APIs: 7, Instructions: 170windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00404518
GetKeyboardState.USER32(?), ref: 0040452D
SetKeyboardState.USER32(?), ref: 00404581
PostMessageW.USER32(?,00000100,00000010,?), ref: 004045AE
PostMessageW.USER32(?,00000100,00000011,?), ref: 004045CC
PostMessageW.USER32(?,00000100,00000012,?), ref: 00404615
PostMessageW.USER32(?,00000100,0000005B,?), ref: 00404637

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 1770ae4e2720259cd992cdf981cc4109592186038950641155fc9756622cd9be
Instruction ID: 6d758e52e6c11f38d5692ffb100a7057d6c8da7ef83acc8a92c27c9082f88d41
Opcode Fuzzy Hash: 1770ae4e2720259cd992cdf981cc4109592186038950641155fc9756622cd9be
Instruction Fuzzy Hash: 9651D4E05087D539F73693688C45BB7BF946B86300F08869AF3D5265C2D3BCA894C7A9

Function 0043DD7C Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 170COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0043DE14
__snwprintf.LIBCMT ref: 0043DEAC
_wcscpy.LIBCMT ref: 0043DF3D

Strings

, $, xrefs: 0043DEEB
AUTOITCALLVARIABLE%d, xrefs: 0043DE9E
CALLARGARRAY, xrefs: 0043DE08

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: __snwprintf__wcsicoll_wcscpy
String ID: , $$AUTOITCALLVARIABLE%d$CALLARGARRAY
API String ID: 1729044348-3025626884
Opcode ID: b45a55460c618e67625f4a35f349aef0fea10724e2c119520d99775ea8471ec5
Instruction ID: 66c45ce17933c94f551a788b7d0fe9a63bf1a5feb2b8a82bf0416ddb07185010
Opcode Fuzzy Hash: b45a55460c618e67625f4a35f349aef0fea10724e2c119520d99775ea8471ec5
Instruction Fuzzy Hash: 6151AF72A002099BCB11EF94D882EEFB779EF48344F10451AF905AB242D775EE45CBE5

Function 00417BCA Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 158COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00417BEE
_memset.LIBCMT ref: 00417C9A
ShellExecuteExW.SHELL32(0000003C), ref: 00417CDE

Part of subcall function 003CF260: _wcslen.LIBCMT ref: 003CF262
Part of subcall function 003CF260: _wcscpy.LIBCMT ref: 003CF282

CloseHandle.KERNEL32(?), ref: 00417D80

Strings

<, xrefs: 00417CA5
@, xrefs: 00417CAC

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: _memset$CloseExecuteHandleShell_wcscpy_wcslen
String ID: <$@
API String ID: 1325244542-1426351568
Opcode ID: 23f1a8af65590c6e9d3d157ebc45352e43acb966b3f773cb12caeb849e397d7f
Instruction ID: c7aeaeda4512cc7ae788c7d2e0344aa723dd0f56d6f5a9873f01c622f5b19060
Opcode Fuzzy Hash: 23f1a8af65590c6e9d3d157ebc45352e43acb966b3f773cb12caeb849e397d7f
Instruction Fuzzy Hash: CB51B2769002089FCB10EFA4D986ADFB7B4EF04304F10856EE906AB341DB39AD85CBD4

Function 0042A645 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 157registryCOMMON

Download Yara Rule

APIs

Part of subcall function 003C1D10: _wcslen.LIBCMT ref: 003C1D11
Part of subcall function 003C1D10: _memmove.LIBCMT ref: 003C1D57

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0042A72B

Strings

dND, xrefs: 0042A686

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: ConnectRegistry_memmove_wcslen
String ID: dND
API String ID: 15295421-2949930476
Opcode ID: 8302000ac8af080ad23fe3c166f66c6e7261a9e44794b2068aff1bd42a8f113a
Instruction ID: 4cc9848d1b2df09db6c6d780ce66f6cb260e2f7a39193f45752eba0753efb302
Opcode Fuzzy Hash: 8302000ac8af080ad23fe3c166f66c6e7261a9e44794b2068aff1bd42a8f113a
Instruction Fuzzy Hash: 45513676208301AFD704EF64D881F6BB7B8AFC8700F50891DFA858B291DB74E904CB66

Function 004152F4 Relevance: 10.6, APIs: 7, Instructions: 149windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001308,?,00000000), ref: 00415314
ImageList_Remove.COMCTL32(?,?), ref: 00415348
SendMessageW.USER32(?,0000133D,?,00000002), ref: 00415430
DeleteObject.GDI32(?), ref: 004156AB
DeleteObject.GDI32(?), ref: 004156B9
DestroyIcon.USER32(?), ref: 004156C7
DestroyWindow.USER32(?), ref: 004156D5

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: DeleteDestroyMessageObjectSend$IconImageList_RemoveWindow
String ID:
API String ID: 2354583917-0
Opcode ID: 50da63c2d44706f05b74672efc56bdec8d620fa0fb8c4fc4d4a1a55ca1f8a007
Instruction ID: c30844b4ae57437cd268667e07543a6b79daf2a6786bb542b6e76795a3522204
Opcode Fuzzy Hash: 50da63c2d44706f05b74672efc56bdec8d620fa0fb8c4fc4d4a1a55ca1f8a007
Instruction Fuzzy Hash: 1551A174204A41DFC724DF24C594BE677E5FF89301F4486AAF999CB3A1D738A881CB68

Function 004289CA Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,0000110A,00000004,?), ref: 00428A1C
__itow.LIBCMT ref: 00428A59

Part of subcall function 00421996: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00421A0E

SendMessageW.USER32(00000000,0000110A,00000001,?), ref: 00428AC9
__itow.LIBCMT ref: 00428B23

Strings

@OD, xrefs: 00428A37
@OD, xrefs: 00428B01

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: MessageSend$__itow
String ID: @OD$@OD
API String ID: 3379773720-3548418013
Opcode ID: 412faebdba1b0b4bd2c3b95e6be71180aa95bebe9e0ede9ee6dd7a59d1728e8f
Instruction ID: 016a4afb93f3675ae0d30de2f76e3e534083c014ed5d439894584edfcae9ecdf
Opcode Fuzzy Hash: 412faebdba1b0b4bd2c3b95e6be71180aa95bebe9e0ede9ee6dd7a59d1728e8f
Instruction Fuzzy Hash: C0417371A002196BDB15EF54E882FEF77789F58340F40405EFA01AB242DB78AE46CBE5

Function 00409783 Relevance: 10.6, APIs: 7, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56f11318a97acc79a195a9eb127b99dfb2c2383dc6bf62001885af018bba80b1
Instruction ID: f830fe01691090abb61cb62ebfba214fd0390a1f175def8236fb0fc1f1349024
Opcode Fuzzy Hash: 56f11318a97acc79a195a9eb127b99dfb2c2383dc6bf62001885af018bba80b1
Instruction Fuzzy Hash: CF410336910114ABDB10EF58DC84FAA7764EB47320F1482BAF858BB3C2C7B45D42CB99

Function 00408783 Relevance: 10.6, APIs: 7, Instructions: 130windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00408816
SendMessageW.USER32(?,00000469,?,00000000), ref: 0040882C
EnableWindow.USER32(?,00000000), ref: 00408AB5
EnableWindow.USER32(?,00000001), ref: 00408ACB
ShowWindow.USER32(?,00000000), ref: 00408B41
ShowWindow.USER32(?,00000004), ref: 00408B4D
EnableWindow.USER32(?,00000001), ref: 00408B62

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Window$Enable$Show$MessageMoveSend
String ID:
API String ID: 896007046-0
Opcode ID: 87f6e0763170194fc0710e3f968e7f8560b1a620ba42926c84496c92e9989118
Instruction ID: 9328a766899a6cd44bb07270835ec5fbd12aa3f868494555e7ed898e42fe5609
Opcode Fuzzy Hash: 87f6e0763170194fc0710e3f968e7f8560b1a620ba42926c84496c92e9989118
Instruction Fuzzy Hash: 38418B742003409BE724CB24CA94BB777A0BB95705F18447EF9C1AB6E1DAB8A845CB59

Function 00400D1F Relevance: 10.6, APIs: 7, Instructions: 119windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00400D3F
GetWindowLongW.USER32(?,000000F0), ref: 00400D81
GetWindowLongW.USER32(?,000000F0), ref: 00400DC1
SendMessageW.USER32(03DD1AA8,000000F1,00000000,00000000), ref: 00400DF5
SendMessageW.USER32(03DD1AA8,000000F1,00000001,00000000), ref: 00400E21

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 25768c671390c704a425c08a3c90dc6a20a6a5a19ebea42c931bd1a9db0cb762
Instruction ID: d6909e45120535cea1a2aac1aabee48b4402aeebfeaba5ca6cff106cac72075d
Opcode Fuzzy Hash: 25768c671390c704a425c08a3c90dc6a20a6a5a19ebea42c931bd1a9db0cb762
Instruction Fuzzy Hash: D3414C382402119FC720DF58DC84F2673A5EF9A310F2441B9F515AB3E1DBB4B882DB68

Function 004083D9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 107windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004083FA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00408492
IsMenu.USER32(?), ref: 004084A6
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004084F4
DrawMenuBar.USER32 ref: 00408508

Strings

0, xrefs: 004083F3

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: cd81d6054bebe572c531599dd8ae15997aa69db54fb651f260e46f00f8ec84ec
Instruction ID: 3eee896c1ceea0684da9002fb35ddd55cd51d71d8ac5278f1907282681b89b3c
Opcode Fuzzy Hash: cd81d6054bebe572c531599dd8ae15997aa69db54fb651f260e46f00f8ec84ec
Instruction Fuzzy Hash: 5D419B75A00209EFCB10CF95E984B9BB7B5FF89304F10812EE945AB390DBB4A841CB65

Function 00428D67 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 100windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003C1D10: _wcslen.LIBCMT ref: 003C1D11
Part of subcall function 003C1D10: _memmove.LIBCMT ref: 003C1D57

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00428DF5
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00428E08
SendMessageW.USER32(?,00000189,00000000,00000000), ref: 00428E38

Part of subcall function 003C2390: _wcslen.LIBCMT ref: 003C239D
Part of subcall function 003C2390: _memmove.LIBCMT ref: 003C23C3

Strings

dND, xrefs: 00428E46
ComboBox, xrefs: 00428D73
ListBox, xrefs: 00428DAC

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: MessageSend$_memmove_wcslen
String ID: ComboBox$ListBox$dND
API String ID: 1589278365-1991566495
Opcode ID: b819332f10ffeeabad98b8248fa8dd5f10a66c12a17a5322a0bf1052bdaf7b7a
Instruction ID: 38fda0e28c3a142a8dd5de576c8c1ece55d454a62605512ee7c10f2939f261aa
Opcode Fuzzy Hash: b819332f10ffeeabad98b8248fa8dd5f10a66c12a17a5322a0bf1052bdaf7b7a
Instruction Fuzzy Hash: 5C310471A011547BDB10BB69AC46BEF77689B92320F54811BF8189F3C1CA389D4983A5

Function 00408A0B Relevance: 10.6, APIs: 7, Instructions: 98windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000401,?,00000000), ref: 00408A22
GetFocus.USER32 ref: 00408A28
EnableWindow.USER32(?,00000000), ref: 00408AB5
EnableWindow.USER32(?,00000001), ref: 00408ACB
ShowWindow.USER32(?,00000000), ref: 00408B41
ShowWindow.USER32(?,00000004), ref: 00408B4D
EnableWindow.USER32(?,00000001), ref: 00408B62

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Window$Enable$Show$FocusMessageSend
String ID:
API String ID: 3429747543-0
Opcode ID: 244fef56ccf220cfe0eb185eb5c77d22f82dc4f832d23de40db1a3bcc584c221
Instruction ID: c2e5e659787668c857c52077d08ddf425233940efe07707167ca6808c7ec2896
Opcode Fuzzy Hash: 244fef56ccf220cfe0eb185eb5c77d22f82dc4f832d23de40db1a3bcc584c221
Instruction Fuzzy Hash: 0431A0747443409BE724DF28C984BABB7E0ABA6305F08053EF9C1A63D1CBBC9845CB59

Function 00421C9F Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003F6759: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 003F676B

Part of subcall function 003C2390: _wcslen.LIBCMT ref: 003C239D
Part of subcall function 003C2390: _memmove.LIBCMT ref: 003C23C3

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00421CDE
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00421D0D
__itow.LIBCMT ref: 00421D1E
__itow.LIBCMT ref: 00421D62

Strings

dND, xrefs: 00421CB6
@OD, xrefs: 00421D36

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: MessageSend$__itow$_memmove_wcslen
String ID: @OD$dND
API String ID: 3055246884-4125053088
Opcode ID: 819b7347c352be91361d53b65dcfe659156c7b0bd9ae221cc4011efadfc76e06
Instruction ID: fe4068e45dbe860ed617c3c894b913016e97fb8537409b9a0aeb43f8805194b8
Opcode Fuzzy Hash: 819b7347c352be91361d53b65dcfe659156c7b0bd9ae221cc4011efadfc76e06
Instruction Fuzzy Hash: 0C210836700318ABD720EF69EC82EAF3368EBA5750F40406AFC14DB252C675EC5187B4

Function 003CF540 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 89COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 003CF548

Part of subcall function 003CF700: _memset.LIBCMT ref: 003CF708

Part of subcall function 003CF570: _memmove.LIBCMT ref: 003CF5B9

Part of subcall function 003CF570: _memmove.LIBCMT ref: 003CF5D3

_memset.LIBCMT ref: 003CF663
_memset.LIBCMT ref: 003CF66D
_memset.LIBCMT ref: 003CF67A
_sprintf.LIBCMT ref: 003CF69E

Strings

%02X, xrefs: 003CF698

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: _memset$_memmove$_sprintf_strlen
String ID: %02X
API String ID: 1823384282-436463671
Opcode ID: 2490a88a02cfed4dc983466f351cc4815c929613814855cc35398b415a8c4684
Instruction ID: af46ee6d1dcd946e88a11cd3c2828a3dcdea1b155031d87448c60652a3f81eb2
Opcode Fuzzy Hash: 2490a88a02cfed4dc983466f351cc4815c929613814855cc35398b415a8c4684
Instruction Fuzzy Hash: 50210772B002143BD712A768DC82F9BB39DEF51740F10043BF641DB282EE64AE1583A5

Function 0041D435 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0041D446
GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0041D4BC
__swprintf.LIBCMT ref: 0041D4D6
SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0041D51A

Strings

%lu, xrefs: 0041D4D0
dND, xrefs: 0041D4F1

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu$dND
API String ID: 3164766367-824759628
Opcode ID: 36c17976f769deb2fc21495ff35967a9be1839cba6ca756e5cfea8ea976a0dcd
Instruction ID: d635f0b3970cc73e43c7c1d32939e5e081d1821ce331bacfd97ffd2d05a85d80
Opcode Fuzzy Hash: 36c17976f769deb2fc21495ff35967a9be1839cba6ca756e5cfea8ea976a0dcd
Instruction Fuzzy Hash: 13313CB6A00209AFCB14EF94D985EEEB7B8FF48300F10856AF505AB251D774EE45CB94

Function 00410AF2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00410B5D
SendMessageW.USER32(00000000,00000409,00000000,FF000000), ref: 00410B6E
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00410B7C
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00410B8D
SendMessageW.USER32(00000000,00000404,00000001,00000000), ref: 00410B9B

Strings

Msctls_Progress32, xrefs: 00410B30

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Msctls_Progress32
API String ID: 3850602802-3636473452
Opcode ID: 2e478303f67926ef16fc37f22292ea60e5e77db256cbafb8c3aad0422dd8eb8f
Instruction ID: 71516c8e119f4cc0e0b6bb64fb7356048ad2c554f4556fe1f1a932f521eba3ae
Opcode Fuzzy Hash: 2e478303f67926ef16fc37f22292ea60e5e77db256cbafb8c3aad0422dd8eb8f
Instruction Fuzzy Hash: 8D21817135030477EB209EA9DC42F97B3A9AF94B24F21450AFB04A72D0C6F4F8818A58

Function 003F3EC5 Relevance: 10.6, APIs: 7, Instructions: 78processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 003F3EE2
Process32FirstW.KERNEL32(00000000,0000022C), ref: 003F3EF2
Process32NextW.KERNEL32(00000000,0000022C), ref: 003F3F1D
__wsplitpath.LIBCMT ref: 003F3F48

Part of subcall function 003D392E: __wsplitpath_helper.LIBCMT ref: 003D3970

_wcscat.LIBCMT ref: 003F3F5B
__wcsicoll.LIBCMT ref: 003F3F6B
CloseHandle.KERNEL32(00000000), ref: 003F3FA4

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
String ID:
API String ID: 2547909840-0
Opcode ID: f87a9e11a3683fade80a8428fe1f42243f4752126b7710c9a05cc90b4d10ecd6
Instruction ID: 77271c2cd96eb4a9cea7b837174263a416a6ba5def80ab434fab17f7ee6fa362
Opcode Fuzzy Hash: f87a9e11a3683fade80a8428fe1f42243f4752126b7710c9a05cc90b4d10ecd6
Instruction Fuzzy Hash: 93219776900209ABDB22DF54DC84FEAB7B8EB49300F1445D9F60997141EB71AF85CF60

Function 004154A6 Relevance: 10.6, APIs: 7, Instructions: 75windowCOMMON

Download Yara Rule

APIs

ImageList_Destroy.COMCTL32(?), ref: 004154AE
ImageList_Destroy.COMCTL32(?), ref: 004154BC
DestroyWindow.USER32(?), ref: 0041569D
DeleteObject.GDI32(?), ref: 004156AB
DeleteObject.GDI32(?), ref: 004156B9
DestroyIcon.USER32(?), ref: 004156C7
DestroyWindow.USER32(?), ref: 004156D5

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Destroy$DeleteImageList_ObjectWindow$Icon
String ID:
API String ID: 3985565216-0
Opcode ID: cd2b99fb9b380c5f5720e9fa42506e295cc38b733fa48c11c4af9f175ba143db
Instruction ID: aa801c52f771f0bcc667f09bfcb53ae1bb370dd4b7d07fc3e17ca7b4ada77530
Opcode Fuzzy Hash: cd2b99fb9b380c5f5720e9fa42506e295cc38b733fa48c11c4af9f175ba143db
Instruction Fuzzy Hash: 65213074300A01EFC720DF65D9C4A9A77AABF85310F908569F949CB355CB39EC81CB69

Function 004212A0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003C2390: _wcslen.LIBCMT ref: 003C239D
Part of subcall function 003C2390: _memmove.LIBCMT ref: 003C23C3

Part of subcall function 003F6406: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 003F6425
Part of subcall function 003F6406: GetWindowThreadProcessId.USER32(?,00000000), ref: 003F6438
Part of subcall function 003F6406: GetCurrentThreadId.KERNEL32 ref: 003F643F
Part of subcall function 003F6406: AttachThreadInput.USER32(00000000), ref: 003F6446

GetFocus.USER32 ref: 004212C7

Part of subcall function 003F6451: GetParent.USER32(?), ref: 003F645F
Part of subcall function 003F6451: GetParent.USER32(?), ref: 003F646B

GetClassNameW.USER32(?,?,00000100), ref: 00421310
EnumChildWindows.USER32(?,Function_00045A9E,?), ref: 0042133B
__swprintf.LIBCMT ref: 00421354

Strings

%s%d, xrefs: 0042134E
dND, xrefs: 004212B5

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Thread$Parent$AttachChildClassCurrentEnumFocusInputMessageNameProcessSendTimeoutWindowWindows__swprintf_memmove_wcslen
String ID: %s%d$dND
API String ID: 2645982514-1294106738
Opcode ID: 1c84bbb4df3872a7c561cbacbdded001e17d650a987e438a2e7a1bfda44a22bb
Instruction ID: 3879918634b605944badfada1fe18356be7e0bd7df58882fecfe9333f9c1a499
Opcode Fuzzy Hash: 1c84bbb4df3872a7c561cbacbdded001e17d650a987e438a2e7a1bfda44a22bb
Instruction Fuzzy Hash: AD21D575600718ABD711FF65DC86FEBB3ACEF46710F00801AF919D7251CA74A8058B74

Function 003F3DDA Relevance: 10.6, APIs: 7, Instructions: 69COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,?,?,?,00468178), ref: 003F3DFE
EnumProcessModules.PSAPI(00000000,?,00000004,?), ref: 003F3E11
GetModuleBaseNameW.PSAPI(00000000,?,?,00000104), ref: 003F3E28
__wsplitpath.LIBCMT ref: 003F3E52

Part of subcall function 003D392E: __wsplitpath_helper.LIBCMT ref: 003D3970

_wcscat.LIBCMT ref: 003F3E65
__wcsicoll.LIBCMT ref: 003F3E75
CloseHandle.KERNEL32(00000000), ref: 003F3EAD

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Process$BaseCloseEnumHandleModuleModulesNameOpen__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
String ID:
API String ID: 135935984-0
Opcode ID: 08ef8cd47bb8bb194d0ffbc228ff11c64f6b9764fad327e9bf9b239cb3f635d7
Instruction ID: e48e8d8e0edfd87997106c290d1d8a6fb045b52b6b3de8d930f59c35428d39c8
Opcode Fuzzy Hash: 08ef8cd47bb8bb194d0ffbc228ff11c64f6b9764fad327e9bf9b239cb3f635d7
Instruction Fuzzy Hash: D8215376500118ABDB12CF50DD84FEE73BDEF99300F104195FA1597150DA71AB858BA4

Function 003D3C9F Relevance: 10.6, APIs: 7, Instructions: 63threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 003D3CC4
__calloc_crt.LIBCMT ref: 003D3CD0
__getptd.LIBCMT ref: 003D3CDD
CreateThread.KERNEL32(?,?,003D3C3A,00000000,?,?), ref: 003D3D14
GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 003D3D1E
_free.LIBCMT ref: 003D3D27
__dosmaperr.LIBCMT ref: 003D3D32

Part of subcall function 003D7E9A: __getptd_noexit.LIBCMT ref: 003D7E9A

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
String ID:
API String ID: 155776804-0
Opcode ID: 87ac68d7f362ebf1def120b2f62327543c8d61678399f70cd8a6c78a663e5b95
Instruction ID: 87c8fd5831d47bd13aca072e780a27865c5c74038d49572543b7a10e2af43739
Opcode Fuzzy Hash: 87ac68d7f362ebf1def120b2f62327543c8d61678399f70cd8a6c78a663e5b95
Instruction Fuzzy Hash: 8C11E533208746AFD7127FA4FC4299B37A9EF11774B11042BF8149B352EB70CD018A62

Function 003F6BF8 Relevance: 10.5, APIs: 7, Instructions: 49threadCOMMON

Download Yara Rule

APIs

Part of subcall function 003F6AD7: GetProcessHeap.KERNEL32(00000008,0000000C,003F6C03), ref: 003F6ADB
Part of subcall function 003F6AD7: HeapAlloc.KERNEL32(00000000), ref: 003F6AE2

GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 003F6C12
GetCurrentProcess.KERNEL32(?,00000000), ref: 003F6C1B
DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 003F6C24
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00000000), ref: 003F6C30
GetCurrentProcess.KERNEL32(?,00000000,?,00000000), ref: 003F6C39
DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000), ref: 003F6C3C
CreateThread.KERNEL32(00000000,00000000,Function_00036BB5,00000000,00000000,00000000), ref: 003F6C54

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 8baa8174e58ba109ad11c45b372ba6149575e4ad598f52d8b9c3b5d048265611
Instruction ID: 1224249f5b317187f8c487583d1621e23c1bbff185426552b6ccebae702ba3da
Opcode Fuzzy Hash: 8baa8174e58ba109ad11c45b372ba6149575e4ad598f52d8b9c3b5d048265611
Instruction Fuzzy Hash: CC01CD752403187BE620EB65DC86F6B776CEB89B50F504415FA049B2D1C6B5E8008AA4

Function 003D0350 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 003D0385
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 003D03AE
ShowWindow.USER32(?,00000000), ref: 003D03C4
ShowWindow.USER32(?,00000000), ref: 003D03CE

Strings

edit, xrefs: 003D03A2
AutoIt v3, xrefs: 003D0379, 003D037E

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 2d9466c64e5dd1a08e7ef1419375679174cbe5fb8332f020118f23a68b7511f5
Instruction ID: 7c9d933a8ca398003f0ee3d4de47be3b99e91d673a7e0c7cd43239e44afc2815
Opcode Fuzzy Hash: 2d9466c64e5dd1a08e7ef1419375679174cbe5fb8332f020118f23a68b7511f5
Instruction Fuzzy Hash: 4EF017B1BC43187AF6308764BC43F562658A748F56F300436B700BB1D2E1E4B8408BDC

Function 003D3C3A Relevance: 10.5, APIs: 7, Instructions: 34threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 003D3C40

Part of subcall function 003D77D1: TlsGetValue.KERNEL32(?,003D792A,?,003D12DC,?,00000001), ref: 003D77DA
Part of subcall function 003D77D1: TlsSetValue.KERNEL32(00000000,?,003D12DC,?,00000001), ref: 003D77FB

___fls_getvalue@4.LIBCMT ref: 003D3C4B

Part of subcall function 003D77B1: TlsGetValue.KERNEL32(?,?,003D3C50,00000000), ref: 003D77BF

___fls_setvalue@8.LIBCMT ref: 003D3C5E
GetLastError.KERNEL32(00000000,?,00000000), ref: 003D3C67
ExitThread.KERNEL32 ref: 003D3C6E
GetCurrentThreadId.KERNEL32 ref: 003D3C74
__freefls@4.LIBCMT ref: 003D3C94

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
String ID:
API String ID: 259663610-0
Opcode ID: fae6ca8d643ab8c5d673b954379fb5be2d8365a481e39a88d41d2023b729c744
Instruction ID: dc6a063639c3923a4c30c98ea597dd22681d6abc07e0185e0638adf61236388f
Opcode Fuzzy Hash: fae6ca8d643ab8c5d673b954379fb5be2d8365a481e39a88d41d2023b729c744
Instruction Fuzzy Hash: 5FF0BBBB004300AFC706BFB1E949C1E7BA9AF493003218856F8059F322EB34DD42C7A6

Function 003F01F8 Relevance: 9.3, APIs: 6, Instructions: 255COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 003F0253
GetWindowRect.USER32(00000000,?), ref: 003F0283
GetClientRect.USER32(?,?), ref: 003F02D1
GetSystemMetrics.USER32(0000000F), ref: 003F031E
GetWindowRect.USER32(?,?), ref: 003F0330
ScreenToClient.USER32(?,?), ref: 003F0359

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Rect$Client$Window$MetricsScreenSystem
String ID:
API String ID: 3220332590-0
Opcode ID: b862624435734cce1e5dab88ab51df55ccd6670683a6493538a8a3ad514347aa
Instruction ID: 024a30a2911776d7fb46fb517093f6f679778165a68eff3a32bef7772d5cc3ff
Opcode Fuzzy Hash: b862624435734cce1e5dab88ab51df55ccd6670683a6493538a8a3ad514347aa
Instruction Fuzzy Hash: 4DA15A79A0070A9BCB24CFBDC5847EEB7B1FF58314F018529EAA9D3251E770A954CB50

Function 00417760 Relevance: 9.2, APIs: 6, Instructions: 217COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004177DA
_malloc.LIBCMT ref: 004177F0
_strcat.LIBCMT ref: 0041781B
_wcslen.LIBCMT ref: 00417851
_malloc.LIBCMT ref: 0041786A
_wcscpy.LIBCMT ref: 00417889

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: _malloc_wcslen$_strcat_wcscpy
String ID:
API String ID: 1612042205-0
Opcode ID: 53d064e9c85dd7d6fa659603b4ac40a7b9c9b4b020194d5c66462bf47c09ac58
Instruction ID: 8d2732b0462383dfa44a99c025a5691c152804bfd72cdfbeaa91aaa5f74dde0a
Opcode Fuzzy Hash: 53d064e9c85dd7d6fa659603b4ac40a7b9c9b4b020194d5c66462bf47c09ac58
Instruction Fuzzy Hash: 1F912AB4600205EFCB10DF69C4919AABBB5FF49300B50C65AEC4A8B346DB34F995CB95

Function 0040F149 Relevance: 9.2, APIs: 2, Strings: 3, Instructions: 422COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0040CF87
_strncmp.LIBCMT ref: 0040F9B9

Strings

U, xrefs: 0040FAFE
\, xrefs: 0040CFD7
>, xrefs: 0040F04E

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: _memmove_strncmp
String ID: >$U$\
API String ID: 2666721431-237099441
Opcode ID: 03fd6f44349e9715b2db13f58e2abe2e0300c67ee13ec228ecb03842bd9ec301
Instruction ID: 4e9ce61f348d22bc6acdab42add45a94556ea861091d245333018e44918e7585
Opcode Fuzzy Hash: 03fd6f44349e9715b2db13f58e2abe2e0300c67ee13ec228ecb03842bd9ec301
Instruction Fuzzy Hash: 65F181B0A00249CFDB24CF69C8906AEBBF1FF89314F24817ED855A7781D738A946CB55

Function 0040C48A Relevance: 9.2, APIs: 6, Instructions: 163windowkeyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0040C4E6
SetKeyboardState.USER32(00000080), ref: 0040C50A
PostMessageW.USER32(?,00000100,?,?), ref: 0040C54B
PostMessageW.USER32(?,00000104,?,?), ref: 0040C583
PostMessageW.USER32(?,00000102,?,00000001), ref: 0040C5A5
SendInput.USER32(00000001,?,0000001C), ref: 0040C638

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$InputSend
String ID:
API String ID: 2221674350-0
Opcode ID: e9b21e90e04ff9266365b1f604348734822791470e8fe38f495226fc4d0c381d
Instruction ID: c7d39ed1cfb6a66d967b4dedb6a95abc58d940affb546f87013898df3a27c72b
Opcode Fuzzy Hash: e9b21e90e04ff9266365b1f604348734822791470e8fe38f495226fc4d0c381d
Instruction Fuzzy Hash: 21515BB650011CB6DB10EFA99CC5BFF7B68AF86310F404267FE946A282C379D945C7A4

Function 00404AE1 Relevance: 9.2, APIs: 6, Instructions: 163COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 00404BE1
_wcscat.LIBCMT ref: 00404BE8
_wcscpy.LIBCMT ref: 00404BFC
_wcscpy.LIBCMT ref: 00404C30
_wcscat.LIBCMT ref: 00404C37
_wcscpy.LIBCMT ref: 00404C4B

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: _wcscpy$_wcscat
String ID:
API String ID: 2037614760-0
Opcode ID: 706feb602a716b1a9bbd63db9e10584bb7b91a31c41e107c340dd493754820c9
Instruction ID: 3bcbf6aa16a597afb2e32c01cc4d9767ce38b8c234e991c23e95822004698b81
Opcode Fuzzy Hash: 706feb602a716b1a9bbd63db9e10584bb7b91a31c41e107c340dd493754820c9
Instruction Fuzzy Hash: 684149B150011866CB31EF5998D2AFF7378DFD6310F40406BFA42AB342D779A992D3A9

Function 00411AB8 Relevance: 9.1, APIs: 6, Instructions: 144memoryCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00000000), ref: 00411B16
VariantCopy.OLEAUT32(?,?), ref: 00411B6E
VariantCopy.OLEAUT32(?,?), ref: 00411B84
VariantCopy.OLEAUT32(?,?), ref: 00411B9D
VariantClear.OLEAUT32(?), ref: 00411C17
SysAllocString.OLEAUT32(00000000), ref: 00411C30

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Variant$Copy$AllocClearErrorLastString
String ID:
API String ID: 960795272-0
Opcode ID: 12a0cf67bda34bc195c4fea37a9b212cb028d41ae22036a6a6e52582f7382418
Instruction ID: 35938de70b46a7c51f7c8f5ecef2521bf8e728ec9a214312a053e8bee380681d
Opcode Fuzzy Hash: 12a0cf67bda34bc195c4fea37a9b212cb028d41ae22036a6a6e52582f7382418
Instruction Fuzzy Hash: 59519E759042099FCB14DF64D881F9AB7B5FF48300F10826AE904AB361DB78AD45CBA5

Function 00407ACC Relevance: 9.1, APIs: 6, Instructions: 119COMMON

Download Yara Rule

APIs

BeginPaint.USER32(00000000,?), ref: 00407B03
GetWindowRect.USER32(?,?), ref: 00407B81
ScreenToClient.USER32(?,?), ref: 00407B9F
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00407BB2
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00407BF9
EndPaint.USER32(?,?), ref: 00407C37

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Paint$BeginClientRectRectangleScreenViewportWindow
String ID:
API String ID: 4189319755-0
Opcode ID: 8ced841f0e4a3b7df6c9a31d14f84306a5a7738e3c475138fc5bf0eec3328399
Instruction ID: d00eca04505a917db6d8439f08f53be99310a305f74d61ef281e57b6cf18d88e
Opcode Fuzzy Hash: 8ced841f0e4a3b7df6c9a31d14f84306a5a7738e3c475138fc5bf0eec3328399
Instruction Fuzzy Hash: 1D416D706082019FD710DF24C884F6B7BA8AB86724F04467EF9649B3E1DB74A845CB6A

Function 00400994 Relevance: 9.1, APIs: 6, Instructions: 111windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 00400A11
EnableWindow.USER32(?,00000000), ref: 00400A36
ShowWindow.USER32(?,00000000), ref: 00400A9F
ShowWindow.USER32(?,00000004), ref: 00400AB2
EnableWindow.USER32(?,00000001), ref: 00400AD7
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00400AFC

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: cd46d0ff8b5fed107fc901ac91394287541053e3e343b4e87bce915f0787b0f0
Instruction ID: 42fc2adae76b3e7c59b7f08f114258b94745588e3e484c7303e5a28fd67881b8
Opcode Fuzzy Hash: cd46d0ff8b5fed107fc901ac91394287541053e3e343b4e87bce915f0787b0f0
Instruction Fuzzy Hash: 5E412E347003409FDB25CF14C998BA67BE1BB55314F1981BAE999AB3E1C778A841CF18

Function 004094AE Relevance: 9.1, APIs: 6, Instructions: 96windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004094C1
SendMessageW.USER32 ref: 004094F1

Part of subcall function 003F0593: _wcspbrk.LIBCMT ref: 003F05A3

SendMessageW.USER32(?,00001074,?,?), ref: 00409551
_wcslen.LIBCMT ref: 00409566
_wcslen.LIBCMT ref: 00409573
SendMessageW.USER32(?,00001074,?,?), ref: 004095A7

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$_memset_wcspbrk
String ID:
API String ID: 1624073603-0
Opcode ID: 117183c2b0d8af9a849dc5b551e481a03a04a39c136c7cf1642d06821e9035a1
Instruction ID: 5f2153eb32994fe9ea0b3e1d2a152015c50ebe84b3a9489350b292b632f30090
Opcode Fuzzy Hash: 117183c2b0d8af9a849dc5b551e481a03a04a39c136c7cf1642d06821e9035a1
Instruction Fuzzy Hash: A93194B2900218ABDB24DF55EC80ADFB374FF94310F10466AF914AB3C1E7B59D958B91

Function 0040875D Relevance: 9.1, APIs: 6, Instructions: 92windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F1,?,00000000), ref: 00408778
EnableWindow.USER32(?,00000000), ref: 00408AB5
EnableWindow.USER32(?,00000001), ref: 00408ACB
ShowWindow.USER32(?,00000000), ref: 00408B41
ShowWindow.USER32(?,00000004), ref: 00408B4D
EnableWindow.USER32(?,00000001), ref: 00408B62

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Window$Enable$Show$MessageSend
String ID:
API String ID: 1871949834-0
Opcode ID: 5f7428e04000d78c3bf0b8205577aeb6cf3a2f63432b64173e4925f4195ed49c
Instruction ID: dae0bbf4e8cf43e41d3d0060002e035e5898f74851a677f0b45a528d5eaa5c7e
Opcode Fuzzy Hash: 5f7428e04000d78c3bf0b8205577aeb6cf3a2f63432b64173e4925f4195ed49c
Instruction Fuzzy Hash: 0B31CFB57403415BE7248F28C984BABB7E0ABA5345F08043EF9C1A62D1CBBC9849CA59

Function 004319F2 Relevance: 9.1, APIs: 6, Instructions: 79windowCOMMON

Download Yara Rule

APIs

ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 004319FF
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,00000000,?,00000001), ref: 00431A40
SendMessageW.USER32(?,00001303,00000000,00000000), ref: 00431A62
ImageList_ReplaceIcon.COMCTL32(?,?,?,?,00000000,?,00000001), ref: 00431A79
SendMessageW.USER32 ref: 00431A9D
DestroyIcon.USER32(?), ref: 00431AAE

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Icon$ImageList_MessageSend$CreateDestroyExtractReplace
String ID:
API String ID: 3611059338-0
Opcode ID: 57aa7b0f6eca6b648055c469a0c336760795202b9cc53e7595b3887bbcefcbc2
Instruction ID: c3d96c94286da211a29212307c888c2ca1eccb508fd2cc4300a2619786e3580d
Opcode Fuzzy Hash: 57aa7b0f6eca6b648055c469a0c336760795202b9cc53e7595b3887bbcefcbc2
Instruction Fuzzy Hash: CA21AE75600208AFDB10DF60DC89FBA73B8FF98701F50406EFA059B291DBB5A902CB64

Function 0041558B Relevance: 9.1, APIs: 6, Instructions: 78windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0041560A
DestroyWindow.USER32(?), ref: 0041569D
DeleteObject.GDI32(?), ref: 004156AB
DeleteObject.GDI32(?), ref: 004156B9
DestroyIcon.USER32(?), ref: 004156C7
DestroyWindow.USER32(?), ref: 004156D5

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: DestroyWindow$DeleteObject$IconMove
String ID:
API String ID: 1640429340-0
Opcode ID: b0c69c0d1ed8d4d9d4d2558e29d19350f9e82096edf69ef0bbc607aa2300ee84
Instruction ID: 5c0bddf4a89c3b6107b3a5faab9f545ec9c29c4a2856f23dc4da0ac554f36a1d
Opcode Fuzzy Hash: b0c69c0d1ed8d4d9d4d2558e29d19350f9e82096edf69ef0bbc607aa2300ee84
Instruction Fuzzy Hash: 90314874200A01DFDB14DF14C9C8BAA77FAFB85301F4085AAF949CB265D778E881CB69

Function 0040379E Relevance: 9.1, APIs: 6, Instructions: 76COMMON

Download Yara Rule

APIs

Part of subcall function 003CF260: _wcslen.LIBCMT ref: 003CF262
Part of subcall function 003CF260: _wcscpy.LIBCMT ref: 003CF282

_wcslen.LIBCMT ref: 004037D1
_wcslen.LIBCMT ref: 004037EA
_wcstok.LIBCMT ref: 004037FC
_wcslen.LIBCMT ref: 00403810
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0040381E
_wcstok.LIBCMT ref: 00403835

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: _wcslen$_wcstok$ExtentPoint32Text_wcscpy
String ID:
API String ID: 3632110297-0
Opcode ID: 930bd6f7014a8e6fbe03e7e6ae2a992f8a69bac63a5c01491ff314014231d8e6
Instruction ID: 5f684c2a92f43ba68398779e1a0fbab7fb30c82e8dcacc9d4c3eabc3d997beb8
Opcode Fuzzy Hash: 930bd6f7014a8e6fbe03e7e6ae2a992f8a69bac63a5c01491ff314014231d8e6
Instruction Fuzzy Hash: F121B0B29002086BCB11AF95DC829BFBBFCFF85311F14442AF859A7341D774EA5187A1

Function 004150DD Relevance: 9.1, APIs: 6, Instructions: 75windowCOMMON

Download Yara Rule

APIs

DestroyMenu.USER32(?), ref: 00415149
DestroyMenu.USER32(?), ref: 0041515F
DeleteObject.GDI32(?), ref: 004156AB
DeleteObject.GDI32(?), ref: 004156B9
DestroyIcon.USER32(?), ref: 004156C7
DestroyWindow.USER32(?), ref: 004156D5

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Destroy$DeleteMenuObject$IconWindow
String ID:
API String ID: 752480666-0
Opcode ID: 4b61ea9dbdbcf700eb97045733d2090cfc12fec929a431b7699450e109ccb1dd
Instruction ID: 084bcc4c95277df08b17c691b12a5bedd694613030fc3aefd2263873eb4a9e5c
Opcode Fuzzy Hash: 4b61ea9dbdbcf700eb97045733d2090cfc12fec929a431b7699450e109ccb1dd
Instruction Fuzzy Hash: B6216B34600A01EFC725DF24D988BE673A9BF85310F90855AF9498B351C778ECC1CBA9

Function 003F6E1E Relevance: 9.1, APIs: 6, Instructions: 75processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,?), ref: 003F6E53
OpenProcessToken.ADVAPI32(00000000), ref: 003F6E5A
CreateEnvironmentBlock.USERENV(?,?,00000001), ref: 003F6E6A
CloseHandle.KERNEL32(?), ref: 003F6E77
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,?,?,?,?), ref: 003F6EAD
DestroyEnvironmentBlock.USERENV(?), ref: 003F6EC0

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 7aec755cab5084c441b94bbad95a9caee05408a05ffbcb6476a15f3ed568bc48
Instruction ID: 36323c99d131219e920da106585820738559eeeabf7ca85ec2c4a6c3f97c7038
Opcode Fuzzy Hash: 7aec755cab5084c441b94bbad95a9caee05408a05ffbcb6476a15f3ed568bc48
Instruction Fuzzy Hash: 3C21497A600209ABDB15CF69DE49EEB77ADEF8A350F448119FE05A3250C674EC11CB64

Function 0041526F Relevance: 9.1, APIs: 6, Instructions: 72windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 004152D7
ImageList_Destroy.COMCTL32(?), ref: 004152E9
DeleteObject.GDI32(?), ref: 004156AB
DeleteObject.GDI32(?), ref: 004156B9
DestroyIcon.USER32(?), ref: 004156C7
DestroyWindow.USER32(?), ref: 004156D5

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Destroy$DeleteObjectWindow$IconImageList_
String ID:
API String ID: 3275902921-0
Opcode ID: 21568e11d0cefc8d132e722847d9bc60dfa41cbf9030b23e7a2bbcd1e6ed12a2
Instruction ID: 4106c4a0c0d54c79aea72d272f7dfb20a5ecb3553e7a004ce59f2a3f5806dd65
Opcode Fuzzy Hash: 21568e11d0cefc8d132e722847d9bc60dfa41cbf9030b23e7a2bbcd1e6ed12a2
Instruction Fuzzy Hash: 15214874600A01DFC714DF69D984AD6B7E5BB89310F50866AF959C7391C738E881CFA8

Function 0041563D Relevance: 9.1, APIs: 6, Instructions: 67windowCOMMON

Download Yara Rule

APIs

ImageList_Destroy.COMCTL32(?), ref: 00415645
DestroyWindow.USER32(?), ref: 0041569D
DeleteObject.GDI32(?), ref: 004156AB
DeleteObject.GDI32(?), ref: 004156B9
DestroyIcon.USER32(?), ref: 004156C7
DestroyWindow.USER32(?), ref: 004156D5

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Destroy$DeleteObjectWindow$IconImageList_
String ID:
API String ID: 3275902921-0
Opcode ID: 4b776a131042870c01686dac19dd229d5b93e639025e06ede8f7a09a9ed45e15
Instruction ID: 85a53b618f4a555aa72615df5732dc7a747ff3540d267dcb846df137aa71721b
Opcode Fuzzy Hash: 4b776a131042870c01686dac19dd229d5b93e639025e06ede8f7a09a9ed45e15
Instruction Fuzzy Hash: E6214C74200B01DFDB24DF25C984A9A77A8BF85310F90856AF959CB351CB79D881CBA9

Function 003F3187 Relevance: 9.1, APIs: 6, Instructions: 64sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,00468178), ref: 003F319E
QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,00468178), ref: 003F31B9
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,00468178), ref: 003F31C3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00468178), ref: 003F31CB
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,00468178), ref: 003F31D5

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 002b0bf4a2efee762ca54d63a4e23e3768e12f28b178a5d8e3c0ef33998dfee7
Instruction ID: 95791a7fc6a62bbbb6000f693922034b981d6c1ece79c4b39ff80c5a6b6898af
Opcode Fuzzy Hash: 002b0bf4a2efee762ca54d63a4e23e3768e12f28b178a5d8e3c0ef33998dfee7
Instruction Fuzzy Hash: C6119336D0411DABCF00AF99E9449EDB7B8FF49722F0145A5EA05A3204DB719A41CBA4

Function 0041551D Relevance: 9.1, APIs: 6, Instructions: 61windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 0041553C
SendMessageW.USER32(?,00001008,00000000,00000000), ref: 00415557
DeleteObject.GDI32(?), ref: 004156AB
DeleteObject.GDI32(?), ref: 004156B9
DestroyIcon.USER32(?), ref: 004156C7
DestroyWindow.USER32(?), ref: 004156D5

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: DeleteDestroyMessageObjectSend$IconWindow
String ID:
API String ID: 3691411573-0
Opcode ID: ca9348e0de8008a3f81b277dbb912b74b2cdc19a374ac411d3b7c5cad814666b
Instruction ID: c401224019a6664f2d5f9fc5d4e756ae29021f48dcc77250e93233e6082b8861
Opcode Fuzzy Hash: ca9348e0de8008a3f81b277dbb912b74b2cdc19a374ac411d3b7c5cad814666b
Instruction Fuzzy Hash: 3D11B271304701DBD710DF69EDC4A9677A8FB85321F404626FE08C72D0C775D8858BA8

Function 00407199 Relevance: 9.0, APIs: 6, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 004070BF: DeleteObject.GDI32(00000000), ref: 004070FC
Part of subcall function 004070BF: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 0040713C
Part of subcall function 004070BF: SelectObject.GDI32(?,00000000), ref: 0040714C
Part of subcall function 004070BF: BeginPath.GDI32(?), ref: 00407161
Part of subcall function 004070BF: SelectObject.GDI32(?,00000000), ref: 0040718A

MoveToEx.GDI32(?,?,?,00000000), ref: 004071C4
LineTo.GDI32(?,?,?), ref: 004071D0
MoveToEx.GDI32(?,?,?,00000000), ref: 004071DE
LineTo.GDI32(?,?,?), ref: 004071EA
EndPath.GDI32(?), ref: 004071FA
StrokePath.GDI32(?), ref: 00407208

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
String ID:
API String ID: 372113273-0
Opcode ID: 57a3321e96ef32a2c821349369a1a8f16a7584bbf4dfdf79a9afe1023a90b409
Instruction ID: bf4e06f75eeefc9b4b26f198178f8497bf1a039d5e82e4703b84a2ddcee43eb9
Opcode Fuzzy Hash: 57a3321e96ef32a2c821349369a1a8f16a7584bbf4dfdf79a9afe1023a90b409
Instruction Fuzzy Hash: 6901243A005114BBE3119B44EC4CFDF7B6CAF4A300F000229FA01A21C187F42900CBBE

Function 0040CBC7 Relevance: 9.0, APIs: 6, Instructions: 50COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0040CBE3
GetDeviceCaps.GDI32(00000000,00000058), ref: 0040CBEE
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0040CBFA
ReleaseDC.USER32(00000000,00000000), ref: 0040CC06
MulDiv.KERNEL32(000009EC,?,?), ref: 0040CC1E
MulDiv.KERNEL32(000009EC,?,?), ref: 0040CC2F

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 549f7cbb5c6cac66b69d3ed04cdfb6f6474601c34713cf3b3f2d97544a7688ed
Instruction ID: ada96e1565cf4de43ddb4d2e53d8cb7f764ae962f8b7c64c229a080cca0ac565
Opcode Fuzzy Hash: 549f7cbb5c6cac66b69d3ed04cdfb6f6474601c34713cf3b3f2d97544a7688ed
Instruction Fuzzy Hash: 6E014075600214BFE7109F95DD85F5A7B68FB55751F04802AFF08AB280D6B499008BA4

Function 003CF010 Relevance: 9.0, APIs: 6, Instructions: 40keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 003CF048
MapVirtualKeyW.USER32(00000010,00000000), ref: 003CF050
MapVirtualKeyW.USER32(000000A0,00000000), ref: 003CF05B
MapVirtualKeyW.USER32(000000A1,00000000), ref: 003CF066
MapVirtualKeyW.USER32(00000011,00000000), ref: 003CF06E
MapVirtualKeyW.USER32(00000012,00000000), ref: 003CF076

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 4e0958f6187ff479d2d387b0bb05f4693597edd8e19a56e6fdc8d2aee0977784
Instruction ID: 6cb6e0b9c6c64a99e479b687bf5dcfa89287c4fc9a32714e220cfb9988e1773d
Opcode Fuzzy Hash: 4e0958f6187ff479d2d387b0bb05f4693597edd8e19a56e6fdc8d2aee0977784
Instruction Fuzzy Hash: 61016770106B88ADD3309F668C84B43FEF8EF95704F01491DD1D907A52C6B5A84CCB69

Function 0040B5C7 Relevance: 9.0, APIs: 6, Instructions: 40synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 0040B5E1
EnterCriticalSection.KERNEL32(?), ref: 0040B5F2
TerminateThread.KERNEL32(?,000001F6), ref: 0040B600
WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0040B60E

Part of subcall function 003F25E5: CloseHandle.KERNEL32(00000000,00000000,?,0040B61A,00000000,?,000003E8,?,000001F6), ref: 003F25F3

InterlockedExchange.KERNEL32(?,000001F6), ref: 0040B623
LeaveCriticalSection.KERNEL32(?), ref: 0040B62A

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: b468f2218364d289c93a878f00723b2b012960dd1f5ed22e2bd37040e13190d1
Instruction ID: 0483b793ad6603d3751c085af1855f459f06c1e1220f17aea44256be45d0804c
Opcode Fuzzy Hash: b468f2218364d289c93a878f00723b2b012960dd1f5ed22e2bd37040e13190d1
Instruction Fuzzy Hash: 83F0AF76141201BBC201AB60EE88DABB77CFF46711B800536F60196590CBB5A421CBBA

Function 003D50DB Relevance: 9.0, APIs: 6, Instructions: 29threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 003D50E0

Part of subcall function 003D77D1: TlsGetValue.KERNEL32(?,003D792A,?,003D12DC,?,00000001), ref: 003D77DA
Part of subcall function 003D77D1: TlsSetValue.KERNEL32(00000000,?,003D12DC,?,00000001), ref: 003D77FB

___fls_getvalue@4.LIBCMT ref: 003D50EB

Part of subcall function 003D77B1: TlsGetValue.KERNEL32(?,?,003D3C50,00000000), ref: 003D77BF

___fls_setvalue@8.LIBCMT ref: 003D50FD
GetLastError.KERNEL32(00000000,?,00000000), ref: 003D5106
ExitThread.KERNEL32 ref: 003D510D
__freefls@4.LIBCMT ref: 003D5129

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
String ID:
API String ID: 442100245-0
Opcode ID: ad002a91dd314fe67003782e3d76c1680744ee5468a2545181b1743befb92f00
Instruction ID: f1370ba81db6b1849fcdf6073a4ce1c6858290bce86d86c4bbd5dfbe2e739fc2
Opcode Fuzzy Hash: ad002a91dd314fe67003782e3d76c1680744ee5468a2545181b1743befb92f00
Instruction Fuzzy Hash: 22F06C7A504700AFD706BF71E94AD1E7BA9AF483147218856B8048F327EB34D842CAA1

Function 00438357 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 228comCOMMON

Download Yara Rule

APIs

Part of subcall function 00402654: _wcslen.LIBCMT ref: 00402680

CoInitialize.OLE32(00000000), ref: 004383FC
CoCreateInstance.OLE32(00442A08,00000000,00000001,004428A8,?), ref: 00438415
CoUninitialize.OLE32 ref: 004385F6

Strings

dND, xrefs: 004383C9
.lnk, xrefs: 004383A5, 004383B8

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk$dND
API String ID: 886957087-1712397693
Opcode ID: fb89a00c18796bf6b74f7662b3e55475cdab8e33d96d23d4466861be2e8917b6
Instruction ID: f736806cb88f739cb3238d81bda7a80489679dac1789df4c1217c0f8b4816def
Opcode Fuzzy Hash: fb89a00c18796bf6b74f7662b3e55475cdab8e33d96d23d4466861be2e8917b6
Instruction Fuzzy Hash: 35812871244300AFE210EB64CC82F5AB3E5AF88714F14892DFA58DF2E1D6B5ED45CB96

Function 0041F9B8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0041FA20
GetMenuItemInfoW.USER32 ref: 0041FA3B
DeleteMenu.USER32(?,?,00000000), ref: 0041FA8C
DeleteMenu.USER32(00000000,?,00000000), ref: 0041FADF

Strings

0, xrefs: 0041FA18

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 8e3f7ae80fd596a5a9c21e750260b9bc6178ef1cb467e82d2a662b52fbfc91a1
Instruction ID: b9c5fc3de154a3292c5bab0ce01a096bf3a9c3a64cb601d6f2823de370ca14b7
Opcode Fuzzy Hash: 8e3f7ae80fd596a5a9c21e750260b9bc6178ef1cb467e82d2a662b52fbfc91a1
Instruction Fuzzy Hash: 3841A471604301AFD310DF25D844B5BB7A8BFD5324F14862EF9699B2C1D378E886CBA5

Function 00403346 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(?), ref: 00403376

Strings

nul, xrefs: 004033EC

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Handle
String ID: nul
API String ID: 2519475695-2873401336
Opcode ID: eeb3456d06daa6e5f643e91d758accb7939939747c7a6d2ff977a14c66414a0a
Instruction ID: 90397418790884a27580c7d4c29fe02499254cb96e8d35f2eeebd7ff4476032c
Opcode Fuzzy Hash: eeb3456d06daa6e5f643e91d758accb7939939747c7a6d2ff977a14c66414a0a
Instruction Fuzzy Hash: DB31B131600208ABD720DF68DC45BAB7BACEF45321F10465AFD50AB3C0EBB5DA50CBA5

Function 00403253 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00403281

Strings

nul, xrefs: 004032F8

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Handle
String ID: nul
API String ID: 2519475695-2873401336
Opcode ID: b35c9dd8c0117a771bcbadc228ccdb793cfc59837af257eabed46d7f80276ae9
Instruction ID: 69beabe856aec06578e91985e2b33cf5254ce5baaea92ce0e5dab6bc9c774756
Opcode Fuzzy Hash: b35c9dd8c0117a771bcbadc228ccdb793cfc59837af257eabed46d7f80276ae9
Instruction Fuzzy Hash: C7218131600204ABE720DF68DC45BABB7ACEF15320F10479EFDA0A63C0DBB59A50C795

Function 00400BD0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

SysAnimate32, xrefs: 00400C18

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID:
String ID: SysAnimate32
API String ID: 0-1011021900
Opcode ID: 1017994d86901b2fdff76c26561b9472116ac59dcabf566404441b7ee412fdee
Instruction ID: 31540f590c6187750627cc856af6ab83f821a194e7a7d48f4d3cd5f46edc8a7f
Opcode Fuzzy Hash: 1017994d86901b2fdff76c26561b9472116ac59dcabf566404441b7ee412fdee
Instruction Fuzzy Hash: 6F219775204204ABFB249F68DC85FAB339CEB95724F20472BF914A72C0D678EC418B68

Function 0042C57B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0041875F: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D204E858,00000000,00000000,00000000,00000000,?,?,?,00426CC2,?,00433B72,00433B72,?), ref: 0041877B

gethostbyname.WSOCK32(?,00000000,?,?), ref: 0042C5A6
WSAGetLastError.WSOCK32(00000000), ref: 0042C5B2
_memmove.LIBCMT ref: 0042C5EE
inet_ntoa.WSOCK32(?), ref: 0042C5FA

Strings

dND, xrefs: 0042C5C8

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide_memmovegethostbynameinet_ntoa
String ID: dND
API String ID: 2502553879-2949930476
Opcode ID: 20c2209cb65eda9325f5003bd6cf7d800a03f08df296afb14d865eafd888102c
Instruction ID: 9693dac0d1fd449fb21ec34ccee76c37f4e5a27a72e746fe91bb4da4753063b0
Opcode Fuzzy Hash: 20c2209cb65eda9325f5003bd6cf7d800a03f08df296afb14d865eafd888102c
Instruction Fuzzy Hash: BD216076A10208ABC700FBB4DD86DDFB7BCEF49314B50855AF901EB202DA35EE5187A5

Function 003CFEA7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

_strcat.LIBCMT ref: 003CFED3
_memmove.LIBCMT ref: 003CFEE2
__fread_nolock.LIBCMT ref: 003CFF02
_fseek.LIBCMT ref: 003CFF58

Strings

AU3!, xrefs: 003CFECD

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: __fread_nolock_fseek_memmove_strcat
String ID: AU3!
API String ID: 1268643489-3499719025
Opcode ID: d995055974ab43cd61165ce91abe6529a929ce6f6de9a67bcd6ac5ab0b3d95cf
Instruction ID: ca5ff845c61a7cb751b16cf9c4f74f58ccd380237f05f6a67aed1888102081ad
Opcode Fuzzy Hash: d995055974ab43cd61165ce91abe6529a929ce6f6de9a67bcd6ac5ab0b3d95cf
Instruction Fuzzy Hash: A01126329042546FCB12CB6488C1FED7B66AF0A300F2845ADF955DB282DA70AA44CBA1

Function 0042277D Relevance: 7.7, APIs: 5, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 708dab46e181a718630dd45bb9673bfc3fb4fd4f9c579feaca0b90717e501591
Instruction ID: 6d1e0de578ced1c5c06306f51c2e69c65a1826ae82e66e8060462018d6a2dc45
Opcode Fuzzy Hash: 708dab46e181a718630dd45bb9673bfc3fb4fd4f9c579feaca0b90717e501591
Instruction Fuzzy Hash: 83819D74704214BBDB24DF54E980FABB7A8EF49310F90814FF9859B340D6B8A981DB69

Function 00435761 Relevance: 7.7, APIs: 5, Instructions: 220COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?), ref: 00435807
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00435815
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00435839
CloseHandle.KERNEL32(00000000), ref: 00435A07

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 67d1bc180988fac5fde113a22a2c0027dd1ad4130f1d78bad05cb2386894f532
Instruction ID: ca12d0fac5e9d76d333a87ebd6f56f09392713c19df0dfb15b3d79bdd8f87e97
Opcode Fuzzy Hash: 67d1bc180988fac5fde113a22a2c0027dd1ad4130f1d78bad05cb2386894f532
Instruction Fuzzy Hash: 58815BB1A043029FD310EF64C886B0BBBE4AF88750F14892EF599DB391D675ED44CB96

Function 003D49DA Relevance: 7.7, APIs: 5, Instructions: 160COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 003D4A35
_memcpy_s.LIBCMT ref: 003D4AA6
__read.LIBCMT ref: 003D4B09
__filbuf.LIBCMT ref: 003D4B25

Part of subcall function 003D7E9A: __getptd_noexit.LIBCMT ref: 003D7E9A

_memset.LIBCMT ref: 003D4B66

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_memcpy_s
String ID:
API String ID: 4048096073-0
Opcode ID: da0022d54c5017018d13ecc256ab2e01e62d99c0ac8aad504544f68f7f230e75
Instruction ID: 358e4b57cf384128ef2de1100b782c37ac8fcfc4b723c120c8ef491d527975b0
Opcode Fuzzy Hash: da0022d54c5017018d13ecc256ab2e01e62d99c0ac8aad504544f68f7f230e75
Instruction Fuzzy Hash: 5C510633A00305DBCB228FB9A84469EB7B5EF50320F25826BE865A7390E330DE54DB54

Function 0040C2F0 Relevance: 7.6, APIs: 5, Instructions: 145windowkeyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0040C348
SetKeyboardState.USER32(00000080), ref: 0040C36C
PostMessageW.USER32(00000000,00000101,?,?), ref: 0040C3B0
PostMessageW.USER32(00000000,00000105,?,?), ref: 0040C3E8
SendInput.USER32(00000001,?,0000001C), ref: 0040C475

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: KeyboardMessagePostState$InputSend
String ID:
API String ID: 3031425849-0
Opcode ID: 8f76e4cfc8cd1e7e2f5df1e696acf86d1ede871df12cf0152707b2c72318c710
Instruction ID: 4ff912f06b5c1166732f0571a948ff70578e711c30290423f9cb12b9af8843e2
Opcode Fuzzy Hash: 8f76e4cfc8cd1e7e2f5df1e696acf86d1ede871df12cf0152707b2c72318c710
Instruction Fuzzy Hash: AB414C7251024CAADB10EF69D8C5BFF7B68EF46310F40C267FD846A282C379D9558BA4

Function 0042444F Relevance: 7.6, APIs: 5, Instructions: 145libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(00000000,?,?,?), ref: 0042449A
GetProcAddress.KERNEL32(?,?), ref: 00424534
GetProcAddress.KERNEL32(?,00000000), ref: 00424553
GetProcAddress.KERNEL32(?,?), ref: 00424597
FreeLibrary.KERNEL32(?,?,?,?), ref: 004245B9

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: AddressProc$Library$FreeLoad
String ID:
API String ID: 2449869053-0
Opcode ID: 380ac4d0f18998bf66b438586a661bdf6a9e5985a3a8dd27a445d8e6c9fdceb3
Instruction ID: 1b64d53ca4a3732d1994bcd86686e502be3b90ddc60c368da43e694ed788eaa2
Opcode Fuzzy Hash: 380ac4d0f18998bf66b438586a661bdf6a9e5985a3a8dd27a445d8e6c9fdceb3
Instruction Fuzzy Hash: D9517EB5600214AFCB00EF64D881EAEB7B8EF89310F54815AFE05AB351C734ED41CB94

Function 00416308 Relevance: 7.6, APIs: 5, Instructions: 130keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 0041631D
ScreenToClient.USER32(?,?), ref: 0041633A
GetAsyncKeyState.USER32(?), ref: 00416377
GetAsyncKeyState.USER32(?), ref: 00416387
GetWindowLongW.USER32(?,000000F0), ref: 004163DD

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorLongScreenWindow
String ID:
API String ID: 3539004672-0
Opcode ID: 43fe64a106781becb963be0e0da1b115daab529b95bf59011efb98ec267ffcd7
Instruction ID: ce18972e6d6857f925ab474e8cb1766d83672cabf28293e31baae3c4537ac107
Opcode Fuzzy Hash: 43fe64a106781becb963be0e0da1b115daab529b95bf59011efb98ec267ffcd7
Instruction Fuzzy Hash: 1A413D75504214BBDB24CF65C884EEBBBB9EF45320F21465EF86593390CB34E980DB68

Function 0043D3C9 Relevance: 7.6, APIs: 5, Instructions: 120sleepCOMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(00467F04), ref: 0043D3F2
InterlockedDecrement.KERNEL32(00467F04), ref: 0043D407
Sleep.KERNEL32(0000000A), ref: 0043D40F
InterlockedIncrement.KERNEL32(00467F04), ref: 0043D41A
InterlockedDecrement.KERNEL32(00467F04), ref: 0043D524

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Interlocked$DecrementIncrement$Sleep
String ID:
API String ID: 327565842-0
Opcode ID: 974a51430418e7a2c0ed64c07dee04269c60074abdc7d070c0d8b2f882c66e1c
Instruction ID: 88156da8704b1fbc19b00b11c600615c59a2807a85c2c7df763b9878359e43ec
Opcode Fuzzy Hash: 974a51430418e7a2c0ed64c07dee04269c60074abdc7d070c0d8b2f882c66e1c
Instruction Fuzzy Hash: B341F271A002099BDB05DF64EDD5EAE7378EB58304F50412AF601EB351E778ED05CBAA

Function 0041C3AE Relevance: 7.6, APIs: 5, Instructions: 118COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000000,?,?,00007FFF), ref: 0041C43C
GetPrivateProfileSectionW.KERNEL32(00000000,00000003,?,00000003), ref: 0041C464
WritePrivateProfileSectionW.KERNEL32(00000000,00000003,?), ref: 0041C4B0
WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000), ref: 0041C4D4
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0041C4E3

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 051d240b5bf3d6c08c5618ea7149fbc0c119074ab493fbfbaa56db7091e68234
Instruction ID: 5b8bdf4767a33a8fdc639f515447eb813d0e848876f7ba77c81a14406f89b428
Opcode Fuzzy Hash: 051d240b5bf3d6c08c5618ea7149fbc0c119074ab493fbfbaa56db7091e68234
Instruction Fuzzy Hash: 034151B6A00209BBDB10EFA5DC89FAAB3A8BF44304F04859DF9059B241DB75EE44CB54

Function 00401C02 Relevance: 7.6, APIs: 5, Instructions: 108registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00401C30
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00401C64
RegCloseKey.ADVAPI32(?), ref: 00401C85
RegDeleteKeyW.ADVAPI32(?,?), ref: 00401CC7
RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00401CF5

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Enum$CloseDeleteOpen
String ID:
API String ID: 2095303065-0
Opcode ID: 1f8ecdc9ea4514a7be58dec5866ac24d17f93df95b0211685dffd987d7e4a94e
Instruction ID: 7167200885304eb5496adb7ce0c83bad16845f2819c2630647f1d3d92d5b6b00
Opcode Fuzzy Hash: 1f8ecdc9ea4514a7be58dec5866ac24d17f93df95b0211685dffd987d7e4a94e
Instruction Fuzzy Hash: 48315EB6900108BAEB10DBD4EC85FFEB7BCEF49304F54456AF605A7181E674AE448BA4

Function 003F6995 Relevance: 7.6, APIs: 5, Instructions: 103COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 003F69AE

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: RectWindow
String ID:
API String ID: 861336768-0
Opcode ID: 28249db4b92e88edeed64f12f86e7ec33318a794aee73aaa92a425aadee653ca
Instruction ID: d3aa3ce8fd4cbfd58978a1df16de5f66c9604d1a2923e75a3c864f5d7c9fd431
Opcode Fuzzy Hash: 28249db4b92e88edeed64f12f86e7ec33318a794aee73aaa92a425aadee653ca
Instruction Fuzzy Hash: E031B97260021E9FDB00CF68D989ABE7BA5EB45324F118225FD24DB381D770ED51CB90

Function 004077D0 Relevance: 7.6, APIs: 5, Instructions: 96windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00407806
TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 00407820
DefDlgProcW.USER32(?,0000007B,?,?), ref: 00407841
GetCursorPos.USER32(00000000), ref: 0040788E
TrackPopupMenuEx.USER32(?,00000000,00000000,?,?,00000000), ref: 004078B5

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: CursorMenuPopupTrack$Proc
String ID:
API String ID: 1300944170-0
Opcode ID: 56a81ee48ac901a2c71bb5f867cb4f5eeaabf82226b110d6305a8f8112e73e8f
Instruction ID: 4183de8c8d978e902a1ea4d6d72052247f087e5ee8d1bb1be49e08fa10a4ef6d
Opcode Fuzzy Hash: 56a81ee48ac901a2c71bb5f867cb4f5eeaabf82226b110d6305a8f8112e73e8f
Instruction Fuzzy Hash: BF31F536A00108AFD724DF58DC88FAB7778EB89311F10816AF60497391DBB57C52CBA5

Function 004078C4 Relevance: 7.6, APIs: 5, Instructions: 96COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 004078F0
GetCursorPos.USER32(?), ref: 004078FB
ScreenToClient.USER32(?,?), ref: 00407917
WindowFromPoint.USER32(?,?), ref: 00407958
DefDlgProcW.USER32(?,00000020,?,?), ref: 004079D1

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Client$CursorFromPointProcRectScreenWindow
String ID:
API String ID: 1822080540-0
Opcode ID: 0203b52038e59472512bd542d2f8a50163db8cb9bcba6aea5b699750e903bed6
Instruction ID: 0794c57c129004ae77797584ed65ec559a443e8cebab4b5ad268534029a1b4b0
Opcode Fuzzy Hash: 0203b52038e59472512bd542d2f8a50163db8cb9bcba6aea5b699750e903bed6
Instruction Fuzzy Hash: 8F319C74608205AFD710DF19D884A7B73A8FBC9314F144A2EF99097291D778E846CBA7

Function 00407B15 Relevance: 7.6, APIs: 5, Instructions: 95COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00407B81
ScreenToClient.USER32(?,?), ref: 00407B9F
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00407BB2
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00407BF9
EndPaint.USER32(?,?), ref: 00407C37

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: ClientPaintRectRectangleScreenViewportWindow
String ID:
API String ID: 659298297-0
Opcode ID: 52a1c8a2827ed176f104ca6a87c2c14729da4bfa1953b383daa94587bd5d4b40
Instruction ID: 984bb0ae96038f0008067d1dcd2a6704b1ec864cb4663b07806e832b4be0b072
Opcode Fuzzy Hash: 52a1c8a2827ed176f104ca6a87c2c14729da4bfa1953b383daa94587bd5d4b40
Instruction Fuzzy Hash: AD316F706083019FD320CF25C884F7B7BE8AB85724F04467EF9A4972E1D7B4A8448B6A

Function 00408743 Relevance: 7.6, APIs: 5, Instructions: 89COMMON

Download Yara Rule

APIs

EnableWindow.USER32(?,00000000), ref: 00408AB5
EnableWindow.USER32(?,00000001), ref: 00408ACB
ShowWindow.USER32(?,00000000), ref: 00408B41
ShowWindow.USER32(?,00000004), ref: 00408B4D
EnableWindow.USER32(?,00000001), ref: 00408B62

Part of subcall function 00400D1F: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00400D3F
Part of subcall function 00400D1F: GetWindowLongW.USER32(?,000000F0), ref: 00400D81
Part of subcall function 00400D1F: GetWindowLongW.USER32(?,000000F0), ref: 00400DC1
Part of subcall function 00400D1F: SendMessageW.USER32(03DD1AA8,000000F1,00000000,00000000), ref: 00400DF5
Part of subcall function 00400D1F: SendMessageW.USER32(03DD1AA8,000000F1,00000001,00000000), ref: 00400E21

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Window$EnableMessageSend$LongShow
String ID:
API String ID: 142311417-0
Opcode ID: b4b614f1ce279ccc4030b48580f25708a7bb86667adf5f427386dae997f1aa54
Instruction ID: a2623fbb7db5a509849948b59f4a59adb15eeab2eb277bde46b54aef4c9fa61e
Opcode Fuzzy Hash: b4b614f1ce279ccc4030b48580f25708a7bb86667adf5f427386dae997f1aa54
Instruction Fuzzy Hash: D721B4B57443405BE7258F28C985BABB7E0ABA5345F08043FF9C1A63D1CBBC9845CA59

Function 003CF3B0 Relevance: 7.6, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(003CF1FC), ref: 003CF3BD
SHGetDesktopFolder.SHELL32(?,004690E8), ref: 003CF3D2
_wcsncpy.LIBCMT ref: 003CF3ED
SHGetPathFromIDListW.SHELL32(?,?), ref: 003CF427
_wcsncpy.LIBCMT ref: 003CF440

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: _wcsncpy$DesktopFolderFromListMallocPath
String ID:
API String ID: 3170942423-0
Opcode ID: b254eceb3bf9402161267fac92bdf248a58148978bb5dbd36188272b12951db6
Instruction ID: df6c57db3ad97f07052d4c57109c6d2e1bf2aacfc3928b580b34d0d417a3655c
Opcode Fuzzy Hash: b254eceb3bf9402161267fac92bdf248a58148978bb5dbd36188272b12951db6
Instruction Fuzzy Hash: 60218276A01619AFCB14EBA4DC84DEFB37DEF88700F108698F905D7210E670AE41CBA0

Function 004093FE Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001002,00000000,?), ref: 004093D0
_memset.LIBCMT ref: 0040940E

Part of subcall function 003F0593: _wcspbrk.LIBCMT ref: 003F05A3

SendMessageW.USER32(?,00001060,00000000,00000004), ref: 00409460
_wcslen.LIBCMT ref: 00409472
_wcslen.LIBCMT ref: 0040947F

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: MessageSend_wcslen$_memset_wcspbrk
String ID:
API String ID: 1843234404-0
Opcode ID: 8577b0eaf09ed70658d5bb5de3d322cc805ab8a08a95499dc684ff19603f70ad
Instruction ID: 499d6ea12c2b6c5863cb8ab849780285873558bedd99cebce5d610b844c1ded1
Opcode Fuzzy Hash: 8577b0eaf09ed70658d5bb5de3d322cc805ab8a08a95499dc684ff19603f70ad
Instruction Fuzzy Hash: 90213A7760020896D730DF95EC81BEFB368EBA0310F10413FFE049A282E6B54D95C795

Function 00415071 Relevance: 7.6, APIs: 5, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89a86b66caceadebed0118ce48e6a444d0f0a783797bc24a0c87b2c688fe1d0f
Instruction ID: f015c84e13cdc8c58a14b25dff7b84710bf58f81dad69e27ea4b2e87e1ced381
Opcode Fuzzy Hash: 89a86b66caceadebed0118ce48e6a444d0f0a783797bc24a0c87b2c688fe1d0f
Instruction Fuzzy Hash: 3A21ED75200601DBCB10EF29D9C4CAB77A8EF8A320B40426AFE5587391CB34EC45CBA9

Function 00405776 Relevance: 7.6, APIs: 5, Instructions: 78windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040577F
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00405799
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004057D3
_wcslen.LIBCMT ref: 00405801
CharUpperBuffW.USER32(00000000,00000000), ref: 0040580B

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen
String ID:
API String ID: 3087257052-0
Opcode ID: 8ee80aeaf3ed93ae0eef8473fba6110b770af8de036a10ffe83203c6a575a439
Instruction ID: 677940fe3fe590d9a9ef03392d6729287eec1a718cee4ac1eb105c60cf86487c
Opcode Fuzzy Hash: 8ee80aeaf3ed93ae0eef8473fba6110b770af8de036a10ffe83203c6a575a439
Instruction Fuzzy Hash: D3110A7760151177E711A764AC06F6BB78CEF65360F048036F809EB380EB79E94587A9

Function 00419EDE Relevance: 7.6, APIs: 5, Instructions: 73COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00419F00
GetForegroundWindow.USER32 ref: 00419F18
GetDC.USER32(00000000), ref: 00419F55
GetPixel.GDI32(00000000,?,00000003), ref: 00419F60
ReleaseDC.USER32(00000000,00000000), ref: 00419F9C

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: d54def006a5fc93a7350c86fb2b9f1670656c81c848c4e6fc0141d2afe18efb7
Instruction ID: 5f43b515c9772eab88610e0915f2f0fac3549129c52ef1479b67d2bcefcf2f05
Opcode Fuzzy Hash: d54def006a5fc93a7350c86fb2b9f1670656c81c848c4e6fc0141d2afe18efb7
Instruction Fuzzy Hash: 3D21BE76A00101ABC704EBA4C949AAAB7A9FF85300F598579F90ADB741CB74EC00CB94

Function 00425005 Relevance: 7.6, APIs: 5, Instructions: 72networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00424E62: inet_addr.WSOCK32(?), ref: 00424E86

socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 0042503B
WSAGetLastError.WSOCK32(00000000), ref: 0042504A
connect.WSOCK32(00000000,?,00000010), ref: 00425083
WSAGetLastError.WSOCK32(00000000), ref: 004250AA
closesocket.WSOCK32(00000000,00000000), ref: 004250BE

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: ErrorLast$closesocketconnectinet_addrsocket
String ID:
API String ID: 245547762-0
Opcode ID: 7fc7f56b00bcc6e963acdf247f826eebaab089faa2d5483d6dfad8eca9efc9d6
Instruction ID: 058c18b60d317fa1ca59b799da66adc2bf7342937a925d2abd07f9ac64719ba0
Opcode Fuzzy Hash: 7fc7f56b00bcc6e963acdf247f826eebaab089faa2d5483d6dfad8eca9efc9d6
Instruction Fuzzy Hash: BF21C3322001109FD310EF68EC4AF6AB7E8EF45720F44825EF955DB291CBB4AC418799

Function 004070BF Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 004070FC
ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 0040713C
SelectObject.GDI32(?,00000000), ref: 0040714C
BeginPath.GDI32(?), ref: 00407161
SelectObject.GDI32(?,00000000), ref: 0040718A

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Object$Select$BeginCreateDeletePath
String ID:
API String ID: 2338827641-0
Opcode ID: 41250485d5e421a674337651a38570fb731b261eacda1b05891e03d021081574
Instruction ID: 25f06d961b79e062df147e41fbbf21fc7b283ecddf7cb024e77dabe08b5c9b67
Opcode Fuzzy Hash: 41250485d5e421a674337651a38570fb731b261eacda1b05891e03d021081574
Instruction Fuzzy Hash: EA213E75C052159BC710DF69DD48A9A7BA8AB09310F10427BF924E73E1E7B4A841CBAE

Function 003DF619 Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 003DF627

Part of subcall function 003D34DB: __FF_MSGBANNER.LIBCMT ref: 003D34F4
Part of subcall function 003D34DB: __NMSG_WRITE.LIBCMT ref: 003D34FB
Part of subcall function 003D34DB: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,003D6A35,?,00000001,?,?,003D8179,00000018,0044D180,0000000C,003D8209), ref: 003D3520

_free.LIBCMT ref: 003DF63A

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 31e1cd470dbdfc45039fd6eae84cb604cc32e3fca51e6d10270697f22bfe7927
Instruction ID: 8cb03330ca878961bed5ce3fd979aa9f2689128b7e55d4384656077aac37740f
Opcode Fuzzy Hash: 31e1cd470dbdfc45039fd6eae84cb604cc32e3fca51e6d10270697f22bfe7927
Instruction Fuzzy Hash: 7E11E733544614AFCB233F74B84565A3758EF453A1B624437F84A9EB61EB74CC40C664

Function 003F4569 Relevance: 7.6, APIs: 5, Instructions: 61sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 003F457F
QueryPerformanceCounter.KERNEL32(?), ref: 003F459C
Sleep.KERNEL32(00000000), ref: 003F45BB
QueryPerformanceCounter.KERNEL32(?), ref: 003F45C5

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: c843eb10fb3679297e4f5cc030aadf60f2f422ff9230c6f366e2f6d6ee9f22ae
Instruction ID: 8c6c6100bad17b8bf220df4775cadbea651fd9a0e866eb28729443a44d4d66ac
Opcode Fuzzy Hash: c843eb10fb3679297e4f5cc030aadf60f2f422ff9230c6f366e2f6d6ee9f22ae
Instruction Fuzzy Hash: 82116036D0052DD7CF01AF99E944AEEBB78FF56721F004166EA04A6240CA3095618BE5

Function 0042094D Relevance: 7.5, APIs: 5, Instructions: 48windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00420963
GetWindowTextW.USER32(00000000,?,00000100), ref: 0042097A
MessageBeep.USER32(00000000), ref: 00420992
KillTimer.USER32(?,0000040A), ref: 004209B4
EndDialog.USER32(?,00000001), ref: 004209CF

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: c55baebb3a20e5e0bf7fc85564de9845e2be49cb0bb7289eb5b02009b7ebdfc6
Instruction ID: 26033758b45286ee52ca723df42689f3acfa8ea261ef58b3db627ae6c251a0c0
Opcode Fuzzy Hash: c55baebb3a20e5e0bf7fc85564de9845e2be49cb0bb7289eb5b02009b7ebdfc6
Instruction Fuzzy Hash: 0501DD756003186BE7209B94EE4DF97B3BCFB05701F40455BF546921C1DBF4A9848B94

Function 00415615 Relevance: 7.5, APIs: 5, Instructions: 45windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?), ref: 0041569D
DeleteObject.GDI32(?), ref: 004156AB
DeleteObject.GDI32(?), ref: 004156B9
DestroyIcon.USER32(?), ref: 004156C7
DestroyWindow.USER32(?), ref: 004156D5

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Destroy$DeleteObjectWindow$Icon
String ID:
API String ID: 4023252218-0
Opcode ID: 08f1500b53f001ca747ec8ec5ed526bea73eee801eedbcaaecaf3da18e68320a
Instruction ID: 027eacb252d7b5fea47b1c468f2d09149eff7a5f9e3c3906649d92e327a2506f
Opcode Fuzzy Hash: 08f1500b53f001ca747ec8ec5ed526bea73eee801eedbcaaecaf3da18e68320a
Instruction Fuzzy Hash: B9014C74301A01DBDB20DF65D9C4AD677A8BB85310B904126F908C7254DB39DC81CBA9

Function 00415562 Relevance: 7.5, APIs: 5, Instructions: 43windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001101,00000000,?), ref: 00415571
DeleteObject.GDI32(?), ref: 004156AB
DeleteObject.GDI32(?), ref: 004156B9
DestroyIcon.USER32(?), ref: 004156C7
DestroyWindow.USER32(?), ref: 004156D5

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: DeleteDestroyObject$IconMessageSendWindow
String ID:
API String ID: 1489400265-0
Opcode ID: 8f192e6c970953c023cda4195204098a3fa022603480877142cd23f0087bd2a3
Instruction ID: 815973205d6a65d5bfe51cfb8d64c11c70551507d40c6a849137b85e31fb5430
Opcode Fuzzy Hash: 8f192e6c970953c023cda4195204098a3fa022603480877142cd23f0087bd2a3
Instruction Fuzzy Hash: 9B012C74300601EBDB14DF65DDC8A9673A8EB85711B804565FE05C7295C778DC818AA8

Function 0041557C Relevance: 7.5, APIs: 5, Instructions: 42windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003EFF70: InvalidateRect.USER32(?,00000000,00000001), ref: 003EFFFE

DestroyWindow.USER32(?), ref: 0041569D
DeleteObject.GDI32(?), ref: 004156AB
DeleteObject.GDI32(?), ref: 004156B9
DestroyIcon.USER32(?), ref: 004156C7
DestroyWindow.USER32(?), ref: 004156D5

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Destroy$DeleteObjectWindow$IconInvalidateRect
String ID:
API String ID: 1042038666-0
Opcode ID: 0daeb20b1a79a073a377f85232b93d22541798600c026d875e70055fb5f34b09
Instruction ID: 77bba084a7d7d79b6344cbffe1120f1f805772f8610a27d7629e2858a425441e
Opcode Fuzzy Hash: 0daeb20b1a79a073a377f85232b93d22541798600c026d875e70055fb5f34b09
Instruction Fuzzy Hash: 14014B74301601DBDB10EF65D9C899B73BCAF853507804525F905C7295C778DC818AB9

Function 003EFC95 Relevance: 7.5, APIs: 5, Instructions: 36COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 003EFCAA
StrokeAndFillPath.GDI32(?), ref: 003EFCC2
StrokePath.GDI32(?), ref: 003EFCCB
SelectObject.GDI32(?,00000000), ref: 003EFCDC
DeleteObject.GDI32(00000000), ref: 003EFCF2

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: c38061cd3072386f8e0b612c5434428174bda566b4f438efd222318734cfe8eb
Instruction ID: b414f94f736dc90552cd1ae526adf74373a8b16b558b14b7c4a81515a17701e2
Opcode Fuzzy Hash: c38061cd3072386f8e0b612c5434428174bda566b4f438efd222318734cfe8eb
Instruction Fuzzy Hash: B5F0A4751065549FD3119B29EE0CB5E3BACAB02321F25433AF915922F0DBF45445CB6E

Function 003D7726 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 003D7732

Part of subcall function 003D798C: __getptd_noexit.LIBCMT ref: 003D798F
Part of subcall function 003D798C: __amsg_exit.LIBCMT ref: 003D799C

__getptd.LIBCMT ref: 003D7749
__amsg_exit.LIBCMT ref: 003D7757
__lock.LIBCMT ref: 003D7767
__updatetlocinfoEx_nolock.LIBCMT ref: 003D777B

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 312668c43af89e302f87ea69401315346976232d68bb165fbef0237735d669ae
Instruction ID: 020fa4352114a27375621ed8d91ddfb99ef63b1a916805f6f9dd8ec7b22d1e92
Opcode Fuzzy Hash: 312668c43af89e302f87ea69401315346976232d68bb165fbef0237735d669ae
Instruction Fuzzy Hash: 5BF09A339087109BD763BB78B803B6D72A0AF00721F21055BF450AF3C3EB789941AA99

Function 003D3C2E Relevance: 7.5, APIs: 5, Instructions: 24threadCOMMON

Download Yara Rule

APIs

Part of subcall function 003D1810: _doexit.LIBCMT ref: 003D181C

___set_flsgetvalue.LIBCMT ref: 003D3C40

Part of subcall function 003D77D1: TlsGetValue.KERNEL32(?,003D792A,?,003D12DC,?,00000001), ref: 003D77DA
Part of subcall function 003D77D1: TlsSetValue.KERNEL32(00000000,?,003D12DC,?,00000001), ref: 003D77FB

___fls_getvalue@4.LIBCMT ref: 003D3C4B

Part of subcall function 003D77B1: TlsGetValue.KERNEL32(?,?,003D3C50,00000000), ref: 003D77BF

___fls_setvalue@8.LIBCMT ref: 003D3C5E
GetLastError.KERNEL32(00000000,?,00000000), ref: 003D3C67
ExitThread.KERNEL32 ref: 003D3C6E
GetCurrentThreadId.KERNEL32 ref: 003D3C74
__freefls@4.LIBCMT ref: 003D3C94

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
String ID:
API String ID: 2403457894-0
Opcode ID: 021a2a24fef4e043e7403a0ea57af08056f86b263d46e4654406ca64d0fd50f5
Instruction ID: 12b1d2a58f55bed0c7ee14d1ab75c4ed3de338382a01aaaf700d70fa10eff0ba
Opcode Fuzzy Hash: 021a2a24fef4e043e7403a0ea57af08056f86b263d46e4654406ca64d0fd50f5
Instruction Fuzzy Hash: 64E0BF77804205679B133BF1AD1A8AF766C5D05750B110812BD10AB316FA68996186A6

Function 003D50CF Relevance: 7.5, APIs: 5, Instructions: 22threadCOMMON

Download Yara Rule

APIs

Part of subcall function 003D1810: _doexit.LIBCMT ref: 003D181C

___set_flsgetvalue.LIBCMT ref: 003D50E0

Part of subcall function 003D77D1: TlsGetValue.KERNEL32(?,003D792A,?,003D12DC,?,00000001), ref: 003D77DA
Part of subcall function 003D77D1: TlsSetValue.KERNEL32(00000000,?,003D12DC,?,00000001), ref: 003D77FB

___fls_getvalue@4.LIBCMT ref: 003D50EB

Part of subcall function 003D77B1: TlsGetValue.KERNEL32(?,?,003D3C50,00000000), ref: 003D77BF

___fls_setvalue@8.LIBCMT ref: 003D50FD
GetLastError.KERNEL32(00000000,?,00000000), ref: 003D5106
ExitThread.KERNEL32 ref: 003D510D
__freefls@4.LIBCMT ref: 003D5129

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
String ID:
API String ID: 4247068974-0
Opcode ID: 58b00a0a90f34ac0c26d15de40e767c6a3ec321792404ffdde79bb775791e9b8
Instruction ID: 561ead2fcbbdefaa7d38d04bf7941d5690977ab4cf7680d1a5d27c70c544e4a2
Opcode Fuzzy Hash: 58b00a0a90f34ac0c26d15de40e767c6a3ec321792404ffdde79bb775791e9b8
Instruction Fuzzy Hash: 77E0EC3B804705ABDF133BF1BD1FE6E3A6D5E04740B510C22BD109A326FE6889619665

Function 0040F37B Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 302COMMON

Download Yara Rule

Strings

), xrefs: 0040F37F
U, xrefs: 0040FAFE
\, xrefs: 0040CFD7

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID:
String ID: )$U$\
API String ID: 0-3705770531
Opcode ID: 50144b89c54859c95b24de598fc930478a540556fc1afb34b9c92c589f2d229b
Instruction ID: 6f97fc6c1861b852fb08883d8b89bdd5f51332d1abe7a642ca1dcf4e1c33ca38
Opcode Fuzzy Hash: 50144b89c54859c95b24de598fc930478a540556fc1afb34b9c92c589f2d229b
Instruction Fuzzy Hash: 61C1C170A04209CFDB24CF69C9806AEBBF1FF89304F2481BAC856A7785D7399946CF55

Function 00429857 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 241COMMON

Download Yara Rule

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 004298D1

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: _memmovestd::exception::exception$Exception@8Throw_malloc_wcslen
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 708495834-557222456
Opcode ID: db3a861d659a091862c8d0b9d4cfc93df197c3dcf968a00572b412aa8c1f9d86
Instruction ID: 09672c6a3a2cebfdcf758ca7f52fd09b55c23d5564326bbd537281f9479ba8a1
Opcode Fuzzy Hash: db3a861d659a091862c8d0b9d4cfc93df197c3dcf968a00572b412aa8c1f9d86
Instruction Fuzzy Hash: 4B915D722083109FC310EF65D882D6BB7E8BF85310F44891EF5959B252DB74EE45CB96

Function 003E9B01 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 201COMMON

Download Yara Rule

APIs

Part of subcall function 003D14F7: _malloc.LIBCMT ref: 003D1511

_memmove.LIBCMT ref: 003C9FE6
VariantInit.OLEAUT32(00000000), ref: 003E9B15
VariantCopy.OLEAUT32(?,?), ref: 003E9B23
VariantClear.OLEAUT32(00000000), ref: 003E9B34

Strings

DZD, xrefs: 003C9DC8

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Variant$ClearCopyInit_malloc_memmove
String ID: DZD
API String ID: 441919481-3107441753
Opcode ID: f998fc5c96def7948132ce3223030469dfbc37c9fe4799caf291b2ee853f8f8e
Instruction ID: 67f39857bd3dc5c7fa038fd51f4cdb49fcd7ec0dfd51829ecc9356cc5436367e
Opcode Fuzzy Hash: f998fc5c96def7948132ce3223030469dfbc37c9fe4799caf291b2ee853f8f8e
Instruction Fuzzy Hash: 219127B46083A19FC721CF25C480B1AB7E1BF89300F658A6EE595CB390E371EC45CB92

Function 00426362 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 181shareCOMMON

Download Yara Rule

APIs

Part of subcall function 003CF260: _wcslen.LIBCMT ref: 003CF262
Part of subcall function 003CF260: _wcscpy.LIBCMT ref: 003CF282

__wcsnicmp.LIBCMT ref: 004263D5
WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 0042647B

Strings

LPT, xrefs: 004263CF
dND, xrefs: 0042652B

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Connection__wcsnicmp_wcscpy_wcslen
String ID: LPT$dND
API String ID: 3035604524-2686393624
Opcode ID: 62a5daced3f51f7f95fbcadea4fa3ae46951c1f993190d2e6a9fefa7223982e2
Instruction ID: 759ffcc1b7300590143dc0234916507548c31d9339ca53a891b6280a2207ad85
Opcode Fuzzy Hash: 62a5daced3f51f7f95fbcadea4fa3ae46951c1f993190d2e6a9fefa7223982e2
Instruction Fuzzy Hash: BE51D1B5A00214AFDB10EFA4D881FAFB3B5EB88700F51855AF5059B341D778EE81CB99

Function 003F6528 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 162windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003F4300: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 003F4331

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 003F6579

Part of subcall function 003F42C4: ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 003F42F5

Part of subcall function 003F4394: GetWindowThreadProcessId.USER32(?,?), ref: 003F43C7
Part of subcall function 003F4394: OpenProcess.KERNEL32(00000438,00000000,?), ref: 003F43D8
Part of subcall function 003F4394: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004), ref: 003F43EF

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003F65E9
SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 003F6669

Strings

@, xrefs: 003F6682

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: a2da86936ab0789bcad78698dcd89becc505c6326814be83e09f25926084d3c5
Instruction ID: b66e664d0396bb47a94260f752cfe55f6dd2503a3e9e0d6aec2bb843d3748ae7
Opcode Fuzzy Hash: a2da86936ab0789bcad78698dcd89becc505c6326814be83e09f25926084d3c5
Instruction Fuzzy Hash: 5A517576A0021C6BCB14DBA8DD82FEEB778EF89300F004595F745EF141D6B5AA45CBA1

Function 0040ED22 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 162COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0040CF87

Strings

h, xrefs: 0040F704
^, xrefs: 0040ED2A
\, xrefs: 0040CFD7

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: _memmove
String ID: \$^$h
API String ID: 4104443479-3224561352
Opcode ID: 6937cd99c5ad476af00512a8da27156cf59f520fc84e579f4bf3945f0995227e
Instruction ID: 69a0315674cf64fbd201faea1d960ab2467377fd24e8d3a63dbe22360c305d49
Opcode Fuzzy Hash: 6937cd99c5ad476af00512a8da27156cf59f520fc84e579f4bf3945f0995227e
Instruction Fuzzy Hash: FA515F70E0020ADFCF28CF69C9909AEB7B6BF89304F28827AE415AB794D7345D45CB55

Function 0040F0AD Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0040CF87

Strings

h, xrefs: 0040F704
], xrefs: 0040F0AE
\, xrefs: 0040CFD7

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: _memmove
String ID: \$]$h
API String ID: 4104443479-3262404753
Opcode ID: 03f9ade20a024513ca8df49aec30e87a138459ba33d8d51d79fe54e6241c4870
Instruction ID: d699cfb4f922109d48927e9ad026e51a08a14ec7fea7399a35abbb88470cde4a
Opcode Fuzzy Hash: 03f9ade20a024513ca8df49aec30e87a138459ba33d8d51d79fe54e6241c4870
Instruction Fuzzy Hash: 37515E70E0020ADFCF28CF69C9909AEB7B6BF89304F28827AE415AB794D7345945CB55

Function 0040A79A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0040A7BE
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040A80D
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0040A845

Part of subcall function 00402252: GetLastError.KERNEL32 ref: 00402268

Strings

, xrefs: 0040A83E

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
String ID:
API String ID: 3705125965-3916222277
Opcode ID: ffe5d79c91684502eb4b27d48e649c68ed4aea4f085ac16a06f8cd22d08ccd2c
Instruction ID: f296487671e3830da230b4a080edbbb86536bffad37c053dcc2c844839d62023
Opcode Fuzzy Hash: ffe5d79c91684502eb4b27d48e649c68ed4aea4f085ac16a06f8cd22d08ccd2c
Instruction Fuzzy Hash: 34310C3AA412047AD720EF55DC45FDFB7B8DB95710F00812FFA14A72C0D7B5650987A9

Function 0041072D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004107D5
GetWindowLongW.USER32(?,000000F0), ref: 004107F3
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00410804

Strings

SysTreeView32, xrefs: 004107A4

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 15b93b4d2d724ce5c4732bfe16813c14d2275914db7c1f2fc3af0faa8948363a
Instruction ID: 480a78fee34709792f29a449334cac3bf1e925b48177e8faba306d8bf1d17f04
Opcode Fuzzy Hash: 15b93b4d2d724ce5c4732bfe16813c14d2275914db7c1f2fc3af0faa8948363a
Instruction Fuzzy Hash: BB417E71104205ABDB14DF28DC84FEB73A8EB49724F20471AF965972D0D7B8E8D1CB68

Function 0042592E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00425945
_wcslen.LIBCMT ref: 00425972
InternetCrackUrlW.WININET(?,00000000,?), ref: 0042597C

Strings

|, xrefs: 00425959

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: CrackInternet_memset_wcslen
String ID: |
API String ID: 915713708-2343686810
Opcode ID: b60477f57cd7baf15c0a888203871eb1c182f6e38c0ea121352895300617cebe
Instruction ID: 6e50b16c749ede4dc9861275ecddc594cd3554ac0968813f21ec49c62578a80e
Opcode Fuzzy Hash: b60477f57cd7baf15c0a888203871eb1c182f6e38c0ea121352895300617cebe
Instruction Fuzzy Hash: FB415076A10219ABDB01EFA8D881FEEB7B4FF58310F40411AE600EB241DB716956CBE1

Function 003F4B10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 108libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 003F4B1E
GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 003F4B96
FreeLibrary.KERNEL32(?), ref: 003F4BAD

Strings

AU3_GetPluginDetails, xrefs: 003F4B90

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: AU3_GetPluginDetails
API String ID: 145871493-4132174516
Opcode ID: 379e35be16cac91f405bd9c55d48f1af0aafe7d1575785341708cf6807797923
Instruction ID: f6839489be24e724ba01f58f86f21811a3577838ee8b918d141d34ab4e17000c
Opcode Fuzzy Hash: 379e35be16cac91f405bd9c55d48f1af0aafe7d1575785341708cf6807797923
Instruction Fuzzy Hash: 134149B9600205EFC710DF58D9C0E6AF7B5FF89300B5082A9EA5A8B311D731ED52CB91

Function 00410CE1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 102windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00410D73
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00410D8C
SendMessageW.USER32(?,00001002,00000000,?), ref: 00410DB4

Strings

SysMonthCal32, xrefs: 00410D3C

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: a944a191e2b4e9e7ff27b512ae20d71b1df465c0cd25c666bb45f9abafaab5c1
Instruction ID: 0c342ee6386e843d8446c530ce5604a27e90852fc422ca19cde8618af4472671
Opcode Fuzzy Hash: a944a191e2b4e9e7ff27b512ae20d71b1df465c0cd25c666bb45f9abafaab5c1
Instruction Fuzzy Hash: 48318775610208ABDB10DFA9DC81FEB73ADEB98724F104319FA14A72D0D6B4FC918B64

Function 0041094E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 004109A5

Strings

msctls_updown32, xrefs: 00410988

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: DestroyWindow
String ID: msctls_updown32
API String ID: 3375834691-2298589950
Opcode ID: 4fcca831d1572c60dfdc87a0690d12d39a937e2f78b35b968007c420d832063f
Instruction ID: fbcbf205fc063131f78fd97277e7373e07cda4df7b5ce18ab1a3bf83e4708563
Opcode Fuzzy Hash: 4fcca831d1572c60dfdc87a0690d12d39a937e2f78b35b968007c420d832063f
Instruction Fuzzy Hash: 22316476750205ABEB10DF54DC81FE73368EF95724F104116F6049B382CBB5A896CBA9

Function 0040DB89 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 95COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0040DA4F
_memmove.LIBCMT ref: 0040DA5E

Strings

<, xrefs: 0040DB89
, xrefs: 0040DB90

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: _memmove
String ID: $<
API String ID: 4104443479-428540627
Opcode ID: 25633cddd675a079ae9bcf3cf817b991244a8ab406dcbaae0e1ed4b17f95830f
Instruction ID: 571bc1e2063c8d72f51af3080678e1c43552b5e0613020cfdc44c881b2223785
Opcode Fuzzy Hash: 25633cddd675a079ae9bcf3cf817b991244a8ab406dcbaae0e1ed4b17f95830f
Instruction Fuzzy Hash: BE311070D002498EDF25CFA9C9847EEBBB2AF51310F1841AAD845BB3C2C7789E48CB51

Function 003CF490 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 003CFE20: _wcslen.LIBCMT ref: 003CFE35
Part of subcall function 003CFE20: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,004143ED,?,00000000,?,?), ref: 003CFE4E
Part of subcall function 003CFE20: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 003CFE77

_strcat.LIBCMT ref: 003CF4B6

Part of subcall function 003CF700: _memset.LIBCMT ref: 003CF708

Part of subcall function 003CF540: _strlen.LIBCMT ref: 003CF548
Part of subcall function 003CF540: _memset.LIBCMT ref: 003CF663
Part of subcall function 003CF540: _memset.LIBCMT ref: 003CF66D
Part of subcall function 003CF540: _memset.LIBCMT ref: 003CF67A
Part of subcall function 003CF540: _sprintf.LIBCMT ref: 003CF69E

Strings

dND, xrefs: 003CF4A1
?T, xrefs: 003CF522

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: _memset$ByteCharMultiWide$_sprintf_strcat_strlen_wcslen
String ID: dND$?T
API String ID: 2423838495-3777224387
Opcode ID: 6982d78f5cee3ffef1ebd8ffbeced17c7ecef6e9a572c8af4ac408d35e325120
Instruction ID: 16cbce1f63b197726847de3492aa1ebdd9092eb6d622ef7124481b917b94d437
Opcode Fuzzy Hash: 6982d78f5cee3ffef1ebd8ffbeced17c7ecef6e9a572c8af4ac408d35e325120
Instruction Fuzzy Hash: 072137B26042506BC315EF34AC82E6EF299AB45300F108A3EF555C62C2EB34E9548792

Function 00410EA6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00410F34
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00410F46
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00410F6D

Strings

Listbox, xrefs: 00410F07

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: db78c68b4b8a74aeca088e07f5f16bc96d10e360fa85e1a0b7d581acac4f89be
Instruction ID: 09e6e488317ca8a8e2a381657fc0665b5e27b269ed456e7cfd4f19e99c1e5021
Opcode Fuzzy Hash: db78c68b4b8a74aeca088e07f5f16bc96d10e360fa85e1a0b7d581acac4f89be
Instruction Fuzzy Hash: A0214175210208ABEB20CF69DC85FDB3369EB99724F10471AF924972D0C6B5ECC18B64

Function 0041D35A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0041D36B
GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0041D3E1
SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0041D424

Strings

dND, xrefs: 0041D3FB

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: dND
API String ID: 2507767853-2949930476
Opcode ID: 720ebbc7ca002773f15fb8edad32f3705cd26497d18a08c70e1e91108f174b09
Instruction ID: d2e9ddb7a65f1c807fa182684b6c778e586906e494b38e6030b8482a8f98c356
Opcode Fuzzy Hash: 720ebbc7ca002773f15fb8edad32f3705cd26497d18a08c70e1e91108f174b09
Instruction Fuzzy Hash: 44215CB5A002099FCB14EFA4C885EEEB7B4FF49300F50806AE505AB351D774EE45CB95

Function 0041D52B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0041D549
GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0041D5BF
SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0041D5F5

Strings

dND, xrefs: 0041D53A

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: dND
API String ID: 2507767853-2949930476
Opcode ID: dfdbda2a95358d1c703d33b9f1cf85c190ef18d37f550492964c4ceb7535aed5
Instruction ID: 6df050267e825075a4624cd91d93c615e9f198f07a006fe35ba301c8716a581c
Opcode Fuzzy Hash: dfdbda2a95358d1c703d33b9f1cf85c190ef18d37f550492964c4ceb7535aed5
Instruction Fuzzy Hash: 87212B76A00209AFCB14EFA5C885EEEB7B4FF48300F50856AF5059B261D774EE45CB54

Function 00410A42 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00410AB1
SendMessageW.USER32(00000000,00000406,00000000,00640000), ref: 00410AC7
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00410AD5

Strings

msctls_trackbar32, xrefs: 00410A86

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 0a5dcd85abf49a355b15d21439ee1caed578a77486c9744cff2443d142473632
Instruction ID: ae8ffc888a59854af629caf7ab295291bb3dc0e9a9612a89e51f638fc89fc1d5
Opcode Fuzzy Hash: 0a5dcd85abf49a355b15d21439ee1caed578a77486c9744cff2443d142473632
Instruction Fuzzy Hash: E3114271750319AAEB108E68DC81FDB7398AF58764F204216FB14A72C0D2F4EC918BA8

Function 003F5223 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 003D14F7: _malloc.LIBCMT ref: 003D1511

CLSIDFromString.OLE32(?,00000000), ref: 003F5244
SafeArrayAccessData.OLEAUT32(?,?), ref: 003F5293
SafeArrayUnaccessData.OLEAUT32(?), ref: 003F52C2

Strings

crts, xrefs: 003F52A0

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: ArrayDataSafe$AccessFromStringUnaccess_malloc
String ID: crts
API String ID: 943502515-3724388283
Opcode ID: a64a9b67d165cfaa3fc15bd7d4738fe1755c81dfcdd21811253b16fb00d4b0f1
Instruction ID: 62973d9372ac5a4305a3c30356d139bbfae868f9433a0f8d35b7982e6c959055
Opcode Fuzzy Hash: a64a9b67d165cfaa3fc15bd7d4738fe1755c81dfcdd21811253b16fb00d4b0f1
Instruction Fuzzy Hash: E4214D76600604AFC314CF8AE484CA6FBE8EF99761705C43AFA49CB721D330E851CB90

Function 004210CF Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003C2390: _wcslen.LIBCMT ref: 003C239D
Part of subcall function 003C2390: _memmove.LIBCMT ref: 003C23C3

SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 004210F8
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00421133

Strings

dND, xrefs: 00421147
dND, xrefs: 004210D7

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: MessageSend$_memmove_wcslen
String ID: dND$dND
API String ID: 1589278365-91332234
Opcode ID: 7294a159d35a081405c272c71ae40ab2531531f5fc5eab1c943295bd48ebdfed
Instruction ID: b9d0fc7320c65e02f53a74313cf17e4d5ef69fbb79c9d929f49cfd10de8fde17
Opcode Fuzzy Hash: 7294a159d35a081405c272c71ae40ab2531531f5fc5eab1c943295bd48ebdfed
Instruction Fuzzy Hash: 5511E9766402147BE715BB68BC43FAB7398AFA9350F104036F9098F341DA7AED0543A9

Function 0042E0F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64comCOMMON

Download Yara Rule

APIs

Part of subcall function 00402654: _wcslen.LIBCMT ref: 00402680

CoInitialize.OLE32(00000000), ref: 0042E16E
CoCreateInstance.OLE32(00442A08,00000000,00000001,004428A8,?), ref: 0042E187
CoUninitialize.OLE32 ref: 0042E1A6

Strings

.lnk, xrefs: 0042E141, 0042E15E

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 29190bbe17e1e2d82618ec8df7ffd81d7335c2fff1415341b5d6b058c4cabcf8
Instruction ID: 81000635bdadfaace7e4469c78c2ee2399eb2effe03b557990a249997ecc808c
Opcode Fuzzy Hash: 29190bbe17e1e2d82618ec8df7ffd81d7335c2fff1415341b5d6b058c4cabcf8
Instruction Fuzzy Hash: BF218E312482009FC700EF55D985F4ABBF4EF89725F14862EF9599B2E1C7B09844CB56

Function 00409642 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003D14F7: _malloc.LIBCMT ref: 003D1511

GetMenuItemInfoW.USER32 ref: 00409680
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 004096AA
DrawMenuBar.USER32 ref: 004096BA

Strings

0, xrefs: 00409662

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw_malloc
String ID: 0
API String ID: 772068139-4108050209
Opcode ID: 6825f85793ccab66afdddcc2c876989e341bd4fcbfd0be7024122ab65ebb7405
Instruction ID: 4f2e657c9448a514d2599a512fb8f185e1f2df0c06b5d254cf0c46eb2067b254
Opcode Fuzzy Hash: 6825f85793ccab66afdddcc2c876989e341bd4fcbfd0be7024122ab65ebb7405
Instruction Fuzzy Hash: 6111C6B6A00208AFDB10DF55EC46FABB774EF85314F00416AF9089B341DB759944CFA2

Function 004329E5 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 004329F1
_wcslen.LIBCMT ref: 00432A01
_wcslen.LIBCMT ref: 00432A47

Strings

3, 3, 8, 1, xrefs: 004329EB

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: _wcslen$_wcscpy
String ID: 3, 3, 8, 1
API String ID: 3469035223-357260408
Opcode ID: acb2617f3c9165f93a516b68c27da296cfa7430a93837f583aab8868972c76ca
Instruction ID: 15937ed02b994bb123ca205f55807b229d89d8555541db3404719756931b0064
Opcode Fuzzy Hash: acb2617f3c9165f93a516b68c27da296cfa7430a93837f583aab8868972c76ca
Instruction Fuzzy Hash: B7F0446382065463C7307A91BEA167F3264AF48741F5474ABD806D7280F7688B81CF8A

Function 003F11F9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ICMP.DLL), ref: 003F120B
GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 003F121D

Strings

ICMP.DLL, xrefs: 003F1206
IcmpSendEcho, xrefs: 003F1217

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: ICMP.DLL$IcmpSendEcho
API String ID: 2574300362-58917771
Opcode ID: 88d2c2422ab20f934f5fb60b9a034ea6a696fe4e960c3b988e6602a1e48e841f
Instruction ID: 6eec47bc9045ef1b6a25537cf186f1965378bbbe69947bab0f05c823212e06f8
Opcode Fuzzy Hash: 88d2c2422ab20f934f5fb60b9a034ea6a696fe4e960c3b988e6602a1e48e841f
Instruction Fuzzy Hash: A4E0C27680034EEBE7204FA6E804626B7E8EB04351B10442AFD40E2500C7B4E48086A8

Function 003F122B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ICMP.DLL), ref: 003F123D
GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 003F124F

Strings

ICMP.DLL, xrefs: 003F1238
IcmpCloseHandle, xrefs: 003F1249

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: ICMP.DLL$IcmpCloseHandle
API String ID: 2574300362-3530519716
Opcode ID: 8f5bee4fad501d3fea7499c64bbffa16aa6aa50110dc6d457f7074bb0c7fd61f
Instruction ID: 061a0702fc1c775d718aecc23bea6cef6d64a7b6190a8bf0c3874b6af99e8f59
Opcode Fuzzy Hash: 8f5bee4fad501d3fea7499c64bbffa16aa6aa50110dc6d457f7074bb0c7fd61f
Instruction Fuzzy Hash: 7EE0127554030AEBD7205FA7E84866677E8DF11752B50442AFE45E2550D7B4E48087A8

Function 003F125D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ICMP.DLL), ref: 003F126F
GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 003F1281

Strings

IcmpCreateFile, xrefs: 003F127B
ICMP.DLL, xrefs: 003F126A

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: ICMP.DLL$IcmpCreateFile
API String ID: 2574300362-275556492
Opcode ID: 719c0a40c4782962cff8a8c9085332b2443dfce76b0fb855d0b159d87ae16a41
Instruction ID: e2a1cd31260feb6c6285a760e248c9f3fd5a4cc459a242af603b72da95103368
Opcode Fuzzy Hash: 719c0a40c4782962cff8a8c9085332b2443dfce76b0fb855d0b159d87ae16a41
Instruction Fuzzy Hash: 13E0C27440030AEFD7204FA6E90462277E8EB14322B50442AFD41E2500CBB4E4808AA8

Function 003F0BEC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll), ref: 003F0BFE
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 003F0C10

Strings

advapi32.dll, xrefs: 003F0BF9
RegDeleteKeyExW, xrefs: 003F0C0A

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: f4eedbdbc1de28a2d0c307d844d2b613bc6bc2e196fcc46a13db0c7a83b14c7b
Instruction ID: 0ff8bebc3be60d34304e04cf5fa9332653edd50dd385722b71c13c39603a78fe
Opcode Fuzzy Hash: f4eedbdbc1de28a2d0c307d844d2b613bc6bc2e196fcc46a13db0c7a83b14c7b
Instruction Fuzzy Hash: FDE0C2B540031AEFD7105F65D9046267BF8DB00315B10402AFD40A2101D7B4F480CAA8

Function 003F0D34 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 003F0D46
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 003F0D58

Strings

kernel32.dll, xrefs: 003F0D41
GetSystemWow64DirectoryW, xrefs: 003F0D52

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 8108699ed2a4a1cf1c535910886885ddaa7dbf68cccd412dfce3dedc1bfe027c
Instruction ID: 8fb710180f095e2ec89ca603d1693fadd3863a19054d86663d7f0dea15389973
Opcode Fuzzy Hash: 8108699ed2a4a1cf1c535910886885ddaa7dbf68cccd412dfce3dedc1bfe027c
Instruction Fuzzy Hash: 92E0C27540070A9BDB205FE5E84462677ECAB01711F14802AF940E2500C7F4E4808AA8

Function 003F0DC0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 003F0DD2
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 003F0DE4

Strings

kernel32.dll, xrefs: 003F0DCD
GetModuleHandleExW, xrefs: 003F0DDE

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 5575851c38ea038ff0e3b978932b0df29de8817a37a0ff4a783fe1003cbe9f1a
Instruction ID: 24b7f4b5215b57c0148d61249145f7b0e2379947ae2b161880edb89f3bcf8106
Opcode Fuzzy Hash: 5575851c38ea038ff0e3b978932b0df29de8817a37a0ff4a783fe1003cbe9f1a
Instruction Fuzzy Hash: 29E0C27144070A9BD7104FA5D804B2677E8EB01311B10802AFA40E3500CBB8E4808BA8

Function 003D0870 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,003CE7C8), ref: 003D087B
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 003D088D

Strings

IsWow64Process, xrefs: 003D0887
kernel32.dll, xrefs: 003D0876

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: IsWow64Process$kernel32.dll
API String ID: 2574300362-3024904723
Opcode ID: fbd784a6b34d5b1d1a3d2e2f0c4186360e7b26d78e70abea4a2dfd3af7ebe5ec
Instruction ID: 60cc40299b30274d6e84f7073bbca4fdb08b3561314dc09f60c993b819d839d2
Opcode Fuzzy Hash: fbd784a6b34d5b1d1a3d2e2f0c4186360e7b26d78e70abea4a2dfd3af7ebe5ec
Instruction Fuzzy Hash: 13D0C9F5900B029BEB255F31E90871276E4AB01B53F20447EF886A1251DBF8C0809A68

Function 003D08E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,003CE820), ref: 003D08EB
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 003D08FD

Strings

GetNativeSystemInfo, xrefs: 003D08F7
kernel32.dll, xrefs: 003D08E6

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 63728112b80e4b7a9232376ce5c0d7d04ca58f28c1f8ae2b6af13b18e57fb2e5
Instruction ID: 3582261a19315d616c462ad71520e2d6196ca562b691a6c69485fcd5833f5b24
Opcode Fuzzy Hash: 63728112b80e4b7a9232376ce5c0d7d04ca58f28c1f8ae2b6af13b18e57fb2e5
Instruction Fuzzy Hash: 2CD0C7B5900B069BEB255F31D91971276E46B01782F10442EB842D1265D7F8C0908A64

Function 00411CA1 Relevance: 6.4, APIs: 4, Instructions: 405COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad69d4f835da66b0240d1a2887717dcec1887452cda675f8e9d09b4d38d5a428
Instruction ID: e0cc0243d77bab10d19175d57757a73926dbd210d8e5d8856a09020d95af2fea
Opcode Fuzzy Hash: ad69d4f835da66b0240d1a2887717dcec1887452cda675f8e9d09b4d38d5a428
Instruction Fuzzy Hash: 6BE13E75600209AFCB14DF98D880EEAB7B9FF88714F108599EA09DB351D775EE81CB90

Function 0043812C Relevance: 6.2, APIs: 4, Instructions: 176COMMON

Download Yara Rule

APIs

Part of subcall function 003C1D10: _wcslen.LIBCMT ref: 003C1D11
Part of subcall function 003C1D10: _memmove.LIBCMT ref: 003C1D57

SetErrorMode.KERNEL32 ref: 00438188
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00438341

Part of subcall function 003F397D: GetFileAttributesW.KERNEL32(?), ref: 003F3984

SetErrorMode.KERNEL32(?), ref: 0043822A
SetErrorMode.KERNEL32(?), ref: 004382FA

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: ErrorMode$AttributesFile_memmove_wcslen
String ID:
API String ID: 3884216118-0
Opcode ID: d802f4d3841f295e627105bd57aea2ce311ff774a445cf3a06978c83506d6cee
Instruction ID: eefce159a412432c01b0762feb6d209ae94a526c3a7aa818b93c23bb94981090
Opcode Fuzzy Hash: d802f4d3841f295e627105bd57aea2ce311ff774a445cf3a06978c83506d6cee
Instruction Fuzzy Hash: E06177726083419FC310EF25C881A5BB7E0BF89714F04892EF9999B342CA76ED45CB92

Function 004394BA Relevance: 6.2, APIs: 4, Instructions: 162memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004394C9
SysAllocString.OLEAUT32(00000000), ref: 00439592
VariantCopy.OLEAUT32(?,?), ref: 004395C9
VariantClear.OLEAUT32(?), ref: 0043960A

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 44c904f0df312b5f55edc35fe50d3cdedd0b84832a6f73a44016bbf2eae9e3d7
Instruction ID: e87497c8b904c2c0e448a3ee328ad55b4c9e97ee613445846b1f82e4d1a602a0
Opcode Fuzzy Hash: 44c904f0df312b5f55edc35fe50d3cdedd0b84832a6f73a44016bbf2eae9e3d7
Instruction Fuzzy Hash: 2C51D6352002099ACB00FF29D846AAEB768EF88351F51853BFD05DB242DB759E15C7EA

Function 00409934 Relevance: 6.1, APIs: 4, Instructions: 145COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 004099A3
ScreenToClient.USER32(?,?), ref: 004099D9
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00409A45

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 496a7e4889bf488dc412d853343d73c477ac4d862e4170cd270c82beea3688ae
Instruction ID: b4b21ee06f13b49bc66c3dc87ff0c52c75329f7366ffba2b5056110dff04323e
Opcode Fuzzy Hash: 496a7e4889bf488dc412d853343d73c477ac4d862e4170cd270c82beea3688ae
Instruction Fuzzy Hash: 5F516C7060024A9FCB24CF68C881AAF77B5FF95310F10822EF955A7392DB74AD90CB94

Function 003D407F Relevance: 6.1, APIs: 4, Instructions: 130COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003D411A
__flush.LIBCMT ref: 003D4138
__write.LIBCMT ref: 003D415F
__flsbuf.LIBCMT ref: 003D418A

Part of subcall function 003D7E9A: __getptd_noexit.LIBCMT ref: 003D7E9A

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 5577a25a8bf7660d1eb98eb86be2243cf7e8e14d6244587b41df67c47af93e11
Instruction ID: 71db641c6f23026e118b63f5ee668d5039d923db3521818edfe16e342aaeb018
Opcode Fuzzy Hash: 5577a25a8bf7660d1eb98eb86be2243cf7e8e14d6244587b41df67c47af93e11
Instruction Fuzzy Hash: 8B41C333A007049BDB278FA9A88569EBBB5AF90360F29852BE51597780D770DE81CB40

Function 004015F9 Relevance: 6.1, APIs: 4, Instructions: 116windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(00000000,?), ref: 00401621
GetWindowRect.USER32(?,?), ref: 004016A9
PtInRect.USER32(?,?,?), ref: 004016BB
MessageBeep.USER32(00000000), ref: 00401734

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: efd06b19ba878a255d5483bf9b55c289fb9ed3e9829885a833187292e3f10652
Instruction ID: 8e8eaf98b14f38ee8533626b08e5d6d396548698d71893de762f62851f771373
Opcode Fuzzy Hash: efd06b19ba878a255d5483bf9b55c289fb9ed3e9829885a833187292e3f10652
Instruction Fuzzy Hash: 2641D4787002059FCB14CF58D884EAAB7F5FF95310F1882BEE9149B3A0C775A841CB58

Function 0041D19C Relevance: 6.1, APIs: 4, Instructions: 103fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0041D235
GetLastError.KERNEL32(?,00000000), ref: 0041D259
DeleteFileW.KERNEL32(00000000,?,?,00000000), ref: 0041D279
CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 0041D297

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 33b3491c2e68014bc43fa1441e75d8e31d987b1cc88085e64f9d8fd43e7cebf4
Instruction ID: 6db3f5de93cb290bc8dd666b6a494437ec30e426be8c9e23d4e2768d75a9bd42
Opcode Fuzzy Hash: 33b3491c2e68014bc43fa1441e75d8e31d987b1cc88085e64f9d8fd43e7cebf4
Instruction Fuzzy Hash: AE3192B5D00205AFCB10EF66C989A9AB7A8FF45314F14858EFC5897301CB79ED81C794

Function 003E075F Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 003E0793
__isleadbyte_l.LIBCMT ref: 003E07C6
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000,?,?,?,00000000,?,00000000), ref: 003E07F7
MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,00000000,00000000,?,?,?,00000000,?,00000000), ref: 003E0865

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 03ad3df904e225260317f5f85f9a26cec266be8ea4ac49c663a9818f1e37ece8
Instruction ID: 9109fd6bf2cc619c146e06d51a0d380426f7e6bf3c5c37f8b74e0f626113bfb2
Opcode Fuzzy Hash: 03ad3df904e225260317f5f85f9a26cec266be8ea4ac49c663a9818f1e37ece8
Instruction Fuzzy Hash: 9831D331A002A5EFDB2ADF65C881ABA3BB5FF01310B194669E4659B1D1D770ED80DB90

Function 00410311 Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0041033E
DefDlgProcW.USER32(?,00000138,?,?), ref: 0041038D
DefDlgProcW.USER32(?,00000133,?,?), ref: 004103DC
DefDlgProcW.USER32(?,00000134,?,?), ref: 0041040D

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Proc$Parent
String ID:
API String ID: 2351499541-0
Opcode ID: 941ce1ab991ee23e7099210b28b16384922307e9ecf55ea146fc0336963f7763
Instruction ID: d85179a39b9b4668dbf51431686a4bf51e291b1250da6b4e29a00da38f9c438f
Opcode Fuzzy Hash: 941ce1ab991ee23e7099210b28b16384922307e9ecf55ea146fc0336963f7763
Instruction Fuzzy Hash: 2C3154362001086BD620DF29DC85DEB7768EF85335B14431BF9658B3D2CBF59892C769

Function 004029A4 Relevance: 6.1, APIs: 4, Instructions: 87windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004029EA
TranslateMessage.USER32(?), ref: 00402A22
DispatchMessageW.USER32(?), ref: 00402A2C
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00402A42

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: 6522cdad73dd7a09d291c0ebae28f5a7ab9dbf91e8670763e1710796fe733791
Instruction ID: cfe0f132e1bc3a2e79e2e2b39781adbbc65937000332f63cb16d550460f8c2fd
Opcode Fuzzy Hash: 6522cdad73dd7a09d291c0ebae28f5a7ab9dbf91e8670763e1710796fe733791
Instruction Fuzzy Hash: 6D214C72A443465AE730DB64AD45FF777AC9B11310F00413FFE10921C1EAB89845CB6A

Function 00434345 Relevance: 6.1, APIs: 4, Instructions: 83COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00434356

Part of subcall function 004038C5: GetWindowThreadProcessId.USER32(?,00000000), ref: 004038E8
Part of subcall function 004038C5: GetCurrentThreadId.KERNEL32 ref: 004038EF
Part of subcall function 004038C5: AttachThreadInput.USER32(00000000), ref: 004038F6

GetCaretPos.USER32(?), ref: 0043436C
ClientToScreen.USER32(00000000,?), ref: 004343A2
GetForegroundWindow.USER32 ref: 004343A8

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 44912006638093141fbc3feee76bc93ea571cc9afbc979b9af67ba86af3c64c0
Instruction ID: a202f3fd05b2b30adaa2f97ec8649e373154e55e4cb8a72094e48efcaf44b67c
Opcode Fuzzy Hash: 44912006638093141fbc3feee76bc93ea571cc9afbc979b9af67ba86af3c64c0
Instruction Fuzzy Hash: 3B21B772A00304AFD710EFA5CC86F9EB7B8AF44710F158469F515AB282D6B6AD408B90

Function 003CE2C0 Relevance: 6.1, APIs: 4, Instructions: 82windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003CE2E2
Shell_NotifyIconW.SHELL32(00000000,?), ref: 003CE3A7

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: IconNotifyShell__memset
String ID:
API String ID: 928536360-0
Opcode ID: 142a22ceabe93d1310ac3e6dff6cc7333be725b8f227e162f00bfcd43b3fcdce
Instruction ID: a5cb05a2ab4b6b55c51cb33ed3d44dfebdb911cab66be7f06807e046ae5cd878
Opcode Fuzzy Hash: 142a22ceabe93d1310ac3e6dff6cc7333be725b8f227e162f00bfcd43b3fcdce
Instruction Fuzzy Hash: 85318C746087819FE321CF25D855BA7BBE8AB45304F00092DE5DA87281E7B0B948CB56

Function 004279D8 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 004279FE
_fprintf.LIBCMT ref: 00427A54
OutputDebugStringW.KERNEL32(00000000,?,00000000,?,?), ref: 00427A6C
__setmode.LIBCMT ref: 00427A9D

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: __setmode$DebugOutputString_fprintf
String ID:
API String ID: 1792727568-0
Opcode ID: 9771f24bc64983e05f0af2eca1fb5dd52b4034c5a3142f6f28db6ae92fe9532f
Instruction ID: 1d73ce9fded30ea638c788d07234ac6fcc4a9ad986f195ffff8d145ac3fdb955
Opcode Fuzzy Hash: 9771f24bc64983e05f0af2eca1fb5dd52b4034c5a3142f6f28db6ae92fe9532f
Instruction Fuzzy Hash: 621123B3D0421477CB01BBB96C42AAFB73C9B15320F54446AF91577283E538AE0143BA

Function 0043A224 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

Part of subcall function 0042F356: IsWindow.USER32(00000000), ref: 0042F386

GetWindowLongW.USER32(?,000000EC), ref: 0043A299
SetWindowLongW.USER32(?,000000EC,00000000), ref: 0043A2B4
SetWindowLongW.USER32(?,000000EC,00000000), ref: 0043A2CC
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002,?,000000EC,00000000,?,000000EC,?,00000001), ref: 0043A2DB

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 98e6f331b4d173f4308e4dd0fcc2f53b8d66d0cd384c1ebf6e782608ceaca789
Instruction ID: f7f73e1303eb979c7f4017d47aaa0108d00ec2175ddcee87516eafd23f26d66f
Opcode Fuzzy Hash: 98e6f331b4d173f4308e4dd0fcc2f53b8d66d0cd384c1ebf6e782608ceaca789
Instruction Fuzzy Hash: FC21E132254514AFD310AB28EC45F9BB79CFF86330F24422AF859DB2A1C765AC51C7A8

Function 003F4CD7 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 75stringCOMMON

Download Yara Rule

APIs

Part of subcall function 003F4C17: lstrlenW.KERNEL32(?), ref: 003F4C2A
Part of subcall function 003F4C17: lstrcpyW.KERNEL32(00000000,?), ref: 003F4C52
Part of subcall function 003F4C17: lstrcmpiW.KERNEL32(00000000,00000000), ref: 003F4C86

lstrlenW.KERNEL32(?), ref: 003F4D04

Part of subcall function 003D14F7: _malloc.LIBCMT ref: 003D1511

lstrcpyW.KERNEL32(00000000,?), ref: 003F4D2C
lstrcmpiW.KERNEL32(00000002,cdecl), ref: 003F4D72

Strings

cdecl, xrefs: 003F4D68

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen$_malloc
String ID: cdecl
API String ID: 3850814276-3896280584
Opcode ID: 0cdd31711a1bda98bf22a5ce2a1b64c241d52dea4bfcd4957c1f7fe8c8d10a7d
Instruction ID: 22eaf1087d06ce0f99ad2ba402b20727afb9ee63be36dd898424f503275ee91b
Opcode Fuzzy Hash: 0cdd31711a1bda98bf22a5ce2a1b64c241d52dea4bfcd4957c1f7fe8c8d10a7d
Instruction Fuzzy Hash: BB21D576101345BBD712AF24EC41DB773A9FF85350F41843AFA068B651EB31D945C7A1

Function 00408B95 Relevance: 6.1, APIs: 4, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00408BC2
GetWindowLongW.USER32(?,000000EC), ref: 00408BEA
SendMessageW.USER32(?,0000104C,00000000,?), ref: 00408C23
SendMessageW.USER32(?,0000102B,00000000,?), ref: 00408C6C

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 98dbbc68f8d6a9274b0f4265afa4dadae7bbd0d8072e6839f7ef734073b5d36a
Instruction ID: 25f11e074215598658dd716f8b63bf31345bc0d137e1105800df1d5eefaa56e3
Opcode Fuzzy Hash: 98dbbc68f8d6a9274b0f4265afa4dadae7bbd0d8072e6839f7ef734073b5d36a
Instruction Fuzzy Hash: B521C5721093009BE320CF18D988B9BBBE4FBD6325F500B2EF9D4962D0C7B98448C751

Function 00418A4E Relevance: 6.1, APIs: 4, Instructions: 71networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,?,00000000,00000000,?), ref: 00418AAA
__WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00418ABC
accept.WSOCK32(00000000,00000000,00000000), ref: 00418ACB
WSAGetLastError.WSOCK32(00000000), ref: 00418AF0

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: ErrorLastacceptselect
String ID:
API String ID: 385091864-0
Opcode ID: 917749089221c811913fe2a95911e784cb691d7bfb8a047742b408d017a4ac58
Instruction ID: daf3265408fbb9c50a15c69257334b5c99f56b12896047fee3ed448708dabcc5
Opcode Fuzzy Hash: 917749089221c811913fe2a95911e784cb691d7bfb8a047742b408d017a4ac58
Instruction Fuzzy Hash: 34219F766002049FD714DF68DC49BAAB7E8EF95310F14866EF949DB380DBB0AD808B94

Function 003F682A Relevance: 6.1, APIs: 4, Instructions: 69windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 003F684C
SendMessageW.USER32(?,000000C9,?,00000000), ref: 003F685F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 003F6876
SendMessageW.USER32(?,000000C9,?,00000000), ref: 003F688E

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 65ec4dccd5e862e54b5faceb0e8caadd2267d2dd4f0d9f1a1c4de292eb900f00
Instruction ID: 5ce5f0a80a8ea29b1205b8e42a2c0bed0fe1e4ec7d5128f1c923a867b25353c8
Opcode Fuzzy Hash: 65ec4dccd5e862e54b5faceb0e8caadd2267d2dd4f0d9f1a1c4de292eb900f00
Instruction Fuzzy Hash: 78111275640208BFDB10DF68DC85FA9B7E8EF98750F10815AFD48DB240D671E9418FA0

Function 003F0165 Relevance: 6.1, APIs: 4, Instructions: 57windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 003F01AF
GetStockObject.GDI32(00000011), ref: 003F01C5
SendMessageW.USER32(00000000,00000030,00000000), ref: 003F01CF
ShowWindow.USER32(00000000,00000000), ref: 003F01EA

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Window$CreateMessageObjectSendShowStock
String ID:
API String ID: 1358664141-0
Opcode ID: 9106a45965a6df4f09067de560b9c3a7cfc12d7f5ff0006ee323c1bfe5208e14
Instruction ID: f6001f91d433666a3236cd86fb7aa34ff539ad811780c3cdd35c917dfdddda34
Opcode Fuzzy Hash: 9106a45965a6df4f09067de560b9c3a7cfc12d7f5ff0006ee323c1bfe5208e14
Instruction Fuzzy Hash: 03117376200508BBD71ACF59DC45FEBB3A9AF89B11F158219FA08932A1D774E841CBA4

Function 00403B8B Relevance: 6.1, APIs: 4, Instructions: 57synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00403BAA
MessageBoxW.USER32(?,?,?,?), ref: 00403BE0
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00403BF6
CloseHandle.KERNEL32(00000000), ref: 00403BFD

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 8f62ee410ad9bc74f3eeca19f50ea64ee4473f51420ff21e7b34b844fc9bbb59
Instruction ID: de6deb24d9a5be25e36b055008abb85d80ab524be7bfc76a332b87b658a0ef51
Opcode Fuzzy Hash: 8f62ee410ad9bc74f3eeca19f50ea64ee4473f51420ff21e7b34b844fc9bbb59
Instruction Fuzzy Hash: 2F11C276505218ABD710DF68ED08ADB7FAC9F87322F144266FD04E3381E6B49A1087E5

Function 003F0AF4 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 003F0B0F
ScreenToClient.USER32(?,?), ref: 003F0B2E
ScreenToClient.USER32(?,?), ref: 003F0B4F
InvalidateRect.USER32(?,?,?,?,?), ref: 003F0B68

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 7797bb7c61e4942d4094985d3e8f6b4e63451ff225af5db0d550d5465710200a
Instruction ID: 432c261d60d426c1c3a4d5583f5033ad1d835a16fea61597e14c5c2e59eef01b
Opcode Fuzzy Hash: 7797bb7c61e4942d4094985d3e8f6b4e63451ff225af5db0d550d5465710200a
Instruction Fuzzy Hash: 151174B9D00209AFCB14DF98C8809AEFBB9FF99310F10855AE955A3344D774AA41CFA0

Function 003F38ED Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 003F3913

Part of subcall function 003D392E: __wsplitpath_helper.LIBCMT ref: 003D3970

__wsplitpath.LIBCMT ref: 003F3935
__wcsicoll.LIBCMT ref: 003F3959
__wcsicoll.LIBCMT ref: 003F396F

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: __wcsicoll__wsplitpath$__wsplitpath_helper
String ID:
API String ID: 1187119602-0
Opcode ID: 227108a87a38af16b85804464b95bfb6512746552479d647c522da08bb5ece35
Instruction ID: 7ccd749ee1c7d1f823e2070059e81409c282bfaa334ae629c8ddf011b1671a10
Opcode Fuzzy Hash: 227108a87a38af16b85804464b95bfb6512746552479d647c522da08bb5ece35
Instruction Fuzzy Hash: 210144B7C0411DAACF15DB94DC81EFEB3BDAB44300F04869EB50957140EB719B988BE1

Function 003E1D53 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 003E1D79

Part of subcall function 003E1BA5: __fltout2.LIBCMT ref: 003E1BD0

__cftog_l.LIBCMT ref: 003E1D9F
__cftoe_l.LIBCMT ref: 003E1DD1

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: 6ae40dba009a150ea76ba5f1898320b2e7ea01cb9345818092e085b7bdc0c272
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: 2111807240019EFBCF135E86CC41CEE3F26BB19394B598614FE2898070D736C9B1AB81

Function 003F494A Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 003F4962
_wcslen.LIBCMT ref: 003F496A

Part of subcall function 003D14F7: _malloc.LIBCMT ref: 003D1511

_wcscpy.LIBCMT ref: 003F4992
_wcscat.LIBCMT ref: 003F4999

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: _wcslen$_malloc_wcscat_wcscpy
String ID:
API String ID: 1597257046-0
Opcode ID: 57483ae6d7dc438321cdf9863388d7fcf54b5adb9d2db89f9799cb8a6e06c5f6
Instruction ID: dfdf1fa70002e66c9392327eff5f3620b2cf6894317fe376d4fbc32d5524142f
Opcode Fuzzy Hash: 57483ae6d7dc438321cdf9863388d7fcf54b5adb9d2db89f9799cb8a6e06c5f6
Instruction Fuzzy Hash: F8016D72200240BFC325EBA9D886D2BB3BDEB89320B00852AF55A8B741DB35E8408760

Function 003DF4A4 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(00000000,003D6433), ref: 003DF4A7
__malloc_crt.LIBCMT ref: 003DF4D6
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 003DF4E3

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: EnvironmentStrings$Free__malloc_crt
String ID:
API String ID: 237123855-0
Opcode ID: 8ddc48a40cbe9b7460fd0d9228a33c60be65ac8aee4e4984b429f6f15f5f8e4f
Instruction ID: c16d2f43a26ea0d12a88c33105af6051a914fd8bf4a0b88a83da298586dfe067
Opcode Fuzzy Hash: 8ddc48a40cbe9b7460fd0d9228a33c60be65ac8aee4e4984b429f6f15f5f8e4f
Instruction Fuzzy Hash: 84F0827B5015105E8B376B36BC858AB2A79DAD636531B8477F843C3306F6248E8182A1

Function 004272AF Relevance: 6.0, APIs: 4, Instructions: 40COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 004272BF

Part of subcall function 004130A7: _memset.LIBCMT ref: 004130E3

_memmove.LIBCMT ref: 004272E4
_memset.LIBCMT ref: 004272F3
LeaveCriticalSection.KERNEL32(?), ref: 00427303

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 41be6930af6cdd182da3cfc83021f26968516a52c9e11c41f7373df680c84286
Instruction ID: aebcfd4e8a585b9aefe9f938156acaac0baddc6337f4ec56586bec68de4a637f
Opcode Fuzzy Hash: 41be6930af6cdd182da3cfc83021f26968516a52c9e11c41f7373df680c84286
Instruction Fuzzy Hash: D7F019BA200604AFC210AF95EC85D9BF7EDFB99721B00C91AF95A87601C674F8008BB0

Function 00415633 Relevance: 6.0, APIs: 4, Instructions: 40windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 004156AB
DeleteObject.GDI32(?), ref: 004156B9
DestroyIcon.USER32(?), ref: 004156C7
DestroyWindow.USER32(?), ref: 004156D5

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: DeleteDestroyObject$IconWindow
String ID:
API String ID: 3349847261-0
Opcode ID: 4b2aecc45ae82a4c5126274e182820fc9cf1f3fa3c62ca5692169b833662b663
Instruction ID: b4ae924f12f44b92c10eedb3caec1ef6a8cbae735e03ec35e6fba058f8c6ccbb
Opcode Fuzzy Hash: 4b2aecc45ae82a4c5126274e182820fc9cf1f3fa3c62ca5692169b833662b663
Instruction Fuzzy Hash: 7FF01974301601DBDB20EF6699C899B77ACAF853107804526F909C7295C768DC818AAD

Function 0040B574 Relevance: 6.0, APIs: 4, Instructions: 37COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 0040B581
InterlockedExchange.KERNEL32(?,?), ref: 0040B58F
LeaveCriticalSection.KERNEL32(?), ref: 0040B5A6
LeaveCriticalSection.KERNEL32(?), ref: 0040B5B8

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: CriticalSection$Leave$EnterExchangeInterlocked
String ID:
API String ID: 2223660684-0
Opcode ID: ef99bf4ea133149b9045950d82bc68abd51cc3dd84245bb3e02f7aa8fa50980e
Instruction ID: d20f93ca3df3eb9516438216364cdc3baaaa675dcbb5d2d96c9013b533e70fb7
Opcode Fuzzy Hash: ef99bf4ea133149b9045950d82bc68abd51cc3dd84245bb3e02f7aa8fa50980e
Instruction Fuzzy Hash: CAF0BE3A241104AF82105B65FD48CD7B3ACFBAA7353404A3BF5019361097B2F805CBB9

Function 00407215 Relevance: 6.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 004070BF: DeleteObject.GDI32(00000000), ref: 004070FC
Part of subcall function 004070BF: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 0040713C
Part of subcall function 004070BF: SelectObject.GDI32(?,00000000), ref: 0040714C
Part of subcall function 004070BF: BeginPath.GDI32(?), ref: 00407161
Part of subcall function 004070BF: SelectObject.GDI32(?,00000000), ref: 0040718A

MoveToEx.GDI32(?,?,?,00000000), ref: 0040723B
LineTo.GDI32(?,?,?), ref: 0040724A
EndPath.GDI32(?), ref: 0040725A
StrokePath.GDI32(?), ref: 00407268

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
String ID:
API String ID: 2783949968-0
Opcode ID: b28c811c12b0bd1e629b57b82d8ed77fc2ab50dee29c52462548ff9880677c5e
Instruction ID: 911912b8cbc9608fb119742cfb8d9b6d6b3877df29c0bd5cc2a7a4437b6d4277
Opcode Fuzzy Hash: b28c811c12b0bd1e629b57b82d8ed77fc2ab50dee29c52462548ff9880677c5e
Instruction Fuzzy Hash: 94F06D74109259BBE7119F14ED49FAF3B5CAF06310F408215FA01623D1C7B869418BBA

Function 003F0A7C Relevance: 6.0, APIs: 4, Instructions: 34processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003F0A88
_memset.LIBCMT ref: 003F0A96
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00469568,00469554), ref: 003F0AD9
CloseHandle.KERNEL32(00000000), ref: 003F0AEA

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 9f60740cce05d168f12b7d6dbb720a88f3dca940105856ef7eb826db46012e46
Instruction ID: e0855f2d1c63910d327a04805370a042eb46852faec02d01846caa5cdc8f3196
Opcode Fuzzy Hash: 9f60740cce05d168f12b7d6dbb720a88f3dca940105856ef7eb826db46012e46
Instruction Fuzzy Hash: 59F0F8763C034476F6229B58EC47F96376CAB15F45F200026B7066E2E3E6F96C50865F

Function 003F6406 Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 003F6425
GetWindowThreadProcessId.USER32(?,00000000), ref: 003F6438
GetCurrentThreadId.KERNEL32 ref: 003F643F
AttachThreadInput.USER32(00000000), ref: 003F6446

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 117b83248b4eb7d745d74b2c9144a6595d57de17e45c4be9dce3abb61612f1e7
Instruction ID: 9395f59d91c9f3d203923ad0552390ff371f74f4a24918ab4b3f8d9d1e2cdeab
Opcode Fuzzy Hash: 117b83248b4eb7d745d74b2c9144a6595d57de17e45c4be9dce3abb61612f1e7
Instruction Fuzzy Hash: 70F06D7528030877EB226BA19D0BFEA3B5CAF15B11F918021B704A90C0C6F4A5008769

Function 003F6BB5 Relevance: 6.0, APIs: 4, Instructions: 29synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 003F6BC2
UnloadUserProfile.USERENV(?,?,?,000000FF), ref: 003F6BD0
CloseHandle.KERNEL32(?,?,000000FF), ref: 003F6BE0
CloseHandle.KERNEL32(?,?,000000FF), ref: 003F6BE5

Part of subcall function 003F6ABB: GetProcessHeap.KERNEL32(00000000,?), ref: 003F6AC8
Part of subcall function 003F6ABB: HeapFree.KERNEL32(00000000), ref: 003F6ACF

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 31f21d993d97301efeaca72c41d3ff633cec44b56ed778782197c1d4b6cc7f6d
Instruction ID: a8f30152da8e467faea6c0badc1bf6f2778b2cd050192703c87f94684abdc86a
Opcode Fuzzy Hash: 31f21d993d97301efeaca72c41d3ff633cec44b56ed778782197c1d4b6cc7f6d
Instruction Fuzzy Hash: 05E06DBA100204ABC710EFA5DC48C57B7ECEF8A3303118A2AFD9583350CA74F840CEA4

Function 00432B6C Relevance: 6.0, APIs: 4, Instructions: 27COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00432B6C
GetDC.USER32(00000000), ref: 00432B75
GetDeviceCaps.GDI32(00000000,00000074), ref: 00432B81
ReleaseDC.USER32(00000000,?), ref: 00432BA2

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 6393776b81b13923524c1332f5573f8b34bcc85af45372641df4d7a3dae4bd22
Instruction ID: 9d0c8ac8437982155f6de796f0df4dcfaa3c18e1d0a80e3e9c5ca22dcc462c50
Opcode Fuzzy Hash: 6393776b81b13923524c1332f5573f8b34bcc85af45372641df4d7a3dae4bd22
Instruction Fuzzy Hash: 18F0307A900209AFCB00DF75D989A6EB7B4FB45315B51846AFD05CB210DB759900DB90

Function 00432B1D Relevance: 6.0, APIs: 4, Instructions: 27COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00432B1D
GetDC.USER32(00000000), ref: 00432B26
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00432B32
ReleaseDC.USER32(00000000,?), ref: 00432B53

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 4edfbe50f477c77071062f0665e88431354f27d6d17d862bb5370c0e72246c5b
Instruction ID: 798b584c4ae7cda5386b19f49a639da44bc3d398ea9234a8dba5e9e9694132a4
Opcode Fuzzy Hash: 4edfbe50f477c77071062f0665e88431354f27d6d17d862bb5370c0e72246c5b
Instruction Fuzzy Hash: BCF0A076900209EFCB00EFB4D94DA6EB7B4FB45311B01446AFD05CB200DA718900DB50

Function 003D506D Relevance: 6.0, APIs: 4, Instructions: 16threadCOMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 003D5070

Part of subcall function 003D7913: GetLastError.KERNEL32(00000003,?,003D7994,?,003D1259,?,?,003D12DC,?,00000001), ref: 003D7917
Part of subcall function 003D7913: ___set_flsgetvalue.LIBCMT ref: 003D7925
Part of subcall function 003D7913: __calloc_crt.LIBCMT ref: 003D7939
Part of subcall function 003D7913: GetCurrentThreadId.KERNEL32 ref: 003D7969
Part of subcall function 003D7913: SetLastError.KERNEL32(00000000,?,003D12DC,?,00000001), ref: 003D7981

CloseHandle.KERNEL32(?,?,003D50BB), ref: 003D5084
__freeptd.LIBCMT ref: 003D508B
ExitThread.KERNEL32 ref: 003D5093

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: ErrorLastThread$CloseCurrentExitHandle___set_flsgetvalue__calloc_crt__freeptd__getptd_noexit
String ID:
API String ID: 1454798553-0
Opcode ID: 257f27574a12e66ab313998b6f39889fd3e8008754e676d816a69b5f9139ac78
Instruction ID: 0470622e01625b241390f2f3c2263a8026e31ae491127c0146001c7b794584f2
Opcode Fuzzy Hash: 257f27574a12e66ab313998b6f39889fd3e8008754e676d816a69b5f9139ac78
Instruction Fuzzy Hash: 76D0A733405D1017C1332734680DA0E26659F41B31B150B01F8258B3D1EFA4CD4246E4

Function 004347F1 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 428COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00434BF2

Strings

dND, xrefs: 00434B73
dND, xrefs: 00434CC3

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: __wcsnicmp
String ID: dND$dND
API String ID: 1038674560-91332234
Opcode ID: 4512276314f49addcf2d37bf6c7741aebb9778ca1b512a38b3b65b4367013140
Instruction ID: 5b1ca4ee4fb8ae5b622c0f972725f2302bf72c415ddb782679d8d19091a256eb
Opcode Fuzzy Hash: 4512276314f49addcf2d37bf6c7741aebb9778ca1b512a38b3b65b4367013140
Instruction Fuzzy Hash: E1F14871A083019BC710EF28C881B5BB7E4AFC8714F04592EF9899B382D775EE45CB96

Function 003EF2DF Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 370COMMON

Download Yara Rule

APIs

_strncmp.LIBCMT ref: 003EF4BD

Strings

Q\E, xrefs: 003EF4B7

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: _strncmp
String ID: Q\E
API String ID: 909875538-2189900498
Opcode ID: abf45efe6ff581399a88d1be6ebb2585124a23abbe6d120802f77bbfe4fdf5e2
Instruction ID: f73a971132fa66d37067d8786014ef10fa89f9eff43feda598b3f3a3b5a0ff70
Opcode Fuzzy Hash: abf45efe6ff581399a88d1be6ebb2585124a23abbe6d120802f77bbfe4fdf5e2
Instruction Fuzzy Hash: D3C1A3719052F99FDF338F1A84503AABBB5AF1A314F6543AAD8D4572C5D3F09E428B80

Function 00420A8D Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 277comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(00000000,00000001), ref: 00420C8A

Part of subcall function 003D14F7: _malloc.LIBCMT ref: 003D1511

Part of subcall function 00405545: OleSetContainedObject.OLE32(?,00000000), ref: 004055C2

Part of subcall function 00411AB8: GetLastError.KERNEL32(?,?,00000000), ref: 00411B16
Part of subcall function 00411AB8: VariantCopy.OLEAUT32(?,?), ref: 00411B6E
Part of subcall function 00411AB8: VariantCopy.OLEAUT32(?,?), ref: 00411B84
Part of subcall function 00411AB8: VariantCopy.OLEAUT32(?,?), ref: 00411B9D
Part of subcall function 00411AB8: VariantClear.OLEAUT32(?), ref: 00411C17

Strings

Container, xrefs: 00420BF8
AutoIt3GUI, xrefs: 00420BF3

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Variant$Copy$ContainedObject$ClearErrorLast_malloc
String ID: AutoIt3GUI$Container
API String ID: 2652923123-3941886329
Opcode ID: 9d5f3222c934db772464969428f92d58c68431dbcc265457d9749b96f4cb4080
Instruction ID: a2b38440eaf1e937ddfecd6d0c32bc9553401bc30087c5a3c6c1f0c0f8af39c5
Opcode Fuzzy Hash: 9d5f3222c934db772464969428f92d58c68431dbcc265457d9749b96f4cb4080
Instruction Fuzzy Hash: 02A15BB17006019FDB10DFA9D880B66B7F4FF88704F60856AE909DB391EB75E801CBA4

Function 0040F36A Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 185COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0040CF87
_strncmp.LIBCMT ref: 0040F9B9

Strings

U, xrefs: 0040FAFE
\, xrefs: 0040CFD7

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: _memmove_strncmp
String ID: U$\
API String ID: 2666721431-100911408
Opcode ID: 0eb57f72225b823ddca2d089180a6afb0b18e5400349479a4c032d7bb747bc97
Instruction ID: 94a716b4e99bf9c22778a3623fe8653906e8a020d50ebc888392d25aab5fb1ba
Opcode Fuzzy Hash: 0eb57f72225b823ddca2d089180a6afb0b18e5400349479a4c032d7bb747bc97
Instruction Fuzzy Hash: F5718070A00249CFDF24CF69C9906AEBBF2AF89304F24827ED456A7785D7385945CF15

Function 0043A059 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

Part of subcall function 003D14F7: _malloc.LIBCMT ref: 003D1511

Part of subcall function 003C2390: _wcslen.LIBCMT ref: 003C239D
Part of subcall function 003C2390: _memmove.LIBCMT ref: 003C23C3

GetWindowTextW.USER32(?,?,00007FFF), ref: 0043A1B1

Strings

dND, xrefs: 0043A0A5
all, xrefs: 0043A08F

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: TextWindow_malloc_memmove_wcslen
String ID: all$dND
API String ID: 1060326413-3969675733
Opcode ID: 17435e64679d544e3adeda47493109738a34fd034d4d060da93f9ea6151b0d88
Instruction ID: 2d04795e82287737c69f0e9fb115b07fc99c9caab281db5d6bd86476b12c7629
Opcode Fuzzy Hash: 17435e64679d544e3adeda47493109738a34fd034d4d060da93f9ea6151b0d88
Instruction Fuzzy Hash: 23517B71604302AFD700EF64C886F5AB3E4AF88300F14892EF9599B382D775ED458BA2

Function 003F9911 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 003F9AD8
_memcmp.LIBCMT ref: 003F9B2C

Strings

&, xrefs: 003F992A

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: _memcmp
String ID: &
API String ID: 2931989736-1010288
Opcode ID: e4ec872be7356281d1d324f642f7d22c1a81ccb08e70a796b1c9df88f88949bc
Instruction ID: 3f97b84bd7de7881253de79e0a59fa54ee888040967df98c91f2638a65db8cc1
Opcode Fuzzy Hash: e4ec872be7356281d1d324f642f7d22c1a81ccb08e70a796b1c9df88f88949bc
Instruction Fuzzy Hash: 2A515DB1A0011E9FDF19CF98D894BBFB7B5EB89300F15815AEE15A7244D374AE41CBA0

Function 0040D34B Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0040D0BA

Strings

\, xrefs: 0040CFD7

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: _memmove
String ID: \
API String ID: 4104443479-2967466578
Opcode ID: 7d45c08e01fa7e59e557f8fc50fc37862dd91f04bdebfe81c07ca81faf8fbc07
Instruction ID: 1f672778e18d2b2645cd47b89528aed1396b3787ac71612688917b6e2fd304e3
Opcode Fuzzy Hash: 7d45c08e01fa7e59e557f8fc50fc37862dd91f04bdebfe81c07ca81faf8fbc07
Instruction Fuzzy Hash: D851BD70E042498FDB24CFA9C8D02AEBBB2BF95314F28827BD465A73C1D2355986CB45

Function 0042614E Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

dND, xrefs: 0042623B
dND, xrefs: 0042618C

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID:
String ID: dND$dND
API String ID: 0-91332234
Opcode ID: dbeb608e579c5aafa4b8e6a74ad6a220a8f1866d76d8978e2c692bda5ba9fb62
Instruction ID: 34be99a9b5832fe4d3844efdb63be37936406be6c040db9ae193a899964e5f72
Opcode Fuzzy Hash: dbeb608e579c5aafa4b8e6a74ad6a220a8f1866d76d8978e2c692bda5ba9fb62
Instruction Fuzzy Hash: 8A417C363042049BD310EF68E882F9AB3A5EF89310F54855EFA588B391D771ED05CB95

Function 004082B3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0040839F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 004083B8

Strings

', xrefs: 00408312

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 1a8980a7bf55fd30edb65796e3c3fc8c2e10f64e4acfbb0d90bf6c1dbff2b1e5
Instruction ID: 1d1b8e10fb3cbc7d574debcd5c7a89ed1432060900b9b3398ac4406cf6b769f9
Opcode Fuzzy Hash: 1a8980a7bf55fd30edb65796e3c3fc8c2e10f64e4acfbb0d90bf6c1dbff2b1e5
Instruction Fuzzy Hash: CF41A974A002099FCB04CF98D980AEEB7B5FB88700F14817EED48AB381DB716901CFA5

Function 00421B46 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00421B5E
SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00421BA0

Strings

dND, xrefs: 00421BAC

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: MessageSend
String ID: dND
API String ID: 3850602802-2949930476
Opcode ID: 1b6a0df7107ca9920711263dc50a2ce028250bbe8a60b66a4eb0f2d0c1792b32
Instruction ID: bd2c1af64901259cd78dca7a56dc411a553efba19ada53d998516d166ac45c7c
Opcode Fuzzy Hash: 1b6a0df7107ca9920711263dc50a2ce028250bbe8a60b66a4eb0f2d0c1792b32
Instruction Fuzzy Hash: 11212735A00219ABCB21EB55ED82EAFB778EF94311F51406AFD016B251DA34EE00C3A4

Function 00411297 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 004112C0
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004112D0

Strings

edit, xrefs: 00411338

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: ef2c046273822fe739ac98869c0af3e1080bbcd3a82a26c14a029e8abede712b
Instruction ID: 9fa420b289499aa116ed01d224a6b9e43c5b4d1c259b6aba792f9b1bc502111a
Opcode Fuzzy Hash: ef2c046273822fe739ac98869c0af3e1080bbcd3a82a26c14a029e8abede712b
Instruction Fuzzy Hash: CE2175755102056BEB108F68DC84EEB33ADEB99334F104316FE64E72E0C679DC818B68

Function 00436C5E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00436C6A
GlobalMemoryStatusEx.KERNEL32 ref: 00436C7D

Strings

@, xrefs: 00436C75

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 2d4d44cf9a10533011e3acda6b3dac671055c6276eeee5a10fd49063713a120c
Instruction ID: 77f28b5fe7e8e534cda328a0009848701d4afbd5d8bff64bf911ba0c989635f3
Opcode Fuzzy Hash: 2d4d44cf9a10533011e3acda6b3dac671055c6276eeee5a10fd49063713a120c
Instruction Fuzzy Hash: 7421BE30A09E11A7E2107B79AC4AB0F7BB8BF49714F059468FAD062090DF74512887AF

Function 003CF570 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003CF5B9
_memmove.LIBCMT ref: 003CF5D3

Strings

?T, xrefs: 003E6511

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: _memmove
String ID: ?T
API String ID: 4104443479-3504941901
Opcode ID: 6ed6293c3fc55fbf7b4a0a22f5e05766082ab94377e9ba98b933d083143e9cd3
Instruction ID: 668ef8122dacda540691a6a2d0588a5a69752b3110ead3d587419c8a04d54e9e
Opcode Fuzzy Hash: 6ed6293c3fc55fbf7b4a0a22f5e05766082ab94377e9ba98b933d083143e9cd3
Instruction Fuzzy Hash: 9F11B1B2510129AFC709DF64D8C1EAE73ADAB14344B50416DEA06CB641E731FE15C7D0

Function 00424E62 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

inet_addr.WSOCK32(?), ref: 00424E86
htons.WSOCK32(?), ref: 00424EE6

Strings

255.255.255.255, xrefs: 00424E9E

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: htonsinet_addr
String ID: 255.255.255.255
API String ID: 3832099526-2422070025
Opcode ID: 580994ec81d43db725bceae029e2782050782e9dcf2c0d6c26e48c6634b3d950
Instruction ID: 1b706e7062be0f74de4ab7f4ed34c53902f3c11ee488f7978f675c163a01f701
Opcode Fuzzy Hash: 580994ec81d43db725bceae029e2782050782e9dcf2c0d6c26e48c6634b3d950
Instruction Fuzzy Hash: 1C11C136600208ABCB10DF68EC86FAB73A8FF89320F10415AF9149B282D675E8518759

Function 004024F3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0040257F

Strings

<local>, xrefs: 0040253E

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: InternetOpen
String ID: <local>
API String ID: 2038078732-4266983199
Opcode ID: 112cacd2f61e3e7f9d36fffb57641e7010a968f04a8abb0e781700d5fdf015e3
Instruction ID: 8a9741d8e87aa3b580c749acb4110661ac23a59584aab1bb34b2a364aa46fc1f
Opcode Fuzzy Hash: 112cacd2f61e3e7f9d36fffb57641e7010a968f04a8abb0e781700d5fdf015e3
Instruction Fuzzy Hash: F311C670580310BBE7208B509D5AFBBB3A8A715700F20405BF9427B6C0D6F8B944D75D

Function 0042907F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003C1D10: _wcslen.LIBCMT ref: 003C1D11
Part of subcall function 003C1D10: _memmove.LIBCMT ref: 003C1D57

SendMessageW.USER32(00000000,00000180,00000000,00000000), ref: 004290EB

Strings

ComboBox, xrefs: 0042908B
ListBox, xrefs: 004290B6

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: MessageSend_memmove_wcslen
String ID: ComboBox$ListBox
API String ID: 547829025-1403004172
Opcode ID: 049ef6642394ebc7911bd4b7a526d713c0bb07d9f2ae4b28d29271a205d3512f
Instruction ID: dc0cf9309113e7f5c58f9a49b882ad65108b7e2dd9233310bbaf9d422bb6f339
Opcode Fuzzy Hash: 049ef6642394ebc7911bd4b7a526d713c0bb07d9f2ae4b28d29271a205d3512f
Instruction Fuzzy Hash: 5801F93171112837CB10BAA9AC45BDFB75C9B45320F44806BFD08DB243C939DD4883E5

Function 0040CDB9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SafeArrayCreateVector.OLEAUT32(00000013,00000000), ref: 0040CDEE
_memmove.LIBCMT ref: 0040CE15

Strings

crts, xrefs: 0040CE02

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: ArrayCreateSafeVector_memmove
String ID: crts
API String ID: 564309351-3724388283
Opcode ID: 5cf959bac63272f574e1ab064fb47a1b551815820a04102a18a6fbf70eedd435
Instruction ID: a0dacc3e3ed0e023139b0ed98444c8b0eead25238ad2a34d403be68011571b7a
Opcode Fuzzy Hash: 5cf959bac63272f574e1ab064fb47a1b551815820a04102a18a6fbf70eedd435
Instruction Fuzzy Hash: D101A177900109AAC710DF59EC45F9A77ACEB44350F41412AFA08DB241D731EA15C7E0

Function 003F2175 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003F2192
__fread_nolock.LIBCMT ref: 003F21A8

Strings

EA06, xrefs: 003F21DB

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: e9ed8be0c8246ab34aedfa83de9754da2073687d758bfbcf96524f3b3b83f2e4
Instruction ID: 17821a284ab0d6344cdde15ba5f11c6bd7a1c9c5185ec67b6aeefdfb931c68bc
Opcode Fuzzy Hash: e9ed8be0c8246ab34aedfa83de9754da2073687d758bfbcf96524f3b3b83f2e4
Instruction Fuzzy Hash: 4E014932804218BBCB19DB989C52AFEBBF49F05301F00859EF69697281D574A718C7A0

Function 00428B74 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00428B89
SendMessageW.USER32(00000000,0000110A,00000000,00000000), ref: 00428BC2

Strings

dND, xrefs: 00428BA1

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: MessageSend
String ID: dND
API String ID: 3850602802-2949930476
Opcode ID: e3659cc7ffc99e722eb4bb07e24856e66147fdaeb59624b1e78622520288d32d
Instruction ID: 59c68609103348a32612587cd38544c349311cf9923c721ea3cd2897073eec7f
Opcode Fuzzy Hash: e3659cc7ffc99e722eb4bb07e24856e66147fdaeb59624b1e78622520288d32d
Instruction Fuzzy Hash: 0DF0967A7403147BE6149B95FC46F9B739CEBD9721F20401BFF049B281C9B5AC418668

Function 003C1D10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 003C1D11

Part of subcall function 003D14F7: _malloc.LIBCMT ref: 003D1511

_memmove.LIBCMT ref: 003C1D57

Part of subcall function 003D14F7: std::exception::exception.LIBCMT ref: 003D1546
Part of subcall function 003D14F7: std::exception::exception.LIBCMT ref: 003D1560
Part of subcall function 003D14F7: __CxxThrowException@8.LIBCMT ref: 003D1571

Strings

@EXITCODE, xrefs: 003C1D10, 003C1D53

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw_malloc_memmove_wcslen
String ID: @EXITCODE
API String ID: 2734553683-3436989551
Opcode ID: 9270d3e99fcdddf252fb1682547dda54f5c02964f7d1925a364703f4f0250711
Instruction ID: 4bbe07c0387ffd5e23a5a3720e81a538fcd1e89c45a08d93b2c34a4fe9badffe
Opcode Fuzzy Hash: 9270d3e99fcdddf252fb1682547dda54f5c02964f7d1925a364703f4f0250711
Instruction Fuzzy Hash: C9F0C2F3A006425FC355DB75DC46B3775E49B45700F04C92EE08BCAB81F679E4418B10

Function 00416069 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001001,00000000,?), ref: 00416075

Part of subcall function 003D14F7: _malloc.LIBCMT ref: 003D1511

wsprintfW.USER32 ref: 004160A1

Strings

%d/%02d/%02d, xrefs: 0041609B

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: MessageSend_mallocwsprintf
String ID: %d/%02d/%02d
API String ID: 1262938277-328681919
Opcode ID: 71864f04a979517cb636c3b1ff1b7ba44d2ce7432a65057c68e491de9217e7ea
Instruction ID: 91d552e6dc23d7864b169f8700260b0429481e75e667e79d7b236ad4674e0296
Opcode Fuzzy Hash: 71864f04a979517cb636c3b1ff1b7ba44d2ce7432a65057c68e491de9217e7ea
Instruction Fuzzy Hash: 33F0823274022866D7109BD9BD42FFEB3A8DB59B53F404167FA04E9180D6694850C7B5

Function 003D1871 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 003D1879

Part of subcall function 003D81EE: __mtinitlocknum.LIBCMT ref: 003D8204
Part of subcall function 003D81EE: __amsg_exit.LIBCMT ref: 003D8210
Part of subcall function 003D81EE: EnterCriticalSection.KERNEL32(?,?,?,003D78A9,0000000D,?,003D12DC,?,00000001), ref: 003D8218

Part of subcall function 003D8115: LeaveCriticalSection.KERNEL32(?,003D81EC,0000000A,003D81DC,0044D180,0000000C,003D8209,?,?,?,003D78A9,0000000D,?,003D12DC,?), ref: 003D8124

Strings

d=, xrefs: 003D1890
d=, xrefs: 003D1885

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave__amsg_exit__lock__mtinitlocknum
String ID: d=$d=
API String ID: 2136571680-2331161000
Opcode ID: e13a997be3c249fd506fcb3ec523a4d5ec038bb649275841ab37d92f4250a04f
Instruction ID: 05e2a298faf9b21b4bc63e5a4a78e0d8192349da10acd83826c7affc881efd0e
Opcode Fuzzy Hash: e13a997be3c249fd506fcb3ec523a4d5ec038bb649275841ab37d92f4250a04f
Instruction Fuzzy Hash: F6D01777600314ABCB012BB5BD0AA493FA4EB44BA2F420036FB0C8B2A2DD71D8018788

Function 00401B6F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00401B85
PostMessageW.USER32(00000000), ref: 00401B8C

Part of subcall function 003F3187: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,00468178), ref: 003F319E

Strings

Shell_TrayWnd, xrefs: 00401B7E

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 7ae1ad6e571be15b2966314e0bc741a3c44a45c5e45a321dc422a081389f7815
Instruction ID: 29c906b99fbc9692b55921311b69a511dc28dc7826b75cc489b9b4456718ceff
Opcode Fuzzy Hash: 7ae1ad6e571be15b2966314e0bc741a3c44a45c5e45a321dc422a081389f7815
Instruction Fuzzy Hash: 39D05E76B803017AE624F3706D0FF8766549F15700F01483577019A1C0C4F5A4048659

Function 00401BA7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00401BB1
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00401BC4

Part of subcall function 003F3187: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,00468178), ref: 003F319E

Strings

Shell_TrayWnd, xrefs: 00401BAA

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: bad609ad75525ff386ba39b95c6b5b730d1dc09f2f40462d2a8d5d61079a54da
Instruction ID: 7c64ab8a16578f00c03095a4964c25a376ac5fc58fbafe1a1e2254f65205a478
Opcode Fuzzy Hash: bad609ad75525ff386ba39b95c6b5b730d1dc09f2f40462d2a8d5d61079a54da
Instruction Fuzzy Hash: 67D0A776B8430177E724F3706D0FFC766549F11700F01483577059A1C0C4F594048658

Function 003F1DF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 003F1E05
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 003F1E1D

Strings

aut, xrefs: 003F1E11

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: cac7ad14379c33ac754d409a76d703f34d34f9d1f91c1b288406324ab4c2b88d
Instruction ID: 15c781b21dcc7990a46c8ef846e03a270a55b24f34054bba0a3f11a171bfffe0
Opcode Fuzzy Hash: cac7ad14379c33ac754d409a76d703f34d34f9d1f91c1b288406324ab4c2b88d
Instruction Fuzzy Hash: 1ED05EBD5403086BE314DB90ED4FFA9B73CE744700F5082E5BE14561D1AAF06A54CAE9

Function 003F704A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 8windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 003F7058

Part of subcall function 003D17FA: _doexit.LIBCMT ref: 003D1806

Strings

AutoIt, xrefs: 003F704C
Error allocating memory., xrefs: 003F7051

Memory Dump Source

Source File: 00000001.00000002.3095391502.00000000003C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003C0000, based on PE: true

Associated: 00000001.00000002.3095368618.00000000003C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095461598.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095478318.0000000000451000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095495201.0000000000468000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3095526549.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3c0000_file.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 8c7792019aab59bd52d66e3b8ee9d79133d01f49d0baea63d8d2cfe9a0d12d41
Instruction ID: 760057f2beeb4e11369e17b1df06b66fa1ddce331d3d9316919c91033202c067
Opcode Fuzzy Hash: 8c7792019aab59bd52d66e3b8ee9d79133d01f49d0baea63d8d2cfe9a0d12d41
Instruction Fuzzy Hash: E6B012313C030437F1042BA01E0BF4620002784F0BF310402F3252C5D304C5045001AD

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: file.exePID: 7420, Parent PID: 2580

General

Chronological Activities

Disassembly

Windows Analysis Report
file.exe

Function 003CD7A0 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 138
windowCOMMON

Function 003CE700 Relevance: 10.7, APIs: 7, Instructions: 157
COMMON

Function 003CEE30 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12
libraryloaderCOMMON

Function 003CE560 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 151
COMMON

Function 003D14F7 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 41
COMMON

Function 003CE6C0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 79
registryCOMMON

Function 003D06E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 66
registryCOMMON

Function 003CF1D0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 52
COMMON

Function 003CD8B0 Relevance: 3.1, APIs: 2, Instructions: 74
COMMON