Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1522716
MD5:	52f3d33b2ce1ae6640a20e19506b7acb
SHA1:	09833b92ef643b687fc0e51c7bc6316011e30604
SHA256:	0d42c76532e1f811ba1e34911976f04fa2616dbe9af1f6f9cdf75193ad9f482b
Tags:	exesigneduser-jstrosch
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found potential string decryption / allocating functions

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 2360 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 52F3D33B2CE1AE6640A20E19506B7ACB)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 50%

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00403B58 CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptCreateHash,CryptReleaseContext,CryptHashData,CryptDestroyHash,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,

0_2_00403B58

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

DNS traffic detected: query: info.pillowkidguest.ru replaycode: Name error (3)

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: s.itorrent.bz
Source: global traffic	DNS traffic detected: DNS query: info.pillowkidguest.ru
Source: global traffic	DNS traffic detected: DNS query: cdn.itorrent.bz

Source: file.exe, 00000000.00000003.1887029003.00000000006EB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001891613.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cdn.itorrent.bz/
Source: file.exe	String found in binary or memory: http://cdn.itorrent.bz/itorrent-application/itorrent.zip
Source: file.exe, 00000000.00000002.3001735411.0000000000668000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cdn.itorrent.bz/itorrent-application/itorrent.zip5
Source: file.exe	String found in binary or memory: http://cdn.itorrent.bz/itorrent-application/itorrent.zipFreeSpacer_setup.exe.
Source: file.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: file.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: file.exe	String found in binary or memory: http://g.itorrent.bz/support.i
Source: file.exe	String found in binary or memory: http://g.itorrent.bz/support.ilbad
Source: file.exe, 00000000.00000003.1887309756.00000000006CF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001835622.00000000006CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://info.pillowkidguest.ru/Ts
Source: file.exe	String found in binary or memory: http://info.pillowkidguest.ru/logo.png
Source: file.exe, 00000000.00000003.1887029003.00000000006EB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001891613.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://info.pillowkidguest.ru/logo.pngU
Source: file.exe	String found in binary or memory: http://info.pillowkidguest.ru/logo.pnga8b13a8ef5c233e82e7c47bb5977f38a
Source: file.exe, 00000000.00000003.1887029003.00000000006EB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001891613.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://info.pillowkidguest.ru/logo.pngm
Source: file.exe, 00000000.00000003.1887029003.00000000006EB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001891613.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://info.pillowkidguest.ru/logo.pngs2
Source: file.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: file.exe, 00000000.00000003.1887029003.00000000006EB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001891613.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.itorrent.bz/
Source: file.exe, 00000000.00000003.1887029003.00000000006EB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001891613.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.itorrent.bz//
Source: file.exe, 00000000.00000003.1887029003.00000000006EB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001891613.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.itorrent.bz//95
Source: file.exe	String found in binary or memory: http://s.itorrent.bz/i/
Source: file.exe, 00000000.00000002.3001735411.0000000000668000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.itorrent.bz/i/44e838831f4e7f2973ae42fab2828498/df%
Source: file.exe, 00000000.00000003.1887029003.00000000006EB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001891613.00000000006EB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001735411.0000000000668000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.itorrent.bz/i/44e838831f4e7f2973ae42fab2828498/df/?version=1.0.0.404
Source: file.exe, 00000000.00000003.1887608203.00000000006A4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001735411.00000000006A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.itorrent.bz/i/44e838831f4e7f2973ae42fab2828498/df/?version=1.0.0.404/
Source: file.exe, 00000000.00000003.1887608203.00000000006A4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001735411.00000000006A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.itorrent.bz/i/44e838831f4e7f2973ae42fab2828498/df/?version=1.0.0.404T
Source: file.exe, 00000000.00000003.1887608203.00000000006A4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001735411.00000000006A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.itorrent.bz/i/44e838831f4e7f2973ae42fab2828498/df/?version=1.0.0.404j
Source: file.exe, 00000000.00000003.1887608203.00000000006A4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001735411.00000000006A4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001735411.0000000000668000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.itorrent.bz/i/44e838831f4e7f2973ae42fab2828498/s/?version=1.0.0.404
Source: file.exe	String found in binary or memory: http://s.itorrent.bz/i/BUTTON###image/pngCan
Source: file.exe, 00000000.00000002.3001835622.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1887309756.00000000006C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.itorrent.bz/l$J
Source: file.exe, 00000000.00000003.1887029003.00000000006EB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001891613.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.itorrent.bz/w5
Source: file.exe	String found in binary or memory: http://tfile.me/forum/download.php?id=706491&ak=11xxxxxxxx
Source: file.exe	String found in binary or memory: http://tfile.me/forum/download.php?id=706491&ak=11xxxxxxxxF
Source: file.exe, 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: http://tfile.me/forum/download.php?id=706491&ak=11xxxxxxxxJ

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00411CFB	0_2_00411CFB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004360B3	0_2_004360B3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00437135	0_2_00437135
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004341AD	0_2_004341AD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042D2E3	0_2_0042D2E3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004345E2	0_2_004345E2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00436625	0_2_00436625
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041E68F	0_2_0041E68F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004338A1	0_2_004338A1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00424950	0_2_00424950
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00434A17	0_2_00434A17
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00437B4C	0_2_00437B4C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041DC2B	0_2_0041DC2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042DCCB	0_2_0042DCCB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00425C8F	0_2_00425C8F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00433D95	0_2_00433D95
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00426F5F	0_2_00426F5F

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00439BBF appears 33 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00438F67 appears 41 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 004261A0 appears 61 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00439B56 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00439B89 appears 68 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0040792F appears 31 times

Source: file.exe

Static PE information: invalid certificate

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal48.winEXE@1/1@11/0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00406633 __EH_prolog3_GS,_memset,SHGetFolderPathW,CoCreateInstance,CoTaskMemFree,

0_2_00406633

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00405D6E LoadResource,LockResource,SizeofResource,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,CreateStreamOnHGlobal,GlobalFree,GdipAlloc,

0_2_00405D6E

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\7ec63eecc011967c28496572961d2a7c_9e146be9-c76a-4720-bcdb-53011b87bd06

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\file.exe	Command line argument: Debug	0_2_00412753
Source: C:\Users\user\Desktop\file.exe	Command line argument: xD	0_2_00412753
Source: C:\Users\user\Desktop\file.exe	Command line argument: $C	0_2_00412753
Source: C:\Users\user\Desktop\file.exe	Command line argument: LyD	0_2_00412753
Source: C:\Users\user\Desktop\file.exe	Command line argument: @yD	0_2_00412753
Source: C:\Users\user\Desktop\file.exe	Command line argument: DyD	0_2_00412753
Source: C:\Users\user\Desktop\file.exe	Command line argument: HyD	0_2_00412753
Source: C:\Users\user\Desktop\file.exe	Command line argument: LhD	0_2_00412753
Source: C:\Users\user\Desktop\file.exe	Command line argument: prf	0_2_00412753
Source: C:\Users\user\Desktop\file.exe	Command line argument: NB	0_2_0042E7A0

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 50%

Source: file.exe	String found in binary or memory: --start
Source: file.exe	String found in binary or memory: //d/ps/p/installed/i
Source: file.exe	String found in binary or memory: --install
Source: file.exe	String found in binary or memory: //d/ps/p/installed/i
Source: file.exe	String found in binary or memory: @openhttpieoperalauncheroperaoldyandexgooglechromeinternet explorerfirefoxffamigo01HKLMHKEY_LOCAL_MACHINE\DisplayNameSOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall<?xml version="1.0"?><d></d>//d/ps/p/rs/rname//d/ps/p/fs/f//d/ps/p/installed/i//d/machineid//d/guid//d/defbrowser//d/osexceptionl
Source: file.exe	String found in binary or memory: iTorrent.--installset-autoloadset-defaultset-firewall --
Source: file.exe	String found in binary or memory: dftsttfdp%ib%ipdfif--startpifip%ib%iContent-Type: application/xml;

Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4df0c730-df9d-4ae3-9153-aa6b82e9795a}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Window detected: Number of UI elements: 31

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004261E5 push ecx; ret		0_2_004261F8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00439B24 push ecx; ret		0_2_00439B37

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00425C8F EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00425C8F

Source: file.exe, 00000000.00000003.1887608203.00000000006A4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001735411.00000000006A4000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

API call chain: ExitProcess graph end node

graph_0-31674

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004265DC _memset,IsDebuggerPresent,

0_2_004265DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0042EC02 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_0042EC02

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00425B2B GetProcessHeap,

0_2_00425B2B

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004278D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_004278D8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004278A7 SetUnhandledExceptionFilter,		0_2_004278A7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0042687D cpuid

0_2_0042687D

Source: C:\Users\user\Desktop\file.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_0042F095
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_0042F249
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_0042F20C
Source: C:\Users\user\Desktop\file.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,	0_2_004263F6
Source: C:\Users\user\Desktop\file.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,	0_2_00435614
Source: C:\Users\user\Desktop\file.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	0_2_004358C8
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_00435888
Source: C:\Users\user\Desktop\file.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	0_2_00435945
Source: C:\Users\user\Desktop\file.exe	Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,	0_2_004359C8
Source: C:\Users\user\Desktop\file.exe	Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,	0_2_00435BBD
Source: C:\Users\user\Desktop\file.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00435CE7
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	0_2_00435D94
Source: C:\Users\user\Desktop\file.exe	Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,	0_2_00435E68

Source: C:\Users\user\Desktop\file.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00424662 GetSystemTimeAsFileTime,

0_2_00424662

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004038C5 __ehhandler$?enable_segment@_Helper@_Concurrent_vector_base_v4@details@Concurrency@@SAIAAV234@II@Z,__EH_prolog3,LookupAccountNameW,GetLastError,LookupAccountNameW,

0_2_004038C5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0040A723 __EH_prolog3_GS,_memset,GetVersionExW,

0_2_0040A723

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	3 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Deobfuscate/Decode Files or Information	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 System Owner/User Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	34 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	50%	ReversingLabs	Win32.PUA.ITorrent

Name	IP	Active	Malicious	Reputation
cdn.itorrent.bz	unknown	unknown	false	unknown
s.itorrent.bz	unknown	unknown	false	unknown
info.pillowkidguest.ru	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://s.itorrent.bz/w5	file.exe, 00000000.00000003.1887029003.00000000006EB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001891613.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://s.itorrent.bz//	file.exe, 00000000.00000003.1887029003.00000000006EB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001891613.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://tfile.me/forum/download.php?id=706491&ak=11xxxxxxxxJ	file.exe, 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmp	false	unknown
http://tfile.me/forum/download.php?id=706491&ak=11xxxxxxxxF	file.exe	false	unknown
http://s.itorrent.bz/	file.exe, 00000000.00000003.1887029003.00000000006EB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001891613.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://s.itorrent.bz/i/44e838831f4e7f2973ae42fab2828498/df/?version=1.0.0.404T	file.exe, 00000000.00000003.1887608203.00000000006A4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001735411.00000000006A4000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://info.pillowkidguest.ru/logo.pngm	file.exe, 00000000.00000003.1887029003.00000000006EB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001891613.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://cdn.itorrent.bz/	file.exe, 00000000.00000003.1887029003.00000000006EB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001891613.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://cdn.itorrent.bz/itorrent-application/itorrent.zip	file.exe	false	unknown
http://info.pillowkidguest.ru/logo.pnga8b13a8ef5c233e82e7c47bb5977f38a	file.exe	false	unknown
http://info.pillowkidguest.ru/logo.png	file.exe	false	unknown
http://g.itorrent.bz/support.i	file.exe	false	unknown
http://info.pillowkidguest.ru/logo.pngU	file.exe, 00000000.00000003.1887029003.00000000006EB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001891613.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://s.itorrent.bz/l$J	file.exe, 00000000.00000002.3001835622.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1887309756.00000000006C3000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://s.itorrent.bz/i/44e838831f4e7f2973ae42fab2828498/df%	file.exe, 00000000.00000002.3001735411.0000000000668000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://s.itorrent.bz/i/44e838831f4e7f2973ae42fab2828498/s/?version=1.0.0.404	file.exe, 00000000.00000003.1887608203.00000000006A4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001735411.00000000006A4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001735411.0000000000668000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://s.itorrent.bz/i/44e838831f4e7f2973ae42fab2828498/df/?version=1.0.0.404	file.exe, 00000000.00000003.1887029003.00000000006EB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001891613.00000000006EB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001735411.0000000000668000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://s.itorrent.bz/i/44e838831f4e7f2973ae42fab2828498/df/?version=1.0.0.404j	file.exe, 00000000.00000003.1887608203.00000000006A4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001735411.00000000006A4000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://s.itorrent.bz/i/BUTTON###image/pngCan	file.exe	false	unknown
http://g.itorrent.bz/support.ilbad	file.exe	false	unknown
http://info.pillowkidguest.ru/logo.pngs2	file.exe, 00000000.00000003.1887029003.00000000006EB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001891613.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://s.itorrent.bz/i/44e838831f4e7f2973ae42fab2828498/df/?version=1.0.0.404/	file.exe, 00000000.00000003.1887608203.00000000006A4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001735411.00000000006A4000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://s.itorrent.bz/i/	file.exe	false	unknown
http://info.pillowkidguest.ru/Ts	file.exe, 00000000.00000003.1887309756.00000000006CF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001835622.00000000006CF000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://tfile.me/forum/download.php?id=706491&ak=11xxxxxxxx	file.exe	false	unknown
http://cdn.itorrent.bz/itorrent-application/itorrent.zip5	file.exe, 00000000.00000002.3001735411.0000000000668000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://cdn.itorrent.bz/itorrent-application/itorrent.zipFreeSpacer_setup.exe.	file.exe	false	unknown
http://s.itorrent.bz//95	file.exe, 00000000.00000003.1887029003.00000000006EB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3001891613.00000000006EB000.00000004.00000020.00020000.00000000.sdmp	false	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1522716
Start date and time:	2024-09-30 15:53:47 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal48.winEXE@1/1@11/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 63 Number of non-executed functions: 114
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\7ec63eecc011967c28496572961d2a7c_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	47
Entropy (8bit):	1.168829563685559
Encrypted:	false
SSDEEP:	3:/lSll/:AV
MD5:	FEEA5AAD375F1E916BF7E620A6DCD75B
SHA1:	94894605A205FFA9C0FD5D9BE23603C2AFEA3CF9
SHA-256:	D94B1765B6165ACCEA18A12F7DD87FA28A6964E8B3C709967B82DFF961DFF216
SHA-512:	E8A16FF53A2904A6BF0C20910ADF544BF73D7370B012C57A2CA05FC40C7DBFF9622691DF99310E6F131E203B49EAF525737A38CDFCDE817A4B601F71B10861E2
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	........................................user.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584703533786841
TrID:	Win32 Executable (generic) a (10002005/4) 99.83% Windows Screen Saver (13104/52) 0.13% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	409'072 bytes
MD5:	52f3d33b2ce1ae6640a20e19506b7acb
SHA1:	09833b92ef643b687fc0e51c7bc6316011e30604
SHA256:	0d42c76532e1f811ba1e34911976f04fa2616dbe9af1f6f9cdf75193ad9f482b
SHA512:	f42ec9e70e823b9e8730a501d07c6c0a058a115799719ec903c1c872727278df0a6a2e794a9c1b7b0eb2cb054966e1d77e145772f9c81a4d603bcbced89a82c6
SSDEEP:	12288:eBTKRTSs8TSQS9VfUn04DBxGJK9iYH3yNMZEbikDT:YKRES/65uCKT
TLSH:	1C948C217789D075E0625132DE19A71525FEBC752F728B4B73D83F1E2AB11B0A239B22
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P....p..P....p..P....N..P....q.sP...(...P...P...Q...(...P....t..P....J..P...P...P....O..P..Rich.P.................

File Icon


Icon Hash:	1b694cccccc83317

Static PE Info

General

Entrypoint:	0x4250c2
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x56DF32AA [Tue Mar 8 20:14:34 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	630e143197957138e0ff0c79adca7372

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file
Error Number:	-2146762495
Not Before, Not After	17/08/2015 02:00:00 17/08/2016 01:59:59
Subject Chain	CN="""TORRENT"", OOO", O="""TORRENT"", OOO", STREET="Admirala Tribuca, 37", L=Kaliningrad, S=Kaliningrad, PostalCode=236006, C=RU
Version:	3
Thumbprint MD5:	E91699A3735D838CB43DCF145A19BDD0
Thumbprint SHA-1:	83F7D7E1F123E5B027EB3AEE47C6F544A197D18E
Thumbprint SHA-256:	FD967613856DC0712693AF97D0F90901C05F682EE02E8589BF8E85004E3DF500
Serial:	138718A754F2731D87CEDDCB1E570C6C

Entrypoint Preview

Instruction
call 00007EFCD8DC0DEDh
jmp 00007EFCD8DB9EB4h
int3
int3
int3
int3
mov ecx, dword ptr [esp+08h]
mov eax, dword ptr [esp+04h]
push edi
push ebx
push esi
cmp dword ptr [00454BA0h], 01h
jc 00007EFCD8DBA204h
ja 00007EFCD8DBA133h
movzx edx, byte ptr [ecx]
mov ebx, edx
shl edx, 08h
or edx, ebx
je 00007EFCD8DBA11Fh
movd xmm3, edx
pshuflw xmm3, xmm3, 00h
movlhps xmm3, xmm3
pxor xmm0, xmm0
mov esi, ecx
or edi, FFFFFFFFh
movzx ebx, byte ptr [ecx]
add ecx, 01h
test ebx, ebx
je 00007EFCD8DBA04Fh
test ecx, 0000000Fh
jne 00007EFCD8DBA020h
movdqa xmm2, dqword ptr [ecx]
pcmpeqb xmm2, xmm0
pmovmskb ebx, xmm2
test ebx, ebx
jne 00007EFCD8DBA037h
mov edi, 0000000Fh
movd edx, xmm3
mov ebx, 00000FFFh
and ebx, eax
cmp ebx, 00000FF0h
jnbe 00007EFCD8DBA059h
movdqu xmm1, dqword ptr [eax]
pxor xmm2, xmm2
pcmpeqb xmm2, xmm1
pcmpeqb xmm1, xmm3
por xmm1, xmm2
pmovmskb ebx, xmm1
add eax, 10h
test ebx, ebx
je 00007EFCD8DBA004h
bsf ebx, ebx
sub eax, 10h
add eax, ebx
movzx ebx, byte ptr [eax]
test ebx, ebx
je 00007EFCD8DBA09Ch
add eax, 01h
cmp dl, bl
jne 00007EFCD8DB9FEEh
mov edx, eax
lea ecx, dword ptr [esi+01h]
mov ebx, 00000FFFh

Rich Headers

Programming Language:

[C++] VS2013 build 21005
[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4d9d4	0xf0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5a000	0x101e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x62a00	0x13f0	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x48e70	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3f000	0x3fc	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3df35	0x3e000	d67fca22046da497bc4b28da073a9d5d	False	0.570769279233871	data	6.654122576566693	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x3f000	0x10086	0x10200	c00f28a76406e71d7f9c92121b80ac66	False	0.3649012839147287	DOS executable (COM, 0x8C-variant)	4.727771105703194	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x50000	0x9c60	0x4200	f61727bebeb83ca9d4b8c254e486090d	False	0.16844223484848486	data	2.558325233753619	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5a000	0x101e0	0x10200	ee0e6d6bbdffc0ad2b719bb1beb37532	False	0.516124636627907	data	6.453843363709768	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x5a2dc	0x2b44	PNG image data, 244 x 65, 8-bit/color RGBA, non-interlaced	English	Great Britain	1.000993138317082
PNG	0x5ce20	0x110c	PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced	English	Great Britain	1.0025206232813932
TEXT	0x5df2c	0x65ee	Unicode text, UTF-8 text, with very long lines (936), with CRLF line terminators	English	United States	0.22005058634168775
RT_BITMAP	0x6451c	0x105a	Device independent bitmap graphic, 37 x 37 x 24, image size 4146, resolution 2834 x 2834 px/m	English	United States	0.5217391304347826
RT_ICON	0x65578	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m	English	United States	0.7189716312056738
RT_ICON	0x659e0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 2835 x 2835 px/m	English	United States	0.6430327868852459
RT_ICON	0x66368	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m	English	United States	0.5302532833020638
RT_ICON	0x67410	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m	English	United States	0.45435684647302904
RT_GROUP_ICON	0x699b8	0x3e	data	English	United States	0.8064516129032258
RT_VERSION	0x699f8	0x250	data	English	United States	0.48817567567567566
RT_MANIFEST	0x69c48	0x596	ASCII text	English	United States	0.4258741258741259

Imports

DLL	Import
gdiplus.dll	GdipAlloc, GdipFree, GdipCloneImage, GdipGetImageEncodersSize, GdipGetImageEncoders, GdipLoadImageFromStream, GdipCreateBitmapFromHBITMAP, GdipDisposeImage, GdiplusShutdown, GdiplusStartup, GdipDrawImageRectI, GdipDeleteGraphics, GdipCreateFromHDC, GdipSaveImageToStream, GdipBitmapUnlockBits, GdipCreateBitmapFromScan0, GdipGetImagePixelFormat, GdipBitmapLockBits, GdipGetImageWidth, GdipGetImageHeight
KERNEL32.dll	GetModuleHandleW, LocalFlags, WriteFile, OpenProcess, Sleep, FormatMessageW, GetFileAttributesW, CreateFileW, MultiByteToWideChar, FlushFileBuffers, GetTempPathW, GetFileSizeEx, GetLastError, SetLastError, RegisterWaitForSingleObject, LocalAlloc, CreateFileMappingW, CreateEventW, WaitForMultipleObjects, lstrcmpiW, GetCurrentThreadId, DuplicateHandle, ReleaseMutex, CloseHandle, DeleteFileW, GetCurrentProcessId, UnregisterWaitEx, LocalFree, MulDiv, GetComputerNameW, GetSystemDirectoryW, GetVolumeInformationW, InterlockedDecrement, InterlockedExchange, ResetEvent, WideCharToMultiByte, FindResourceExW, LoadResource, LockResource, SizeofResource, GlobalAlloc, GlobalLock, GlobalUnlock, GlobalFree, VerSetConditionMask, VerifyVersionInfoW, GetModuleFileNameW, MoveFileW, SetEvent, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, GetVersionExW, ExpandEnvironmentStringsA, GetFileAttributesA, GetExitCodeProcess, InitializeCriticalSectionAndSpinCount, RaiseException, DecodePointer, RtlUnwind, GetCommandLineW, LoadLibraryExW, GetProcAddress, ExitThread, CreateThread, GetSystemTimeAsFileTime, IsProcessorFeaturePresent, IsDebuggerPresent, EncodePointer, HeapAlloc, HeapFree, ExitProcess, GetModuleHandleExW, GetStdHandle, HeapSize, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, GetProcessHeap, TlsSetValue, TlsFree, GetStartupInfoW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetFileType, QueryPerformanceCounter, GetEnvironmentStringsW, FreeEnvironmentStringsW, InterlockedCompareExchange, WaitForSingleObject, SetFilePointerEx, InterlockedIncrement, UnmapViewOfFile, MapViewOfFile, CreateMutexW, GetConsoleMode, GetConsoleCP, OutputDebugStringW, HeapReAlloc, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetStringTypeW, SetStdHandle, WriteConsoleW, InitializeCriticalSection
USER32.dll	PostMessageW, LoadBitmapW, FillRect, GetDlgItem, LoadIconW, AdjustWindowRect, MoveWindow, UpdateWindow, MessageBoxW, DrawTextExW, SetCursor, LoadCursorW, CheckDlgButton, IsDlgButtonChecked, PostQuitMessage, BeginPaint, GetMessageW, FindWindowW, GetWindowTextW, GetSysColorBrush, GetSysColor, GetClientRect, GetWindowRect, SetWindowLongW, RegisterClassW, GetWindowLongW, SetWindowTextW, DestroyIcon, GetIconInfo, SendMessageW, GetDC, ReleaseDC, GetSystemMetrics, DestroyWindow, RemovePropW, RegisterWindowMessageW, SetTimer, KillTimer, DrawTextW, EndPaint, TranslateMessage, RegisterClassExW, ShowWindow, SendMessageTimeoutW, IsWindow, CreateWindowExW, CallWindowProcW, DefWindowProcW, DispatchMessageW, EnableWindow
GDI32.dll	SetBkMode, GetDeviceCaps, GetObjectW, CreateFontW, SetBkColor, DeleteObject, SelectObject, DeleteDC, GetStockObject, CreateCompatibleDC, BitBlt, SetTextColor, GetCharWidth32W
ADVAPI32.dll	CryptAcquireContextW, RegQueryValueExW, RegEnumKeyExA, RegQueryInfoKeyW, RegOpenKeyA, RegCloseKey, RegQueryValueExA, RegOpenKeyExA, CryptHashData, ConvertSidToStringSidW, CryptDestroyHash, CryptCreateHash, LookupAccountNameW, CryptGetHashParam, CryptReleaseContext
SHELL32.dll	ShellExecuteW, ShellExecuteExW, SHGetFolderPathW, SHGetFileInfoW
ole32.dll	CreateStreamOnHGlobal, CoTaskMemFree, CoInitializeEx, CoUninitialize, GetHGlobalFromStream, CoCreateInstance
OLEAUT32.dll	VarI4FromStr, VarUI8FromStr
WINHTTP.dll	WinHttpQueryDataAvailable, WinHttpReceiveResponse, WinHttpWriteData, WinHttpSetTimeouts, WinHttpReadData, WinHttpCrackUrl, WinHttpOpenRequest, WinHttpOpen, WinHttpQueryOption, WinHttpSetStatusCallback, WinHttpQueryHeaders, WinHttpCloseHandle, WinHttpConnect, WinHttpSendRequest, WinHttpSetOption
urlmon.dll	ObtainUserAgentString
SHLWAPI.dll	StrCmpNA, PathAppendW, AssocQueryStringW, AssocQueryStringA, StrCmpNW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 15:55:18.855915070 CEST	64116	53	192.168.2.8	1.1.1.1
Sep 30, 2024 15:55:19.281646013 CEST	61754	53	192.168.2.8	1.1.1.1
Sep 30, 2024 15:55:19.289067030 CEST	52087	53	192.168.2.8	1.1.1.1
Sep 30, 2024 15:55:19.555239916 CEST	53	61754	1.1.1.1	192.168.2.8
Sep 30, 2024 15:55:19.857218981 CEST	64116	53	192.168.2.8	1.1.1.1
Sep 30, 2024 15:55:20.287462950 CEST	52087	53	192.168.2.8	1.1.1.1
Sep 30, 2024 15:55:20.855289936 CEST	64116	53	192.168.2.8	1.1.1.1
Sep 30, 2024 15:55:21.277146101 CEST	52087	53	192.168.2.8	1.1.1.1
Sep 30, 2024 15:55:22.870874882 CEST	64116	53	192.168.2.8	1.1.1.1
Sep 30, 2024 15:55:23.299746037 CEST	52087	53	192.168.2.8	1.1.1.1
Sep 30, 2024 15:55:26.886384010 CEST	64116	53	192.168.2.8	1.1.1.1
Sep 30, 2024 15:55:27.292579889 CEST	52087	53	192.168.2.8	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 30, 2024 15:55:18.855915070 CEST	192.168.2.8	1.1.1.1	0xa4a6	Standard query (0)	s.itorrent.bz	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:55:19.281646013 CEST	192.168.2.8	1.1.1.1	0xb116	Standard query (0)	info.pillowkidguest.ru	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:55:19.289067030 CEST	192.168.2.8	1.1.1.1	0x7673	Standard query (0)	cdn.itorrent.bz	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:55:19.857218981 CEST	192.168.2.8	1.1.1.1	0xa4a6	Standard query (0)	s.itorrent.bz	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:55:20.287462950 CEST	192.168.2.8	1.1.1.1	0x7673	Standard query (0)	cdn.itorrent.bz	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:55:20.855289936 CEST	192.168.2.8	1.1.1.1	0xa4a6	Standard query (0)	s.itorrent.bz	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:55:21.277146101 CEST	192.168.2.8	1.1.1.1	0x7673	Standard query (0)	cdn.itorrent.bz	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:55:22.870874882 CEST	192.168.2.8	1.1.1.1	0xa4a6	Standard query (0)	s.itorrent.bz	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:55:23.299746037 CEST	192.168.2.8	1.1.1.1	0x7673	Standard query (0)	cdn.itorrent.bz	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:55:26.886384010 CEST	192.168.2.8	1.1.1.1	0xa4a6	Standard query (0)	s.itorrent.bz	A (IP address)	IN (0x0001)	false
Sep 30, 2024 15:55:27.292579889 CEST	192.168.2.8	1.1.1.1	0x7673	Standard query (0)	cdn.itorrent.bz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 30, 2024 15:55:19.555239916 CEST	1.1.1.1	192.168.2.8	0xb116	Name error (3)	info.pillowkidguest.ru	none	none	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	09:55:18
Start date:	30/09/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x400000
File size:	409'072 bytes
MD5 hash:	52F3D33B2CE1AE6640A20E19506B7ACB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	7.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	14.3%
Total number of Nodes:	1971
Total number of Limit Nodes:	53

Executed Functions

Function 00411CFB Relevance: 49.7, APIs: 14, Strings: 14, Instructions: 693windowCOMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,00000003,7055389B,7055389B), ref: 00411E02
MessageBoxW.USER32(00447640,00447600,00000004,00000001), ref: 00411FE7
ShowWindow.USER32(00000000,?,?,?,?,?,?,7055389B), ref: 00411FFB
MessageBoxW.USER32(00447750,?,00000004,00000001), ref: 0041207D
DestroyWindow.USER32(?,?,?,?,?,?,?,7055389B), ref: 0041215A
PostQuitMessage.USER32(00000000), ref: 00412166
char_traits.LIBCPMT ref: 00412191
LeaveCriticalSection.KERNEL32(?), ref: 004123B9
ShowWindow.USER32(?,00000000,?,7055389B), ref: 0041248F
ShowWindow.USER32(?,00000005,?,0068C430,?,7055389B), ref: 004124BD
IsDlgButtonChecked.USER32(?,00000003), ref: 0041254F
char_traits.LIBCPMT ref: 00412618
char_traits.LIBCPMT ref: 00412647
PostMessageW.USER32(00000010,00000000,00000000,7055389B), ref: 00412700

Part of subcall function 004085B7: __EH_prolog3.LIBCMT ref: 004085BE

Part of subcall function 00413041: __EH_prolog3_catch.LIBCMT ref: 00413048

Strings

x6E, xrefs: 00412019
Unknown message type in WM_OPTIONS_WINDOW, xrefs: 00411DD0
Bad partner index, xrefs: 0041224F
qD, xrefs: 004126E5
.torrent, xrefs: 0041260F, 0041261F, 00412620
Unknown message type in WM_LICENSE_WINDOW, xrefs: 00411EF3
finish, xrefs: 004126EA
.tor, xrefs: 0041263D, 0041264E, 0041264F
8Ui, xrefs: 00412171
Unknown message type in WM_PROGRESS_WINDOW, xrefs: 00412736
HsD, xrefs: 0041218B
Can't printf packet, xrefs: 004122C8
rg%ib%io%iv%i, xrefs: 00412290
Unknown message type in WM_PARTNER_WINDOW, xrefs: 004121E7

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Window$Message$Showchar_traits$Post$ButtonCallCheckedCriticalDestroyH_prolog3H_prolog3_catchLeaveProcQuitSection
String ID: .tor$.torrent$8Ui$Bad partner index$Can't printf packet$HsD$Unknown message type in WM_LICENSE_WINDOW$Unknown message type in WM_OPTIONS_WINDOW$Unknown message type in WM_PARTNER_WINDOW$Unknown message type in WM_PROGRESS_WINDOW$finish$rg%ib%io%iv%i$x6E$qD
API String ID: 665256869-1879039627
Opcode ID: a07d09f1dcb187c5757040072c1437c2faa3bf4e08f83b37e0ee4dca3b7120e8
Instruction ID: 33eadd8d330f0ebdc9b208a5839545f040f049dd7a3d6ca243191253dd2364db
Opcode Fuzzy Hash: a07d09f1dcb187c5757040072c1437c2faa3bf4e08f83b37e0ee4dca3b7120e8
Instruction Fuzzy Hash: E042FF70204341ABD734EF24DD82BEA77A1EB84305F10052FF645972E2DB78AA95CB5E

Function 00412753 Relevance: 38.8, APIs: 8, Strings: 14, Instructions: 331
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405C87: __EH_prolog3_GS.LIBCMT ref: 00405C8E
Part of subcall function 00405C87: StrCmpNA.SHLWAPI(http://tfile.me/forum/download.php?id=706491&ak=11xxxxxxxx,###,00000003,00000064,00412778), ref: 00405C9F
Part of subcall function 00405C87: StrCmpNA.SHLWAPI(FreeSpacer_setup.exe.[tfile.ru].torrent.exe.torrent,###,00000003), ref: 00405D0F

_wcsstr.LIBCMT ref: 00412791

Part of subcall function 00406B6C: __EH_prolog3_GS.LIBCMT ref: 00406B73

Part of subcall function 00406BFE: char_traits.LIBCPMT ref: 00406C2C

Part of subcall function 00405427: char_traits.LIBCPMT ref: 00405436

Part of subcall function 00405457: char_traits.LIBCPMT ref: 00405468

MessageBoxW.USER32(00000000,?,Debug,00000000), ref: 0041293C
CoInitializeEx.COMBASE(00000000,00000002), ref: 0041295A
GdiplusStartup.GDIPLUS($C,00458B68,00000000,00000001,00000000,00000001,00000000), ref: 00412A82

Strings

Xml , xrefs: 004127C0
@yD, xrefs: 00412B8C
Can't initialize COM., xrefs: 0041297D
$C, xrefs: 00412A7D
Can't init instance., xrefs: 00412B09
prf, xrefs: 00412BC0
File , xrefs: 004127D5, 004127E1
Debug, xrefs: 00412935
xD, xrefs: 00412A45
LyD, xrefs: 00412B7E
DyD, xrefs: 00412B96
Can't startup gdi., xrefs: 00412AA5
HyD, xrefs: 00412B9F
LhD, xrefs: 00412BA9

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: char_traits$H_prolog3_$GdiplusInitializeMessageStartup_wcsstr
String ID: @yD$Can't init instance.$Can't initialize COM.$Can't startup gdi.$Debug$DyD$File $HyD$LhD$LyD$Xml $prf$$C$xD
API String ID: 477194047-138553265
Opcode ID: 5a1ca54444459b2d6b18834eefb528ca5effb46b6a2be1f65a90938802dee261
Instruction ID: c003cbd680389d117011cfd028a62eb46d96ef8adfd85da0382363bc62787e93
Opcode Fuzzy Hash: 5a1ca54444459b2d6b18834eefb528ca5effb46b6a2be1f65a90938802dee261
Instruction Fuzzy Hash: C7B1C271608240ABC324EF66DD55EEB37A8EF80344F10453FB14AA31D1EF786945CA5E

Function 00403B58 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 125
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,00000000), ref: 00403B81
CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,00000008), ref: 00403B91
CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 00403BAC
CryptReleaseContext.ADVAPI32(?,00000000,?,?,00000000), ref: 00403BBA
CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00403BD5
CryptDestroyHash.ADVAPI32(?,?,?,00000000), ref: 00403BE2
CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,?,00000000), ref: 00403BFB
CryptDestroyHash.ADVAPI32(?,?,?,00000000), ref: 00403C08
CryptReleaseContext.ADVAPI32(?,00000000,?,?,00000000), ref: 00403C12

Strings

0123456789abcdef, xrefs: 00403C21

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Crypt$Hash$Context$AcquireDestroyRelease$CreateDataParam
String ID: 0123456789abcdef
API String ID: 1661621369-1757737011
Opcode ID: 43045024b09dc7631611690433c13a50f0bbdab386900a4d703ddeef891f8c0d
Instruction ID: bc38debdc742b029609f526077eabf805d7697855b54a8378deaaef5b18a35ee
Opcode Fuzzy Hash: 43045024b09dc7631611690433c13a50f0bbdab386900a4d703ddeef891f8c0d
Instruction Fuzzy Hash: 6441C471A00208AFEB159FA8ED84DAF7BBDEF05749F10443AF441BB192D675AE05CB24

Function 00405D6E Relevance: 15.1, APIs: 10, Instructions: 78
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadResource.KERNEL32(00000000), ref: 00405D7B
LockResource.KERNEL32(00000000), ref: 00405D8D
SizeofResource.KERNEL32(00000000), ref: 00405D9D
GlobalAlloc.KERNEL32(00000002,00000000), ref: 00405DAC
GlobalLock.KERNEL32(00000000), ref: 00405DB9

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Resource$GlobalLock$AllocLoadSizeof
String ID:
API String ID: 1996038147-0
Opcode ID: b004d87adf5ba2c39b8a5ee17eaeca9c4d6e5bdf3cde0c9e78690ccaf8f8f4bf
Instruction ID: 5ac23d2c3a7e5d83a8137c5d197287e9651326da28d63db20a9c5642a9519fd0
Opcode Fuzzy Hash: b004d87adf5ba2c39b8a5ee17eaeca9c4d6e5bdf3cde0c9e78690ccaf8f8f4bf
Instruction Fuzzy Hash: A5119370A00605BBDB105BB1FC4DE6F7ABCEF85741700403AF805E2291EA78CD019A78

Function 00406633 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 146
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 0040663D

Part of subcall function 00406221: _memset.LIBCMT ref: 00406242
Part of subcall function 00406221: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000001), ref: 00406266
Part of subcall function 00406221: VerifyVersionInfoW.KERNEL32(0000011C,00000002,00000000), ref: 00406277

_memset.LIBCMT ref: 0040666B
CoTaskMemFree.OLE32(?,?), ref: 004067A3

Part of subcall function 004085B7: __EH_prolog3.LIBCMT ref: 004085BE

SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040667F

Part of subcall function 00403E1D: char_traits.LIBCPMT ref: 00403E36

CoCreateInstance.OLE32(0043F4F0,00000000,00000001,004468FC,?,000002EC,00411331,itorrent\itorrent.exe,0000003C,00411946,0000006C,00412404,7055389B), ref: 004066C0

Strings

Can't get folder path, xrefs: 00406745
Can't get path manager, xrefs: 00406811
Can't get path, xrefs: 004067EC

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _memset$ConditionCreateFolderFreeH_prolog3H_prolog3_InfoInstanceMaskPathTaskVerifyVersionchar_traits
String ID: Can't get folder path$Can't get path$Can't get path manager
API String ID: 4026707909-2805621233
Opcode ID: 81dcc16906efb652ea751b207e3a15f3806304d20ab782840d7ff05f67d28757
Instruction ID: c01d32105f18e8912d9fb6099837e8e123656b14f71b8509aab5ed271e7fbad6
Opcode Fuzzy Hash: 81dcc16906efb652ea751b207e3a15f3806304d20ab782840d7ff05f67d28757
Instruction Fuzzy Hash: C1517370A002199BDB10EB61CD89BAEB778AF54744F1041FEA40AB72D1DB789F85CF18

Function 004038C5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004038CC

Part of subcall function 00404396: _Allocate.LIBCPMT ref: 00404402
Part of subcall function 00404396: _memmove.LIBCMT ref: 00404447
Part of subcall function 00404396: _memmove.LIBCMT ref: 00404465

LookupAccountNameW.ADVAPI32(00000000,?,?,00000044,?,?,?), ref: 0040392E
GetLastError.KERNEL32(?,00000044,?,?,?,?,00000000,00000400,?,00000028,00403AB2), ref: 0040393A
LookupAccountNameW.ADVAPI32(00000000,?,?,00000044,?,00000400,?), ref: 00403985

Strings

D, xrefs: 00403945

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AccountLookupName_memmove$AllocateErrorH_prolog3Last
String ID: D
API String ID: 1100625174-2746444292
Opcode ID: d4a8b213432b8f047ee80fa7da85489527dc22c91a46bc83829160262a276fce
Instruction ID: 6870c5936976370a109db7df4a4692874476ba3b098b2c310132ad7c6a934029
Opcode Fuzzy Hash: d4a8b213432b8f047ee80fa7da85489527dc22c91a46bc83829160262a276fce
Instruction Fuzzy Hash: 5331E9B6C0111EABCB01DFD5D9849EFBBBDFF48315F14142BE915B2240DB789A058BA8

Function 0041444F Relevance: 40.7, APIs: 18, Strings: 5, Instructions: 426
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 00414456

Part of subcall function 0040E337: CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,000000CC,00000000,00000000,00000005,00000000,Calibri), ref: 0040E38B
Part of subcall function 0040E337: CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,000000CC,00000000,00000000,00000005,00000000,Calibri), ref: 0040E3B5
Part of subcall function 0040E337: CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,000000CC,00000000,00000000,00000005,00000002,Arial), ref: 0040E3DF

Part of subcall function 004034DA: MulDiv.KERNEL32(?,00000060), ref: 004034ED

Part of subcall function 004034BD: MulDiv.KERNEL32(?,00000060), ref: 004034D0

CreateWindowExW.USER32(00000000,Static,00447DF8,50000000,00000000,?,00000000,?,?,00000001,00000000,00000000), ref: 00414508
SendMessageW.USER32(00000000,00000030,00000001), ref: 00414519
CreateWindowExW.USER32(00000000,Static,iTorrent - ,5000000D,00000000,?,00000000,?,?,00000004,00000000,00000000), ref: 004145B7
SendMessageW.USER32(00000000,00000030,00000001), ref: 004145C8

Part of subcall function 0041390D: GetDlgItem.USER32(?,00000004), ref: 0041391B
Part of subcall function 0041390D: ShowWindow.USER32(00000000,?,00413995,004479DC,004479B4,?,?,00000001,004105F9), ref: 00413922

char_traits.LIBCPMT ref: 00414606
GdipGetImageWidth.GDIPLUS(00000002,?,.file,00000001,00000000), ref: 0041468F
GdipGetImageHeight.GDIPLUS(00000002,?), ref: 004146B8
CreateWindowExW.USER32(00000000,Static,00445D78,50000005,00000000,00000000,00000000,00000001,00000002,00000000,00000000,00000000), ref: 00414918
FindResourceExW.KERNEL32(00000000,PNG,00000083,00000000), ref: 0041492A

Part of subcall function 00405D6E: LoadResource.KERNEL32(00000000), ref: 00405D7B

Strings

Static, xrefs: 00414500, 004145B1, 0041475B, 004147F9, 0041488C, 00414912
PNG, xrefs: 00414924
iTorrent - , xrefs: 004145AC, 00414887
.file, xrefs: 00414617
iTorrentWelcome, xrefs: 00414473

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Create$Window$Font$GdipImageMessageResourceSend$FindH_prolog3_HeightItemLoadShowWidthchar_traits
String ID: .file$PNG$Static$iTorrent - $iTorrentWelcome
API String ID: 114926083-384642819
Opcode ID: 94347e9e1a9b5db89121c381e93682727429d4daaca01b73afb2f724f0436460
Instruction ID: a03778d6209eea219e0747b544b5621170a06d561913e29083beabcdbd216bb4
Opcode Fuzzy Hash: 94347e9e1a9b5db89121c381e93682727429d4daaca01b73afb2f724f0436460
Instruction Fuzzy Hash: 10E12C71E40304ABEB11AFB5CC46FAE7BB9AF04705F10453AF601BB2D2E6799905CB58

Function 00402216 Relevance: 35.4, APIs: 13, Strings: 7, Instructions: 399
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WinHttpReceiveResponse.WINHTTP(?,00000000,?,?,?,?,?,?,0044A5F0,00000094), ref: 00402358

Strings

FILE-API-COULD-NOT-MAP-FILE, xrefs: 00402526
bytes, xrefs: 00402663
Resource unavailable, xrefs: 00402799
WINTHTTP-API-QUERY-HEADERS, xrefs: 0040274E
FILE-API-COULD-NOT-WRITE-FILE, xrefs: 004024B0
FILE-API-COULD-NOT-CREATE-FILE, xrefs: 004023A7
Got invalid header, xrefs: 00402747

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: HttpReceiveResponse
String ID: FILE-API-COULD-NOT-CREATE-FILE$FILE-API-COULD-NOT-MAP-FILE$FILE-API-COULD-NOT-WRITE-FILE$Got invalid header$Resource unavailable$WINTHTTP-API-QUERY-HEADERS$bytes
API String ID: 3708229387-1782802258
Opcode ID: 7f2a08a2523ca3bb4cfb8053cadc7d544b1407f29afe73e6ebad0e6ff8d6c699
Instruction ID: b938960f7b11265ca264575212783bdfd29e9699cf5e21ea2c4ac082b02322c1
Opcode Fuzzy Hash: 7f2a08a2523ca3bb4cfb8053cadc7d544b1407f29afe73e6ebad0e6ff8d6c699
Instruction Fuzzy Hash: 6EF13B71900204DFDF18CF68CA987AE7BB4AF44314F2441BBE805AB2D6D7B88945CF59

Function 00402979 Relevance: 31.8, APIs: 15, Strings: 3, Instructions: 345
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00401CD0: @_EH4_CallFilterFunc@8.LIBCMT ref: 00401D04

LocalAlloc.KERNEL32(00000040,00000400,?,?,?,?,?,?,?,?,?,?,?,0044A680,00000080), ref: 00402A26
ObtainUserAgentString.URLMON(00000000,00000000,00000400), ref: 00402A43
WinHttpOpen.WINHTTP(00000000,00000000,00000000,00000000,10000000), ref: 00402A76

Strings

(cD, xrefs: 00402BFE
Range: bytes=%1!I64u!-, xrefs: 00402D4F
WINHTTP-API-SEND-REQUEST, xrefs: 00402D83

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AgentAllocCallFilterFunc@8HttpLocalObtainOpenStringUser
String ID: Range: bytes=%1!I64u!-$(cD$WINHTTP-API-SEND-REQUEST
API String ID: 116706778-1993903230
Opcode ID: a8edad8e918f0472be7f5c161eba11fd8b02739d1e40bb5cf1f014af92c352bd
Instruction ID: 1d278322118d6ba96d209768847366fb05d794d4bbc19de4b4999fe6f6f4a19a
Opcode Fuzzy Hash: a8edad8e918f0472be7f5c161eba11fd8b02739d1e40bb5cf1f014af92c352bd
Instruction Fuzzy Hash: 82D14B709007099FEB24DF65CA88AAEBBB5BF48304F10453EE955B72D0D7B8AD45CB18

Function 0040FDC7 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 0040FDCE

Part of subcall function 0040E337: CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,000000CC,00000000,00000000,00000005,00000000,Calibri), ref: 0040E38B
Part of subcall function 0040E337: CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,000000CC,00000000,00000000,00000005,00000000,Calibri), ref: 0040E3B5
Part of subcall function 0040E337: CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,000000CC,00000000,00000000,00000005,00000002,Arial), ref: 0040E3DF

GetSysColorBrush.USER32(0000000F), ref: 0040FDF3

Part of subcall function 004034BD: MulDiv.KERNEL32(?,00000060), ref: 004034D0

Part of subcall function 004034DA: MulDiv.KERNEL32(?,00000060), ref: 004034ED

CreateWindowExW.USER32(00000000,EDIT,00445D78,50A00044,?,?,00000000,?,00000001,00000001,00000000,00000000), ref: 0040FE7D
SendMessageW.USER32(00000000,00000030,00000001), ref: 0040FE91

Part of subcall function 00423D6A: _malloc.LIBCMT ref: 00423D82

GetWindowLongW.USER32(?,000000FC), ref: 0040FEAD
SetWindowLongW.USER32(?,000000EB,00000000), ref: 0040FEC8
SetWindowLongW.USER32(?,000000FC,Function_0000FCD4), ref: 0040FED4
CreateWindowExW.USER32(00000000,Static,00447000,50000000,?,?,00000000,00000000,?,00000000,00000000,00000000), ref: 0040FF34
SendMessageW.USER32(00000000,00000030,00000001), ref: 0040FF47
CreateWindowExW.USER32(00000000,Static,00445D78,50000005,00000000,00000000,00000000,00000001,00000001,00000000,00000000,00000000), ref: 0040FF9A
CreateWindowExW.USER32(00000000,Static,00445D78,50000005,00000000,00000000,00000000,00000001,00000001,00000000,00000000,00000000), ref: 0040FFCA

Strings

Static, xrefs: 0040FF2E, 0040FF94, 0040FFC4
iTorrentLicense, xrefs: 0040FDFB
EDIT, xrefs: 0040FE77

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CreateWindow$FontLong$MessageSend$BrushColorH_prolog3_malloc
String ID: EDIT$Static$iTorrentLicense
API String ID: 1542350560-3723335058
Opcode ID: 4d3484bd485e8c698ad6d173f35b872cdb20d9edc5abe095ef18aa431a18fbb7
Instruction ID: 728fdf10bdbda5bda2f19fa9de87d07016514754f92681bba7c09195c2e047ef
Opcode Fuzzy Hash: 4d3484bd485e8c698ad6d173f35b872cdb20d9edc5abe095ef18aa431a18fbb7
Instruction Fuzzy Hash: C351A771A40214BBEB116FB59C46F2B3E69EF44B15F10447AF904BF2C2DAB9D9108B68

Function 004108DA Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 161
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00410902
LoadIconW.USER32(00400000,00000002), ref: 00410948
LoadCursorW.USER32(00000000,00007F00), ref: 00410956
LoadIconW.USER32(?,00000002), ref: 0041097E
RegisterClassExW.USER32(00000030), ref: 0041098D

Part of subcall function 004034DA: MulDiv.KERNEL32(?,00000060), ref: 004034ED

AdjustWindowRect.USER32(?,00C80000,00000000), ref: 004109C7
CreateWindowExW.USER32(00000000,itorrent-class-name,?,00C80000,80000000,00000000,?,?,00000000,00000000,00000000,00000001), ref: 00410A99
GetSystemMetrics.USER32(00000000), ref: 00410ABF
GetSystemMetrics.USER32(00000001), ref: 00410AC5
MoveWindow.USER32(00000000,00000000,?,?,00000000), ref: 00410AEE
ShowWindow.USER32(?), ref: 00410B14
KiUserCallbackDispatcher.NTDLL(?,?,00000001,00000000), ref: 00410B20

Strings

itorrent-class-name, xrefs: 00410974, 00410A93
0, xrefs: 00410915

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Window$Load$IconMetricsSystem$AdjustCallbackClassCreateCursorDispatcherMoveRectRegisterShowUser_memset
String ID: 0$itorrent-class-name
API String ID: 1695166324-3785640383
Opcode ID: 5bba661acd20567c8bc2cc06b7b376dc001007c0376515433906ecbc8142f826
Instruction ID: 14dfdfadd086018d3ef7d7ec4999bc9cebe3d057be21e3b376fcf857133ddd08
Opcode Fuzzy Hash: 5bba661acd20567c8bc2cc06b7b376dc001007c0376515433906ecbc8142f826
Instruction Fuzzy Hash: AC5140B1D00218AFDB249F65DC45BDA77B8EB08345F4040FAA509A7291DBB49EC5CF58

Function 0040F5FF Relevance: 23.0, APIs: 9, Strings: 4, Instructions: 200
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 0040F606

Part of subcall function 0040E337: CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,000000CC,00000000,00000000,00000005,00000000,Calibri), ref: 0040E38B
Part of subcall function 0040E337: CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,000000CC,00000000,00000000,00000005,00000000,Calibri), ref: 0040E3B5
Part of subcall function 0040E337: CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,000000CC,00000000,00000000,00000005,00000002,Arial), ref: 0040E3DF

Part of subcall function 004034DA: MulDiv.KERNEL32(?,00000060), ref: 004034ED

Part of subcall function 004034BD: MulDiv.KERNEL32(?,00000060), ref: 004034D0

CreateWindowExW.USER32(00000000,Static,iTorrent ,50000000,00000000,?,00000000,?,?,00000001,00000000,00000000), ref: 0040F6B0
SendMessageW.USER32(00000000,00000030,00000001), ref: 0040F6C1
CreateWindowExW.USER32(00000000,Static,00445D78,50000000,00000000,?,00000000,?,?,00000002,00000000,00000000), ref: 0040F73B
SendMessageW.USER32(00000000,00000030,00000001), ref: 0040F74C

Part of subcall function 00405BC7: CreateWindowExW.USER32(00000000,BUTTON,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00405BF7

SendMessageW.USER32(?,00000030,00000001), ref: 0040F7D6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 0040F7E4
CreateWindowExW.USER32(00000000,Static,00445D78,50000005,00000000,00000000,00000000,00000001,00000005,00000000,00000000,00000000), ref: 0040F80D
FindResourceExW.KERNEL32(00000000,PNG,00000083,00000000), ref: 0040F81F

Strings

Static, xrefs: 0040F6A9, 0040F734, 0040F807
PNG, xrefs: 0040F819
iTorrentFinish, xrefs: 0040F621
iTorrent , xrefs: 0040F6A4

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Create$MessageSendWindow$Font$FindH_prolog3Resource
String ID: PNG$Static$iTorrent $iTorrentFinish
API String ID: 1804301274-2355466141
Opcode ID: 3013e456cbbde5696532feb72056ab8acf501e300e12b2342dfa31e9ed72316e
Instruction ID: 41f152dcd5fd888cc1da02dd0585f07ec842f104924a7fd92865494d370ae4fb
Opcode Fuzzy Hash: 3013e456cbbde5696532feb72056ab8acf501e300e12b2342dfa31e9ed72316e
Instruction Fuzzy Hash: 46614171F40305BBEB11AFB1DC4AF6F7A69AF15705F10843AB605BF1C2DAB999008B58

Function 00413C38 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 160
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 00413C3F

Part of subcall function 0040E337: CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,000000CC,00000000,00000000,00000005,00000000,Calibri), ref: 0040E38B
Part of subcall function 0040E337: CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,000000CC,00000000,00000000,00000005,00000000,Calibri), ref: 0040E3B5
Part of subcall function 0040E337: CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,000000CC,00000000,00000000,00000005,00000002,Arial), ref: 0040E3DF

GetSysColorBrush.USER32(0000000F), ref: 00413C61

Part of subcall function 00423D6A: _malloc.LIBCMT ref: 00423D82

CreateWindowExW.USER32(00000000,msctls_progress32,00000000,50000000,00000000,00000000,00000000,?,?,00000064,00000000,00000000), ref: 00413CF7
SendMessageW.USER32(00000000,0000040A,00000001,00000000), ref: 00413D0E
SendMessageW.USER32(00000000,00000401,00000000,03E80000), ref: 00413D1C
CreateWindowExW.USER32(00000000,Static,00445D78,50000000,00000000,00000000,?,00000000,?,00000065,00000000,00000000), ref: 00413D79
SendMessageW.USER32(00000000,00000030,00000001), ref: 00413D86

Part of subcall function 0040FAAE: CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,000000CC,00000000,00000000,00000005,00000000,Calibri), ref: 0040FB02
Part of subcall function 0040FAAE: CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,000000CC,00000000,00000000,00000005,00000000,Calibri), ref: 0040FB29

CreateWindowExW.USER32(00000000,Static,00445D78,50000005,00000000,00000000,00000000,00000001,00000004,00000000,00000000,00000000), ref: 00413DCF

Part of subcall function 004034DA: MulDiv.KERNEL32(?,00000060), ref: 004034ED

CreateWindowExW.USER32(00000000,Static,00445D78,50000005,00000000,00000000,00000000,00000001,00000004,00000000,00000000,00000000), ref: 00413DFF

Strings

iTorrentProgress, xrefs: 00413C69
Static, xrefs: 00413D71, 00413D76, 00413DCC, 00413DF8
msctls_progress32, xrefs: 00413CF1

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Create$Font$Window$MessageSend$BrushColorH_prolog3_malloc
String ID: Static$iTorrentProgress$msctls_progress32
API String ID: 267330387-4176076747
Opcode ID: 30098239b0446a19a158b6fcf7fa5b2db47ffbf1a21ef79790b277f1b9fba87e
Instruction ID: a2a72de0fe20205cdbfba1df0d0e3325bb776ee26a69da0e23c3975f614788ff
Opcode Fuzzy Hash: 30098239b0446a19a158b6fcf7fa5b2db47ffbf1a21ef79790b277f1b9fba87e
Instruction Fuzzy Hash: 0A419871B803007BFB106FB29C4BF6B3A69EF44B05F10846ABA04BF1C1D6B99D01866C

Function 0040FAAE Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 159
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040E337: CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,000000CC,00000000,00000000,00000005,00000000,Calibri), ref: 0040E38B
Part of subcall function 0040E337: CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,000000CC,00000000,00000000,00000005,00000000,Calibri), ref: 0040E3B5
Part of subcall function 0040E337: CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,000000CC,00000000,00000000,00000005,00000002,Arial), ref: 0040E3DF

Part of subcall function 004034A0: MulDiv.KERNEL32(?,00000048), ref: 004034B3

CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,000000CC,00000000,00000000,00000005,00000000,Calibri), ref: 0040FB02
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,000000CC,00000000,00000000,00000005,00000000,Calibri), ref: 0040FB29

Part of subcall function 004034DA: MulDiv.KERNEL32(?,00000060), ref: 004034ED

Part of subcall function 0040E49D: CreateWindowExW.USER32(00000000,?,00445D78,40000000,?,?,?,?,?,00000000,00000000,00000000), ref: 0040E4F2
Part of subcall function 0040E49D: SetWindowLongW.USER32(00000000,000000EB), ref: 0040E4FF

Part of subcall function 004034BD: MulDiv.KERNEL32(?,00000060), ref: 004034D0

CreateWindowExW.USER32(00000000,Static,?,50000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0040FBA5
SendMessageW.USER32(00000000,00000030,?,00000001), ref: 0040FBB9
CreateWindowExW.USER32(00000000,Static,?,50000000,00000000,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0040FC0D
SendMessageW.USER32(00000000,00000030,?,00000001), ref: 0040FC21
GetModuleHandleW.KERNEL32(00000000,00000082), ref: 0040FC2E
LoadBitmapW.USER32(00000000), ref: 0040FC35

Strings

Static, xrefs: 0040FB9E, 0040FC06
Calibri, xrefs: 0040FADE, 0040FB0E
iTorrentHeader, xrefs: 0040FB39

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Create$Font$Window$MessageSend$BitmapHandleLoadLongModule
String ID: Calibri$Static$iTorrentHeader
API String ID: 370662089-2786395957
Opcode ID: a4a7b8f18eea82c50bb9a891c8dafe0cf429e6e5bdcca20dfb5899dcfa65fe70
Instruction ID: 0a8a5a01e9bc8f247a4b71e8012727283a17c4d7533d367f77f3fd1e9a4f749e
Opcode Fuzzy Hash: a4a7b8f18eea82c50bb9a891c8dafe0cf429e6e5bdcca20dfb5899dcfa65fe70
Instruction Fuzzy Hash: AF4151B1A40314BEFB115FB1CC4AF6B3E6CEF05B55F00856ABA04EF1C1D6B999108BA4

Function 0040F85A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 0040F864
GetDlgItem.USER32(?,00000001), ref: 0040F881
SetWindowTextW.USER32(00000000), ref: 0040F884
GetDlgItem.USER32(?,00000002), ref: 0040F8D4
SetWindowTextW.USER32(00000000), ref: 0040F8D7
GetDlgItem.USER32(?,00000003), ref: 0040F927
ShowWindow.USER32(00000000), ref: 0040F92A

Part of subcall function 004085B7: __EH_prolog3.LIBCMT ref: 004085BE

Part of subcall function 0040792F: __EH_prolog3_catch.LIBCMT ref: 00407936
Part of subcall function 0040792F: char_traits.LIBCPMT ref: 0040794D

Strings

Can't set title, xrefs: 0040F8A9
Can't set text, xrefs: 0040F8FF

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ItemWindow$H_prolog3Text$H_prolog3_catchShowchar_traits
String ID: Can't set text$Can't set title
API String ID: 749598868-3025945671
Opcode ID: bfc8e40e0dd567e4df545333b0ef3a7c4005f144a73b76090d9ac0179e53f548
Instruction ID: dd74d8b56621528f40f95567f7c43380087b9a40a2ade6baff2560dbbbc3aa45
Opcode Fuzzy Hash: bfc8e40e0dd567e4df545333b0ef3a7c4005f144a73b76090d9ac0179e53f548
Instruction Fuzzy Hash: EA218C70950208EBEB24EB21DD06BDBB774AB54704F5041BEE455A31E1EB79AE09CE18

Function 00413A48 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 140
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 00413A4F

Part of subcall function 0040E337: CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,000000CC,00000000,00000000,00000005,00000000,Calibri), ref: 0040E38B
Part of subcall function 0040E337: CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,000000CC,00000000,00000000,00000005,00000000,Calibri), ref: 0040E3B5
Part of subcall function 0040E337: CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,000000CC,00000000,00000000,00000005,00000002,Arial), ref: 0040E3DF

GetSysColorBrush.USER32(0000000F), ref: 00413A74

Part of subcall function 00423D6A: _malloc.LIBCMT ref: 00423D82

CreateWindowExW.USER32(00000000,Static,00445D78,50000005,00000000,00000000,00000000,00000001,00000002,00000000,00000000,00000000), ref: 00413AE6
CreateWindowExW.USER32(00000000,Static,00445D78,50000005,00000000,00000000,00000000,00000001,00000002,00000000,00000000,00000000), ref: 00413B16
SendMessageW.USER32(?,00000030,00000001), ref: 00413BBE
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00413BCF

Part of subcall function 0040FAAE: CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,000000CC,00000000,00000000,00000005,00000000,Calibri), ref: 0040FB02
Part of subcall function 0040FAAE: CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,000000CC,00000000,00000000,00000005,00000000,Calibri), ref: 0040FB29

Strings

Static, xrefs: 00413ADA, 00413B0F
iTorrentOptions, xrefs: 00413A7C

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Create$Font$MessageSendWindow$BrushColorH_prolog3__malloc
String ID: Static$iTorrentOptions
API String ID: 444723301-2875620399
Opcode ID: 7950f924ce1b16aa7e9ace37528d4308d0ed48beea05294f43eecb2e6ebde7c2
Instruction ID: b2494b83cfcfe630cf29c41a34e28038c01e93297173268f87f7fe030d4191dd
Opcode Fuzzy Hash: 7950f924ce1b16aa7e9ace37528d4308d0ed48beea05294f43eecb2e6ebde7c2
Instruction Fuzzy Hash: 6241A471B80605BBFB11AFA19C46FAE7A78EF04745F10446AF6047B1C1DBB96E018B68

Function 00405C87 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 00405C8E
StrCmpNA.SHLWAPI(http://tfile.me/forum/download.php?id=706491&ak=11xxxxxxxx,###,00000003,00000064,00412778), ref: 00405C9F
StrCmpNA.SHLWAPI(FreeSpacer_setup.exe.[tfile.ru].torrent.exe.torrent,###,00000003), ref: 00405D0F

Part of subcall function 004057A5: __EH_prolog3.LIBCMT ref: 004057AC

Strings

http://tfile.me/forum/download.php?id=706491&ak=11xxxxxxxx, xrefs: 00405CD7, 00405CFD
###, xrefs: 00405C95, 00405D05
http://tfile.me/forum/download.php?id=706491&ak=11xxxxxxxx, xrefs: 00405C9A, 00405CAE
FreeSpacer_setup.exe.[tfile.ru].torrent.exe.torrent, xrefs: 00405D0A, 00405D19
FreeSpacer_setup.exe.[tfile.ru].torrent.exe.torrent, xrefs: 00405D40, 00405D62

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: H_prolog3H_prolog3_
String ID: ###$FreeSpacer_setup.exe.[tfile.ru].torrent.exe.torrent$FreeSpacer_setup.exe.[tfile.ru].torrent.exe.torrent$http://tfile.me/forum/download.php?id=706491&ak=11xxxxxxxx$http://tfile.me/forum/download.php?id=706491&ak=11xxxxxxxx
API String ID: 3355343447-2257282289
Opcode ID: aa6765c9d63f3b433cf871d83633ee629f8a3912906d01184337e2ffca646b31
Instruction ID: 1f940260cc4e7a35830145308c40484e2a74c8b3c35771e47d7e876c49532998
Opcode Fuzzy Hash: aa6765c9d63f3b433cf871d83633ee629f8a3912906d01184337e2ffca646b31
Instruction Fuzzy Hash: 4B21B270510608EAD710EBA5DC96AAE7778EF85709F10413FB501B70E2EB785A05DA2D

Function 00404396 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 212memoryCOMMON

Download Yara Rule

APIs

_Allocate.LIBCPMT ref: 00404402
_memmove.LIBCMT ref: 00404447
_memmove.LIBCMT ref: 00404465
_memmove.LIBCMT ref: 004044BA
_memmove.LIBCMT ref: 0040453B
_memmove.LIBCMT ref: 00404557

Strings

vector<T> too long, xrefs: 00404594

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _memmove$Allocate
String ID: vector<T> too long
API String ID: 164242391-3788999226
Opcode ID: a4f50502c6685bb4d26e1917730b3b833774906c7820b4303b9d1d1731f7ad05
Instruction ID: dfcf6607a34df03d6688fcf37bd0f3a95ca58e386c30b3a6d53f84984c8bdd72
Opcode Fuzzy Hash: a4f50502c6685bb4d26e1917730b3b833774906c7820b4303b9d1d1731f7ad05
Instruction Fuzzy Hash: A0718F726005159FCF18DF6CC9809AE77A6FFC8310719826AED16AB389DB34ED11CB94

Function 0040FD20 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040FD27
FindResourceExW.KERNEL32(00000000,TEXT,00000083,00000000,00000034,0040FEDE), ref: 0040FD3C
LoadResource.KERNEL32(00000000,00000000), ref: 0040FD4B
LockResource.KERNEL32(00000000), ref: 0040FD56
SizeofResource.KERNEL32(00000000,00000000), ref: 0040FD65

Part of subcall function 004057A5: __EH_prolog3.LIBCMT ref: 004057AC

SetWindowTextW.USER32(?,?), ref: 0040FDA3

Part of subcall function 0040403B: _memmove.LIBCMT ref: 0040405B

Strings

TEXT, xrefs: 0040FD35

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Resource$FindH_prolog3H_prolog3_LoadLockSizeofTextWindow_memmove
String ID: TEXT
API String ID: 1530068808-220088947
Opcode ID: 9fd67bc6934bd1d7a2b6b74ec5eff0c6db712d3369842b4335e4e0abdc827711
Instruction ID: ffca23573cf0b310e813f6b9f6352eb1531273f627825206d8a75a95b5c88b1f
Opcode Fuzzy Hash: 9fd67bc6934bd1d7a2b6b74ec5eff0c6db712d3369842b4335e4e0abdc827711
Instruction Fuzzy Hash: 18117330A40215EBDF20EBA1EC46FEE7B74AF48704F14103AF601B61D1DAB49908CB69

Function 004103D1 Relevance: 10.7, APIs: 7, Instructions: 186COMMON

Download Yara Rule

APIs

IsDlgButtonChecked.USER32(?,00000001), ref: 00410435
IsDlgButtonChecked.USER32(?,00000002), ref: 00410445
IsDlgButtonChecked.USER32(?,00000003), ref: 00410455
ShowWindow.USER32(?,00000000), ref: 0041046F
ShowWindow.USER32(?,00000000), ref: 00410497
ShowWindow.USER32(?,00000000), ref: 004104E9
ShowWindow.USER32(?,00000005), ref: 004105FE

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ShowWindow$ButtonChecked
String ID:
API String ID: 2451004236-0
Opcode ID: fd69d458e3f2d709d3aaf2677d15010d008cfffb2c6ed55db2705e7b28e3f8bb
Instruction ID: 9dd745d460c098b5cad52229b3db96fefe38c44677978b04dc7033ab2fb2ccac
Opcode Fuzzy Hash: fd69d458e3f2d709d3aaf2677d15010d008cfffb2c6ed55db2705e7b28e3f8bb
Instruction Fuzzy Hash: 8B51A371640304BFDB119F54CD86BAB77A5AB5470AF04007AFD016B2A2DFB8ED848B5C

Function 00407617 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00407621
_memset.LIBCMT ref: 0040763E
GetModuleFileNameW.KERNEL32(00000000,?,00000103), ref: 00407653

Part of subcall function 00403E1D: char_traits.LIBCPMT ref: 00403E36

char_traits.LIBCPMT ref: 0040767B

Part of subcall function 004080DC: swprintf.LIBCMT ref: 00408108

Part of subcall function 00405427: char_traits.LIBCPMT ref: 00405436

Part of subcall function 00405457: char_traits.LIBCPMT ref: 00405468

Part of subcall function 00406203: GetFileAttributesW.KERNEL32(?,0040DDD4,?,00000184,0040DFA6,?,00000000,?,?,?,?,?,?,0043D89B,000000FF), ref: 0040620C

MoveFileW.KERNEL32(?,?), ref: 00407786

Strings

.exe, xrefs: 00407673, 0040767A, 00407682, 00407683

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: char_traits$File$AttributesH_prolog3_ModuleMoveName_memsetswprintf
String ID: .exe
API String ID: 1296388361-4119554291
Opcode ID: d85803e56c07a991bfd5da3bef13817f8006fdaa17c246fc2c3b618dd8e93da3
Instruction ID: 7550a825539bbf9bb6364d37b0b9eba6cc533bc24da2e27e6ccc6124807fed6b
Opcode Fuzzy Hash: d85803e56c07a991bfd5da3bef13817f8006fdaa17c246fc2c3b618dd8e93da3
Instruction Fuzzy Hash: 6F416271911118AEEB10EB61CC99BEE7378EF10748F0042BEA105B31D1DB785F85CB65

Function 00413F0D Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 84windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00413F14

Part of subcall function 0040E337: CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,000000CC,00000000,00000000,00000005,00000000,Calibri), ref: 0040E38B
Part of subcall function 0040E337: CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,000000CC,00000000,00000000,00000005,00000000,Calibri), ref: 0040E3B5
Part of subcall function 0040E337: CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,000000CC,00000000,00000000,00000005,00000002,Arial), ref: 0040E3DF

GetSysColorBrush.USER32(0000000F), ref: 00413F36

Part of subcall function 00423D6A: _malloc.LIBCMT ref: 00423D82

CreateWindowExW.USER32(00000000,STATIC,00447DAC,50000000,00000000,00000000,?,00000000,?,00000000,00000000,00000000), ref: 00413FC8
SendMessageW.USER32(00000000,00000030,00000001), ref: 00413FDF

Part of subcall function 0040FAAE: CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,000000CC,00000000,00000000,00000005,00000000,Calibri), ref: 0040FB02
Part of subcall function 0040FAAE: CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,000000CC,00000000,00000000,00000005,00000000,Calibri), ref: 0040FB29

Strings

iTorrentWaiting, xrefs: 00413F3E
STATIC, xrefs: 00413FC0

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Create$Font$BrushColorH_prolog3MessageSendWindow_malloc
String ID: STATIC$iTorrentWaiting
API String ID: 1467136806-3420226059
Opcode ID: c3e6ba9ebe4d2931048ca258b2223e07924524df32edc26164d611359715a597
Instruction ID: 8ef63a9f65442ea3e7d84a3a82d08e70579734f639bcddaed216e3b46bfcc4f5
Opcode Fuzzy Hash: c3e6ba9ebe4d2931048ca258b2223e07924524df32edc26164d611359715a597
Instruction Fuzzy Hash: 2A2171B1A50210BBEB11AF729D46E6F7E68EF44705F00447EF905AB281DBB98A018768

Function 00415938 Relevance: 9.3, APIs: 2, Strings: 4, Instructions: 254COMMON

Download Yara Rule

APIs

Part of subcall function 004085B7: __EH_prolog3.LIBCMT ref: 004085BE

Part of subcall function 0040792F: __EH_prolog3_catch.LIBCMT ref: 00407936
Part of subcall function 0040792F: char_traits.LIBCPMT ref: 0040794D

Part of subcall function 0040A036: __EH_prolog3_GS.LIBCMT ref: 0040A03D
Part of subcall function 0040A036: _memmove.LIBCMT ref: 0040A145

Part of subcall function 00414A14: __EH_prolog3.LIBCMT ref: 00414A1E
Part of subcall function 00414A14: FindWindowW.USER32(itorrent-class-name,00000000), ref: 00414A2D
Part of subcall function 00414A14: SendMessageTimeoutW.USER32(00000000,?,00000000,00000000,00000BB8,00000000), ref: 00414A43

EnterCriticalSection.KERNEL32(0045869C,00000001,00000000,?,00000024,00000001), ref: 00415C8B

Part of subcall function 00416014: __EH_prolog3_catch.LIBCMT ref: 0041601B

LeaveCriticalSection.KERNEL32(0045869C,?,00000000,000000FF,?), ref: 00415CB6

Strings

data, xrefs: 00415A46
Can't get xml, xrefs: 004159AB
Can't parse partners xml, xrefs: 00415C64
Can't unpack data, xrefs: 00415BC8

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CriticalH_prolog3H_prolog3_catchSection$EnterFindH_prolog3_LeaveMessageSendTimeoutWindow_memmovechar_traits
String ID: Can't get xml$Can't parse partners xml$Can't unpack data$data
API String ID: 3514792492-2327074062
Opcode ID: ed8c760e852ef18c81077a5c6172fe04e3b924a805f6b88357eedae1194ba30a
Instruction ID: 03e0a1f2baa0e63ae8fd6d94dcc5a8610a6a94514ee2958c60ec22e053a70be1
Opcode Fuzzy Hash: ed8c760e852ef18c81077a5c6172fe04e3b924a805f6b88357eedae1194ba30a
Instruction Fuzzy Hash: C4A194710083859BD335EB15C885BEFB7E8AFD4708F10492EF48952192EF785A49C7AB

Function 00414117 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?,?), ref: 00414136
GdipCreateFromHDC.GDIPLUS(00000000,00000000), ref: 0041414D
GdipGetImageHeight.GDIPLUS(?,00000000), ref: 004141BB
GdipGetImageWidth.GDIPLUS(?,00000000), ref: 004141DC
EndPaint.USER32(?,?), ref: 00414241
GdipDeleteGraphics.GDIPLUS(?), ref: 0041424A

Part of subcall function 004034DA: MulDiv.KERNEL32(?,00000060), ref: 004034ED

Part of subcall function 004034BD: MulDiv.KERNEL32(?,00000060), ref: 004034D0

Part of subcall function 0040F3B5: GdipDrawImageRectI.GDIPLUS(?,00000000,?,?,?,?,00000000,00000000,?,?,0040E7BE,?,?,?,?), ref: 0040F3E0

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Gdip$Image$Paint$BeginCreateDeleteDrawFromGraphicsHeightRectWidth
String ID:
API String ID: 3674361125-0
Opcode ID: a7115d03ca896a7c9ac221be6fc0e5871e4791cfbbba85e33340d8583082e9e8
Instruction ID: 254ed59419ce1301e58b23c2c31be8fd1e9f868bcacadb03e2f24646502d89a9
Opcode Fuzzy Hash: a7115d03ca896a7c9ac221be6fc0e5871e4791cfbbba85e33340d8583082e9e8
Instruction Fuzzy Hash: 5841F671E003189BDB11DFE1D885AAEBBB8FB04701F10417AE905AB296EB749948CB54

Function 00401D74 Relevance: 9.1, APIs: 6, Instructions: 90registrysynchronizationCOMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(00458704), ref: 00401D89
CreateMutexW.KERNEL32(00000000,00000000,00000000), ref: 00401DA3
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00401DB0
_memset.LIBCMT ref: 00401DF5
RegisterWaitForSingleObject.KERNEL32(?,000000FF,00402979,?,000000FF,00000000), ref: 00401E4D
_memset.LIBCMT ref: 00401E65

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Create_memset$EventIncrementInterlockedMutexObjectRegisterSingleWait
String ID:
API String ID: 1833494848-0
Opcode ID: 8f3ea080f5909efb5ad4b17d097164667e4eecb0757520fd3afd6588928d7abd
Instruction ID: c68b0f7afdb6d0b44564a3354cfc5c327a5b1ae1362e248b0ea759e646b38897
Opcode Fuzzy Hash: 8f3ea080f5909efb5ad4b17d097164667e4eecb0757520fd3afd6588928d7abd
Instruction Fuzzy Hash: F63103B1900B04EFE7308F6AD9C8853FBF8FB087447904A3EE59A82A51D374A904CF65

Function 00414A14 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34windowtimeCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00414A1E
FindWindowW.USER32(itorrent-class-name,00000000), ref: 00414A2D
SendMessageTimeoutW.USER32(00000000,?,00000000,00000000,00000BB8,00000000), ref: 00414A43

Part of subcall function 004085B7: __EH_prolog3.LIBCMT ref: 004085BE

Part of subcall function 0040792F: __EH_prolog3_catch.LIBCMT ref: 00407936
Part of subcall function 0040792F: char_traits.LIBCPMT ref: 0040794D

Strings

itorrent-class-name, xrefs: 00414A28
can't send message, xrefs: 00414A67

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: H_prolog3$FindH_prolog3_catchMessageSendTimeoutWindowchar_traits
String ID: can't send message$itorrent-class-name
API String ID: 2380652074-242733843
Opcode ID: c293e405a5ad83a1a7cd74c49249aeb787a6cfcd64cf7fdd45ef6b0baa098a30
Instruction ID: a5902802bd7f2a89dc1fb4598dcc9552141cbded24a7b90d661c28a038e26ef9
Opcode Fuzzy Hash: c293e405a5ad83a1a7cd74c49249aeb787a6cfcd64cf7fdd45ef6b0baa098a30
Instruction Fuzzy Hash: 21F06D31A41244E7EB24EB62CC09F9B7A38EBC4794F4042AEB415A21D1EB795E41CA2D

Function 00401C0E Relevance: 7.6, APIs: 5, Instructions: 63memorysynchronizationCOMMON

Download Yara Rule

APIs

InterlockedCompareExchange.KERNEL32(004586F4,00000001,00000000), ref: 00401C1A
LocalAlloc.KERNEL32(00000040,00000024,?,?,004028FF,0044A660,00000010,004031CF,0044A708,00000040,00405325), ref: 00401C50
InterlockedIncrement.KERNEL32(00458704), ref: 00401C67
CreateMutexW.KERNEL32(00000000,00000000,00000000,?,?,004028FF,0044A660,00000010,004031CF,0044A708,00000040,00405325), ref: 00401C88
InterlockedCompareExchange.KERNEL32(004586F4,00000002,00000001), ref: 00401CC5

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Interlocked$CompareExchange$AllocCreateIncrementLocalMutex
String ID:
API String ID: 3012754271-0
Opcode ID: b39fb9e0a3e9803ab504a51884403c29bf13b5b70fb1193f3a7a58915466322f
Instruction ID: ce7a2835e7ce0243f2117c960c92dd9d6b795060a416a0aed5c1d803c5a39948
Opcode Fuzzy Hash: b39fb9e0a3e9803ab504a51884403c29bf13b5b70fb1193f3a7a58915466322f
Instruction Fuzzy Hash: 6911B470A853019FE7208F65AC89B167BE4EB14705F20453EE186A72A2CFB8D844CB5D

Function 004138C8 Relevance: 7.5, APIs: 5, Instructions: 28COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 004138CE
ShowWindow.USER32(00000000,00000005,?,00413935,004479D0,00000001,?,00413995,004479DC,004479B4,?,?), ref: 004138DF
SetWindowTextW.USER32(00000000,00000000), ref: 004138E9
KiUserCallbackDispatcher.NTDLL(00000000,00000000), ref: 004138F9
ShowWindow.USER32(00000000,00000000,?,00413935,004479D0,00000001,?,00413995,004479DC,004479B4,?,?), ref: 00413904

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Window$Show$CallbackDispatcherItemTextUser
String ID:
API String ID: 3009180066-0
Opcode ID: 3df1d8774f34f60644f68aedfe049b27b8c98bafc3cc74ece59a92cd6ffba44d
Instruction ID: a9f365e17780173bf2c17dc90666567f9e851d3e94579d76190df5339c1d2214
Opcode Fuzzy Hash: 3df1d8774f34f60644f68aedfe049b27b8c98bafc3cc74ece59a92cd6ffba44d
Instruction Fuzzy Hash: EAE06DB0401114BBD7111B60AC0CFEF3E6CEF09392F448075F90589060C7798A598BAD

Function 0041154F Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00411559
char_traits.LIBCPMT ref: 004116CE

Part of subcall function 0040532C: __EH_prolog3_GS.LIBCMT ref: 00405336

Part of subcall function 00410615: ShowWindow.USER32(?,00000000,?,00411580,0000009C,0041243E,7055389B), ref: 00410644

Strings

<tD, xrefs: 004115C0
\tD, xrefs: 00411571

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: H_prolog3_$ShowWindowchar_traits
String ID: <tD$\tD
API String ID: 1583159508-3212539840
Opcode ID: 187e3ae5121366d6cf71a609f4042e82354bf5ff609e8d0ca2fb2d5f2095b554
Instruction ID: ea5f8b0a1890d54aa32068c50903125ca2b85fda49d5b0a40865c06dde4e03ec
Opcode Fuzzy Hash: 187e3ae5121366d6cf71a609f4042e82354bf5ff609e8d0ca2fb2d5f2095b554
Instruction Fuzzy Hash: 8441A571A00200BBC724EF66DC56DAE77B8DF8534AB10413FB506672E2DB789E44CA6C

Function 0040DD05 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 55windowtimeCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(itorrent-class-name,00000000), ref: 0040DD43
SendMessageTimeoutW.USER32(00000000,?,?,?,00000000,00000BB8,00000000), ref: 0040DD56

Part of subcall function 004085B7: __EH_prolog3.LIBCMT ref: 004085BE

Part of subcall function 0040792F: __EH_prolog3_catch.LIBCMT ref: 00407936
Part of subcall function 0040792F: char_traits.LIBCPMT ref: 0040794D

Strings

itorrent-class-name, xrefs: 0040DD3E
can't send message, xrefs: 0040DD7A

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: FindH_prolog3H_prolog3_catchMessageSendTimeoutWindowchar_traits
String ID: can't send message$itorrent-class-name
API String ID: 3422181065-242733843
Opcode ID: b843819ff71e2acda081fc91101f02dfae0078d9b181fb62d8f63b876061580a
Instruction ID: 2022d90520a29f8c03f4c7d797f171016e2f1ec82433d37ee9bad13f432537bb
Opcode Fuzzy Hash: b843819ff71e2acda081fc91101f02dfae0078d9b181fb62d8f63b876061580a
Instruction Fuzzy Hash: 6711A572648704AFD324DF55DC45F57B7ACEB84764F00473EB869922D0EB349C08C66A

Function 00403A22 Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00403A2C
InterlockedCompareExchange.KERNEL32(00458710,00000001,00000000), ref: 00403A6A

Part of subcall function 00403832: __EH_prolog3_GS.LIBCMT ref: 00403839
Part of subcall function 00403832: GetComputerNameW.KERNEL32(00000000,?), ref: 00403861

_memset.LIBCMT ref: 00403A97

Part of subcall function 004038C5: __EH_prolog3.LIBCMT ref: 004038CC
Part of subcall function 004038C5: LookupAccountNameW.ADVAPI32(00000000,?,?,00000044,?,?,?), ref: 0040392E
Part of subcall function 004038C5: GetLastError.KERNEL32(?,00000044,?,?,?,?,00000000,00000400,?,00000028,00403AB2), ref: 0040393A
Part of subcall function 004038C5: LookupAccountNameW.ADVAPI32(00000000,?,?,00000044,?,00000400,?), ref: 00403985

InterlockedCompareExchange.KERNEL32(00458710,00000002,00000001), ref: 00403B3F

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Name$AccountCompareExchangeH_prolog3_InterlockedLookup$ComputerErrorH_prolog3Last_memset
String ID:
API String ID: 948639594-0
Opcode ID: d3241d605ed008ceaad431133dc90c281880e0e23d26046d27db68e369687634
Instruction ID: e36c548cc8532812103bb00674b640a8bb1c579074a91dbbcbc07500ddde12d6
Opcode Fuzzy Hash: d3241d605ed008ceaad431133dc90c281880e0e23d26046d27db68e369687634
Instruction Fuzzy Hash: CB311D709002099EDF20DFA6DC86AAE7BB8EB54309F60457EA445B7192DF385F05CF58

Function 0040F549 Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?), ref: 0040F568
GdipCreateFromHDC.GDIPLUS(00000000,00000000), ref: 0040F57B
EndPaint.USER32(?,?), ref: 0040F5DD
GdipDeleteGraphics.GDIPLUS(00000000), ref: 0040F5E4

Part of subcall function 004034DA: MulDiv.KERNEL32(?,00000060), ref: 004034ED

Part of subcall function 004034BD: MulDiv.KERNEL32(?,00000060), ref: 004034D0

Part of subcall function 0040F3B5: GdipDrawImageRectI.GDIPLUS(?,00000000,?,?,?,?,00000000,00000000,?,?,0040E7BE,?,?,?,?), ref: 0040F3E0

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Gdip$Paint$BeginCreateDeleteDrawFromGraphicsImageRect
String ID:
API String ID: 592685484-0
Opcode ID: 0a103ca5ba2061105722b5abfc3ed988cc725e8c922bdb30184cd3f89d5cad9e
Instruction ID: 708799fc8ffc8ede8b9af7f270b7d69b0e9536f5fc83431f7467b01dd581b625
Opcode Fuzzy Hash: 0a103ca5ba2061105722b5abfc3ed988cc725e8c922bdb30184cd3f89d5cad9e
Instruction Fuzzy Hash: 6A211D71E00218ABDB11EFE1DC85AAEBBB8FF04715F00407AE905AF295DB749909CB54

Function 0040377E Relevance: 6.1, APIs: 4, Instructions: 62COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004037B6
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004037CA
_wcspbrk.LIBCMT ref: 004037E4
GetVolumeInformationW.KERNEL32(?,00000000,00000000,0045870C,00000000,00000000,00000000,00000000), ref: 00403807

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: DirectoryInformationSystemVolume_memset_wcspbrk
String ID:
API String ID: 4207159501-0
Opcode ID: 3851bd57c96e60d986f4afca600b6817bce527d205386beda2cef5a5b6028ce1
Instruction ID: 8d3c35e09ee49b6649952880435fb990dbf5a3863dc0abe60ee6a35b4de795e5
Opcode Fuzzy Hash: 3851bd57c96e60d986f4afca600b6817bce527d205386beda2cef5a5b6028ce1
Instruction Fuzzy Hash: AB118671600358A6DB24DF65AC4AF977BBCEB85705F5044BEE804A3181EE7896448758

Function 004013BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Winhttp.dll,0044A450,00000010), ref: 004013E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000409,00000000,00000000,00000000,?,?,?,?,?,?,?,0044A450,00000010), ref: 00401414

Strings

Winhttp.dll, xrefs: 004013DF

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: FormatHandleMessageModule
String ID: Winhttp.dll
API String ID: 2046974992-1936088768
Opcode ID: 3f3a43dfaef07a0e8d3274fae0f0b3ac11d86639cd491b6004b7c5f929e18ab0
Instruction ID: 307b5429638d1c4b25c0efe9815543af61af06daa379b25b45bdec2b25166015
Opcode Fuzzy Hash: 3f3a43dfaef07a0e8d3274fae0f0b3ac11d86639cd491b6004b7c5f929e18ab0
Instruction Fuzzy Hash: 33F0A735B8021467FF149660DC46FEE72B5AB88705F60803AF601F61D2DAEC9C498669

Function 0040205C Relevance: 4.6, APIs: 3, Instructions: 79sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000012C,?,?,?,?,?,?,0044A5B0,00000024), ref: 004020A5
SetEvent.KERNEL32(?,?,?,?,?,?,?,0044A5B0,00000024), ref: 004020B5
LocalFree.KERNEL32(?), ref: 00402151

Part of subcall function 004013BB: GetModuleHandleW.KERNEL32(Winhttp.dll,0044A450,00000010), ref: 004013E4
Part of subcall function 004013BB: FormatMessageW.KERNEL32(00001000,00000000,?,00000409,00000000,00000000,00000000,?,?,?,?,?,?,?,0044A450,00000010), ref: 00401414

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: EventFormatFreeHandleLocalMessageModuleSleep
String ID:
API String ID: 1208760597-0
Opcode ID: 34bbda023f88af172650f5bbb7bae63511b0514b416d847a766aa1df86f5dd56
Instruction ID: 4ed066714402e564278107c9e41f844459bfb99c173ae935f3f9eea081d3dd61
Opcode Fuzzy Hash: 34bbda023f88af172650f5bbb7bae63511b0514b416d847a766aa1df86f5dd56
Instruction Fuzzy Hash: D7314A74A00755DFDB20CF68CA8869EBBF1BF08300F10453EEA46A72D1D7B4A905CB55

Function 0040459F Relevance: 4.6, APIs: 3, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 004045A6
_Allocate.LIBCPMT ref: 004045F4
_memmove.LIBCMT ref: 0040464B

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AllocateH_prolog3_catch_memmove
String ID:
API String ID: 1361164945-0
Opcode ID: 9ec0de90a9d7fcdd0df470cffc4ba2d5c64b30482fa4997d5e23780b65fb35c8
Instruction ID: 94b98c7b50c0e357ab663e93cb74f291f9b316895d6d4c31291414a55532675c
Opcode Fuzzy Hash: 9ec0de90a9d7fcdd0df470cffc4ba2d5c64b30482fa4997d5e23780b65fb35c8
Instruction Fuzzy Hash: 6721D7B1704201AFDB24DF29D94052EB7E5ABC5710B204A3FEA52B73C0E779AE418799

Function 00423D6A Relevance: 4.5, APIs: 3, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00423D82

Part of subcall function 004233F8: __FF_MSGBANNER.LIBCMT ref: 0042340F
Part of subcall function 004233F8: __NMSG_WRITE.LIBCMT ref: 00423416
Part of subcall function 004233F8: RtlAllocateHeap.NTDLL(00660000,00000000,00000001,?,?,?,?,004011E6), ref: 0042343B

std::exception::exception.LIBCMT ref: 00423DA0
__CxxThrowException@8.LIBCMT ref: 00423DB5

Part of subcall function 004274A2: RaiseException.KERNEL32(?,?,00438F94,?,?,?,?,?,?,?,00438F94,?,0044D650,?), ref: 004274F7

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
String ID:
API String ID: 3074076210-0
Opcode ID: 6f1030be720939e8951f76b3420b6e3d4ea339633f594cd4e827a920ca4b4c1f
Instruction ID: 8a562d6bdb557be7452c0151b22a5cd5c309c3df1999a798643c3039cde3d4a7
Opcode Fuzzy Hash: 6f1030be720939e8951f76b3420b6e3d4ea339633f594cd4e827a920ca4b4c1f
Instruction Fuzzy Hash: CFF0D63160022D62CB00BEA5F815ADE7BAC9F01355F90406BFC0495142DBBC9B4495DD

Function 0040FCD4 Relevance: 4.5, APIs: 3, Instructions: 25windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040FCDD
SendMessageW.USER32(?,00000401,00000000,00000000), ref: 0040FD01
CallWindowProcW.USER32(00000000,?,00000115,?,?), ref: 0040FD15

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Window$CallLongMessageProcSend
String ID:
API String ID: 1710423600-0
Opcode ID: 1f77e6b3df5d134f099b137f7e1addfa66afec787ccef4aac6bd8d4b50375db5
Instruction ID: 2f91cdc8fa920bc7c215477432e628487fa6370c30f5ef08a0ea97e1865c7a30
Opcode Fuzzy Hash: 1f77e6b3df5d134f099b137f7e1addfa66afec787ccef4aac6bd8d4b50375db5
Instruction Fuzzy Hash: F0F0A536440218FBDF215F80EC09F9A3F66FB04761F108535FA56690F0C7B69964EB88

Function 00413768 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 138windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0040E337: CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,000000CC,00000000,00000000,00000005,00000000,Calibri), ref: 0040E38B
Part of subcall function 0040E337: CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,000000CC,00000000,00000000,00000005,00000000,Calibri), ref: 0040E3B5
Part of subcall function 0040E337: CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,000000CC,00000000,00000000,00000005,00000002,Arial), ref: 0040E3DF

Part of subcall function 004034BD: MulDiv.KERNEL32(?,00000060), ref: 004034D0

Part of subcall function 004034DA: MulDiv.KERNEL32(?,00000060), ref: 004034ED

Part of subcall function 0040E49D: CreateWindowExW.USER32(00000000,?,00445D78,40000000,?,?,?,?,?,00000000,00000000,00000000), ref: 0040E4F2
Part of subcall function 0040E49D: SetWindowLongW.USER32(00000000,000000EB), ref: 0040E4FF

Part of subcall function 00405BC7: CreateWindowExW.USER32(00000000,BUTTON,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00405BF7

SendMessageW.USER32(?,00000030,00000001,000007E9), ref: 004138A7

Strings

iTorrentNavigationButtons, xrefs: 004137B4

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Create$FontWindow$LongMessageSend
String ID: iTorrentNavigationButtons
API String ID: 2996320595-1664891198
Opcode ID: 26bbc0279171d5119fb7f9182f3d60f7d03dd7957a3dd70ad5ccc57641d433dc
Instruction ID: a2f05c57cc26bc3731ab7a79e00e81dd5b6649b0c14f3c3b2f548202be867a25
Opcode Fuzzy Hash: 26bbc0279171d5119fb7f9182f3d60f7d03dd7957a3dd70ad5ccc57641d433dc
Instruction Fuzzy Hash: BD416D72B40205ABDB14DFA5CC56FAFBBB8EB48704F10452EB601BB1C1D6B4A905CB58

Function 0040532C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00405336

Part of subcall function 004057A5: __EH_prolog3.LIBCMT ref: 004057AC

Part of subcall function 00405427: char_traits.LIBCPMT ref: 00405436

Part of subcall function 00405457: char_traits.LIBCPMT ref: 00405468

Part of subcall function 0040403B: _memmove.LIBCMT ref: 0040405B

Part of subcall function 00405283: InterlockedExchange.KERNEL32(004585B4,00000001), ref: 004052C4
Part of subcall function 00405283: ResetEvent.KERNEL32 ref: 004052D4

Strings

http://s.itorrent.bz/i/, xrefs: 0040535D

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: char_traits$EventExchangeH_prolog3H_prolog3_InterlockedReset_memmove
String ID: http://s.itorrent.bz/i/
API String ID: 1624662650-3304919266
Opcode ID: 5d7a520cb703daf64d2334d41863f1741aea78d79575678961b9c8f46d9ebd25
Instruction ID: e5304d23fb56f1f56c4bdf6b07e9e27f2e8f83a646b3398d09241fe9b780a36c
Opcode Fuzzy Hash: 5d7a520cb703daf64d2334d41863f1741aea78d79575678961b9c8f46d9ebd25
Instruction Fuzzy Hash: DB218F718011549ACB14FBA1DC41FDEBB78EF96308F0040AEA145B3186DF381B49CF26

Function 00411306 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0041130D

Part of subcall function 00403E1D: char_traits.LIBCPMT ref: 00403E36

Part of subcall function 00406633: __EH_prolog3_GS.LIBCMT ref: 0040663D
Part of subcall function 00406633: _memset.LIBCMT ref: 0040666B
Part of subcall function 00406633: SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040667F

Part of subcall function 00406857: __EH_prolog3.LIBCMT ref: 0040685E
Part of subcall function 00406857: PathAppendW.SHLWAPI(00000000,?,0000000C,004069FA,?,itorrent-application.exe,0000003C,0040756C), ref: 004068C1

Strings

itorrent\itorrent.exe, xrefs: 00411319

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: H_prolog3_Path$AppendFolderH_prolog3_memsetchar_traits
String ID: itorrent\itorrent.exe
API String ID: 3000136504-428485718
Opcode ID: 3f2f096c239c7e203c40f53230cc7cee27990187422e16f5e1f3c474985c9e4c
Instruction ID: bac4b175f3958acafe5ec37a269995df8cdfe15ddf5df44272d4d6bc2642ff0b
Opcode Fuzzy Hash: 3f2f096c239c7e203c40f53230cc7cee27990187422e16f5e1f3c474985c9e4c
Instruction Fuzzy Hash: 47F05E71E041449ADB18FBA6D892AEDB6709F88704F50802FF511772C1DFB81E06C759

Function 00405BC7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,BUTTON,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00405BF7

Strings

BUTTON, xrefs: 00405BF1

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CreateWindow
String ID: BUTTON
API String ID: 716092398-3405671355
Opcode ID: 0976db21665150e728b6e0bec13a01459411c321d6fd22b2cfd6a2c934d6ddab
Instruction ID: cb5bb712cf724718036834a1515b45ee0ee342fb5718bc70c8ae12edbfad662f
Opcode Fuzzy Hash: 0976db21665150e728b6e0bec13a01459411c321d6fd22b2cfd6a2c934d6ddab
Instruction Fuzzy Hash: B6E0ED76110209BFDF158F94DC05DDA7BA9EB0C350F004529FE4492210D276D830DF94

Function 004100DC Relevance: 3.1, APIs: 2, Instructions: 125COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004100E3

Part of subcall function 00423D6A: _malloc.LIBCMT ref: 00423D82

_memmove.LIBCMT ref: 00410242

Part of subcall function 0041444F: __EH_prolog3_GS.LIBCMT ref: 00414456
Part of subcall function 0041444F: CreateWindowExW.USER32(00000000,Static,00447DF8,50000000,00000000,?,00000000,?,?,00000001,00000000,00000000), ref: 00414508
Part of subcall function 0041444F: SendMessageW.USER32(00000000,00000030,00000001), ref: 00414519

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: H_prolog3_$CreateMessageSendWindow_malloc_memmove
String ID:
API String ID: 213686801-0
Opcode ID: 674ff1a0446d0ebce77cad0dcf2fbcbb0bcba57922ea5296775ccbb1c1fe51a4
Instruction ID: cf1365db9e36f3fe3433c11f714061fae5af75ae3dae2beb034331713039c458
Opcode Fuzzy Hash: 674ff1a0446d0ebce77cad0dcf2fbcbb0bcba57922ea5296775ccbb1c1fe51a4
Instruction Fuzzy Hash: A04186B0E11314FADB149FB9AD05ADE7AF5AB48701F10012FF504E7281DB7D8A809B5C

Function 0040DEF8 Relevance: 3.1, APIs: 2, Instructions: 120COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002,7055389B,?,?,?,?,?,?,0043D89B,000000FF), ref: 0040DF70
CoUninitialize.OLE32 ref: 0040DFDA

Part of subcall function 0040DD05: FindWindowW.USER32(itorrent-class-name,00000000), ref: 0040DD43
Part of subcall function 0040DD05: SendMessageTimeoutW.USER32(00000000,?,?,?,00000000,00000BB8,00000000), ref: 0040DD56

Part of subcall function 00401CD0: @_EH4_CallFilterFunc@8.LIBCMT ref: 00401D04

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CallFilterFindFunc@8InitializeMessageSendTimeoutUninitializeWindow
String ID:
API String ID: 3160900150-0
Opcode ID: b6be8f0c1745c311022a3873f2f9863ba97cc8d3a31f1207c33aedeea5871022
Instruction ID: 92c7aa3c30d3524f290666d40b10d53197d06d95191621355e96eca957434557
Opcode Fuzzy Hash: b6be8f0c1745c311022a3873f2f9863ba97cc8d3a31f1207c33aedeea5871022
Instruction Fuzzy Hash: 5E412530604221ABCB14DF26D841A26B7A5FF84754F54853EF946AB3C1CB39EC15CBA9

Function 00405283 Relevance: 3.1, APIs: 2, Instructions: 60COMMON

Download Yara Rule

APIs

Part of subcall function 004028EE: @_EH4_CallFilterFunc@8.LIBCMT ref: 0040293E

InterlockedExchange.KERNEL32(004585B4,00000001), ref: 004052C4
ResetEvent.KERNEL32 ref: 004052D4

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CallEventExchangeFilterFunc@8InterlockedReset
String ID:
API String ID: 1908020965-0
Opcode ID: 1d69a598f727ffd9df85056eadd5e4eee1e9e08fdb52f713ad52038464657bff
Instruction ID: 7569721b6002eb3639a4ac76410eb4389159f527074c472e0e5f513fd6d0fc64
Opcode Fuzzy Hash: 1d69a598f727ffd9df85056eadd5e4eee1e9e08fdb52f713ad52038464657bff
Instruction Fuzzy Hash: 6E113A70904609DFCF14DFA999055AEBBF8EB04305B10007EE845F7281EB789A048FA9

Function 00403832 Relevance: 3.0, APIs: 2, Instructions: 50COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00403839
GetComputerNameW.KERNEL32(00000000,?), ref: 00403861

Part of subcall function 00404FB3: __EH_prolog3_catch.LIBCMT ref: 00404FBA

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ComputerH_prolog3_H_prolog3_catchName
String ID:
API String ID: 956767328-0
Opcode ID: effbc79be8bebc1077bc9ea17bef86e5566fb28ddb3ebd15134279ec9c2dbf9f
Instruction ID: 668ca50507ffed8530ddbc0ed6b8868e0dea4c47056d38f7951ea06b0d489dfe
Opcode Fuzzy Hash: effbc79be8bebc1077bc9ea17bef86e5566fb28ddb3ebd15134279ec9c2dbf9f
Instruction Fuzzy Hash: 15011671D012199BDB05EFA5E885EEEB6B9EF44704F50803FF901B6281DB785E048B59

Function 0040215F Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,0000000C,?,?,?,?,?,?,0044A5D0,0000000C), ref: 00402179

Strings

WINHTTP-API-SEND-REQUEST, xrefs: 0040219D

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AllocLocal
String ID: WINHTTP-API-SEND-REQUEST
API String ID: 3494564517-4945329
Opcode ID: 954a9a3123a20bce4e95129222deea2c821534cef3a2db97455d659f1f924333
Instruction ID: 8e94b1e048235f17d67f5e1c50992b9694df62bbdc7251cc7ad3766ab22ba950
Opcode Fuzzy Hash: 954a9a3123a20bce4e95129222deea2c821534cef3a2db97455d659f1f924333
Instruction Fuzzy Hash: C8115274514705DBE7249F108709B2ABAA1BB04344F64C52FA2A66E3C1CBFD8841DB5A

Function 0040E49D Relevance: 3.0, APIs: 2, Instructions: 44COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,?,00445D78,40000000,?,?,?,?,?,00000000,00000000,00000000), ref: 0040E4F2
SetWindowLongW.USER32(00000000,000000EB), ref: 0040E4FF

Part of subcall function 0040E40C: RegisterClassW.USER32(00000000), ref: 0040E484

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Window$ClassCreateLongRegister
String ID:
API String ID: 3115397960-0
Opcode ID: b1476544bcde4fdae7f6168dd8835245cb4384ae864d72798d68ce068ccfaa5b
Instruction ID: de94d7c2e28488796459062a6801303765502e19b291a76bbd2ac58994dbb77b
Opcode Fuzzy Hash: b1476544bcde4fdae7f6168dd8835245cb4384ae864d72798d68ce068ccfaa5b
Instruction Fuzzy Hash: D3016272510205BFDF048F55DC09EEB7BA9EF48260F00862EF91693160D676EC20DF64

Function 0041390D Relevance: 3.0, APIs: 2, Instructions: 35COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000004), ref: 0041391B
ShowWindow.USER32(00000000,?,00413995,004479DC,004479B4,?,?,00000001,004105F9), ref: 00413922

Part of subcall function 004138C8: GetDlgItem.USER32(?,00000001), ref: 004138CE
Part of subcall function 004138C8: ShowWindow.USER32(00000000,00000005,?,00413935,004479D0,00000001,?,00413995,004479DC,004479B4,?,?), ref: 004138DF
Part of subcall function 004138C8: SetWindowTextW.USER32(00000000,00000000), ref: 004138E9
Part of subcall function 004138C8: KiUserCallbackDispatcher.NTDLL(00000000,00000000), ref: 004138F9

Part of subcall function 004138C8: ShowWindow.USER32(00000000,00000000,?,00413935,004479D0,00000001,?,00413995,004479DC,004479B4,?,?), ref: 00413904

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Window$Show$Item$CallbackDispatcherTextUser
String ID:
API String ID: 2832717868-0
Opcode ID: 1976d3b9705ca906daaab56296d3c48859cd71da050c80c3c7c9aa46e6e66fa8
Instruction ID: 6f314b82b3daf7277c23850297a14479244c6b2bf14b5ba8ead05a76500dd9b9
Opcode Fuzzy Hash: 1976d3b9705ca906daaab56296d3c48859cd71da050c80c3c7c9aa46e6e66fa8
Instruction Fuzzy Hash: BCF0A07678020433DE242B665C0AFEF3F5ACBC8B31F048035FA084A1D1C9B645959194

Function 00405242 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

Part of subcall function 00401CD0: @_EH4_CallFilterFunc@8.LIBCMT ref: 00401D04

InterlockedDecrement.KERNEL32(004585B4), ref: 00405269
SetEvent.KERNEL32 ref: 00405279

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CallDecrementEventFilterFunc@8Interlocked
String ID:
API String ID: 4133710543-0
Opcode ID: fe9a648f2fdd4e81a0ae6a2a1d556a9dbdb0e1d07d3134d83d37dbc69bcad8ef
Instruction ID: be76d08ba9279ed93ec029bafc47a4bde4fee03edb845fc57e38135634a852ba
Opcode Fuzzy Hash: fe9a648f2fdd4e81a0ae6a2a1d556a9dbdb0e1d07d3134d83d37dbc69bcad8ef
Instruction Fuzzy Hash: C8E0863020424CDBCF20BF75D94599B7B99DF60752B04807FBC86A62A2EE34D815DE1C

Function 0040E071 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040E078

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 8fd4919bb3321dfc137b7ffdf4e30d62ccebd8a60f3b6359af548321e3e13bba
Instruction ID: bf3a591855367322f8947fe7c89c3e6f27e2787d064bc30adee706ecd34b53c2
Opcode Fuzzy Hash: 8fd4919bb3321dfc137b7ffdf4e30d62ccebd8a60f3b6359af548321e3e13bba
Instruction Fuzzy Hash: B131C170900318DBDB14DFA6D945B9EBBB1AF04314F50882FE941BB6C1D7B8AA15CB58

Function 00410666 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00410670

Part of subcall function 00406500: __EH_prolog3_GS.LIBCMT ref: 0040650A
Part of subcall function 00406500: _memset.LIBCMT ref: 0040652F
Part of subcall function 00406500: SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 00406550

Part of subcall function 00406961: __EH_prolog3_GS.LIBCMT ref: 00406968

Part of subcall function 00406B6C: __EH_prolog3_GS.LIBCMT ref: 00406B73

Part of subcall function 0040DD05: FindWindowW.USER32(itorrent-class-name,00000000), ref: 0040DD43
Part of subcall function 0040DD05: SendMessageTimeoutW.USER32(00000000,?,?,?,00000000,00000BB8,00000000), ref: 0040DD56

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: H_prolog3_$FindFolderMessagePathSendTimeoutWindow_memset
String ID:
API String ID: 2045075680-0
Opcode ID: c34bb9514d26797b4d61bbaa6bcef88f3a8b79c0706fd343ff11ea23375afb23
Instruction ID: bd9c5b4029ddc4b5b14556117afac751290a25f31be6dcf428b13ea730817b6c
Opcode Fuzzy Hash: c34bb9514d26797b4d61bbaa6bcef88f3a8b79c0706fd343ff11ea23375afb23
Instruction Fuzzy Hash: 09214F70901244AEE714EBA5D892FDEB774AF54308F50416EF206771C2EFB91E48CA6A

Function 00404113 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00404168

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 3aa9390b80d65919700f0d847eb3e7dba5f69850868eb326f71a7f03eb72945e
Instruction ID: 5266540f0ccade041116b49708426db28b9b2cd6d9107cbdd913eff5253ecd6a
Opcode Fuzzy Hash: 3aa9390b80d65919700f0d847eb3e7dba5f69850868eb326f71a7f03eb72945e
Instruction Fuzzy Hash: AF01C4B0300214A7CA309E199D48E17BBB9DBE1B94B10043FFE556B281C7799D8283A9

Function 004027DC Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 004032D7: InterlockedCompareExchange.KERNEL32(00458700,00000001,00000000), ref: 004032F2
Part of subcall function 004032D7: @_EH4_CallFilterFunc@8.LIBCMT ref: 00403318

WinHttpQueryOption.WINHTTP(?,0000002D,00000000,00000004,?,?,?,?,?,?,?,?,?,0044A640,00000018), ref: 0040280D

Part of subcall function 00401CD0: @_EH4_CallFilterFunc@8.LIBCMT ref: 00401D04

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CallFilterFunc@8$CompareExchangeHttpInterlockedOptionQuery
String ID:
API String ID: 342496516-0
Opcode ID: 0316bfc44713fbd160e18318ac445caae2788ab8ef5872a50374c19b1f383303
Instruction ID: 23c20c00a59ac8856068a7cfdb68a5b7080264f1448a1c616cae31e354ed7b0d
Opcode Fuzzy Hash: 0316bfc44713fbd160e18318ac445caae2788ab8ef5872a50374c19b1f383303
Instruction Fuzzy Hash: 7F1170369412199BDF11AFA1CA09BEF7671BF08305F04422BE901762D1C7BD8A15DBAD

Function 004028EE Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

Part of subcall function 00401C0E: InterlockedCompareExchange.KERNEL32(004586F4,00000001,00000000), ref: 00401C1A

Part of subcall function 004032D7: InterlockedCompareExchange.KERNEL32(00458700,00000001,00000000), ref: 004032F2
Part of subcall function 004032D7: @_EH4_CallFilterFunc@8.LIBCMT ref: 00403318

@_EH4_CallFilterFunc@8.LIBCMT ref: 0040293E

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CallCompareExchangeFilterFunc@8Interlocked
String ID:
API String ID: 1286560512-0
Opcode ID: 70a45d6c7e8d70a6d568dee7e825a9ce6a202e904796f6987640f99755cc6958
Instruction ID: e43d089a9a5ad46b44628dfb7922b71590fd97a8ed18051ea5f7b3d494a4be53
Opcode Fuzzy Hash: 70a45d6c7e8d70a6d568dee7e825a9ce6a202e904796f6987640f99755cc6958
Instruction Fuzzy Hash: 7C018471F0112987DF14EAB18545BBEB2646F44719F54412EE410B72C2DBBCAA02CB59

Function 0040F3B5 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GdipDrawImageRectI.GDIPLUS(?,00000000,?,?,?,?,00000000,00000000,?,?,0040E7BE,?,?,?,?), ref: 0040F3E0

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: DrawGdipImageRect
String ID:
API String ID: 2615643336-0
Opcode ID: f9c6cad2bc47a2c1e7e80aba37559eb6afd511dcf033ae19184b0cafe6c434aa
Instruction ID: 79d3491990a948015b7396c0fe7cf8450c1a465bcc16ed5d694a72f56a678ef0
Opcode Fuzzy Hash: f9c6cad2bc47a2c1e7e80aba37559eb6afd511dcf033ae19184b0cafe6c434aa
Instruction Fuzzy Hash: 94F0F875204204AFA720DB2AE884C27BBECEB887A0315C07AFD09D7761D670EC04DA64

Function 004082E8 Relevance: 1.5, APIs: 1, Instructions: 33windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000007E9,00000001,00000000), ref: 00408318

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: aeaa011d510f7a8c5bf90ee4cdf5a67ec8c24c794ec7388661ee39791820fe25
Instruction ID: dc583202dff9a4218e0daa36061b640b6729f6d3e5afef363736e77094788894
Opcode Fuzzy Hash: aeaa011d510f7a8c5bf90ee4cdf5a67ec8c24c794ec7388661ee39791820fe25
Instruction Fuzzy Hash: B9F08235140609BBDF214E40CE01F6B3B55FB84F10F00843ABE55B61E1CAB79860EB59

Function 00413719 Relevance: 1.5, APIs: 1, Instructions: 32windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000111,00000002,00000000), ref: 0041374B

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 95dbffa1924bcae8724867c76b01cb424e02993734de465939781a04aa05f91f
Instruction ID: 865921a0c2df3a8d8c525ca2dd410d97855f0108af456c7b7e3e16d034cd462a
Opcode Fuzzy Hash: 95dbffa1924bcae8724867c76b01cb424e02993734de465939781a04aa05f91f
Instruction Fuzzy Hash: 72F0A7B5100108BBDF240E46DC48EEB7B69DF80722F00C02AFA1A662A0D7759961D764

Function 00410615 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000,?,00411580,0000009C,0041243E,7055389B), ref: 00410644

Part of subcall function 0040F85A: __EH_prolog3.LIBCMT ref: 0040F864
Part of subcall function 0040F85A: GetDlgItem.USER32(?,00000001), ref: 0040F881
Part of subcall function 0040F85A: SetWindowTextW.USER32(00000000), ref: 0040F884
Part of subcall function 0040F85A: GetDlgItem.USER32(?,00000002), ref: 0040F8D4
Part of subcall function 0040F85A: SetWindowTextW.USER32(00000000), ref: 0040F8D7
Part of subcall function 0040F85A: GetDlgItem.USER32(?,00000003), ref: 0040F927
Part of subcall function 0040F85A: ShowWindow.USER32(00000000), ref: 0040F92A

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Window$Item$ShowText$H_prolog3
String ID:
API String ID: 4168919072-0
Opcode ID: f1d9ea082a38186a43606ba2e145868ed12ef60976f4cfec5558c8d9d83c833b
Instruction ID: 95b2cb5853ba0c240e76f10601e9c141e5e3414a335874457e6c9d5a09da6e6a
Opcode Fuzzy Hash: f1d9ea082a38186a43606ba2e145868ed12ef60976f4cfec5558c8d9d83c833b
Instruction Fuzzy Hash: A0E0C235505308BFC765DFA8E9A286277E4B708343355413DE9069B332DE75A655CB0C

Function 00408227 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GdipLoadImageFromStream.GDIPLUS(?,00000004,00000000,?,00405E0D,?), ref: 0040823D

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: FromGdipImageLoadStream
String ID:
API String ID: 3292405956-0
Opcode ID: c528bf07c7d919c4e62638fc022b2e6d18728a4da6385d23c9b2e19c8937e459
Instruction ID: 7989904027b07a6b6a4de08db85828f65adb4cd9ff2ac3a1bcc9cb8b60cfb2a0
Opcode Fuzzy Hash: c528bf07c7d919c4e62638fc022b2e6d18728a4da6385d23c9b2e19c8937e459
Instruction Fuzzy Hash: AED0C7B2500714AFD3115F49DC00B92BBECEB19761F11843BE959C3A20D7B1AC548BD4

Function 00406203 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0040DDD4,?,00000184,0040DFA6,?,00000000,?,?,?,?,?,?,0043D89B,000000FF), ref: 0040620C

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 764fac2e8fbf55d0d209812d4278c3f2f0950fbfee0a6dfb5b18e54bb2438438
Instruction ID: 3acc1bba6fe9250dac20ed5de61099a30abc45875877385f2527a4616a95420f
Opcode Fuzzy Hash: 764fac2e8fbf55d0d209812d4278c3f2f0950fbfee0a6dfb5b18e54bb2438438
Instruction Fuzzy Hash: 2AC012300006045ADD285FB89A4815633117A9336A7A616FDD8779E5F2D23A883BDE18

Function 004012C9 Relevance: 1.3, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,0040132B,?,00000000,?,00000000,00000000,00000002), ref: 004012D8

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: cfaa3d518079ea921169961b9f67efe39045ed32a5a7b471eddeac3bf3b24d2a
Instruction ID: 57364a660a17844b1e2c4155598bf2ba4be5a8d9723bb35b302bda452d35a581
Opcode Fuzzy Hash: cfaa3d518079ea921169961b9f67efe39045ed32a5a7b471eddeac3bf3b24d2a
Instruction Fuzzy Hash: 80D05E311181218BDB340E58B4443D273E45B11335F1106BFD0E0A11F0E37508C3CB48

Function 0040347D Relevance: 1.3, APIs: 1, Instructions: 14memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,000020B8,00000000,0040341B,0044A768,00000014,00402920,00000000,0044A660,00000010,004031CF,0044A708,00000040,00405325), ref: 00403487

Part of subcall function 00401D74: InterlockedIncrement.KERNEL32(00458704), ref: 00401D89
Part of subcall function 00401D74: CreateMutexW.KERNEL32(00000000,00000000,00000000), ref: 00401DA3
Part of subcall function 00401D74: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00401DB0
Part of subcall function 00401D74: _memset.LIBCMT ref: 00401DF5
Part of subcall function 00401D74: RegisterWaitForSingleObject.KERNEL32(?,000000FF,00402979,?,000000FF,00000000), ref: 00401E4D
Part of subcall function 00401D74: _memset.LIBCMT ref: 00401E65

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Create_memset$AllocEventIncrementInterlockedLocalMutexObjectRegisterSingleWait
String ID:
API String ID: 776868893-0
Opcode ID: e61d3bdc11ef1b1f56088c94409b99b2c9a9fba792d46c415c5e10c5ca171d39
Instruction ID: ff94d46f0bf551bc38da25d8bbc101c6da522402658c84efb967a27928ea67d4
Opcode Fuzzy Hash: e61d3bdc11ef1b1f56088c94409b99b2c9a9fba792d46c415c5e10c5ca171d39
Instruction Fuzzy Hash: AEC0123175431046D7756F35681DA562A988B00715B00093B6645EA1D1EA79CD018249

Non-executed Functions

Function 0041DC2B Relevance: 54.9, APIs: 1, Strings: 30, Instructions: 693COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0041DC76

Strings

string-length, xrefs: 0041E24B
contains, xrefs: 0041DF11
string, xrefs: 0041E203
namespace-uri, xrefs: 0041E058
substring-after, xrefs: 0041E30E
sum, xrefs: 0041E390
floor, xrefs: 0041DE83
round, xrefs: 0041E3DE
true, xrefs: 0041E1C5
false, xrefs: 0041DE4D
ThD, xrefs: 0041DE07
substring, xrefs: 0041E34B
name, xrefs: 0041E02B
translate, xrefs: 0041E188
starts-with, xrefs: 0041E294
substring-before, xrefs: 0041E2D1
last, xrefs: 0041DD53
count, xrefs: 0041DEC8
Function has to be applied to node set, xrefs: 0041DCF7, 0041E452
position, xrefs: 0041E419
concat, xrefs: 0041DF5E
number, xrefs: 0041E10E
not, xrefs: 0041E0D4
lang, xrefs: 0041DD99
Out of memory, xrefs: 0041DC3D, 0041DC94
Unrecognized function or wrong parameter count, xrefs: 0041E449
local-name, xrefs: 0041DDD3
normalize-space, xrefs: 0041E07E
ceiling, xrefs: 0041DF94
boolean, xrefs: 0041DFD8

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _memmove
String ID: Function has to be applied to node set$Out of memory$ThD$Unrecognized function or wrong parameter count$boolean$ceiling$concat$contains$count$false$floor$lang$last$local-name$name$namespace-uri$normalize-space$not$number$position$round$starts-with$string$string-length$substring$substring-after$substring-before$sum$translate$true
API String ID: 4104443479-292099856
Opcode ID: 00c1030bac0152f232b82cfa2fa631db5cdf3bcd992ecc23c22cd4d482a3f4ca
Instruction ID: dd2a558a63235b3a275755d240b47145ee984e9e40b6e92bab569130a6b2bb24
Opcode Fuzzy Hash: 00c1030bac0152f232b82cfa2fa631db5cdf3bcd992ecc23c22cd4d482a3f4ca
Instruction Fuzzy Hash: A132B078B006029BCB149F1AD4A45EA7796AF86314B18C45FE9068B391DF7DCDC2CB8D

Function 004263F6 Relevance: 16.7, APIs: 11, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtGetLocaleInfoA.LIBCMT ref: 00426448

Part of subcall function 0042F095: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0042F0A1
Part of subcall function 0042F095: __crtGetLocaleInfoA_stat.LIBCMT ref: 0042F0B6

GetLastError.KERNEL32(?,?,00000000,00000000,00000000), ref: 0042645A
___crtGetLocaleInfoA.LIBCMT ref: 0042647A
___crtGetLocaleInfoA.LIBCMT ref: 004264BC
__calloc_crt.LIBCMT ref: 0042648F

Part of subcall function 004260BF: __calloc_impl.LIBCMT ref: 004260CE

__calloc_crt.LIBCMT ref: 004264D1
_free.LIBCMT ref: 004264E9
_free.LIBCMT ref: 00426529
__calloc_crt.LIBCMT ref: 00426553
_free.LIBCMT ref: 00426579
__invoke_watson.LIBCMT ref: 004265C9

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Locale$Info$___crt__calloc_crt_free$A_statErrorLastUpdateUpdate::___calloc_impl__crt__invoke_watson
String ID:
API String ID: 1731282729-0
Opcode ID: 2891f7f746bfcc08d5776edf2e941d83e6da90e5c3001e4ca6aca0ca3295f226
Instruction ID: b45ed7a188d37cc480fdbc60ee6aefe836d3705baec1dd2b2ffc4f9a3fe51c1b
Opcode Fuzzy Hash: 2891f7f746bfcc08d5776edf2e941d83e6da90e5c3001e4ca6aca0ca3295f226
Instruction Fuzzy Hash: 1C51A971A00225ABDF20AF75FC41B6B77B9EF04310F9140AAF94892241EF39CD94CB69

Function 0041E68F Relevance: 11.5, Strings: 9, Instructions: 269COMMON

Download Yara Rule

Strings

Out of memory, xrefs: 0041E7BB
Unknown variable: variable set is not provided, xrefs: 0041E86F
Unmatched braces, xrefs: 0041E852
Unrecognized function call, xrefs: 0041E6FF
Unmatched square brace, xrefs: 0041E9A0
Predicate has to be applied to node set, xrefs: 0041E999
No comma between function arguments, xrefs: 0041E78D
Unknown variable: variable set does not contain the given name, xrefs: 0041E88C
Unrecognizable primary expression, xrefs: 0041E8DD

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: No comma between function arguments$Out of memory$Predicate has to be applied to node set$Unknown variable: variable set does not contain the given name$Unknown variable: variable set is not provided$Unmatched braces$Unmatched square brace$Unrecognizable primary expression$Unrecognized function call
API String ID: 0-3813216300
Opcode ID: 5252733e0a5684f79bab422b6ab25595581707d1f63b8439a664b84db0d7b7d2
Instruction ID: 01272e44c623096963bb3a2eb6df8d26170ca37a4bf71b21bc6642ef08071c1b
Opcode Fuzzy Hash: 5252733e0a5684f79bab422b6ab25595581707d1f63b8439a664b84db0d7b7d2
Instruction Fuzzy Hash: 4F9126746047018BD720FF2BC4415EBB7E5EF44704B50892FE85AC7291DB78E98ACB8A

Function 00435CE7 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 00435CFE
_wcscmp.LIBCMT ref: 00435D0F
GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,00435FAD,?,00000000), ref: 00435D2B
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,00435FAD,?,00000000), ref: 00435D55

Strings

ACP, xrefs: 00435CF8
OCP, xrefs: 00435D09

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InfoLocale_wcscmp
String ID: ACP$OCP
API String ID: 1351282208-711371036
Opcode ID: bd02c2f78d9f965cf9d33363220fe477c8f8661e286fb4df1c28877fb5a6d962
Instruction ID: 1b7f410931fcb0878abe7377ea319cad40b6847f393f2ecf2253e92768810b8c
Opcode Fuzzy Hash: bd02c2f78d9f965cf9d33363220fe477c8f8661e286fb4df1c28877fb5a6d962
Instruction Fuzzy Hash: E101D235241905AAEB109E65EC09FDB73A8AF0C765F10D427F904DE190EB28DA81878C

Function 0040A723 Relevance: 4.6, APIs: 3, Instructions: 54COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040A72D
_memset.LIBCMT ref: 0040A74A
GetVersionExW.KERNEL32(?), ref: 0040A75F

Part of subcall function 0040DCB3: swprintf.LIBCMT ref: 0040DCDB

Part of subcall function 0040403B: _memmove.LIBCMT ref: 0040405B

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: H_prolog3_Version_memmove_memsetswprintf
String ID:
API String ID: 4236661430-0
Opcode ID: 02e30233b3e23df57af844f2654d147a4014cec4e5117c52e53ae322f5b99df3
Instruction ID: c0de6514043eb7f622a24806a7c7daaada07686435340e00f8371b03e72e0744
Opcode Fuzzy Hash: 02e30233b3e23df57af844f2654d147a4014cec4e5117c52e53ae322f5b99df3
Instruction Fuzzy Hash: 0111A3B1D001089FEB04EBA4DC92BEE7778EF54348F5040BAF109B7182DAB95E45CB55

Function 004278D8 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,004266DA,?,?,?,00000001), ref: 004278DD
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 004278E6

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 38b3e6874888d3a42b5397abe011dc5c6b01961766eb3b81d8264b20c528dda9
Instruction ID: af6de2e61c71192848096d70edd5c8408ffed4fca3a895c46d12f408ea406cc4
Opcode Fuzzy Hash: 38b3e6874888d3a42b5397abe011dc5c6b01961766eb3b81d8264b20c528dda9
Instruction Fuzzy Hash: 79B09231444208FFEE002B91FD09B883F28EB04672F001130F60D480708BA258549A99

Function 0042F20C Relevance: 1.5, APIs: 1, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(0042F1F8,00000001,?,004351C2,00435260,00000003,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0042F23A

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 38001fd31d1add0093c49b9527e5aca8a2cd63c3bb6e206131bfe828f7e2f9bf
Instruction ID: 9cc43e68d90e22861979d7e59596372d6bab58e04aa4918d4e4cb832f1511fe7
Opcode Fuzzy Hash: 38001fd31d1add0093c49b9527e5aca8a2cd63c3bb6e206131bfe828f7e2f9bf
Instruction Fuzzy Hash: 14E04F35150308EBCB01CF94FC05BA937A4B708B21F944431B5085A1A1C676E4A0DF5C

Function 0042F249 Relevance: 1.5, APIs: 1, Instructions: 18COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,20001004,?,0042AB86,?,0042AB86,?,20001004,?,00000002,?,00000004,?,00000000), ref: 0042F270

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: f8af4819089cf00e42733982af5ee5bd8d28f682a3fe1c23c77db3c80989f079
Instruction ID: b3f803decc9e7ba590f29807339ab5c22a421047010f3369bfce5bbc694bfc38
Opcode Fuzzy Hash: f8af4819089cf00e42733982af5ee5bd8d28f682a3fe1c23c77db3c80989f079
Instruction Fuzzy Hash: 55D0123A040108FF8F019FD0FC0586A3B69FB08314B844466F91845121DA36E8209B29

Function 004278A7 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 004278AD

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b5a942b7675521a605ffe18ce34dd21548eb4d05a3e796add064e69d7b2c77c5
Instruction ID: 10f971bb0326bd7009c60a64240b1fbb5a1fdfcc27efec36c7c6e23c0b953b6c
Opcode Fuzzy Hash: b5a942b7675521a605ffe18ce34dd21548eb4d05a3e796add064e69d7b2c77c5
Instruction Fuzzy Hash: 61A0113000020CFB8E002B82FC088883F2CEA002B2B000030F80C000208BA2A8A08A88

Function 00425B2B Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00424FB4,0044D308,00000014), ref: 00425B2B

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 00b80de3463a0d9e6ea1085b6c1fe51a06b18940714df758908610c8ec8d5998
Instruction ID: 142edf32b74de3a78c56cb3a2f6e40ecc835f1eb8f0eb077e2109450793ec1c1
Opcode Fuzzy Hash: 00b80de3463a0d9e6ea1085b6c1fe51a06b18940714df758908610c8ec8d5998
Instruction Fuzzy Hash: 30B012B1701202C7CB090B39BC1400936E45748206304903D7003C5160EF30CD509F0C

Function 004345E2 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 02bad44cecd2c6049edf1280c85819ca2a502d08f75b982852eefa0f76671011
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 1BC1E77220909309EF6D4A3988341BFFAA05EE67B171A275FD4B3CB2C4EF18E564D614

Function 00434A17 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 7672d54e93f85cd8a16eeab0d7a5c4c3aa7c5d02c8e32d07cf552138fea52549
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: F6C1E97220909309EF6D4639C8341BFFBA15AE67B171A275FD4B3CB2C4EE18E564C524

Function 004341AD Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: 110388b41a8a85aa8984566e8cc88d65fb3d77f316fe50e055081a62d4041e4a
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: 7FC1D9722090530AEF5D4A39C8340BFFAA15BE57B171A276FD8B3CB2C4EE18E564D614

Function 00433D95 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 7e0835685f72089923f2dc3e572eb494ea09dd40ccd7b53904858578875af7d6
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 8FC1F77220945309EF6D4A39C83407FBBB15AE57B271A276FD4B3CB2C4EE28D664C614

Function 00424950 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 3552f0cd7b9b658e97edb6d4a675185b2e94d444d86f84920ccf4e9a3b1d9c2a
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: F51138F730007143D614CA3EF4B46B7E795EBC63247AD436BD0814B758D12AA9C5D90C

Function 0040EB3A Relevance: 38.9, APIs: 17, Strings: 5, Instructions: 439windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040EB44

Part of subcall function 0040E337: CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,000000CC,00000000,00000000,00000005,00000000,Calibri), ref: 0040E38B
Part of subcall function 0040E337: CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,000000CC,00000000,00000000,00000005,00000000,Calibri), ref: 0040E3B5
Part of subcall function 0040E337: CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,000000CC,00000000,00000000,00000005,00000002,Arial), ref: 0040E3DF

GetSysColorBrush.USER32(0000000F), ref: 0040EB8B

Part of subcall function 00423D6A: _malloc.LIBCMT ref: 00423D82

CreateWindowExW.USER32(00000000,Static,00445D78,50000005,00000000,00000000,00000000,00000001,00000001,00000000,00000000,00000000), ref: 0040EC02
CreateWindowExW.USER32(00000000,Static,00445D78,50000005,00000000,00000000,00000000,00000001,00000001,00000000,00000000,00000000), ref: 0040EC36
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000001,00000000,000000CC,00000000,00000000,00000005,00000000,Calibri), ref: 0040EC61
CreateWindowExW.USER32(00000000,SysLink,?,50000000,?,?,?,00000000,00000001,00000000,00000000,00000000), ref: 0040ECE9
SendMessageW.USER32(00000000,00000030,00000001), ref: 0040ECFD
GetDC.USER32(?), ref: 0040ED18
_memset.LIBCMT ref: 0040EE28
GetSystemMetrics.USER32(00000047), ref: 0040EE66
SelectObject.GDI32 ref: 0040EEC0
DrawTextExW.USER32(?,?,000000FF,?,00000410,00000014), ref: 0040EEE3
SendMessageW.USER32(?,00000030,00000001), ref: 0040EF5F
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 0040EF70
DeleteDC.GDI32(?), ref: 0040EFFF
CreateWindowExW.USER32(00000000,SysLink,?,50000000,?,?,?,00000000,00000004,?,00000000,00000000), ref: 0040F0F0
SendMessageW.USER32(00000000,00000030,00000001), ref: 0040F104

Strings

Static, xrefs: 0040EBFC, 0040EC30
iTorretPartner, xrefs: 0040EB93
Calibri, xrefs: 0040EC43
SysLink, xrefs: 0040ECE3, 0040F0E9
<\br>, xrefs: 0040F04B

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Create$FontMessageSendWindow$BrushColorDeleteDrawH_prolog3_MetricsObjectSelectSystemText_malloc_memset
String ID: <\br>$Calibri$Static$SysLink$iTorretPartner
API String ID: 3734728168-218324882
Opcode ID: 0d9aa247b02eee198412bbbb28e29d8c53bba193d96e6fc9d60c859a00f26050
Instruction ID: f7c31dfe1de222369878051e5d4a65a24d521bc2a574b3db0c5e1926632f38d1
Opcode Fuzzy Hash: 0d9aa247b02eee198412bbbb28e29d8c53bba193d96e6fc9d60c859a00f26050
Instruction Fuzzy Hash: 99029171A00215AFDB20DF65CC89F9ABBB5EF44304F1041EAF508AB291DB75AE85CF58

Function 00405F17 Relevance: 38.7, APIs: 20, Strings: 2, Instructions: 197windowmemoryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00405F21
_memset.LIBCMT ref: 00405F3D
SHGetFileInfoW.SHELL32(?,00000080,?,000002B4,00000110), ref: 00405F5C
GetIconInfo.USER32(?,?), ref: 00405F81
GetObjectW.GDI32(?,00000018,?), ref: 00405FA9
GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 00405FCD
GdipGetImageHeight.GDIPLUS(?,?), ref: 00406009
GdipGetImageWidth.GDIPLUS(?,?), ref: 00406033
GdipGetImagePixelFormat.GDIPLUS(?,?), ref: 0040606A
GdipBitmapLockBits.GDIPLUS(?,?,00000001,?,?), ref: 0040608C
GdipCreateBitmapFromScan0.GDIPLUS(?,?,?,0026200A,?,?), ref: 004060D6
GdipBitmapUnlockBits.GDIPLUS(?,?), ref: 004060FF
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00406120
GdipDisposeImage.GDIPLUS(?), ref: 004061E8

Part of subcall function 00405E25: GdipGetImageEncodersSize.GDIPLUS(?,?,0044AAF8,0000001C,0040613A), ref: 00405E47
Part of subcall function 00405E25: _malloc.LIBCMT ref: 00405E58
Part of subcall function 00405E25: @_EH4_CallFilterFunc@8.LIBCMT ref: 00405E72

GdipSaveImageToStream.GDIPLUS(?,?,?,00000000), ref: 00406146
_memset.LIBCMT ref: 0040616C
GetHGlobalFromStream.OLE32(?,?), ref: 004061A9
GdipAlloc.GDIPLUS(00000010), ref: 004061B1
DestroyIcon.USER32(?), ref: 004061E1
GdipDisposeImage.GDIPLUS(?), ref: 004061F5

Strings

0iD, xrefs: 004060A8
0iD, xrefs: 00405FB5

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Gdip$Image$Bitmap$CreateFromStream$BitsDisposeGlobalIconInfo_memset$AllocCallDestroyEncodersFileFilterFormatFunc@8H_prolog3_HeightLockObjectPixelSaveScan0SizeUnlockWidth_malloc
String ID: 0iD$0iD
API String ID: 1811296648-2033341097
Opcode ID: 369f2c2faa093f7e23144f7d859fa1ec431cc9f10f85c9bea900f7f74f1185d6
Instruction ID: c2310c256fee42b348955dbd8a2c8a4d8f8b7f20bac021223fe14250f8c2c259
Opcode Fuzzy Hash: 369f2c2faa093f7e23144f7d859fa1ec431cc9f10f85c9bea900f7f74f1185d6
Instruction Fuzzy Hash: 2381A4B1D10228AFDB629F64CC84B9DB7FDAF08701F4050FAE909A6261D7749F988F14

Function 0040AB8E Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 266registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040AB98
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,00020019,?), ref: 0040AD7A
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000001,00000000), ref: 0040ADDA
RegCloseKey.ADVAPI32(?), ref: 0040ADF2
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0040AE24
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?), ref: 0040AE9F
RegCloseKey.ADVAPI32(?), ref: 0040AEAB
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0040AEDE
RegCloseKey.ADVAPI32(?), ref: 0040AEF0

Part of subcall function 0040DC5E: _memcmp.LIBCMT ref: 0040DC8E

_memset.LIBCMT ref: 0040AF19
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000800), ref: 0040AF56
RegCloseKey.ADVAPI32(?), ref: 0040AF60

Strings

HKLM, xrefs: 0040ABFF
XjD, xrefs: 0040AED3
HKEY_LOCAL_MACHINE, xrefs: 0040AC19

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Close$QueryValue$Ios_base_dtorstd::ios_base::_$H_prolog3_Open_memcmp_memset
String ID: HKEY_LOCAL_MACHINE$HKLM$XjD
API String ID: 3935406371-4261972424
Opcode ID: 2500f77a7c44371c49748dff05714a83dd6c6678d8f9533a268f9b92aab20f84
Instruction ID: f0804e70ace95674ef501eb3e146ac404a74af6e9c1c1e85689251813562c2a3
Opcode Fuzzy Hash: 2500f77a7c44371c49748dff05714a83dd6c6678d8f9533a268f9b92aab20f84
Instruction Fuzzy Hash: 54B15F70A002299BEB24DB25CC81BADB7F9BF44305F1480EEA189762C1DF795E84CF95

Function 00406A19 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 88COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00406A23

Part of subcall function 00403E1D: char_traits.LIBCPMT ref: 00403E36

Part of subcall function 00406203: GetFileAttributesW.KERNEL32(?,0040DDD4,?,00000184,0040DFA6,?,00000000,?,?,?,?,?,?,0043D89B,000000FF), ref: 0040620C

_wcsstr.LIBCMT ref: 00406A65
_wcsstr.LIBCMT ref: 00406A7A
_wcsstr.LIBCMT ref: 00406A8F
_memset.LIBCMT ref: 00406AB2

Part of subcall function 0040814F: vswprintf.LIBCMT ref: 0040817E

_memset.LIBCMT ref: 00406B1D
ShellExecuteExW.SHELL32(0000003C), ref: 00406B60

Part of subcall function 004085B7: __EH_prolog3.LIBCMT ref: 004085BE

Part of subcall function 0040792F: __EH_prolog3_catch.LIBCMT ref: 00407936
Part of subcall function 0040792F: char_traits.LIBCPMT ref: 0040794D

Strings

.tor, xrefs: 00406A74
Buffer is to small, xrefs: 00406AF2
magnet:, xrefs: 00406A89
.torrent, xrefs: 00406A5F
open, xrefs: 00406B4B
/select,"%s", xrefs: 00406AC1
<, xrefs: 00406B25

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _wcsstr$_memsetchar_traits$AttributesExecuteFileH_prolog3H_prolog3_H_prolog3_catchShellvswprintf
String ID: .tor$.torrent$/select,"%s"$<$Buffer is to small$magnet:$open
API String ID: 704264854-4123487340
Opcode ID: 75c90b2619ce1bfbfea703ecf74f0d8971c150563373a7ddae02cd2ccae2eecf
Instruction ID: 212b6c8557b5fdd9c3aff150e2e9ced611f0d46174c403d626fc3777eed81db7
Opcode Fuzzy Hash: 75c90b2619ce1bfbfea703ecf74f0d8971c150563373a7ddae02cd2ccae2eecf
Instruction Fuzzy Hash: D93161B1D0022859EB20AB21DC02F9A7778AF51318F5101AFB509B61C2EF7C6B85CE5D

Function 00406F68 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 178COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00406F72
SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?,000004EC,0041255F), ref: 00406F85

Part of subcall function 00406D16: __EH_prolog3_GS.LIBCMT ref: 00406D1D

Part of subcall function 00406203: GetFileAttributesW.KERNEL32(?,0040DDD4,?,00000184,0040DFA6,?,00000000,?,?,?,?,?,?,0043D89B,000000FF), ref: 0040620C

char_traits.LIBCPMT ref: 00406FD7
char_traits.LIBCPMT ref: 00406FF6
_memset.LIBCMT ref: 00407116
_memset.LIBCMT ref: 00407183
ShellExecuteExW.SHELL32(0000003C), ref: 004071DE

Strings

.tor, xrefs: 00406FF0, 00406FF5, 00406FFD, 00406FFE
\itorrent\itorrent.exe, xrefs: 00407155
.torrent, xrefs: 00406FD1, 00406FD6, 00406FDE, 00406FDF
open, xrefs: 004071C8
<, xrefs: 0040718B
--open=", xrefs: 00407021, 004070A5

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: H_prolog3__memsetchar_traits$AttributesExecuteFileFolderPathShell
String ID: --open="$.tor$.torrent$<$\itorrent\itorrent.exe$open
API String ID: 4193501842-3462142208
Opcode ID: f4ae6e7149f36a7cfdabc5e4a40df40ae3c7b7fb17e9a311e54cc06aef381cba
Instruction ID: f1d9275b18be2ccb85f51f7cd8635cb2fe1089ba137f86c06f2eecf062f57159
Opcode Fuzzy Hash: f4ae6e7149f36a7cfdabc5e4a40df40ae3c7b7fb17e9a311e54cc06aef381cba
Instruction Fuzzy Hash: 806112B18011589ADB21EB65CC85FDEB77C9F95308F1045EFA60973182EB781F48CE29

Function 0040A7D6 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 140COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040A7E0
AssocQueryStringA.SHLWAPI(00000000,00000002,http,open,?,?), ref: 0040A814

Strings

firefox, xrefs: 0040A94F, 0040A954, 0040A95C, 0040A95D
http, xrefs: 0040A806
operaold, xrefs: 0040A8D1
amigo, xrefs: 0040A975, 0040A97A, 0040A982, 0040A983
launcher, xrefs: 0040A8B0, 0040A8B5, 0040A8BD, 0040A8BE
internet explorer, xrefs: 0040A930, 0040A935, 0040A93D, 0040A93E
open, xrefs: 0040A801
chrome, xrefs: 0040A929
yandex, xrefs: 0040A8E5, 0040A8EA, 0040A8F2, 0040A8F3, 0040A904
google, xrefs: 0040A90A, 0040A90F, 0040A917, 0040A918
opera, xrefs: 0040A88F, 0040A894, 0040A89F, 0040A8DB

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AssocH_prolog3_QueryString
String ID: amigo$chrome$firefox$google$http$internet explorer$launcher$open$opera$operaold$yandex
API String ID: 4091812397-2656646387
Opcode ID: 16eade287d4c975c282bde898b1b5c5d2e2d40b3f03e88ed2727a6d46930e4c3
Instruction ID: 1ca0e9bf9c97b3c973a072714cd0145f7793694ff2ff57f7b62195b4a4ae5754
Opcode Fuzzy Hash: 16eade287d4c975c282bde898b1b5c5d2e2d40b3f03e88ed2727a6d46930e4c3
Instruction Fuzzy Hash: 4E41A6B1A10214ABE724EB14CC82DFE76799F42724F2146AFB016711D1EB786F45CA1E

Function 0040B406 Relevance: 21.4, APIs: 1, Strings: 11, Instructions: 376COMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 0040B410

Part of subcall function 0041F6AD: __EH_prolog3_GS.LIBCMT ref: 0041F6B4

Part of subcall function 0040AB8E: __EH_prolog3_GS.LIBCMT ref: 0040AB98

Part of subcall function 0040403B: _memmove.LIBCMT ref: 0040405B

Part of subcall function 0041F5DC: __EH_prolog3_GS.LIBCMT ref: 0041F5E3

Part of subcall function 0040A7D6: __EH_prolog3_GS.LIBCMT ref: 0040A7E0
Part of subcall function 0040A7D6: AssocQueryStringA.SHLWAPI(00000000,00000002,http,open,?,?), ref: 0040A814

Strings

//d/defbrowser, xrefs: 0040B888
//d/machineid, xrefs: 0040B7CF
<?xml version="1.0"?><d></d>, xrefs: 0040B46F
//d/guid, xrefs: 0040B82C
//d/ps/p/fs/f, xrefs: 0040B5AF
$iD, xrefs: 0040B957, 0040B960
name, xrefs: 0040B4E4, 0040B601, 0040B705
//d/ps/p/installed/i, xrefs: 0040B6B3
//d/ps/p/rs/r, xrefs: 0040B492
//d/os, xrefs: 0040B8EE
0Rg, xrefs: 0040B831, 0040B86A

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: H_prolog3_$AssocH_prolog3_catch_QueryString_memmove
String ID: $iD$//d/defbrowser$//d/guid$//d/machineid$//d/os$//d/ps/p/fs/f$//d/ps/p/installed/i$//d/ps/p/rs/r$0Rg$<?xml version="1.0"?><d></d>$name
API String ID: 1042467588-1638684382
Opcode ID: e73b2d61270da91b5a81bc98c462a2675a3b2cf4469aae1f846bd2b321e783f1
Instruction ID: d76b2f650c13571c75fc5c3975ccd6c63a0524fb5aa4f1e8f787a0c2f55eadc5
Opcode Fuzzy Hash: e73b2d61270da91b5a81bc98c462a2675a3b2cf4469aae1f846bd2b321e783f1
Instruction Fuzzy Hash: ECF15C71D012189BDB24EBA4CD55BDDB7B4AF14308F1004EEE549B7282EB786F88CB59

Function 0040F93C Relevance: 21.1, APIs: 14, Instructions: 120windowCOMMON

Download Yara Rule

APIs

SetBkColor.GDI32(?,00FFFFFF), ref: 0040F99E
GetStockObject.GDI32(00000000), ref: 0040F9A6
GetClientRect.USER32(?,?), ref: 0040F9B7
FillRect.USER32(?,?,00000000), ref: 0040F9C5
BeginPaint.USER32(?,?), ref: 0040F9D6
CreateCompatibleDC.GDI32(00000000), ref: 0040F9E9
SelectObject.GDI32(00000000,?), ref: 0040F9F7
GetObjectW.GDI32(?,00000018,?), ref: 0040FA09
BitBlt.GDI32(?,?,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 0040FA47
SelectObject.GDI32(00000000,00000000), ref: 0040FA53
DeleteDC.GDI32(00000000), ref: 0040FA5A
EndPaint.USER32(?,?), ref: 0040FA6A
DeleteObject.GDI32(?), ref: 0040FA7F
DeleteObject.GDI32(?), ref: 0040FA84

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Object$Delete$PaintRectSelect$BeginClientColorCompatibleCreateFillStock
String ID:
API String ID: 4023296310-0
Opcode ID: 1a3314baad03eca1980ec1e35441a67d4816b03bef98c5e8db4810d4407adde9
Instruction ID: 18a01c523534795561b10c64a133362bf040a50cf47bbf0961f21ff9f5858b99
Opcode Fuzzy Hash: 1a3314baad03eca1980ec1e35441a67d4816b03bef98c5e8db4810d4407adde9
Instruction Fuzzy Hash: A0414E72604305AFD710DF65DC48E5B7BB8FB48310F00593AF945926A1C774E9188F6A

Function 00414265 Relevance: 19.6, APIs: 13, Instructions: 140COMMON

Download Yara Rule

APIs

GetCharWidth32W.GDI32(?,00000020,00000020,?,?), ref: 004142B3
GetDlgItem.USER32(?,00000004), ref: 004142BE
GetWindowTextW.USER32(00000000,?,00000100), ref: 004142D1
_wcsstr.LIBCMT ref: 004142E3
SetTextColor.GDI32(?,00000000), ref: 004142F5
SetBkMode.GDI32(?,00000001), ref: 00414306
SelectObject.GDI32(?), ref: 0041431B
DrawTextExW.USER32(?,?,?,?,00008410,00000014), ref: 00414378
DrawTextW.USER32(?,?,?,?,00008010), ref: 00414395
SelectObject.GDI32(?,?), ref: 004143F7
DrawTextExW.USER32(?,?,000000FF,?,00000050,00000014), ref: 00414416
SetBkMode.GDI32(?,?), ref: 00414425
SetTextColor.GDI32(?,?), ref: 00414434

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Text$Draw$ColorModeObjectSelect$CharItemWidth32Window_wcsstr
String ID:
API String ID: 2368306080-0
Opcode ID: 87c8e5fe06cd33e68f9cd46dd9978dcdef1c7ab8bc6e35990bf884b91bdabd1a
Instruction ID: 541550f45bf0a577c103bbec627b4e515e91e1287cf71a6f34bc75e33a74a6f0
Opcode Fuzzy Hash: 87c8e5fe06cd33e68f9cd46dd9978dcdef1c7ab8bc6e35990bf884b91bdabd1a
Instruction Fuzzy Hash: B35130B1900218AFDF159F54DC85BEA7779FB08300F4041F5FA05A61A1DB719E99CF98

Function 0040AF75 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 209registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040AFC7
RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,7055389B), ref: 0040AFFD
RegCloseKey.ADVAPI32(?,?,?,?,7055389B,?,?,?,?,0043D55D,000000FF), ref: 0040B00D
_memset.LIBCMT ref: 0040B057
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0040B07A
RegOpenKeyA.ADVAPI32(?,00000000,?), ref: 0040B0CA
_memset.LIBCMT ref: 0040B117
RegQueryValueExW.ADVAPI32(?,DisplayName,00000000,00000000,?,00000800), ref: 0040B144
RegCloseKey.ADVAPI32(?), ref: 0040B152
RegCloseKey.ADVAPI32(?), ref: 0040B21B

Strings

DisplayName, xrefs: 0040B139

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Close$OpenQuery_memset$EnumInfoValue
String ID: DisplayName
API String ID: 4115459675-3786665039
Opcode ID: 7dd6568487ecf3bc725f41336c05b8e7f0d34bfb483fa9fb6d04fb273294813c
Instruction ID: 144dbe2e757f2f4985787b3fadc91b2d135954a141e078a8bc2745067885a018
Opcode Fuzzy Hash: 7dd6568487ecf3bc725f41336c05b8e7f0d34bfb483fa9fb6d04fb273294813c
Instruction Fuzzy Hash: 57815C75900128AFDB28DF14DC95BEAB7B8EB05304F1041EAE619B2191DB355F88CF99

Function 0040DDAF Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 97fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040DDB9

Part of subcall function 00403E1D: char_traits.LIBCPMT ref: 00403E36

Part of subcall function 00406203: GetFileAttributesW.KERNEL32(?,0040DDD4,?,00000184,0040DFA6,?,00000000,?,?,?,?,?,?,0043D89B,000000FF), ref: 0040620C

DeleteFileW.KERNEL32(?,00000001,00000000,?,00000184,0040DFA6,?,00000000,?,?,?,?,?,?,0043D89B,000000FF), ref: 0040DDE8
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000001,00000000,?,00000184,0040DFA6,?,00000000), ref: 0040DDFE
WriteFile.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000,00000001,00000000,?,00000184), ref: 0040DE5B
CloseHandle.KERNEL32(00000000,?,40000000,00000000,00000000,00000002,00000080,00000000,00000001,00000000,?,00000184,0040DFA6,?,00000000), ref: 0040DE67
CloseHandle.KERNEL32(00000000,?,40000000,00000000,00000000,00000002,00000080,00000000,00000001,00000000,?,00000184,0040DFA6,?,00000000), ref: 0040DE92
DeleteFileW.KERNEL32(?,?,40000000,00000000,00000000,00000002,00000080,00000000,00000001,00000000,?,00000184,0040DFA6,?,00000000), ref: 0040DEAB
DeleteFileW.KERNEL32(?,?,40000000,00000000,00000000,00000002,00000080,00000000,00000001,00000000,?,00000184,0040DFA6,?,00000000), ref: 0040DEEA

Strings

Can't create file., xrefs: 0040DE25
Can't write into file, xrefs: 0040DE8B
can't unzip, xrefs: 0040DECF

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: File$Delete$CloseHandle$AttributesCreateH_prolog3_Writechar_traits
String ID: Can't create file.$Can't write into file$can't unzip
API String ID: 1041538757-295860728
Opcode ID: f6d36239a41848457fd82fbce1256d1e90007453654904a8da5e3a4ce0339fa4
Instruction ID: 4253ead06432f5fcbbb7e2ce94929fb0bfdea561c01916292099495b58fe3e2f
Opcode Fuzzy Hash: f6d36239a41848457fd82fbce1256d1e90007453654904a8da5e3a4ce0339fa4
Instruction Fuzzy Hash: 2A31BE70C00114ABDB28EBA1CC49BEEB778AF59314F00817EF506762D1DB385E48CB68

Function 0040D1C2 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 343COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0040D287
_memmove.LIBCMT ref: 0040D2B9
_memmove.LIBCMT ref: 0040D2EE
_memmove.LIBCMT ref: 0040D376
_memmove.LIBCMT ref: 0040D3ED
_memmove.LIBCMT ref: 0040D458
_memmove.LIBCMT ref: 0040D49C
_memmove.LIBCMT ref: 0040D4D9

Strings

string too long, xrefs: 0040D501
invalid string position, xrefs: 0040D50B

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 198aeaef6a32dbd09c69d4550dae73d903ff877653bbd5ba4ee90b087fdf51a6
Instruction ID: bc122013e4202fd5fbf91448f186c4fd0103758f21e97906f5fe699026bb53c5
Opcode Fuzzy Hash: 198aeaef6a32dbd09c69d4550dae73d903ff877653bbd5ba4ee90b087fdf51a6
Instruction Fuzzy Hash: 60D13C71E00315DFCB20CF88D98199AB7B5BF88704B24493EE941E7341D738EA598BA9

Function 00409B21 Relevance: 17.5, APIs: 8, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00409B28
std::_Lockit::_Lockit.LIBCPMT ref: 00409B32

Part of subcall function 004393B0: __lock.LIBCMT ref: 004393C1

int.LIBCPMT ref: 00409B49

Part of subcall function 004095F0: std::_Lockit::_Lockit.LIBCPMT ref: 00409601

std::locale::_Getfacet.LIBCPMT ref: 00409B52
ctype.LIBCPMT ref: 00409B6C
std::bad_exception::bad_exception.LIBCMT ref: 00409B80
__CxxThrowException@8.LIBCMT ref: 00409B8E
std::_Facet_Register.LIBCPMT ref: 00409BA4

Strings

bad cast, xrefs: 00409B78
QE, xrefs: 00409B3B

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: std::_$LockitLockit::_$Exception@8Facet_GetfacetH_prolog3RegisterThrow__lockctypestd::bad_exception::bad_exceptionstd::locale::_
String ID: QE$bad cast
API String ID: 2017145326-2735596557
Opcode ID: fd2251292eb0867b88d1a95ed54d19448e67e80e1c0e61218183979806b6751d
Instruction ID: 17104c48661f21eaaf1db8c8683a270d0f529b345491ddce3e4a4550693cb700
Opcode Fuzzy Hash: fd2251292eb0867b88d1a95ed54d19448e67e80e1c0e61218183979806b6751d
Instruction Fuzzy Hash: A8017C31A006149BCB14EB61E842AAE7364BB48324F20152FE401772D3CF7DAD00CB98

Function 0040721E Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 187COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00407228

Part of subcall function 0041F5DC: __EH_prolog3_GS.LIBCMT ref: 0041F5E3

Part of subcall function 00405851: __EH_prolog3.LIBCMT ref: 00405858

Part of subcall function 0040403B: _memmove.LIBCMT ref: 0040405B

Strings

//checks, xrefs: 0040729C
check, xrefs: 00407329
<?xml version="1.0"?><checks></checks>, xrefs: 00407262
content, xrefs: 004073B3
when, xrefs: 004073DF
type, xrefs: 0040736B
$iD, xrefs: 00407463, 0040746C
url, xrefs: 004072CF

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: H_prolog3_$H_prolog3_memmove
String ID: $iD$//checks$<?xml version="1.0"?><checks></checks>$check$content$type$url$when
API String ID: 448379309-1664345494
Opcode ID: b80dc27e736c35f02b943c3d308e4b403c98a872a2e1f7c98542a463872f2caf
Instruction ID: aba2335a108dca9bbb128d6fe9e6a0bb2298540d490b94bd0073ea5d2e5761b8
Opcode Fuzzy Hash: b80dc27e736c35f02b943c3d308e4b403c98a872a2e1f7c98542a463872f2caf
Instruction Fuzzy Hash: 7771C271D012189ADF14EFA1D885BEDB7B9AF04304F1044ABE505B7181DB78AF88CF5A

Function 0040D828 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040D82F
std::_Lockit::_Lockit.LIBCPMT ref: 0040D839

Part of subcall function 004393B0: __lock.LIBCMT ref: 004393C1

int.LIBCPMT ref: 0040D850

Part of subcall function 004095F0: std::_Lockit::_Lockit.LIBCPMT ref: 00409601

std::locale::_Getfacet.LIBCPMT ref: 0040D859
ctype.LIBCPMT ref: 0040D873
std::bad_exception::bad_exception.LIBCMT ref: 0040D887
__CxxThrowException@8.LIBCMT ref: 0040D895
std::_Facet_Register.LIBCPMT ref: 0040D8AB

Strings

bad cast, xrefs: 0040D87F

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: std::_$LockitLockit::_$Exception@8Facet_GetfacetH_prolog3RegisterThrow__lockctypestd::bad_exception::bad_exceptionstd::locale::_
String ID: bad cast
API String ID: 2017145326-3145022300
Opcode ID: c1080736745e3c33a9aed501182a711e8bd6542b3e2751d62e058be6eee30fe8
Instruction ID: 8676ee6086b56fcf14aab3e5aa4defeafc6ec2ee5079ad56fc6bda837db51ad3
Opcode Fuzzy Hash: c1080736745e3c33a9aed501182a711e8bd6542b3e2751d62e058be6eee30fe8
Instruction Fuzzy Hash: E0018E32D006149BCB04FBA1D852AAD7364AF48728F20452FE8117B2D2CF7C9D05CB9D

Function 0042A4CD Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 204COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000008,00000000,?,?,00000000,00000000,00000100,00000000,?,?,?,?,0042A703,?,00000008,?), ref: 0042A536
_malloc.LIBCMT ref: 0042A588
MultiByteToWideChar.KERNEL32(00000008,00000001,?,?,00000000,00000000,?,?,?,0042A703,?,00000008,?,?,?,?), ref: 0042A5B6
_malloc.LIBCMT ref: 0042A656

Part of subcall function 004233F8: __FF_MSGBANNER.LIBCMT ref: 0042340F
Part of subcall function 004233F8: __NMSG_WRITE.LIBCMT ref: 00423416
Part of subcall function 004233F8: RtlAllocateHeap.NTDLL(00660000,00000000,00000001,?,?,?,?,004011E6), ref: 0042343B

WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,?), ref: 0042A6A5
__freea.LIBCMT ref: 0042A6AE
__freea.LIBCMT ref: 0042A6B5

Strings

9E(j, xrefs: 0042A51F

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea_malloc$AllocateHeap
String ID: 9E(j
API String ID: 442409405-705430000
Opcode ID: 253a7d083789c16bb4497e9c23e87dbb566d67de0742e3419c3ba9106a75ca69
Instruction ID: eae4b8fc467da8829f52f0b5777bbfb99bdecfffda808a4d31fcec4edae714b2
Opcode Fuzzy Hash: 253a7d083789c16bb4497e9c23e87dbb566d67de0742e3419c3ba9106a75ca69
Instruction Fuzzy Hash: 0351E172700225AFEF249F55EC45EAF37A9EB54314F98052AFC05E7250D738DC60C6AA

Function 00406291 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 162comCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040629B

Part of subcall function 00406221: _memset.LIBCMT ref: 00406242
Part of subcall function 00406221: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000001), ref: 00406266
Part of subcall function 00406221: VerifyVersionInfoW.KERNEL32(0000011C,00000002,00000000), ref: 00406277

_memset.LIBCMT ref: 004062CD
CoTaskMemFree.OLE32(?,?), ref: 00406440

Part of subcall function 0040792F: __EH_prolog3_catch.LIBCMT ref: 00407936
Part of subcall function 0040792F: char_traits.LIBCPMT ref: 0040794D

SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,?), ref: 004062E1

Part of subcall function 004085B7: __EH_prolog3.LIBCMT ref: 004085BE

CoCreateInstance.OLE32(0043F4F0,00000000,00000001,004468FC,?,0000039C,00406D6B,00000001,00000000,00000054,0041256B), ref: 0040635D

Strings

Can't get folder path, xrefs: 004063E2
Can't get path manager, xrefs: 004064AD
Can't get path, xrefs: 00406305, 00406488

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _memset$ConditionCreateFolderFreeH_prolog3H_prolog3_H_prolog3_catchInfoInstanceMaskPathTaskVerifyVersionchar_traits
String ID: Can't get folder path$Can't get path$Can't get path manager
API String ID: 1415865164-2805621233
Opcode ID: 5f908d3b0e1b2593efe7d562c91a9fdeb02cd0ca8d4c057800c5db6346feb313
Instruction ID: cda54d0edd6cc6a380d5e662025ca81617251cfa486a44f9c08fafff5f68c7d9
Opcode Fuzzy Hash: 5f908d3b0e1b2593efe7d562c91a9fdeb02cd0ca8d4c057800c5db6346feb313
Instruction Fuzzy Hash: F0518470A00219ABDB20DB61CC49BAEB778AF94704F1141FEA44AB71D1DB789F85CF19

Function 00411A33 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 162COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00411A3D
_memset.LIBCMT ref: 00411A9E

Part of subcall function 004135A4: vswprintf.LIBCMT ref: 004135D3

Part of subcall function 0041079B: __EH_prolog3_GS.LIBCMT ref: 004107A2

Part of subcall function 0040B25D: __EH_prolog3_GS.LIBCMT ref: 0040B264

Strings

pif, xrefs: 00411C69
x6E, xrefs: 00411C78
Content-Type: application/xml;, xrefs: 00411B8B
x6E, xrefs: 00411C5B
x6E, xrefs: 00411A73
ip%ib%i, xrefs: 00411AAB

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: H_prolog3_$_memsetvswprintf
String ID: Content-Type: application/xml;$ip%ib%i$pif$x6E$x6E$x6E
API String ID: 4124506358-3644493703
Opcode ID: 8d647bbd49e4cdce378f12b6fa3485bc0664f3254850d1bad4daf1daeff0d60f
Instruction ID: 65d12f4c91cbe42406175b64e498fdc30aa3fbb403da9430d641dee05db7ce33
Opcode Fuzzy Hash: 8d647bbd49e4cdce378f12b6fa3485bc0664f3254850d1bad4daf1daeff0d60f
Instruction Fuzzy Hash: 8151F7719002049BD724EF60CD86FE9B375AB50349F5080AEE506673D2EF78BE89CB58

Function 004180AD Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004180B7

Part of subcall function 0040BB7F: __EH_prolog3.LIBCMT ref: 0040BB86

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 004181F1

Part of subcall function 0040CAE1: __EH_prolog3_catch.LIBCMT ref: 0040CAE8

Part of subcall function 0040C966: __EH_prolog3_catch.LIBCMT ref: 0040C96D

Strings

"; filename=", xrefs: 0041811F
Content-Disposition: form-data; name=", xrefs: 0041810A
XjD, xrefs: 004181E6
"Content-Type: text/plain, xrefs: 00418134
--4jhf94jdfksjhf452f186c710c89c4--, xrefs: 00418160
--4jhf94jdfksjhf452f186c710c89c4, xrefs: 004180FA

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: H_prolog3_catch$H_prolog3H_prolog3_Ios_base_dtorstd::ios_base::_
String ID: --4jhf94jdfksjhf452f186c710c89c4$Content-Disposition: form-data; name="$"Content-Type: text/plain$"; filename="$--4jhf94jdfksjhf452f186c710c89c4--$XjD
API String ID: 1279379151-4271319089
Opcode ID: 52c36b5fdd49bb6d37e744863eec194dd96ed2336a592a43435246916bba976c
Instruction ID: 4b995c2a744c1ddece03d463ebd6e9d0b7c18df028cc2e0fe8b65ffdd6eb92b1
Opcode Fuzzy Hash: 52c36b5fdd49bb6d37e744863eec194dd96ed2336a592a43435246916bba976c
Instruction Fuzzy Hash: EE415D70E00218CBDF14EFA5C8917DEB7B1AF58304F10856EE405B7282EB789E45CB98

Function 00410BE3 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00410BED
char_traits.LIBCPMT ref: 00410CCB
char_traits.LIBCPMT ref: 00410D2A
char_traits.LIBCPMT ref: 00410D52

Strings

ILIGHT=1, xrefs: 00410D24, 00410D29, 00410D31
rp%ib%i, xrefs: 00410EA1
--partner 350760 --distr /passive /msicl ", xrefs: 00410D65

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: char_traits$H_prolog3_
String ID: ILIGHT=1$--partner 350760 --distr /passive /msicl "$rp%ib%i
API String ID: 1272491415-1483123067
Opcode ID: 5663259c243dc02f892eddd9eff1ea7f81b4e1aa06a1de34d7789f12ec617c51
Instruction ID: 26454d8ca1d1010b6d5119bef454d6ffad1006b850a88020fd325884435a407d
Opcode Fuzzy Hash: 5663259c243dc02f892eddd9eff1ea7f81b4e1aa06a1de34d7789f12ec617c51
Instruction Fuzzy Hash: EA91B4719042449EDB14EF65CC91BEEB774AF54308F1041AFE4096B2C2EBB86EC9CB59

Function 00411361 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 123COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00411368
char_traits.LIBCPMT ref: 004113A3

Part of subcall function 004069BD: __EH_prolog3_GS.LIBCMT ref: 004069C4

Part of subcall function 0040E246: __EH_prolog3.LIBCMT ref: 0040E24D

Strings

set-firewall, xrefs: 00411473
HsD, xrefs: 00411392
--install, xrefs: 004113FB
set-default, xrefs: 0041143F
set-autoload, xrefs: 00411408

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: H_prolog3_$H_prolog3char_traits
String ID: --install$HsD$set-autoload$set-default$set-firewall
API String ID: 2082697881-219580848
Opcode ID: dfc987fb44fc86c8156e66c2880e7ad32ad173f73f139ab832ad5a5e5ede8716
Instruction ID: fa1b93f12dd47e36ae9365630b89337ca43310f328a9a2e76c0d5b1c177d9476
Opcode Fuzzy Hash: dfc987fb44fc86c8156e66c2880e7ad32ad173f73f139ab832ad5a5e5ede8716
Instruction Fuzzy Hash: B441C2B0900244AEDB11EFA5DD52BEE77A89B14309F10406FE601732E2DBB85F48CB69

Function 0040500B Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

_Allocate.LIBCPMT ref: 00405069
_memmove.LIBCMT ref: 0040507F
_memmove.LIBCMT ref: 0040508B
_memmove.LIBCMT ref: 004050A0
_memmove.LIBCMT ref: 004050DE

Strings

vector<T> too long, xrefs: 00405118
7;@, xrefs: 00405012, 004050DA, 00405085, 00405084, 004050D9

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _memmove$Allocate
String ID: 7;@$vector<T> too long
API String ID: 164242391-310408468
Opcode ID: 3a38c6e5aa2ddd81e7ca97e13ed13f45947669089b0a7f624e790382fe837168
Instruction ID: 846c4cfc3cd499f754bbaa1b7810af9ea4576ad6024d936176250d48cf1bf8ef
Opcode Fuzzy Hash: 3a38c6e5aa2ddd81e7ca97e13ed13f45947669089b0a7f624e790382fe837168
Instruction Fuzzy Hash: 8931A6317003046FCB18DF79DC8595B3B6AEB88315724853EF505E73A2DE79E5048A9C

Function 004014A5 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 81threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00401437: LocalAlloc.KERNEL32(00000040,?,0040147B), ref: 00401447

GetTempPathW.KERNEL32(000007FF,00000000,?,?,?,?,?,?,?,?,0044A470,00000018), ref: 004014D6
InterlockedIncrement.KERNEL32(004586F8), ref: 004014F2
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,0044A470,00000018), ref: 004014FA
GetCurrentThreadId.KERNEL32 ref: 00401502

Part of subcall function 0040138B: FormatMessageW.KERNEL32(00000500,?,00000000,00000000,?,00000000,?), ref: 004013AE

@_EH4_CallFilterFunc@8.LIBCMT ref: 00401540
@_EH4_CallFilterFunc@8.LIBCMT ref: 0040158F

Strings

%1!X!%2!X!%3!X!.tmp, xrefs: 0040150B

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CallCurrentFilterFunc@8$AllocFormatIncrementInterlockedLocalMessagePathProcessTempThread
String ID: %1!X!%2!X!%3!X!.tmp
API String ID: 895105491-2542139142
Opcode ID: 17b2f3322326ef919418e8528f8c480b59b22b2ba456cc8b28584e246cd9f1df
Instruction ID: 030fafe0c2975669cb7042466d1401b9c3cc9c1d745b3c4a0464b4ee223eca41
Opcode Fuzzy Hash: 17b2f3322326ef919418e8528f8c480b59b22b2ba456cc8b28584e246cd9f1df
Instruction Fuzzy Hash: ED21D770E002256BDB10EFB49C45AAE76B4AF88715B54013AE416F72E2EA3C8905CB69

Function 0043BB24 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

FindCompleteObject.LIBCMT ref: 0043BB45
FindMITargetTypeInstance.LIBCMT ref: 0043BB7E

Part of subcall function 0043B7E4: PMDtoOffset.LIBCMT ref: 0043B876

FindVITargetTypeInstance.LIBCMT ref: 0043BB85
PMDtoOffset.LIBCMT ref: 0043BB96
std::bad_exception::bad_exception.LIBCMT ref: 0043BBBF
__CxxThrowException@8.LIBCMT ref: 0043BBCD

Strings

Bad dynamic_cast!, xrefs: 0043BBB7

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Find$InstanceOffsetTargetType$CompleteException@8ObjectThrowstd::bad_exception::bad_exception
String ID: Bad dynamic_cast!
API String ID: 1565299582-2956939130
Opcode ID: 247727003ec0a2bc7ea7e4db58ce68e8253137726b72f01529c68a74c4b03ecd
Instruction ID: c701a43b06601729c5de3573edf4b4d4ae75f9a7e87b509fe8e824d4d288e2d9
Opcode Fuzzy Hash: 247727003ec0a2bc7ea7e4db58ce68e8253137726b72f01529c68a74c4b03ecd
Instruction Fuzzy Hash: D3216272A002149FDB00DFA5DC42BAEB764EF4C715F54101FFA1597246DF39AA01DBA8

Function 0040E169 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 59synchronizationCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040E17F
ShellExecuteExW.SHELL32(0000003C), ref: 0040E1C3
WaitForSingleObject.KERNEL32(?,000493E0), ref: 0040E1DE
GetExitCodeProcess.KERNEL32(?,?), ref: 0040E1F2
CloseHandle.KERNEL32(?), ref: 0040E1FF

Strings

<, xrefs: 0040E187
open, xrefs: 0040E1B2

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CloseCodeExecuteExitHandleObjectProcessShellSingleWait_memset
String ID: <$open
API String ID: 92095861-1930408713
Opcode ID: 4ac1cbbead16c8b053b55380fce2543cb3ea706b32947fd5fe14654f946cfc95
Instruction ID: d725bc00e6e62d2de4ac386822da2e0cda6000ace5d5e7403746e75202f8aecb
Opcode Fuzzy Hash: 4ac1cbbead16c8b053b55380fce2543cb3ea706b32947fd5fe14654f946cfc95
Instruction Fuzzy Hash: 63115BB0D00218EBDF108F96EC88A9EBBB9FB05355F10047AE804B7250D7355E59CB68

Function 0041589C Relevance: 12.1, APIs: 8, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000002,?), ref: 004158C7
GlobalLock.KERNEL32(00000000), ref: 004158D4
_memmove.LIBCMT ref: 004158DB
CreateStreamOnHGlobal.OLE32(00000000,00000000,?), ref: 004158EC
GdipAlloc.GDIPLUS(00000010), ref: 004158F4
GlobalUnlock.KERNEL32(00000000), ref: 0041590C
GlobalFree.KERNEL32(00000000), ref: 00415913
_free.LIBCMT ref: 0041591A

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Global$Alloc$CreateFreeGdipLockStreamUnlock_free_memmove
String ID:
API String ID: 776961203-0
Opcode ID: 1007a58431882b9d728c5888b88a845bbbbf69567934408229e29289a486088e
Instruction ID: 56b9bdeed27106255a21f31d47d9c7fe0531014287572c4d2997165b34963398
Opcode Fuzzy Hash: 1007a58431882b9d728c5888b88a845bbbbf69567934408229e29289a486088e
Instruction Fuzzy Hash: 04115E72A00208FBDB009FA0EC49CAE3B6DEB89751710447EF905CA251DA359E41D7A8

Function 0040A5BA Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 0040A5DE
_memmove.LIBCMT ref: 0040A633
_memmove.LIBCMT ref: 0040A63F
_memmove.LIBCMT ref: 0040A651

Part of subcall function 00423D6A: _malloc.LIBCMT ref: 00423D82

_memmove.LIBCMT ref: 0040A688

Strings

vector<T> too long, xrefs: 0040A6AA, 0040A6EE

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _memmove$Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception_malloc
String ID: vector<T> too long
API String ID: 3237892064-3788999226
Opcode ID: 8c9ce6eef54e065c700bb1f32dcd1f56be48b58ae709b7cd79e7479662b4d7b9
Instruction ID: 657a951124ff5660cc4f6895092ec2017f0db79183c45ed3381f691874610855
Opcode Fuzzy Hash: 8c9ce6eef54e065c700bb1f32dcd1f56be48b58ae709b7cd79e7479662b4d7b9
Instruction Fuzzy Hash: F841B1B1600306ABCB14AF69D88195ABBA9FF04354714862EF518D7740DB39E9608A99

Function 0040E6B3 Relevance: 10.6, APIs: 7, Instructions: 105COMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?,?,?,?), ref: 0040E6D3
GdipGetImageWidth.GDIPLUS(?,?,?,?), ref: 0040E6FE
GdipGetImageWidth.GDIPLUS(?,00000000,?,?), ref: 0040E729
GdipGetImageHeight.GDIPLUS(?,00000000,?,?), ref: 0040E769
GdipCreateFromHDC.GDIPLUS(?,00000000,?,?), ref: 0040E79A
EndPaint.USER32(?,?,?,?,?,?), ref: 0040E7C5
GdipDeleteGraphics.GDIPLUS(?,?,?), ref: 0040E7CE

Part of subcall function 004034BD: MulDiv.KERNEL32(?,00000060), ref: 004034D0

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Gdip$Image$PaintWidth$BeginCreateDeleteFromGraphicsHeight
String ID:
API String ID: 4241542294-0
Opcode ID: 604be2dc801cd5b4f9220c9ec80bd64fcac1708e77a14548fbf8d3262f9031e2
Instruction ID: a4c6f071edd989cd3f68b29b07f2f166a5072e78da37956864840872c0ad15fa
Opcode Fuzzy Hash: 604be2dc801cd5b4f9220c9ec80bd64fcac1708e77a14548fbf8d3262f9031e2
Instruction Fuzzy Hash: 534116B2D002199FCB00DFE5CC44AAEBBB8FF08315F14417AE905EB295EB75A919CB54

Function 00406500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 89COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040650A
_memset.LIBCMT ref: 0040652F

Part of subcall function 00406221: _memset.LIBCMT ref: 00406242
Part of subcall function 00406221: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000001), ref: 00406266
Part of subcall function 00406221: VerifyVersionInfoW.KERNEL32(0000011C,00000002,00000000), ref: 00406277

SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 00406550
GetFileAttributesW.KERNEL32(00000000,?), ref: 00406595
GetTempPathW.KERNEL32(00000105,?), ref: 0040660F

Strings

\temp, xrefs: 00406576, 004065E5

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Path_memset$AttributesConditionFileFolderH_prolog3_InfoMaskTempVerifyVersion
String ID: \temp
API String ID: 2535338759-299273985
Opcode ID: df9413112d858ae19dfa6ab64a1c60492b827e2df9359407288a046e8d3ba5a5
Instruction ID: 5c1c7ce91fb6459ef8daeaefebc89d3eae4d0ca7ec1dc087fe013dec4e8bf918
Opcode Fuzzy Hash: df9413112d858ae19dfa6ab64a1c60492b827e2df9359407288a046e8d3ba5a5
Instruction Fuzzy Hash: 5731B671601215ABDB14FBA0DD89B9E77A89F04708F5005BBA10AB71D1DB789E44CF58

Function 00405E25 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

GdipGetImageEncodersSize.GDIPLUS(?,?,0044AAF8,0000001C,0040613A), ref: 00405E47
_malloc.LIBCMT ref: 00405E58

Part of subcall function 004233F8: __FF_MSGBANNER.LIBCMT ref: 0042340F
Part of subcall function 004233F8: __NMSG_WRITE.LIBCMT ref: 00423416
Part of subcall function 004233F8: RtlAllocateHeap.NTDLL(00660000,00000000,00000001,?,?,?,?,004011E6), ref: 0042343B

@_EH4_CallFilterFunc@8.LIBCMT ref: 00405E72
GdipGetImageEncoders.GDIPLUS(?,?,00000000), ref: 00405E88
@_EH4_CallFilterFunc@8.LIBCMT ref: 00405EEB

Strings

image/png, xrefs: 00405E96

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CallEncodersFilterFunc@8GdipImage$AllocateHeapSize_malloc
String ID: image/png
API String ID: 4055285158-2966254431
Opcode ID: 0a7cffdaabb71e51b5a8023522bc28de60615dac7ba0e56e69e1f258c5dac84b
Instruction ID: 6f443ea867ac21ee6a7213a428923c9fee71e815441b008d7ca8109a3a937655
Opcode Fuzzy Hash: 0a7cffdaabb71e51b5a8023522bc28de60615dac7ba0e56e69e1f258c5dac84b
Instruction Fuzzy Hash: AD21D671D006159ACB00DFA5C9419EFB675FF54315B64423BE825B72D1D7398A01CF98

Function 00428BC6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00428BC6

Part of subcall function 00425C8F: EncodePointer.KERNEL32(00000000,?,00428BCB,00424FC5,0044D308,00000014), ref: 00425C92
Part of subcall function 00425C8F: __initp_misc_winsig.LIBCMT ref: 00425CAD
Part of subcall function 00425C8F: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00427623
Part of subcall function 00425C8F: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00427637
Part of subcall function 00425C8F: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0042764A
Part of subcall function 00425C8F: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0042765D
Part of subcall function 00425C8F: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00427670
Part of subcall function 00425C8F: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00427683
Part of subcall function 00425C8F: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00427696
Part of subcall function 00425C8F: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 004276A9
Part of subcall function 00425C8F: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 004276BC
Part of subcall function 00425C8F: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 004276CF
Part of subcall function 00425C8F: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 004276E2
Part of subcall function 00425C8F: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 004276F5
Part of subcall function 00425C8F: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00427708
Part of subcall function 00425C8F: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 0042771B
Part of subcall function 00425C8F: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 0042772E
Part of subcall function 00425C8F: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00427741

__mtinitlocks.LIBCMT ref: 00428BCB
__mtterm.LIBCMT ref: 00428BD4

Part of subcall function 00428C3C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00428BD9,00424FC5,0044D308,00000014), ref: 0042E663
Part of subcall function 00428C3C: _free.LIBCMT ref: 0042E66A
Part of subcall function 00428C3C: DeleteCriticalSection.KERNEL32(NE,?,?,00428BD9,00424FC5,0044D308,00000014), ref: 0042E68C

__calloc_crt.LIBCMT ref: 00428BF9
__initptd.LIBCMT ref: 00428C1B
GetCurrentThreadId.KERNEL32 ref: 00428C22

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: a32198b9bcabd6873260add76403e05d1b6b5325740bc30518d5badc756f72a2
Instruction ID: f0c7057509e3e750efa4d8641e8d526bdca92d4d33bf0d2653a26df3bbe9a948
Opcode Fuzzy Hash: a32198b9bcabd6873260add76403e05d1b6b5325740bc30518d5badc756f72a2
Instruction Fuzzy Hash: AFF0C23231B73129E2347677BC0665F6A848F00778FA4062FF420C52D2FF1D9882015D

Function 00424B05 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00424BCE,?), ref: 00424B1F
GetProcAddress.KERNEL32(00000000), ref: 00424B26
EncodePointer.KERNEL32(00000000), ref: 00424B32
DecodePointer.KERNEL32(00000001,00424BCE,?), ref: 00424B4F

Strings

RoInitialize, xrefs: 00424B0E
combase.dll, xrefs: 00424B1A

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 74b4986fd06737f2fc19b801d9999ea9f8d89ee42acaf29ddd3938cd89a5deaa
Instruction ID: 60ded4eba2b11c77984f842998915a91ede2d89ca29cb36594c39c1d66d79ed2
Opcode Fuzzy Hash: 74b4986fd06737f2fc19b801d9999ea9f8d89ee42acaf29ddd3938cd89a5deaa
Instruction Fuzzy Hash: 35E07575A90304BBEE115F70FD09B153A65B785B0AF906435F609DA1B1FBB898889A0C

Function 00424BDA Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00424AF4), ref: 00424BF4
GetProcAddress.KERNEL32(00000000), ref: 00424BFB
EncodePointer.KERNEL32(00000000), ref: 00424C06
DecodePointer.KERNEL32(00424AF4), ref: 00424C21

Strings

RoUninitialize, xrefs: 00424BE3
combase.dll, xrefs: 00424BEF

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 088e486a9ba555f9930cbf190732dad374a4be7a57b7722e1af24b7f9980c213
Instruction ID: 9180643d3b947f2e6e7c6fc3fb523e52f09163adab373c5fed473728b426bc46
Opcode Fuzzy Hash: 088e486a9ba555f9930cbf190732dad374a4be7a57b7722e1af24b7f9980c213
Instruction Fuzzy Hash: 59E09274A40304FBEA145FA5FD09B063BA4A788707F61A435F609D51B2EBB888888F1C

Function 0040E7E9 Relevance: 9.1, APIs: 6, Instructions: 115windowCOMMON

Download Yara Rule

APIs

IsDlgButtonChecked.USER32(?), ref: 0040E81D
CheckDlgButton.USER32(?,?,00000000), ref: 0040E82D
SendMessageW.USER32(?,?,00000004,?), ref: 0040E866
CheckDlgButton.USER32(?,?,00000001), ref: 0040E88E
SendMessageW.USER32(?,?,00000004,?), ref: 0040E8CD
IsDlgButtonChecked.USER32(?,00000001), ref: 0040E915

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Button$CheckCheckedMessageSend
String ID:
API String ID: 2408100105-0
Opcode ID: 472b8f54255d852f9face60a643a1eb80f8aec402a8091215071d6098ffdb10e
Instruction ID: 78d7a78f5e75b3976611ac763487d974ce810b690b8bb11ef96d569ec44b3381
Opcode Fuzzy Hash: 472b8f54255d852f9face60a643a1eb80f8aec402a8091215071d6098ffdb10e
Instruction Fuzzy Hash: 8F419139200102AFC754DF29C984E95BBE4FF05314F40826EF9499BA92C732F965CB90

Function 0040E5C8 Relevance: 9.1, APIs: 6, Instructions: 87COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 0040E61A
SetBkColor.GDI32(?,00000000), ref: 0040E622
GetSysColorBrush.USER32(0000000F), ref: 0040E62A
LoadCursorW.USER32(00000000,00007F00), ref: 0040E669
SetCursor.USER32(00000000), ref: 0040E670
DeleteObject.GDI32(?), ref: 0040E694

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Color$Cursor$BrushDeleteLoadObject
String ID:
API String ID: 68902092-0
Opcode ID: 75fda9e00c082a758571a55cdf75c5b9acdc5033b11deeb7ccee7f84baa65166
Instruction ID: 21d982b2bc617361d25c2d73ed5eedcd270f8ddd4930c6fff6136c33668945b7
Opcode Fuzzy Hash: 75fda9e00c082a758571a55cdf75c5b9acdc5033b11deeb7ccee7f84baa65166
Instruction Fuzzy Hash: 74212035104101ABCB145B6ABD48E7B3BACEB74701F840D3BF546E22E0CA7A9C21962D

Function 00414086 Relevance: 9.1, APIs: 6, Instructions: 56COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 004140AF
GetDlgItem.USER32(?,00000002), ref: 004140B9
GetDlgItem.USER32(?,00000004), ref: 004140C3
GetDlgItem.USER32(?,00000003), ref: 004140CD
SetBkColor.GDI32(?,00FFFFFF), ref: 004140F6
GetStockObject.GDI32(00000000), ref: 004140FE

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Item$ColorObjectStock
String ID:
API String ID: 1663661790-0
Opcode ID: 74e6638b04db83bc42c776e8a198510084f21e84bc49845e598d9efcc5b7e8f3
Instruction ID: e68e0145347c8531725b75692787a5094fd1bdf21b098dd9e7d3f6c177e7002d
Opcode Fuzzy Hash: 74e6638b04db83bc42c776e8a198510084f21e84bc49845e598d9efcc5b7e8f3
Instruction Fuzzy Hash: 46115E75E00209ABCB00DFA5DC85AAEBFB5FF48311F40456AEA14A7290DB74AA54CF94

Function 0040FC49 Relevance: 9.1, APIs: 6, Instructions: 53windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,00000005,?), ref: 0040FC71
GetSysColor.USER32(0000000F), ref: 0040FC80
SetBkColor.GDI32(?,00000000), ref: 0040FC8A
GetSysColorBrush.USER32(0000000F), ref: 0040FC92
GetWindowLongW.USER32(?,000000EB), ref: 0040FCA0
SetWindowLongW.USER32(?,000000FC,00000000), ref: 0040FCAF

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Color$LongWindow$BrushMessageSend
String ID:
API String ID: 3134631659-0
Opcode ID: 3619c2774414eaec061f0fdb97f556c073a8d28213c83b691242146af6d3e8a1
Instruction ID: 04b4360ad2418072fc9eecead2d52ce8374078c2759cf49105debdeec3dea7bf
Opcode Fuzzy Hash: 3619c2774414eaec061f0fdb97f556c073a8d28213c83b691242146af6d3e8a1
Instruction Fuzzy Hash: 4201693A10850ABFEB211F55ED09D6B7B29FB04321F104236F926A19F0CB369864DB69

Function 00413E0C Relevance: 9.1, APIs: 6, Instructions: 53windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000065), ref: 00413E3F
GetWindowTextW.USER32(00000000,?,00000100), ref: 00413E54
StrCmpNW.SHLWAPI(?,?,00000100), ref: 00413E67
SetWindowTextW.USER32(00000000,?), ref: 00413E73
GetDlgItem.USER32(?,00000064), ref: 00413E7E
SendMessageW.USER32(00000000,00000402,?,00000000), ref: 00413E92

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ItemTextWindow$MessageSend
String ID:
API String ID: 4055436057-0
Opcode ID: 089d0d5649ec4f42a748250fe2006293db44323a309b83aa7fcefd21ef9160fe
Instruction ID: b6a96d4c0f11765226092326f1092f5a0e29bab5f2deebaa6c4358c42e104295
Opcode Fuzzy Hash: 089d0d5649ec4f42a748250fe2006293db44323a309b83aa7fcefd21ef9160fe
Instruction Fuzzy Hash: 5511C87AA40308FBDB109F60DC4DF9B7B7CEB48701F1080BAFA05D6191DA769A04CB54

Function 0041B7D6 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 158COMMON

Download Yara Rule

APIs

__ecvt_s.LIBCMT ref: 0041B87F
_memset.LIBCMT ref: 0041B920

Strings

Infinity, xrefs: 0041B842
NaN, xrefs: 0041B836
-Infinity, xrefs: 0041B84F, 0041B872, 0041B873

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __ecvt_s_memset
String ID: -Infinity$Infinity$NaN
API String ID: 3060828135-2857212649
Opcode ID: 6a3563ee6f0f34d9b020c45c55d6a3601027cc1fd3e195601a8b24256f03aa2a
Instruction ID: 3c052919c6b56ad4ec93c6d0a9317e79f532a1b55d9ee855025736cc9d9ee39d
Opcode Fuzzy Hash: 6a3563ee6f0f34d9b020c45c55d6a3601027cc1fd3e195601a8b24256f03aa2a
Instruction Fuzzy Hash: 38518C759147488ADB11DF38D8507EEBBF8DF16300F14419FE885B7301DB288882C7A8

Function 0040D06A Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0040D0FE
_memmove.LIBCMT ref: 0040D15E
_memmove.LIBCMT ref: 0040D186

Strings

string too long, xrefs: 0040D1B7
invalid string position, xrefs: 0040D1AD

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 0bdcc3451a53281bb960ee85ce237becb9989f0f8433b0534d582434e9e9ff0f
Instruction ID: ab53bd61a4523f349316453517cc98c962f88d700f191e107e846823d9ea553e
Opcode Fuzzy Hash: 0bdcc3451a53281bb960ee85ce237becb9989f0f8433b0534d582434e9e9ff0f
Instruction Fuzzy Hash: 2B41B331B003049BDB24DE98DD84A5B77B6EF45704B14053EF846AB2C1CB79DD4AC7AA

Function 0040CDDA Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0040CE69
_memmove.LIBCMT ref: 0040CEAC
_memmove.LIBCMT ref: 0040CED6

Strings

string too long, xrefs: 0040CEFD
invalid string position, xrefs: 0040CF07

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 7c276d3c5873862efdea44384aa9aeb6e09a192408702faf637d3b0a9b6c394d
Instruction ID: 02d075121d4be4ee1b85eaf10d9a8e82ebae89402b7e90d8b5869852c7e5a3f7
Opcode Fuzzy Hash: 7c276d3c5873862efdea44384aa9aeb6e09a192408702faf637d3b0a9b6c394d
Instruction Fuzzy Hash: 99419D71200204DBDB34CF18D9C096A77AAEB857047204B3FE856AB3C1D739E942CBE9

Function 00408412 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 106COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040841C
EnterCriticalSection.KERNEL32(004585BC,000000BC,00412BD4), ref: 00408427
LeaveCriticalSection.KERNEL32(004585BC), ref: 00408441

Part of subcall function 00405851: __EH_prolog3.LIBCMT ref: 00405858

Part of subcall function 00403E1D: char_traits.LIBCPMT ref: 00403E36

Part of subcall function 004091F7: __EH_prolog3_catch.LIBCMT ref: 004091FE
Part of subcall function 004091F7: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 004092A1

Part of subcall function 004180AD: __EH_prolog3_GS.LIBCMT ref: 004180B7
Part of subcall function 004180AD: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 004181F1

Strings

DjD, xrefs: 00408430
http://g.itorrent.bz/support.i, xrefs: 004084C6

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CriticalH_prolog3_Section$Concurrency::details::_Concurrent_queue_base_v4::_EnterH_prolog3H_prolog3_catchInternal_throw_exceptionIos_base_dtorLeavechar_traitsstd::ios_base::_
String ID: DjD$http://g.itorrent.bz/support.i
API String ID: 2386813964-735448917
Opcode ID: 8d926f27aaf359c690fbe4c147ecd8f5e885a50eb5bb1b6ded04a17aa4cd3c61
Instruction ID: d0984ec074dcb09c385c0921564facf04c5eaffe129efd5ce336abd474970a4a
Opcode Fuzzy Hash: 8d926f27aaf359c690fbe4c147ecd8f5e885a50eb5bb1b6ded04a17aa4cd3c61
Instruction Fuzzy Hash: F6414F30900268EADB15EB51CC55BDEBB38AF51304F5040AEE54573182DF781F89CA6A

Function 00418A24 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00418A78
_memmove.LIBCMT ref: 00418A8A
_memmove.LIBCMT ref: 00418A9C
_memmove.LIBCMT ref: 00418AD3

Strings

vector<T> too long, xrefs: 00418AF5

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _memmove
String ID: vector<T> too long
API String ID: 4104443479-3788999226
Opcode ID: c3596f2e22a591598f36a6820c99c5f2b17c7e27e4fd3f96c9cfd97b63f6d4be
Instruction ID: 64cad27290486e1f9f9ebf741cbbaf24fd12648acc7f64256846290041c3cb19
Opcode Fuzzy Hash: c3596f2e22a591598f36a6820c99c5f2b17c7e27e4fd3f96c9cfd97b63f6d4be
Instruction Fuzzy Hash: 8221A5B2600116BFCB04DF69DD8599ABB79FF08344B10852EF51897301EB35E960CBD8

Function 00411816 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 81COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0041185C

Part of subcall function 004135A4: vswprintf.LIBCMT ref: 004135D3

Part of subcall function 0041079B: __EH_prolog3_GS.LIBCMT ref: 004107A2

Strings

pdf, xrefs: 00411891
dp%ib%i, xrefs: 00411869
x6E, xrefs: 004118F1
x6E, xrefs: 00411836

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: H_prolog3__memsetvswprintf
String ID: dp%ib%i$pdf$x6E$x6E
API String ID: 29975221-2371465077
Opcode ID: 69732abc92f7fb45f1d8a4ba851c339690ef2b4a4f1aedf00280aefbac49a363
Instruction ID: 3c4bf2cfdbd2524e31ae69215d8d6fffb08cf6c0925edf3b2a5da57a9cb51153
Opcode Fuzzy Hash: 69732abc92f7fb45f1d8a4ba851c339690ef2b4a4f1aedf00280aefbac49a363
Instruction Fuzzy Hash: 76212731B00304ABD708EFB9D895BBD7BA5EB44319F40402EF6065B392DB79AD858798

Function 0040E337 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 004034A0: MulDiv.KERNEL32(?,00000048), ref: 004034B3

CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,000000CC,00000000,00000000,00000005,00000000,Calibri), ref: 0040E38B
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,000000CC,00000000,00000000,00000005,00000000,Calibri), ref: 0040E3B5
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,000000CC,00000000,00000000,00000005,00000002,Arial), ref: 0040E3DF

Strings

Calibri, xrefs: 0040E359, 0040E365, 0040E38D
Arial, xrefs: 0040E3B7

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CreateFont
String ID: Arial$Calibri
API String ID: 1830492434-3143271472
Opcode ID: 1119b04e1f4adc43f96847dbbbed878917360d826fff803a159736cb13d469ad
Instruction ID: a26e272c2c31c8bcbbee2ac165e69fd93a116824182e96f6c85807be2a5464a8
Opcode Fuzzy Hash: 1119b04e1f4adc43f96847dbbbed878917360d826fff803a159736cb13d469ad
Instruction Fuzzy Hash: 07112DF0B807097EF6109B399C46F376E9CD749756F514126BD08EB1C2E6B84C004A78

Function 0041C8F3 Relevance: 7.9, APIs: 5, Instructions: 411COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0041C8FD

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: H_prolog3_
String ID:
API String ID: 2427045233-0
Opcode ID: 10b0db66d8254bf1cfc03125b96b8ab86d6a5c4c8afa3918e48a377d182d9c3a
Instruction ID: 4ae37cd0ea27515cf6dc1486d50d573136b41ad5f042b35645b980e5770ddf8f
Opcode Fuzzy Hash: 10b0db66d8254bf1cfc03125b96b8ab86d6a5c4c8afa3918e48a377d182d9c3a
Instruction Fuzzy Hash: 43E18D71C40A09DACB05DFA4D8905EEBB76FF4E314F24824EE4057B151EB3999C2CBA8

Function 004016EE Relevance: 7.6, APIs: 5, Instructions: 72filememoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000000,0044A4D0,00000018,004030F4,0044A6E8,00000018,00403254), ref: 00401702

Part of subcall function 00401664: GetFileSizeEx.KERNEL32(?,?), ref: 00401683

LocalAlloc.KERNEL32(00000040,00000014), ref: 0040172A
CreateFileMappingW.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000), ref: 00401754
MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 0040176C
@_EH4_CallFilterFunc@8.LIBCMT ref: 00401790

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: File$AllocCallCreateErrorFilterFunc@8LastLocalMappingSizeView
String ID:
API String ID: 1189735882-0
Opcode ID: 2d1a410b74ab523735f7a634867ffcd70156b9e1a80247a65af1311bcbcfd06c
Instruction ID: 70a6bceb7bf200b0760ee97c2e066cac7ed96d84eeb14adb82ff5478da5bc847
Opcode Fuzzy Hash: 2d1a410b74ab523735f7a634867ffcd70156b9e1a80247a65af1311bcbcfd06c
Instruction Fuzzy Hash: A82195B4A003099FDB24DFA8C885ABE77F4AF48314F14417EE405B73D1C6798D048B28

Function 0042EDE8 Relevance: 7.6, APIs: 5, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0042EDF4

Part of subcall function 004233F8: __FF_MSGBANNER.LIBCMT ref: 0042340F
Part of subcall function 004233F8: __NMSG_WRITE.LIBCMT ref: 00423416
Part of subcall function 004233F8: RtlAllocateHeap.NTDLL(00660000,00000000,00000001,?,?,?,?,004011E6), ref: 0042343B

_free.LIBCMT ref: 0042EE07

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: c177ffb7d49970c6ecea95cc6c63f60acfa8dbb714a9a763cecf45e75d3c1f06
Instruction ID: 84ea3e0069e41ae92f8b6924154eb98145f09f121d242a3e9220bc6b8a468d72
Opcode Fuzzy Hash: c177ffb7d49970c6ecea95cc6c63f60acfa8dbb714a9a763cecf45e75d3c1f06
Instruction Fuzzy Hash: B4119431B00639ABCF253B77BC45B5B36989F00368BA1053BF9099A251DA7DC880C69D

Function 0040F4C2 Relevance: 7.6, APIs: 5, Instructions: 52COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0040F4EB
GetDlgItem.USER32(?,00000002), ref: 0040F4F5
GetDlgItem.USER32(?,00000003), ref: 0040F4FF
SetBkColor.GDI32(?,00FFFFFF), ref: 0040F528
GetStockObject.GDI32(00000000), ref: 0040F530

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Item$ColorObjectStock
String ID:
API String ID: 1663661790-0
Opcode ID: e4cd8d67397070eb732ff8e967f9d5f6ed5987914a2923e4647e894c17b6b053
Instruction ID: aaf89cb2323c3a222a27202acc0b89cdf8fe8c20a197071689c9442db659b279
Opcode Fuzzy Hash: e4cd8d67397070eb732ff8e967f9d5f6ed5987914a2923e4647e894c17b6b053
Instruction Fuzzy Hash: FF118B71E00209FBCB10DFA9DD45AAEBBB5FF08300F50417AE905E7291DB70AA14CBA0

Function 00417ED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 127COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00417EDA

Part of subcall function 00418943: _memmove.LIBCMT ref: 0041899B
Part of subcall function 00418943: _memmove.LIBCMT ref: 004189C0

Part of subcall function 0040403B: _memmove.LIBCMT ref: 0040405B

Strings

", xrefs: 00417F73
4jhf94jdfksjhf452f186c710c89c4, xrefs: 00417F1E
--4jhf94jdfksjhf452f186c710c89c4--, xrefs: 0041805A

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _memmove$H_prolog3_
String ID: "$--4jhf94jdfksjhf452f186c710c89c4--$4jhf94jdfksjhf452f186c710c89c4
API String ID: 4009893447-2352833847
Opcode ID: 505750287b12934479f406604c73c7c4ebc13b4842395b508f80f47a993fb619
Instruction ID: 425c3565a9a7e986c2dbe40d211d3f7a5773420f2704f13f84d35c73ec18e22c
Opcode Fuzzy Hash: 505750287b12934479f406604c73c7c4ebc13b4842395b508f80f47a993fb619
Instruction Fuzzy Hash: DA512070A00218DEEB14EF65CD91BDDBBB1AF18304F6080AEE605772C2DBB46E48CB55

Function 00417AC5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00417ACF

Part of subcall function 00423D6A: _malloc.LIBCMT ref: 00423D82

__beginthreadex.LIBCMT ref: 00417B0F
CloseHandle.KERNEL32(00000000,0000009C,00412372,7055389B), ref: 00417B18

Strings

Content-Type: application/json;, xrefs: 00417B23

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CloseH_prolog3_Handle__beginthreadex_malloc
String ID: Content-Type: application/json;
API String ID: 2846763876-3482751464
Opcode ID: ea637636dd78e14735a57ccfaa2af261f4987a2df7a6af3613cbbd433f167944
Instruction ID: abe3bf597a8ed785c1617d037b6195b758e9967ab08d788d91e817086635b175
Opcode Fuzzy Hash: ea637636dd78e14735a57ccfaa2af261f4987a2df7a6af3613cbbd433f167944
Instruction Fuzzy Hash: BA319071C05114AADB15EBA6DC46EDFBB7C9F51348F1041AFB10573182EE782F48CA69

Function 00412CF0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 99COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00412D92
_memmove.LIBCMT ref: 00412DB2

Strings

string too long, xrefs: 00412DE3
invalid string position, xrefs: 00412DD9

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 78aba3436c9a7563c23e2985ea3885af1175cc28d285cda10b3844a8a782f7c8
Instruction ID: fbf1768666f47b327ecce23165898225bad4220c164bf76617ce4ecf6e37835f
Opcode Fuzzy Hash: 78aba3436c9a7563c23e2985ea3885af1175cc28d285cda10b3844a8a782f7c8
Instruction Fuzzy Hash: 593192303007049BDB249F1DEA4499BBBA9EF85754B10092FF856C7381C7B9E9A087A9

Function 0041190C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00411913
ShellExecuteW.SHELL32(00000000,00000000,00000000,--start,00000000,00000005), ref: 00411959
MoveFileW.KERNEL32(00000000,00000000), ref: 004119B1

Strings

--start, xrefs: 00411951

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ExecuteFileH_prolog3_MoveShell
String ID: --start
API String ID: 3648082551-3513725784
Opcode ID: 439ae14c3850e0988b9e93d5669a17e3e7c3ef785926392691b4cb9135b18039
Instruction ID: b0b3ebde7b29dd6ec17f2134c6303d1cd5aabd18c28d123de16a5e3ee5c198e2
Opcode Fuzzy Hash: 439ae14c3850e0988b9e93d5669a17e3e7c3ef785926392691b4cb9135b18039
Instruction Fuzzy Hash: 5E31D5B0811244EBC724EFA5ED559AE7774EF8530AB10013FF112671B2DB789A44CB6D

Function 00406E12 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 89fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00406E1C

Part of subcall function 0040814F: vswprintf.LIBCMT ref: 0040817E

Part of subcall function 00403E1D: char_traits.LIBCPMT ref: 00403E36

Part of subcall function 00406500: __EH_prolog3_GS.LIBCMT ref: 0040650A
Part of subcall function 00406500: _memset.LIBCMT ref: 0040652F
Part of subcall function 00406500: SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 00406550

Part of subcall function 00406857: __EH_prolog3.LIBCMT ref: 0040685E
Part of subcall function 00406857: PathAppendW.SHLWAPI(00000000,?,0000000C,004069FA,?,itorrent-application.exe,0000003C,0040756C), ref: 004068C1

Part of subcall function 00406203: GetFileAttributesW.KERNEL32(?,0040DDD4,?,00000184,0040DFA6,?,00000000,?,?,?,?,?,?,0043D89B,000000FF), ref: 0040620C

DeleteFileW.KERNEL32(?), ref: 00406ED7

Strings

ipartner%i_%i_%i.exe, xrefs: 00406E39
Too small buffer, xrefs: 00406F35

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: FileH_prolog3_Path$AppendAttributesDeleteFolderH_prolog3_memsetchar_traitsvswprintf
String ID: Too small buffer$ipartner%i_%i_%i.exe
API String ID: 4035436367-3067181009
Opcode ID: 14a51824f434d8a7b114c2fc91d093794c287e62e5b26666278070245492a1aa
Instruction ID: cfa7cd92500677f9f9e30e4361c46c9faf066bbab61363879bcc592718f51b70
Opcode Fuzzy Hash: 14a51824f434d8a7b114c2fc91d093794c287e62e5b26666278070245492a1aa
Instruction Fuzzy Hash: 38319C70A002199BDB24EB21CD46BDEB374AF54708F5041FEA20AB60D1DF785F98CE99

Function 00412EE5 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 80COMMON

Download Yara Rule

APIs

Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 00412F63

Part of subcall function 00423D6A: _malloc.LIBCMT ref: 00423D82

Strings

8Qi, xrefs: 00412F19, 00412F2E, 00412F48
8Ui, xrefs: 00412F50, 00412F69
XQi, xrefs: 00412F11, 00412F25, 00412F56, 00412F71

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception_malloc
String ID: 8Qi$8Ui$XQi
API String ID: 657562460-2883074133
Opcode ID: 061db7dda5efb9cc6466accdb2582fbd956c9f32197d9b06a35faff5fb125a9e
Instruction ID: 4a1b863313415172712ea5aedceaa5400e341e34423d22cca9ea566d14fe6b80
Opcode Fuzzy Hash: 061db7dda5efb9cc6466accdb2582fbd956c9f32197d9b06a35faff5fb125a9e
Instruction Fuzzy Hash: 1A21E7736002101B97089F7CAEC18A67769E798321719433FFA19E32D5CDB4EC91969C

Function 0041172E Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00411735

Part of subcall function 0040532C: __EH_prolog3_GS.LIBCMT ref: 00405336

Strings

ptD, xrefs: 00411742
<tD, xrefs: 00411797
dtD, xrefs: 00411756

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: H_prolog3_
String ID: <tD$dtD$ptD
API String ID: 2427045233-1265484696
Opcode ID: 47b2b227d705f3038caf3793f565e692366c2756fe2908b3c523cc5aab8ec2b3
Instruction ID: c65b5cd9b2b8ae70545eca1a4f468770e385d552eddece3f99c1c34840a2c244
Opcode Fuzzy Hash: 47b2b227d705f3038caf3793f565e692366c2756fe2908b3c523cc5aab8ec2b3
Instruction Fuzzy Hash: B811EB71601200AFD718BFA5AC529AE3665DB4434AB50403FF2026B3E3CF7C9E45865D

Function 00435533 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 0043554A
_wcscmp.LIBCMT ref: 0043555B

Strings

ACP, xrefs: 00435544
OCP, xrefs: 00435555

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _wcscmp
String ID: ACP$OCP
API String ID: 856254489-711371036
Opcode ID: a3ee4c64dfe03094497c873a060030730c42dbe5755b05517f704ffc56aee54f
Instruction ID: f964b9b60d69c3079d81f8f20d37274d23a6ada51bccc06082724ac4ba31a21f
Opcode Fuzzy Hash: a3ee4c64dfe03094497c873a060030730c42dbe5755b05517f704ffc56aee54f
Instruction Fuzzy Hash: FD01D621600A05BAEB106E69EC46BDB33B99F0C359F045827F904DA285F77CF65042DD

Function 00406BFE Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 00403E1D: char_traits.LIBCPMT ref: 00403E36

char_traits.LIBCPMT ref: 00406C2C

Strings

http://tfile.me/forum/download.php?id=706491&ak=11xxxxxxxx, xrefs: 00406C1A
magnet:, xrefs: 00406C24, 00406C2B, 00406C33, 00406C34
FreeSpacer_setup.exe.[tfile.ru].torrent.exe.torrent, xrefs: 00406C5B

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: char_traits
String ID: FreeSpacer_setup.exe.[tfile.ru].torrent.exe.torrent$http://tfile.me/forum/download.php?id=706491&ak=11xxxxxxxx$magnet:
API String ID: 1158913984-586054935
Opcode ID: 5cd5758db9c10e71c92e291b0142349a20150dbca2dac376d4d1542878734df8
Instruction ID: 474f0db7c1ce3e7e2187bd7b67d33717d050057802253f82ba6b5abeb153908d
Opcode Fuzzy Hash: 5cd5758db9c10e71c92e291b0142349a20150dbca2dac376d4d1542878734df8
Instruction Fuzzy Hash: 92F0F971B4020867D604EA669C53BBE736CDF85719F50023FB911772C1EE7C6E45825D

Function 00402DB8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 44sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00401367: LocalFlags.KERNEL32(?,00000000,00401920,?,?,00000000,00000000,?,00000000,?,?,00000000,00000000,?,00000000), ref: 00401371
Part of subcall function 00401367: LocalFree.KERNEL32(?,?,?,00000000,00000000,?,00000000,?,?,00000000,00000000,?,00000000), ref: 00401380

LocalFree.KERNEL32(?,00402DA0,0044A680,00000080), ref: 00402DD0

Part of subcall function 0040205C: Sleep.KERNEL32(0000012C,?,?,?,?,?,?,0044A5B0,00000024), ref: 004020A5
Part of subcall function 0040205C: SetEvent.KERNEL32(?,?,?,?,?,?,?,0044A5B0,00000024), ref: 004020B5

Sleep.KERNEL32(0000012C,?,?,?,?,?,?,?,?,00402DA0,0044A680,00000080), ref: 00402E05
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,00402DA0,0044A680,00000080), ref: 00402E15

Strings

Can't start downloading, xrefs: 00402E1E

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Local$EventFreeSleep$Flags
String ID: Can't start downloading
API String ID: 2595757405-642209808
Opcode ID: 10c81494cf74317edd1eda8ab10f892169d5b856f7118f0cafd6986c6e518e89
Instruction ID: e5fd38ee2cefbb517b0654aa061f1c99f74be26c97c525d6d25c6fdc7e604d85
Opcode Fuzzy Hash: 10c81494cf74317edd1eda8ab10f892169d5b856f7118f0cafd6986c6e518e89
Instruction Fuzzy Hash: C0019230A002048BEF28AF21DA48B6F76B1BF45705F44043EE002719D1CBB86D45CA8D

Function 0040328A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 0040328B
RemovePropW.USER32(00000000,USER-CALLBACK-STRUCT-8CF23F47-B5D4-49C5-ABA8-E10617869E66), ref: 0040329B
DestroyWindow.USER32(00000000), ref: 004032A2

Strings

USER-CALLBACK-STRUCT-8CF23F47-B5D4-49C5-ABA8-E10617869E66, xrefs: 00403295

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Window$DestroyPropRemove
String ID: USER-CALLBACK-STRUCT-8CF23F47-B5D4-49C5-ABA8-E10617869E66
API String ID: 1208278663-191918380
Opcode ID: 6996b86ec5bbe6ba5e5ec4ad52f708c87b2612037b5128482b0a4a3e23218315
Instruction ID: e06217b19a75a683b1bb0284ae50b9f1197288f63c37a9c8cbf8fc27fd0636fc
Opcode Fuzzy Hash: 6996b86ec5bbe6ba5e5ec4ad52f708c87b2612037b5128482b0a4a3e23218315
Instruction Fuzzy Hash: 64E06D75A1020597CB00AFB2DC859AE7A7C6E04706B4411BEA802B22E2DF3CCA04862C

Function 00439A6E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00439AC1: _memset.LIBCMT ref: 00439ACE

Part of subcall function 00418C17: InitializeCriticalSectionAndSpinCount.KERNEL32(004552A4,00000000,00455290,00439A9D,?,?,?,00401167), ref: 00418C1C
Part of subcall function 00418C17: GetLastError.KERNEL32(?,?,?,00401167), ref: 00418C26

IsDebuggerPresent.KERNEL32(?,?,?,00401167), ref: 00439AA1
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00401167), ref: 00439AB0

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00439AAB
pYD, xrefs: 00439A91

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerErrorInitializeLastOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule$pYD
API String ID: 436010757-2140561303
Opcode ID: 308374348299f4ca63c200ba3b0e9b3b67c7fe22f00814d5b093fb3b34925bbd
Instruction ID: 3e4de3afa981b8ae560b05c1c24c26c8cdcbdb6888c865af24a87a0343b9d94d
Opcode Fuzzy Hash: 308374348299f4ca63c200ba3b0e9b3b67c7fe22f00814d5b093fb3b34925bbd
Instruction Fuzzy Hash: A4E06DB0600750CBD720EF66E8047427AE4AB08358F10992EE896C2241DBB8D8488F69

Function 0040E952 Relevance: 6.2, APIs: 4, Instructions: 164COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000005), ref: 0040EA20
_memmove.LIBCMT ref: 0040E9BA

Part of subcall function 00403E1D: char_traits.LIBCPMT ref: 00403E36

Part of subcall function 004078C5: __EH_prolog3.LIBCMT ref: 004078CC
Part of subcall function 004078C5: char_traits.LIBCPMT ref: 004078F7
Part of subcall function 004078C5: char_traits.LIBCPMT ref: 0040790C

Part of subcall function 00405457: char_traits.LIBCPMT ref: 00405468

Part of subcall function 004068F9: AssocQueryStringW.SHLWAPI(00000000,00000002,http,open,?,?), ref: 0040693C

_memmove.LIBCMT ref: 0040EA7B
ShellExecuteW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000005), ref: 0040EAE5

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: char_traits$ExecuteShell_memmove$AssocH_prolog3QueryString
String ID:
API String ID: 4019695314-0
Opcode ID: 4e60f385890f64c278c05d73b90f2a0ed8ede64ae6f7a0d9dbfb3fd9eeeef69f
Instruction ID: 2d207d9e68e4e9dfe2bcd2d990fef91c5353be8775d14a75848bc9dc490b0d30
Opcode Fuzzy Hash: 4e60f385890f64c278c05d73b90f2a0ed8ede64ae6f7a0d9dbfb3fd9eeeef69f
Instruction Fuzzy Hash: 92516C71A00208AEDB10EB95DC85FDEB7B8EB04318F50457EE206A71C1EB74AE44CB65

Function 0043A9E0 Relevance: 6.2, APIs: 4, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 0043AA71
_memmove.LIBCMT ref: 0043AAE5
___AdjustPointer.LIBCMT ref: 0043AB36
_memmove.LIBCMT ref: 0043AB3F

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AdjustPointer_memmove
String ID:
API String ID: 1721217611-0
Opcode ID: bb0439265f5064f9e4e9b6b47625b802f0fb418c9bd08e7fa8f732ed6e6d4337
Instruction ID: b5ca4326ca5c214d94ade9f8f836757ded19b9425b26b1c03e64a02441901986
Opcode Fuzzy Hash: bb0439265f5064f9e4e9b6b47625b802f0fb418c9bd08e7fa8f732ed6e6d4337
Instruction Fuzzy Hash: 08413A322803035EEB249F65D851B2773E6DF09324F24501FFA85862E1EB7EE860C65A

Function 00439661 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

__Getcvt.LIBCPMT ref: 004396B9
MultiByteToWideChar.KERNEL32(?,00000009,?,00000002,00000000,00000000,?,?,?), ref: 00439707
MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,00000000,00000000,?,?,?), ref: 0043977D
MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,00000000,00000000,?,?,?), ref: 004397A5

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ByteCharMultiWide$Getcvt
String ID:
API String ID: 3195005509-0
Opcode ID: d16f6a421d07191767b8cc63d80c54c6e72dac664fa6b748cad2a349bbdb683d
Instruction ID: 111df32dc8aa6f4cc0793f73f0051f1d0de3f51e74bf94a3680989757f8134ea
Opcode Fuzzy Hash: d16f6a421d07191767b8cc63d80c54c6e72dac664fa6b748cad2a349bbdb683d
Instruction Fuzzy Hash: CC410F31A11345EFDB218F64D881BABB7F9EF49310F14502AF8518B290D7B9DC54CB58

Function 00402EBF Relevance: 6.1, APIs: 4, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401CD0: @_EH4_CallFilterFunc@8.LIBCMT ref: 00401D04

LocalAlloc.KERNEL32(00000040,00000019,0044A6A8,00000024,00403230,Function_0000313F,?,00000000), ref: 00402F59
WinHttpCrackUrl.WINHTTP(?,?,00000000,00002074,0044A6A8,00000024,00403230,Function_0000313F,?,00000000), ref: 00402FCA
SetEvent.KERNEL32(?), ref: 00402FE4
@_EH4_CallFilterFunc@8.LIBCMT ref: 00402FF5

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CallFilterFunc@8$AllocCrackEventHttpLocal
String ID:
API String ID: 3069150556-0
Opcode ID: e27651e2f4193711a8fba06376fe38715b0384a0f38c59bd44f3ded85e17deb6
Instruction ID: d3bce951d455c649fc0e85e28c2efb29aee1857387ac8cb35a7e46944641a1c5
Opcode Fuzzy Hash: e27651e2f4193711a8fba06376fe38715b0384a0f38c59bd44f3ded85e17deb6
Instruction Fuzzy Hash: E5418B30A013019BDF18DF64C8847AA7BB1BF48319F14027AE815BB2D2D7B9A951CB58

Function 00430446 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0043047C
__isleadbyte_l.LIBCMT ref: 004304AA
MultiByteToWideChar.KERNEL32(00000080,00000009,00428774,00000001,00000000,00000000,?,00000000,00000000,?,?,00428774,00000000), ref: 004304D8
MultiByteToWideChar.KERNEL32(00000080,00000009,00428774,00000001,00000000,00000000,?,00000000,00000000,?,?,00428774,00000000), ref: 0043050E

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 31cca6a267a7a79c81f2495e93ba3531c260cbc37dc32a86dcb123380b114288
Instruction ID: 3df82db2bdd0cbb165ff717a9585900bb89539ec5c4b03ae7926247feabab6d4
Opcode Fuzzy Hash: 31cca6a267a7a79c81f2495e93ba3531c260cbc37dc32a86dcb123380b114288
Instruction Fuzzy Hash: B231F230A00206AFDB21CF35C854B7B7BB5FF49310F15522AE964872A0E738D950DB94

Function 0040754F Relevance: 6.1, APIs: 4, Instructions: 77fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004069BD: __EH_prolog3_GS.LIBCMT ref: 004069C4

DeleteFileW.KERNEL32(00000000), ref: 0040757B
DeleteFileW.KERNEL32(00000000,00000001,00000000), ref: 0040759B
DeleteFileW.KERNEL32(00000000,00000001,00000000), ref: 004075B9
DeleteFileW.KERNEL32(?,00000001,00000000), ref: 004075EE

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: DeleteFile$H_prolog3_
String ID:
API String ID: 3558260747-0
Opcode ID: 62f9de8935547a17f4cabcdc230e40f1e66d87e06f546796a5ee407423873112
Instruction ID: 1d7fec56eb948ce4b8726a670cfc9a7252243acae89278369a45da634ed6429e
Opcode Fuzzy Hash: 62f9de8935547a17f4cabcdc230e40f1e66d87e06f546796a5ee407423873112
Instruction Fuzzy Hash: C0214B71D05214ABCB14EB65DC849EEB3B4EF05304B01407AE502B7691DA38FD09CBAA

Function 004031BB Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 004028EE: @_EH4_CallFilterFunc@8.LIBCMT ref: 0040293E

CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,0044A708,00000040,00405325), ref: 004031E1
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 004031EC

Part of subcall function 00402EBF: LocalAlloc.KERNEL32(00000040,00000019,0044A6A8,00000024,00403230,Function_0000313F,?,00000000), ref: 00402F59
Part of subcall function 00402EBF: WinHttpCrackUrl.WINHTTP(?,?,00000000,00002074,0044A6A8,00000024,00403230,Function_0000313F,?,00000000), ref: 00402FCA
Part of subcall function 00402EBF: SetEvent.KERNEL32(?), ref: 00402FE4
Part of subcall function 00402EBF: @_EH4_CallFilterFunc@8.LIBCMT ref: 00402FF5

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00403246

Part of subcall function 004030AE: @_EH4_CallFilterFunc@8.LIBCMT ref: 00403101

@_EH4_CallFilterFunc@8.LIBCMT ref: 00403261

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CallFilterFunc@8$Event$Create$AllocCrackHttpLocalMultipleObjectsWait
String ID:
API String ID: 3533588738-0
Opcode ID: fb7d263850bbc8059c594a7e2dd3b49fc220ec3b190de1d6228af82cdf39d5c0
Instruction ID: dca8789877530075bc3908bd566b60e54a7fb258f35c6f6ba95e276bb25d8812
Opcode Fuzzy Hash: fb7d263850bbc8059c594a7e2dd3b49fc220ec3b190de1d6228af82cdf39d5c0
Instruction Fuzzy Hash: 312119B1D0121CABDB10DFEADC819AEBABCBF48715F64026FE414B7291D6744E018B68

Function 0043A313 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 0043A32A

Part of subcall function 0043A952: ___AdjustPointer.LIBCMT ref: 0043A99B

_UnwindNestedFrames.LIBCMT ref: 0043A341
___FrameUnwindToState.LIBCMT ref: 0043A353
CallCatchBlock.LIBCMT ref: 0043A377

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: b3cdfde7ad9c98751fdf5e820463348c1216ecb7041a313df150442cb574fb80
Instruction ID: 1f2ad22f670f09560bb290a3af2385551b11a67cbc7e3ba1de8c3b78ac9ce2b7
Opcode Fuzzy Hash: b3cdfde7ad9c98751fdf5e820463348c1216ecb7041a313df150442cb574fb80
Instruction Fuzzy Hash: F4011732040109BBCF129F56CC01EDB3FAAEF5C754F15911AFD5865121C37AE8719BA5

Function 0042F76D Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0042F791

Part of subcall function 0042FE78: __fltout2.LIBCMT ref: 0042FEA1

__cftog_l.LIBCMT ref: 0042F7B7
__cftoe_l.LIBCMT ref: 0042F7E9

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 4b6a9445c5ae121d29ce48bec7989c6fa23d7f71ebdfbcb7f82741279fafcf5d
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 4C016D3210015EBBCF125E84EC418EE3F32BB59354B998426FE1898131D33AC9B6AB85

Function 004139DC Relevance: 6.0, APIs: 4, Instructions: 44windowCOMMON

Download Yara Rule

APIs

IsDlgButtonChecked.USER32(?), ref: 00413A07
CheckDlgButton.USER32(?,?,00000000), ref: 00413A17
CheckDlgButton.USER32(?,?,00000001), ref: 00413A24
SendMessageW.USER32(?,00000111,00000004), ref: 00413A39

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Button$Check$CheckedMessageSend
String ID:
API String ID: 1986796423-0
Opcode ID: 8f9342e8cce7af186aeda7e8d511e8b295a5678a8325ffec57e19b9ef501b0ab
Instruction ID: f645c338b8c0d7f113f7494d0b159f51ee7d163187acc0653bf0e04128d043e0
Opcode Fuzzy Hash: 8f9342e8cce7af186aeda7e8d511e8b295a5678a8325ffec57e19b9ef501b0ab
Instruction Fuzzy Hash: BAF0C23A110180BFDB311F59DC09EE3BEADEB80B52B40813AB98381530C6659D86D66C

Function 004039A5 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004039AC
ConvertSidToStringSidW.ADVAPI32(?,?), ref: 004039D7
char_traits.LIBCPMT ref: 004039E9
LocalFree.KERNEL32(?,?,00000000,?,?,00000024,00403AC5), ref: 004039FE

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ConvertFreeH_prolog3_LocalStringchar_traits
String ID:
API String ID: 169268410-0
Opcode ID: 18a71a8801d695ad9a1a79c4b9705fc52f2e20e91ed8b57db0e9f48f8ecbc2e9
Instruction ID: 330d9bc12d9727ac1ac3f0f7a88a301a3c85e4169af4813c262263d67a8e7101
Opcode Fuzzy Hash: 18a71a8801d695ad9a1a79c4b9705fc52f2e20e91ed8b57db0e9f48f8ecbc2e9
Instruction Fuzzy Hash: AB010C74E002499BDF04EFAAD8859EEBA79BF4C318F54903EE505B2291DB785D048F28

Function 004015BA Relevance: 6.0, APIs: 4, Instructions: 40fileCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000000,0044A490,0000000C), ref: 004015C9

Part of subcall function 004014A5: GetTempPathW.KERNEL32(000007FF,00000000,?,?,?,?,?,?,?,?,0044A470,00000018), ref: 004014D6
Part of subcall function 004014A5: InterlockedIncrement.KERNEL32(004586F8), ref: 004014F2
Part of subcall function 004014A5: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,0044A470,00000018), ref: 004014FA
Part of subcall function 004014A5: GetCurrentThreadId.KERNEL32 ref: 00401502
Part of subcall function 004014A5: @_EH4_CallFilterFunc@8.LIBCMT ref: 00401540

@_EH4_CallFilterFunc@8.LIBCMT ref: 004015EC
CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,04000180,00000000), ref: 0040160C
@_EH4_CallFilterFunc@8.LIBCMT ref: 00401625

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CallFilterFunc@8$Current$CreateErrorFileIncrementInterlockedLastPathProcessTempThread
String ID:
API String ID: 3475211110-0
Opcode ID: 34b87f0dbcbe3df7386f326c4b5b9c3e8a1a737779554f15d66951518aee7c16
Instruction ID: 3e42059fc0f5822d4af85387583df8ecc2e3d4aade6683734adf05e26881119b
Opcode Fuzzy Hash: 34b87f0dbcbe3df7386f326c4b5b9c3e8a1a737779554f15d66951518aee7c16
Instruction Fuzzy Hash: 17F0FC74E0013576EB20ABB55C06F6F7A689F84725F914337F824E50D2EA7C85058BD9

Function 0040F470 Relevance: 6.0, APIs: 4, Instructions: 32windowCOMMON

Download Yara Rule

APIs

IsDlgButtonChecked.USER32(?), ref: 0040F481
CheckDlgButton.USER32(?,?,00000000), ref: 0040F491
CheckDlgButton.USER32(?,?,00000001), ref: 0040F49F
SendMessageW.USER32(?,?,00000004), ref: 0040F4B4

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Button$Check$CheckedMessageSend
String ID:
API String ID: 1986796423-0
Opcode ID: a739c95703bed1df9eee9445c3692930df16dbbc5381ef42d85f35f4dce13d78
Instruction ID: 2dd1631989e9fb7164fb77f5827661894abfcb801cdf10967938aef3d0dc2dbf
Opcode Fuzzy Hash: a739c95703bed1df9eee9445c3692930df16dbbc5381ef42d85f35f4dce13d78
Instruction Fuzzy Hash: ADF0A735100200FFCA305B56DC09F83BFBDEBD0B21F008039F54591570C772A854DA68

Function 00413BE5 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000065), ref: 00413BF9
GetSysColor.USER32(0000000F), ref: 00413C06
SetBkColor.GDI32(?,00000000), ref: 00413C10
GetSysColorBrush.USER32(0000000F), ref: 00413C18

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Color$BrushItem
String ID:
API String ID: 3803424071-0
Opcode ID: fecbe8c2bfac452e58defb22ee1d628d190a85a930236f64c590d68ff21d41b0
Instruction ID: 7bd2706b96af9ea98ffd0390f34b300d1e0f6ffff7780355e58701eae065b045
Opcode Fuzzy Hash: fecbe8c2bfac452e58defb22ee1d628d190a85a930236f64c590d68ff21d41b0
Instruction Fuzzy Hash: B3F0123654011AEBCF115F50DE08AEF3B66EB14712F004076F915641B1D7764A60EB99

Function 0040352D Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00403539
GetDeviceCaps.GDI32(00000000,00000058), ref: 00403548
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00403556
ReleaseDC.USER32(00000000,00000000), ref: 00403564

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 2da7e04bd421032d5aa95e48f3d49375f71dfc27a8c331f257f8a82925c83d4b
Instruction ID: 813063950483375aaa198c9ca935c761bd9f72d4ac645af099198c97e3464c41
Opcode Fuzzy Hash: 2da7e04bd421032d5aa95e48f3d49375f71dfc27a8c331f257f8a82925c83d4b
Instruction Fuzzy Hash: 2AE0E575944741BAD7214F79AC0CF0B3E64A791B83F101179F601A62E2CAB98209CF18

Function 0041C53F Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 324COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0041C546

Strings

xml:lang, xrefs: 0041C744

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: H_prolog3_
String ID: xml:lang
API String ID: 2427045233-1948011537
Opcode ID: 924a20635c3bfcac2b6e5bda8936e3db9bf50112da069c52851502780b8c9a03
Instruction ID: 7fc906d94d09242db3d9e4f75970ca516389942f3187305b824f8e7da6cb0be9
Opcode Fuzzy Hash: 924a20635c3bfcac2b6e5bda8936e3db9bf50112da069c52851502780b8c9a03
Instruction Fuzzy Hash: B6B190B19442199FCF04DF94CCD19FFBBB6AF49704B14805FE405AB241C778A986CBA9

Function 004176E0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 149COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004176EA

Part of subcall function 0040CC96: __EH_prolog3.LIBCMT ref: 0040CC9D

Part of subcall function 0040403B: _memmove.LIBCMT ref: 0040405B

Part of subcall function 00417C27: __EH_prolog3.LIBCMT ref: 00417C2E

Part of subcall function 00403C90: __EH_prolog3.LIBCMT ref: 00403C97

Strings

{"event" : "%s","data" : "%s","sig" : "%s"}, xrefs: 00417827
0Rg, xrefs: 0041771A

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: H_prolog3$H_prolog3__memmove
String ID: 0Rg${"event" : "%s","data" : "%s","sig" : "%s"}
API String ID: 2656386499-3338501967
Opcode ID: d3924819417c2322680ee298debf6e84a43b7705bb6dde07e2fec652c55780b4
Instruction ID: 094cf1ca1e528da2df96152cc5edfa81d088ece3f7dd7b99d285d6d9b9260e12
Opcode Fuzzy Hash: d3924819417c2322680ee298debf6e84a43b7705bb6dde07e2fec652c55780b4
Instruction Fuzzy Hash: 1951F6319001149BDB14EB65CC56FEEB7B49F95309F2080AEE405B71C2DB786F49CBA9

Function 004091F7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 004091FE
Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 004092A1

Part of subcall function 00438F67: std::exception::exception.LIBCMT ref: 00438F7A
Part of subcall function 00438F67: __CxxThrowException@8.LIBCMT ref: 00438F8F

Strings

vector<T> too long, xrefs: 0040924B

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Concurrency::details::_Concurrent_queue_base_v4::_Exception@8H_prolog3_catchInternal_throw_exceptionThrowstd::exception::exception
String ID: vector<T> too long
API String ID: 2196761064-3788999226
Opcode ID: 50f161bb024fd402a996a34298e67b17f92c3a76f47c4b922eb2a7c16730a005
Instruction ID: d32636fd632dd939f6c43186c43b6d3e0230567c02531e69011925aeb2a68dea
Opcode Fuzzy Hash: 50f161bb024fd402a996a34298e67b17f92c3a76f47c4b922eb2a7c16730a005
Instruction Fuzzy Hash: 2D5186B1A002069FCF14DF69C98196FB7E6BF88300B24492EF459E7381DA38ED118F58

Function 0041685F Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00416866
Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 00416909

Part of subcall function 00438F67: std::exception::exception.LIBCMT ref: 00438F7A
Part of subcall function 00438F67: __CxxThrowException@8.LIBCMT ref: 00438F8F

Strings

vector<T> too long, xrefs: 004168B3

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Concurrency::details::_Concurrent_queue_base_v4::_Exception@8H_prolog3_catchInternal_throw_exceptionThrowstd::exception::exception
String ID: vector<T> too long
API String ID: 2196761064-3788999226
Opcode ID: ad012233b0d62cc780076187e19e8683dec9f6ecc03d351a04a50b95379f2c1e
Instruction ID: 966c2bce5b770d1417b1b740f316cf37358aca0302ae19f5cf79a87638a628d1
Opcode Fuzzy Hash: ad012233b0d62cc780076187e19e8683dec9f6ecc03d351a04a50b95379f2c1e
Instruction Fuzzy Hash: 715184B1A002069FCB14DFA9C9819AFB7F6FF98304B25852EF41697740E738E950CB58

Function 0040B25D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040B264

Part of subcall function 0040403B: _memmove.LIBCMT ref: 0040405B

Part of subcall function 0040AF75: RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040AFC7

Strings

SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0040B2B5
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0040B2E5

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: H_prolog3_Open_memmove
String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall$SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 85986989-1750963809
Opcode ID: a68f33e86a2a0bc9c310702993d01b30ae31d5b04ba8614e826e85d312bfba87
Instruction ID: 805a0fbb681dcf5349d56f255c34f8674dde5e42f1a4e95d4e17d34e83914e70
Opcode Fuzzy Hash: a68f33e86a2a0bc9c310702993d01b30ae31d5b04ba8614e826e85d312bfba87
Instruction Fuzzy Hash: 2A513E71E002489FDB05EFE9C891ADDBBB5EF54304F60802EE501B7285DB786A45CB98

Function 0041025A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 118COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00410264
ShowWindow.USER32(?,00000000,000000BC,004104DB), ref: 004102C8

Part of subcall function 004085B7: __EH_prolog3.LIBCMT ref: 004085BE

Part of subcall function 0040792F: __EH_prolog3_catch.LIBCMT ref: 00407936
Part of subcall function 0040792F: char_traits.LIBCPMT ref: 0040794D

Strings

Bad window index, xrefs: 0041029B

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: H_prolog3$H_prolog3_catchShowWindowchar_traits
String ID: Bad window index
API String ID: 2526409513-1287430197
Opcode ID: 07b5ee588237bf904d2136cf72bd35c0108d251ca0cf413e34e8ce784df8561d
Instruction ID: 7d011e043c78b9c06423b48061126039c91e59c1662077e147c3f8eff1043837
Opcode Fuzzy Hash: 07b5ee588237bf904d2136cf72bd35c0108d251ca0cf413e34e8ce784df8561d
Instruction Fuzzy Hash: BF41B170501209EFDB18DFA4DD85EEEB7B4EB08341F00022EA415E72A1EF74AA85CB58

Function 00418943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 89COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0041899B
_memmove.LIBCMT ref: 004189C0

Strings

vector<T> too long, xrefs: 00418A19

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _memmove
String ID: vector<T> too long
API String ID: 4104443479-3788999226
Opcode ID: dfe9b2357dd71786d2b4e3184f956ad495caa8656b71fd7d1a03d122a40787a4
Instruction ID: 2ceebf3dc30350cb5fdce0ba3b3cf4fab00ec49c91918505cd37ab47ab174493
Opcode Fuzzy Hash: dfe9b2357dd71786d2b4e3184f956ad495caa8656b71fd7d1a03d122a40787a4
Instruction Fuzzy Hash: F231A7B2A00116BFCB04DFA9DD8599ABB69FF08344B10862EF508D7701DB35E960CBD8

Function 004135F7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0041365B

Strings

string too long, xrefs: 00413698
invalid string position, xrefs: 0041368E

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: e37e43fd939d48b1885aead5057c881767ec1a3ae7c76a65fa9594d6057ef017
Instruction ID: 0bcd57328078da1b194361534639658119dd40e7fbe2774f0f3651dda5f50c36
Opcode Fuzzy Hash: e37e43fd939d48b1885aead5057c881767ec1a3ae7c76a65fa9594d6057ef017
Instruction Fuzzy Hash: DC110A71300300ABCB309E1DD980E97BBB9EB85755B20062FF4568B381C778DA858799

Function 00408036 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0040809E

Strings

string too long, xrefs: 004080D1
invalid string position, xrefs: 004080C7

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 8ea752484cdd7eb11063283ea1d477fc95695ea833f676be24a405ab69786a32
Instruction ID: a97adef301f66b1f39f9cc2a7ea8021cef7e24b056427baa2dfe479ba610f6ea
Opcode Fuzzy Hash: 8ea752484cdd7eb11063283ea1d477fc95695ea833f676be24a405ab69786a32
Instruction Fuzzy Hash: CE11B4313003049FDB249E6DDA80A5ABBA9EF41714B15093EF895D73C1CB75E848C799

Function 004175F6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004175FD

Strings

a8b13a8ef5c233e82e7c47bb5977f38a, xrefs: 0041765D, 00417675
0Rg, xrefs: 00417604, 00417620, 00417676, 00417677, 0041769E, 004176CC

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: H_prolog3_
String ID: 0Rg$a8b13a8ef5c233e82e7c47bb5977f38a
API String ID: 2427045233-2354034299
Opcode ID: 08ac53c39c4c0738de248b6c5749d7bd360076cde0304ca3f4f4d950315a64d1
Instruction ID: 1634d216166dc5bfbc208c8ebbed16df643e4e0600036a04649637733a775ed9
Opcode Fuzzy Hash: 08ac53c39c4c0738de248b6c5749d7bd360076cde0304ca3f4f4d950315a64d1
Instruction Fuzzy Hash: FD217F70A06300AFDB05DF68EC95BDA36B1AB28306F14403EE405B72A3DF795985CB19

Function 0040AAB3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040AABD

Part of subcall function 0040BBF6: __EH_prolog3.LIBCMT ref: 0040BBFD

Part of subcall function 0040403B: _memmove.LIBCMT ref: 0040405B

Part of subcall function 0040CF12: __EH_prolog3_catch.LIBCMT ref: 0040CF19

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0040AB66

Strings

XjD, xrefs: 0040AB5E

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: H_prolog3H_prolog3_H_prolog3_catchIos_base_dtor_memmovestd::ios_base::_
String ID: XjD
API String ID: 3074314683-1934467262
Opcode ID: 9a5d34f583db22e663bf59615d247061f0f5ea4d0a61db15a78f32e60f44db78
Instruction ID: 79d5122f8eedc78ac3cd60a7f7d468408fd99b56dfde330293e89be4bf19b51f
Opcode Fuzzy Hash: 9a5d34f583db22e663bf59615d247061f0f5ea4d0a61db15a78f32e60f44db78
Instruction Fuzzy Hash: 8C2174B1C042489BCB14DF99C480ADEFFB8AF48314F14816FE50573291DB785984CF69

Function 00406857 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040685E
PathAppendW.SHLWAPI(00000000,?,0000000C,004069FA,?,itorrent-application.exe,0000003C,0040756C), ref: 004068C1

Strings

x]D, xrefs: 004068D3

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AppendH_prolog3Path
String ID: x]D
API String ID: 836219880-3674687082
Opcode ID: a1dd4a4d40d3b192a00968e1b8e0469992f9541c9062868e331d3a146d866326
Instruction ID: 3d71d78a3c93ff7f99db55a5496d25abaf90584dbcf779209f6e2ddbc7973630
Opcode Fuzzy Hash: a1dd4a4d40d3b192a00968e1b8e0469992f9541c9062868e331d3a146d866326
Instruction Fuzzy Hash: F611E672B012119BEF04EF65C84676F7BB5BF48355F14402AE905BB381CB78DA148BD9

Function 004233B1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00423E28
___raise_securityfailure.LIBCMT ref: 00423F0F

Strings

AE, xrefs: 00423F0A

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: AE
API String ID: 3761405300-199581639
Opcode ID: 68550388874296f281947afdcc5ac1e694873c2c59e698be7a14ef7cb0000940
Instruction ID: 5a92eb1bd9c43e1a17d09ca0765fab1e8f4d2f3270d48c312b9f701cd5a03b78
Opcode Fuzzy Hash: 68550388874296f281947afdcc5ac1e694873c2c59e698be7a14ef7cb0000940
Instruction Fuzzy Hash: D42116B8500321AAD700CF55F945B557BB4BB9838AF5041BAF9088F3B2E3B49AD1CB4D

Function 00408D4C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00408D53
std::ios_base::_Init.LIBCPMT ref: 00408D89

Part of subcall function 00409BBA: std::locale::_Init.LIBCPMT ref: 00409BFE

Part of subcall function 00408F50: __EH_prolog3.LIBCMT ref: 00408F57

Part of subcall function 00407EE4: __CxxThrowException@8.LIBCMT ref: 00407EDE

Strings

(jD, xrefs: 00408DC1

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: H_prolog3Init$Exception@8Throwstd::ios_base::_std::locale::_
String ID: (jD
API String ID: 3098306399-666683630
Opcode ID: 5957b3bb5992a43b6d482d713fd5ff5e45d0b073b18218991bc1276621fb7667
Instruction ID: 92e7e0dcc73fe81dc545668da8b4023718a84c8f914c6f031257bb904a158ecc
Opcode Fuzzy Hash: 5957b3bb5992a43b6d482d713fd5ff5e45d0b073b18218991bc1276621fb7667
Instruction Fuzzy Hash: 5A21F278600A058FC720DF29C18491AFBE1FF49318755C86EE58AAB742C775F901CF84

Function 0041079B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004107A2

Strings

8Qi, xrefs: 004107A7, 0041081D
XQi, xrefs: 004107AD, 00410829

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: H_prolog3_
String ID: 8Qi$XQi
API String ID: 2427045233-2401306797
Opcode ID: b4082af5aba9fe6f76ef53e0916f0e440bd14519d210cdeef02934480600a70c
Instruction ID: 6314f63fd75c3e340bbaa2f116aed151d6a6dac4d3027abf62476dc2390f0e04
Opcode Fuzzy Hash: b4082af5aba9fe6f76ef53e0916f0e440bd14519d210cdeef02934480600a70c
Instruction Fuzzy Hash: B4114231D002099FDB14EF95C992AEEBB74AF18715F54102EE60177282DBB56DC0CAA9

Function 00406D98 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 00403E1D: char_traits.LIBCPMT ref: 00403E36

char_traits.LIBCPMT ref: 00406DC6

Strings

http://tfile.me/forum/download.php?id=706491&ak=11xxxxxxxx, xrefs: 00406DB4, 00406DEE
magnet:, xrefs: 00406DBE, 00406DC5, 00406DCD, 00406DCE

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: char_traits
String ID: http://tfile.me/forum/download.php?id=706491&ak=11xxxxxxxx$magnet:
API String ID: 1158913984-3854302047
Opcode ID: d836288970b80e51ab2a17acc0723cc9b047d2d03eb224bc1099ba0fe82b8181
Instruction ID: 572149a27aca25cfca9c870ac1502b70b8008e2bc83f23603b3816d4b6a37b80
Opcode Fuzzy Hash: d836288970b80e51ab2a17acc0723cc9b047d2d03eb224bc1099ba0fe82b8181
Instruction Fuzzy Hash: 6EF04971B4020867D600EB669C52BBE7359DF8071AF50023FB812672C1EE7C6D04825D

Function 00406B6C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00406B73

Strings

http://cdn.itorrent.bz/itorrent-application/itorrent.zip, xrefs: 00406B7F
aHR0cDovL2Nkbi5pdG9ycmVudC5iei9pdG9ycmVudC1hcHBsaWNhdGlvbi9pdG9ycmVudC56aXA=, xrefs: 00406BAE

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: H_prolog3_
String ID: aHR0cDovL2Nkbi5pdG9ycmVudC5iei9pdG9ycmVudC1hcHBsaWNhdGlvbi9pdG9ycmVudC56aXA=$http://cdn.itorrent.bz/itorrent-application/itorrent.zip
API String ID: 2427045233-1856409452
Opcode ID: 4cecf25357ddcf4c5376e12d94b02e5308af13a66a30fd59fae689bfdf013837
Instruction ID: 564d93e8e4282d32b1a61a4e5103a280cd599198a6e55330564bda99e6c9b3e4
Opcode Fuzzy Hash: 4cecf25357ddcf4c5376e12d94b02e5308af13a66a30fd59fae689bfdf013837
Instruction Fuzzy Hash: 93016271D001089ADF15EB96C8859EDBBB4EF88714F44502FE501771C1DB7C5A45CB69

Function 004068F9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

AssocQueryStringW.SHLWAPI(00000000,00000002,http,open,?,?), ref: 0040693C

Part of subcall function 00403E1D: char_traits.LIBCPMT ref: 00403E36

Strings

open, xrefs: 0040692C
http, xrefs: 00406931

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AssocQueryStringchar_traits
String ID: http$open
API String ID: 424878394-2346222845
Opcode ID: 3c1484ef58ff2317e9d48c29b76d1492501d90181ac593e560173d4930a7e10d
Instruction ID: e8ee0ac40116fb7bacb662222dbbf9b6cd8e06dc5d7bb2d71e672399e87dbc5c
Opcode Fuzzy Hash: 3c1484ef58ff2317e9d48c29b76d1492501d90181ac593e560173d4930a7e10d
Instruction Fuzzy Hash: 1EF05B70A4121C57DB10DF51DC49BDEB778EB04715F4001EAA804A7281DAB85F448BD5

Function 0040272C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 00402765
WinHttpQueryDataAvailable.WINHTTP(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0044A5F0), ref: 0040278F

Strings

WINTHTTP-API-QUERY-HEADERS, xrefs: 0040274E
Got invalid header, xrefs: 00402747

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AvailableCallDataFilterFunc@8HttpQuery
String ID: Got invalid header$WINTHTTP-API-QUERY-HEADERS
API String ID: 3800719210-3722912770
Opcode ID: d484d4a53486ce6aabb8e12d59caee894002c5a507791a65f7965e7276817b21
Instruction ID: 50c241de748868880c71ccb603d52a102d06b14d859d0a930707b90afe821e5c
Opcode Fuzzy Hash: d484d4a53486ce6aabb8e12d59caee894002c5a507791a65f7965e7276817b21
Instruction Fuzzy Hash: 29E09234A40308ABEF10EA90AD46BAE73309B15719F20002BE911331C3D7BC194587AA

Function 0042A735 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 0042A750

Part of subcall function 0042E618: __mtinitlocknum.LIBCMT ref: 0042E62A
Part of subcall function 0042E618: EnterCriticalSection.KERNEL32(?,?,00428B5C,0000000D), ref: 0042E643

__updatetlocinfoEx_nolock.LIBCMT ref: 0042A760

Part of subcall function 00429C96: ___addlocaleref.LIBCMT ref: 00429CB2
Part of subcall function 00429C96: ___removelocaleref.LIBCMT ref: 00429CBD
Part of subcall function 00429C96: ___freetlocinfo.LIBCMT ref: 00429CD1

Strings

@f, xrefs: 0042A746, 0042A75B, 0042A767

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__lock__mtinitlocknum__updatetlocinfo
String ID: @f
API String ID: 547918592-729109391
Opcode ID: 40d7bdbf81b0d63fc45a8e07d0f0f7915ef6b2b97eab5bfc524eb746ccc9c5c6
Instruction ID: 3bd358f887d281f96dd0d5e7b1265939ae43fa3d4a10319c74f96995d0b1f0ea
Opcode Fuzzy Hash: 40d7bdbf81b0d63fc45a8e07d0f0f7915ef6b2b97eab5bfc524eb746ccc9c5c6
Instruction Fuzzy Hash: 09E04FB5682320A6F630ABA27D03769A3A05F4072BFE1029FA804562C7C97C5540895E

Function 0043BBE5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 0043BBCD

Part of subcall function 004274A2: RaiseException.KERNEL32(?,?,00438F94,?,?,?,?,?,?,?,00438F94,?,0044D650,?), ref: 004274F7

std::bad_exception::bad_exception.LIBCMT ref: 0043BBF4

Part of subcall function 004243AE: std::bad_exception::bad_exception.LIBCMT ref: 004243B7

Strings

Access violation - no RTTI data!, xrefs: 0043BBEC

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: std::bad_exception::bad_exception$ExceptionException@8RaiseThrow
String ID: Access violation - no RTTI data!
API String ID: 1432139112-2158758863
Opcode ID: 7401f6c9246bf44f227253701132d579bfebd7760c9006194285d0a122633539
Instruction ID: ebc2a7dfaa9e5dae0d283e81d6208440f3377fd53567630487c90332f65ff500
Opcode Fuzzy Hash: 7401f6c9246bf44f227253701132d579bfebd7760c9006194285d0a122633539
Instruction Fuzzy Hash: B9E08C71A002188FDB00DBA1C882BAE77B4AB08301F21005AA801B3184C768A800DF29

Function 00438F67 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 00438F7A

Part of subcall function 00424437: std::exception::_Copy_str.LIBCMT ref: 00424450

__CxxThrowException@8.LIBCMT ref: 00438F8F

Part of subcall function 004274A2: RaiseException.KERNEL32(?,?,00438F94,?,?,?,?,?,?,?,00438F94,?,0044D650,?), ref: 004274F7

Strings

PWD, xrefs: 00438F87

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Copy_strExceptionException@8RaiseThrowstd::exception::_std::exception::exception
String ID: PWD
API String ID: 757275642-397851064
Opcode ID: 5aec8dd2a9fe6098aca4351691c2e4cd60a3b5e2806c315c46ca792c9f8e6cac
Instruction ID: b3266332cc8dfa1f2570e984fd04a3f7e32bd381127a28a49a27aeb32845e19b
Opcode Fuzzy Hash: 5aec8dd2a9fe6098aca4351691c2e4cd60a3b5e2806c315c46ca792c9f8e6cac
Instruction Fuzzy Hash: BAD06774D0020CBB8F00EFA5D495DCDBBBCAA54744F90C467AD54A7241E678E2488B98

Function 00438F95 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 00438FA8

Part of subcall function 00424437: std::exception::_Copy_str.LIBCMT ref: 00424450

__CxxThrowException@8.LIBCMT ref: 00438FBD

Part of subcall function 004274A2: RaiseException.KERNEL32(?,?,00438F94,?,?,?,?,?,?,?,00438F94,?,0044D650,?), ref: 004274F7

Strings

\WD, xrefs: 00438FB5

Memory Dump Source

Source File: 00000000.00000002.3001581688.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001568149.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001610659.000000000043F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000450000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001627761.0000000000458000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.3001656209.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Copy_strExceptionException@8RaiseThrowstd::exception::_std::exception::exception
String ID: \WD
API String ID: 757275642-514605276
Opcode ID: e99b11950b10ce80645d43e17acb69be3086742810c612692ee50847bb129bcb
Instruction ID: d17cde7f4ea048052eb8d27722898047f82d1395a4ab4bc8649c47708ac5ddfd
Opcode Fuzzy Hash: e99b11950b10ce80645d43e17acb69be3086742810c612692ee50847bb129bcb
Instruction Fuzzy Hash: 65D067B4D0060CBB8F00FFA5D495DCEBFBCAA44744F51C467BD5497641E678A2488B98

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\7ec63eecc011967c28496572961d2a7c_9e146be9-c76a-4720-bcdb-53011b87bd06

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: file.exePID: 2360, Parent PID: 4084

Windows Analysis Report
file.exe

Function 00412753 Relevance: 38.8, APIs: 8, Strings: 14, Instructions: 331
windowCOMMON

Function 00403B58 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 125
encryptionCOMMON

Function 00405D6E Relevance: 15.1, APIs: 10, Instructions: 78
memoryCOMMON

Function 00406633 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 146
comCOMMON

Function 0041444F Relevance: 40.7, APIs: 18, Strings: 5, Instructions: 426
windowCOMMON

Function 00402216 Relevance: 35.4, APIs: 13, Strings: 7, Instructions: 399
COMMON

Function 00402979 Relevance: 31.8, APIs: 15, Strings: 3, Instructions: 345
memoryCOMMON

Function 0040FDC7 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181
windowCOMMON

Function 004108DA Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 161
windowregistryCOMMON

Function 0040F5FF Relevance: 23.0, APIs: 9, Strings: 4, Instructions: 200
windowCOMMON

Function 00413C38 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 160
windowCOMMON

Function 0040FAAE Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 159
windowCOMMON

Function 0040F85A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 62
COMMON

Function 00413A48 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 140
windowCOMMON

Function 00405C87 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 72
COMMON