Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1522739
MD5:	3d6cf2933284333f5d945c062bffcd2b
SHA1:	deb8e888fcea2139a0f91a7a87386c086b71b134
SHA256:	b3058d02ea8c370311e612bd4916e05c8c909b110d3f2c588073c59b2105dba5
Tags:	exeuser-jstrosch
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Contains functionality to register a low level keyboard hook

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample or dropped binary is a compiled AutoHotkey binary

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found potential string decryption / allocating functions

OS version to string mapping found (often used in BOTs)

PE file contains executable resources (Code or Archives)

Potential key logger detected (key state polling based)

Queries the product ID of Windows

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Classification

Process Tree

System is w10x64

file.exe (PID: 7420 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 3D6CF2933284333F5D945C062BFFCD2B)

cmd.exe (PID: 7504 cmdline: C:\Windows\sysnative\cmd.exe /c (cscript.exe /nologo C:\Users\user\AppData\Local\Temp\PID8.vbs)>>C:\Users\user\AppData\Local\Temp\kms.log MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cscript.exe (PID: 7556 cmdline: cscript.exe /nologo C:\Users\user\AppData\Local\Temp\PID8.vbs MD5: 24590BF74BBBBFD7D7AC070F4E3C44FD)

cleanup

Sigma Signatures

System Summary

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: cscript.exe /nologo C:\Users\user\AppData\Local\Temp\PID8.vbs, CommandLine: cscript.exe /nologo C:\Users\user\AppData\Local\Temp\PID8.vbs, CommandLine|base64offset|contains: z%, Image: C:\Windows\System32\cscript.exe, NewProcessName: C:\Windows\System32\cscript.exe, OriginalFileName: C:\Windows\System32\cscript.exe, ParentCommandLine: C:\Windows\sysnative\cmd.exe /c (cscript.exe /nologo C:\Users\user\AppData\Local\Temp\PID8.vbs)>>C:\Users\user\AppData\Local\Temp\kms.log, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7504, ParentProcessName: cmd.exe, ProcessCommandLine: cscript.exe /nologo C:\Users\user\AppData\Local\Temp\PID8.vbs, ProcessId: 7556, ProcessName: cscript.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: cscript.exe /nologo C:\Users\user\AppData\Local\Temp\PID8.vbs, CommandLine: cscript.exe /nologo C:\Users\user\AppData\Local\Temp\PID8.vbs, CommandLine|base64offset|contains: z%, Image: C:\Windows\System32\cscript.exe, NewProcessName: C:\Windows\System32\cscript.exe, OriginalFileName: C:\Windows\System32\cscript.exe, ParentCommandLine: C:\Windows\sysnative\cmd.exe /c (cscript.exe /nologo C:\Users\user\AppData\Local\Temp\PID8.vbs)>>C:\Users\user\AppData\Local\Temp\kms.log, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7504, ParentProcessName: cmd.exe, ProcessCommandLine: cscript.exe /nologo C:\Users\user\AppData\Local\Temp\PID8.vbs, ProcessId: 7556, ProcessName: cscript.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: cscript.exe /nologo C:\Users\user\AppData\Local\Temp\PID8.vbs, CommandLine: cscript.exe /nologo C:\Users\user\AppData\Local\Temp\PID8.vbs, CommandLine|base64offset|contains: z%, Image: C:\Windows\System32\cscript.exe, NewProcessName: C:\Windows\System32\cscript.exe, OriginalFileName: C:\Windows\System32\cscript.exe, ParentCommandLine: C:\Windows\sysnative\cmd.exe /c (cscript.exe /nologo C:\Users\user\AppData\Local\Temp\PID8.vbs)>>C:\Users\user\AppData\Local\Temp\kms.log, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7504, ParentProcessName: cmd.exe, ProcessCommandLine: cscript.exe /nologo C:\Users\user\AppData\Local\Temp\PID8.vbs, ProcessId: 7556, ProcessName: cscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: cscript.exe /nologo C:\Users\user\AppData\Local\Temp\PID8.vbs, CommandLine: cscript.exe /nologo C:\Users\user\AppData\Local\Temp\PID8.vbs, CommandLine|base64offset|contains: z%, Image: C:\Windows\System32\cscript.exe, NewProcessName: C:\Windows\System32\cscript.exe, OriginalFileName: C:\Windows\System32\cscript.exe, ParentCommandLine: C:\Windows\sysnative\cmd.exe /c (cscript.exe /nologo C:\Users\user\AppData\Local\Temp\PID8.vbs)>>C:\Users\user\AppData\Local\Temp\kms.log, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7504, ParentProcessName: cmd.exe, ProcessCommandLine: cscript.exe /nologo C:\Users\user\AppData\Local\Temp\PID8.vbs, ProcessId: 7556, ProcessName: cscript.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 39%

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: ::7S\|P2f=bV\|J/w}hut^fES.^,5.pDbZqxtLx,@oI#,oSyY?9L,MTlL,t{sZ;]uEjQYb^_EXYsoP0E2&vu*4rDj7_=ngHNnvUo4hJ\|q5-&FdF3_{GXCN00LYQ2Jgj source: file.exe, 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: ^ ::f,1PlmFP@IbV6W!op_/}E29-=ePRdnsqxb}Y@}s!;R=6qc0fQtlFmew}NL2@?L~Mi.J9WHp9(cH[D08]PJfal}WdgK~?a{Wg+bGyoUnEOOgkasdJf6@hc~}wtL[Y ::7S\|P2f=bV\|J/w}hut^fES.^,5.pDbZqxtLx,@oI#,oSyY?9L,MTlL,t{sZ;]uEjQYb^_EXYsoP0E2&vu4rDj7_=ngHNnvUo4hJ\|q5-&FdF3_{GXCN00LYQ2Jgj source: file.exe

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00475E20 _wcschr,_wcschr,_wcschr,_wcsncpy,_wcschr,FindClose,FindFirstFileW,FindClose,_wcschr,FindFirstFileW,FindClose,

0_2_00475E20

Source: file.exe, file.exe, 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://autohotkey.com
Source: file.exe, 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://autohotkey.comCould

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00408E80 SetWindowsHookExW 0000000D,Function_000047F0,00400000,00000000

0_2_00408E80

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00404330 EmptyClipboard,GlobalUnlock,CloseClipboard,GlobalUnlock,GlobalUnlock,GlobalFree,GlobalUnlock,CloseClipboard,SetClipboardData,GlobalUnlock,CloseClipboard,

0_2_00404330

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00404500 GetClipboardFormatNameW,__wcsnicmp,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,GetClipboardData,

0_2_00404500

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0040E17A GetKeyboardLayout,GetTickCount,GetCurrentThreadId,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetGUIThreadInfo,GetWindowThreadProcessId,GetModuleHandleW,GetProcAddress,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,_free,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,GetModuleHandleW,GetProcAddress,GetForegroundWindow,GetWindowThreadProcessId,

0_2_0040E17A

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040E019 __wcsnicmp,GetWindowThreadProcessId,AttachThreadInput,GetKeyboardLayout,GetModuleHandleW,GetProcAddress,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,__wcsnicmp,_wcschr,__wcsnicmp,_free,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,GetModuleHandleW,GetProcAddress,GetForegroundWindow,GetWindowThreadProcessId,	0_2_0040E019
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040E0AE GetWindowThreadProcessId,AttachThreadInput,GetKeyboardLayout,GetModuleHandleW,GetProcAddress,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,_free,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,GetModuleHandleW,GetProcAddress,GetForegroundWindow,GetWindowThreadProcessId,	0_2_0040E0AE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040E17A GetKeyboardLayout,GetTickCount,GetCurrentThreadId,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetGUIThreadInfo,GetWindowThreadProcessId,GetModuleHandleW,GetProcAddress,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,_free,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,GetModuleHandleW,GetProcAddress,GetForegroundWindow,GetWindowThreadProcessId,	0_2_0040E17A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040E2BF GetModuleHandleW,GetProcAddress,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,_free,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,GetModuleHandleW,GetProcAddress,GetForegroundWindow,GetWindowThreadProcessId,	0_2_0040E2BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040E68A _free,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,GetModuleHandleW,GetProcAddress,GetForegroundWindow,GetWindowThreadProcessId,	0_2_0040E68A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040E6B0 _free,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,GetModuleHandleW,GetProcAddress,GetForegroundWindow,GetWindowThreadProcessId,	0_2_0040E6B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040E701 __wcsnicmp,__wcsnicmp,__wcsicoll,PostMessageW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,__wcsnicmp,__wcsnicmp,__fassign,PostMessageW,PostMessageW,PostMessageW,__itow,_free,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,GetModuleHandleW,GetProcAddress,GetForegroundWindow,GetWindowThreadProcessId,	0_2_0040E701
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004117F0 GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,GetKeyState,	0_2_004117F0

System Summary

Sample or dropped binary is a compiled AutoHotkey binary

Source: C:\Users\user\Desktop\file.exe

Window found: window name: AutoHotkey

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00417101	0_2_00417101
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040C1B0	0_2_0040C1B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041EAA0	0_2_0041EAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0048CBF0	0_2_0048CBF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040BB90	0_2_0040BB90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00413421	0_2_00413421
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00413420	0_2_00413420
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041F510	0_2_0041F510
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00482F60	0_2_00482F60

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0042ECE0 appears 82 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0048E559 appears 82 times

Source: file.exe

Static PE information: Resource name: RT_RCDATA type: COM executable for DOS

Source: file.exe, 00000000.00000000.1698591836.000000000064E000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameLicenseSwitcher" vs file.exe
Source: file.exe, 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameLicenseSwitcher" vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameLicenseSwitcher" vs file.exe

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal76.spyw.evad.winEXE@6/3@0/0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0042F8D0 __wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,_memset,CreateProcessW,CloseHandle,CloseHandle,GetLastError,_memset,__wcsicoll,_wcschr,SetCurrentDirectoryW,_wcschr,_wcschr,GetFileAttributesW,_wcschr,SetCurrentDirectoryW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,GetLastError,FormatMessageW,

0_2_0042F8D0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00476DC0 SystemParametersInfoW,LoadLibraryExW,EnumResourceNamesW,FindResourceW,LoadResource,LockResource,GetSystemMetrics,FindResourceW,LoadResource,LockResource,SizeofResource,CreateIconFromResourceEx,FreeLibrary,ExtractIconW,ExtractIconW,

0_2_00476DC0

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\Desktop\LIC_SWITCH.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7512:120:WilError_03

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\PID8.vbs

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\sysnative\cmd.exe /c (cscript.exe /nologo C:\Users\user\AppData\Local\Temp\PID8.vbs)>>C:\Users\user\AppData\Local\Temp\kms.log

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 39%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\sysnative\cmd.exe /c (cscript.exe /nologo C:\Users\user\AppData\Local\Temp\PID8.vbs)>>C:\Users\user\AppData\Local\Temp\kms.log
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cscript.exe cscript.exe /nologo C:\Users\user\AppData\Local\Temp\PID8.vbs
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\sysnative\cmd.exe /c (cscript.exe /nologo C:\Users\user\AppData\Local\Temp\PID8.vbs)>>C:\Users\user\AppData\Local\Temp\kms.log	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cscript.exe cscript.exe /nologo C:\Users\user\AppData\Local\Temp\PID8.vbs	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: scrrun.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Window found: window name: SysTabControl32

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Window detected: Number of UI elements: 52

Source: file.exe

Static file information: File size 1675264 > 1048576

Source: file.exe

Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x17de00

Source:	Binary string: ::7S\|P2f=bV\|J/w}hut^fES.^,5.pDbZqxtLx,@oI#,oSyY?9L,MTlL,t{sZ;]uEjQYb^_EXYsoP0E2&vu*4rDj7_=ngHNnvUo4hJ\|q5-&FdF3_{GXCN00LYQ2Jgj source: file.exe, 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: ^ ::f,1PlmFP@IbV6W!op_/}E29-=ePRdnsqxb}Y@}s!;R=6qc0fQtlFmew}NL2@?L~Mi.J9WHp9(cH[D08]PJfal}WdgK~?a{Wg+bGyoUnEOOgkasdJf6@hc~}wtL[Y ::7S\|P2f=bV\|J/w}hut^fES.^,5.pDbZqxtLx,@oI#,oSyY?9L,MTlL,t{sZ;]uEjQYb^_EXYsoP0E2&vu4rDj7_=ngHNnvUo4hJ\|q5-&FdF3_{GXCN00LYQ2Jgj source: file.exe

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0064DBE0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

0_2_0064DBE0

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040707B push esp; ret	0_2_0040707E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040708C push esp; ret	0_2_0040708D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00407112 push esp; ret	0_2_00407113
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004075FF push esp; ret	0_2_00407602
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00406E51 push esp; ret	0_2_00406E52
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040760A push esp; ret	0_2_00407611
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00406FCC pushad ; ret	0_2_00406FCD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00406FF6 push esp; ret	0_2_00406FF7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00492FF5 push ecx; ret	0_2_00493008
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00406FB9 pushad ; ret	0_2_00406FBA

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00469130 SendMessageW,SendMessageW,SendMessageW,GetWindowLongW,IsWindowVisible,IsIconic,GetFocus,GetWindowRect,GetPropW,ShowWindow,GetUpdateRect,SendMessageW,GetWindowLongW,ShowWindow,KiUserCallbackDispatcher,GetWindowRect,PtInRect,PtInRect,PtInRect,SetFocus,SendMessageW,SendMessageW,ShowWindow,SetFocus,InvalidateRect,InvalidateRect,InvalidateRect,MapWindowPoints,InvalidateRect,	0_2_00469130
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00478C60 GetWindowThreadProcessId,GetWindowThreadProcessId,GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,SetForegroundWindow,SetForegroundWindow,GetForegroundWindow,GetWindow,AttachThreadInput,AttachThreadInput,KiUserCallbackDispatcher,	0_2_00478C60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00476360 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,	0_2_00476360

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\file.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_NetworkAdapter WHERE NetEnabled=True and PhysicalAdapter=True and PNPDeviceID LIKE '%PCI%'

Source: C:\Users\user\Desktop\file.exe

Window / User API: foregroundWindowGot 1004

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-21126

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004127C0 GetKeyboardLayout followed by cmp: cmp al, 19h and CTI: ja 004128AFh country: Russian (ru)

0_2_004127C0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00475E20 _wcschr,_wcschr,_wcschr,_wcsncpy,_wcschr,FindClose,FindFirstFileW,FindClose,_wcschr,FindFirstFileW,FindClose,

0_2_00475E20

Source: file.exe	Binary or memory string: \|HZO9xC-vW ::E5osG1?2Jaq3AWUR)5HYuCPLa+pZFUh#WRkYD)C[/0..q[lX0ia.?sNRAA]Y;,^2f.!&O?YXp+B{OLCwGe+JP)HirsbXJeC.3~b=l[m#mHlLVYN@nncxx;m8/eO ::TFoeT!YMvmud6qEmUv*4N+lCvy6yK#+0d)yhX2hP.0=GLvVAw^fA.qSfuX}R-3Z9t)r(L=xK5yV8tUj(NF4gMjXPdrSKu4Ge?assC)&{d2oqm2;oK#REF
Source: file.exe, 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: ::TFoeT!YMvmud6qEmUv*4N+lCvy6yK#+0d)yhX2hP.0=GLvVAw^fA.qSfuX}R-3Z9t)r(L=xK5yV8tUj(NF4gMjXPdrSKu4Ge?assC)&{d2oqm2;oK#REFXaBRftgY

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00492505 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00492505

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0064DBE0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

0_2_0064DBE0

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00492505 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00492505
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00494EE6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_00494EE6

Source: C:\Users\user\Desktop\file.exe

0_2_0042F8D0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0040FA50 GetKeyState,GetCurrentThreadId,GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,PostMessageW,GetModuleHandleW,GetProcAddress,GetForegroundWindow,GetAsyncKeyState,keybd_event,keybd_event,GetAsyncKeyState,keybd_event,GetAsyncKeyState,GetModuleHandleW,GetProcAddress,

0_2_0040FA50

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004109A0 GetAsyncKeyState,GetSystemMetrics,GetSystemMetrics,GetCursorPos,WindowFromPoint,GetWindowThreadProcessId,SendMessageW,mouse_event,mouse_event,

0_2_004109A0

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\cscript.exe cscript.exe /nologo C:\Users\user\AppData\Local\Temp\PID8.vbs

Jump to behavior

Source: file.exe	Binary or memory string: Program Manager
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: file.exe, 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: regk-hookm-hook2-hooksjoypollPART%i-%i(no)%s%s%s%s%s%s{Raw}{Text}%s%cHotstring max abbreviation length is 40.EndCharsMouseResetResetParameter #1 invalid.Parameter #2 invalid.Parameter #3 invalid.Parameter #2 must not be blank in this case.Hotstring not found.TextLEFTLRIGHTRMIDDLEMX1X2WUWDWLWRSendInputuser32{Blind}{ClickLl{}^+!#{}RawTempASC U+ ,LWin RWin LShift RShift LCtrl RCtrl LAlt RAlt SYSTEM\CurrentControlSet\Control\Keyboard Layouts\Layout FileKbdLayerDescriptorsc%03Xvk%02XSCALTDOWNALTUPSHIFTDOWNSHIFTUPCTRLDOWNCONTROLDOWNCTRLUPCONTROLUPLWINDOWNLWINUPRWINDOWNRWINUPRtlGetVersionntdll.dll%u.%u.%uStdOutAllClassOverwriteUseEnvLocalSameAsGlobalUseUnsetGlobalUseUnsetLocalYYYYYWeekYearYDayWorkingDirWinDirWinDelayWDayUserNameTitleMatchModeSpeedTitleMatchModeTimeSinceThisHotkeyTimeSincePriorHotkeyTimeIdlePhysicalTimeIdleMouseTimeIdleKeyboardTimeIdleTickCountThisMenuItemPosThisMenuItemThisMenuThisLabelThisHotkeyThisFuncStoreCapslockModeStartupCommonStartupStartMenuCommonStartMenuSecScriptNameScriptHwndScriptFullPathScriptDirScreenWidthScreenHeightScreenDPIRegViewPtrSizeProgramsCommonProgramsPriorKeyPriorHotkeyOSVersionOSTypeNumBatchLinesNowUTCNowMyDocumentsMSecMouseDelayPlayMouseDelayMonMMMMMMMMMMinMDayLoopRegTypeLoopRegTimeModifiedLoopRegSubKeyLoopRegNameLoopRegKeyLoopReadLineLoopFileTimeModifiedLoopFileTimeCreatedLoopFileTimeAccessedLoopFileSizeMBLoopFileSizeKBLoopFileSizeLoopFileShortPathLoopFileShortNameLoopFilePathLoopFileNameLoopFileLongPathLoopFileFullPathLoopFileExtLoopFileDirLoopFileAttribLoopFieldLineNumberLineFileLastErrorLanguageKeyDurationPlayKeyDurationKeyDelayPlayKeyDelayIsUnicodeIsSuspendedIsPausedIsCriticalIsCompiledIsAdminIs64bitOSIPAddress4IPAddress3IPAddress2IPAddress1IndexIconTipIconNumberIconHiddenIconFileHourGuiYGuiXGuiWidthGuiHeightGuiEventGuiControlEventFormatIntegerFormatFloatExitReasonEventInfoEndCharDesktopCommonDesktopDefaultTreeViewDefaultMouseSpeedDefaultListViewDefaultGuiDDDDDDDDDCursorCoordModeToolTipCoordModePixelCoordModeMouseCoordModeMenuCoordModeCaretControlDelayComputerNameCaretYCaretXBatchLinesAppDataCommonAppDataAhkVersionAhkPathTrueProgramFilesFalseComSpecClipboardAll...%s[%Iu of %Iu]: %-1.60s%sPropertyRegExMatch\:\:HKLMHKEY_LOCAL_MACHINEHKCRHKEY_CLASSES_ROOTHKCCHKEY_CURRENT_CONFIGHKCUHKEY_CURRENT_USERHKUHKEY_USERSREG_SZREG_EXPAND_SZREG_MULTI_SZREG_DWORDREG_BINARYDefault3264LineRegExFASTSLOWAscChrDerefHTMLModPowExpSqrtLogLnRoundCeilFloorAbsSinCosTanASinACosATanBitAndBitOrBitXOrBitNotBitShiftLeftBitShiftRightAddDestroyNamePriorityInterruptNoTimersLabelTypeONLocalePermitMouseSendAndMouseMouseMoveOffPlayEventThenEventThenPlayYESNOOKCANCELABORTIGNORERETRYCONTINUETRYAGAINTimeoutMINMAXHIDEScreenRelativeWindowClientPixelCaretIntegerFloatNumberTimeDateDigitXdigitAlnumAlphaUpperLowerUTF-8UTF-8-RAWUTF-16UTF-16-RAWCPFuncRemoveClipboardFormatListenerAddClipboardFormatListenerTrayNo tray memstatus AHK_PlayMe modeclose AHK_PlayMe%s\%sRegClassAutoHotkey2Shell_TrayWndCreateWindoweditLucida ConsoleConsolasCritical Error: %s
Source: file.exe, 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: "%-1.300s"The maximum number of MsgBoxes has been reached.IsHungAppWindowahk_idpidgroup%s%uProgram ManagerError text not found (please report)Q\E{0,DEFINEUTF16)UCP)NO_START_OPT)CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument is compiled in 8 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory

Source: C:\Windows\System32\cscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00416D74 SetCurrentDirectoryW,GetSystemTimeAsFileTime,

0_2_00416D74

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004135CE RtlGetVersion,__snwprintf,

0_2_004135CE

Source: C:\Windows\System32\cscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe, 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: ?A Goto/Gosub must not jump into a block that doesn't enclose it.ddddddd%02d%dmsSlowLogoffSingle1.1.28.02\AutoHotkey.exeWIN32_NTWIN_XPWIN_7WIN_8.1WIN_8WIN_VISTAWIN_2003WIN_2000%04hXcomspecGetCursorInfo0x%IxpPIntStrPtrShortCharInt64DoubleAStrWStrgdi32comctl32W-3-4CDecl-2This DllCall requires a prior VarSetCapacity. The program is now unstable and will exit.Pos%sLen%sPos%dLen%dLenMarkpcre_calloutCompile error %d at offset %d: %hs-+0 #diouxXeEfgGaAcCpULlTt%0.*fCcFfSelectVisCenterUniDescCaseLogicalNoSortAutoHdrFirstBoldExpandGDI+JoyJoyXJoyYJoyZJoyRJoyUJoyVJoyPOVJoyNameJoyButtonsJoyAxesJoyInfoGetProcessImageFileNameWpsapi0
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8
Source: file.exe	Binary or memory string: WIN_8.1

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00415BC0 Shell_NotifyIconW,DeleteObject,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DestroyCursor,DeleteObject,DestroyCursor,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DestroyCursor,DestroyCursor,IsWindow,DestroyWindow,DeleteObject,RemoveClipboardFormatListener,ChangeClipboardChain,mciSendStringW,mciSendStringW,mciSendStringW,RtlDeleteCriticalSection,OleUninitialize,_free,_free,_free,		0_2_00415BC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00416460 AddClipboardFormatListener,PostMessageW,SetClipboardViewer,RemoveClipboardFormatListener,ChangeClipboardChain,		0_2_00416460

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	1 Windows Management Instrumentation	1 Scripting	1 Exploitation for Privilege Escalation	1 Masquerading	121 Input Capture	1 System Time Discovery	Remote Services	121 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	1 DLL Side-Loading	12 Process Injection	1 Virtualization/Sandbox Evasion	LSASS Memory	111 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	12 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	21 Obfuscated Files or Information	LSA Secrets	11 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	24 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	39%	ReversingLabs	Win32.Trojan.Generic
file.exe	100%	Joe Sandbox ML

Name	Source	Malicious	Antivirus Detection	Reputation
https://autohotkey.com	file.exe, file.exe, 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmp	false		unknown
https://autohotkey.comCould	file.exe, 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmp	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1522739
Start date and time:	2024-09-30 16:18:36 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal76.spyw.evad.winEXE@6/3@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, www.google.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
10:19:29	API Interceptor	1x Sleep call for process: file.exe modified

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2155
Entropy (8bit):	5.14094104394761
Encrypted:	false
SSDEEP:	48:L5YZnAz6MFDuxB7KAN7KBa4iPG9lrRtFf1f0WNoQCvYBBNyJS1GDT:VY1AzpuxB7KAN7KhiuFtHf0XQCwBBNyP
MD5:	78D143BC6C1968D0A228B29E823D051E
SHA1:	A11DFA069C0B49487F55B32E8E9E89FAD3796B5B
SHA-256:	DCA511DFDBAADBAD34A89F0FA4C86DE1A8A37FEDC326F7BC17A746D44B0FBAFF
SHA-512:	AF82AB5A8855576F0F29A681B07BEFD456EBCA7E381E8C902E9151CEABF6C59035D02EAD07FC98B2E601EA11746887664ACEE73F39EE2C029685289F9C519068
Malicious:	true
Reputation:	low
Preview:	Option Explicit ....Dim strComputer, objWMIService, objItem, Caption, colItems..'Create wscript.shell object ..strComputer = "."..Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")..Set colItems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem",,48)..For Each objItem in colItems.. Caption = objItem.Caption ..Next....If InStr(Caption,"Windows") > 0 Then ...Dim objshell,path,DigitalID, Result ...Set objshell = CreateObject("WScript.Shell")...'Set registry key path...Path = "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\"...'Registry key value...DigitalID = objshell.RegRead(Path & "DigitalProductId")...Dim ProductName,ProductID,ProductKey,ProductData...'Get ProductName, ProductID, ProductKey...ProductKey = ConvertToKey(DigitalID) ...ProductData = ProductName & vbNewLine & ProductID & vbNewLine & ProductKey...'Show messbox if save to a file ...wscript.echo ProductData...'If vbOK = MsgBox(ProductData & vblf & vblf) then...'End If.. ..Else...

C:\Users\user\AppData\Local\Temp\kms.log

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	35
Entropy (8bit):	3.878584802350185
Encrypted:	false
SSDEEP:	3:r1v/IzqQkUQv:ezqT
MD5:	A8085F09078ACB8C3504D8E3739BE4DE
SHA1:	6B0FFF11D3580D32194479B2A73908B89A128AF3
SHA-256:	D90775018F214DD4A138B298F48D45FA0CDEAAA03195217BD10A35F79985BB93
SHA-512:	036532A11C6CCEA7DEC97666A973A7A2CDFD10E4B66AFD40A8BB96EAA13191A32F893C27213162B6E2F1492489258818886C4159DEE3EF2C8F34D4DF996BE82C
Malicious:	true
Reputation:	low
Preview:	....PJN2F-VHHVF-2MKYV-FHM9J-G9YDG..

C:\Users\user\Desktop\LIC_SWITCH.log

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	707
Entropy (8bit):	4.9760749324314295
Encrypted:	false
SSDEEP:	12:IdFUUDHuwkXIcNZpwgsjXHbjWCrP5Zu5uwkf:IdFUUuwkYcfpwg6nWAPWuwkf
MD5:	34D491613AAC895643B9C87C97CAB7E6
SHA1:	AAEC490195AE4F2F791F471749ECE16CEF3363A9
SHA-256:	742AD0F2958C61BD92DFEAC5A81D9BF5760EC4FB5BA658341962BB7DE8BE7DEF
SHA-512:	20C9629661BB92BA9288AAADC0A19FFE751F06F17C2F0F70E5B0556A04D1DD4DB696D26BC97B14580E1888E7FA2D5B47DB4D3958CF4A3DFC71D7C060622A5AA9
Malicious:	false
Reputation:	low
Preview:	30 Sep 2024 10:19:29 \\\\\\\\\\\\\\\\\\\\\\\\\* \\ TOOL START // */////////////////////////..30 Sep 2024 10:19:32 Checking for NetWork Adapter..30 Sep 2024 10:19:32 Adapter: Intel(R) 82574L Gigabit Network Connection..30 Sep 2024 10:19:32 Product: Professional..30 Sep 2024 10:19:32 Description: OEM_COA_NSLP..30 Sep 2024 10:19:32 Architecture: x64..30 Sep 2024 10:19:32 LicenseID: 221a02da-e2a1-4b75-864c-0a4410a33fdf..30 Sep 2024 10:19:32 PartialKey: BTDGR..30 Sep 2024 10:19:32 Status: Licensed..30 Sep 2024 10:19:32 WU Status: DISABLED..30 Sep 2024 10:19:32 System is: online..30 Sep 2024 10:19:32 Adapter: Intel(R) 82574L Gigabit Network Connection..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.826948759100624
TrID:	Win32 Executable (generic) a (10002005/4) 99.39% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	file.exe
File size:	1'675'264 bytes
MD5:	3d6cf2933284333f5d945c062bffcd2b
SHA1:	deb8e888fcea2139a0f91a7a87386c086b71b134
SHA256:	b3058d02ea8c370311e612bd4916e05c8c909b110d3f2c588073c59b2105dba5
SHA512:	2fc2aa55e05740eba7c8de7c686071a6d6f47a0997d722408c902dce860948e5fc5cbf4e94b788c22120336b00adec58582b4c6f5d6439f6b54da77839351cb0
SSDEEP:	49152:Zc2/wgEeoVOwjL4aCd/JajeU8PrbS6rgSvkW:CgEdIi4p/J60d
TLSH:	0075331982E13D05C584CC33AD8245395A673CF8ECB4BE6B0E78B107793A4955E27BBE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........>...m...m...m...m...m...m#..m...m...m...m...m...mh..m...m...m...m...m...m...m...m...mRich...m................PE..L......Z...

File Icon


Icon Hash:	31d4b2552b9f1e97

Static PE Info

General

Entrypoint:	0x64dbe0
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x5AC82E88 [Sat Apr 7 02:35:52 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	9212356426809f1b4ccfc1b6e5484912

Entrypoint Preview

Instruction
pushad
mov esi, 004D0000h
lea edi, dword ptr [esi-000CF000h]
push edi
jmp 00007F8604C0B98Dh
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007F8604C0B989h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F8604C0B96Fh
mov eax, 00000001h
add ebx, ebx
jne 00007F8604C0B989h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007F8604C0B98Dh
jne 00007F8604C0B9AAh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F8604C0B9A1h
dec eax
add ebx, ebx
jne 00007F8604C0B989h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007F8604C0B956h
add ebx, ebx
jne 00007F8604C0B989h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007F8604C0B9D4h
xor ecx, ecx
sub eax, 03h
jc 00007F8604C0B993h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007F8604C0B9F7h
sar eax, 1
mov ebp, eax
jmp 00007F8604C0B98Dh
add ebx, ebx
jne 00007F8604C0B989h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F8604C0B94Eh
inc ecx
add ebx, ebx
jne 00007F8604C0B989h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F8604C0B940h
add ebx, ebx
jne 00007F8604C0B989h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007F8604C0B971h
jne 00007F8604C0B98Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F8604C0B966h
add ecx, 02h
cmp ebp, FFFFFB00h
adc ecx, 02h
lea edx, dword ptr [edi+ebp]
cmp ebp, FFFFFFFCh
jbe 00007F8604C0B990h
mov al, byte ptr [edx]

Rich Headers

Programming Language:

[C++] VS2010 build 30319
[ C ] VS2010 build 30319
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2010 build 30319
[RES] VS2010 build 30319
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x268990	0x310	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x24e000	0x1a990	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0xcf000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0xd0000	0x17e000	0x17de00	2393741cbe143949bba0aaaac3fe4e30	False	0.9745249846563011	data	7.826915664472013	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x24e000	0x1b000	0x1ae00	181a185a6385bfe3f223a0af74e33a78	False	0.8149981831395349	data	7.19000125841001	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x24ea74	0x39ca	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9937812626740571
RT_ICON	0x252444	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1536, 16 important colors	English	United States	0.3542682926829268
RT_ICON	0x252ab0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640, 16 important colors	English	United States	0.45026881720430106
RT_ICON	0x252d9c	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 384, 16 important colors	English	United States	0.48565573770491804
RT_ICON	0x252f88	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192, 16 important colors	English	United States	0.527027027027027
RT_ICON	0x2530b4	0x5f58	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.998320222877745
RT_ICON	0x259010	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688, 248 important colors	English	United States	0.5469083155650319
RT_ICON	0x259ebc	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152, 250 important colors	English	United States	0.6714801444043321
RT_ICON	0x25a768	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 672, 235 important colors	English	United States	0.6923963133640553
RT_ICON	0x25ae34	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320, 108 important colors	English	United States	0.4436416184971098
RT_ICON	0x25b3a0	0x8940	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9981785063752276
RT_ICON	0x263ce4	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.35809128630705395
RT_ICON	0x266290	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.40853658536585363
RT_ICON	0x26733c	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.4487704918032787
RT_ICON	0x267cc8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.5195035460992907
RT_ICON	0xe90f4	0x39ca	data			0.9968230363660944
RT_ICON	0xecac0	0x668	data			1.0067073170731706
RT_ICON	0xed128	0x2e8	data			1.0147849462365592
RT_ICON	0xed410	0x1e8	data			1.0225409836065573
RT_ICON	0xed5f8	0x128	data			1.037162162162162
RT_ICON	0xed720	0x5f58	data			0.9967633562766306
RT_ICON	0xf3678	0xea8	data			1.0029317697228144
RT_ICON	0xf4520	0x8a8	data			1.0049638989169676
RT_ICON	0xf4dc8	0x6c8	data			1.006336405529954
RT_ICON	0xf5490	0x568	data			1.0079479768786128
RT_ICON	0xf59f8	0x8940	data			0.9971254553734062
RT_ICON	0xfe338	0x25a8	data			0.9976141078838174
RT_ICON	0x1008e0	0x10a8	data			1.002579737335835
RT_ICON	0x101988	0x988	data			1.0045081967213114
RT_ICON	0x102310	0x468	data			1.0097517730496455
RT_MENU	0x102778	0x2c8	data	English	United States	1.0154494382022472
RT_DIALOG	0x102a40	0xe8	data	English	United States	1.0474137931034482
RT_ACCELERATOR	0x102b28	0x48	data	English	United States	1.1527777777777777
RT_RCDATA	0x102b70	0x3adf7	data	English	United States	0.9870325906205032
RT_RCDATA	0x13d968	0x8a4e	data	English	United States	0.9532000225950404
RT_RCDATA	0x1463b8	0xad15	data	English	United States	0.9471890586562549
RT_RCDATA	0x1510d0	0x60b9b	COM executable for DOS	English	United States	0.9672149767660221
RT_RCDATA	0x1b1c6c	0x64765	data	English	United States	0.9708208888122034
RT_RCDATA	0x2163d4	0x138f6	data	English	United States	0.9708804513342819
RT_RCDATA	0x229ccc	0x86b	data	English	United States	1.002784222737819
RT_RCDATA	0x22a538	0xf6cc	data	English	United States	0.9714466603355493
RT_RCDATA	0x239c04	0x10865	data	English	United States	0.9717662702223535
RT_GROUP_ICON	0x268134	0xd8	data	English	United States	0.5972222222222222
RT_GROUP_ICON	0x24a544	0xd8	data			1.0509259259259258
RT_VERSION	0x268210	0x2e8	data	German	Germany	0.4435483870967742
RT_MANIFEST	0x2684fc	0x492	ASCII text, with very long lines (1170), with no line terminators	English	United States	0.5

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll	RegCloseKey
COMCTL32.dll	ImageList_Create
COMDLG32.dll	GetSaveFileNameW
GDI32.dll	BitBlt
ole32.dll	CoGetObject
OLEAUT32.dll	SysStringLen
PSAPI.DLL	GetModuleBaseNameW
SHELL32.dll	DragFinish
USER32.dll	GetDC
VERSION.dll	VerQueryValueW
WINMM.dll	mixerOpen
WSOCK32.dll	WSAStartup

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
German	Germany

Target ID:	0
Start time:	10:19:29
Start date:	30/09/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x400000
File size:	1'675'264 bytes
MD5 hash:	3D6CF2933284333F5D945C062BFFCD2B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	10:19:31
Start date:	30/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\sysnative\cmd.exe /c (cscript.exe /nologo C:\Users\user\AppData\Local\Temp\PID8.vbs)>>C:\Users\user\AppData\Local\Temp\kms.log
Imagebase:	0x7ff77a700000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:19:31
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:19:31
Start date:	30/09/2024
Path:	C:\Windows\System32\cscript.exe
Wow64 process (32bit):	false
Commandline:	cscript.exe /nologo C:\Users\user\AppData\Local\Temp\PID8.vbs
Imagebase:	0x7ff6967c0000
File size:	161'280 bytes
MD5 hash:	24590BF74BBBBFD7D7AC070F4E3C44FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	27.6%
Total number of Nodes:	688
Total number of Limit Nodes:	17

Executed Functions

Function 0042F8D0 Relevance: 91.6, APIs: 31, Strings: 21, Instructions: 603processlibraryloaderCOMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0042F937
__wcsicoll.LIBCMT ref: 0042F949
__wcsicoll.LIBCMT ref: 0042F95B
__wcsicoll.LIBCMT ref: 0042F96D
__wcsicoll.LIBCMT ref: 0042F97F
__wcsicoll.LIBCMT ref: 0042F991
_memset.LIBCMT ref: 0042FB38
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000044,?), ref: 0042FC53
CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,?,00000044,?), ref: 0042FC65
CloseHandle.KERNEL32(?), ref: 0042FCA6
_memset.LIBCMT ref: 0042FCE3
__wcsicoll.LIBCMT ref: 0042FD2F
_wcschr.LIBCMT ref: 0042FD7B
ShellExecuteExW.SHELL32(0000003C), ref: 0042FE76
GetModuleHandleW.KERNEL32(kernel32.dll,GetProcessId), ref: 0042FE9A
GetProcAddress.KERNEL32(00000000), ref: 0042FEA1

Strings

C:\Users\user\Desktop, xrefs: 0042FE5B
explore, xrefs: 0042F943, 0042FA05
open, xrefs: 0042F955, 0042FA17
D, xrefs: 0042FB43
find, xrefs: 0042F931, 0042F9F3
..., xrefs: 0042FF79, 0042FF95, 0042FFBF
print, xrefs: 0042F979, 0042FA3B
%sAction: <%-0.400s%s>%sParams: <%-0.400s%s>, xrefs: 0042FFC2
properties, xrefs: 0042F98B, 0042FA4D, 0042FD26
System verbs unsupported with RunAs., xrefs: 0042FABE
%s %s, xrefs: 0042FBB4
GetProcessId, xrefs: 0042FE90
Failed attempt to launch program or document:, xrefs: 0042FFB1, 0042FFC1
<, xrefs: 0042FCF1
kernel32.dll, xrefs: 0042FE95
\/., xrefs: 0042FDE4
Verb: <%s>, xrefs: 0042FF2A
edit, xrefs: 0042F967, 0042FA29
String too long., xrefs: 0042FB07
.exe.bat.com.cmd.hta, xrefs: 0042FE15
Launch Error (possibly related to RunAs):, xrefs: 0042FFAA

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __wcsicoll$Handle$Close_memset$AddressCreateExecuteModuleProcProcessShell_wcschr
String ID: Verb: <%s>$%sAction: <%-0.400s%s>%sParams: <%-0.400s%s>$%s %s$...$.exe.bat.com.cmd.hta$<$C:\Users\user\Desktop$D$Failed attempt to launch program or document:$GetProcessId$Launch Error (possibly related to RunAs):$String too long.$System verbs unsupported with RunAs.$\/.$edit$explore$find$kernel32.dll$open$print$properties
API String ID: 3967683218-2324900566
Opcode ID: b04890d4aa6d68e6566444734d61b274c9541acaa0fbc52604419350470fd843
Instruction ID: 31188f4dcce674d9ef1a63f975e35907f61f9071ec4042c07e698e30813ee6a6
Opcode Fuzzy Hash: b04890d4aa6d68e6566444734d61b274c9541acaa0fbc52604419350470fd843
Instruction Fuzzy Hash: 3922CE71B002199BDF20DFA5EC41BAF77B4AF45344F84407BE805A7391E7789948CBA9

Function 00469130 Relevance: 44.0, APIs: 24, Strings: 1, Instructions: 276
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 0046914D
GetWindowLongW.USER32(?,000000F0), ref: 00469159
IsWindowVisible.USER32(?), ref: 0046917A
IsIconic.USER32(?), ref: 0046918D
GetFocus.USER32 ref: 004691C1
GetWindowRect.USER32(?,?), ref: 004691F1
GetPropW.USER32(?,ahk_dlg), ref: 00469200
ShowWindow.USER32(00000000,00000000,?,ahk_dlg,?,?), ref: 00469214
GetUpdateRect.USER32(?,?,00000000), ref: 0046923C
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 0046924A
GetWindowLongW.USER32(?,000000F0), ref: 004692BD
ShowWindow.USER32(00000000,?,?,ahk_dlg,?,?), ref: 004692ED
KiUserCallbackDispatcher.NTDLL(00000000,00000000), ref: 00469304
GetWindowRect.USER32(00000000,?), ref: 00469318
PtInRect.USER32(?,?,?), ref: 00469333
PtInRect.USER32(?,?,?), ref: 00469348
SetFocus.USER32(00000000,?,ahk_dlg,?,?), ref: 0046938A
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 004693C5
ShowWindow.USER32(00000000,00000005,?,ahk_dlg,?,?), ref: 004693D5
SetFocus.USER32(?,?,ahk_dlg,?,?), ref: 004693E9
InvalidateRect.USER32(?,00000000,00000001,?,ahk_dlg,?,?), ref: 00469405
InvalidateRect.USER32(?,?,00000001,?,ahk_dlg,?,?), ref: 0046942F
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0046943E
InvalidateRect.USER32(?,?,00000001,?,ahk_dlg,?,?), ref: 0046944F

Strings

ahk_dlg, xrefs: 004691FA

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Window$Rect$FocusInvalidateMessageSendShow$Long$CallbackDispatcherIconicPointsPropUpdateUserVisible
String ID: ahk_dlg
API String ID: 1287530090-2093416220
Opcode ID: 2cb92b98ef7b4ad68a246d8870bcc17b6c268bf805481311d81bfc9c929e29b3
Instruction ID: b5eae9fb75e0140399f1823e80a5c7cb6e6155e50d250ff2c6c859dd3859fb47
Opcode Fuzzy Hash: 2cb92b98ef7b4ad68a246d8870bcc17b6c268bf805481311d81bfc9c929e29b3
Instruction Fuzzy Hash: ABA16370508381AFE711CB64C854B6BBFE9AB8A304F08895EF9C587381D7B9DD84CB56

Function 00478C60 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 170
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00478C7B
GetForegroundWindow.USER32(?,?,00000000,?,?,00000000,0040ED23,?,00000000,?,00000002,00000000,?,80000000,80000000,00000000), ref: 00478C9A
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00478CAC
IsIconic.USER32(00000000), ref: 00478CB5
ShowWindow.USER32(00000000,00000009,?,?,00000000,?,?,00000000,0040ED23,?,00000000,?,00000002,00000000,?,80000000), ref: 00478CC2

Strings

Shell_TrayWnd, xrefs: 00478CA7

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Window$FindForegroundIconicProcessShowThread
String ID: Shell_TrayWnd
API String ID: 836960049-2988720461
Opcode ID: bc779d3915bf8b670c01fdc0bd422e7ab64d17fdd819045c0774d6d506796137
Instruction ID: 2223d292589bdf61aa41ce1f220feed3e697683aa78c1bc3135d168b278d746c
Opcode Fuzzy Hash: bc779d3915bf8b670c01fdc0bd422e7ab64d17fdd819045c0774d6d506796137
Instruction Fuzzy Hash: BF5146307853046FE371EB24AC4DFBF7B949B95744F44442EF948A62C1EBB89C4486AE

Function 00476DC0 Relevance: 21.2, APIs: 14, Instructions: 172
windowlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,75C04BD0,?,00000001,0000002C,004C8138,75C04BD0,00000001), ref: 00476DDD
EnumResourceNamesW.KERNEL32 ref: 00476E26
FindResourceW.KERNEL32(00400000,0000000E,0000000E), ref: 00476E3F
LoadResource.KERNEL32(00400000,00000000), ref: 00476E4F
LockResource.KERNEL32(00000000), ref: 00476E5E
GetSystemMetrics.USER32(0000000B), ref: 00476E86
FindResourceW.KERNEL32(00400000,?,00000003), ref: 00476EDE
LoadResource.KERNEL32(00400000,00000000), ref: 00476EEC
LockResource.KERNEL32(00000000), ref: 00476EF7
SizeofResource.KERNEL32(00400000,00000000,00000001,00030000,00000000,00000000,00000000), ref: 00476F12
CreateIconFromResourceEx.USER32(00000000,00000000), ref: 00476F1A
FreeLibrary.KERNEL32(00400000), ref: 00476F41
ExtractIconW.SHELL32(00000000,?,?), ref: 00476F56
ExtractIconW.SHELL32(00000000,?,-00000001), ref: 00476F73

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Resource$IconLoad$ExtractFindLibraryLock$CreateEnumFreeFromMetricsNamesSizeofSystem
String ID:
API String ID: 2349713634-0
Opcode ID: 8d5312d0bad377f423e9f79802613f4498856a09b8d6c38997eb6cf8aaacde64
Instruction ID: 128889faf1859f1a6a904d94f98001f74fa66643c39a66b5210802548831b77a
Opcode Fuzzy Hash: 8d5312d0bad377f423e9f79802613f4498856a09b8d6c38997eb6cf8aaacde64
Instruction Fuzzy Hash: A0512935204B015FC7109F24DC44BBBBBDAEB89711F558A2AF85DE2380D738DC058B69

Function 00475E20 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 132
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcschr.LIBCMT ref: 00475E77
_wcschr.LIBCMT ref: 00475EA8
_wcschr.LIBCMT ref: 00475EBA
_wcsncpy.LIBCMT ref: 00475ED6
_wcschr.LIBCMT ref: 00475EE5
FindFirstFileW.KERNELBASE(00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00475F0E
FindClose.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00475F26
_wcschr.LIBCMT ref: 00475F49
FindFirstFileW.KERNELBASE(00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00475F60
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00475F6C

Strings

%s\, xrefs: 00475F30

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _wcschr$Find$CloseFileFirst$_wcsncpy
String ID: %s\
API String ID: 128165147-2802346739
Opcode ID: bc14198523d79c495d1cc6faa7f5bab3c80b86c1fc698059286cfa0e40cecb87
Instruction ID: 67e8759b787fff630ad969c8d3ab72259e9bca384fa2c097d25d69063cc36cd2
Opcode Fuzzy Hash: bc14198523d79c495d1cc6faa7f5bab3c80b86c1fc698059286cfa0e40cecb87
Instruction Fuzzy Hash: 6741077290070057D730BB258C46AEB72A89F91314F45892EFD599B2C1F7BC9E0AC69A

Function 0064DBE0 Relevance: 7.7, APIs: 5, Instructions: 184librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 0064DD1A
GetProcAddress.KERNEL32(?,0064AFF9), ref: 0064DD38
ExitProcess.KERNEL32(?,0064AFF9), ref: 0064DD49
VirtualProtect.KERNELBASE(00400000,00001000,00000004,?,3A75BF9D), ref: 0064DD66
VirtualProtect.KERNEL32(00400000,00001000), ref: 0064DD7B

Memory Dump Source

Source File: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
String ID:
API String ID: 1996367037-0
Opcode ID: 132d5dc186ee6a7e7088512a1a358f5c66a7e8d938c67e67635ccddae53932dd
Instruction ID: 377d8da5319406def9700eaa99a71edf5bbb20e31f3ce7f34f8af3174d12defa
Opcode Fuzzy Hash: 132d5dc186ee6a7e7088512a1a358f5c66a7e8d938c67e67635ccddae53932dd
Instruction Fuzzy Hash: 005106B2E547525BD7209EB8DCC06A4BB9AEB51324B28077DC9E2C73C5E7E45C06C760

Function 00416110 Relevance: 58.0, APIs: 24, Strings: 9, Instructions: 243
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00416141

Part of subcall function 00476DC0: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,75C04BD0,?,00000001,0000002C,004C8138,75C04BD0,00000001), ref: 00476DDD
Part of subcall function 00476DC0: FindResourceW.KERNEL32(00400000,0000000E,0000000E), ref: 00476E3F
Part of subcall function 00476DC0: LoadResource.KERNEL32(00400000,00000000), ref: 00476E4F
Part of subcall function 00476DC0: LockResource.KERNEL32(00000000), ref: 00476E5E
Part of subcall function 00476DC0: GetSystemMetrics.USER32(0000000B), ref: 00476E86
Part of subcall function 00476DC0: FindResourceW.KERNEL32(00400000,?,00000003), ref: 00476EDE
Part of subcall function 00476DC0: LoadResource.KERNEL32(00400000,00000000), ref: 00476EEC
Part of subcall function 00476DC0: LockResource.KERNEL32(00000000), ref: 00476EF7

GetSystemMetrics.USER32(00000031), ref: 00416188

Part of subcall function 00476DC0: EnumResourceNamesW.KERNEL32 ref: 00476E26
Part of subcall function 00476DC0: SizeofResource.KERNEL32(00400000,00000000,00000001,00030000,00000000,00000000,00000000), ref: 00476F12
Part of subcall function 00476DC0: CreateIconFromResourceEx.USER32(00000000,00000000), ref: 00476F1A
Part of subcall function 00476DC0: ExtractIconW.SHELL32(00000000,?,?), ref: 00476F56

LoadCursorW.USER32(00000000,00007F00), ref: 004161B8
RegisterClassExW.USER32 ref: 004161DD
RegisterClassExW.USER32(?), ref: 00416225
GetForegroundWindow.USER32 ref: 0041622C
GetClassNameW.USER32(00000000,?,00000040), ref: 0041623E
__wcsicoll.LIBCMT ref: 00416252
CreateWindowExW.USER32(00000001,AutoHotkey,?,00CF0000,80000000,80000000,80000000,80000000,00000000,00000000,00400000,00000000), ref: 004162B1
GetMenu.USER32(00000000), ref: 004162D8
EnableMenuItem.USER32(00000000,0000FF79,00000003), ref: 004162E8
CreateWindowExW.USER32(00000000,edit,00000000,50A00804,00000000,00000000,00000000,00000000,00010474,00000001,00400000,00000000), ref: 00416320
GetDC.USER32(00000000), ref: 0041632C
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00416366
MulDiv.KERNEL32(0000000A,00000000), ref: 0041636F
CreateFontW.GDI32(00000000), ref: 00416378
ReleaseDC.USER32(00010478,00000000), ref: 0041638A
SendMessageW.USER32(00010478,00000030,4D0A0ECC,00000000), ref: 004163A8
SendMessageW.USER32(00010478,000000C5,00000000,00000000), ref: 004163B9
ShowWindow.USER32(00010474,00000000), ref: 004163CA
ShowWindow.USER32(00010474,00000000), ref: 004163D5
ShowWindow.USER32(00010474,00000006), ref: 004163E6
SetWindowLongW.USER32(00010474,000000EC,00000000), ref: 004163F3
LoadAcceleratorsW.USER32(00400000,000000D4), ref: 00416405

Part of subcall function 00416540: _memset.LIBCMT ref: 00416550
Part of subcall function 00416540: _wcsncpy.LIBCMT ref: 004165C2
Part of subcall function 00416540: Shell_NotifyIconW.SHELL32(00000000,?), ref: 004165D5

Strings

Consolas, xrefs: 00416344
RegClass, xrefs: 004161F5
AutoHotkey2, xrefs: 00416215
edit, xrefs: 00416319
AutoHotkey, xrefs: 00416161, 004162A6
Shell_TrayWnd, xrefs: 0041624C
0, xrefs: 00416159
CreateWindow, xrefs: 004162CD
Lucida Console, xrefs: 0041633D

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Resource$Window$Load$Create$ClassIconShow$FindLockMenuMessageMetricsRegisterSendSystem_memset$AcceleratorsCapsCursorDeviceEnableEnumExtractFontForegroundFromItemLibraryLongNameNamesNotifyReleaseShell_Sizeof__wcsicoll_wcsncpy
String ID: 0$AutoHotkey$AutoHotkey2$Consolas$CreateWindow$Lucida Console$RegClass$Shell_TrayWnd$edit
API String ID: 2663150501-3882032541
Opcode ID: 772894f597f82bbaee781d0d0d4fbf614a2ce075000adabfe2bc249ff803479f
Instruction ID: e5219144fad07b6cb428c496203e2e73b82607cb50ce4654df7e7c2fae18256b
Opcode Fuzzy Hash: 772894f597f82bbaee781d0d0d4fbf614a2ce075000adabfe2bc249ff803479f
Instruction Fuzzy Hash: 8C81C471644300BBE7609F60DC4AFA73BA4AB45B04F10456AFA44A72D0DBB8E844CB6E

Function 00403A9F Relevance: 47.6, APIs: 17, Strings: 10, Instructions: 384
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wcsicoll.LIBCMT ref: 00403BEF
__wcsicoll.LIBCMT ref: 00403C01
__wcsicoll.LIBCMT ref: 00403C13
__wcsicoll.LIBCMT ref: 00403C25
__wcsicoll.LIBCMT ref: 00403C37

Strings

/ErrorStdOut, xrefs: 00403C31
C:\Users\user\Desktop, xrefs: 00403AA1
A_Args, xrefs: 00403D3B, 00403D61
Clipboard, xrefs: 00403FF4
hl)J, xrefs: 00403C84
Could not close the previous instance of this script. Keep waiting?, xrefs: 00403F13
/force, xrefs: 00403C1F
AutoHotkey, xrefs: 00403E5B, 00403EC5
/restart, xrefs: 00403BFB
An older instance of this script is already running. Replace it with this instance?Note: To avoid this message, see #SingleInsta, xrefs: 00403E96

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __wcsicoll
String ID: /ErrorStdOut$/force$/restart$A_Args$An older instance of this script is already running. Replace it with this instance?Note: To avoid this message, see #SingleInsta$AutoHotkey$C:\Users\user\Desktop$Clipboard$Could not close the previous instance of this script. Keep waiting?$hl)J
API String ID: 3832890014-283284329
Opcode ID: 5356b4adb516d74641602887d5eb02f6174f55d38919c05c3ef643c870fc0aef
Instruction ID: b11b1b63d7b062985327bf977882124ceb62407a5bdc3e6546bdfef701e71a86
Opcode Fuzzy Hash: 5356b4adb516d74641602887d5eb02f6174f55d38919c05c3ef643c870fc0aef
Instruction Fuzzy Hash: 38C128B1B043406AE720AB259C46F2B3B989B55705F04053FFA85B62C1E7BDDE40C76E

Function 00402382 Relevance: 39.2, APIs: 20, Strings: 2, Instructions: 696
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00401489
SendMessageW.USER32(?,0000110A,00000009,?), ref: 00402442
ScreenToClient.USER32(?,?), ref: 0040246B
SendMessageW.USER32(?,00001111,00000000,?), ref: 00402483
GetWindowLongW.USER32(?,000000EC), ref: 004025B5
SetWindowLongW.USER32(?,000000EC,00000000), ref: 004025C9
MulDiv.KERNEL32(?,00000060,00000060), ref: 00402666
MulDiv.KERNEL32(?,00000060,00000060), ref: 004026AE
_memset.LIBCMT ref: 004028C6
SendMessageW.USER32 ref: 004028F7
DragFinish.SHELL32(?), ref: 00402B16
GetWindowLongW.USER32 ref: 00402B2D
SetWindowLongW.USER32(00000000,000000EC,00000000), ref: 00402B3D

Strings

call, xrefs: 00402A86
I, xrefs: 00402851

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: LongWindow$MessageSend$ClientCountDragFinishScreenTick_memset
String ID: I$call
API String ID: 3210236470-1075741665
Opcode ID: 4df1e090e44f613193035b355f29009d3cf34595ccd954d8563134844b42a3bd
Instruction ID: 974ebace28e2147fce9ec286dcb957fe35eadf8c1c1cf72fb4bfafb0b9d8dd27
Opcode Fuzzy Hash: 4df1e090e44f613193035b355f29009d3cf34595ccd954d8563134844b42a3bd
Instruction Fuzzy Hash: A25290706083009FD724DF18C988B5BBBE5BF88314F14896EE889A73E1D778E845CB56

Function 00403AD9 Relevance: 30.1, APIs: 11, Strings: 6, Instructions: 315
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wcsicoll.LIBCMT ref: 00403BEF
__wcsicoll.LIBCMT ref: 00403C01
__wcsicoll.LIBCMT ref: 00403C13
__wcsicoll.LIBCMT ref: 00403C25
__wcsicoll.LIBCMT ref: 00403C37

Strings

A_Args, xrefs: 00403D3B, 00403D61
Clipboard, xrefs: 00403FF4
hl)J, xrefs: 00403C84
Could not close the previous instance of this script. Keep waiting?, xrefs: 00403F13
AutoHotkey, xrefs: 00403E5B
An older instance of this script is already running. Replace it with this instance?Note: To avoid this message, see #SingleInsta, xrefs: 00403E96

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __wcsicoll
String ID: A_Args$An older instance of this script is already running. Replace it with this instance?Note: To avoid this message, see #SingleInsta$AutoHotkey$Clipboard$Could not close the previous instance of this script. Keep waiting?$hl)J
API String ID: 3832890014-1369024563
Opcode ID: beb76d24ff681f0dfcd138cf2776b2a94d40c5cf45c3f31cbb2ada4b5e8dbfb6
Instruction ID: 8a0c97fbba8d581f65c833aa89253b219d9e3fd4cedce5fdaacd78cdd675df2e
Opcode Fuzzy Hash: beb76d24ff681f0dfcd138cf2776b2a94d40c5cf45c3f31cbb2ada4b5e8dbfb6
Instruction Fuzzy Hash: E8A108B0B043416AE760AB659C46F2B3BA89B45704F04053FF685B72D1DBB8DE41C79E

Function 00401CC9 Relevance: 28.5, APIs: 14, Strings: 2, Instructions: 518
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00401489
KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,-00000311), ref: 004014D0
GetTickCount.KERNEL32 ref: 004014DB
GetForegroundWindow.USER32 ref: 00401D39
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00401D4C
GetClassNameW.USER32(00000000,?,00000020), ref: 00401D69
IsDialogMessageW.USER32(00000000,?), ref: 00402D5B
SetCurrentDirectoryW.KERNEL32(C:\Users\user\Desktop), ref: 00402D73

Strings

C:\Users\user\Desktop, xrefs: 00402D6E
#32770, xrefs: 00401D6F

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CountTickWindow$CallbackClassCurrentDialogDirectoryDispatcherForegroundMessageNameProcessThreadUser
String ID: #32770$C:\Users\user\Desktop
API String ID: 2062716809-2506600713
Opcode ID: 47a8dd4a61e12a8c90728c930d07a933e897ae65735656275c0258cb025829ac
Instruction ID: d3c4f9cb16838903b11290c4d14fa92148084e937e73d15c5bef0986203582fb
Opcode Fuzzy Hash: 47a8dd4a61e12a8c90728c930d07a933e897ae65735656275c0258cb025829ac
Instruction Fuzzy Hash: AC128E715083419FD7248F18C98876BB7E1AB85704F18493FE995A73E1C7B8EC46CB8A

Function 00403D0E Relevance: 28.2, APIs: 11, Strings: 5, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindWindowW.USER32(AutoHotkey,02D60148), ref: 00403E60

Strings

A_Args, xrefs: 00403D3B, 00403D61
Clipboard, xrefs: 00403FF4
Could not close the previous instance of this script. Keep waiting?, xrefs: 00403F13
AutoHotkey, xrefs: 00403E5B
An older instance of this script is already running. Replace it with this instance?Note: To avoid this message, see #SingleInsta, xrefs: 00403E96

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: FindWindow
String ID: A_Args$An older instance of this script is already running. Replace it with this instance?Note: To avoid this message, see #SingleInsta$AutoHotkey$Clipboard$Could not close the previous instance of this script. Keep waiting?
API String ID: 134000473-3055363494
Opcode ID: 1f6ba8ca3599635bd3607fe26c2596087050352aded697c724a624bb235c523c
Instruction ID: 608ee32076edd871291f1f34974af413f279229662b47bbb8a35c86475acf6ea
Opcode Fuzzy Hash: 1f6ba8ca3599635bd3607fe26c2596087050352aded697c724a624bb235c523c
Instruction Fuzzy Hash: 807146B0B003416AE760AB659C46F2B3A9C9B41745F04053BFB44B63D1EBBC9D41CBAE

Function 00422130 Relevance: 23.2, APIs: 8, Strings: 5, Instructions: 410
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcsncpy.LIBCMT ref: 00422190
__wcsicoll.LIBCMT ref: 004221E2
_memmove.LIBCMT ref: 0042234E
_memmove.LIBCMT ref: 004224D6
__wcsicoll.LIBCMT ref: 0042251E
__wcsicoll.LIBCMT ref: 004225BF
_memmove.LIBCMT ref: 004225FA

Strings

", xrefs: 00422268
Variable name too long., xrefs: 00422172
Out of memory., xrefs: 00422461
Illegal parameter name., xrefs: 0042221A
ErrorLevel, xrefs: 004221DC

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __wcsicoll_memmove$_wcsncpy
String ID: "$ErrorLevel$Illegal parameter name.$Out of memory.$Variable name too long.
API String ID: 3055118137-3900197193
Opcode ID: e31bef7e062656b10441d81d2f7a02bc578dc6ffd664ccca2a5761fda883506f
Instruction ID: 472ab4a50b02fdc6a500bfc68674bedc6d1afeb900cf329abd18d6fe06ee760d
Opcode Fuzzy Hash: e31bef7e062656b10441d81d2f7a02bc578dc6ffd664ccca2a5761fda883506f
Instruction Fuzzy Hash: 8AE1F471604316AFC320DF14E980BABB3E0FF98318F54466EE84497351E7B9EA45CB96

Function 00401D17 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 190
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00401489
KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,-00000311), ref: 004014D0
GetTickCount.KERNEL32 ref: 004014DB
GetForegroundWindow.USER32 ref: 00401D39
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00401D4C
GetClassNameW.USER32(00000000,?,00000020), ref: 00401D69
IsDialogMessageW.USER32(00000000,?), ref: 00402D5B
SetCurrentDirectoryW.KERNEL32(C:\Users\user\Desktop), ref: 00402D73

Strings

C:\Users\user\Desktop, xrefs: 00402D6E
#32770, xrefs: 00401D6F

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CountTickWindow$CallbackClassCurrentDialogDirectoryDispatcherForegroundMessageNameProcessThreadUser
String ID: #32770$C:\Users\user\Desktop
API String ID: 2062716809-2506600713
Opcode ID: ddf7964bcc0e5bb38d89044265bd6c079c8b0e6b03de50973f8ed68ed39c15b2
Instruction ID: 4809e12910ea3c4f6f8023be111489df4376e5a59fa8bf9b003857fc8be14ee4
Opcode Fuzzy Hash: ddf7964bcc0e5bb38d89044265bd6c079c8b0e6b03de50973f8ed68ed39c15b2
Instruction Fuzzy Hash: 7861CF71500301ABD7209F58C888B6BB7E4AB95704F48493BF856A73F1D778EC85CB9A

Function 004166F0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 150
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 00416707

Part of subcall function 0048E5E4: __FF_MSGBANNER.LIBCMT ref: 0048E5FD
Part of subcall function 0048E5E4: __NMSG_WRITE.LIBCMT ref: 0048E604
Part of subcall function 0048E5E4: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 0048E629

SetTimer.USER32(00010474,0000000E,04EF6D80,Function_000038E0), ref: 00416750

Strings

The thread has exited., xrefs: 00416827

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AllocateHeapTimer_malloc
String ID: The thread has exited.
API String ID: 2122149007-1941089863
Opcode ID: 80004ca7e0b1466990b8ff36011275c93eb82909a1c63f402eb41f174ce28d50
Instruction ID: b662813046bbf4e41544d8be373a02e6ad370fd6a70499209151432556095313
Opcode Fuzzy Hash: 80004ca7e0b1466990b8ff36011275c93eb82909a1c63f402eb41f174ce28d50
Instruction Fuzzy Hash: 7351B1F1A01344AFD750DF29D888FD67BA4BB58314F5A85BFE1089B2A1C3759880CB59

Function 00402C12 Relevance: 12.2, APIs: 8, Instructions: 195
clipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00401489
KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,-00000311), ref: 004014D0
GetTickCount.KERNEL32 ref: 004014DB
CountClipboardFormats.USER32 ref: 00402C12
IsClipboardFormatAvailable.USER32(0000000D), ref: 00402C24
IsClipboardFormatAvailable.USER32(0000000F), ref: 00402C2C

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ClipboardCount$AvailableFormatTick$CallbackDispatcherFormatsUser
String ID:
API String ID: 2843769501-0
Opcode ID: 582fbeb2324a0f424ad923fefbc8c478643c1a00a9ed1dd558caa431d1f5aa3b
Instruction ID: 79a482513744a66b89baae91f33c315c8f0136cf10c27d4fffad67caa3995654
Opcode Fuzzy Hash: 582fbeb2324a0f424ad923fefbc8c478643c1a00a9ed1dd558caa431d1f5aa3b
Instruction Fuzzy Hash: 2A61CF71604300ABEB209F69C884B6F76E4AB95704F04453EF856A73F1D7B8DC84CB9A

Function 00401819 Relevance: 12.2, APIs: 8, Instructions: 177
windowsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00401489
KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,-00000311), ref: 004014D0
GetTickCount.KERNEL32 ref: 004014DB
GetFocus.USER32 ref: 00401575
PeekMessageW.USER32(?,00000000,00000000,-00000311,00000001), ref: 00401884
GetTickCount.KERNEL32 ref: 00401892
Sleep.KERNEL32(00000000), ref: 004018B3

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CountTick$CallbackDispatcherFocusMessagePeekSleepUser
String ID:
API String ID: 1365517912-0
Opcode ID: 406ba5298a6b984f0ce048ab9604d59f19c091fe306b0bee4b6d501d948e1a47
Instruction ID: 4abdc034f09e4808e0c250cafc60b8b502eb2413becf17a73983d5d1e7fca53b
Opcode Fuzzy Hash: 406ba5298a6b984f0ce048ab9604d59f19c091fe306b0bee4b6d501d948e1a47
Instruction Fuzzy Hash: B651D071A043409FDB20DB68C884B6F7AE4AB95704F08467EE856A73F1D378DC85CB5A

Function 004013A9 Relevance: 12.2, APIs: 8, Instructions: 176timewindowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32(00000000), ref: 004013AF
CloseClipboard.USER32 ref: 004013BB
SetTimer.USER32(00010474,00000009,0000000A), ref: 00401464
GetTickCount.KERNEL32 ref: 00401489
KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,-00000311), ref: 004014D0
GetTickCount.KERNEL32 ref: 004014DB
GetFocus.USER32 ref: 00401575

Part of subcall function 00403180: joyGetPosEx.WINMM ref: 004031AF

TranslateAcceleratorW.USER32(00000000,?,?), ref: 004015BB

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CountTick$AcceleratorCallbackClipboardCloseDispatcherFocusGlobalTimerTranslateUnlockUser
String ID:
API String ID: 1474087974-0
Opcode ID: 1d304d67ba44700013980c86b29f0903b661311ef2b09cfb9ec1732c33dce7e6
Instruction ID: dab53dfb54af43acb549e6a6b9bd86adfab31d3e2b780215a040be2c35964d6e
Opcode Fuzzy Hash: 1d304d67ba44700013980c86b29f0903b661311ef2b09cfb9ec1732c33dce7e6
Instruction Fuzzy Hash: 5C61C171504340AFDB219F68C884B6BBAE4AB95304F08453FF895A73F1D7789C85CB9A

Function 00402B51 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00401489
KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,-00000311), ref: 004014D0
GetTickCount.KERNEL32 ref: 004014DB

Strings

call, xrefs: 00402BB1

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CountTick$CallbackDispatcherUser
String ID: call
API String ID: 1502404630-3431870270
Opcode ID: b5044d497141f041c23598e6564c4a29b7f3b4f700211081432b5bc21f2d6e87
Instruction ID: 936dcfecd109e37cb26727d748c5f94842e48f458149c002fc0bb43ef13e323f
Opcode Fuzzy Hash: b5044d497141f041c23598e6564c4a29b7f3b4f700211081432b5bc21f2d6e87
Instruction Fuzzy Hash: 516171715043409BD7219F58C885BAFB7E4AB89704F04493FF895A73A1D778EC84CB9A

Function 00415F00 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 159COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000800,00000000,00000000,?,00000001,00403DC2,004CB680,?), ref: 00415F2E

Part of subcall function 00475E20: _wcschr.LIBCMT ref: 00475E77
Part of subcall function 00475E20: _wcsncpy.LIBCMT ref: 00475ED6
Part of subcall function 00475E20: _wcschr.LIBCMT ref: 00475EE5
Part of subcall function 00475E20: FindFirstFileW.KERNELBASE(00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00475F0E
Part of subcall function 00475E20: FindClose.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00475F26
Part of subcall function 00475E20: _wcschr.LIBCMT ref: 00475F49
Part of subcall function 00475E20: FindFirstFileW.KERNELBASE(00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00475F60
Part of subcall function 00475E20: FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00475F6C

_wcsrchr.LIBCMT ref: 00415FC9
GetModuleFileNameW.KERNEL32(00000000,?,000007FE,?,?,?,?,?,004CB680,?), ref: 00416062
_wcsrchr.LIBCMT ref: 004160BA

Strings

%s\%s, xrefs: 0041601D
Out of memory., xrefs: 00415F78

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: FileFind$_wcschr$CloseFirstModuleName_wcsrchr$_wcsncpy
String ID: %s\%s$Out of memory.
API String ID: 2025279223-1641153398
Opcode ID: 7431edfec019cd6c7eefd4292d97425795d6c8a4bae83cecb88eebbf023d11a6
Instruction ID: 06683767833a9047cc34e19a5231d722de0976728f627d3b0ab9350e03abb36c
Opcode Fuzzy Hash: 7431edfec019cd6c7eefd4292d97425795d6c8a4bae83cecb88eebbf023d11a6
Instruction Fuzzy Hash: 8451F77260474297D720DF659C01AEB7394EF85310F084A2EFD598B2C1EB78DA49C7AA

Function 00415930 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 129comCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00415B56
OleInitialize.OLE32(00000000), ref: 00415BA3

Strings

Tray, xrefs: 00415B63
h(J, xrefs: 00415A05
h(J, xrefs: 00415A0B
No tray mem, xrefs: 00415B7D

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Initialize_memset
String ID: No tray mem$Tray$h(J$h(J
API String ID: 2068092829-3999171079
Opcode ID: 48f9d55ea92cc5ae58083f0c02d8cb7cbd1bfbb0b45715f21bf00ed7ca16c016
Instruction ID: b56ada80f6144cee3a17cc1abe520f9245099593bfbc1133d4f9dd6cf55cae86
Opcode Fuzzy Hash: 48f9d55ea92cc5ae58083f0c02d8cb7cbd1bfbb0b45715f21bf00ed7ca16c016
Instruction Fuzzy Hash: 395135B5A55340DED380DF5BEDC2E55BAA8F719704B98863FE08C83622DB7800448F9E

Function 004013FB Relevance: 9.2, APIs: 6, Instructions: 163timewindowCOMMON

Download Yara Rule

APIs

SetTimer.USER32(00010474,00000009,0000000A), ref: 00401464
GetTickCount.KERNEL32 ref: 00401489
KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,-00000311), ref: 004014D0
GetTickCount.KERNEL32 ref: 004014DB
GetFocus.USER32 ref: 00401575

Part of subcall function 00403180: joyGetPosEx.WINMM ref: 004031AF

TranslateAcceleratorW.USER32(00000000,?,?), ref: 004015BB

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CountTick$AcceleratorCallbackDispatcherFocusTimerTranslateUser
String ID:
API String ID: 3005849476-0
Opcode ID: 6abb7a606a1b618ad8cc8af84c5eb0c3413edc20e7beb17ae4f30f0044ea6eba
Instruction ID: 8ce2eff84ab1787fe6e3b090b022fc03378ce36282eee567718d2ea6fa9fc6b9
Opcode Fuzzy Hash: 6abb7a606a1b618ad8cc8af84c5eb0c3413edc20e7beb17ae4f30f0044ea6eba
Instruction Fuzzy Hash: 3751C171604340ABDB219F688884B6B7AE4AB95704F08053FF895A73F1D7789C84CB9A

Function 00402BF5 Relevance: 7.7, APIs: 5, Instructions: 155windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00403690: _free.LIBCMT ref: 004036A6
Part of subcall function 00403690: _free.LIBCMT ref: 004036CC

GetTickCount.KERNEL32 ref: 00401489
KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,-00000311), ref: 004014D0
GetTickCount.KERNEL32 ref: 004014DB
GetFocus.USER32 ref: 00401575
TranslateAcceleratorW.USER32(00000000,?,?), ref: 004015BB

Part of subcall function 00402F30: GetTickCount.KERNEL32 ref: 00402F30

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CountTick$_free$AcceleratorCallbackDispatcherFocusTranslateUser
String ID:
API String ID: 3134410435-0
Opcode ID: f10a78642695cafb8c8182a6abaa212a986084d7210fc689cd31068a90e4b44e
Instruction ID: 32b5fadb59443b2bf0d2d21808a46e6269a3527016376128013db6482dabb7b0
Opcode Fuzzy Hash: f10a78642695cafb8c8182a6abaa212a986084d7210fc689cd31068a90e4b44e
Instruction Fuzzy Hash: 99519F71504340ABDB209F688884B6FB6E4AB85704F08453FF896A73F1D778DC85CB9A

Function 0048F851 Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0048F85F

Part of subcall function 0048E5E4: __FF_MSGBANNER.LIBCMT ref: 0048E5FD
Part of subcall function 0048E5E4: __NMSG_WRITE.LIBCMT ref: 0048E604
Part of subcall function 0048E5E4: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 0048E629

_free.LIBCMT ref: 0048F872

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: a6170a0832faeaaa591ec81267bb34bc049d766c89069b3f315b6c1a31ef2751
Instruction ID: ee740fa54578e2a6296a374bae593a9e431df336c3911e3be1354f24f2d184c8
Opcode Fuzzy Hash: a6170a0832faeaaa591ec81267bb34bc049d766c89069b3f315b6c1a31ef2751
Instruction Fuzzy Hash: C0117332504616BBCF213B76AC09A5E3F94AF453A4B20483BF8499A251EF7CCC95879D

Function 00478C00 Relevance: 4.5, APIs: 3, Instructions: 29COMMON

Download Yara Rule

APIs

SetForegroundWindow.USER32(00000000), ref: 00478C02
GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,0040ED23,?), ref: 00478C28
GetWindow.USER32(?,00000004), ref: 00478C41

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Window$Foreground
String ID:
API String ID: 62970417-0
Opcode ID: 8415ebe144c8125dbd582510cbdb9eac345e0193f200378f9f17de8807946a43
Instruction ID: dcfb9c93a73a2feb003cf9096b0e030cd481b7a5d1015952508711dcc7d46514
Opcode Fuzzy Hash: 8415ebe144c8125dbd582510cbdb9eac345e0193f200378f9f17de8807946a43
Instruction Fuzzy Hash: E5E0E5322402209FD7517724BC097CD3F50A782395F054029F208A6250E7742CC147B9

Function 00415770 Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,?,0049EC18,000000FF), ref: 004157DA
_free.LIBCMT ref: 004157F5

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CloseHandle_free
String ID:
API String ID: 3521661170-0
Opcode ID: df2691370dde45b664a82cc35c023007d3ad4f56c59f09f3c9ab0fdaf517c21e
Instruction ID: f5a1fa194dd3bccebd4cb409fe62b83a178cfadaab077aa4d9e68bea1c075ab7
Opcode Fuzzy Hash: df2691370dde45b664a82cc35c023007d3ad4f56c59f09f3c9ab0fdaf517c21e
Instruction Fuzzy Hash: 8A118B71501B40DBD720DF18C945B8BB7E8FB48720F548A1EE4A687BD0D378A880CB89

Function 00472860 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0047286D

Part of subcall function 0048E5E4: __FF_MSGBANNER.LIBCMT ref: 0048E5FD
Part of subcall function 0048E5E4: __NMSG_WRITE.LIBCMT ref: 0048E604
Part of subcall function 0048E5E4: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 0048E629

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: c8ae4e35087f73d529d1eb07b802ca095ff404ff4bb0c1a7bb043b08582ffc85
Instruction ID: e30a703e7a980ded1aa989708a7bbd7e4624779a5ea03348e14dadd61fb044ed
Opcode Fuzzy Hash: c8ae4e35087f73d529d1eb07b802ca095ff404ff4bb0c1a7bb043b08582ffc85
Instruction Fuzzy Hash: D3F05E716006028FEB64DB7AD990B2BB3E6BFD0314B15863EE44E83B44E735E841CB05

Function 00472450 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 00490341: _malloc.LIBCMT ref: 0049035B

_malloc.LIBCMT ref: 0047246D

Part of subcall function 0048E5E4: __FF_MSGBANNER.LIBCMT ref: 0048E5FD
Part of subcall function 0048E5E4: __NMSG_WRITE.LIBCMT ref: 0048E604
Part of subcall function 0048E5E4: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 0048E629

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _malloc$AllocateHeap
String ID:
API String ID: 680241177-0
Opcode ID: 52fa1ef240c4a8bb1a767a30037fef8fb5be9130bb29d3ad4314d547b749558d
Instruction ID: 32b1ca6a9c854aad1a7ff2ad83778b20a69e15e38335e9fe848e2c2ae8c76622
Opcode Fuzzy Hash: 52fa1ef240c4a8bb1a767a30037fef8fb5be9130bb29d3ad4314d547b749558d
Instruction Fuzzy Hash: 4BE09BB19006115FD7A0AB66BD027C775D09B00758F00853BFC8986301E7BCD8808BC6

Non-executed Functions

Function 0040E701 Relevance: 77.6, APIs: 31, Strings: 13, Instructions: 592keyboardwindowCOMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0040E72E
__wcsnicmp.LIBCMT ref: 0040E74A
__wcsicoll.LIBCMT ref: 0040E77F
PostMessageW.USER32(00000000,00000102,00000001,00000000), ref: 0040E823
GetAsyncKeyState.USER32(000000A0), ref: 0040E8CC
GetAsyncKeyState.USER32(000000A1), ref: 0040E8DF
GetAsyncKeyState.USER32(000000A2), ref: 0040E8F3
GetAsyncKeyState.USER32(000000A3), ref: 0040E907
GetAsyncKeyState.USER32(000000A4), ref: 0040E91B
GetAsyncKeyState.USER32(000000A5), ref: 0040E92F
GetAsyncKeyState.USER32(0000005B), ref: 0040E940
GetAsyncKeyState.USER32(0000005C), ref: 0040E951
GetTickCount.KERNEL32 ref: 0040E9ED
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0040EA12
GetTickCount.KERNEL32 ref: 0040EA3C
__wcsnicmp.LIBCMT ref: 0040EA68
__wcsnicmp.LIBCMT ref: 0040EA9E

Part of subcall function 0048EDA7: __wcsnicmp_l.LIBCMT ref: 0048EE3A

__fassign.LIBCMT ref: 0040EAB5
PostMessageW.USER32(?,00000102,?,00000000), ref: 0040EB0B
PostMessageW.USER32(?,00000102,00000000,00000000), ref: 0040EB1E
__itow.LIBCMT ref: 0040EB5D
_free.LIBCMT ref: 0040EDF9

Strings

Down, xrefs: 0040E728
u2j, xrefs: 0040F0A9
jjj, xrefs: 0040EFFD
R, xrefs: 0040E75D
W[, xrefs: 0040EFEF
jjj, xrefs: 0040EFE7
Temp, xrefs: 0040E73F
D, xrefs: 0040F007
&, xrefs: 0040EE0F
ASC , xrefs: 0040EA62
BlockInput, xrefs: 0040F074
user32, xrefs: 0040F079
@+, xrefs: 0040EDBB

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AsyncState$Message__wcsnicmp$Post$CountTick$Peek__fassign__itow__wcsicoll__wcsnicmp_l_free
String ID: ASC $BlockInput$Down$R$Temp$W[$jjj$jjj$u2j$user32$@+$D$&
API String ID: 4094163869-1995836086
Opcode ID: 736017ab9851048b77c7189e0c710120cb2576245f70ec95b1a331980f3087b8
Instruction ID: 2281774c7c454032c348bef192ed07ac38e961d3da1bada98a71c26249f15680
Opcode Fuzzy Hash: 736017ab9851048b77c7189e0c710120cb2576245f70ec95b1a331980f3087b8
Instruction Fuzzy Hash: D8224771E04248ABEB20EB71DC41BAE3BB1AB45304F14483AE941773C2D678A955CB6E

Function 0040E019 Relevance: 70.5, APIs: 25, Strings: 15, Instructions: 518threadCOMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0040E021
GetWindowThreadProcessId.USER32(?,00000000), ref: 0040E0D3
AttachThreadInput.USER32(00001D00,00000000,00000001), ref: 0040E0FF
GetKeyboardLayout.USER32(00000000), ref: 0040E111

Strings

Down, xrefs: 0040E57F
u2j, xrefs: 0040F0A9
{Click, xrefs: 0040E075
jjj, xrefs: 0040EFFD
W[, xrefs: 0040EFEF
^+!#{}, xrefs: 0040E497
->, xrefs: 0040E12E
jjj, xrefs: 0040EFE7
Click, xrefs: 0040E5D2
D, xrefs: 0040F007
&, xrefs: 0040EE0F
BlockInput, xrefs: 0040E3D3, 0040F074
user32, xrefs: 0040E3D8, 0040F079
@+, xrefs: 0040EDBB
{Blind}, xrefs: 0040E01B

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Thread$AttachInputKeyboardLayoutProcessWindow__wcsnicmp
String ID: BlockInput$Click$Down$W[$^+!#{}$jjj$jjj$u2j$user32${Blind}${Click$->$@+$D$&
API String ID: 1856766819-133462133
Opcode ID: c7f2926fb57ef9f50b73015b70c67cd341fa40d0372b07f822cda65d3bd30a6c
Instruction ID: e20cf5ae9c183c6ee17abaf55a69111d0397c9fc3987c5a299b79d89282bf35c
Opcode Fuzzy Hash: c7f2926fb57ef9f50b73015b70c67cd341fa40d0372b07f822cda65d3bd30a6c
Instruction Fuzzy Hash: FB123471904245ABDB20DFA5DC45BAE3FB0AF15304F18447AE800BB3D2E3799995C7AE

Function 0040E17A Relevance: 70.5, APIs: 27, Strings: 13, Instructions: 467threadkeyboardCOMMON

Download Yara Rule

APIs

GetKeyboardLayout.USER32(00000000), ref: 0040E111
GetTickCount.KERNEL32 ref: 0040E17A
GetCurrentThreadId.KERNEL32 ref: 0040E1B1
GetAsyncKeyState.USER32(0000005B), ref: 0040E1E8
GetAsyncKeyState.USER32(0000005C), ref: 0040E1F6
GetForegroundWindow.USER32(?,02D53388,?), ref: 0040E255
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0040E26D
GetGUIThreadInfo.USER32 ref: 0040E283
GetWindowThreadProcessId.USER32(?,00000000), ref: 0040E2A2

Strings

u2j, xrefs: 0040F0A9
jjj, xrefs: 0040EFFD
W[, xrefs: 0040EFEF
^+!#{}, xrefs: 0040E497
jjj, xrefs: 0040EFE7
->, xrefs: 0040E12E
Click, xrefs: 0040E5D2
D, xrefs: 0040F007
0, xrefs: 0040E279
&, xrefs: 0040EE0F
BlockInput, xrefs: 0040E3D3, 0040F074
user32, xrefs: 0040E3D8, 0040F079
@+, xrefs: 0040EDBB

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Thread$Window$AsyncProcessState$CountCurrentForegroundInfoKeyboardLayoutTick
String ID: 0$BlockInput$Click$W[$^+!#{}$jjj$jjj$u2j$user32$->$@+$D$&
API String ID: 129495084-2023929695
Opcode ID: f44c7b8bd1be0d983c15274f5d1f2684d05acd607c06dc1612f13f616f2c6b7d
Instruction ID: 419eab7ce2967ea793ce4a15263c936d1881dedd841ae0817866ba0127be755f
Opcode Fuzzy Hash: f44c7b8bd1be0d983c15274f5d1f2684d05acd607c06dc1612f13f616f2c6b7d
Instruction Fuzzy Hash: 91028971904244ABDB20DB65EC45BAE3FB4AF15304F18447BE800BB3D2E7799994CB6E

Function 00417101 Relevance: 68.9, APIs: 13, Strings: 26, Instructions: 616COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(00000000,>AUTOHOTKEY SCRIPT<,0000000A,00000000,?,0042EB7E,00000000,00000000,0049EEAB,000000FF,00416DDD,00000000,-00000005,?,0042EB7E,00000000), ref: 0041714E
FindResourceW.KERNEL32(00000000,>AHK WITH ICON<,0000000A), ref: 0041715E
SizeofResource.KERNEL32(00000000,00000000,?,0042EB7E,00000000,00000000,0049EEAB,000000FF,00416DDD,00000000,-00000005,?,0042EB7E,00000000), ref: 0041716E
LoadResource.KERNEL32(00000000,00000000,?,0042EB7E,00000000,00000000,0049EEAB,000000FF,00416DDD,00000000,-00000005,?,0042EB7E,00000000), ref: 00417185
LockResource.KERNEL32(00000000,?,0042EB7E,00000000,00000000,0049EEAB,000000FF,00416DDD,00000000,-00000005,?,0042EB7E,00000000), ref: 00417194
__wcsnicmp.LIBCMT ref: 00417270
_memmove.LIBCMT ref: 00417326

Strings

%s up::, xrefs: 00418DC8
{RCtrl up}, xrefs: 00418D6C, 00418D88
Not a valid property getter/setter., xrefs: 00418F51
RQh(zJ, xrefs: 00418D87
%s::, xrefs: 00418CB5
@h@uJ, xrefs: 0041725B
jjj, xrefs: 00418E83
>AHK WITH ICON<, xrefs: 00417158
>AUTOHOTKEY SCRIPT<, xrefs: 0041711E
{Blind}{%s Up}, xrefs: 00418E64
Get, xrefs: 00417D66
S", xrefs: 00417208
h8uJ, xrefs: 00417216
Functions cannot contain functions., xrefs: 00418F47
Not a valid method, class or property definition., xrefs: 00418F34, 00418F41
8L$7j, xrefs: 00418E3F
#CommentFlag, xrefs: 0041725C
RQUC, xrefs: 00418D03
U_B, xrefs: 00418E8B
Set, xrefs: 00417D7A
VVVjgU0C, xrefs: 00418DB5
{Blind}%s%s{%s DownR}, xrefs: 00418D89
QhTzJ, xrefs: 00418DC7
Missing "{", xrefs: 00418F1D, 00418F2D
if not GetKeyState("%s"), xrefs: 00418D1A
PhdzJ, xrefs: 00418E63

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Resource$Find$LoadLockSizeof__wcsnicmp_memmove
String ID: #CommentFlag$%s up::$%s::$8L$7j$>AHK WITH ICON<$>AUTOHOTKEY SCRIPT<$@h@uJ$Functions cannot contain functions.$Get$Missing "{"$Not a valid method, class or property definition.$Not a valid property getter/setter.$PhdzJ$QhTzJ$RQUC$RQh(zJ$Set$U_B$VVVjgU0C$h8uJ$if not GetKeyState("%s")$jjj${Blind}%s%s{%s DownR}${Blind}{%s Up}${RCtrl up}$S"
API String ID: 2376650586-2012877966
Opcode ID: fc305ad2d6cb575203174f9fe85d50d56ef12545aea3f89f706bd9c120419466
Instruction ID: c3ea55567d26fb2407ac7b8641f70a228fd4f2a28ea5d3462899dacf533bdf0b
Opcode Fuzzy Hash: fc305ad2d6cb575203174f9fe85d50d56ef12545aea3f89f706bd9c120419466
Instruction Fuzzy Hash: 4232C07060C3419AD730DF24C881BEBB7E5AF95304F14492FF98987391E7789985CB9A

Function 0040E0AE Relevance: 58.2, APIs: 21, Strings: 12, Instructions: 420threadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(?,00000000), ref: 0040E0D3
AttachThreadInput.USER32(00001D00,00000000,00000001), ref: 0040E0FF
GetKeyboardLayout.USER32(00000000), ref: 0040E111

Strings

D, xrefs: 0040F007
u2j, xrefs: 0040F0A9
&, xrefs: 0040EE0F
BlockInput, xrefs: 0040E3D3, 0040F074
jjj, xrefs: 0040EFFD
user32, xrefs: 0040E3D8, 0040F079
W[, xrefs: 0040EFEF
^+!#{}, xrefs: 0040E497
@+, xrefs: 0040EDBB
jjj, xrefs: 0040EFE7
->, xrefs: 0040E12E
Click, xrefs: 0040E5D2

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Thread$AttachInputKeyboardLayoutProcessWindow
String ID: BlockInput$Click$W[$^+!#{}$jjj$jjj$u2j$user32$->$@+$D$&
API String ID: 1208206634-2117555299
Opcode ID: adb9e63cd6895b66f2fb4f9b271f213cdfb018240a1f363d16a3d72e19d9bad0
Instruction ID: 32cc453ddc04cf7ab4c8c3d5656cc687bd1b4f3d370065143ec83fde251556ed
Opcode Fuzzy Hash: adb9e63cd6895b66f2fb4f9b271f213cdfb018240a1f363d16a3d72e19d9bad0
Instruction Fuzzy Hash: 59F13671904244ABDB21DBA5EC45BEE3FB0AF15308F18447AE840BB3D2D3795994C7AE

Function 0041EAA0 Relevance: 56.8, APIs: 8, Strings: 24, Instructions: 774COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 0041EABF
__snwprintf.LIBCMT ref: 0041EAF2

Part of subcall function 004140C0: __fassign.LIBCMT ref: 004140EB

Strings

Duplicate function definition., xrefs: 0041EBAA
, =), xrefs: 0041F0EA
Unsupported parameter default., xrefs: 0041F481
this, xrefs: 0041EDAA
Too many params., xrefs: 0041F279
Missing close-quote, xrefs: 0041F472
true, xrefs: 0041F16B
Parameters of hotkey functions must be optional., xrefs: 0041F432
%s.%s, xrefs: 0041EADD
Invalid function declaration., xrefs: 0041F2D6
Out of memory., xrefs: 0041ECCF, 0041ED1F, 0041F304
value, xrefs: 0041EDF8
A label must not point to a function., xrefs: 0041F409
Missing ")", xrefs: 0041F4AA
Function name too long., xrefs: 0041EC12
Missing comma, xrefs: 0041F244
Duplicate declaration., xrefs: 0041EB38
Expected ":=", xrefs: 0041F46A
Blank parameter, xrefs: 0041F298, 0041F49B
Parameter default required., xrefs: 0041F48C
Duplicate parameter., xrefs: 0041F2A3
ByRef, xrefs: 0041EE95
false, xrefs: 0041F130
, :=*), xrefs: 0041EE6A, 0041EED5

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __fassign__snwprintf_wcschr
String ID: %s.%s$, :=*)$, =)$A label must not point to a function.$Blank parameter$ByRef$Duplicate declaration.$Duplicate function definition.$Duplicate parameter.$Expected ":="$Function name too long.$Invalid function declaration.$Missing ")"$Missing close-quote$Missing comma$Out of memory.$Parameter default required.$Parameters of hotkey functions must be optional.$Too many params.$Unsupported parameter default.$false$this$true$value
API String ID: 1314477730-1825772190
Opcode ID: 2674169c7ecc8dcc19114037b217eab099799b5cd30b2cb32452b9f40eea8873
Instruction ID: 56bfafe0a29c89f58416f922bfa0ad3b72a75432c4f71ac572f414c38c9c0280
Opcode Fuzzy Hash: 2674169c7ecc8dcc19114037b217eab099799b5cd30b2cb32452b9f40eea8873
Instruction Fuzzy Hash: 93520475604301ABC720DF25D841AABB3A1EF94314F14893FE9498B392E73DDD86C79A

Function 0040E2BF Relevance: 51.1, APIs: 18, Strings: 11, Instructions: 368keyboardlibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32,BlockInput), ref: 0040E3DD
GetProcAddress.KERNEL32(00000000), ref: 0040E3E4
GetTickCount.KERNEL32 ref: 0040E42F
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0040E454
GetTickCount.KERNEL32 ref: 0040E47E
_wcschr.LIBCMT ref: 0040E49C
_free.LIBCMT ref: 0040EDF9
GetKeyState.USER32(00000014), ref: 0040EFCE
GetKeyState.USER32(00000014), ref: 0040EFD6

Part of subcall function 004117F0: GetKeyState.USER32(00000000), ref: 004117FB
Part of subcall function 004117F0: GetKeyState.USER32(00000000), ref: 0041182A
Part of subcall function 004117F0: GetForegroundWindow.USER32(00000000), ref: 00411864
Part of subcall function 004117F0: GetWindowThreadProcessId.USER32(00000000), ref: 0041186B
Part of subcall function 004117F0: GetKeyState.USER32(00000014), ref: 004118AE

Strings

D, xrefs: 0040F007
u2j, xrefs: 0040F0A9
&, xrefs: 0040EE0F
BlockInput, xrefs: 0040E3D3, 0040F074
jjj, xrefs: 0040EFFD
user32, xrefs: 0040E3D8, 0040F079
W[, xrefs: 0040EFEF
^+!#{}, xrefs: 0040E497
@+, xrefs: 0040EDBB
jjj, xrefs: 0040EFE7
Click, xrefs: 0040E5D2

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: State$CountTickWindow$AddressForegroundHandleMessageModulePeekProcProcessThread_free_wcschr
String ID: BlockInput$Click$W[$^+!#{}$jjj$jjj$u2j$user32$@+$D$&
API String ID: 777000476-3088515670
Opcode ID: 360ff2a0dd51e44a7ef34f43e5dc86873268d327217e08d2768d0a9aede49575
Instruction ID: 07450953de2a4aef884f2e39c70f428d73c5906c148b341d1901e7ef592f138f
Opcode Fuzzy Hash: 360ff2a0dd51e44a7ef34f43e5dc86873268d327217e08d2768d0a9aede49575
Instruction Fuzzy Hash: 77E14571904248ABDB21DBA5EC45BEE3FB0AF15304F18447AE840BB3D2D3795994C7AE

Function 00415BC0 Relevance: 51.0, APIs: 27, Strings: 2, Instructions: 264comwindowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00408B70: CreateThread.KERNEL32(00000000,00002000,00408E80,00000000,00000000,004C83F0), ref: 00408BCA
Part of subcall function 00408B70: SetThreadPriority.KERNEL32(00000000,0000000F,?,00000000,00000000,00416D11,004CB680,?,?,00000000,004CB680,00416BD9,004CB680,0042EB7E), ref: 00408BE0
Part of subcall function 00408B70: PostThreadMessageW.USER32(00000000,00000417,?,00000000), ref: 00408C04
Part of subcall function 00408B70: Sleep.KERNEL32(0000000A,?,00000000,00000000,00416D11,004CB680,?,?,00000000,004CB680,00416BD9,004CB680,0042EB7E), ref: 00408C10
Part of subcall function 00408B70: GetTickCount.KERNEL32 ref: 00408C27
Part of subcall function 00408B70: PeekMessageW.USER32(?,00000000,00000417,00000417,00000001), ref: 00408C4A

Shell_NotifyIconW.SHELL32(00000002,004CB8F6), ref: 00415C09
IsWindow.USER32(00000000), ref: 00415C27
DestroyWindow.USER32(00000000,?,?,?,00000000,00000000), ref: 00415C34
DeleteObject.GDI32(00000000), ref: 00415C42
DeleteObject.GDI32(00000000), ref: 00415C4C
DeleteObject.GDI32(00000000), ref: 00415C56
DeleteObject.GDI32(00000000), ref: 00415C7D
DestroyCursor.USER32(00000000), ref: 00415C81
IsWindow.USER32(00000000), ref: 00415C8B
DestroyWindow.USER32(00000000,?,?,?,?,00000000,00000000), ref: 00415C99
DeleteObject.GDI32(00000000), ref: 00415CA7
DeleteObject.GDI32(00000000), ref: 00415CB1
DeleteObject.GDI32(00000000), ref: 00415CBB
DeleteObject.GDI32(?), ref: 00415D12
DestroyCursor.USER32(00000000), ref: 00415D2D
DestroyCursor.USER32(00000000), ref: 00415D36
IsWindow.USER32(00000000), ref: 00415D67
DestroyWindow.USER32(00000000,?,?,?,00000000,00000000), ref: 00415D74
DeleteObject.GDI32(00000000), ref: 00415D8F
ChangeClipboardChain.USER32(00010474,00000000), ref: 00415DD6
mciSendStringW.WINMM(status AHK_PlayMe mode,?,00000208,00000000), ref: 00415E03
mciSendStringW.WINMM(close AHK_PlayMe,00000000,00000000,00000000), ref: 00415E18
RtlDeleteCriticalSection.NTDLL(004C83D8), ref: 00415E1F
OleUninitialize.OLE32(?,?,?,00000000,00000000), ref: 00415E25
_free.LIBCMT ref: 00415E5B
_free.LIBCMT ref: 00415E97

Part of subcall function 0048F817: HeapFree.KERNEL32(00000000,00000000,?,00492183,00000000,?,0048E46A), ref: 0048F82D
Part of subcall function 0048F817: GetLastError.KERNEL32(00000000,?,00492183,00000000,?,0048E46A), ref: 0048F83F

_free.LIBCMT ref: 00415ED6

Strings

close AHK_PlayMe, xrefs: 00415E13
status AHK_PlayMe mode, xrefs: 00415DFE

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Delete$Object$DestroyWindow$CursorThread_free$MessageSendString$ChainChangeClipboardCountCreateCriticalErrorFreeHeapIconLastNotifyPeekPostPrioritySectionShell_SleepTickUninitialize
String ID: close AHK_PlayMe$status AHK_PlayMe mode
API String ID: 2053152309-1474590089
Opcode ID: e101fe866ce5ffce2b3bb0e16337543c2239cbe9cdf6e48220e1e1f0cbb6b058
Instruction ID: 573535fc50cdc2d3bf74edd2cd24ba6684edd0aa5feb5a0429812acd8d0e3010
Opcode Fuzzy Hash: e101fe866ce5ffce2b3bb0e16337543c2239cbe9cdf6e48220e1e1f0cbb6b058
Instruction Fuzzy Hash: DC916E71A00700DBD760DF69EC89FD777A8AB84744F18452EE849D7291EB38E880CB9D

Function 0040E6B0 Relevance: 33.4, APIs: 10, Strings: 9, Instructions: 168keyboardthreadCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0040EDF9
GetKeyState.USER32(00000014), ref: 0040EFCE
GetKeyState.USER32(00000014), ref: 0040EFD6
GetForegroundWindow.USER32(00000000), ref: 0040F011
GetWindowThreadProcessId.USER32(00000000), ref: 0040F018

Strings

D, xrefs: 0040F007
u2j, xrefs: 0040F0A9
&, xrefs: 0040EE0F
BlockInput, xrefs: 0040F074
jjj, xrefs: 0040EFFD
user32, xrefs: 0040F079
W[, xrefs: 0040EFEF
@+, xrefs: 0040EDBB
jjj, xrefs: 0040EFE7

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: StateWindow$ForegroundProcessThread_free
String ID: BlockInput$W[$jjj$jjj$u2j$user32$@+$D$&
API String ID: 1488558992-1238252293
Opcode ID: e23aab4bbba0159d227d7ad57c2e12daa7ee0b4cbe9fd3a81b84f71b643b18ac
Instruction ID: 7263535a4e82a06121bab8244f7260a3ffe82b5fa588864750cc112e695ba9d0
Opcode Fuzzy Hash: e23aab4bbba0159d227d7ad57c2e12daa7ee0b4cbe9fd3a81b84f71b643b18ac
Instruction Fuzzy Hash: AA513970D04244EBEB60DBA0EC46FAE3FB0AB55304F14457AE504A63D2D3795894CB6E

Function 0040E68A Relevance: 33.4, APIs: 10, Strings: 9, Instructions: 161keyboardthreadlibraryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0040E42F
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0040E454
GetTickCount.KERNEL32 ref: 0040E47E
_wcschr.LIBCMT ref: 0040E49C
_free.LIBCMT ref: 0040EDF9
GetKeyState.USER32(00000014), ref: 0040EFCE
GetKeyState.USER32(00000014), ref: 0040EFD6
GetForegroundWindow.USER32(00000000), ref: 0040F011
GetWindowThreadProcessId.USER32(00000000), ref: 0040F018
AttachThreadInput.USER32(00001D00,?,00000000), ref: 0040F053
GetModuleHandleW.KERNEL32(user32,BlockInput), ref: 0040F07E
GetProcAddress.KERNEL32(00000000), ref: 0040F085
GetForegroundWindow.USER32(00000000), ref: 0040F0AD

Part of subcall function 004113B0: SendInput.USER32(00000000,00000000,0000001C,00000000,FFFFFFFF,00000000), ref: 00411410
Part of subcall function 004113B0: GetForegroundWindow.USER32(?,?,00000000,FFFFFFFF,00000000), ref: 00411453

Strings

D, xrefs: 0040F007
u2j, xrefs: 0040F0A9
&, xrefs: 0040EE0F
BlockInput, xrefs: 0040F074
jjj, xrefs: 0040EFFD
user32, xrefs: 0040F079
W[, xrefs: 0040EFEF
@+, xrefs: 0040EDBB
jjj, xrefs: 0040EFE7

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Window$Foreground$CountInputStateThreadTick$AddressAttachHandleMessageModulePeekProcProcessSend_free_wcschr
String ID: BlockInput$W[$jjj$jjj$u2j$user32$@+$D$&
API String ID: 1020621991-1238252293
Opcode ID: a28e992f44717d855e527840fe48a82c4ee98747223d265655bc73ece0124d22
Instruction ID: cce426c752d8a9c5bbddf39c20b054f3e6192ef199ae3b67313394aeff9147ad
Opcode Fuzzy Hash: a28e992f44717d855e527840fe48a82c4ee98747223d265655bc73ece0124d22
Instruction Fuzzy Hash: 13515871D04244EBEB60DBA4EC46FEE3FB0AB55304F14417AE504A63E2D3796884CB6E

Function 0040FA50 Relevance: 30.2, APIs: 15, Strings: 2, Instructions: 466keyboardlibraryloaderCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0040FA7E
GetKeyboardState.USER32(?), ref: 0040FB46
SetKeyboardState.USER32(?), ref: 0040FBE5
PostMessageW.USER32(00000000,00000100,00000000,00000000), ref: 0040FC11
PostMessageW.USER32(00000000,00000101,00000000,00000000), ref: 0040FC4E
GetModuleHandleW.KERNEL32(user32,BlockInput), ref: 0040FCA2
GetProcAddress.KERNEL32(00000000), ref: 0040FCA9
GetForegroundWindow.USER32 ref: 0040FD1B
GetAsyncKeyState.USER32 ref: 0040FD4B
keybd_event.USER32(00000000,00000000,?,00000000), ref: 0040FE16
GetAsyncKeyState.USER32(?), ref: 0040FE61
keybd_event.USER32(00000000,00000000,00000002,00000000), ref: 0040FF41
GetAsyncKeyState.USER32(?), ref: 0040FF7C
GetModuleHandleW.KERNEL32(user32,BlockInput), ref: 0040FFF5
GetProcAddress.KERNEL32(00000000), ref: 0040FFFC

Strings

BlockInput, xrefs: 0040FC98, 0040FFEB
user32, xrefs: 0040FC9D, 0040FFF0

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: State$Async$AddressHandleKeyboardMessageModulePostProckeybd_event$CurrentForegroundThreadWindow
String ID: BlockInput$user32
API String ID: 1080742973-2744593370
Opcode ID: 3a191d049d892c591aab057385ee6816a806cf1b18531144576c57363d399800
Instruction ID: 19af0156ef4d3ee55dd79d0de02a96223c75fa260b3d02e2b480c2a537c268fd
Opcode Fuzzy Hash: 3a191d049d892c591aab057385ee6816a806cf1b18531144576c57363d399800
Instruction Fuzzy Hash: 9602B4B05083859BE721DF24D845BAB7BA0AB85304F18447FF885977D1C27CD98DCB9A

Function 00404500 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 74clipboardCOMMON

Download Yara Rule

APIs

GetClipboardFormatNameW.USER32(0000000D,00000104,00000104), ref: 0040452C
__wcsnicmp.LIBCMT ref: 0040453E
__wcsicoll.LIBCMT ref: 00404557
__wcsicoll.LIBCMT ref: 0040456C
__wcsicoll.LIBCMT ref: 00404581
__wcsicoll.LIBCMT ref: 00404596
__wcsicoll.LIBCMT ref: 004045AB
__wcsicoll.LIBCMT ref: 004045C0
GetClipboardData.USER32(0000000D), ref: 004045E6

Strings

Embed Source, xrefs: 00404590
OwnerLink, xrefs: 00404566
MSDEVLineSelect, xrefs: 004045BA
ObjectLink, xrefs: 00404551
Link Source, xrefs: 00404538
Native, xrefs: 0040457B
MSDEVColumnSelect, xrefs: 004045A5

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __wcsicoll$Clipboard$DataFormatName__wcsnicmp
String ID: Embed Source$Link Source$MSDEVColumnSelect$MSDEVLineSelect$Native$ObjectLink$OwnerLink
API String ID: 3127108255-1844231336
Opcode ID: c59ea5932d2f9fd590aa3d472bde3bb0c09371a1cd6ab20d2e6f52498aac1370
Instruction ID: 40afb35734437f51cce28a62eae329c8a5fedfd2c87ff76572df3eb0ecf2feed
Opcode Fuzzy Hash: c59ea5932d2f9fd590aa3d472bde3bb0c09371a1cd6ab20d2e6f52498aac1370
Instruction Fuzzy Hash: 0711A2B090030177D720F7669E42B2F72986FA0B05F440A3EBE94D12C1FBBCD619D66A

Function 00404330 Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 100clipboardCOMMON

Download Yara Rule

APIs

EmptyClipboard.USER32 ref: 00404354
GlobalUnlock.KERNEL32(00000000), ref: 0040436B
CloseClipboard.USER32 ref: 00404374
GlobalUnlock.KERNEL32(?), ref: 004043AB
GlobalFree.KERNEL32(00000000), ref: 004043BD
GlobalUnlock.KERNEL32 ref: 004043D3
CloseClipboard.USER32 ref: 004043D8

Part of subcall function 00404430: GlobalUnlock.KERNEL32(00000000), ref: 0040444C
Part of subcall function 00404430: CloseClipboard.USER32 ref: 00404451
Part of subcall function 00404430: GlobalUnlock.KERNEL32(00000000), ref: 00404465
Part of subcall function 00404430: GlobalFree.KERNEL32(00000000), ref: 00404475

Strings

SetClipboardData, xrefs: 0040441F
Can't open clipboard for writing., xrefs: 00404346
EmptyClipboard, xrefs: 0040437F

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Global$Unlock$Clipboard$Close$Free$Empty
String ID: Can't open clipboard for writing.$EmptyClipboard$SetClipboardData
API String ID: 1414016178-2690908087
Opcode ID: 83b58129dcf8664e3942b4f36190da09b0bd03338c258276e0b262cccb66cf6b
Instruction ID: a04d12cdcd0b7c149a22fd1595c8d6b142b5c66e65721eb3e5eb9c19c67f0655
Opcode Fuzzy Hash: 83b58129dcf8664e3942b4f36190da09b0bd03338c258276e0b262cccb66cf6b
Instruction Fuzzy Hash: 60316DB26017019FC7309F66D8C451BFBE4FF91315324893FE68692AA0C638A884CF58

Function 0041F510 Relevance: 17.9, APIs: 1, Strings: 9, Instructions: 427COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0041F5A2

Strings

Full class name is too long., xrefs: 0041F855
Invalid class name., xrefs: 0041F647
Syntax error in class definition., xrefs: 0041F757
Duplicate class definition., xrefs: 0041F8CB
Out of memory., xrefs: 0041F740
__Class, xrefs: 0041F706, 0041F981
Missing class name., xrefs: 0041F5E3
extends, xrefs: 0041F59C
This class definition is nested too deep., xrefs: 0041F52B

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __wcsnicmp
String ID: Duplicate class definition.$Full class name is too long.$Invalid class name.$Missing class name.$Out of memory.$Syntax error in class definition.$This class definition is nested too deep.$__Class$extends
API String ID: 1038674560-3763243221
Opcode ID: 00c0cb11bcef65f8551863bc886cd4a89573a265b7bccfaa25a0166f9e76213f
Instruction ID: 36c95c0af802dabb45c062092ea4adadaaec72f0e587411c51847d6f48675fd7
Opcode Fuzzy Hash: 00c0cb11bcef65f8551863bc886cd4a89573a265b7bccfaa25a0166f9e76213f
Instruction Fuzzy Hash: D5E1FE71A042009FC724DF19C481AABB7E1FF99354F44846FF8498B351D379D98ACB9A

Function 00482F60 Relevance: 17.1, Strings: 13, Instructions: 825COMMON

Download Yara Rule

Strings

CRLF), xrefs: 00483233
UCP), xrefs: 004830B3
BSR_UNICODE), xrefs: 00483431
$, xrefs: 004838BF
BSR_ANYCRLF), xrefs: 00483398
no error, xrefs: 00483915
NO_START_OPT), xrefs: 0048310B
ANY), xrefs: 004832AB
ANYCRLF), xrefs: 00483323
Error text not found (please report), xrefs: 00483932
UTF16), xrefs: 00483055
CR), xrefs: 00483163
LF), xrefs: 004831B7

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: $$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$Error text not found (please report)$LF)$NO_START_OPT)$UCP)$UTF16)$no error
API String ID: 0-3688278424
Opcode ID: 3b4a83e86fa2fb5aaf46a8627bd972145f0f9de074951579b44a443c28ac94e3
Instruction ID: 3afafb0e86b34d4732ae4b56aef0687cf5cd5a6577105fa0171d1c03f56fc13a
Opcode Fuzzy Hash: 3b4a83e86fa2fb5aaf46a8627bd972145f0f9de074951579b44a443c28ac94e3
Instruction Fuzzy Hash: 2C62C2719083818BC724AF14C8507AFB7E1FF94B05F544D2EE8DA87390EB789A45CB56

Function 004109A0 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 283COMMON

Download Yara Rule

Strings

@, xrefs: 00410C38

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 7e33d07b0cff1c6508bc9d9b811f6324bc2d25ff61fb4e588c4f091380a5daf8
Instruction ID: 9e72cf68064eff00ee00a8f7ecf91c6e7178858ef4326cc978418c4762071aa7
Opcode Fuzzy Hash: 7e33d07b0cff1c6508bc9d9b811f6324bc2d25ff61fb4e588c4f091380a5daf8
Instruction Fuzzy Hash: FCA1D3706483048FE718DB28D895BABB7E0AB95345F14452FF48683390D7BCE9C5CB9A

Function 0040C1B0 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 262COMMON

Download Yara Rule

APIs

Part of subcall function 0040BB90: _memset.LIBCMT ref: 0040BBA7

_memset.LIBCMT ref: 0040C226
_wcsncpy.LIBCMT ref: 0040C36E
_wcsncpy.LIBCMT ref: 0040C3F2
_wcsncpy.LIBCMT ref: 0040C420
__wcsicoll.LIBCMT ref: 0040C4BC
__wcsicoll.LIBCMT ref: 0040C4D5

Strings

& , xrefs: 0040C34E, 0040C379
Up, xrefs: 0040C432
@, xrefs: 0040C32C

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _wcsncpy$__wcsicoll_memset
String ID: & $ Up$@
API String ID: 2925817191-3870727058
Opcode ID: 54dabcecbfd578eda620c0f7b08743fadaaacbcf08f6edcc699776a1eaf22716
Instruction ID: 6661d5ffd3155fde33c7b8d727157ac261c7b2c2d09e36201dffd45d78757b15
Opcode Fuzzy Hash: 54dabcecbfd578eda620c0f7b08743fadaaacbcf08f6edcc699776a1eaf22716
Instruction Fuzzy Hash: 6491B021408380C6D730DB6495D17FBB7E1AF92300F548A6FE8C5A72C2E3799949D3AB

Function 0040BB90 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 242COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040BBA7
_wcsncpy.LIBCMT ref: 0040BD51
_wcsncpy.LIBCMT ref: 0040BDBF
_wcsncpy.LIBCMT ref: 0040BDEE

Strings

& , xrefs: 0040BD2E, 0040BD58
Up, xrefs: 0040BE00

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _wcsncpy$_memset
String ID: & $ Up
API String ID: 4291556967-3258026345
Opcode ID: 63c79895643a8a16f689f70669fb381062f42340de29809e076359d3d70f7121
Instruction ID: 947f94153c870f6ff94ed1283692d9d6279b5c0da207c1724ac29def42cf6510
Opcode Fuzzy Hash: 63c79895643a8a16f689f70669fb381062f42340de29809e076359d3d70f7121
Instruction Fuzzy Hash: 7471F33120824096DB258A2489D17B7B7A1EF93704F28447FD8C5BB3D1E77E984993DE

Function 004127C0 Relevance: 10.6, APIs: 7, Instructions: 105keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardLayout.USER32(00000000), ref: 004127CC
_memset.LIBCMT ref: 004127ED
ToUnicodeEx.USER32(0000006E,00000000,-00000018,-00000028,00000002,00000000,00000000), ref: 0041280E
ToUnicodeEx.USER32(00000000,00000000,-00000018,-00000028,00000002,00000000,00000000), ref: 0041282F
ToUnicodeEx.USER32(0000006E,00000000,-00000018,-0000001C,00000002,00000000,00000000), ref: 0041284C
ToUnicodeEx.USER32(00000000,00000000,-00000018,-0000001C,00000002,00000000,00000000), ref: 0041288B
MapVirtualKeyExW.USER32(?,00000002,00000000), ref: 004128B6

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Unicode$KeyboardLayoutVirtual_memset
String ID:
API String ID: 2910491412-0
Opcode ID: ce7b39d258641fe2b47f719185425a085e8cc06234974a81520d28679617c035
Instruction ID: a706856350bfed917a84ac3aec72d48d71a636a738e6a86ccf74fbd421833a48
Opcode Fuzzy Hash: ce7b39d258641fe2b47f719185425a085e8cc06234974a81520d28679617c035
Instruction Fuzzy Hash: E131F4326813007AD324DB61DD06FEB7BA8EBC5F14F40491EB644960C1D2B9D519C7BA

Function 00408E80 Relevance: 9.1, APIs: 6, Instructions: 113windowthreadCOMMON

Download Yara Rule

APIs

GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00408EAB
SetWindowsHookExW.USER32(0000000D,Function_000047F0,00400000,00000000), ref: 00408F13
UnhookWindowsHookEx.USER32(00000000), ref: 00408F2C
SetWindowsHookExW.USER32(0000000E,Function_00004960,00400000,00000000), ref: 00408F6F
UnhookWindowsHookEx.USER32(00000000), ref: 00408F83
PostThreadMessageW.USER32(00001D00,00000417,00000000,00000000), ref: 00408FB0

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: HookWindows$MessageUnhook$PostThread
String ID:
API String ID: 378849449-0
Opcode ID: 593f39acc818ad3f908b9cd3770af1f3038bf207bc47d0d186d406c0620ede82
Instruction ID: d4dc985ba7ae6a070033fca38dd1124495fbfbd0803b4979b57f43c5751ebb3f
Opcode Fuzzy Hash: 593f39acc818ad3f908b9cd3770af1f3038bf207bc47d0d186d406c0620ede82
Instruction Fuzzy Hash: 9831AF70254302AAE7209B34EE49BA73B95AB90748F14003EF680E63D1DB78D845CB9E

Function 004117F0 Relevance: 7.6, APIs: 5, Instructions: 84keyboardthreadCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000000), ref: 004117FB
GetKeyState.USER32(00000000), ref: 0041182A
GetForegroundWindow.USER32(00000000), ref: 00411864
GetWindowThreadProcessId.USER32(00000000), ref: 0041186B
GetKeyState.USER32(00000014), ref: 004118AE

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: State$Window$ForegroundProcessThread
String ID:
API String ID: 2921243749-0
Opcode ID: 9e04f788196a158cfe603d2f009003d629b4f62b7f8bb45ff84fdd8e8f849608
Instruction ID: ba167a81eb12e829cb67a72ffc559882dcaf5e7072fd548d71ecb31c6a883af0
Opcode Fuzzy Hash: 9e04f788196a158cfe603d2f009003d629b4f62b7f8bb45ff84fdd8e8f849608
Instruction Fuzzy Hash: 33215B31A8031576EA307744AC43FAA76646B52B99F144136F748392F2D7FA34C4467E

Function 00494EE6 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0049983A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0049984F
UnhandledExceptionFilter.KERNEL32(004A27C4), ref: 0049985A
GetCurrentProcess.KERNEL32(C0000409), ref: 00499876
TerminateProcess.KERNEL32(00000000), ref: 0049987D

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 729c42f4b80c22c6941f823498b30a394449165d934a0126fecac05377793948
Instruction ID: d8fc70a5dfd7a516f87603d7b1e726f00fb65d0f949e943e378fc2c4c8ebacc8
Opcode Fuzzy Hash: 729c42f4b80c22c6941f823498b30a394449165d934a0126fecac05377793948
Instruction Fuzzy Hash: 9421CDB48182049FDB81DF29FD49AA43BB4FF98311F10417AE40A862A1EBB459818F1D

Function 0048CBF0 Relevance: 7.2, Strings: 5, Instructions: 1000COMMON

Download Yara Rule

Strings

VUUU, xrefs: 0048D063
VUUU, xrefs: 0048D09C
VUUU, xrefs: 0048D0EF
ERCP, xrefs: 0048CCC9
VUUU, xrefs: 0048D078

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: d9d671fb3959ed80564cee6bdc1e129625b9e9f10f259aedf6daf1ee1e581451
Instruction ID: c8d810c1db611b5a8436fcc59964c228980774c9aae12cbb1566b64d3d25f312
Opcode Fuzzy Hash: d9d671fb3959ed80564cee6bdc1e129625b9e9f10f259aedf6daf1ee1e581451
Instruction Fuzzy Hash: DC828E71A053418BDB24EF18C4807AEB7E1FB94314F148E2FE999873D0D7399885CB5A

Function 00476360 Relevance: 6.0, APIs: 4, Instructions: 32windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,0040ED23,?), ref: 00476364
IsIconic.USER32(00000000), ref: 00476371
GetWindowRect.USER32(00000000,?), ref: 00476387
ClientToScreen.USER32 ref: 004763A5

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Window$ClientForegroundIconicRectScreen
String ID:
API String ID: 4031265896-0
Opcode ID: 7c63bf72ad617980b51b0adafd7ef1f09d2bbf20327d0e8a7218cb5049628913
Instruction ID: 349e6bd27320aafe0b75f938d2e8bf42d6feae546cb692c440e23face523bd5b
Opcode Fuzzy Hash: 7c63bf72ad617980b51b0adafd7ef1f09d2bbf20327d0e8a7218cb5049628913
Instruction Fuzzy Hash: CAF01D70509B12AFD714DF14D844AAB7BADAF85354F458429E84A81210EB38C959CBAA

Function 00416D74 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 163timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00472450: _malloc.LIBCMT ref: 0047246D

SetCurrentDirectoryW.KERNEL32(02D60048,?,?,00000068), ref: 00416EA2
GetSystemTimeAsFileTime.KERNEL32(?,00000000,004A296C,000000FF,?,00000001,ErrorLevel,?,00000003,?,00000000,?,?,?,?,00000068), ref: 00416F26

Strings

ErrorLevel, xrefs: 00416EFC

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Time$CurrentDirectoryFileSystem_malloc
String ID: ErrorLevel
API String ID: 469155842-220487136
Opcode ID: cbeb643617cabfd42b02e794f98e7a71917d6e35559efd6b4262dace711c1aae
Instruction ID: 0f37075953a49e467974e7ed1f7043cc7085fddd668eb0913d6d8755411bbf8e
Opcode Fuzzy Hash: cbeb643617cabfd42b02e794f98e7a71917d6e35559efd6b4262dace711c1aae
Instruction Fuzzy Hash: 97518F75600206AFD714DF25E8C0AABB7A8FB49318F55826EF91487341D739EC92CB98

Function 004135CE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(004CC1C8), ref: 004135ED
__snwprintf.LIBCMT ref: 00413624

Strings

%u.%u.%u, xrefs: 00413607
10.0.19045, xrefs: 0041360E

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Version__snwprintf
String ID: %u.%u.%u$10.0.19045
API String ID: 444779968-4060445884
Opcode ID: 8ab00cea65283b22f22046c8ff0d648fffeb17610fabc904fe6ae44aedc90cef
Instruction ID: e00fc1e8c1641297295b80037f7914b437863e2211aaf2f2cff3d796b0923d98
Opcode Fuzzy Hash: 8ab00cea65283b22f22046c8ff0d648fffeb17610fabc904fe6ae44aedc90cef
Instruction Fuzzy Hash: 61017CB1A44280AFD794CF99FCC1E6237E1A348301B94807EE50DC63A2C67959818B1D

Function 00416460 Relevance: 4.5, APIs: 3, Instructions: 45clipboardwindowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(00010474,00000415,00000001,00000000), ref: 004164A4
SetClipboardViewer.USER32(00010474), ref: 004164B7
ChangeClipboardChain.USER32(00010474,?), ref: 004164F9

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Clipboard$ChainChangeMessagePostViewer
String ID:
API String ID: 1822368796-0
Opcode ID: 66b4ad8778a9a1db10b4afb89228252d001779af1dd83b2b98434eda50504213
Instruction ID: d8ff7ec2e551a96c7b77d71ddde57276ed414ea606c34775e691784866d8f61e
Opcode Fuzzy Hash: 66b4ad8778a9a1db10b4afb89228252d001779af1dd83b2b98434eda50504213
Instruction Fuzzy Hash: E8015E31241380BAD7A1CB78AE88FD63FA46746740F088569E94987670CA39E884CB1D

Function 00413420 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0041342F

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CountTick
String ID:
API String ID: 536389180-0
Opcode ID: cfd2e3bf3eabfd15022235e6bdf9fab750d431d43ff95fef80e580cb5191b4d2
Instruction ID: 0fb791346265a37c5128e108407b8eb3261145f3a9e5794297c54ff1ba5d0346
Opcode Fuzzy Hash: cfd2e3bf3eabfd15022235e6bdf9fab750d431d43ff95fef80e580cb5191b4d2
Instruction Fuzzy Hash: C911C83257151187E358CF3ADC41A56B3E2E7D4309B24CBBDE4A7872D5DE396A018B8C

Function 00413421 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1585e58c7cf54ef47287d4eed4ba6f1d05a63060bcb48af9938aaaabb4020bf
Instruction ID: 5e7a7f5ad6d7931b19fa867d9c5d20d8756386c508df5d3f354a98d1f6e4ffaa
Opcode Fuzzy Hash: a1585e58c7cf54ef47287d4eed4ba6f1d05a63060bcb48af9938aaaabb4020bf
Instruction Fuzzy Hash: 8C112B3267151187E314CF3ACC81956B7E2DBD4308724CBADE4F3872D5DE39AA058B88

Function 00414AF0 Relevance: 89.5, APIs: 26, Strings: 25, Instructions: 215COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 00414B08
__wcsicoll.LIBCMT ref: 00414B20

Strings

Log, xrefs: 00414BC2
Pow, xrefs: 00414B7A
Cos, xrefs: 00414C6A
BitXOr, xrefs: 00414D12
BitShiftRight, xrefs: 00414D5A
ATan, xrefs: 00414CCA
Asc, xrefs: 00414B02
Floor, xrefs: 00414C22
BitShiftLeft, xrefs: 00414D42
Abs, xrefs: 00414C3A
BitNot, xrefs: 00414D2A
BitOr, xrefs: 00414CFA
Sqrt, xrefs: 00414BAA
ASin, xrefs: 00414C9A
Deref, xrefs: 00414B32
HTML, xrefs: 00414B4A
Sin, xrefs: 00414C52
ACos, xrefs: 00414CB2
BitAnd, xrefs: 00414CE2
Ceil, xrefs: 00414C0A
Tan, xrefs: 00414C82
Mod, xrefs: 00414B62
Chr, xrefs: 00414B1A
Round, xrefs: 00414BF2
Exp, xrefs: 00414B92

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __wcsicoll
String ID: ACos$ASin$ATan$Abs$Asc$BitAnd$BitNot$BitOr$BitShiftLeft$BitShiftRight$BitXOr$Ceil$Chr$Cos$Deref$Exp$Floor$HTML$Log$Mod$Pow$Round$Sin$Sqrt$Tan
API String ID: 3832890014-879508146
Opcode ID: af2c0924fc3936ccb5dd6ca8df4ff7d29303f4fe0b42cab857bb7c334cce8d90
Instruction ID: 68cc772c1238f872cd2fbcec7dcd17903a62d9cb844cc40126864c921891a254
Opcode Fuzzy Hash: af2c0924fc3936ccb5dd6ca8df4ff7d29303f4fe0b42cab857bb7c334cce8d90
Instruction Fuzzy Hash: 55517E69B4161022EF11316E9C03BDB10499BB2B4FFCA446AFC14D5381F78DDA4552AE

Function 00415400 Relevance: 42.1, APIs: 12, Strings: 12, Instructions: 101COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 00415418
__wcsicoll.LIBCMT ref: 00415430

Strings

Time, xrefs: 0041545A
Integer, xrefs: 00415412
Alnum, xrefs: 004154B4
Xdigit, xrefs: 0041549C
Upper, xrefs: 004154E4
Alpha, xrefs: 004154CC
Space, xrefs: 00415514
Digit, xrefs: 00415484
Float, xrefs: 0041542A
Date, xrefs: 00415472
Lower, xrefs: 004154FC
Number, xrefs: 00415442

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __wcsicoll
String ID: Alnum$Alpha$Date$Digit$Float$Integer$Lower$Number$Space$Time$Upper$Xdigit
API String ID: 3832890014-3813714638
Opcode ID: 04873228175a9e8c1a658eaa0f2afd770dd6a2d0a9db765441ecb1732053cf28
Instruction ID: c2ab21fa1fdb1b4f8c81e168adc2d11181d82e4672b8973730798e9422747b7d
Opcode Fuzzy Hash: 04873228175a9e8c1a658eaa0f2afd770dd6a2d0a9db765441ecb1732053cf28
Instruction Fuzzy Hash: 2B214F61B45A1172EF21316A5C03BDF20895BB2B0FF95446BFC14D4381F79CDA9582AE

Function 00417EBE Relevance: 40.6, APIs: 3, Strings: 20, Instructions: 365COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00417FB1

Strings

%s up::, xrefs: 00418DC8
{RCtrl up}, xrefs: 00418D6C, 00418D88
Not a valid method, class or property definition., xrefs: 00418F5B
8L$7j, xrefs: 00418E3F
#CommentFlag, xrefs: 0041725C
U_B, xrefs: 00418E8B
RQUC, xrefs: 00418D03
Static, xrefs: 00417FAB
RQh(zJ, xrefs: 00418D87
{Blind}%s%s{%s DownR}, xrefs: 00418D89
VVVjgU0C, xrefs: 00418DB5
QhTzJ, xrefs: 00418DC7
%s::, xrefs: 00418CB5
@h@uJ, xrefs: 0041725B
jjj, xrefs: 00418E83
if not GetKeyState("%s"), xrefs: 00418D1A
{Blind}{%s Up}, xrefs: 00418E64
{, xrefs: 00417F53
PhdzJ, xrefs: 00418E63
#, xrefs: 00417FE4

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __wcsnicmp
String ID: #$#CommentFlag$%s up::$%s::$8L$7j$@h@uJ$Not a valid method, class or property definition.$PhdzJ$QhTzJ$RQUC$RQh(zJ$Static$U_B$VVVjgU0C$if not GetKeyState("%s")$jjj${${Blind}%s%s{%s DownR}${Blind}{%s Up}${RCtrl up}
API String ID: 1038674560-2171338969
Opcode ID: 3081d9ea4413a6217d71e8dbe8b6073d65776151c1c03ee9f2727b5993e9c2c9
Instruction ID: 441201033f6a3a1350c648a3acfd3bce6ac2facf40a55ec189a8e6d0c819e3aa
Opcode Fuzzy Hash: 3081d9ea4413a6217d71e8dbe8b6073d65776151c1c03ee9f2727b5993e9c2c9
Instruction Fuzzy Hash: CBC1E37150C341AAD730DB258C82BEBB7E4AB95304F54491FF88986281E77C99C5C79A

Function 0040DACA Relevance: 40.4, APIs: 16, Strings: 7, Instructions: 126COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0040DAD0
__wcsicoll.LIBCMT ref: 0040DAE6
__wcsicoll.LIBCMT ref: 0040DAFC

Part of subcall function 0048E559: __wcsicmp_l.LIBCMT ref: 0048E5D9

__wcsicoll.LIBCMT ref: 0040DB12
__wcsicoll.LIBCMT ref: 0040DB28
__wcsicoll.LIBCMT ref: 0040DB3E
__wcsicoll.LIBCMT ref: 0040DB54
__wcsicoll.LIBCMT ref: 0040DB6C

Strings

WheelRight, xrefs: 0040DBF9
LEFT, xrefs: 0040DACA
WheelDown, xrefs: 0040DBB1
MIDDLE, xrefs: 0040DB22
RIGHT, xrefs: 0040DAF6
WheelLeft, xrefs: 0040DBD5
WheelUp, xrefs: 0040DB89

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __wcsicoll$__wcsicmp_l
String ID: LEFT$MIDDLE$RIGHT$WheelDown$WheelLeft$WheelRight$WheelUp
API String ID: 3172861507-1318937625
Opcode ID: e21ada1a1e61427941babd0435947afa2e7378f49440bdf815d8dc6560d8c262
Instruction ID: 64cc6021fdaaa39da6a2d72903648126ad92cf644a6d4e7d96c691918c9642a3
Opcode Fuzzy Hash: e21ada1a1e61427941babd0435947afa2e7378f49440bdf815d8dc6560d8c262
Instruction Fuzzy Hash: 0631C845E85A1531EB1135BB5E03B6F10885F7274BF99047BB814E02C2FADDE619C1BE

Function 00446AA0 Relevance: 38.7, APIs: 11, Strings: 11, Instructions: 234COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 00446B03
__wcsicoll.LIBCMT ref: 00446B9D
__wcsicoll.LIBCMT ref: 00446BB7
__wcsicoll.LIBCMT ref: 00446BD1
__wcsicoll.LIBCMT ref: 00446BEB
__wcsicoll.LIBCMT ref: 00446C05
__wcsicoll.LIBCMT ref: 00446C1F
__wcsicoll.LIBCMT ref: 00446C39
__wcsicoll.LIBCMT ref: 00446C53
__wcsicoll.LIBCMT ref: 00446C6D
__wcsicoll.LIBCMT ref: 00446C87

Strings

WStr, xrefs: 00446C81
Str, xrefs: 00446BB1
Short, xrefs: 00446BE5
Int64, xrefs: 00446C19
AStr, xrefs: 00446C67
Double, xrefs: 00446C4D
Int, xrefs: 00446B97
Float, xrefs: 00446C33
*pP, xrefs: 00446B0D
Char, xrefs: 00446BFF
Ptr, xrefs: 00446BCB

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __wcsicoll$_wcsncpy
String ID: *pP$AStr$Char$Double$Float$Int$Int64$Ptr$Short$Str$WStr
API String ID: 1630244902-313837492
Opcode ID: 99b0fb43c867ffb57cedeb89ca7049ef4b427b6b1a9d086fde8bb78176b2e565
Instruction ID: a7267d39c62d36cad4a64dec825c099bd02f46d96d18b05dc80f342fef3adc16
Opcode Fuzzy Hash: 99b0fb43c867ffb57cedeb89ca7049ef4b427b6b1a9d086fde8bb78176b2e565
Instruction Fuzzy Hash: 8D6104B2A0030456EB20DF55DCC16AF7394EB92366F55882FED4886240E77EE54CC3AB

Function 004146B0 Relevance: 38.7, APIs: 12, Strings: 10, Instructions: 205registryCOMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 004147B5
__wcsicoll.LIBCMT ref: 004147CF
__wcsicoll.LIBCMT ref: 004147E9
__wcsicoll.LIBCMT ref: 00414803
__wcsicoll.LIBCMT ref: 0041481D
__wcsicoll.LIBCMT ref: 00414837
__wcsicoll.LIBCMT ref: 0041484D
__wcsicoll.LIBCMT ref: 00414863
__wcsicoll.LIBCMT ref: 00414879
__wcsicoll.LIBCMT ref: 0041488F
_wcsncpy.LIBCMT ref: 004148D0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 004148F8

Strings

HKCU, xrefs: 00414847
HKEY_CURRENT_CONFIG, xrefs: 00414831
HKU, xrefs: 00414873
HKLM, xrefs: 004147AF
HKEY_CLASSES_ROOT, xrefs: 004147FD
HKEY_USERS, xrefs: 00414889
HKCR, xrefs: 004147E3
HKEY_LOCAL_MACHINE, xrefs: 004147C9
HKEY_CURRENT_USER, xrefs: 0041485D
HKCC, xrefs: 00414817

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __wcsicoll$ConnectRegistry_wcsncpy
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 2753222686-909552448
Opcode ID: 98ab23052f0ac6f54c0bcea04685c804547d1a8a7878becb29e49e3847af84ab
Instruction ID: da5925f4d64a95f1df938f9c08d8f1a745735a2b2e3fe7bb7e79b7cffbd62cde
Opcode Fuzzy Hash: 98ab23052f0ac6f54c0bcea04685c804547d1a8a7878becb29e49e3847af84ab
Instruction Fuzzy Hash: 8B51697660430156D720FAA5AD41BFB73E8DFD6714F19082FED5483280F7ADD98883AA

Function 00479E60 Relevance: 33.6, APIs: 14, Strings: 5, Instructions: 345COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00479F24
__wcstoui64.LIBCMT ref: 00479FA3
IsWindow.USER32(00000000), ref: 00479FBD
__wcsnicmp.LIBCMT ref: 00479FE8
__wcstoi64.LIBCMT ref: 0047A00A

Part of subcall function 0049018E: wcstoxq.LIBCMT ref: 004901AF

__wcsnicmp.LIBCMT ref: 0047A041
_wcsncpy.LIBCMT ref: 0047A074
__wcsicoll.LIBCMT ref: 0047A0B9
_wcsncpy.LIBCMT ref: 0047A202
_wcsncpy.LIBCMT ref: 0047A268

Strings

group, xrefs: 0047A03B
ahk_, xrefs: 00479ED3, 0047A151, 0047A176, 0047A237
class, xrefs: 0047A105
pid, xrefs: 00479FE2
exe, xrefs: 0047A0E3

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __wcsnicmp_wcsncpy$Window__wcsicoll__wcstoi64__wcstoui64wcstoxq
String ID: ahk_$class$exe$group$pid
API String ID: 3421470534-2955265324
Opcode ID: b0c4b57e3fc4c8c5a5aa184d85b41cea0fa485d9634ec29ebd804c68306f1738
Instruction ID: ee763a9c4c256411da002b77102d4154a26e7c03c3a4695fb81d6ced18f52335
Opcode Fuzzy Hash: b0c4b57e3fc4c8c5a5aa184d85b41cea0fa485d9634ec29ebd804c68306f1738
Instruction Fuzzy Hash: EAC1B071A043019AD734AB2588457EBB3E4EF94304F14882FE88ED6391F77C9999C79B

Function 00446D50 Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 181libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32,?,?,?,?), ref: 00446D77
GetModuleHandleW.KERNEL32(kernel32,?,?), ref: 00446D83
GetModuleHandleW.KERNEL32(comctl32,?,?), ref: 00446D8F
GetModuleHandleW.KERNEL32(gdi32,?,?), ref: 00446D9B
_wcsncpy.LIBCMT ref: 00446DB7
_wcsrchr.LIBCMT ref: 00446DD0
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000,?,?,?,?,?), ref: 00446DFD
GetProcAddress.KERNEL32(00000000,?), ref: 00446E1F
GetProcAddress.KERNEL32(?,?), ref: 00446E6F
WideCharToMultiByte.KERNEL32(00000000,00000000,-00000002,000000FF,?,00000104,00000000,00000000,?,?,?,?,?), ref: 00446E9D
GetModuleHandleW.KERNEL32(?,?,?,?,?,?), ref: 00446EAB
LoadLibraryW.KERNEL32(?,?,?,?,?,?), ref: 00446EC6
GetProcAddress.KERNEL32(00000000,?), ref: 00446EFF
GetProcAddress.KERNEL32(00000000,?), ref: 00446F28

Strings

kernel32, xrefs: 00446D79
comctl32, xrefs: 00446D85
gdi32, xrefs: 00446D91
user32, xrefs: 00446D72
DllCall, xrefs: 00446ED4, 00446F76

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: HandleModule$AddressProc$ByteCharMultiWide$LibraryLoad_wcsncpy_wcsrchr
String ID: DllCall$comctl32$gdi32$kernel32$user32
API String ID: 1361463379-1793033601
Opcode ID: 7f5eb50748650a62448da724b9d3fab7abe0ee911d914b5b0ea1ca5a0fc573a1
Instruction ID: b4e82e5e6cd7f76ba01e2bf84d453eb5072c2814fdd91ea8be92f7fe32ca0d2f
Opcode Fuzzy Hash: 7f5eb50748650a62448da724b9d3fab7abe0ee911d914b5b0ea1ca5a0fc573a1
Instruction Fuzzy Hash: 95515B726003015BE7709B24ECC4FEBB399EFE5720F55452EE84883290EB79EC05879A

Function 00417E7D Relevance: 31.7, APIs: 2, Strings: 16, Instructions: 248COMMON

Download Yara Rule

Strings

%s up::, xrefs: 00418DC8
{RCtrl up}, xrefs: 00418D6C, 00418D88
8L$7j, xrefs: 00418E3F
#CommentFlag, xrefs: 0041725C
U_B, xrefs: 00418E8B
RQUC, xrefs: 00418D03
RQh(zJ, xrefs: 00418D87
{Blind}%s%s{%s DownR}, xrefs: 00418D89
VVVjgU0C, xrefs: 00418DB5
QhTzJ, xrefs: 00418DC7
%s::, xrefs: 00418CB5
@h@uJ, xrefs: 0041725B
jjj, xrefs: 00418E83
if not GetKeyState("%s"), xrefs: 00418D1A
{Blind}{%s Up}, xrefs: 00418E64
PhdzJ, xrefs: 00418E63

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: #CommentFlag$%s up::$%s::$8L$7j$@h@uJ$PhdzJ$QhTzJ$RQUC$RQh(zJ$U_B$VVVjgU0C$if not GetKeyState("%s")$jjj${Blind}%s%s{%s DownR}${Blind}{%s Up}${RCtrl up}
API String ID: 0-3133094735
Opcode ID: 5d0592b49ed5bf5a4cea8630f20316b52dcf55d223470bc146f1705642b559b4
Instruction ID: 9f6ab86343d5349b545780647feca12cbe3b15fba69d940df38b80b20c01b4ff
Opcode Fuzzy Hash: 5d0592b49ed5bf5a4cea8630f20316b52dcf55d223470bc146f1705642b559b4
Instruction Fuzzy Hash: 9791C57050C340AAD730DB258C81BEBBBE5AB95308F144A1FF98956282E77C9985C79B

Function 00417E89 Relevance: 31.7, APIs: 2, Strings: 16, Instructions: 245COMMON

Download Yara Rule

Strings

%s up::, xrefs: 00418DC8
{RCtrl up}, xrefs: 00418D6C, 00418D88
8L$7j, xrefs: 00418E3F
#CommentFlag, xrefs: 0041725C
U_B, xrefs: 00418E8B
RQUC, xrefs: 00418D03
RQh(zJ, xrefs: 00418D87
{Blind}%s%s{%s DownR}, xrefs: 00418D89
VVVjgU0C, xrefs: 00418DB5
QhTzJ, xrefs: 00418DC7
%s::, xrefs: 00418CB5
@h@uJ, xrefs: 0041725B
jjj, xrefs: 00418E83
if not GetKeyState("%s"), xrefs: 00418D1A
{Blind}{%s Up}, xrefs: 00418E64
PhdzJ, xrefs: 00418E63

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: #CommentFlag$%s up::$%s::$8L$7j$@h@uJ$PhdzJ$QhTzJ$RQUC$RQh(zJ$U_B$VVVjgU0C$if not GetKeyState("%s")$jjj${Blind}%s%s{%s DownR}${Blind}{%s Up}${RCtrl up}
API String ID: 0-3133094735
Opcode ID: b2aef3fabb4ea0ecdfb7354dbf273fe89365c370e6b6e230d54375a232eb0154
Instruction ID: 98df58378b6ccabfa6df9cd5c606697006b919acdc29393ecbbd8668d04efcff
Opcode Fuzzy Hash: b2aef3fabb4ea0ecdfb7354dbf273fe89365c370e6b6e230d54375a232eb0154
Instruction Fuzzy Hash: A391C57050C340AAD730DB158C81BEFBBE5BB95308F044A1FF98956281E7BC9A85C79B

Function 00417F79 Relevance: 31.7, APIs: 2, Strings: 16, Instructions: 245COMMON

Download Yara Rule

Strings

%s up::, xrefs: 00418DC8
{RCtrl up}, xrefs: 00418D6C, 00418D88
8L$7j, xrefs: 00418E3F
#CommentFlag, xrefs: 0041725C
U_B, xrefs: 00418E8B
RQUC, xrefs: 00418D03
RQh(zJ, xrefs: 00418D87
{Blind}%s%s{%s DownR}, xrefs: 00418D89
VVVjgU0C, xrefs: 00418DB5
QhTzJ, xrefs: 00418DC7
%s::, xrefs: 00418CB5
@h@uJ, xrefs: 0041725B
jjj, xrefs: 00418E83
if not GetKeyState("%s"), xrefs: 00418D1A
{Blind}{%s Up}, xrefs: 00418E64
PhdzJ, xrefs: 00418E63

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: #CommentFlag$%s up::$%s::$8L$7j$@h@uJ$PhdzJ$QhTzJ$RQUC$RQh(zJ$U_B$VVVjgU0C$if not GetKeyState("%s")$jjj${Blind}%s%s{%s DownR}${Blind}{%s Up}${RCtrl up}
API String ID: 0-3133094735
Opcode ID: 0ecdafadeb6e890d18534bf61b00b86f070050ac9bd058276c06745550d1c6c8
Instruction ID: 7039620e9154d78382589d3c16c4627863d17b4fe39edcbb0498f893b0a503c6
Opcode Fuzzy Hash: 0ecdafadeb6e890d18534bf61b00b86f070050ac9bd058276c06745550d1c6c8
Instruction Fuzzy Hash: D991C57050C340AAD730DB158C81BEFBBE5BB95708F044A1FF98956281E77C9A85C79B

Function 00415145 Relevance: 31.6, APIs: 10, Strings: 8, Instructions: 109COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 004151B8
__wcsicoll.LIBCMT ref: 004151D0

Strings

YES, xrefs: 004151B2
CONTINUE, xrefs: 0041525A
IGNORE, xrefs: 0041522A
ABORT, xrefs: 00415212
Timeout, xrefs: 0041528A
CANCEL, xrefs: 004151FA
TRYAGAIN, xrefs: 00415272
RETRY, xrefs: 00415242

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __wcsicoll
String ID: ABORT$CANCEL$CONTINUE$IGNORE$RETRY$TRYAGAIN$Timeout$YES
API String ID: 3832890014-2481266411
Opcode ID: 1606a0465edefb23138e74e08145d1dcf461a6c23cc8207651ea4eab9d602deb
Instruction ID: 4ef4746d7623dea02e5f5548a088ccd578ba0102cd7f1b6651b906707c4f1643
Opcode Fuzzy Hash: 1606a0465edefb23138e74e08145d1dcf461a6c23cc8207651ea4eab9d602deb
Instruction Fuzzy Hash: E2217FE7E45A10A2DB3120AADC277CF22549BB274AFCB44A6FC14C53C1F79CC641419E

Function 00465E70 Relevance: 30.2, APIs: 15, Strings: 2, Instructions: 438windowCOMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 00465E8C
SendMessageW.USER32(00000001,00000472,00000000,00000000), ref: 00465EC6
SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00465F1B
SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00465F37
SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00465F4F
SendMessageW.USER32(?,00000408,00000000,00000000), ref: 00465F85
SendMessageW.USER32(?,00001001,00000000,00000030), ref: 00465FB4
GetWindowLongW.USER32(?,000000F0), ref: 00466001
SendMessageW.USER32(?,00001005,00000000,00000029), ref: 0046601A
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 004660A7
__wcsicoll.LIBCMT ref: 004660D6

Strings

Text, xrefs: 004660D0
Submit, xrefs: 00465E84

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessageSend$__wcsicoll$LongWindow
String ID: Submit$Text
API String ID: 4045105239-2749448349
Opcode ID: dbef05369f8632e3da9aa748d9432f4d6a9be649fe733933dc08647be2cd7d21
Instruction ID: 8545eb14abcb01ed10bc1c945d208ce2a2e1fe72f8fb45bcf0a842bf7d5841e0
Opcode Fuzzy Hash: dbef05369f8632e3da9aa748d9432f4d6a9be649fe733933dc08647be2cd7d21
Instruction Fuzzy Hash: FBD177317043406BE720EB39DC81F67B794AB41719F10866FF980AB2C1E769EC0587AE

Function 00408B70 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 169threadsleepsynchronizationCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00002000,00408E80,00000000,00000000,004C83F0), ref: 00408BCA
SetThreadPriority.KERNEL32(00000000,0000000F,?,00000000,00000000,00416D11,004CB680,?,?,00000000,004CB680,00416BD9,004CB680,0042EB7E), ref: 00408BE0
PostThreadMessageW.USER32(00000000,00000417,?,00000000), ref: 00408C04
Sleep.KERNEL32(0000000A,?,00000000,00000000,00416D11,004CB680,?,?,00000000,004CB680,00416BD9,004CB680,0042EB7E), ref: 00408C10
GetTickCount.KERNEL32 ref: 00408C27
PeekMessageW.USER32(?,00000000,00000417,00000417,00000001), ref: 00408C4A
CreateMutexW.KERNEL32(00000000,00000000,AHK Keybd), ref: 00408CC5
GetExitCodeThread.KERNEL32(00000000,?), ref: 00408CDA
GetTickCount.KERNEL32 ref: 00408CEA
Sleep.KERNEL32(00000000), ref: 00408CF7
CloseHandle.KERNEL32(00000000), ref: 00408D0F
CloseHandle.KERNEL32(00000000), ref: 00408D2F
CreateMutexW.KERNEL32(00000000,00000000,AHK Mouse), ref: 00408D54
CloseHandle.KERNEL32(00000000), ref: 00408D6B

Strings

AHK Keybd, xrefs: 00408CBC
Warning: The keyboard and/or mouse hook could not be activated; some parts of the script will not function., xrefs: 00408D8F
AHK Mouse, xrefs: 00408D4B

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Thread$CloseCreateHandle$CountMessageMutexSleepTick$CodeExitPeekPostPriority
String ID: AHK Keybd$AHK Mouse$Warning: The keyboard and/or mouse hook could not be activated; some parts of the script will not function.
API String ID: 493082617-3816831916
Opcode ID: 3bd6de20004faae8477686e44910dc1a73012024b8a434bdc737eed31a73c914
Instruction ID: 0343f43e6a66d9ff13f8978a718bdf5a10246bf3f4a9087bd3f62b95664e5f23
Opcode Fuzzy Hash: 3bd6de20004faae8477686e44910dc1a73012024b8a434bdc737eed31a73c914
Instruction Fuzzy Hash: 1A512670149340BAE7109B709E49B6B7FA46B52304F04457FF9C0A62D2CBBC9D45CB6D

Function 0040F190 Relevance: 28.8, APIs: 19, Instructions: 277keyboardwindowCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0040F1E8
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0040F20B
GetTickCount.KERNEL32 ref: 0040F235
GetAsyncKeyState.USER32(000000A0), ref: 0040F294
GetAsyncKeyState.USER32(000000A1), ref: 0040F2A7
GetAsyncKeyState.USER32(000000A2), ref: 0040F2BB
GetAsyncKeyState.USER32(000000A3), ref: 0040F2CF
GetAsyncKeyState.USER32(000000A4), ref: 0040F2E3
GetAsyncKeyState.USER32(000000A5), ref: 0040F2F7
GetAsyncKeyState.USER32(0000005B), ref: 0040F308
GetAsyncKeyState.USER32(0000005C), ref: 0040F319
GetAsyncKeyState.USER32(000000A0), ref: 0040F42A
GetAsyncKeyState.USER32(000000A1), ref: 0040F43D
GetAsyncKeyState.USER32(000000A2), ref: 0040F451
GetAsyncKeyState.USER32(000000A3), ref: 0040F465
GetAsyncKeyState.USER32(000000A4), ref: 0040F479
GetAsyncKeyState.USER32(000000A5), ref: 0040F48D
GetAsyncKeyState.USER32(0000005B), ref: 0040F49E
GetAsyncKeyState.USER32(0000005C), ref: 0040F4AF

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AsyncState$CountTick$MessagePeek
String ID:
API String ID: 958976530-0
Opcode ID: 17d95b024d82edeb66fd0ad8e6685e753e44c3ece10960614a75f73a4fdde685
Instruction ID: 678b97c2816e21052bb4eb8decea27705799670bf23972517f9e43c9a5ed6496
Opcode Fuzzy Hash: 17d95b024d82edeb66fd0ad8e6685e753e44c3ece10960614a75f73a4fdde685
Instruction Fuzzy Hash: 449139352443846AF7609764CC51BFBBBA0AB91340F48547AEAC0677D2C6BC9C4DDB2A

Function 00450840 Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 155libraryloaderCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,?,75C0A660,?,?,00000000), ref: 00450860
OpenProcess.KERNEL32(00001000,00000000,?), ref: 0045086F
GetModuleBaseNameW.PSAPI(00000000,00000000,?,00000104), ref: 00450895
GetModuleFileNameExW.PSAPI(00000000,00000000,?,00000104), ref: 0045089D
GetModuleHandleW.KERNEL32(psapi,GetProcessImageFileNameW), ref: 004508BF
GetProcAddress.KERNEL32(00000000), ref: 004508C6
_wcsrchr.LIBCMT ref: 00450908
_memmove.LIBCMT ref: 00450937
CloseHandle.KERNEL32(00000000), ref: 00450940
QueryDosDeviceW.KERNEL32(?,?,00000104), ref: 00450974
CloseHandle.KERNEL32(00000000), ref: 004509B1

Strings

psapi, xrefs: 004508BA
GetProcessImageFileNameW, xrefs: 004508B5
:, xrefs: 00450958

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: HandleModule$CloseNameOpenProcess$AddressBaseDeviceFileProcQuery_memmove_wcsrchr
String ID: :$GetProcessImageFileNameW$psapi
API String ID: 2203553739-2600028567
Opcode ID: 3cf6d31783b5fc6c362f622b527dda91f9ebf45a3cf2ada9a7df6361e63bb5fb
Instruction ID: f6a143e5b10e2b56b06ed940719faa87f7d95aac9a1b3d6d0759d15964ae0490
Opcode Fuzzy Hash: 3cf6d31783b5fc6c362f622b527dda91f9ebf45a3cf2ada9a7df6361e63bb5fb
Instruction Fuzzy Hash: AB415F7A6003016BD7206B55EC8AFAF7BA8EF91315F44043EFD0582242E7799C0D83A9

Function 0045E2F0 Relevance: 27.2, APIs: 18, Instructions: 196windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000406,00000000,00000000), ref: 0045E343
SendMessageW.USER32(?,00000414,00000000,00000000), ref: 0045E35C
DestroyCursor.USER32(00000000), ref: 0045E363
IsWindow.USER32(00000000), ref: 0045E372
ShowWindow.USER32(00000000,00000000,?,004C9984,75295780,75C0FD10,00415CE1,?,?,?,?,?,00000000,00000000), ref: 0045E382
SetMenu.USER32(00000000,00000000), ref: 0045E38E
DestroyWindow.USER32(00000000,?,004C9984,75295780,75C0FD10,00415CE1,?,?,?,?,?,00000000,00000000), ref: 0045E3A8
DeleteObject.GDI32(?), ref: 0045E3EF
DeleteObject.GDI32(?), ref: 0045E403
DragFinish.SHELL32(?,?,004C9984,75295780,75C0FD10,00415CE1,?,?,?,?,?,00000000,00000000), ref: 0045E417
DestroyCursor.USER32(?), ref: 0045E44B
DeleteObject.GDI32(?), ref: 0045E453
_free.LIBCMT ref: 0045E463
DestroyCursor.USER32(?), ref: 0045E4CA
DestroyCursor.USER32(?), ref: 0045E4D1
DestroyAcceleratorTable.USER32(?), ref: 0045E4DB
_free.LIBCMT ref: 0045E4F4

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Destroy$Cursor$DeleteObjectWindow$MessageSend_free$AcceleratorDragFinishMenuShowTable
String ID:
API String ID: 3295956662-0
Opcode ID: 15914219919c3fc271030e3fc8bd32ed102c7a2421f719bb71ae49fa6f0676b1
Instruction ID: 4e482ea5853da6dcd444a14eb10b4efbb2b8a97f90b51c0869792c0c04dfdc23
Opcode Fuzzy Hash: 15914219919c3fc271030e3fc8bd32ed102c7a2421f719bb71ae49fa6f0676b1
Instruction Fuzzy Hash: CA618E75600205EFCB28DF26DC84B6B77A5BB45306F14852AED05D7342CB39EE49CB98

Function 004097F0 Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 72COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 00409808
__wcsicoll.LIBCMT ref: 00409820

Strings

AltTabMenuDismiss, xrefs: 00409862
AltTabAndMenu, xrefs: 0040984A
AltTabMenu, xrefs: 00409832
Toggle, xrefs: 004098B1
ShiftAltTab, xrefs: 0040981A
Off, xrefs: 00409899
AltTab, xrefs: 00409802

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __wcsicoll
String ID: AltTab$AltTabAndMenu$AltTabMenu$AltTabMenuDismiss$Off$ShiftAltTab$Toggle
API String ID: 3832890014-1651597821
Opcode ID: 75b1283d0419d2757959b657879ef046d9c92409f2dd960ca5630ba211dbcaf8
Instruction ID: 8244b7f9918e4db5c9bf00d2c9746af0de9e2e8f9fa1be847a5d7a10b79fdbcf
Opcode Fuzzy Hash: 75b1283d0419d2757959b657879ef046d9c92409f2dd960ca5630ba211dbcaf8
Instruction Fuzzy Hash: 30112A46E51A1122EB12316A5E0379F11485FA370AF8988BBFC04E53C3F3ADDE05869E

Function 00414F00 Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 71COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 00414F18
__wcsicoll.LIBCMT ref: 00414F30

Strings

Default, xrefs: 00414F8A
SendAndMouse, xrefs: 00414F72
Send, xrefs: 00414F42
MouseMove, xrefs: 00414FA2
MouseMoveOff, xrefs: 00414FBA
Off, xrefs: 00414F2A
Mouse, xrefs: 00414F5A

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __wcsicoll
String ID: Default$Mouse$MouseMove$MouseMoveOff$Off$Send$SendAndMouse
API String ID: 3832890014-1032860029
Opcode ID: 9a35aa658242e09508977fcc8168e11ced12ff1a6705abf2c29d74188ced1d36
Instruction ID: 65a95563969e18ba644eab45cba9cd65494905ede79e14142dda424a467cb934
Opcode Fuzzy Hash: 9a35aa658242e09508977fcc8168e11ced12ff1a6705abf2c29d74188ced1d36
Instruction Fuzzy Hash: 7A111B5AB4161122EA21312A5D03BDF20489BB2B4FFD5456AF814953C1F78CDA5682AE

Function 0041BD3D Relevance: 24.9, APIs: 5, Strings: 9, Instructions: 368COMMON

Download Yara Rule

APIs

Part of subcall function 0041CFF0: __wcsicoll.LIBCMT ref: 0041D004

Part of subcall function 0041D030: __wcsicoll.LIBCMT ref: 0041D044

_wcschr.LIBCMT ref: 0041BE0F
_wcschr.LIBCMT ref: 0041BE87
_wcschr.LIBCMT ref: 0041BE96
__wcsnicmp.LIBCMT ref: 0041BECE
_memset.LIBCMT ref: 0041C005

Strings

{, xrefs: 0041BF71
+, xrefs: 0041C4AF
jjjjjj, xrefs: 0041BFA3
jjj, xrefs: 0041BF5C
f;, xrefs: 0041C48A
new, xrefs: 0041BEC8
Invalid hotkey., xrefs: 0041BEF8
<>=/|^,:*&~!()[]{}+-?.", xrefs: 0041BE0A
This line does not contain a recognized action., xrefs: 0041BEFF, 0041BF09

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _wcschr$__wcsicoll$__wcsnicmp_memset
String ID: <>=/|^,:*&~!()[]{}+-?."$+$Invalid hotkey.$This line does not contain a recognized action.$f;$jjj$jjjjjj$new${
API String ID: 2998053517-785730939
Opcode ID: 051deeb598a264eb6263cf0b4725445e833a64bd77dfd4d80fb5aedfa8c5fc46
Instruction ID: 1bccd26137c71dd4d85cd5fcd6ee910d3ab475fc0be947cf7ab57f609bacf744
Opcode Fuzzy Hash: 051deeb598a264eb6263cf0b4725445e833a64bd77dfd4d80fb5aedfa8c5fc46
Instruction Fuzzy Hash: 19D103304483519ADB30AB14DC807FF77A1EB94304F54892FF8898B291E778A9C6C79E

Function 00422C70 Relevance: 24.8, APIs: 5, Strings: 9, Instructions: 283COMMON

Download Yara Rule

Strings

Parameter #2 must match an existing #If expression., xrefs: 0042322D
Win, xrefs: 0042300A
Parameter #1 invalid., xrefs: 00422D74
Parameter #3 must be blank in this case., xrefs: 0042320E
Target label does not exist., xrefs: 004231B1
Exist, xrefs: 00423050
Active, xrefs: 0042303A
Not, xrefs: 00423025
Cannot jump from inside a function to outside., xrefs: 004231D0

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: Active$Cannot jump from inside a function to outside.$Exist$Not$Parameter #1 invalid.$Parameter #2 must match an existing #If expression.$Parameter #3 must be blank in this case.$Target label does not exist.$Win
API String ID: 0-3185210005
Opcode ID: 8c9b2b4f9415f99bc5afd1717da7daf1f4a2e135d4e203911e5945011bad4820
Instruction ID: a7442a606026c86f753283fdc9e8bd6b5bc1d7e50670bbca61b0ace396aa5039
Opcode Fuzzy Hash: 8c9b2b4f9415f99bc5afd1717da7daf1f4a2e135d4e203911e5945011bad4820
Instruction Fuzzy Hash: E09128313003156BEF20EE21BA0177B73A0AF61756F94416BFC045B382E7ADDA59D3A9

Function 0041FB80 Relevance: 21.4, APIs: 1, Strings: 11, Instructions: 440COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 0041FDCE

Strings

Duplicate declaration., xrefs: 0041FF23
Unknown class var., xrefs: 0041FF00
this, xrefs: 0041FDA4, 0041FDBB
Declaration too long., xrefs: 0041FF62
__Init(), xrefs: 0041FFA1
Invalid class variable declaration., xrefs: 0041FEDD, 0041FF83
., xrefs: 0041FC48
%s.%.*s := %.*s, , xrefs: 0041FDC1
Out of memory., xrefs: 0041FF46
base.__Init(), xrefs: 0041FFFC
__Init, xrefs: 0041FE79

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __snwprintf
String ID: %s.%.*s := %.*s, $.$Declaration too long.$Duplicate declaration.$Invalid class variable declaration.$Out of memory.$Unknown class var.$__Init$__Init()$base.__Init()$this
API String ID: 2391506597-244636269
Opcode ID: 7da9623ff9922b0ee89f000f1868ef30be01b98952a1bec5917df219c89ee41a
Instruction ID: cceb24ad266b05013d17e3db8aa80351596c2fcd2cc4fdab4b9ae1efb2622e7e
Opcode Fuzzy Hash: 7da9623ff9922b0ee89f000f1868ef30be01b98952a1bec5917df219c89ee41a
Instruction Fuzzy Hash: EAE1C1716043008BD724CF16E880AABB7E1FB95310F54443FE98987391E7799C8ADB6A

Function 00451450 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 131libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(advapi32,?,?), ref: 00451464
GetProcAddress.KERNEL32(00000000,CreateProcessWithLogonW), ref: 00451499
FreeLibrary.KERNEL32(00000000,?,?), ref: 004514A8
_memset.LIBCMT ref: 004514DA
CloseHandle.KERNEL32(?), ref: 00451580
GetLastError.KERNEL32 ref: 004515A2
FreeLibrary.KERNEL32(00000000), ref: 004515AF

Strings

advapi32, xrefs: 0045145B
D, xrefs: 004514E7
CreateProcessWithLogonW., xrefs: 004514BB
RunAs: Missing advapi32.dll., xrefs: 0045147D
CreateProcessWithLogonW, xrefs: 00451493

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Library$Free$AddressCloseErrorHandleLastLoadProc_memset
String ID: CreateProcessWithLogonW$CreateProcessWithLogonW.$D$RunAs: Missing advapi32.dll.$advapi32
API String ID: 3715048715-4276146922
Opcode ID: 1e6d3707619064b05c36350986883b657f523eb9261464ab68fb3ee96fdb5ac7
Instruction ID: 7232bf4ff9f40dbd4949cef5ece41e82e43a138ca34f64742f54d80d75314a6a
Opcode Fuzzy Hash: 1e6d3707619064b05c36350986883b657f523eb9261464ab68fb3ee96fdb5ac7
Instruction Fuzzy Hash: 5B41AC32740301ABD7209E69D884B6B77E8EBC6752F14442AFD45DB3A1E778DC08CB69

Function 0041CED0 Relevance: 19.3, APIs: 1, Strings: 10, Instructions: 85COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 0041CFCC

Strings

&, xrefs: 0041CF27
., xrefs: 0041CF37
<, xrefs: 0041CEFF
:, xrefs: 0041CF07
(, xrefs: 0041CEF7
+, xrefs: 0041CF0F
*, xrefs: 0041CF17
!, xrefs: 0041CF1F
{, xrefs: 0041CF3F
This line does not contain a recognized action., xrefs: 0041CFAF

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _wcsncpy
String ID: !$&$($*$+$.$:$<$This line does not contain a recognized action.${
API String ID: 1735881322-2314704674
Opcode ID: ea3e92cccc73e1cb271484d1dccc09d8b612db110462140913ee80cf403bac0b
Instruction ID: ff8445d123711dd903c0236ec517eedc3710f0d684b610833c144dcdde74547d
Opcode Fuzzy Hash: ea3e92cccc73e1cb271484d1dccc09d8b612db110462140913ee80cf403bac0b
Instruction Fuzzy Hash: 5B21D4326483045BC3209F2A99857AFBBE5EB89354F04092FF98583381D779D989C79A

Function 0041697E Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 297windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00010474,?,02D600C4,00010000), ref: 004169C4
IsWindow.USER32(00010474), ref: 004169D0
DestroyWindow.USER32(00010474), ref: 004169E8
_wcsncpy.LIBCMT ref: 00416A62
SetCurrentDirectoryW.KERNEL32(C:\Users\user\Desktop), ref: 00416ABE

Part of subcall function 0041697E: IsWindow.USER32(00010474), ref: 00416CE9

Strings

C:\Users\user\Desktop, xrefs: 00416AB9
h(J, xrefs: 00416BA7
Critical Error: %sThe program will exit., xrefs: 00416996

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Window$CurrentDestroyDirectoryMessage_wcsncpy
String ID: C:\Users\user\Desktop$Critical Error: %sThe program will exit.$h(J
API String ID: 572885112-1231693009
Opcode ID: e1371becd5507da7771f5bb96351f13dde8502810520f1b1bc2649959f7e931d
Instruction ID: ff8bdff87613d4a99746dc1e284ce4516edd202d7e64e69f0ef75c87fe8eced0
Opcode Fuzzy Hash: e1371becd5507da7771f5bb96351f13dde8502810520f1b1bc2649959f7e931d
Instruction Fuzzy Hash: 4EB1C475608380AFD721DF24D884B9B7BE4EF85304F05846EE8898B352D739EC85CB99

Function 0040C5D0 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 233COMMON

Download Yara Rule

APIs

Part of subcall function 00474FC0: _vswprintf_s.LIBCMT ref: 00474FD9

__itow.LIBCMT ref: 0040C65A
__itow.LIBCMT ref: 0040C7E1
__itow.LIBCMT ref: 0040C811
CharUpperW.USER32(?), ref: 0040C829

Strings

OFF, xrefs: 0040C731, 0040C74D, 0040C85C
PART, xrefs: 0040C781
(no), xrefs: 0040C842
%i-%i, xrefs: 0040C7B6
TypeOff?LevelRunningName-------------------------------------------------------------------, xrefs: 0040C5DF
%s%s%s%s%s%s, xrefs: 0040C86A

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __itow$CharUpper_vswprintf_s
String ID: %i-%i$%s%s%s%s%s%s$(no)$OFF$PART$TypeOff?LevelRunningName-------------------------------------------------------------------
API String ID: 1983134979-1635122839
Opcode ID: 5e81182c43b16c78c3d29e3182613885061e7ee7bdaeb70a9a85ca5852e4bc95
Instruction ID: 5b6559241df80dade5367e84df04c7fa0899e757775964b7440aada1ef5f842f
Opcode Fuzzy Hash: 5e81182c43b16c78c3d29e3182613885061e7ee7bdaeb70a9a85ca5852e4bc95
Instruction Fuzzy Hash: C381B061604302DAD724AB2889C0B7B72E4EF95314F148A7FE886E72D1E33CD945CB5E

Function 0040DAC0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 52COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0040DAD0
__wcsicoll.LIBCMT ref: 0040DAE6
__wcsicoll.LIBCMT ref: 0040DAFC

Part of subcall function 0048E559: __wcsicmp_l.LIBCMT ref: 0048E5D9

__wcsicoll.LIBCMT ref: 0040DB12
__wcsicoll.LIBCMT ref: 0040DB28
__wcsicoll.LIBCMT ref: 0040DB3E
__wcsicoll.LIBCMT ref: 0040DB54
__wcsicoll.LIBCMT ref: 0040DB6C

Strings

LEFT, xrefs: 0040DACA
MIDDLE, xrefs: 0040DB22
RIGHT, xrefs: 0040DAF6

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __wcsicoll$__wcsicmp_l
String ID: LEFT$MIDDLE$RIGHT
API String ID: 3172861507-2526147550
Opcode ID: ab986c1e74efe1ca70174d92625c2cead7616409912a23aadc5b6c0d26a70239
Instruction ID: 88b626024d511dc7791950dfb02e00abc8424cdb40a48bcf3c3cb1a21d08616a
Opcode Fuzzy Hash: ab986c1e74efe1ca70174d92625c2cead7616409912a23aadc5b6c0d26a70239
Instruction Fuzzy Hash: 7CF07441E96A1531EA2531B75F03B5F10895E3274BF1A043BB824F02C6FADDE619C1BE

Function 00414FE0 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 50COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 00414FE9
__wcsicoll.LIBCMT ref: 00415002

Strings

ThenEvent, xrefs: 0041502C
Event, xrefs: 00414FFC
Input, xrefs: 00415012
Play, xrefs: 00414FE3
ThenPlay, xrefs: 0041503E

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __wcsicoll
String ID: Event$Input$Play$ThenEvent$ThenPlay
API String ID: 3832890014-2317936873
Opcode ID: a71caf467991a042f72ac4936ec1013690243ef9ffa5cdca54111d0f1e7e2115
Instruction ID: 5767100b6159477bd56551330f75fef67d6af3bc27923451b03da38c8d70b2cc
Opcode Fuzzy Hash: a71caf467991a042f72ac4936ec1013690243ef9ffa5cdca54111d0f1e7e2115
Instruction Fuzzy Hash: F1F09662A58A2162DA30316E3C02BDF12884FA635AF06446BFC4495381F28DDEC251EE

Function 00415370 Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 44COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 00415380
__wcsicoll.LIBCMT ref: 00415393

Strings

Pixel, xrefs: 0041537A
Menu, xrefs: 004153D5
ToolTip, xrefs: 004153A5
Mouse, xrefs: 0041538D
Caret, xrefs: 004153BD

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __wcsicoll
String ID: Caret$Menu$Mouse$Pixel$ToolTip
API String ID: 3832890014-3728172800
Opcode ID: 3d84af40a28c2131eef0298cfb7eeee17b50e94b52e9f17a8b17a8c83d6da75e
Instruction ID: 825e044cc3f51bdd21075c8cddfdd5895910fc53f0a4d3e9dcca2cc1eb8164a6
Opcode Fuzzy Hash: 3d84af40a28c2131eef0298cfb7eeee17b50e94b52e9f17a8b17a8c83d6da75e
Instruction Fuzzy Hash: 48F05461B45A1562EF21311F5C027DF20885FA2B8EF94443BBC24D23C1F7CC9A85829E

Function 00414920 Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 41COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 00414926
__wcsicoll.LIBCMT ref: 0041493E

Strings

REG_SZ, xrefs: 00414920
REG_DWORD, xrefs: 00414968
REG_BINARY, xrefs: 00414980
REG_EXPAND_SZ, xrefs: 00414938
REG_MULTI_SZ, xrefs: 00414950

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __wcsicoll
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_SZ
API String ID: 3832890014-2346799943
Opcode ID: 1971a59a6f560dec87ec26fbea2cdeec11d474524aa28fcfb70a903475b41d9b
Instruction ID: 1e440eca0961130b260a0fc360d4006edc23de6d070c69021ec3eb48cfda9fbf
Opcode Fuzzy Hash: 1971a59a6f560dec87ec26fbea2cdeec11d474524aa28fcfb70a903475b41d9b
Instruction Fuzzy Hash: 94F01C96B5161122DE11317E9C03BCF20481BB2B4EFDA456AF824D43C1F68D964582AE

Function 004067E0 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 359windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00406966
FindWindowW.USER32(#32771,00000000), ref: 00406980
_memset.LIBCMT ref: 00406AFD
FindWindowW.USER32(#32771,00000000), ref: 00406B17

Part of subcall function 004066B0: PostMessageW.USER32(00010474,00000400,?,?), ref: 0040677B
Part of subcall function 004066B0: PostMessageW.USER32(00010474,00000400,00000000,?), ref: 004067AF
Part of subcall function 004066B0: PostMessageW.USER32(00010474,00000401,?,?), ref: 004067CE

CallNextHookEx.USER32(?,?,?,?), ref: 00406C5E
PostMessageW.USER32(00010474,00000400,?,?), ref: 00406C8A
PostMessageW.USER32(00010474,00000400,?,?), ref: 00406CC2
PostMessageW.USER32(00010474,00000401,7FFFFFFF,?), ref: 00406CE0

Strings

#32771, xrefs: 0040696F, 00406B06

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessagePost$FindWindow_memset$CallHookNext
String ID: #32771
API String ID: 2256871161-1822717788
Opcode ID: 1b61aef4875ed0b44f1c123ba81d7bcd4022f5152c4ba9108ad1d92a8ca8fa75
Instruction ID: db5b597440e8629846a541949411865f5a1f66555ff12f0bb9011c2da1324c66
Opcode Fuzzy Hash: 1b61aef4875ed0b44f1c123ba81d7bcd4022f5152c4ba9108ad1d92a8ca8fa75
Instruction Fuzzy Hash: C6D159B15042D5AFD755CF28AC50DA73FA4AB55300F0A807EE885A33E2E7388C65CB6D

Function 0040405C Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 130clipboardCOMMON

Download Yara Rule

APIs

IsClipboardFormatAvailable.USER32(0000000D), ref: 00404069
IsClipboardFormatAvailable.USER32(0000000F), ref: 0040406F
GlobalUnlock.KERNEL32 ref: 004040E1
CloseClipboard.USER32 ref: 004040ED

Strings

Can't open clipboard for reading., xrefs: 0040409E
GlobalLock, xrefs: 00404117

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Clipboard$AvailableFormat$CloseGlobalUnlock
String ID: Can't open clipboard for reading.$GlobalLock
API String ID: 2237871793-2469064134
Opcode ID: eaf8b136073635c180834e7dc756c3b7e2cc3f79ba946f5eeaa381988cb0f440
Instruction ID: 2697e1f27b01395992a40d8142d233a661ba1cbbe5f151cd56d286fd4c57d795
Opcode Fuzzy Hash: eaf8b136073635c180834e7dc756c3b7e2cc3f79ba946f5eeaa381988cb0f440
Instruction Fuzzy Hash: 7D31C0F76002145BC6606FAABC8496A7750E7D5332329073BE618E72D1DB3A88858F5C

Function 00418E29 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 129COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00417270

Strings

@h@uJ, xrefs: 0041725B
jjj, xrefs: 00418E83
8L$7j, xrefs: 00418E3F
#CommentFlag, xrefs: 0041725C
{Blind}{%s Up}, xrefs: 00418E64
U_B, xrefs: 00418E8B
PhdzJ, xrefs: 00418E63

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __wcsnicmp
String ID: #CommentFlag$8L$7j$@h@uJ$PhdzJ$U_B$jjj${Blind}{%s Up}
API String ID: 1038674560-1807711314
Opcode ID: f84f9b042091e5285dfe5222e976d392994398cd53302331ae747b19e40aafd3
Instruction ID: 46aff4331718307de7571a79cc5c9d00697843b2840c3672b2e12da970ba90ec
Opcode Fuzzy Hash: f84f9b042091e5285dfe5222e976d392994398cd53302331ae747b19e40aafd3
Instruction Fuzzy Hash: 8E41D27054C340ABD720DB148841BABB7E4BB94708F144A1FFD9957282E77C9A85C79B

Function 00415530 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 68COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0041554B
__wcsicoll.LIBCMT ref: 00415564

Strings

UTF-16-RAW, xrefs: 00415590
UTF-16, xrefs: 00415577
UTF-8, xrefs: 00415545
UTF-8-RAW, xrefs: 0041555E

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __wcsicoll
String ID: UTF-16$UTF-16-RAW$UTF-8$UTF-8-RAW
API String ID: 3832890014-2787617770
Opcode ID: 53ca5d9494ee2e226ea3c9310f958d08f961b8a6f2ea70d43671d8a42b8869f2
Instruction ID: c9140faefcaa6d2b192469ff52bf28a745eb57966530b15fcae4591f978cf5c5
Opcode Fuzzy Hash: 53ca5d9494ee2e226ea3c9310f958d08f961b8a6f2ea70d43671d8a42b8869f2
Instruction Fuzzy Hash: 5F018853A5592176EA61302E3C02BEB118B0FA132EF1544A7FC14D9389F74DCDC151EE

Function 00475630 Relevance: 15.1, APIs: 10, Instructions: 126COMMON

Download Yara Rule

APIs

CharLowerW.USER32(?,?,?,?,?,?,?,?,?,000000FF,00000000,?,004CB614,?,?,00000000), ref: 00475647
CharUpperW.USER32(?,?,?,?,?,000000FF,00000000,?,004CB614,?,?,00000000,00000000,00000000,00000001), ref: 00475662
CharLowerW.USER32(?,?,?,?,?,?,000000FF,00000000,?,004CB614,?,?,00000000,00000000,00000000,00000001), ref: 0047568E
CharUpperW.USER32(?,?,?,?,?,?,000000FF,00000000,?,004CB614,?,?,00000000,00000000,00000000,00000001), ref: 004756A3
CharLowerW.USER32(?,?,?,?,?,?,000000FF,00000000,?,004CB614,?,?,00000000,00000000,00000000,00000001), ref: 004756DD
CharLowerW.USER32(00000000,?,?,?,?,?,?,000000FF,00000000,?,004CB614,?,?,00000000,00000000,00000000), ref: 004756EA
CharLowerW.USER32(?,?,?,?,?,?,?,?,000000FF,00000000,?,004CB614,?,?,00000000,00000000), ref: 00475704
CharLowerW.USER32(0000000C,?,?,?,?,?,?,?,000000FF,00000000,?,004CB614,?,?,00000000,00000000), ref: 00475712
CharLowerW.USER32(0000000C,?,?,?,?,?,?,?,000000FF,00000000,?,004CB614,?,?,00000000,00000000), ref: 0047572E
CharLowerW.USER32(00000000,?,?,?,?,?,?,?,000000FF,00000000,?,004CB614,?,?,00000000,00000000), ref: 0047573B

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Char$Lower$Upper
String ID:
API String ID: 3371602591-0
Opcode ID: 5f618f50fca21607c8b2137a2cc0f77c0037d4342607de38db727db0a982f59d
Instruction ID: 434089f71da02617a085b355f41240ba700e52b558d672bd20236b9d8e054b61
Opcode Fuzzy Hash: 5f618f50fca21607c8b2137a2cc0f77c0037d4342607de38db727db0a982f59d
Instruction Fuzzy Hash: 1741B4655006319BDB249F569C8057BB7E8AE84712F45881BFC89CA340E77CEC44DB79

Function 00448CE0 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 315COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(004C83D8), ref: 00448D07
RtlLeaveCriticalSection.NTDLL(004C83D8), ref: 00448E6C
RtlLeaveCriticalSection.NTDLL(004C83D8), ref: 0044901C
_free.LIBCMT ref: 00449067
__wcsdup.LIBCMT ref: 00449091
RtlLeaveCriticalSection.NTDLL(004C83D8), ref: 004490D4

Strings

0, xrefs: 00448FB5
Compile error %d at offset %d: %hs, xrefs: 00448F9D

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CriticalSection$Leave$Enter__wcsdup_free
String ID: 0$Compile error %d at offset %d: %hs
API String ID: 2407865940-2351679343
Opcode ID: dd5f427df0049069a438dc7c6b393097bcf88615e132322635e6b6cf0484a6b7
Instruction ID: 930b76c191684513acaf86c92ecf0f1c086c6e117fb64f04bef9109d32b72422
Opcode Fuzzy Hash: dd5f427df0049069a438dc7c6b393097bcf88615e132322635e6b6cf0484a6b7
Instruction Fuzzy Hash: 60C1DEB1A14201CBE710DF28D880B6B73A1FB95354F144A6FE855C7390DB79ED45CB8A

Function 00490341 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0049035B

Part of subcall function 0048E5E4: __FF_MSGBANNER.LIBCMT ref: 0048E5FD
Part of subcall function 0048E5E4: __NMSG_WRITE.LIBCMT ref: 0048E604
Part of subcall function 0048E5E4: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 0048E629

std::exception::exception.LIBCMT ref: 00490390
std::exception::exception.LIBCMT ref: 004903AA
__CxxThrowException@8.LIBCMT ref: 004903BB
_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004903D1
__isleadbyte_l.LIBCMT ref: 00490456

Part of subcall function 0048FE60: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0048FE6E

___crtLCMapStringA.LIBCMT ref: 004904A3

Strings

bad allocation, xrefs: 00490389

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Locale$UpdateUpdate::_std::exception::exception$AllocateException@8HeapStringThrow___crt__isleadbyte_l_malloc
String ID: bad allocation
API String ID: 914803512-2104205924
Opcode ID: 64427579cb39a93acecfc3c0233e4b8236428787aa1c71189280990ccf6a93fc
Instruction ID: 908601e70d8355069aac75cd3638733d7d6cda323c44587b13fe550ed1c67e71
Opcode Fuzzy Hash: 64427579cb39a93acecfc3c0233e4b8236428787aa1c71189280990ccf6a93fc
Instruction Fuzzy Hash: C541F631904209AFDF11DB95C846FEE7FB4AB01308F1440BAF6549B292D778DA45CB59

Function 004135A1 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 86libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,RtlGetVersion), ref: 004135BA
GetProcAddress.KERNEL32(00000000), ref: 004135C1
GetVersionExW.KERNEL32(004CC1C8), ref: 004135ED
__snwprintf.LIBCMT ref: 00413624

Strings

ntdll.dll, xrefs: 004135B5
RtlGetVersion, xrefs: 004135B0
10.0.19045, xrefs: 0041360E
%u.%u.%u, xrefs: 00413607

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AddressHandleModuleProcVersion__snwprintf
String ID: %u.%u.%u$10.0.19045$RtlGetVersion$ntdll.dll
API String ID: 3388246157-3673595452
Opcode ID: 0da8d2956fa97ca1708fcd1dc876d012a44a0b13b0be29a59da4c093dba4654b
Instruction ID: e8cc299db4483c1455bac73b08025263cfd3b9bca24d6ae4c7a2afb28490f39c
Opcode Fuzzy Hash: 0da8d2956fa97ca1708fcd1dc876d012a44a0b13b0be29a59da4c093dba4654b
Instruction Fuzzy Hash: 70316171504380AEDBA0CFA4BCC5FA53B91A319306F54847BE40DC6372C36949869B1E

Function 00415300 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 36COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 00415310
__wcsicoll.LIBCMT ref: 00415322
__wcsicoll.LIBCMT ref: 00415334

Part of subcall function 0048E559: __wcsicmp_l.LIBCMT ref: 0048E5D9

__wcsicoll.LIBCMT ref: 00415346

Strings

Screen, xrefs: 0041530A
Window, xrefs: 0041532E
Client, xrefs: 00415340
Relative, xrefs: 0041531C

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __wcsicoll$__wcsicmp_l
String ID: Client$Relative$Screen$Window
API String ID: 3172861507-2312238187
Opcode ID: e2a4edf3c6aa74a1559075117603c9020029c8ce2a88a4f2168260c1d925f52f
Instruction ID: 7fbcb845be007ae7e561c96b738864855f40fdfebeac8a4e5b7e8dda46489857
Opcode Fuzzy Hash: e2a4edf3c6aa74a1559075117603c9020029c8ce2a88a4f2168260c1d925f52f
Instruction Fuzzy Hash: A1E0C061A41A1562DF3135274D027DF11845FA2786F9D047BBC24A2381F6CDCA8591AD

Function 0040DCD0 Relevance: 13.7, APIs: 9, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f822eb8a27b91fbd7d0ec8cdd5d0534b021af515708bd733caff7dc3aac58c42
Instruction ID: ad0f79891542a75db5d7deb29347dc39e2bff24aef783697542e4831415086d9
Opcode Fuzzy Hash: f822eb8a27b91fbd7d0ec8cdd5d0534b021af515708bd733caff7dc3aac58c42
Instruction Fuzzy Hash: 16811370A443558EE754CF68D850BA7BBA0EF55340F49807FD9805B3E1EB799808CBAE

Function 0046A010 Relevance: 13.6, APIs: 9, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000019F,00000000,00000000), ref: 0046A04A
SendMessageW.USER32(?,00000198,00000000,80000000), ref: 0046A063
SendMessageW.USER32(00000000,0000100C,000000FF,00000001), ref: 0046A079
SendMessageW.USER32(?,0000100E,00000000,80000000), ref: 0046A096
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 0046A0AC
SendMessageW.USER32(?,00001104,00000001,80000000), ref: 0046A0C5
SendMessageW.USER32(?,00000419,00000000,80000000), ref: 0046A0D8
GetWindowRect.USER32(?,80000000), ref: 0046A0F0
MapWindowPoints.USER32(?,00000000,00000002,00000002), ref: 0046A104

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessageSend$Window$PointsRect
String ID:
API String ID: 467674420-0
Opcode ID: eb22feae2a1becd22f2240dd078c2a58f57d95b8adca5b2d0767c6ff48e14292
Instruction ID: 0b9ef4317ac157e99500a880b0b2815499617cc97aaa45168541d238a87aa301
Opcode Fuzzy Hash: eb22feae2a1becd22f2240dd078c2a58f57d95b8adca5b2d0767c6ff48e14292
Instruction Fuzzy Hash: 5B31A275144305BFD324DF28CC85F66BBA8EF85710F208A1EF294A72D4E6B4E8458F56

Function 00410330 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 192COMMON

Download Yara Rule

APIs

__fassign.LIBCMT ref: 004103F5
__fassign.LIBCMT ref: 00410442
__fassign.LIBCMT ref: 0041047D
__fassign.LIBCMT ref: 004104B2
__fassign.LIBCMT ref: 004104E7
__fassign.LIBCMT ref: 0041039C

Part of subcall function 0048F7F6: __fassign.LIBCMT ref: 0048F7EC

Strings

W, xrefs: 0041036E

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __fassign
String ID: W
API String ID: 3965848254-655174618
Opcode ID: bdc62b387c8a4ed71cb6132f66f275034b284cf609e09fef1a71e34a991cb2d4
Instruction ID: 98467bab6938b9cb7b8b858651425626cdb93c19329a4e1a31e9152d99ddd08a
Opcode Fuzzy Hash: bdc62b387c8a4ed71cb6132f66f275034b284cf609e09fef1a71e34a991cb2d4
Instruction Fuzzy Hash: CC51F4719083446BD210AB159C417AF77916B44704F18482EFE85673C2E3BC9EC987AF

Function 0042EED0 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 183COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0042EFF9
_free.LIBCMT ref: 0042F0CE

Strings

File, xrefs: 0042EFC7
Message, xrefs: 0042EF62
Line, xrefs: 0042EFA7
Extra, xrefs: 0042EF83
Unhandled exception., xrefs: 0042F05E

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __wcsicoll_free
String ID: Extra$File$Line$Message$Unhandled exception.
API String ID: 654844999-2326927146
Opcode ID: 13542eee2a519d81a26ec7b9a2e2e2a56aeddede67921ed0c93282b4b89c1495
Instruction ID: 290aaac7ecc1ecf74ac2e57ba4e3ad10d93bda6b7ab414b8719e66229eb430a2
Opcode Fuzzy Hash: 13542eee2a519d81a26ec7b9a2e2e2a56aeddede67921ed0c93282b4b89c1495
Instruction Fuzzy Hash: CC61CF707042509BD720EF25E881B6BB3E0AF44708F85047EF9459B392E779ED49CB9A

Function 004105A0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 164libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32,BlockInput), ref: 0041069C
GetProcAddress.KERNEL32(00000000), ref: 004106A3
_free.LIBCMT ref: 004107A3
GetModuleHandleW.KERNEL32(user32,BlockInput), ref: 004107EA
GetProcAddress.KERNEL32(00000000), ref: 004107F1

Strings

BlockInput, xrefs: 00410692, 004107E0
user32, xrefs: 00410697, 004107E5

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AddressHandleModuleProc$_free
String ID: BlockInput$user32
API String ID: 3300373232-2744593370
Opcode ID: 97437cc6d7a812709a7108f97c36a6c459428b5b57a8e19e8d390ca2422b1d77
Instruction ID: e0ccbc9f6f46ca03d63a22985bb9806024d325cc1a1f24750a24b15c87d7f281
Opcode Fuzzy Hash: 97437cc6d7a812709a7108f97c36a6c459428b5b57a8e19e8d390ca2422b1d77
Instruction Fuzzy Hash: D251C6B05083459BD764DB68ED85FEB3BE4AB55308F04042EE449C63A1E7BD68C4CB6E

Function 00479190 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,0040993F,004C8138,004A2868,00000000,00000000,00000000,00000000), ref: 004791D1
IsWindowVisible.USER32(00000000), ref: 004791E6

Part of subcall function 00479E60: __wcsnicmp.LIBCMT ref: 00479F24
Part of subcall function 00479E60: __wcstoui64.LIBCMT ref: 00479FA3

IsWindow.USER32(h(J), ref: 004792DD
IsWindowVisible.USER32(h(J), ref: 004792F7
GetWindowLongW.USER32(h(J,000000F0), ref: 0047930B
EnumWindows.USER32(00479400,00000002), ref: 0047935D

Strings

h(J, xrefs: 004792CE, 00479318, 004792EF, 00479301, 004792DC, 004792F6, 0047930A

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Window$Visible$EnumForegroundLongWindows__wcsnicmp__wcstoui64
String ID: h(J
API String ID: 256079111-1926317486
Opcode ID: 8372e5fe9ffb59ec9d6f1a0c2255c5cb35508859f7abf82b63a228f8f623d0b2
Instruction ID: e1d6c57361b6b35bad80fe49a51cc315a9d31e845045a9c2ad672098b620f0ff
Opcode Fuzzy Hash: 8372e5fe9ffb59ec9d6f1a0c2255c5cb35508859f7abf82b63a228f8f623d0b2
Instruction Fuzzy Hash: 7A5184715443859AD730AFA588845EFB7E4FB8A310F44C96FD98C83341DB388D44CB5A

Function 00414E80 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 00414E90
__wcsicoll.LIBCMT ref: 00414EA8

Strings

Permit, xrefs: 00414ED2
Toggle, xrefs: 00414EBA
Off, xrefs: 00414EA2

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __wcsicoll
String ID: Off$Permit$Toggle
API String ID: 3832890014-3346518450
Opcode ID: a39b79ec6661261ea0bf06ac198c9de98f2922ff782424500410dad90a1a9ea6
Instruction ID: 718048015fa9d3c42870beb7ce6b4272f45cd5199c2377c0753b08a3645a9edf
Opcode Fuzzy Hash: a39b79ec6661261ea0bf06ac198c9de98f2922ff782424500410dad90a1a9ea6
Instruction Fuzzy Hash: 13F03016A41A1122DF21722E9D037DF20456BA2B0AFD945ABFC14E53C2F38C9A9481EE

Function 0040F650 Relevance: 12.1, APIs: 8, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58f8d14f95e1cde6a18cc26c9583691a8c6474c946d0d9054ad784ce3b9667c9
Instruction ID: 6c8c29f90efb2d3fa3e706fd410d54596b94d096ad13d0aab54b0ed7465d0da0
Opcode Fuzzy Hash: 58f8d14f95e1cde6a18cc26c9583691a8c6474c946d0d9054ad784ce3b9667c9
Instruction Fuzzy Hash: 2931642639139439F73467208C13FF72B108B41B40F18943BA6C02B6C2DAAC5C4ADB7E

Function 00411F60 Relevance: 12.1, APIs: 8, Instructions: 77keyboardCOMMON

Download Yara Rule

APIs

GetAsyncKeyState.USER32(000000A0), ref: 00411F85
GetAsyncKeyState.USER32(000000A1), ref: 00411F98
GetAsyncKeyState.USER32(000000A2), ref: 00411FAC
GetAsyncKeyState.USER32(000000A3), ref: 00411FC0
GetAsyncKeyState.USER32(000000A4), ref: 00411FD4
GetAsyncKeyState.USER32(000000A5), ref: 00411FE8
GetAsyncKeyState.USER32(0000005B), ref: 00411FF9
GetAsyncKeyState.USER32(0000005C), ref: 0041200A

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AsyncState
String ID:
API String ID: 425341421-0
Opcode ID: 36f839e8a7cb0bf2915d48d6697862b81f9de39927d87465599e9836e1ef5a8d
Instruction ID: 6d093c2417f7701e0cd5e26cb692ffdc89f86409d9f39a2be7723610ef5fa323
Opcode Fuzzy Hash: 36f839e8a7cb0bf2915d48d6697862b81f9de39927d87465599e9836e1ef5a8d
Instruction Fuzzy Hash: E821D23579179839FB6153249E16BE72F519746340F08A02797C0472E24A9C4D8ADF2E

Function 0041B8F6 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 266COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0041C005

Strings

{, xrefs: 0041BF71
+, xrefs: 0041C4AF
jjjjjj, xrefs: 0041BFA3
jjj, xrefs: 0041BF5C
f;, xrefs: 0041C48A

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _memset
String ID: +$f;$jjj$jjjjjj${
API String ID: 2102423945-2092782106
Opcode ID: 8591ba4d4534c8114856838d7693ff64addb3454dfb3421360211ace6b8c6f1e
Instruction ID: e584671669b7ff83cf5a2cd89a2dc1ae287febc4357a55dad9ab816a0b386b6d
Opcode Fuzzy Hash: 8591ba4d4534c8114856838d7693ff64addb3454dfb3421360211ace6b8c6f1e
Instruction Fuzzy Hash: B1A1E1704883519ADB249F14DCC07FF77A2BB84304F548A2FE88987291E778A9C5C79A

Function 0041A7D0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 228timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(00010474,00000009,0000000A,00000000), ref: 0041A907
KillTimer.USER32(00010474,00000009), ref: 0041A950
__wcstoi64.LIBCMT ref: 0041A9D4
__fassign.LIBCMT ref: 0041AA61
GetTickCount.KERNEL32 ref: 0041AA85

Part of subcall function 0048F7F6: __fassign.LIBCMT ref: 0048F7EC

Strings

Out of memory., xrefs: 0041A878

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Timer__fassign$CountKillTick__wcstoi64
String ID: Out of memory.
API String ID: 925375575-4087320997
Opcode ID: 91e5336781d648232a2b35ea4d22ea066ee71c14ceccb2b6ba9f1a4025183f56
Instruction ID: dd5314d01d76d51c6b5265c663f6748cd759b4615b4bbae570d8a437c9edbf03
Opcode Fuzzy Hash: 91e5336781d648232a2b35ea4d22ea066ee71c14ceccb2b6ba9f1a4025183f56
Instruction Fuzzy Hash: 568105F1A063409BDB349F2488857B77BA0AF15710F18496FE88A47691E37C89E4C79B

Function 004216C0 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 177COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 0042171B
_wcsrchr.LIBCMT ref: 004217DB
_memmove.LIBCMT ref: 004218A9

Strings

Invalid method name., xrefs: 004217E8
Out of memory., xrefs: 004217BA
Function name too long., xrefs: 004216FA

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _memmove_wcsncpy_wcsrchr
String ID: Function name too long.$Invalid method name.$Out of memory.
API String ID: 893447047-2619123988
Opcode ID: c561dc040d2535438362c3d40c102d15a08dd44f8b36dba510f26eb52acd7f10
Instruction ID: 98e7ef59aff27910a8f3f5f5b9d7a7b75bb5ec7680538b21cb54bbb268934d13
Opcode Fuzzy Hash: c561dc040d2535438362c3d40c102d15a08dd44f8b36dba510f26eb52acd7f10
Instruction Fuzzy Hash: 3D51D471B003159BD720AF65E881BABB3A4EBA4354F44452FEC0587351EB3DE905C7D8

Function 00410D90 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 163COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(004C8428), ref: 00410E28
GetSystemMetrics.USER32(00000000), ref: 00410EA0
GetSystemMetrics.USER32(00000001), ref: 00410EA6
GetCursorPos.USER32(?), ref: 00410F05

Strings

d, xrefs: 00410EE9

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CursorMetricsSystem
String ID: d
API String ID: 3091566494-2564639436
Opcode ID: 6480701f30dd99d19a46a80e3db62b274a9215ca04b1bf12998483c0dd00df0b
Instruction ID: ed3c359637ac67d6bc50b8ec0c8a832aad732e8d8265091dba275c1bf011333d
Opcode Fuzzy Hash: 6480701f30dd99d19a46a80e3db62b274a9215ca04b1bf12998483c0dd00df0b
Instruction Fuzzy Hash: B651E3757043068BD724CF19D881BAA73E1BB88314F14493EEC45C7351D7B9D985CB5A

Function 0041F9F0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 139COMMON

Download Yara Rule

Strings

%.*s.Get%s, xrefs: 0041FAC7
Duplicate declaration., xrefs: 0041FAF1
Not a valid method, class or property definition., xrefs: 0041FA0C
Out of memory., xrefs: 0041FB68
Missing "]", xrefs: 0041FA5A

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: %.*s.Get%s$Duplicate declaration.$Missing "]"$Not a valid method, class or property definition.$Out of memory.
API String ID: 0-1119647260
Opcode ID: 04dab2056358fe66faecb1f22e6dc4592f23f1045219fb9803d22382cb34fec4
Instruction ID: 9df85317c144c4722d0e6b6ffd0388458f799c9893f6b8190ebd9bdda8b9a417
Opcode Fuzzy Hash: 04dab2056358fe66faecb1f22e6dc4592f23f1045219fb9803d22382cb34fec4
Instruction Fuzzy Hash: E8414C717002014BCB24AF599842AEB7390EF95364F48447FED0ACB351E67DE98AC399

Function 0040CA6B Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 133sleepCOMMON

Download Yara Rule

APIs

CharUpperW.USER32 ref: 0040CAD1
CharUpperW.USER32 ref: 0040CAE2
Sleep.KERNEL32(00000000), ref: 0040CBC1

Strings

{Text}, xrefs: 0040CB28
{Raw}, xrefs: 0040CB18, 0040CB41
%s%c, xrefs: 0040CB46

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CharUpper$Sleep
String ID: %s%c${Raw}${Text}
API String ID: 3503790639-2444501380
Opcode ID: fbf741edc3641d48155f35eae00fd9fd32fc18d143f0019bfada63633a14d8a0
Instruction ID: 917f960083104bc397ef4f8caf8d5d426d5b013fab86d3b1f31d6eb963edcd53
Opcode Fuzzy Hash: fbf741edc3641d48155f35eae00fd9fd32fc18d143f0019bfada63633a14d8a0
Instruction Fuzzy Hash: AB518470604745CBD724DF2984817AB7BE1EF99314F048A2EE8C9A7391D778E844CB9D

Function 0049D272 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

PMDtoOffset.LIBCMT ref: 0049D346
std::bad_exception::bad_exception.LIBCMT ref: 0049D370
__CxxThrowException@8.LIBCMT ref: 0049D37E

Strings

Bad dynamic_cast!, xrefs: 0049D368

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Exception@8OffsetThrowstd::bad_exception::bad_exception
String ID: Bad dynamic_cast!
API String ID: 1176828985-2956939130
Opcode ID: 8b027ac74a19929622023bc49e922f196e511c05953e3738131a0fac42775efa
Instruction ID: 748b0a2f7defa9f4ff01c5f091e664b3f52fbd5d702b37402c576a0a3d1f674e
Opcode Fuzzy Hash: 8b027ac74a19929622023bc49e922f196e511c05953e3738131a0fac42775efa
Instruction Fuzzy Hash: AA319076E002159FCF14DF64C985AAEBBA1AF08315F24447AE905E7341D73CED01CBA9

Function 0040A830 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 107windowCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0040A85B

Part of subcall function 00474FC0: _vswprintf_s.LIBCMT ref: 00474FD9

GetTickCount.KERNEL32 ref: 0040A871
GetTickCount.KERNEL32 ref: 0040A97E
PostMessageW.USER32(00010474,00000312,?,00000000), ref: 0040A99F

Strings

%u hotkeys have been received in the last %ums.Do you want to continue?(see #MaxHotkeysPerInterval in the help file), xrefs: 0040A902
call, xrefs: 0040A8D3

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CountTick$MessagePost_vswprintf_s
String ID: %u hotkeys have been received in the last %ums.Do you want to continue?(see #MaxHotkeysPerInterval in the help file)$call
API String ID: 134691662-3729902611
Opcode ID: 250bc4bde14d984e6bd72541bd2f430ae9791e690a61f7df2d23326516bf5930
Instruction ID: 44503fbf4cf607bc054a6e8e5fe55e840e039e5888080ebbb495ecae89f1c8a7
Opcode Fuzzy Hash: 250bc4bde14d984e6bd72541bd2f430ae9791e690a61f7df2d23326516bf5930
Instruction Fuzzy Hash: 194117B2B40380ABE750EF25EC45FAA3BA0B795714F14887FE88492391D7785854C7AF

Function 0041BDA4 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 82COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 0041BE0F
__wcsnicmp.LIBCMT ref: 0041BECE

Part of subcall function 0041CFF0: __wcsicoll.LIBCMT ref: 0041D004

_wcschr.LIBCMT ref: 0041BE87
_wcschr.LIBCMT ref: 0041BE96
_memset.LIBCMT ref: 0041C005

Strings

new, xrefs: 0041BEC8
Invalid hotkey., xrefs: 0041BEF8
<>=/|^,:*&~!()[]{}+-?.", xrefs: 0041BE0A
This line does not contain a recognized action., xrefs: 0041BEFF, 0041BF09

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _wcschr$__wcsicoll__wcsnicmp_memset
String ID: <>=/|^,:*&~!()[]{}+-?."$Invalid hotkey.$This line does not contain a recognized action.$new
API String ID: 996272548-1323806148
Opcode ID: 28be1e0eabe21df6489d696d54f30e0506ae08e2e637760e26a5f3b879dd3b1a
Instruction ID: de032b20c3be496d8bba70ffacf315ba1e2037939c7924716e6fbbc53f8578df
Opcode Fuzzy Hash: 28be1e0eabe21df6489d696d54f30e0506ae08e2e637760e26a5f3b879dd3b1a
Instruction Fuzzy Hash: C821A26050439055DB31AA559C853FB3BA0EB62314F04881FF988CA282E77D9DCA87EE

Function 00412540 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 57registrylibraryCOMMON

Download Yara Rule

APIs

ActivateKeyboardLayout.USER32(00000000,00000000,00000000,00000000), ref: 00412550
GetKeyboardLayoutNameW.USER32(?), ref: 00412589
RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?), ref: 004125A6
LoadLibraryW.KERNEL32(?), ref: 004125D5
ActivateKeyboardLayout.USER32(00000000,00000000), ref: 004125E9

Strings

Layout File, xrefs: 004125BD

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: KeyboardLayout$Activate$LibraryLoadNameOpen
String ID: Layout File
API String ID: 1064788448-1055935358
Opcode ID: 0c8a12bf97b8de8c858f3e6698a76f0d6a857518983ff47d20f150bb72c09261
Instruction ID: 701167beb9734922a8ac22fa13581dec1c878cccd808edc6ae7fdb824835c5ac
Opcode Fuzzy Hash: 0c8a12bf97b8de8c858f3e6698a76f0d6a857518983ff47d20f150bb72c09261
Instruction Fuzzy Hash: 5211C635204305BBD7209B60DD98BEBB7ADEB85350F40482EBA45C2240EF78D944C769

Function 00414A50 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50COMMON

Download Yara Rule

Strings

RegEx, xrefs: 00414A96
SLOW, xrefs: 00414AC6
FAST, xrefs: 00414AAE

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: FAST$RegEx$SLOW
API String ID: 0-3371325577
Opcode ID: e5a915cb33e6f733933f246fb6282c7175e4f60f81cf605de229b91e0d85ffd9
Instruction ID: 0d549c7df71747550527a2ce4317762e0bf6a0cf3d28413a1ad9a766a79611af
Opcode Fuzzy Hash: e5a915cb33e6f733933f246fb6282c7175e4f60f81cf605de229b91e0d85ffd9
Instruction Fuzzy Hash: 4FF0A4259C051115EF306269CC027AB21A49FE1B9AFDA896BF454C53C0F79CCDD4C14D

Function 00414D80 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 00414D90
__wcsicoll.LIBCMT ref: 00414DA8

Strings

Interrupt, xrefs: 00414DA2
NoTimers, xrefs: 00414DBA
Priority, xrefs: 00414D8A

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __wcsicoll
String ID: Interrupt$NoTimers$Priority
API String ID: 3832890014-3223323590
Opcode ID: 8673d32b512bd9018793bb196c1d5b40ebd8ca30586ba1734df657dd330f6e22
Instruction ID: deab90e07f06a2fb7631efdf103cc1ef51e41efd49fef226b81528ec811e20cb
Opcode Fuzzy Hash: 8673d32b512bd9018793bb196c1d5b40ebd8ca30586ba1734df657dd330f6e22
Instruction Fuzzy Hash: 07E04F52A5162125DE21263ABC037DF20845BF2B0AF9E4666F824D13C5F78D8995819E

Function 00409CF0 Relevance: 9.4, APIs: 6, Instructions: 359COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00409D0B
UnregisterHotKey.USER32(00010474,?,00000028,?,00000001), ref: 00409DA1

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Unregister_memset
String ID:
API String ID: 2392160147-0
Opcode ID: 71481f1a92dca2b6df0f580d4b5466cc22b4f6be015d98d672facef3935109ae
Instruction ID: 5abdfaac0726ee4b9cdf7609084facb0a471603086785c9895faba6579550722
Opcode Fuzzy Hash: 71481f1a92dca2b6df0f580d4b5466cc22b4f6be015d98d672facef3935109ae
Instruction Fuzzy Hash: 0DE1B0616083859AEB35CF24D448B637BA19B52308F0844BFD481AA2D3D37DDD9AC79B

Function 004917E8 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 004917F4

Part of subcall function 00492192: __getptd_noexit.LIBCMT ref: 00492195
Part of subcall function 00492192: __amsg_exit.LIBCMT ref: 004921A2

__amsg_exit.LIBCMT ref: 00491814
__lock.LIBCMT ref: 00491824
InterlockedDecrement.KERNEL32(?), ref: 00491841
_free.LIBCMT ref: 00491854
InterlockedIncrement.KERNEL32(02D52CC8), ref: 0049186C

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: 6b8c4c6a12391ff2560002c5849a4edf37db0201feb4090741f9a2b6356e4eae
Instruction ID: b1908060966f0b8c2e2ab703c7d8425b26ff1ac565111df06f7cf80e1be0a909
Opcode Fuzzy Hash: 6b8c4c6a12391ff2560002c5849a4edf37db0201feb4090741f9a2b6356e4eae
Instruction Fuzzy Hash: 8701C836D01612ABCF11FB559545B9E7BA0BB41714F05407FE410632A0C77C5C41EBDD

Function 0040BED0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 243COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0040BF38
GetKeyboardLayout.USER32(00000000), ref: 0040BF53

Part of subcall function 00474FC0: _vswprintf_s.LIBCMT ref: 00474FD9

Strings

"%s" is not a valid key name., xrefs: 0040C0E0
"%s" is not allowed as a prefix key., xrefs: 0040BFB8

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: KeyboardLayout__wcsicoll_vswprintf_s
String ID: "%s" is not a valid key name.$"%s" is not allowed as a prefix key.
API String ID: 2348117768-1430096861
Opcode ID: 1f17666a0ad7f54cf2c06c22d451c5469985fbab6af3e785ad65dc5c7674e948
Instruction ID: 64c6b01aa91273d2a68f3b829937831e87006c8afaf3db699980f3c0890d8c78
Opcode Fuzzy Hash: 1f17666a0ad7f54cf2c06c22d451c5469985fbab6af3e785ad65dc5c7674e948
Instruction Fuzzy Hash: 8E7138762483449AD720DB589C82BEB7791CB91324F48053FED44AA3C2D7BD898DC79E

Function 0046C0C0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 91windowCOMMON

Download Yara Rule

APIs

RemoveMenu.USER32(?,?,00000000,?,?,?,0046BB7F,?,00000000,?,75295780,?,?,00415D51,004CB680,02D52F08), ref: 0046C0EE
SetMenuItemInfoW.USER32 ref: 0046C135
DeleteObject.GDI32(?), ref: 0046C147
DestroyCursor.USER32(?), ref: 0046C153

Strings

0, xrefs: 0046C121

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Menu$CursorDeleteDestroyInfoItemObjectRemove
String ID: 0
API String ID: 2910511256-4108050209
Opcode ID: 5558a60aac1dc141a3314c62044822e0c655d7d40df7e901d0c715033f4807a4
Instruction ID: c791606492389fef6e98b19904fdee6728946873793a9211dad79ae17e51e458
Opcode Fuzzy Hash: 5558a60aac1dc141a3314c62044822e0c655d7d40df7e901d0c715033f4807a4
Instruction Fuzzy Hash: F8315AB16002409FC720DF59D8C4C6BBBE9BB49304B44467EE5898B312E735ED44CF9A

Function 004788E0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 72COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 00478929

Strings

_$#@, xrefs: 00478924
variable, xrefs: 00478954
The following %s name contains an illegal character:"%-1.300s", xrefs: 00478965
function, xrefs: 0047895B, 00478964

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _wcschr
String ID: The following %s name contains an illegal character:"%-1.300s"$_$#@$function$variable
API String ID: 2691759472-3792156013
Opcode ID: ffe442df449ed096fe107588dac3167b16e697bdb5051459385bde7c9bc46997
Instruction ID: a0a417c059afc0ac3293277f9c025098adadd00e166d465fa293bc44acc0c666
Opcode Fuzzy Hash: ffe442df449ed096fe107588dac3167b16e697bdb5051459385bde7c9bc46997
Instruction Fuzzy Hash: 8D1127B3B4020412DB20A55AAC466FB7388C781330F4482BFFE0CD63C1FA699C0482EA

Function 0041AEAC Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 53COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0041AEB4
__wcsnicmp.LIBCMT ref: 0041AED9

Strings

Local, xrefs: 0041AEAE
b, xrefs: 0041AEE9
Static, xrefs: 0041AED3

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __wcsnicmp
String ID: Local$Static$b
API String ID: 1038674560-465266414
Opcode ID: f0f455a0364253a6a42cb3a302415e631f94708a6e2d5d239890e31b93c4f642
Instruction ID: 58851e46d5a556e24c7d3a65e7ed414f35c8b15ff18f5453d3a206166bf24b79
Opcode Fuzzy Hash: f0f455a0364253a6a42cb3a302415e631f94708a6e2d5d239890e31b93c4f642
Instruction Fuzzy Hash: 6101007168530646DB349A018881BFB73D0FFA5719F00052FF98986681F3AD8AD5879F

Function 00412564 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46registrylibraryCOMMON

Download Yara Rule

APIs

GetKeyboardLayoutNameW.USER32(?), ref: 00412589
RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,?), ref: 004125A6
LoadLibraryW.KERNEL32(?), ref: 004125D5
ActivateKeyboardLayout.USER32(00000000,00000000), ref: 004125E9

Strings

Layout File, xrefs: 004125BD

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: KeyboardLayout$ActivateLibraryLoadNameOpen
String ID: Layout File
API String ID: 2091964706-1055935358
Opcode ID: 755bbdc3a8cede16e218a21076dea3348f8babe478426d31cc078b6756582c3e
Instruction ID: 67538de4c5669415d5c44a24e28d0df87865b70f75d1a8e586fa7b95a526baf2
Opcode Fuzzy Hash: 755bbdc3a8cede16e218a21076dea3348f8babe478426d31cc078b6756582c3e
Instruction Fuzzy Hash: E6012432204301ABD7309B20DD98BFBB7A9FB85350F40482EFA45C3240EB789584C76A

Function 00479D20 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32,IsHungAppWindow,?,00478D1A), ref: 00479D46
GetProcAddress.KERNEL32(00000000), ref: 00479D4D

Strings

IsHungAppWindow, xrefs: 00479D3C
user32, xrefs: 00479D41

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsHungAppWindow$user32
API String ID: 1646373207-934392274
Opcode ID: 0c19b43b85725c5d609088598e8fa6e1f1508da7488f6668902b27b189480cdf
Instruction ID: 276b13bd05a28e6ee2473acc4558146c4282d12a31936c3694102e4cb7b666e8
Opcode Fuzzy Hash: 0c19b43b85725c5d609088598e8fa6e1f1508da7488f6668902b27b189480cdf
Instruction Fuzzy Hash: 1FF0B4727813126AE7605BB4BC4BFEA3A9C9B02701F248076F81AD55E1EB58DD405A1C

Function 004042B0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000002,00000000,0040427A), ref: 004042C1
GlobalLock.KERNEL32(00000000), ref: 004042E6
GlobalFree.KERNEL32(00000000), ref: 004042F7

Strings

GlobalAlloc, xrefs: 004042D3
GlobalLock, xrefs: 00404302

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Global$AllocFreeLock
String ID: GlobalAlloc$GlobalLock
API String ID: 1811133220-3672399903
Opcode ID: fe08613e736e5286204b3a8e8731af408fb1db42672314f6aa5a4fc8e99598f8
Instruction ID: afb7bffd47b95c731a87377180947e1ae491f5292c47d67ce45e39bca6dd865a
Opcode Fuzzy Hash: fe08613e736e5286204b3a8e8731af408fb1db42672314f6aa5a4fc8e99598f8
Instruction Fuzzy Hash: 12F03174701B019BC7109F76890AA17B7E8AF95705710887FB956D3690EB78E800DB58

Function 00408DC0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35synchronizationCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000), ref: 00408DD3
CreateMutexW.KERNEL32(00000000,00000000,AHK Keybd), ref: 00408DDE
GetLastError.KERNEL32 ref: 00408DE6
CloseHandle.KERNEL32(00000000), ref: 00408E0D

Strings

AHK Keybd, xrefs: 00408DD5

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CloseHandle$CreateErrorLastMutex
String ID: AHK Keybd
API String ID: 2372642624-4057427925
Opcode ID: 9462ff5882db292f961f87749792a10c5ada91329fd983548eb66133f24145ad
Instruction ID: 715416118ac52e1394e1033a93bd061ea253aac25160f8f179083ba16beef835
Opcode Fuzzy Hash: 9462ff5882db292f961f87749792a10c5ada91329fd983548eb66133f24145ad
Instruction Fuzzy Hash: 3CF0A0733013206BDA5067B9EC8CF4B7B599BC97A2F118476F144D61D0CB388C408A6C

Function 00408E20 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35synchronizationCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000), ref: 00408E33
CreateMutexW.KERNEL32(00000000,00000000,AHK Mouse), ref: 00408E3E
GetLastError.KERNEL32 ref: 00408E46
CloseHandle.KERNEL32(00000000), ref: 00408E6D

Strings

AHK Mouse, xrefs: 00408E35

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CloseHandle$CreateErrorLastMutex
String ID: AHK Mouse
API String ID: 2372642624-1022267635
Opcode ID: f6f128d3337663449afc55ca31192e9fd6c36ede98926b02002da0c7c562de47
Instruction ID: f273c53dedcae68dc19921a8992f06f11b69f37dea48f4da9fe1003213fefae9
Opcode Fuzzy Hash: f6f128d3337663449afc55ca31192e9fd6c36ede98926b02002da0c7c562de47
Instruction Fuzzy Hash: 48F0A073320320ABD71067B8EC8CF4F3B59ABC57A1F194036F544C6294CB388C408268

Function 004124F0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31threadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00412503
GetGUIThreadInfo.USER32 ref: 00412515
GetWindowThreadProcessId.USER32(?,00000000), ref: 0041252A
GetKeyboardLayout.USER32(00000000), ref: 0041252F

Strings

0, xrefs: 0041250D

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Thread$ProcessWindow$InfoKeyboardLayout
String ID: 0
API String ID: 3571156007-4108050209
Opcode ID: 1e1fc4ae02988cd98a99443cdc5365ba4ebe2ef5ec976b69fa2e7ff7d994f47e
Instruction ID: 63159857cd3c982576378a14c26b1b25572732fcd22b20de5e0efd13b3cbf21d
Opcode Fuzzy Hash: 1e1fc4ae02988cd98a99443cdc5365ba4ebe2ef5ec976b69fa2e7ff7d994f47e
Instruction Fuzzy Hash: 16E0E572601221B7D3209B659D04BDB7FDCAF85790F040526F805E3190D774EC04CAF9

Function 004096C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 004096D0
__wcsicoll.LIBCMT ref: 004096E8

Strings

Toggle, xrefs: 004096FA
Off, xrefs: 004096E2

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __wcsicoll
String ID: Off$Toggle
API String ID: 3832890014-498102744
Opcode ID: a4376d66a018ebfb6dc66cbc0347433af8c06d9d41e7e539805090aebaa1189a
Instruction ID: f9e48b36116ac5737066d35bfbcd4a0398cc7b688834ccdc27d4904e326b8ce8
Opcode Fuzzy Hash: a4376d66a018ebfb6dc66cbc0347433af8c06d9d41e7e539805090aebaa1189a
Instruction Fuzzy Hash: 9AE0DF03A4191122DA20353E8C0378F20446BA2B0AFD805B6F824E23C3F29D8E4081DE

Function 00414E30 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 00414E36
__wcsicoll.LIBCMT ref: 00414E4E

Strings

Locale, xrefs: 00414E5B
Off, xrefs: 00414E48

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __wcsicoll
String ID: Locale$Off
API String ID: 3832890014-2054679776
Opcode ID: fdcb75efe1ef803f17c9f6c152cd5e1ebf87243c562a32b77a4bc52e9b05d5a6
Instruction ID: b045184371c5d75b8ec0b69f8ecff4dcce29a4e13291825291cce78f46b969b8
Opcode Fuzzy Hash: fdcb75efe1ef803f17c9f6c152cd5e1ebf87243c562a32b77a4bc52e9b05d5a6
Instruction Fuzzy Hash: B2D05E5BA80A1122CF21307A5D03BCF10442FB2B0EFCA04A6F820D0282F28DD25486AE

Function 0040F7E0 Relevance: 7.7, APIs: 5, Instructions: 194COMMON

Download Yara Rule

APIs

CallNextHookEx.USER32(00000000,?,?,?), ref: 0040F808
UnhookWindowsHookEx.USER32(00000000), ref: 0040F849
GetTickCount.KERNEL32 ref: 0040F89C
GetTickCount.KERNEL32 ref: 0040F9DF

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CountHookTick$CallNextUnhookWindows
String ID:
API String ID: 2092930497-0
Opcode ID: 45bacffc7ed1776581887d01330ba344f648df055483ed06a9c86c1b9347f3da
Instruction ID: f1286bb7f4f0ff4a4feaa31a71e9e3a37f3b4b30d7c68654c4755a4ddce7f20d
Opcode Fuzzy Hash: 45bacffc7ed1776581887d01330ba344f648df055483ed06a9c86c1b9347f3da
Instruction Fuzzy Hash: CF71E471604602DBD328DB28E894B76B7E0FB94305F14853FD49AD7B90E739A858CB6C

Function 00469740 Relevance: 7.6, APIs: 5, Instructions: 118windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001304,00000000,00000000), ref: 0046975A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00469792
SendMessageW.USER32(?,0000130C,-00000001,00000000), ref: 004697D6
GetDlgCtrlID.USER32 ref: 004697F2

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MessageSend$Ctrl
String ID:
API String ID: 4210937766-0
Opcode ID: 4ced7b0e40063aa2e479ac6204793705fcfa57503b5bd603f6d049eca268f2e3
Instruction ID: cf7bd77c8d4614a2e63cd773df05d1f7b3f81102a18c5147856aebe60ecdc637
Opcode Fuzzy Hash: 4ced7b0e40063aa2e479ac6204793705fcfa57503b5bd603f6d049eca268f2e3
Instruction Fuzzy Hash: 83311570214201AEE320AE2A8844F6BB7DC9B42705F14852FF545C72D2E6B9EC85CB9A

Function 00491F69 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00491F75

Part of subcall function 00492192: __getptd_noexit.LIBCMT ref: 00492195
Part of subcall function 00492192: __amsg_exit.LIBCMT ref: 004921A2

__getptd.LIBCMT ref: 00491F8C
__amsg_exit.LIBCMT ref: 00491F9A
__lock.LIBCMT ref: 00491FAA
__updatetlocinfoEx_nolock.LIBCMT ref: 00491FBE

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 7b5c7f0c9d9b604717c36fd8480da74caa0fae5ba2deeee895ce822d5cb29e49
Instruction ID: 65ed6d96ff80f4e324e4be8d254584be939dd2511ae01b36955dbcc39c0ce684
Opcode Fuzzy Hash: 7b5c7f0c9d9b604717c36fd8480da74caa0fae5ba2deeee895ce822d5cb29e49
Instruction Fuzzy Hash: 4BF0F632940715AEDF64B7665903B4E3BA06F00328F10413FF010972EADBAC08009B5D

Function 0040333B Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 183COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 004033DF
GetTickCount.KERNEL32 ref: 00403472

Strings

call, xrefs: 004034D5

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CountTick_wcsncpy
String ID: call
API String ID: 2317306155-3431870270
Opcode ID: 382181d5c0fc1d5ebe4e431c50307ade5e52df618429a38017b0800659f33e48
Instruction ID: bcd41d055f5edb5c21ec6749b2c1228166087750d1db6665263babfc6ba58c09
Opcode Fuzzy Hash: 382181d5c0fc1d5ebe4e431c50307ade5e52df618429a38017b0800659f33e48
Instruction Fuzzy Hash: 4D61A2706043409FC724DF25D880AABBFE4BF85305F04497EE8859B361D739EA45CB9A

Function 004033CB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 131COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 004033DF

Part of subcall function 00403590: SetCurrentDirectoryW.KERNEL32(C:\Users\user\Desktop,?,02D85D24,004033FF,00000000,00000000,?,?,?,?,00000000), ref: 004035F5

GetTickCount.KERNEL32 ref: 00403472
_free.LIBCMT ref: 00403513

Part of subcall function 0045C3D0: GetWindowLongW.USER32(00000000,000000F0), ref: 0045C410
Part of subcall function 0045C3D0: GetParent.USER32(00000000), ref: 0045C41A

Part of subcall function 00401290: GetDlgCtrlID.USER32 ref: 004012A1
Part of subcall function 00401290: GetParent.USER32 ref: 004012AC
Part of subcall function 00401290: GetDlgCtrlID.USER32(00000000), ref: 004012B9

Strings

call, xrefs: 004034D5

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CtrlParent$CountCurrentDirectoryLongTickWindow_free_wcsncpy
String ID: call
API String ID: 331199522-3431870270
Opcode ID: 709248ccafc3994de630679cf627d1680b62fd451f329a2b7abb84de81598ea7
Instruction ID: a22a7019ee6e58a320fc687f70b56abfdc3ac284fbee3c53cdcf59aea3582c3c
Opcode Fuzzy Hash: 709248ccafc3994de630679cf627d1680b62fd451f329a2b7abb84de81598ea7
Instruction Fuzzy Hash: C35144B19043409FC324DF29D88099BBBE4BF85305F14497EE4899B362E735E905CB5A

Function 0042F160 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

_fputws.LIBCMT ref: 0042F21A
OutputDebugStringW.KERNEL32(?,004CB680,00000000,This variable has not been assigned a value.,?,?,?,00000000), ref: 0042F234

Strings

%s (%d) : ==> Warning: %s, xrefs: 0042F1C5
Specifically: %s, xrefs: 0042F1F1

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: DebugOutputString_fputws
String ID: Specifically: %s$%s (%d) : ==> Warning: %s
API String ID: 1480962609-1106449728
Opcode ID: ee02b9df6e7e10103ac2156e449da2afa51f6c24c230b4c3f575ea2b953231a2
Instruction ID: 2549a14dce2978934aae13759c7b544f9ece60ce3e48d637e4db6ec6c2415730
Opcode Fuzzy Hash: ee02b9df6e7e10103ac2156e449da2afa51f6c24c230b4c3f575ea2b953231a2
Instruction Fuzzy Hash: 3331E6B670431097D720EA51F885ABB73A9EBC5314F84887EEE4857241D77A6C08C2BA

Function 004437C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 72COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 004437EA

Strings

A Goto/Gosub must not jump into a block that doesn't enclose it., xrefs: 00443862
h(J, xrefs: 004437CB
Target label does not exist., xrefs: 00443800

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __wcsicoll
String ID: A Goto/Gosub must not jump into a block that doesn't enclose it.$Target label does not exist.$h(J
API String ID: 3832890014-3063140606
Opcode ID: 671fbc5e6e0793823bcf74c53c3fd360bcc875e67e6ad829e325c68f7b3c9aa0
Instruction ID: afd573a4d8055b0342ef6654cba37cc6cbaa70d07ad3bca525dd7f261e46e0f0
Opcode Fuzzy Hash: 671fbc5e6e0793823bcf74c53c3fd360bcc875e67e6ad829e325c68f7b3c9aa0
Instruction Fuzzy Hash: 9111B4B274030457EB20EE2AD801B67F3A4AB90F52F14842FF8459B380D729EE51C79C

Function 004116D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00411708
GetForegroundWindow.USER32(?,0040FFD1,00000000,00000000), ref: 00411754
GetWindowTextW.USER32(00000000,0000000C,00000064), ref: 00411781

Strings

N/A, xrefs: 004117AA

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Window$CountForegroundTextTick
String ID: N/A
API String ID: 3416458291-2525114547
Opcode ID: c0db38a858e196bdb9c7617cc72d1ed12be8688fb3f38d063a0d90b12b133101
Instruction ID: 87116f4d8449f2232aad3b7576ef3395a5e279bfa921b186fd7b189b5147bac6
Opcode Fuzzy Hash: c0db38a858e196bdb9c7617cc72d1ed12be8688fb3f38d063a0d90b12b133101
Instruction Fuzzy Hash: 7E312736209600EFC758CB24E998E6ABBA4EB98300B09857EE546DB3B5D7349C41CB5D

Function 00417010 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0041701B
_wcschr.LIBCMT ref: 0041705B

Strings

<>=/|^,:*&~!()[]{}+-?."'\;`, xrefs: 00417056
Class, xrefs: 00417015

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __wcsnicmp_wcschr
String ID: <>=/|^,:*&~!()[]{}+-?."'\;`$Class
API String ID: 2237432580-400929710
Opcode ID: 1320dabc2b37f9ebb01aecb97e2d9ded86b5111d4e4133e5c856865f63aac09d
Instruction ID: 584480d0d4f65814acdfae617e9ea43e74e2652c6ac03446d7358c2f24d28386
Opcode Fuzzy Hash: 1320dabc2b37f9ebb01aecb97e2d9ded86b5111d4e4133e5c856865f63aac09d
Instruction Fuzzy Hash: 7111E57260C7115A97209B2DAC425FB7BE1EF99311B184427E849C6284F329DDC5C295

Function 00403590 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNEL32(C:\Users\user\Desktop,?,02D85D24,004033FF,00000000,00000000,?,?,?,?,00000000), ref: 004035F5
GetTickCount.KERNEL32 ref: 00403667

Strings

C:\Users\user\Desktop, xrefs: 004035F0
e, xrefs: 00403610

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CountCurrentDirectoryTick
String ID: C:\Users\user\Desktop$e
API String ID: 2167818035-170270612
Opcode ID: 4ca84c085fba102bf18794f1e2baa4abcc6f630d6c85ef87b295c567aa225b29
Instruction ID: c5360f2c934a6d4f45fe079ad79f681bddc18af6940219d75f878b58c05ea7db
Opcode Fuzzy Hash: 4ca84c085fba102bf18794f1e2baa4abcc6f630d6c85ef87b295c567aa225b29
Instruction Fuzzy Hash: 44217A70804780AEE770CF25E808B96BFE4AB45315F08897FD09A663D1C7B95985CF48

Function 00416540 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00416550
_wcsncpy.LIBCMT ref: 004165C2
Shell_NotifyIconW.SHELL32(00000000,?), ref: 004165D5

Strings

AutoHotkey, xrefs: 004165B3, 004165BA

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: IconNotifyShell__memset_wcsncpy
String ID: AutoHotkey
API String ID: 1481257660-348589305
Opcode ID: e1ee7b78e756c90cb0382a01a44cc7b320eee2e0cd31f8cf52b688655658436e
Instruction ID: 48202a1d6c1d34ffdc176eebde242b7c8320fc625ae2673eef0a5550acbc3080
Opcode Fuzzy Hash: e1ee7b78e756c90cb0382a01a44cc7b320eee2e0cd31f8cf52b688655658436e
Instruction Fuzzy Hash: 5C116DB0704701AFDB60DF39D848B97B7E8EB44304F41082EE55ED6340EB78E8408B58

Function 0046D0B0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32windowCOMMON

Download Yara Rule

APIs

SetMenuItemInfoW.USER32 ref: 0046D0E3
DeleteObject.GDI32(00000000), ref: 0046D0F6
DestroyCursor.USER32(00000000), ref: 0046D110

Strings

0, xrefs: 0046D0CB

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CursorDeleteDestroyInfoItemMenuObject
String ID: 0
API String ID: 392443887-4108050209
Opcode ID: 73d54b260c4c79a03620e5912fb9009d33d0792d368580d23bcc88033994dace
Instruction ID: 336f6b26ba9466bd8034efa99ef7d0e097b0287aad32d4f812c7b4900db83f52
Opcode Fuzzy Hash: 73d54b260c4c79a03620e5912fb9009d33d0792d368580d23bcc88033994dace
Instruction Fuzzy Hash: B7F049F0A013009FE324CF15D959B577BE4BB48705F800A1CE48A872A0E7B9E808CB5A

Function 0041B519 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0041B526
__wcsicoll.LIBCMT ref: 0041B53F

Strings

f9M, xrefs: 0041AE45
WHILE, xrefs: 0041B539

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __wcsicoll
String ID: WHILE$f9M
API String ID: 3832890014-1455158177
Opcode ID: 5944d45e376fb1b236d665223c981aeb336956c0416d0a9a909d5bd83e2fad44
Instruction ID: b8cd079e99b397ed4a95525c49edf1d0a4363da3c2a86212455b5ce4b0ad1eca
Opcode Fuzzy Hash: 5944d45e376fb1b236d665223c981aeb336956c0416d0a9a909d5bd83e2fad44
Instruction Fuzzy Hash: CAF082304493C1A1DB30EB658D457EF6A949F65709F04881BF84D81241F3BCC6E883AF

Function 00421E80 Relevance: 6.2, APIs: 4, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 411e5fa529d4a49f5cedec46bd57b23e5c950b06fb7fa0808e5e3ce82bf5d9c5
Instruction ID: 3e8477417cb66a92acbb79513ef8c49a30ddc2e02c522e191bc91ce92ac62c3f
Opcode Fuzzy Hash: 411e5fa529d4a49f5cedec46bd57b23e5c950b06fb7fa0808e5e3ce82bf5d9c5
Instruction Fuzzy Hash: B68113323043219BC730DA58E980BABB3E1BF98314F89055EE99487352D779ED06C796

Function 00478FB0 Relevance: 6.1, APIs: 4, Instructions: 132windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,00409918,004C8138,?,00000000,004A2868,004A2868,00000000,?,004C9F54,?,0040A4DA,?), ref: 00478FFF
IsWindowVisible.USER32(00000000), ref: 0047901B
GetForegroundWindow.USER32(?,?,?,?,00409918,004C8138,?,00000000,004A2868,004A2868,00000000,?,004C9F54,?,0040A4DA,?), ref: 0047904E
IsWindowVisible.USER32(00000000), ref: 004790BB

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Window$ForegroundVisible
String ID:
API String ID: 4078700383-0
Opcode ID: a15962ffc4fdf8c261fef46e7b44eb9c992f0563c12497c3e2bdb89a46e0e1d1
Instruction ID: be5417874b46d2e900e8e60a46a52fe3954e767fd9b36f4bc56dacc34b835fdf
Opcode Fuzzy Hash: a15962ffc4fdf8c261fef46e7b44eb9c992f0563c12497c3e2bdb89a46e0e1d1
Instruction Fuzzy Hash: B54159316583818BC734AF65D8804EFB7E5FB85310F44896EE68C87240EB395D85DB9A

Function 00497F5D Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00497F91
__isleadbyte_l.LIBCMT ref: 00497FC4
MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,00000000,00000000,?,?,?,?,?,00000000), ref: 00497FF5
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,00000000,00000000,?,?,?,?,?,00000000), ref: 00498063

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: f9f0a74a68442fb17fc924880cb736a3584c5514d0ea5f9996fdfb5190d9ab9a
Instruction ID: 85f262e6b6cd70b278b53554bc94b6c9b5be7d13d69a7986a37edb2bf50ffc9e
Opcode Fuzzy Hash: f9f0a74a68442fb17fc924880cb736a3584c5514d0ea5f9996fdfb5190d9ab9a
Instruction Fuzzy Hash: F631CE31A14245EFCF10DFA8C8809AE7FB1AF01310F15457EE4659B295E738CD40DB59

Function 0046CB70 Relevance: 6.1, APIs: 4, Instructions: 90windowCOMMON

Download Yara Rule

APIs

IsMenu.USER32(?), ref: 0046CB84
GetMenu.USER32(?), ref: 0046CBB0
DestroyMenu.USER32(?,?,0046BB79,00000000,?,75295780,?,?,00415D51,004CB680,02D52F08,?,?,?,00000000,00000000), ref: 0046CBC4

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Menu$Destroy
String ID:
API String ID: 3525833831-0
Opcode ID: c69c7c87b924854fced0d1b54d5957574c4733be9ed597133ebfed67299dd459
Instruction ID: 29d3cc2235bc53f19bf3f2d0e3a333caba59038450d37c39a10bdf81806438a0
Opcode Fuzzy Hash: c69c7c87b924854fced0d1b54d5957574c4733be9ed597133ebfed67299dd459
Instruction Fuzzy Hash: 86315C727002108BCB218F65A8C5A37B3A4BB49B55B15816BD9889B701FB39FC01CB9A

Function 0040F540 Relevance: 6.1, APIs: 4, Instructions: 80windowCOMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 0040F575
GetTickCount.KERNEL32 ref: 0040F59F
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0040F5C2
GetTickCount.KERNEL32 ref: 0040F5EC

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CountTick$MessagePeek__itow
String ID:
API String ID: 1851793280-0
Opcode ID: 7af147e230a6b2fdeb0ded77f4761003ad48306ca2e43fd4a6f489498431898b
Instruction ID: dcabcfd5a70de8219c44b2f110d2ab45efe91699bf03cbafe76cb8bfec93dd49
Opcode Fuzzy Hash: 7af147e230a6b2fdeb0ded77f4761003ad48306ca2e43fd4a6f489498431898b
Instruction Fuzzy Hash: A321F0B1900300ABD320EF54EC41F2A33A4AB84758F54093AF800676E1DB79E94EC75E

Function 0047A2C0 Relevance: 6.1, APIs: 4, Instructions: 60threadCOMMON

Download Yara Rule

APIs

GetWindowTextW.USER32(?,?,00007FFF), ref: 0047A2F7
GetWindowThreadProcessId.USER32(?,?), ref: 0047A31F
GetWindowThreadProcessId.USER32(?,?), ref: 0047A332
GetClassNameW.USER32(?,?,00000101), ref: 0047A378

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Window$ProcessThread$ClassNameText
String ID:
API String ID: 3420357866-0
Opcode ID: ca3f1a0ff5aaa800b5ac87fbb564b8035961a4004fc7b604e5060d363b083a9b
Instruction ID: a256e98da43684eadae96e9e3906f0bcb72ac40daa046eda8bd3ab0767564e45
Opcode Fuzzy Hash: ca3f1a0ff5aaa800b5ac87fbb564b8035961a4004fc7b604e5060d363b083a9b
Instruction Fuzzy Hash: 9411BE71200B419AD7349F78C840AEBB7EAEFC5744F14C91DE89E83280EB78B950C729

Function 00404430 Relevance: 6.0, APIs: 4, Instructions: 45clipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32(00000000), ref: 0040444C
CloseClipboard.USER32 ref: 00404451
GlobalUnlock.KERNEL32(00000000), ref: 00404465
GlobalFree.KERNEL32(00000000), ref: 00404475

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Global$Unlock$ClipboardCloseFree
String ID:
API String ID: 1156981608-0
Opcode ID: 55f8dc915af0cc11aeeba3268605394b168407b423672170b683a0e2f87bf1c5
Instruction ID: 0ba2b58eef9fc65e1470fbced79705329efee2976ed4ded7ff49ddd9df2e29d6
Opcode Fuzzy Hash: 55f8dc915af0cc11aeeba3268605394b168407b423672170b683a0e2f87bf1c5
Instruction Fuzzy Hash: F8011EB56007009BC320DF5AD884917F7E8BBD4711324C92FE69A93650C735A840CF18

Function 00416510 Relevance: 6.0, APIs: 4, Instructions: 20windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32(00000000,0000FF81,00000003), ref: 0041651E
EnableMenuItem.USER32(00000000,0000FF7E,00000003), ref: 00416527
EnableMenuItem.USER32(00000000,0000FF7F,00000003), ref: 00416530
EnableMenuItem.USER32(00000000,0000FF80,00000003), ref: 00416539

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: EnableItemMenu
String ID:
API String ID: 1841910628-0
Opcode ID: a595932e3b60e682d82ce59cc7cb223dc68fe98ca3b4728472f73a0ad334fbc1
Instruction ID: 61b095ad3b4307dc13cb983632c3f906f5cdc8cc8124339673f1335f1e121de0
Opcode Fuzzy Hash: a595932e3b60e682d82ce59cc7cb223dc68fe98ca3b4728472f73a0ad334fbc1
Instruction Fuzzy Hash: 23D0025124E31739B53166625CC5C7F5D2DDF8BFE8B500179F208155C44E455C17B1B9

Function 0047A380 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 299COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0047A51E
EnumChildWindows.USER32(00000000,00479460,?), ref: 0047A6A3

Strings

%s%u, xrefs: 0047A712

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ChildEnumWindows__wcsicoll
String ID: %s%u
API String ID: 2617673624-679674701
Opcode ID: f463fe275bf8a4572d16169b3931c75fe4a66956c1ff49de5b715a7cef880024
Instruction ID: 2145d8b2f0f75c96de28c46e8ba0d58c0ff6f23de95557dc4b48e60136c6947e
Opcode Fuzzy Hash: f463fe275bf8a4572d16169b3931c75fe4a66956c1ff49de5b715a7cef880024
Instruction Fuzzy Hash: 72B1A6326001459ADB34EF15DC48BEF33A5EBA0354F48C12BDD4D8A240EB7ADB5AC756

Function 00410140 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

__fassign.LIBCMT ref: 00410226
__fassign.LIBCMT ref: 00410253

Strings

,, xrefs: 004101B2

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __fassign
String ID: ,
API String ID: 3965848254-605440088
Opcode ID: 3ee338104aeb64222ba0cab95f241a4613dc61bea76971bdc78b61f592cd58f0
Instruction ID: 6d3482a9b41fcbe21f9bb8b6c7e256a476d218e91ed5098b1dc149de876d789c
Opcode Fuzzy Hash: 3ee338104aeb64222ba0cab95f241a4613dc61bea76971bdc78b61f592cd58f0
Instruction Fuzzy Hash: CC51DD706042129FD7219F14D8457ABB3A1AF96314F24089AFC819B3D1E7BE9DC1C79A

Function 00402F70 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 153COMMON

Download Yara Rule

APIs

Part of subcall function 00403740: GetTickCount.KERNEL32 ref: 00403772

GetTickCount.KERNEL32 ref: 00402FF5
_wcsncpy.LIBCMT ref: 00403067

Strings

call, xrefs: 004030D8

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CountTick$_wcsncpy
String ID: call
API String ID: 980906815-3431870270
Opcode ID: 53bb392afa135ee1194b065936956bbc5476679a8f323fad37052b3f571ac969
Instruction ID: 26510d32f66d864b8ff8a30b1efd452dd8727403e6a0465febcdee2b904ece66
Opcode Fuzzy Hash: 53bb392afa135ee1194b065936956bbc5476679a8f323fad37052b3f571ac969
Instruction Fuzzy Hash: 14510570600340ABD730DF21D845B677BEAAB44715F18897FD4856B2C2C37DAA89CB9D

Function 0040CC10 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 126COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0040CC73

Part of subcall function 0048E5E4: __FF_MSGBANNER.LIBCMT ref: 0048E5FD
Part of subcall function 0048E5E4: __NMSG_WRITE.LIBCMT ref: 0048E604
Part of subcall function 0048E5E4: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 0048E629

Strings

Out of memory., xrefs: 0040CC89
Hotstring max abbreviation length is 40., xrefs: 0040CC45

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AllocateHeap_malloc
String ID: Hotstring max abbreviation length is 40.$Out of memory.
API String ID: 501242067-4290233147
Opcode ID: 357dc2e996c47a83d53b402d872358fea772b426763ac9559269af53f3dede4d
Instruction ID: 255e7b7c14ab69781cc6fefed85971779271d438c30205605aa06693934211ff
Opcode Fuzzy Hash: 357dc2e996c47a83d53b402d872358fea772b426763ac9559269af53f3dede4d
Instruction Fuzzy Hash: BB41EEB4608341DFE754DF29D991B577BA4FB88318F048A3EE84997390E738D801CB9A

Function 0040BA50 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 106COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 0040BA6B

Part of subcall function 0040BB90: _memset.LIBCMT ref: 0040BBA7

Part of subcall function 0040BED0: __wcsicoll.LIBCMT ref: 0040BF38
Part of subcall function 0040BED0: GetKeyboardLayout.USER32(00000000), ref: 0040BF53

Strings

& , xrefs: 0040BA78
~, xrefs: 0040BAC3

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: KeyboardLayout__wcsicoll_memset_wcsncpy
String ID: & $~
API String ID: 3335490538-4238529414
Opcode ID: f8ace3ef135329801e518c4307a19096508fad37e2a3f7e0827c28de58f73333
Instruction ID: 06c28e48cc6029af3573de051e3dfbad91e46e14f1e138268048e8d9da15d24f
Opcode Fuzzy Hash: f8ace3ef135329801e518c4307a19096508fad37e2a3f7e0827c28de58f73333
Instruction Fuzzy Hash: 1B31F871A0030057D734AA568886ABBB3A5DB94354F44483BF959A73C1F378AC4487EE

Function 004704D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNEL32(C:\Users\user\Desktop), ref: 00470555

Strings

C:\Users\user\Desktop, xrefs: 00470550
call, xrefs: 00470575

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CurrentDirectory
String ID: C:\Users\user\Desktop$call
API String ID: 1611563598-4215190852
Opcode ID: 19a9ce81df3e5e36f1172d57f217a743997489dee0dd50016f57be0a09426128
Instruction ID: de012821621fe4bde710f4487a769a2c30d3fe7214ddd5f8bd598abb8222d6ea
Opcode Fuzzy Hash: 19a9ce81df3e5e36f1172d57f217a743997489dee0dd50016f57be0a09426128
Instruction Fuzzy Hash: E34115B6A09342DFC304CF09D580A5ABBE1FB88710F148A6EE54997341D739E945CF9A

Function 0042E090 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 0042E115

Strings

Line#, xrefs: 0042E0E0
--->, xrefs: 0042E108

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _wcsncpy
String ID: Line#$--->
API String ID: 1735881322-1677359465
Opcode ID: 7469e59cf50a45d9494c4e2638ff44e7378f5fd4e9b5a8b21481b78e738ea412
Instruction ID: 4677688ef6f161da125eb7aec59aad22fa3200bad4705e183407ff55810b005d
Opcode Fuzzy Hash: 7469e59cf50a45d9494c4e2638ff44e7378f5fd4e9b5a8b21481b78e738ea412
Instruction Fuzzy Hash: AC21E1717043215FC718DE2AA885B7BB3D0EBC8304F54893EE946D3390D674AC16879A

Function 00412600 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,KbdLayerDescriptor), ref: 00412680
FreeLibrary.KERNEL32(00000000), ref: 0041269C

Strings

KbdLayerDescriptor, xrefs: 0041267A

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: KbdLayerDescriptor
API String ID: 3013587201-1890577838
Opcode ID: 1e691f56808ea49000a175790fc8d076c1df5f29933ba8fdb3024f74f730b529
Instruction ID: 3f0f4e9b5b737b15795ecbf412b88b79452801d27410b49359c67c677dcd76d0
Opcode Fuzzy Hash: 1e691f56808ea49000a175790fc8d076c1df5f29933ba8fdb3024f74f730b529
Instruction Fuzzy Hash: 9011A7F22002185ED7504F15BE84AB77394D741729B11023FE889C22B0EBBD9C71DA9D

Function 00478190 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004781F4

Strings

Invalid value., xrefs: 004781AF
An object., xrefs: 004781AA

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _free
String ID: An object.$Invalid value.
API String ID: 269201875-731773362
Opcode ID: a945951f1c6860c4fa9040b510da745a5f04144bee75ea487b1e715dffa44e2b
Instruction ID: 1b510f46346e6163411d97bafcdbbb9321de97f5970c35468a7394235e2a2220
Opcode Fuzzy Hash: a945951f1c6860c4fa9040b510da745a5f04144bee75ea487b1e715dffa44e2b
Instruction Fuzzy Hash: E2114271514B914BC331DF28D409B93BBE0AF55310F148E5ED0DA8B791C7A8EA89CB95

Function 004764D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,Layout File,00000000,00000000), ref: 004764E8
RegCloseKey.ADVAPI32(00000000,?,Layout File,00000000,00000000), ref: 004764F3

Strings

Layout File, xrefs: 004764D0, 004764DE

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CloseQueryValue
String ID: Layout File
API String ID: 3356406503-1055935358
Opcode ID: 283aa44b2e4a0bd52e1eb999de257a25b4f0733e9a68302e06bd90041f956fd9
Instruction ID: c0c60fe8d70eb59c182edaad598c2538c79dd5ac0e2487fa5307a3b13190d96e
Opcode Fuzzy Hash: 283aa44b2e4a0bd52e1eb999de257a25b4f0733e9a68302e06bd90041f956fd9
Instruction Fuzzy Hash: 0001B9B0214E11AED764DF68E84475BB7E9EF58304F21892EE8CAC3294F77494409719

Function 00403690 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004036A6

Part of subcall function 0048F817: HeapFree.KERNEL32(00000000,00000000,?,00492183,00000000,?,0048E46A), ref: 0048F82D
Part of subcall function 0048F817: GetLastError.KERNEL32(00000000,?,00492183,00000000,?,0048E46A), ref: 0048F83F

_free.LIBCMT ref: 004036CC

Strings

The thread has exited., xrefs: 004036F8

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: The thread has exited.
API String ID: 776569668-1941089863
Opcode ID: db1e1d3217f023595af862baa074a6954cd7a8d3763e8768d2f74ea327f167b6
Instruction ID: 630b08033cd11c8b3c0d9dec04751119e227ec774437920503bcaa727670cdfe
Opcode Fuzzy Hash: db1e1d3217f023595af862baa074a6954cd7a8d3763e8768d2f74ea327f167b6
Instruction Fuzzy Hash: 4311C6B1A01110ABD660AB50EC46F8B7368AF54318F1449BEF8456B382D77BBD848B9D

Function 004707A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 004707CF

Strings

Message, xrefs: 004707A9
"AA, xrefs: 004707A2, 004707BC

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __wcsicoll
String ID: "AA$Message
API String ID: 3832890014-2494973457
Opcode ID: 631808301dbf1510cbac66e20afe869ce7af0c564d202944b38ca4fd1e63d663
Instruction ID: 73dbd0156621288da912c8510a9077957700ba06cab01ddfa00ffe7a6a5f55a4
Opcode Fuzzy Hash: 631808301dbf1510cbac66e20afe869ce7af0c564d202944b38ca4fd1e63d663
Instruction Fuzzy Hash: A6F0F4737062198F8310CE9DDC808ABF3D9EB84361B05862BE808C3301E725FC158BA4

Function 00414DE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 00414DF0
__wcsicoll.LIBCMT ref: 00414E08

Strings

OFF, xrefs: 00414E02

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __wcsicoll
String ID: OFF
API String ID: 3832890014-3172671433
Opcode ID: e413842f067e64bf069b4abda9f961285abca91130773984140e1b92cec57bb5
Instruction ID: d4db07e4ae565e32ae9c3defde31c84cd5b847541eadda2fbf584ef8b608312d
Opcode Fuzzy Hash: e413842f067e64bf069b4abda9f961285abca91130773984140e1b92cec57bb5
Instruction Fuzzy Hash: 7CE0EC61A4161062DE21661A8D167DB20847BA1F0AF8944AAF85896781F39C9D9092DA

Function 004044B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22clipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32(00000000), ref: 004044BF
CloseClipboard.USER32 ref: 004044CC

Strings

GlobalLock, xrefs: 004044EE

Memory Dump Source

Source File: 00000000.00000002.2952166293.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2951965681.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953838215.000000000064D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ClipboardCloseGlobalUnlock
String ID: GlobalLock
API String ID: 3794156920-2848605275
Opcode ID: a9a8ec1e4b6b74c1a633a58a2fddec634c12b27f1feb90bdd7d15b11991af8cf
Instruction ID: f7920a2c3c1b1ac8c90089b1e249c8f4d0f16e24704bdbd2cb720652a9714cbb
Opcode Fuzzy Hash: a9a8ec1e4b6b74c1a633a58a2fddec634c12b27f1feb90bdd7d15b11991af8cf
Instruction Fuzzy Hash: BFE012741007019BE7709F56C44C756B6F4FF91305F64892EE58A527E0D7BC58C4CB59

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\PID8.vbs

C:\Users\user\AppData\Local\Temp\kms.log

C:\Users\user\Desktop\LIC_SWITCH.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
file.exe

Function 00469130 Relevance: 44.0, APIs: 24, Strings: 1, Instructions: 276
windowCOMMON

Function 00478C60 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 170
threadwindowCOMMON

Function 00476DC0 Relevance: 21.2, APIs: 14, Instructions: 172
windowlibraryCOMMON

Function 00475E20 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 132
fileCOMMON

Function 00416110 Relevance: 58.0, APIs: 24, Strings: 9, Instructions: 243
windowregistryCOMMON

Function 00403A9F Relevance: 47.6, APIs: 17, Strings: 10, Instructions: 384
COMMON

Function 00402382 Relevance: 39.2, APIs: 20, Strings: 2, Instructions: 696
windowCOMMON

Function 00403AD9 Relevance: 30.1, APIs: 11, Strings: 6, Instructions: 315
COMMON

Function 00401CC9 Relevance: 28.5, APIs: 14, Strings: 2, Instructions: 518
threadwindowCOMMON

Function 00403D0E Relevance: 28.2, APIs: 11, Strings: 5, Instructions: 223
COMMON

Function 00422130 Relevance: 23.2, APIs: 8, Strings: 5, Instructions: 410
COMMON

Function 00401D17 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 190
threadwindowCOMMON

Function 004166F0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 150
timeCOMMON

Function 00402C12 Relevance: 12.2, APIs: 8, Instructions: 195
clipboardCOMMON

Function 00401819 Relevance: 12.2, APIs: 8, Instructions: 177
windowsleepCOMMON