Edit tour

Windows Analysis Report
nteste.exe

Overview

General Information

Sample name:	nteste.exe
Analysis ID:	1546271
MD5:	5367157a35583431b54b30426831640a
SHA1:	8cb18452a832b235e376274f3f67125ed73da76c
SHA256:	a1ea9eb86e26f04236bf7f47a63912af16f70463c47f8fd785f6e0f97d41c769
Tags:	exeuser-Porcupine
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Machine Learning detection for dropped file

Machine Learning detection for sample

Contains functionality to dynamically determine API calls

Detected potential crypto function

Found potential string decryption / allocating functions

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

nteste.exe (PID: 3556 cmdline: "C:\Users\user\Desktop\nteste.exe" MD5: 5367157A35583431B54B30426831640A)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Machine Learning detection for dropped file

Source: C:\Users\user\Desktop\CamScanner 23-10-2024 19.12.pdf

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: nteste.exe

Joe Sandbox ML: detected

Source: nteste.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\nteste.exe

Code function: 0_2_00403E52 FindFirstFileW,

0_2_00403E52

Source: C:\Users\user\Desktop\nteste.exe

Code function: 0_2_004045A6 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,

0_2_004045A6

Source: C:\Users\user\Desktop\nteste.exe	Code function: 0_2_004162A0	0_2_004162A0
Source: C:\Users\user\Desktop\nteste.exe	Code function: 0_2_0040C507	0_2_0040C507
Source: C:\Users\user\Desktop\nteste.exe	Code function: 0_2_0041F230	0_2_0041F230
Source: C:\Users\user\Desktop\nteste.exe	Code function: 0_2_00422366	0_2_00422366
Source: C:\Users\user\Desktop\nteste.exe	Code function: 0_2_0040537A	0_2_0040537A
Source: C:\Users\user\Desktop\nteste.exe	Code function: 0_2_004263B0	0_2_004263B0
Source: C:\Users\user\Desktop\nteste.exe	Code function: 0_2_00426570	0_2_00426570
Source: C:\Users\user\Desktop\nteste.exe	Code function: 0_2_0041A862	0_2_0041A862
Source: C:\Users\user\Desktop\nteste.exe	Code function: 0_2_00426A60	0_2_00426A60
Source: C:\Users\user\Desktop\nteste.exe	Code function: 0_2_00422AA0	0_2_00422AA0
Source: C:\Users\user\Desktop\nteste.exe	Code function: 0_2_00427B13	0_2_00427B13
Source: C:\Users\user\Desktop\nteste.exe	Code function: 0_2_0041FC50	0_2_0041FC50
Source: C:\Users\user\Desktop\nteste.exe	Code function: 0_2_00423CF0	0_2_00423CF0
Source: C:\Users\user\Desktop\nteste.exe	Code function: 0_2_00425C80	0_2_00425C80
Source: C:\Users\user\Desktop\nteste.exe	Code function: 0_2_00427CA1	0_2_00427CA1
Source: C:\Users\user\Desktop\nteste.exe	Code function: 0_2_00401D5A	0_2_00401D5A
Source: C:\Users\user\Desktop\nteste.exe	Code function: 0_2_00427D7B	0_2_00427D7B
Source: C:\Users\user\Desktop\nteste.exe	Code function: 0_2_00425E90	0_2_00425E90

Source: C:\Users\user\Desktop\nteste.exe	Code function: String function: 004020F6 appears 69 times
Source: C:\Users\user\Desktop\nteste.exe	Code function: String function: 00427400 appears 234 times

Source: nteste.exe, 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename7z.sfx.exe, vs nteste.exe
Source: nteste.exe	Binary or memory string: OriginalFilename7z.sfx.exe, vs nteste.exe

Source: nteste.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal48.winEXE@1/3@0/0

Source: CamScanner 23-10-2024 19.13.pdf.0.dr

Initial sample: https:\057\057v3.camscanner.com\057user\057download

Source: C:\Users\user\Desktop\nteste.exe

Code function: 0_2_004134A3 __EH_prolog,_CxxThrowException,_CxxThrowException,CoCreateInstance,

0_2_004134A3

Source: C:\Users\user\Desktop\nteste.exe

File created: C:\Users\user\Desktop\CamScanner 23-10-2024 19.12.pdf

Jump to behavior

Source: nteste.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\nteste.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\nteste.exe

File read: C:\Users\user\Desktop\nteste.exe

Jump to behavior

Source: C:\Users\user\Desktop\nteste.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nteste.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\nteste.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\nteste.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\nteste.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\nteste.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\nteste.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\nteste.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\nteste.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\nteste.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\nteste.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\nteste.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\nteste.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32

Jump to behavior

Source: nteste.exe

Static file information: File size 2743085 > 1048576

Source: C:\Users\user\Desktop\nteste.exe

Code function: 0_2_0040195E LoadLibraryW,GetProcAddress,memset,FreeLibrary,

0_2_0040195E

Source: nteste.exe

Static PE information: section name: .sxdata

Source: C:\Users\user\Desktop\nteste.exe	Code function: 0_2_00427400 push eax; ret	0_2_0042741E
Source: C:\Users\user\Desktop\nteste.exe	Code function: 0_2_00427790 push eax; ret	0_2_004277BE
Source: C:\Users\user\Desktop\nteste.exe	Code function: 0_2_0041FED0 push ecx; mov dword ptr [esp], ecx	0_2_0041FED1

Source: C:\Users\user\Desktop\nteste.exe

Code function: 0_2_00403E52 FindFirstFileW,

0_2_00403E52

Source: C:\Users\user\Desktop\nteste.exe

Code function: 0_2_004045A6 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,

0_2_004045A6

Source: C:\Users\user\Desktop\nteste.exe

Code function: 0_2_0040592F GetSystemInfo,

0_2_0040592F

Source: C:\Users\user\Desktop\nteste.exe

Code function: 0_2_0040195E LoadLibraryW,GetProcAddress,memset,FreeLibrary,

0_2_0040195E

Source: C:\Users\user\Desktop\nteste.exe

Code function: 0_2_004200F0 GetVersionExW,

0_2_004200F0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Spearphishing Link	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Deobfuscate/Decode Files or Information	LSASS Memory	3 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
nteste.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\Desktop\CamScanner 23-10-2024 19.12.pdf	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546271
Start date and time:	2024-10-31 17:31:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	nteste.exe
Detection:	MAL
Classification:	mal48.winEXE@1/3@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 72 Number of non-executed functions: 51
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 88.221.110.91, 2.16.100.168
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, download.windowsupdate.com.edgesuite.net
VT rate limit hit for: nteste.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	https://t.ly/4Nq2x	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	13.107.246.45
	INVOICE ATTACHMENT.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	13.107.246.45
	Indocount Invoice Amendment.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	FUNDS TRANSFER - 000009442004 - OUTWARD PAYMENT ADVICE pdf.pif.exe	Get hash	malicious	FormBook, GuLoader	Browse	13.107.246.45
	SecuriteInfo.com.BackDoor.AgentTeslaNET.37.15827.22386.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	https://hidrive.ionos.com/lnk/FamigcCEF	Get hash	malicious	Unknown	Browse	13.107.246.45
	http://djaahaf.r.af.d.sendibt2.com	Get hash	malicious	Unknown	Browse	13.107.246.45
	BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	fattura di pagamento.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	http://www.kristinsacademy.com/?wptouch_switch=desktop&redirect=http://lagunaua.com	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45

Process:	C:\Users\user\Desktop\nteste.exe
File Type:	PDF document, version 1.7, 1 pages
Category:	dropped
Size (bytes):	454424
Entropy (8bit):	7.957541049518111
Encrypted:	false
SSDEEP:	12288:koogWqQRedoQLhoUuAUTEC+KrG5yamr1jVP78PHUWGtk:koogW5edH+MoE3KrGMamr1GPHpG+
MD5:	70A353DFB55F319A7B0D37F688EE77AC
SHA1:	94B30B4B2488325CAB033D40C84D0F825F641AB8
SHA-256:	846B5CD3D0820027D65F7D54758EB11CD24373D5BBBDA8A56BD56E24BCA2A16D
SHA-512:	CE1326018110D715334C567DD5C95A5CA7C3568139F4B91BA97304236CDD24E2C6CFA8A8A950CEACF3348F9D7ED65FFE4894742EB0C454F96894E158E63CEC41
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	%PDF-1.7.%.....1 0 obj.<<./Type /Catalog./Pages 2 0 R.>>.endobj.2 0 obj.<<./Type /Pages./Kids [ 4 0 R ]./Count 1.>>.endobj.3 0 obj.<<./Producer <FEFF0069006E0074007300690067002E0063006F006D0020007000640066002000700072006F00640075006300650072>./Title <FEFF00430061006D005300630061006E006E00650072002000320033002D00310030002D0032003000320034002000310039002E00310032>./Author <FEFF00430061006D005300630061006E006E00650072>./Subject <FEFF00430061006D005300630061006E006E00650072002000320033002D00310030002D0032003000320034002000310039002E00310032>./ModDate <FEFF>./Keywords <FEFF>.>>.endobj.4 0 obj.<<./Type /Page./MediaBox [ 0 0 595 842 ]./Contents 5 0 R./Resources <<./ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ]./XObject <<./X1 7 0 R./X2 10 0 R.>>.>>./Parent 2 0 R./Annots [ 9 0 R ].>>.endobj.5 0 obj.<<./Length 6 0 R.>>.stream..0 0 0 RG.0 Tr.q.1 0 0 1 434 10 cm.145 0 0 15 0 0 cm./X1 Do.Q.q.1 0 0 1 48.80182 25 cm.497.39636 0 0 817 0 0 cm./X2 Do.Q..endstream.endobj.6 0 obj.120.endobj.7 0 obj.<<./

C:\Users\user\Desktop\CamScanner 23-10-2024 19.13.pdf

Download File

Process:	C:\Users\user\Desktop\nteste.exe
File Type:	PDF document, version 1.7, 5 pages
Category:	dropped
Size (bytes):	1886540
Entropy (8bit):	7.935131728433788
Encrypted:	false
SSDEEP:	49152:NwFWEOPozZ07PG/Do6DhwiUOZQSsh2cZr21TaJe7:uoZsyu/DoUhSOeSsRYV7
MD5:	F1BF4C319D0FBD65BBBB994EFE51E2AD
SHA1:	668C4B0CCBDF0471287C096BB311AE34CC4B1F23
SHA-256:	446D5AAECF4B33DA4C3861021C2BDC6823D57392B40849629654E90136B65B11
SHA-512:	72955FA7E4DBA3BD8A1FBE313BFFB3BF8CEE00E4FB783669C425846B7B3F189F1C2D9770EA3261200A25F09E68385576F9EDFF9533035FFE9317097FD27D8298
Malicious:	false
Reputation:	low
Preview:	%PDF-1.7.%.....1 0 obj.<<./Type /Catalog./Pages 2 0 R.>>.endobj.2 0 obj.<<./Type /Pages./Kids [ 4 0 R 12 0 R 20 0 R 28 0 R 36 0 R ]./Count 5.>>.endobj.3 0 obj.<<./Producer <FEFF0069006E0074007300690067002E0063006F006D0020007000640066002000700072006F00640075006300650072>./Title <FEFF00430061006D005300630061006E006E00650072002000320033002D00310030002D0032003000320034002000310039002E00310033>./Author <FEFF00430061006D005300630061006E006E00650072>./Subject <FEFF00430061006D005300630061006E006E00650072002000320033002D00310030002D0032003000320034002000310039002E00310033>./ModDate <FEFF>./Keywords <FEFF>.>>.endobj.4 0 obj.<<./Type /Page./MediaBox [ 0 0 842 595 ]./Contents 5 0 R./Resources <<./ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ]./XObject <<./X1 7 0 R./X2 10 0 R.>>.>>./Parent 2 0 R./Annots [ 9 0 R ].>>.endobj.5 0 obj.<<./Length 6 0 R.>>.stream..0 0 0 RG.0 Tr.q.1 0 0 1 681 10 cm.145 0 0 15 0 0 cm./X1 Do.Q.q.1 0 0 1 0 168.73607 cm.842 0 0 282.52786 0 0 cm./X2 Do.Q..endstream.endobj.6 0

C:\Users\user\Desktop\doc08192220241029173958.pdf

Download File

Process:	C:\Users\user\Desktop\nteste.exe
File Type:	PDF document, version 1.4, 1 pages
Category:	dropped
Size (bytes):	542579
Entropy (8bit):	7.660578132045769
Encrypted:	false
SSDEEP:	12288:kHVDVys22/lSisq1icXm2knbw1xkEHl8dzppupjR:k5Vys2YW2kbwLDF8dzA
MD5:	EAE04A20AD4F3281FD6696DC4091A0B0
SHA1:	937F595CCC01F0DFE74FD817F040FA97286B09D5
SHA-256:	7D9284A1FD37AC9C132D24938319FED8C5958BD6782F3F630BB1E4A1AE8BFEC8
SHA-512:	BAF05BBA69927CA8300186BC224766E39763720512CE21FEBECAF618B114531A737A0FDC03E7D7F1FAA49B8C04A71B2699DA9971EDEC85D530F6F588461E804E
Malicious:	false
Reputation:	low
Preview:	%PDF-1.4.%......5 0 obj.<<./Type /XObject./Subtype /Image./Name /Im0./Width 2480./Height 3507./BitsPerComponent 8./ColorSpace /DeviceRGB./Filter /DCTDecode./Length 4 0 R.>>.stream.......JFIF.....,.,......................................C...............(B+($$(Q:=0B`Ued_U][jx..jq.s[].........g............................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz............................................................................C....(#(N++N.n]n.......................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz........................................................................................."...................?....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.971241163291758
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	nteste.exe
File size:	2'743'085 bytes
MD5:	5367157a35583431b54b30426831640a
SHA1:	8cb18452a832b235e376274f3f67125ed73da76c
SHA256:	a1ea9eb86e26f04236bf7f47a63912af16f70463c47f8fd785f6e0f97d41c769
SHA512:	2c7f568bde2db7e4c3bed28b82fe8d0f49ce7a1cf8786e9ed60d61d55e2dfe52fac6c1cede3b3aeb4fb80839ae491656ee5de53d16b16428c00e0a9127dccd8d
SSDEEP:	49152:HCtt1JXrncsqZRoNSWLlwsW4K70HQzrr5PxC1gIlC9lfhhiUzgTe:HUJjiZRM7+sG7gQPdPbIk9l5h8Te
TLSH:	8DC5233177E1C87EC42611318AE8EBF7707AEB8D0F1185932394D72A6E31665D23672B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........B.i...i...i...v...i..>u...i...v...i...v...i..3a...i...i...i..>a...i...O...i...O...i....i..i....]..i..zo...i..Rich.i.........

File Icon


Icon Hash:	b8868baba9aba2d8

Static PE Info

General

Entrypoint:	0x4277c6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT
Time Stamp:	0x5C6ECB00 [Thu Feb 21 16:00:00 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	da401ef5e9d5c4599673c26d95fa6029

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 0042CCA0h
push 004277C0h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [0042B13Ch]
pop ecx
or dword ptr [00436534h], FFFFFFFFh
or dword ptr [00436538h], FFFFFFFFh
call dword ptr [0042B138h]
mov ecx, dword ptr [00434514h]
mov dword ptr [eax], ecx
call dword ptr [0042B134h]
mov ecx, dword ptr [00434510h]
mov dword ptr [eax], ecx
mov eax, dword ptr [0042B130h]
mov eax, dword ptr [eax]
mov dword ptr [00436530h], eax
call 00007FB1E48E5FA4h
cmp dword ptr [00432170h], ebx
jne 00007FB1E48E5E8Eh
push 00412BA9h
call dword ptr [0042B12Ch]
pop ecx
call 00007FB1E48E5F79h
push 0043204Ch
push 00432048h
call 00007FB1E48E5F64h
mov eax, dword ptr [0043450Ch]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [00434508h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [0042B124h]
push 00432044h
push 00432000h
call 00007FB1E48E5F31h

Rich Headers

Programming Language:

[C++] VS98 (6.0) SP6 build 8804
[ C ] VS98 (6.0) SP6 build 8804
[ C ] VS2010 SP1 build 40219
[ASM] VS2010 SP1 build 40219
[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x30974	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x38000	0x2090	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2b000	0x234	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x293f5	0x29400	2a572bd8572511c16cf22aae6fdfb407	False	0.5841619318181818	COM executable for DOS	6.676714054170099	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2b000	0x6500	0x6600	38373dcd80ae6d5d8044f9e98b4cec4a	False	0.33903952205882354	data	4.4296711026291495	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x32000	0x453c	0x200	21ab621bd3546bfa2ab5932413c3cc39	False	0.39453125	data	3.3900459809566854	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.sxdata	0x37000	0x4	0x200	35925cfdc1176bd9ffc634a58b40ec17	False	0.02734375	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_INFO, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x38000	0x2090	0x2200	1dc164c6087a90028d0a924f2042e607	False	0.2819393382352941	data	3.1607948061827598	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x387c0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.16532258064516128
RT_ICON	0x38aa8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.32094594594594594
RT_DIALOG	0x39148	0x440	data	English	United States	0.39981617647058826
RT_DIALOG	0x38bf8	0x12e	data	English	United States	0.6225165562913907
RT_DIALOG	0x38d28	0x2f4	data	English	United States	0.48148148148148145
RT_DIALOG	0x39020	0x126	data	English	United States	0.5850340136054422
RT_STRING	0x39608	0x3e	Matlab v4 mat-file (little endian) C, numeric, rows 0, columns 0	English	United States	0.6774193548387096
RT_STRING	0x395c0	0x42	data	English	United States	0.7121212121212122
RT_STRING	0x39648	0x60	data	English	United States	0.5625
RT_STRING	0x3a060	0x30	data	English	United States	0.5833333333333334
RT_STRING	0x396a8	0x20c	Matlab v4 mat-file (little endian) h, numeric, rows 0, columns 0	English	United States	0.42748091603053434
RT_STRING	0x398b8	0xe4	Matlab v4 mat-file (little endian) C, numeric, rows 0, columns 0	English	United States	0.44298245614035087
RT_STRING	0x399a0	0x34	data	English	United States	0.6538461538461539
RT_STRING	0x399d8	0x30	data	English	United States	0.6041666666666666
RT_STRING	0x39a08	0x6e	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0	English	United States	0.6818181818181818
RT_STRING	0x39a78	0x11a	data	English	United States	0.5035460992907801
RT_STRING	0x39b98	0x6a	data	English	United States	0.5471698113207547
RT_STRING	0x39588	0x32	data	English	United States	0.58
RT_STRING	0x39c08	0x1ea	data	English	United States	0.363265306122449
RT_STRING	0x39df8	0x156	Matlab v4 mat-file (little endian) U, numeric, rows 0, columns 0	English	United States	0.5175438596491229
RT_STRING	0x39f50	0x56	data	English	United States	0.6162790697674418
RT_STRING	0x39fa8	0xb6	data	English	United States	0.5164835164835165
RT_GROUP_ICON	0x38bd0	0x22	data	English	United States	1.0
RT_VERSION	0x38510	0x2b0	data	English	United States	0.4956395348837209

Imports

DLL	Import
OLEAUT32.dll	SysFreeString, SysAllocStringLen, SysAllocString, VariantClear, SysStringLen
ole32.dll	CoCreateInstance, CoInitialize, CoUninitialize, OleInitialize
USER32.dll	CheckDlgButton, IsDlgButtonChecked, EndDialog, SetDlgItemTextW, GetFocus, SetFocus, GetKeyState, InvalidateRect, SetWindowTextW, EnableWindow, PostMessageW, MessageBoxW, SetTimer, DialogBoxParamW, SetWindowLongW, GetWindowLongW, ShowWindow, MoveWindow, ScreenToClient, GetDlgItem, GetWindowRect, MapDialogRect, SystemParametersInfoW, GetWindowTextLengthW, GetWindowTextW, SendMessageW, LoadStringW, CharUpperW, LoadIconW, GetParent, SetCursor, LoadCursorW, KillTimer
SHELL32.dll	SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHGetMalloc
MSVCRT.dll	wcsstr, wcscmp, _beginthreadex, _except_handler3, ??1type_info@@UAE@XZ, ?terminate@@YAXXZ, __dllonexit, _onexit, _exit, _XcptFilter, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _controlfp, _CxxThrowException, malloc, memcpy, memmove, memset, _purecall, memcmp, __CxxFrameHandler, free
KERNEL32.dll	GetStartupInfoA, InitializeCriticalSection, ResetEvent, SetEvent, CreateEventW, WaitForSingleObject, lstrlenW, lstrcatW, VirtualFree, VirtualAlloc, SetPriorityClass, DeleteCriticalSection, Sleep, EnterCriticalSection, LeaveCriticalSection, WaitForMultipleObjects, GetFileInformationByHandle, GetStdHandle, GlobalMemoryStatus, GetSystemInfo, GetCurrentProcess, GetProcessAffinityMask, FileTimeToLocalFileTime, FileTimeToSystemTime, CompareFileTime, SetEndOfFile, WriteFile, ReadFile, SetFilePointer, GetFileSize, GetLogicalDriveStringsW, GetFileAttributesW, GetModuleHandleA, FindNextFileW, FindFirstFileW, FindClose, GetTickCount, GetCurrentDirectoryW, SetLastError, DeleteFileW, CreateDirectoryW, GetModuleHandleW, MoveFileW, RemoveDirectoryW, SetFileAttributesW, CreateFileW, SetFileTime, CloseHandle, GetSystemDirectoryW, FormatMessageW, LocalFree, GetModuleFileNameW, MultiByteToWideChar, GetLastError, GetVersionExW, LoadLibraryW, GetProcAddress, FreeLibrary, GetCommandLineW, LoadLibraryExW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 31, 2024 17:32:17.715715885 CET	1.1.1.1	192.168.2.5	0x542e	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 17:32:17.715715885 CET	1.1.1.1	192.168.2.5	0x542e	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	12:31:58
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\nteste.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\nteste.exe"
Imagebase:	0x400000
File size:	2'743'085 bytes
MD5 hash:	5367157A35583431B54B30426831640A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	14.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	31

Executed Functions

Function 0040195E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(comctl32.dll,00000000,?,?,?,0040105E,?,00000000), ref: 00401968
GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 0040197C
memset.MSVCRT ref: 0040198F
FreeLibrary.KERNELBASE(00000000,?,?,?,?,0040105E,?,00000000), ref: 004019B8

Strings

comctl32.dll, xrefs: 00401965
DllGetVersion, xrefs: 00401976

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: Library$AddressFreeLoadProcmemset
String ID: DllGetVersion$comctl32.dll
API String ID: 2465613599-3857068685
Opcode ID: fd83fbd22df73e10962855b5466e86aaa248dea5b8ea4acd0913300f47c76d1f
Instruction ID: 1a686f6cead35edd8612a654887fc31c35c298b4e4ae9392d507691200d7e33f
Opcode Fuzzy Hash: fd83fbd22df73e10962855b5466e86aaa248dea5b8ea4acd0913300f47c76d1f
Instruction Fuzzy Hash: E2F062B1A0021DABDB106FB99DC9DAF7BBCEB04744F900536EA01E2190E774C945C6B8

Function 004162A0 Relevance: 9.7, APIs: 4, Strings: 1, Instructions: 922COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004162A5

Part of subcall function 004197CD: _CxxThrowException.MSVCRT(?,0042D080), ref: 00419816

Strings

, xrefs: 004162F1

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: ExceptionH_prologThrow
String ID:
API String ID: 461045715-3916222277
Opcode ID: d3f941f06014f468c7be19ecc61cc2ce4602c318d95294c99e7b3a886af2c8b0
Instruction ID: d4c56de07559275c506104d135318a02aaade4dbbede869f4df0758d21b74ecc
Opcode Fuzzy Hash: d3f941f06014f468c7be19ecc61cc2ce4602c318d95294c99e7b3a886af2c8b0
Instruction Fuzzy Hash: 24828E31900259DFDB14DFA8C884AEEBBB5BF05304F15809EE815AB392DB79ED81CB54

Function 0040C507 Relevance: 6.6, APIs: 4, Instructions: 648
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0040C50C
_CxxThrowException.MSVCRT(?,0042D1D0), ref: 0040C68A
_CxxThrowException.MSVCRT(?,0042D1D0), ref: 0040CCE6
_CxxThrowException.MSVCRT(0042BD78,0042D1D0), ref: 0040C69F

Part of subcall function 004020F6: free.MSVCRT ref: 004020FA

Part of subcall function 0040CF13: __EH_prolog.LIBCMT ref: 0040CF18

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: ExceptionThrow$H_prolog$free
String ID:
API String ID: 1223536468-0
Opcode ID: 6401713db915f8d1beca05a7285fad2d6e1d1ee05f989dc5c2414d0c7a8c35e2
Instruction ID: 1564e9ce279f6b2538ea1401fb6712d4b8d0e76fcc500ddc0f133ab972702d80
Opcode Fuzzy Hash: 6401713db915f8d1beca05a7285fad2d6e1d1ee05f989dc5c2414d0c7a8c35e2
Instruction Fuzzy Hash: 2F523970900218DFCB25DF68C985ADDBBF1BF58304F1441AAE949B7292CB74AE84CF59

Function 004134A3 Relevance: 6.1, APIs: 4, Instructions: 118
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 004134A8

Part of subcall function 004131CB: __EH_prolog.LIBCMT ref: 004131D0

Part of subcall function 004262C0: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,0041360F,?,?,00000000,?,?,00416003,?,00000000,?,00415FAE), ref: 004262D1

_CxxThrowException.MSVCRT(?,0042D080), ref: 00413623
_CxxThrowException.MSVCRT(?,0042D080), ref: 00413649
CoCreateInstance.OLE32(0042CC54,00000000,00000001,0042B268,?,?,?,00000000,?,?,00416003,?,00000000,?,00415FAE), ref: 0041365C

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: CreateExceptionH_prologThrow$EventInstance
String ID:
API String ID: 2828082681-0
Opcode ID: e1f804f55efacb170058b9f77ec301868956dc49b421a127250cdaffb2d5f11f
Instruction ID: e78bd52aa9b0b7512fbbbe428075605cc85d0c9fc8f7a0b82057842a1bd0957d
Opcode Fuzzy Hash: e1f804f55efacb170058b9f77ec301868956dc49b421a127250cdaffb2d5f11f
Instruction Fuzzy Hash: 7851A130505784DEC321DF79C594BDAFBE0BF29314F94885ED4DA63282DBB86648CB29

Function 00403E52 Relevance: 1.5, APIs: 1, Instructions: 24fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00403E32: FindClose.KERNEL32(?,?,00403E63), ref: 00403E3D

FindFirstFileW.KERNELBASE(?,?), ref: 00403E71

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: ee63bfe366631b6283930c23277e265c57fd103b123b342b22fbda5376c8f6c2
Instruction ID: 0ea4c11ad74a6852d9b502feb0288d2902ec6dd8686e0a7d0f206977ca46a185
Opcode Fuzzy Hash: ee63bfe366631b6283930c23277e265c57fd103b123b342b22fbda5376c8f6c2
Instruction Fuzzy Hash: 63E0923000010867CF20AF24CC498AA3B6CAF5131AF004B7AA995A72C0D638AF4ACBD8

Function 0041417F Relevance: 37.4, APIs: 18, Strings: 3, Instructions: 608
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00414184
EnterCriticalSection.KERNEL32(?,00000000), ref: 0041419E
LeaveCriticalSection.KERNEL32(?,?,?,?), ref: 00414270
GetTickCount.KERNEL32 ref: 00414276
__aulldiv.LIBCMT ref: 0041434B
SetDlgItemTextW.USER32(000000FF,00000078,?), ref: 0041438F
SetDlgItemTextW.USER32(000000FF,0000007E,?), ref: 004143D5
__aulldiv.LIBCMT ref: 00414479
SetDlgItemTextW.USER32(000000FF,00000079,?), ref: 004144AF
__aulldiv.LIBCMT ref: 004144E7
SetDlgItemTextW.USER32(000000FF,0000007B,00000073), ref: 004145C9

Part of subcall function 0041384A: GetDlgItem.USER32(000000FF,00000F42), ref: 0041385E
Part of subcall function 0041384A: ShowWindow.USER32(00000000,00000000,?,?,000003E8,004143F6,00000001,?,?,00000000,000003E8), ref: 00413875
Part of subcall function 0041384A: GetDlgItem.USER32(000000FF,0000007E), ref: 0041387C
Part of subcall function 0041384A: ShowWindow.USER32(00000000,00000000,?,?,000003E8,004143F6,00000001,?,?,00000000,000003E8), ref: 00413880
Part of subcall function 0041384A: GetDlgItem.USER32(000000FF,00000065), ref: 00413887
Part of subcall function 0041384A: ShowWindow.USER32(00000000,00000000,?,?,000003E8,004143F6,00000001,?,?,00000000,000003E8), ref: 0041388B

__aulldiv.LIBCMT ref: 004145FE
wcscmp.MSVCRT ref: 004146BE
SetDlgItemTextW.USER32(000000FF,0000006F,?), ref: 004146E4
__aulldiv.LIBCMT ref: 004147C1
SetDlgItemTextW.USER32(000000FF,0000007D,?), ref: 0041483D
SetDlgItemTextW.USER32(00000001,00000067,?), ref: 00414884
SetDlgItemTextW.USER32(00000003,00000066,?), ref: 0041493A

Part of subcall function 004020F6: free.MSVCRT ref: 004020FA

Strings

s, xrefs: 004145AB
K, xrefs: 00414513
/ , xrefs: 00414654

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: Item$Text$__aulldiv$ShowWindow$CriticalSection$CountEnterH_prologLeaveTickfreewcscmp
String ID: / $K$s
API String ID: 4873191-244442477
Opcode ID: d6acf40f35c2d5a755702209c69fff3aac4f6ff7832523f0ae864a732ec0e9c0
Instruction ID: 4d0d9544b472a643e945a1fcf1f6986b8192c7052894643872ec3c246660b371
Opcode Fuzzy Hash: d6acf40f35c2d5a755702209c69fff3aac4f6ff7832523f0ae864a732ec0e9c0
Instruction Fuzzy Hash: 6142E230A003099FCB25DFA4C985BEFBBB5FF85314F14442EE16AA7291D7786985CB18

Function 00413894 Relevance: 31.7, APIs: 21, Instructions: 202
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetParent.USER32(?), ref: 004138AE

Part of subcall function 00405E9B: SendMessageW.USER32(?,00001061,?,?), ref: 00405EC6

GetTickCount.KERNEL32 ref: 00413928
GetDlgItem.USER32 ref: 00413990
GetDlgItem.USER32(?,00000065), ref: 0041399D
SendMessageW.USER32(00000000,00002005,00000001,00000000), ref: 004139B7
GetDlgItem.USER32(?,000001BC), ref: 004139D3
GetDlgItem.USER32(?,000001BE), ref: 00413A04
SetWindowTextW.USER32(?,?), ref: 00413A47
SendMessageW.USER32(?,0000101E,00000000,0000FFFF), ref: 00413A8D
SendMessageW.USER32(?,0000101E,00000001,0000FFFF), ref: 00413A9E

Part of subcall function 0041384A: GetDlgItem.USER32(000000FF,00000F42), ref: 0041385E
Part of subcall function 0041384A: ShowWindow.USER32(00000000,00000000,?,?,000003E8,004143F6,00000001,?,?,00000000,000003E8), ref: 00413875
Part of subcall function 0041384A: GetDlgItem.USER32(000000FF,0000007E), ref: 0041387C
Part of subcall function 0041384A: ShowWindow.USER32(00000000,00000000,?,?,000003E8,004143F6,00000001,?,?,00000000,000003E8), ref: 00413880
Part of subcall function 0041384A: GetDlgItem.USER32(000000FF,00000065), ref: 00413887
Part of subcall function 0041384A: ShowWindow.USER32(00000000,00000000,?,?,000003E8,004143F6,00000001,?,?,00000000,000003E8), ref: 0041388B

Part of subcall function 00405BCB: GetDlgItem.USER32(?,?), ref: 00405BD7
Part of subcall function 00405BCB: GetWindowRect.USER32(00000000,?), ref: 00405BE2

Part of subcall function 00405CC4: GetWindowRect.USER32(?,?), ref: 00405CEA
Part of subcall function 00405CC4: ShowWindow.USER32(?,00000003), ref: 00405D5B

GetDlgItem.USER32(?,000003F0), ref: 00413ADE
ShowWindow.USER32(00000000,00000000), ref: 00413AE9
GetDlgItem.USER32(?,0000006E), ref: 00413AF0
ShowWindow.USER32(00000000,00000000), ref: 00413AF5
GetDlgItem.USER32(?,00000F41), ref: 00413AFF
ShowWindow.USER32(00000000,00000000), ref: 00413B04
GetDlgItem.USER32(?,0000007D), ref: 00413B0B
ShowWindow.USER32(00000000,00000000), ref: 00413B10
LoadIconW.USER32(?), ref: 00413B2D
SendMessageW.USER32(?,00000080,00000001,00000000), ref: 00413B3E
SetTimer.USER32(?,00000003,000000C8,00000000), ref: 00413B4C

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: Item$Window$Show$MessageSend$Rect$CountIconLoadParentTextTickTimer
String ID:
API String ID: 671334427-0
Opcode ID: f4c4fab4a4901d3d4b709469ee9434c75282bdc979d0b6fcb9063382afa5b27f
Instruction ID: 120c89e6fc8fa70aada40a3fb636a2cf61a5284c802e999402c76418925045d8
Opcode Fuzzy Hash: f4c4fab4a4901d3d4b709469ee9434c75282bdc979d0b6fcb9063382afa5b27f
Instruction Fuzzy Hash: 5E815D70640B04ABE720AF25CD46FDBFBE9FF54704F00492EE2AA962E1CBB564448B54

Function 00414C08 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 126
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00414C0D

Part of subcall function 0041417F: __EH_prolog.LIBCMT ref: 00414184
Part of subcall function 0041417F: EnterCriticalSection.KERNEL32(?,00000000), ref: 0041419E
Part of subcall function 0041417F: LeaveCriticalSection.KERNEL32(?,?,?,?), ref: 00414270
Part of subcall function 0041417F: GetTickCount.KERNEL32 ref: 00414276

SetDlgItemTextW.USER32(?,00000002,?), ref: 00414C41

Part of subcall function 004020F6: free.MSVCRT ref: 004020FA

GetDlgItem.USER32(?,00000002), ref: 00414C5A
SendMessageW.USER32(00000000,000000F4,00000001,00000001), ref: 00414C66
GetDlgItem.USER32(?,000001BC), ref: 00414C73
ShowWindow.USER32(00000000,00000000), ref: 00414C78
GetDlgItem.USER32(?,000001BE), ref: 00414C85
ShowWindow.USER32(00000000,00000000), ref: 00414C8B

Part of subcall function 00414D9E: __EH_prolog.LIBCMT ref: 00414DA3

EnterCriticalSection.KERNEL32(?), ref: 00414CBC
LeaveCriticalSection.KERNEL32(?,?,?,?), ref: 00414CF2
MessageBoxW.USER32(?,?,?,00000000), ref: 00414D57
KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 00414D7F

Strings

7-Zip, xrefs: 00414D0B, 00414D39

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: CriticalItemSection$H_prolog$EnterLeaveMessageShowWindow$CallbackCountDispatcherSendTextTickUserfree
String ID: 7-Zip
API String ID: 4254867592-40562396
Opcode ID: 7c2931e8ef52673d4f24b2872611336fcb22a27e94cb8ed322faabd4cb4ceac7
Instruction ID: 27f5438033cab32098d42ebace47759c35a326d0a85ef1f8026c0615151919b8
Opcode Fuzzy Hash: 7c2931e8ef52673d4f24b2872611336fcb22a27e94cb8ed322faabd4cb4ceac7
Instruction Fuzzy Hash: 8F418131A00218EFDF21AFA4DC99BEEBB75EF44708F44402EF101661A2CBB95995CB54

Function 004277C6 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 004277F3
__p__fmode.MSVCRT ref: 00427808
__p__commode.MSVCRT ref: 00427816
__setusermatherr.MSVCRT ref: 00427842
_initterm.MSVCRT ref: 00427858
__getmainargs.MSVCRT ref: 0042787B
_initterm.MSVCRT ref: 0042788B
GetStartupInfoA.KERNEL32(?), ref: 004278CA
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004278EE
exit.KERNELBASE ref: 004278FE
_XcptFilter.MSVCRT ref: 00427910

Strings

L C, xrefs: 00427873, 00427876

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID: L C
API String ID: 801014965-4237334846
Opcode ID: 9b92f90470f3aaef7e20cf3256f4efe07d2ab1cf0cffcf5c1e4ead4adf0851b9
Instruction ID: a00cb6c05502d333b3867e83413997388873d9c69d702601a4e13f1702f0f6aa
Opcode Fuzzy Hash: 9b92f90470f3aaef7e20cf3256f4efe07d2ab1cf0cffcf5c1e4ead4adf0851b9
Instruction Fuzzy Hash: 294188B1E04314AFDB249FA4EC49AAABBB8FB09710FA0112FF551973A1D7785841CB58

Function 00401039 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 459
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0040103E
OleInitialize.OLE32(00000000), ref: 0040104E

Part of subcall function 0040195E: LoadLibraryW.KERNELBASE(comctl32.dll,00000000,?,?,?,0040105E,?,00000000), ref: 00401968
Part of subcall function 0040195E: GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 0040197C
Part of subcall function 0040195E: memset.MSVCRT ref: 0040198F
Part of subcall function 0040195E: FreeLibrary.KERNELBASE(00000000,?,?,?,?,0040105E,?,00000000), ref: 004019B8

GetCommandLineW.KERNEL32(?,00000000), ref: 0040109A

Part of subcall function 00401E1B: __EH_prolog.LIBCMT ref: 00401E20

Part of subcall function 004020F6: free.MSVCRT ref: 004020FA

Part of subcall function 004020CF: malloc.MSVCRT ref: 004020D5
Part of subcall function 004020CF: _CxxThrowException.MSVCRT(?,0042D048), ref: 004020EF

Part of subcall function 004017C1: __EH_prolog.LIBCMT ref: 004017C6

Part of subcall function 00401671: __EH_prolog.LIBCMT ref: 00401676

Strings

comctl32.dll, xrefs: 00401054
Error 1329485, xrefs: 00401281
Error 1329484, xrefs: 0040118C
Bad command, xrefs: 0040119D
Error in archive, xrefs: 00401529

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: H_prolog$Library$AddressCommandExceptionFreeInitializeLineLoadProcThrowfreemallocmemset
String ID: Bad command$Error 1329484$Error 1329485$Error in archive$comctl32.dll
API String ID: 950025763-3158529442
Opcode ID: b8650a010a255341a7c267875faeb47369e013a1205322b5ecb63717ebc0fa85
Instruction ID: 472c7fcaedc80eb8356a9ef49e46fd933df5a3c87e186d9ab304c9f5584081a3
Opcode Fuzzy Hash: b8650a010a255341a7c267875faeb47369e013a1205322b5ecb63717ebc0fa85
Instruction Fuzzy Hash: A702A130D05248EACF25EBA4C945BEDBBB4AF14304F1440AFE145772E2DB781B88DB1A

Function 0040595E Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 47
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 00405982
GetProcAddress.KERNEL32(00000000), ref: 00405989
GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 00405997
GlobalMemoryStatus.KERNEL32(?), ref: 004059C9

Strings

kernel32.dll, xrefs: 0040596C
, xrefs: 004059C1
GlobalMemoryStatusEx, xrefs: 00405967
@, xrefs: 0040597B

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: GlobalMemoryStatus$AddressHandleModuleProc
String ID: $@$GlobalMemoryStatusEx$kernel32.dll
API String ID: 180289352-802862622
Opcode ID: 5284d998541766e7541bad290797f0052b35c532fb70d4a4ac19be2f4d4da570
Instruction ID: 6c8c30df25bb6d4e4a178cec537dc139bebcca375eea442511eecf700d0b2231
Opcode Fuzzy Hash: 5284d998541766e7541bad290797f0052b35c532fb70d4a4ac19be2f4d4da570
Instruction Fuzzy Hash: 76112AB0A01709DBEF20DF94D949BAFBBF9EB14311F50442AD446BB280D778A844CF98

Function 0041384A Relevance: 9.0, APIs: 6, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(000000FF,00000F42), ref: 0041385E
ShowWindow.USER32(00000000,00000000,?,?,000003E8,004143F6,00000001,?,?,00000000,000003E8), ref: 00413875
GetDlgItem.USER32(000000FF,0000007E), ref: 0041387C
ShowWindow.USER32(00000000,00000000,?,?,000003E8,004143F6,00000001,?,?,00000000,000003E8), ref: 00413880
GetDlgItem.USER32(000000FF,00000065), ref: 00413887
ShowWindow.USER32(00000000,00000000,?,?,000003E8,004143F6,00000001,?,?,00000000,000003E8), ref: 0041388B

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 64832d24a414e6d06aaa9f7b69a18a0c4dc5769e0a771ea220e0ad29ba3e24bd
Instruction ID: e34129ecb20a930ca08e7f8573c067670e1cf7eb67d0aa8b2d1b4524c1aa6d7f
Opcode Fuzzy Hash: 64832d24a414e6d06aaa9f7b69a18a0c4dc5769e0a771ea220e0ad29ba3e24bd
Instruction Fuzzy Hash: 70E0927160420C3BE6206B62DD5AD7BBF9DDF82B99B42443AF64492160CAA6BC108674

Function 0040EEDC Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0040EEE1
GetLastError.KERNEL32(?,?,00000000,00000013,?), ref: 0040EF92

Part of subcall function 004020CF: malloc.MSVCRT ref: 004020D5
Part of subcall function 004020CF: _CxxThrowException.MSVCRT(?,0042D048), ref: 004020EF

Part of subcall function 0040EC65: __EH_prolog.LIBCMT ref: 0040EC6A

Strings

.exe, xrefs: 0040F028
.001, xrefs: 0040F0D2
Split, xrefs: 0040F06D

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: H_prolog$ErrorExceptionLastThrowmalloc
String ID: .001$.exe$Split
API String ID: 1950902910-1819480430
Opcode ID: cf6b42870e815e998b135a4961ea797e2778ccc149ac8e02011dee41db5538fb
Instruction ID: 2e497f5e6d7084d82a5dc8001912b5ba61214fcfb2f12fe8ae294b3655d21f49
Opcode Fuzzy Hash: cf6b42870e815e998b135a4961ea797e2778ccc149ac8e02011dee41db5538fb
Instruction Fuzzy Hash: 91A19230A00209EFCB24DFA5C985AAEB7B5BF04304F14447EE956BB6D2CB799D05CB58

Function 00415A42 Relevance: 7.5, APIs: 5, Instructions: 38
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00415A47
GetDlgItem.USER32 ref: 00415A5F
SetWindowTextW.USER32(?,?), ref: 00415A7E
LoadIconW.USER32(00000001), ref: 00415A8C
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00415A9D

Part of subcall function 00405D7D: GetWindowRect.USER32(?,?), ref: 00405D95
Part of subcall function 00405D7D: MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00405DC0

Part of subcall function 004020F6: free.MSVCRT ref: 004020FA

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: Window$H_prologIconItemLoadMessageMoveRectSendTextfree
String ID:
API String ID: 4226961521-0
Opcode ID: a69c0555744779e3416228a0f2a8f2ff5693be6edbf01dafdac416e534d3530f
Instruction ID: 3f9dc10f33571ac88d483359bf54bc70d4fe30b983a4990dfccf35a9d7e4fe33
Opcode Fuzzy Hash: a69c0555744779e3416228a0f2a8f2ff5693be6edbf01dafdac416e534d3530f
Instruction Fuzzy Hash: 06014F31600700AFDB216B60DD0ABAEBBB5FF04705F00852EF652655E0CBB56455DF48

Function 004040BA Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 295
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 004040BF
SetLastError.KERNEL32(00000002,?,?,0000FBEF,:$DATA,?,00000000,00000000,?,00000000), ref: 0040420B
wcscmp.MSVCRT ref: 004043BF

Strings

:$DATA, xrefs: 00404124, 00404136

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: ErrorH_prologLastwcscmp
String ID: :$DATA
API String ID: 161073058-2587938151
Opcode ID: bf2a63ef74e6ef63e5b9c411d4c09445fdec89beda3e525e482d59bc0708e90a
Instruction ID: 0aa9a7b59709699b29067b3e5cb2f95f9efe95872249ea4963ba63781caa8802
Opcode Fuzzy Hash: bf2a63ef74e6ef63e5b9c411d4c09445fdec89beda3e525e482d59bc0708e90a
Instruction Fuzzy Hash: DBB115B0A002049ACF24EFA5C9856EEB7B0BF94318F10813FEA52772E1DB7D5945D718

Function 0040A9A8 Relevance: 6.2, APIs: 2, Strings: 1, Instructions: 964COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040A9AD

Part of subcall function 0040A757: __EH_prolog.LIBCMT ref: 0040A75C

Part of subcall function 0040D761: __EH_prolog.LIBCMT ref: 0040D766
Part of subcall function 0040D761: wcscmp.MSVCRT ref: 0040D7BB

Part of subcall function 0040D8EA: __EH_prolog.LIBCMT ref: 0040D8EF

Part of subcall function 004020F6: free.MSVCRT ref: 004020FA

Part of subcall function 004063C5: __EH_prolog.LIBCMT ref: 004063CA

Part of subcall function 0040A809: __EH_prolog.LIBCMT ref: 0040A80E

Strings

Can not seek to begin of file, xrefs: 0040B4C6

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: H_prolog$freewcscmp
String ID: Can not seek to begin of file
API String ID: 197229272-1513257940
Opcode ID: da73c5db32e52142c0d81f7291ea57daabc7abe5cd410e8813748350c8cb6c92
Instruction ID: e932c431c2be89ccba5d268edbb3cf4babdeff98aa2f261b59e4fc1550dd80f2
Opcode Fuzzy Hash: da73c5db32e52142c0d81f7291ea57daabc7abe5cd410e8813748350c8cb6c92
Instruction Fuzzy Hash: 6182BD30900349AFCB20DFA4C894AAEBBB5FF04304F14847EE556B72D1DB39A945DB5A

Function 004192DC Relevance: 6.2, APIs: 4, Instructions: 154
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 004192E1

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 3e23db53cf71e5ce8f26aa50b9a583861208264ff56e9d16f13e52517fdba1e7
Instruction ID: cd3e7004e383a716012a185e435a627af6ed05eafb2dd68e955295a10b6cfdbc
Opcode Fuzzy Hash: 3e23db53cf71e5ce8f26aa50b9a583861208264ff56e9d16f13e52517fdba1e7
Instruction Fuzzy Hash: 6D510871A042099BEB24DF54C8A4BFFB3B5FF48308F14452BE82597381E778AC858755

Function 0040CF80 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 352
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0040CF85
GetLastError.KERNEL32(?,?,0000000D,00000000,00000000,?), ref: 0040D2A4

Strings

Can not create output directory: , xrefs: 0040D2B8

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: ErrorH_prologLast
String ID: Can not create output directory:
API String ID: 1057991267-3123869724
Opcode ID: 5c2cccee5354194b0c48e011cbe96bfa24a820c496bc76d26af480ac08f2ff10
Instruction ID: 14afd462d1bef7c194ecaca9d63f6d86c47c4da6b56855b854b8cc7b9de55903
Opcode Fuzzy Hash: 5c2cccee5354194b0c48e011cbe96bfa24a820c496bc76d26af480ac08f2ff10
Instruction Fuzzy Hash: F2E17C30D00249EBCF20EFE4C944AEEBBB5BF19308F14406EE94577291DA789E49DB59

Function 00405DC9 Relevance: 4.5, APIs: 3, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00405DCE
SetWindowLongW.USER32(?,000000EB,?), ref: 00405DEC
GetWindowLongW.USER32(?,000000EB), ref: 00405DF8

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: LongWindow$H_prolog
String ID:
API String ID: 3290177264-0
Opcode ID: e08a05fd0fc8a194509ba1aaca244b45a6299a21f9aa697965bb52aac5d282f2
Instruction ID: b1d1d039f94e185a531ba274deec0ef3b8810f38033f643ea8b605c337fad42c
Opcode Fuzzy Hash: e08a05fd0fc8a194509ba1aaca244b45a6299a21f9aa697965bb52aac5d282f2
Instruction Fuzzy Hash: D8018B31600119EFCF168F44DC18AAF3B65FF44360F50C13AF856AA2A0C7399921DF94

Function 00415B7E Relevance: 4.5, APIs: 3, Instructions: 39COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00415B83
IsDlgButtonChecked.USER32(?,00000D66), ref: 00415B96

Part of subcall function 004059E5: GetWindowTextLengthW.USER32 ref: 004059FA
Part of subcall function 004059E5: GetWindowTextW.USER32(?,00000000,?), ref: 00405A1C
Part of subcall function 004059E5: GetLastError.KERNEL32 ref: 00405A34

Part of subcall function 00402A98: memmove.MSVCRT(?,?,?,?,?,00401E48), ref: 00402AD4

KiUserCallbackDispatcher.NTDLL(00000000,00000001), ref: 00415BE6

Part of subcall function 004020F6: free.MSVCRT ref: 004020FA

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: TextWindow$ButtonCallbackCheckedDispatcherErrorH_prologLastLengthUserfreememmove
String ID:
API String ID: 1501428628-0
Opcode ID: fca6567c6ee1c15010b138bda7b603a86b6899ebc7cf039e794fc152276f8df1
Instruction ID: 2236174cac86860b17a222109bbd00086e11993f7b49e706391860cfe10a43eb
Opcode Fuzzy Hash: fca6567c6ee1c15010b138bda7b603a86b6899ebc7cf039e794fc152276f8df1
Instruction Fuzzy Hash: 870121719006059ECB24EBA5C9579FFBBB4EF14314F40443EE202624D1DF78A549CB84

Function 0040E74A Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 418COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040E74F

Strings

Split, xrefs: 0040E89E

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: H_prolog
String ID: Split
API String ID: 3519838083-1882502421
Opcode ID: 4a13cf1b4db60b7befba25564973d73154796047a7552b3d5bdec91a74f86755
Instruction ID: 616a78c830e29c2dc57caffe9be07347e63c6fd7d35e9ef6245cc82ab62af23f
Opcode Fuzzy Hash: 4a13cf1b4db60b7befba25564973d73154796047a7552b3d5bdec91a74f86755
Instruction Fuzzy Hash: 3C023A70A00249EFCF14DFA5C9849AEBBB5BF48304F14886EE506AB391C739AD55CB54

Function 004019CE Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004019D3

Part of subcall function 00401A47: GetVersionExW.KERNEL32(?), ref: 00401A61

Part of subcall function 004100CF: MessageBoxW.USER32(00000000,0042C214,7-Zip,00000010), ref: 004100D8

Strings

Unsupported Windows version, xrefs: 004019F0

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: H_prologMessageVersion
String ID: Unsupported Windows version
API String ID: 3493591556-2397968907
Opcode ID: ed8828ada12aaa90c5deb74c7c2207a6019be7e81250d0cce5a2ae34c0db44e4
Instruction ID: bc7fe7522f176ca9a2377c0d91c19e7eb3c4aaa93377a5d0eed236c7fd359826
Opcode Fuzzy Hash: ed8828ada12aaa90c5deb74c7c2207a6019be7e81250d0cce5a2ae34c0db44e4
Instruction Fuzzy Hash: 22E09B727052189BCB14AFA9B542B9E77A8DB85758F10883FF001B3593C7FC54418A6D

Function 0041A5B5 Relevance: 3.2, APIs: 2, Instructions: 203COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041A5BA
_CxxThrowException.MSVCRT(?,004303B8), ref: 0041A7EC

Part of subcall function 004020CF: malloc.MSVCRT ref: 004020D5
Part of subcall function 004020CF: _CxxThrowException.MSVCRT(?,0042D048), ref: 004020EF

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: ExceptionThrow$H_prologmalloc
String ID:
API String ID: 3044594480-0
Opcode ID: e859eaa1a6cd1bdd81a33e1a104e16a8b21adbf55dece5dd425d8406769b1d52
Instruction ID: 3c4600278733f0fd76907272d5c7152b0a01dbeeca939584879cb54402bd9a2f
Opcode Fuzzy Hash: e859eaa1a6cd1bdd81a33e1a104e16a8b21adbf55dece5dd425d8406769b1d52
Instruction Fuzzy Hash: BA818D70D01209DFCB21DFA9C880AEEBBB5BF05304F14419EE555A3292CB389E95DF65

Function 00414E43 Relevance: 3.1, APIs: 2, Instructions: 80COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00414E48

Part of subcall function 004132B5: EnterCriticalSection.KERNEL32(?,?,?,?,00414F92), ref: 004132C1
Part of subcall function 004132B5: LeaveCriticalSection.KERNEL32(?,?,?,00414F92), ref: 004132CB

SetWindowTextW.USER32(00000000,?), ref: 00414F2F

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: CriticalSection$EnterH_prologLeaveTextWindow
String ID:
API String ID: 374128308-0
Opcode ID: 49611383234625862a234187188164019676c5c04722436ee820891858c73de2
Instruction ID: 3a62dccf950b22f6d4dc55b14e374e89802837ad55d0645f6bc97149168701be
Opcode Fuzzy Hash: 49611383234625862a234187188164019676c5c04722436ee820891858c73de2
Instruction Fuzzy Hash: B731877190020A9ACF14FBE1C956AEEB7B8BF14308F10442FE256731D1DF786A8ACB54

Function 0041B257 Relevance: 3.0, APIs: 2, Instructions: 39COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041B25C

Part of subcall function 0041AF85: __EH_prolog.LIBCMT ref: 0041AF8A

_CxxThrowException.MSVCRT(?,004303B8), ref: 0041B2A7

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: H_prolog$ExceptionThrow
String ID:
API String ID: 2366012087-0
Opcode ID: a958b5337674e05bf956635333f46def9c7f0676146241ab79f327ef10fc837d
Instruction ID: f2df3114f1da51f2426b745af0dbb6047acfd708cf9f8735b5f93dd5867aab36
Opcode Fuzzy Hash: a958b5337674e05bf956635333f46def9c7f0676146241ab79f327ef10fc837d
Instruction Fuzzy Hash: 1A01F232504248BFDF029F94C809BEE7FB4EF05314F04404BF8046B211C3B9A998C7A5

Function 00404729 Relevance: 3.0, APIs: 2, Instructions: 38COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,?), ref: 00404745
GetLastError.KERNEL32(?,?,?,?), ref: 00404752

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 438f7263e7d15e04be64078ac3070df8d93fa652b3568f5664d05ecef30f1d1b
Instruction ID: f8195280055ccb744b5f4933d4478b7b27988e1595bb0384b5a033c88192e03c
Opcode Fuzzy Hash: 438f7263e7d15e04be64078ac3070df8d93fa652b3568f5664d05ecef30f1d1b
Instruction Fuzzy Hash: 9CF0AF71600208ABCB11DF28ED01BCA3BE9AB45320F108165F915E72E0E7719901AA64

Function 00426240 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

_beginthreadex.MSVCRT ref: 00426254
GetLastError.KERNEL32(?,?,00000000,00000000,00000000), ref: 00426269

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: ErrorLast_beginthreadex
String ID:
API String ID: 4034172046-0
Opcode ID: 5d6ebca4f48b41029d32f40167fce92df6aeec327d475f20c86aa1587e792771
Instruction ID: 31c2dbd69e1885a24532e4269a1eb50c54c6565d93c2a908d681394ab9fb7b0c
Opcode Fuzzy Hash: 5d6ebca4f48b41029d32f40167fce92df6aeec327d475f20c86aa1587e792771
Instruction Fuzzy Hash: EFE0E6713042129BE3249B54AC05F67769CDB90B41F84847DB645D6194EB649810C7B9

Function 0040591C Relevance: 3.0, APIs: 2, Instructions: 7COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,0040593D), ref: 00405921
GetProcessAffinityMask.KERNEL32(00000000), ref: 00405928

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 9e0810395d80602b49144d642d60a3fbc7d5546b35032bc074dd17f94df92988
Instruction ID: 07ee87926fc5390885ae6a9ef4862940daf2e417708100acc4bc86754a5c0598
Opcode Fuzzy Hash: 9e0810395d80602b49144d642d60a3fbc7d5546b35032bc074dd17f94df92988
Instruction Fuzzy Hash: 6CB092B1600104ABCE219BA09E0CD2B3B2CFA063413488468B215C1410D73AD0028BA4

Function 004020CF Relevance: 2.5, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 004020D5
_CxxThrowException.MSVCRT(?,0042D048), ref: 004020EF

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: ExceptionThrowmalloc
String ID:
API String ID: 2436765578-0
Opcode ID: 09cfdf487e9e4269f2fdf1dace1d4180c2df62fdca8d78840ba6b5cd8df3f6ae
Instruction ID: 7fb36d490106e20b2164e3848833c77b579d17c231f5b056c4223b52cbc47585
Opcode Fuzzy Hash: 09cfdf487e9e4269f2fdf1dace1d4180c2df62fdca8d78840ba6b5cd8df3f6ae
Instruction Fuzzy Hash: 5ED0A7312082CC7BCF016FA5A805C9E3F2C99016A4B409027FE188E152D635D791D75C

Function 00417A2E Relevance: 2.1, APIs: 1, Instructions: 603COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00417A33

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e0859860234d1a16a7c44ca61de55d9d3f7c919ded42ba10d07c0479defd8cc6
Instruction ID: 340f7582cbbd9a3adfd79e7b7252e6d1e9fe7669e9aa6b8baa0bc10dee8afb25
Opcode Fuzzy Hash: e0859860234d1a16a7c44ca61de55d9d3f7c919ded42ba10d07c0479defd8cc6
Instruction Fuzzy Hash: 38428270904249DFDF11CFA8C584BEEBBB5AF49304F24409EE805AB391DB799E85CB25

Function 0040F28B Relevance: 2.0, APIs: 1, Instructions: 486COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040F290

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e0e7b93d0640cad387665ff99c4d6fde96781850c5c42a8f57e7544b44410689
Instruction ID: 0f07cf4e18590a0158061efb07cd9f14cc5d1c547ddaf9a6d5cd82f448a6fca8
Opcode Fuzzy Hash: e0e7b93d0640cad387665ff99c4d6fde96781850c5c42a8f57e7544b44410689
Instruction Fuzzy Hash: 23127F31900209DFCF20DFA4C984AEEB7B5AF45314F2481BAE445FB291DB39AE49CB55

Function 0041AF85 Relevance: 1.7, APIs: 1, Instructions: 222COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041AF8A

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 81201897ae7dd6e2ad135f8e655b94a4276dd898dfb569a95b909b69ed5fe49c
Instruction ID: 37085afd514dfc8b0f11459bf5528e69d7fd873d7eb4aaf3a52d7daf68779b0c
Opcode Fuzzy Hash: 81201897ae7dd6e2ad135f8e655b94a4276dd898dfb569a95b909b69ed5fe49c
Instruction Fuzzy Hash: 5D917D30A0064AEFCB25DFA9C490AEEFBB1FF09304F10456EE559A3311D739A994CB95

Function 00415C5F Relevance: 1.7, APIs: 1, Instructions: 190COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00415C64

Part of subcall function 00415F97: __EH_prolog.LIBCMT ref: 00415F9C

Part of subcall function 00403D12: GetCurrentDirectoryW.KERNEL32(00000105,00000000,?,00000000), ref: 00403D3D

Part of subcall function 004020F6: free.MSVCRT ref: 004020FA

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: H_prolog$CurrentDirectoryfree
String ID:
API String ID: 1231661175-0
Opcode ID: be0f0b4e1bd94d20ae94145a96cd94cbc77c7a7969c84c0b75b9d381ab5219d1
Instruction ID: 09c4014094affc46a77da51cbfe550b9ceff7a30d4da3af5e026942b496d4ded
Opcode Fuzzy Hash: be0f0b4e1bd94d20ae94145a96cd94cbc77c7a7969c84c0b75b9d381ab5219d1
Instruction Fuzzy Hash: 39819C31800249DFCF25DFA4C841ADDBBB4BF18308F0080AEE549A7292DB389E85CF55

Function 0040EC65 Relevance: 1.7, APIs: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040EC6A

Part of subcall function 0040E74A: __EH_prolog.LIBCMT ref: 0040E74F

Part of subcall function 0040C37A: __EH_prolog.LIBCMT ref: 0040C37F

Part of subcall function 004020F6: free.MSVCRT ref: 004020FA

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: H_prolog$free
String ID:
API String ID: 2654054672-0
Opcode ID: ff3dccf710e2fed04cc13cf77327336f995d208d98c7800cd030a6e41afb1b0e
Instruction ID: 5c1dc32a309cc29cc9a930ca77f75e64d73e40bcb36dbefd7ed33ab82a3d2cc1
Opcode Fuzzy Hash: ff3dccf710e2fed04cc13cf77327336f995d208d98c7800cd030a6e41afb1b0e
Instruction Fuzzy Hash: CF61C270600209DFDB20EFA2C985EAEB7B9AF04308F10483FE546B72D1DB79A945CB54

Function 00418BD7 Relevance: 1.6, APIs: 1, Instructions: 134COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00418BDC

Part of subcall function 0041B257: __EH_prolog.LIBCMT ref: 0041B25C
Part of subcall function 0041B257: _CxxThrowException.MSVCRT(?,004303B8), ref: 0041B2A7

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: H_prolog$ExceptionThrow
String ID:
API String ID: 2366012087-0
Opcode ID: 0f51b4e1465cb587c46163fff8b5871f7aa0289ee5ef11b2c6b7415d69d63f8b
Instruction ID: aab3a4f930dec5388b4800193ed2a8635661b44e127019220ecbb7f2bca0c157
Opcode Fuzzy Hash: 0f51b4e1465cb587c46163fff8b5871f7aa0289ee5ef11b2c6b7415d69d63f8b
Instruction Fuzzy Hash: 7D517970600249DFCB11CFA8C988ADEBBB4BF49304F1444AEE44AD7352DB399E85CB61

Function 0040F928 Relevance: 1.6, APIs: 1, Instructions: 132COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040F92D

Part of subcall function 004020CF: malloc.MSVCRT ref: 004020D5
Part of subcall function 004020CF: _CxxThrowException.MSVCRT(?,0042D048), ref: 004020EF

Part of subcall function 0040FAA2: __EH_prolog.LIBCMT ref: 0040FAA7

Part of subcall function 00401A7D: __EH_prolog.LIBCMT ref: 00401A82

Part of subcall function 004020F6: free.MSVCRT ref: 004020FA

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: H_prolog$ExceptionThrowfreemalloc
String ID:
API String ID: 2423332413-0
Opcode ID: 9be19f6b846c03c81b4fc44d8a41c4572a90b766f3554761c4030b277644f9da
Instruction ID: 14fb5bc4644c8be8bbbd85468426697c20ae80b86053c8fdc83c98d4d2e019d2
Opcode Fuzzy Hash: 9be19f6b846c03c81b4fc44d8a41c4572a90b766f3554761c4030b277644f9da
Instruction Fuzzy Hash: 1E51C171A0060AEFCB21DFA5C484A9EBBB4BF08314F10817FE555B76E2CB789A45CB54

Function 0041770B Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00417710

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 4d0e1bcaa22eed2ebc0e05ee49bdbc367b0a37000601ac4497db0d2a6758db35
Instruction ID: 20b8af3ec1be57dcb73f1ad09a802ec4c95816be6c57237e58952c87f2746826
Opcode Fuzzy Hash: 4d0e1bcaa22eed2ebc0e05ee49bdbc367b0a37000601ac4497db0d2a6758db35
Instruction Fuzzy Hash: 5141AD70A046469FDB21CF64C488BAABBB0BF04354F148A6ED46697791D374FDC1CB94

Function 0040DB3E Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040DB43

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 6c249aee99056093a111b26770c2c76e3830b52cfb7801991afb191706880683
Instruction ID: aee0a3abb712aa14678732b216a728155357ffbf8a2d3bda02b1285abcb88c69
Opcode Fuzzy Hash: 6c249aee99056093a111b26770c2c76e3830b52cfb7801991afb191706880683
Instruction Fuzzy Hash: 28316131C012199BCB14EFE5D945ADEBBB8FF14314F14852EE412B32D1DB78AA49DB18

Function 00413F01 Relevance: 1.6, APIs: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00413F90

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 329ed73377c4fe396c0ef21212cd01c86fa39b463e426f5280b305e6ec5d41cf
Instruction ID: 0dacdcfece33f48d4adb4ceeedf6e302bf861e498a27e992ad954936af03ac54
Opcode Fuzzy Hash: 329ed73377c4fe396c0ef21212cd01c86fa39b463e426f5280b305e6ec5d41cf
Instruction Fuzzy Hash: 42214C35700705AFDB24DE24C480B9BB7B6EF86352F10851EE99A87340C774BE86CA69

Function 0040B923 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040B928

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: faf64749df2646f11e7877185ccf87ca485dc7c266260ca03f01c58aa6668eb3
Instruction ID: c8d04accb6ab48836b320e843486b404e492812a6cbc38840d705cf7fcc4152b
Opcode Fuzzy Hash: faf64749df2646f11e7877185ccf87ca485dc7c266260ca03f01c58aa6668eb3
Instruction Fuzzy Hash: 3B218EB1A057809FD765DF34C880BABBBA5FF44314F04886FD19A67242C734B944CB58

Function 004174EA Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004174EF

Part of subcall function 004175FC: __EH_prolog.LIBCMT ref: 00417601

Part of subcall function 004173F2: __EH_prolog.LIBCMT ref: 004173F7

Part of subcall function 004020F6: free.MSVCRT ref: 004020FA

Part of subcall function 00417563: __EH_prolog.LIBCMT ref: 00417568

Part of subcall function 004175AB: __EH_prolog.LIBCMT ref: 004175B0

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: H_prolog$free
String ID:
API String ID: 2654054672-0
Opcode ID: fee138fc70115c786cb7e28129668b3601e991b439443d2d6ba3a207c132b50f
Instruction ID: efc97fdb2cd501e263356821e8bbbc0493516a7fb5b1082b523d0c7857f09569
Opcode Fuzzy Hash: fee138fc70115c786cb7e28129668b3601e991b439443d2d6ba3a207c132b50f
Instruction Fuzzy Hash: F4F0F931918B60DACB19FB68D81539DBBF1AF04308F10855FE152636D2CFBC6A00974D

Function 00417499 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041749E

Part of subcall function 004174EA: __EH_prolog.LIBCMT ref: 004174EF

Part of subcall function 004020F6: free.MSVCRT ref: 004020FA

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: H_prolog$free
String ID:
API String ID: 2654054672-0
Opcode ID: 6ee6d8b74b3aa55adc54459261b118c78aaaa05815ffb244da1ec2e80cc4e2b4
Instruction ID: 0d2538145b2f53762c335bf756670600069896b2a133757d526aa6263dcbfd11
Opcode Fuzzy Hash: 6ee6d8b74b3aa55adc54459261b118c78aaaa05815ffb244da1ec2e80cc4e2b4
Instruction Fuzzy Hash: 8AF0E232A046209BD725AB4DD881BEAFBB8FF50324F10802FE91167742CFBC9C008658

Function 00418325 Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041832A

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: fcf6c9437ee82e96642ca29cd9d38f643f0dc697364c92bfbac083e3f7b32662
Instruction ID: 9a5e07ec0e47d64c26588371121f8ffa3219084a79d0dc189f2b82a60e8117f4
Opcode Fuzzy Hash: fcf6c9437ee82e96642ca29cd9d38f643f0dc697364c92bfbac083e3f7b32662
Instruction Fuzzy Hash: 040128B1601B54DBC325DFA495802CAFBE4AF14304F90C85FD49A53741DBB86608CB58

Function 00415417 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041541C

Part of subcall function 00426240: _beginthreadex.MSVCRT ref: 00426254

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: H_prolog_beginthreadex
String ID:
API String ID: 273140464-0
Opcode ID: ec6a2a04366d7cd57758bda68cb4f363685c3bb3d15507ecac7c3b4d00f13e12
Instruction ID: 76e682a7ea0aabb95fce7a0902c1170d0023b604bf98ee2b1dd9ae3271808536
Opcode Fuzzy Hash: ec6a2a04366d7cd57758bda68cb4f363685c3bb3d15507ecac7c3b4d00f13e12
Instruction Fuzzy Hash: 46F08232A10039EBDB14AB50DC01BEFB768EF40359F11816BA811A6280D77C9E84C7AC

Function 00415FEC Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00415FF1

Part of subcall function 004134A3: __EH_prolog.LIBCMT ref: 004134A8
Part of subcall function 004134A3: _CxxThrowException.MSVCRT(?,0042D080), ref: 00413623
Part of subcall function 004134A3: _CxxThrowException.MSVCRT(?,0042D080), ref: 00413649

Part of subcall function 00413261: __EH_prolog.LIBCMT ref: 00413266

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: H_prolog$ExceptionThrow
String ID:
API String ID: 2366012087-0
Opcode ID: 6708e0341f6018fe9b873d488056be1469f5172c695251e8db54eadfe182fa34
Instruction ID: 607f97d41993f9ee4f9aa1de6ff351c0bd8c0e3f80b48a06ceb8507f62edee5e
Opcode Fuzzy Hash: 6708e0341f6018fe9b873d488056be1469f5172c695251e8db54eadfe182fa34
Instruction Fuzzy Hash: 35F082B1A01654DFC311DFA9D8846CAFBE0FF18304F9184AFD45A97301C7B86A00CB58

Function 00415F97 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00415F9C

Part of subcall function 00415FEC: __EH_prolog.LIBCMT ref: 00415FF1

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: ed89fa709e25b81b5d8e3a69996be17590871d0bee4b56f8ef7a10b79e90fdc1
Instruction ID: f73321e82dc03a21e434aafab76963d66f8b8827e683e2e3f1d56e2a489d7348
Opcode Fuzzy Hash: ed89fa709e25b81b5d8e3a69996be17590871d0bee4b56f8ef7a10b79e90fdc1
Instruction Fuzzy Hash: EAF08CB1A00614DEC7109FAAD4086CDFBF8EF90304F1082AFA055D3321DBF46945CB64

Function 0040DCC3 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040DCC8

Part of subcall function 004020CF: malloc.MSVCRT ref: 004020D5
Part of subcall function 004020CF: _CxxThrowException.MSVCRT(?,0042D048), ref: 004020EF

Part of subcall function 0040DD3A: __EH_prolog.LIBCMT ref: 0040DD3F

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: H_prolog$ExceptionThrowmalloc
String ID:
API String ID: 3744649731-0
Opcode ID: 5d48e162d1faf98e253d13c591023dfcf50975d86c2c3ab67d2bb775dc8dbcde
Instruction ID: 8787ccbb7256473083212f4ff884c9d7143cb1cd305eeeed8f47dfe13ee31d75
Opcode Fuzzy Hash: 5d48e162d1faf98e253d13c591023dfcf50975d86c2c3ab67d2bb775dc8dbcde
Instruction Fuzzy Hash: 48E09271F10116AFDB18EB68D80669D76A5AF04314F10863FA022F36C6DFB84A008658

Function 0040E700 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040E705

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 57f476f9e83fa3e42b27ed10c0dedfd59894f846a8cddb888c3c565faacacd9b
Instruction ID: 24c95e28fcf060a65b72f5e970eeabed95ea355385133c076e0d391a57a80cfb
Opcode Fuzzy Hash: 57f476f9e83fa3e42b27ed10c0dedfd59894f846a8cddb888c3c565faacacd9b
Instruction Fuzzy Hash: 44E06D35600114EFC705EF99D845F9EBBA8FF48318F10846EB40ADB241CB78A901CA68

Function 00414DF0 Relevance: 1.5, APIs: 1, Instructions: 24timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32(00008001,?), ref: 00414E09

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: KillTimer
String ID:
API String ID: 729406807-0
Opcode ID: 1c0f08aefd08420088e86f9fe6cad966aa150a0d9f5500e682c1a166dc49c7ae
Instruction ID: f0695324b343396b54ec2f2796eb2e772adf312a6a052f2307a7ea4d3645fc5f
Opcode Fuzzy Hash: 1c0f08aefd08420088e86f9fe6cad966aa150a0d9f5500e682c1a166dc49c7ae
Instruction Fuzzy Hash: FCF0A032118741DBCB325B20C844BDFBBE2BFC4300F10481EF09616150CB7918A5DF55

Function 00416F09 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00416F0E

Part of subcall function 00417499: __EH_prolog.LIBCMT ref: 0041749E

Part of subcall function 00417448: __EH_prolog.LIBCMT ref: 0041744D

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 440eb707d267d6ed2b4d48beec5fbb1f1bc8f4bdf6ec121d93ec76858d26ff00
Instruction ID: 383f8f2811993b49c410e9bafb6d37c57ab428893a244b838021762b379e2fb1
Opcode Fuzzy Hash: 440eb707d267d6ed2b4d48beec5fbb1f1bc8f4bdf6ec121d93ec76858d26ff00
Instruction Fuzzy Hash: 0EE0E571900A20CAEB1CEB58D4127DCBBB4AF04328F00425EA427532D2CB786A04C658

Function 00404685 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004046BE: CloseHandle.KERNELBASE(?,?,00404690), ref: 004046C9

CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000), ref: 004046A7

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID:
API String ID: 3498533004-0
Opcode ID: f308e96676010879eaf098f804ca93bd275243095bcecf339b7b316c46e70dcd
Instruction ID: d6e1da346eebb5349affc62c63fb53b40b2f73570a5de9cd5c672068ff8cdd1a
Opcode Fuzzy Hash: f308e96676010879eaf098f804ca93bd275243095bcecf339b7b316c46e70dcd
Instruction Fuzzy Hash: 84E086761002197BCF215F64DC01BCE3B95AF19760F140526FB20A61E0D777C8B1ABD5

Function 0040489A Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 004048BD

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: b66284758cf875ea0eb3d52af25ea993fc5d38dbbc9fac0c9351a47cf47e9f00
Instruction ID: 47c02cd602e8811402d77a375cebeaba5eccd3a0030b36b25c1369484e3eb127
Opcode Fuzzy Hash: b66284758cf875ea0eb3d52af25ea993fc5d38dbbc9fac0c9351a47cf47e9f00
Instruction Fuzzy Hash: E2E0ED75600208FFCB11CF55D841B8E7BF9EB45354F10C069F919AA260D379AA54DF54

Function 004153CF Relevance: 1.5, APIs: 1, Instructions: 20windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00008001,00000000,00000000), ref: 00415406

Part of subcall function 00426280: SetEvent.KERNEL32(?,00407AAF), ref: 00426283

Part of subcall function 00426230: WaitForSingleObject.KERNEL32(?,000000FF,00414B7B,00000061,00000000,?,?,?,00000000,?,?,?,?,00000000,00000000,00000000), ref: 00426233

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: EventMessageObjectPostSingleWait
String ID:
API String ID: 3033668351-0
Opcode ID: 385471b70e4ab07d8a46c976a7c2347c658f69b8b3faf526f1e3173eeb6697ae
Instruction ID: e41a08748df710f84823e84766246ae2f5dde630ef0742ad732470b1a371cff2
Opcode Fuzzy Hash: 385471b70e4ab07d8a46c976a7c2347c658f69b8b3faf526f1e3173eeb6697ae
Instruction Fuzzy Hash: 00E0DF30214B909EE731A334FC097C27B819F01300F04048EF0EA221D18BA428E1C398

Function 00415474 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00415479

Part of subcall function 004154C0: __EH_prolog.LIBCMT ref: 004154C5
Part of subcall function 004154C0: EnterCriticalSection.KERNEL32(?,?,?), ref: 004155FB
Part of subcall function 004154C0: LeaveCriticalSection.KERNEL32(?,?,?,?), ref: 00415658

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: CriticalH_prologSection$EnterLeave
String ID:
API String ID: 317552408-0
Opcode ID: e60df4fbdc2895a6d6e2531f28aeae4733311a65d100025a0a6deadf173157c8
Instruction ID: 024d663840d7811bdf33d7098ac025f6201eb583077b037c263a31ff1b2e0f64
Opcode Fuzzy Hash: e60df4fbdc2895a6d6e2531f28aeae4733311a65d100025a0a6deadf173157c8
Instruction Fuzzy Hash: 67E08C72A10664EBD704DB5998427DEB7A8EB8531DF00852FA005E3241C3BC694087A8

Function 004047FA Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00404810

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 5df1515875bedd3c83e58b8461d968d386211719c35e5b0019e1da2bdd808035
Instruction ID: 4003fc020f9de39c5eb42a26df6463e231032b8024d01712fd11260babaa06a2
Opcode Fuzzy Hash: 5df1515875bedd3c83e58b8461d968d386211719c35e5b0019e1da2bdd808035
Instruction Fuzzy Hash: CAE0EC75200208FBCB11CF90CC01F8E7BB9EB49754F208059E915A6160C375AA14EB54

Function 00405E9B Relevance: 1.5, APIs: 1, Instructions: 18windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001061,?,?), ref: 00405EC6

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 164ae8f425abc56fbc857c6c366a6cd0eb2d2d679ece0eda857c8e78f80bdc8a
Instruction ID: cdc53ab37f91f56d0dbb0838b48238b413029ddd79ee80067a6402257e70dd9f
Opcode Fuzzy Hash: 164ae8f425abc56fbc857c6c366a6cd0eb2d2d679ece0eda857c8e78f80bdc8a
Instruction Fuzzy Hash: 4EE092B490020EAFDF00DFA5D845DAEBBB9FB88708F108519E914AB250D3B49A558BA0

Function 0041B580 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041B585

Part of subcall function 004020CF: malloc.MSVCRT ref: 004020D5
Part of subcall function 004020CF: _CxxThrowException.MSVCRT(?,0042D048), ref: 004020EF

Part of subcall function 00418325: __EH_prolog.LIBCMT ref: 0041832A

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: H_prolog$ExceptionThrowmalloc
String ID:
API String ID: 3744649731-0
Opcode ID: 3611bad8bc305f9afebf70df4c86a3ba817e45835301676c5d1ea26fa01f0f72
Instruction ID: f5876fddc976ad4f8e0900b1f669633691ac615741aaf313824f3d6d5b5970fd
Opcode Fuzzy Hash: 3611bad8bc305f9afebf70df4c86a3ba817e45835301676c5d1ea26fa01f0f72
Instruction Fuzzy Hash: DBD05EB1B041259BCB5CEFB4A4163AD76B2EB44708F20843FB417E37C2DF7899408629

Function 00414F4B Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

Part of subcall function 004132B5: EnterCriticalSection.KERNEL32(?,?,?,?,00414F92), ref: 004132C1
Part of subcall function 004132B5: LeaveCriticalSection.KERNEL32(?,?,?,00414F92), ref: 004132CB

SetDlgItemTextW.USER32(?,000001BE,?), ref: 00414F6D

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: CriticalSection$EnterItemLeaveText
String ID:
API String ID: 3811111623-0
Opcode ID: f082560edcc5121aa8624134d61551f1986023105dc6a65dfdb121e04a48e551
Instruction ID: 73fa5fe5624e36446d85b1d75fa1e4fb82caf0c45f5c66cd579ca59815aa7b54
Opcode Fuzzy Hash: f082560edcc5121aa8624134d61551f1986023105dc6a65dfdb121e04a48e551
Instruction Fuzzy Hash: B8D05E311007148BCA62AB20D941ADA73E5AF84744B0004AFE8928B665DB646A9A8A88

Function 00415004 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

SetDlgItemTextW.USER32(?,000001BC,?), ref: 00415020

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: ItemText
String ID:
API String ID: 3367045223-0
Opcode ID: bdab0797297c75f1c21d8b741e2a4a45fdd30b50d794ac87e04b62f8df79d3d8
Instruction ID: 002b25c598a0ce2437379d27bdb06f616906fede3377d933caf3d8d9dfbfdc72
Opcode Fuzzy Hash: bdab0797297c75f1c21d8b741e2a4a45fdd30b50d794ac87e04b62f8df79d3d8
Instruction Fuzzy Hash: CFD0A730110B209FD722AB20DC01BC77BE5BF49700F44056EE48286561D764B990C7C5

Function 0040487D Relevance: 1.5, APIs: 1, Instructions: 9timeCOMMON

Download Yara Rule

APIs

SetFileTime.KERNELBASE(?,?,?,?,0040B88D,00000000,00000000,00000000), ref: 0040488B

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: FileTime
String ID:
API String ID: 1425588814-0
Opcode ID: 1747e296422807fe7e08a4852a4b49f21b7a2dc1fb5098c2f50bc72f35b5ef15
Instruction ID: 097119e42d876942feea11de77e02c88dc52f1d0728cd243263ddf67d0b43124
Opcode Fuzzy Hash: 1747e296422807fe7e08a4852a4b49f21b7a2dc1fb5098c2f50bc72f35b5ef15
Instruction Fuzzy Hash: C9C04C36158205FF8F120F70CC04D1ABBA2EB95311F10C918B169C4070C7328024EB06

Function 00405E43 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

DialogBoxParamW.USER32(?,?,00405DC9,?,00414B4C), ref: 00405E57

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: DialogParam
String ID:
API String ID: 665744214-0
Opcode ID: 258b3f1e7912d4069fa8dddc4f7b2ae2e734b2864e693f1637925099db8f7780
Instruction ID: d99d672b3947a8f7820696ab6f9b1f793f30db75bc89ee9dfad2b3a394f79c79
Opcode Fuzzy Hash: 258b3f1e7912d4069fa8dddc4f7b2ae2e734b2864e693f1637925099db8f7780
Instruction Fuzzy Hash: 22C04C35114342ABCB02DF50DD19C267A61FF95300B54882AB1501007483625424DB55

Function 004040AB Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00403B27), ref: 004040AC

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 3fa9057e520350eb0908adb99f81bb4c9546e7580eefc3b396430a8ff70d2e8f
Instruction ID: 243b1f0a9a099f5e4fd37fbeee605c112d8cbe8a18bd5c6b85c1ff2d1a928ae1
Opcode Fuzzy Hash: 3fa9057e520350eb0908adb99f81bb4c9546e7580eefc3b396430a8ff70d2e8f
Instruction Fuzzy Hash: 6CA022F0A20000C2CB3203303C0800B3B808A80332BB00FB2F330E00E0CB38C80038AC

Function 00404919 Relevance: 1.5, APIs: 1, Instructions: 6fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,0040495E,?,?,?), ref: 0040491B

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: 4877def579187a439d091a120b9cce330d01ec03bb2ce6299276197d0a8db838
Instruction ID: b8ddff0f0ce236edcb9b80f72c6c1c5c59f5cede9ce630d845cafbcf44f1e6be
Opcode Fuzzy Hash: 4877def579187a439d091a120b9cce330d01ec03bb2ce6299276197d0a8db838
Instruction Fuzzy Hash: A0A002703E511B8B8F221F34DD098293BA2EB52B0776417B4B117D94F8DF224419AA45

Function 00403AC7 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE ref: 00403AC9

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 7b92a3730b5fef3cc42d1066d5a852b8a4492f94cdb29db13c9b1ca3bd427707
Instruction ID: 60e4c2d02b9765280195f1672c84df48c3864d808d09589d9af1a8e40566ec74
Opcode Fuzzy Hash: 7b92a3730b5fef3cc42d1066d5a852b8a4492f94cdb29db13c9b1ca3bd427707
Instruction Fuzzy Hash: 78A002A03112459BA6251B315E09F2F266EFEC1BD1745C56C7411C5060EB29C8515666

Function 00406671 Relevance: 1.3, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0040669E

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: b1d23bd8cc2f6b5c6acc5c1a7072e2f56e2b83c1e28e12267b0acb3134d4719e
Instruction ID: 9031adda98efe2f63c70a2b8663eb4d7f69ea420b7051a7302f7c9b69e056c10
Opcode Fuzzy Hash: b1d23bd8cc2f6b5c6acc5c1a7072e2f56e2b83c1e28e12267b0acb3134d4719e
Instruction Fuzzy Hash: 96F0A4712106079BCB24DE10D9009B73768FF04310B114C3AAD07E76A0D73BE8259B98

Function 004046BE Relevance: 1.3, APIs: 1, Instructions: 16COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,00404690), ref: 004046C9

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 8f14f25d0a08195d688ffe9e41955209db87d83e11149b69f25caf95e26f77a6
Instruction ID: 19c5b7b149ef6b78bdf230e37c466ebcbdeb2f2bbca282333fd789e7feab8b70
Opcode Fuzzy Hash: 8f14f25d0a08195d688ffe9e41955209db87d83e11149b69f25caf95e26f77a6
Instruction Fuzzy Hash: 50D0127150416147CA741E7C78445C333D96B533713610BAAF1B1D32E0E37A8C934698

Function 0041F583 Relevance: 1.3, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 0041F591

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1701518ff9cff853d37f100dd6ed6d11e62168be09bf45a01b00f09eaecaa913
Instruction ID: 9d7e77d1fce5533231b394661bdbc009fd232efc5d702a0478458ff6f5489ef5
Opcode Fuzzy Hash: 1701518ff9cff853d37f100dd6ed6d11e62168be09bf45a01b00f09eaecaa913
Instruction Fuzzy Hash: A5C08CE1A4D2809FDF0213108C407303B208B87300F4A00C1E9045B092C6000809C722

Function 0041F4E0 Relevance: 1.3, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0041F4E8

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 7eb0c7e85277742d8eb2c84607b0eda41cd5309b40220591e7394a307975209c
Instruction ID: edb7dee5a5fe1e8978fb62284b1ea4fdb52eb131d262c574b5685380d86b94c4
Opcode Fuzzy Hash: 7eb0c7e85277742d8eb2c84607b0eda41cd5309b40220591e7394a307975209c
Instruction Fuzzy Hash: D8B012B031104002DF3C07342C140673110665020F7C00478B803C0111E71DD06A504D

Function 0041F550 Relevance: 1.3, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0041F558

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: c0cb48ea1e1d75581b2851136fad6e8f8381a5f2131f1520d37978d210b70763
Instruction ID: d6751d571afff6d337c92a84d6b7927b579f73ef18650cdb9c2d1653eab13d70
Opcode Fuzzy Hash: c0cb48ea1e1d75581b2851136fad6e8f8381a5f2131f1520d37978d210b70763
Instruction Fuzzy Hash: 17B012A8A0004012DA140B383C040673133B6D060E7C4C474A40580125FB28F069604D

Function 0041F5A3 Relevance: 1.3, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,00000000,00008000), ref: 0041F5AC

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 0c83439fa4c725d00e38eb752a8bc10cde513a0133cb09a307a7de3e93c184f1
Instruction ID: 0b764dc8d57671a1fc91aa54129727df4719345381b419d6290591ecd97602b2
Opcode Fuzzy Hash: 0c83439fa4c725d00e38eb752a8bc10cde513a0133cb09a307a7de3e93c184f1
Instruction Fuzzy Hash: 87A00278B8070476ED7167306D4FF763624B788F01F7085547251690D4AEE460499A5C

Function 0041F570 Relevance: 1.3, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0041F571

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: e5b61bb752fd1406cda7aa26b58092988b7d5cf5ae00073aa8044059efcb3113
Instruction ID: 2d31d677e3fc248ebea702578755217e4fc8eccf8b0b543ebada156eaa7c33d5
Opcode Fuzzy Hash: e5b61bb752fd1406cda7aa26b58092988b7d5cf5ae00073aa8044059efcb3113
Instruction Fuzzy Hash:

Function 0041F500 Relevance: 1.3, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0041F501

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: db7dec8f591615152b75f9208ac597a2ae6b288c9c2a6b0c6a0495a1f5e63a54
Instruction ID: 13fe2ed5b53cab0bee48690aafe0246fe445695eda3f1e742bd4df4346e8d53c
Opcode Fuzzy Hash: db7dec8f591615152b75f9208ac597a2ae6b288c9c2a6b0c6a0495a1f5e63a54
Instruction Fuzzy Hash:

Non-executed Functions

Function 0040537A Relevance: 4.7, APIs: 3, Instructions: 183timeCOMMON

Download Yara Rule

APIs

FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0040538B
FileTimeToSystemTime.KERNEL32(?,?,?,?), ref: 0040539D
__aullrem.LIBCMT ref: 004054FB

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: Time$File$LocalSystem__aullrem
String ID:
API String ID: 2417234408-0
Opcode ID: 4af20367b5cdc8f32a2167142c7b984cf69ea129b74ea6c3fd0543a715718702
Instruction ID: 9b2a24d50627d2caf7484fe88683b0e843c59621b6a34b61515ffe6e66d34e8b
Opcode Fuzzy Hash: 4af20367b5cdc8f32a2167142c7b984cf69ea129b74ea6c3fd0543a715718702
Instruction Fuzzy Hash: AA51CB72A05355DBD710CF5E94C06EEFBF6EF79210F24805AE884D3282D27A4D5AC720

Function 004045A6 Relevance: 4.6, APIs: 3, Instructions: 86COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004045AB
GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 004045C8
GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 004045F6

Part of subcall function 004020F6: free.MSVCRT ref: 004020FA

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: DriveLogicalStrings$H_prologfree
String ID:
API String ID: 396970233-0
Opcode ID: 870fc058b23bd43a99f2027af3a7be07be430d919b31566bd93727412383ecfb
Instruction ID: 40f0e937e4fca1712a0c0889b8bc5cd9056fd665d0ed9ad76a354fd1a5406f83
Opcode Fuzzy Hash: 870fc058b23bd43a99f2027af3a7be07be430d919b31566bd93727412383ecfb
Instruction Fuzzy Hash: 392171B2E002059BDB14EFA59D85AAFB7B8EF45314F20453FE211B32C1DA7D5A04C669

Function 00425E90 Relevance: 4.0, APIs: 3, Instructions: 230COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,00000000,?,?,00000000,?), ref: 00425ECC
memcpy.MSVCRT(?,00000000,00000040,00000000,?,00000000,?), ref: 00425EEE

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: bdcef5cc755c2b65765fdd23cbf8f8552a0b388de8dbcad399ea5c20001b9d4a
Instruction ID: be7640e2d17d0da69cec5fca855ce1339e5bd66a57267f8e940a65d8363f696e
Opcode Fuzzy Hash: bdcef5cc755c2b65765fdd23cbf8f8552a0b388de8dbcad399ea5c20001b9d4a
Instruction Fuzzy Hash: 1C918CB2A043108FC318DF59E88454BB7E1FFC8314F568A6EE9488B315E335E915CB86

Function 0041A862 Relevance: 3.5, APIs: 2, Instructions: 484COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041A867

Part of subcall function 00419091: _CxxThrowException.MSVCRT(?,00430378), ref: 004190A4

Part of subcall function 004190FD: memcpy.MSVCRT(00000000,?,00000000,?,?,00419681,?,?,00000000,00000000), ref: 00419123

_CxxThrowException.MSVCRT(?,004303B8), ref: 0041ACD2

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: ExceptionThrow$H_prologmemcpy
String ID:
API String ID: 3273695820-0
Opcode ID: f156e4844460ed86659a8bdae370be893c80e34bd91267f952c917e1a65a486b
Instruction ID: 1dcaab9b92b70811f76bcfe7dcfc1ed719c2dfc12bd0dd2abfc21641a6e5128f
Opcode Fuzzy Hash: f156e4844460ed86659a8bdae370be893c80e34bd91267f952c917e1a65a486b
Instruction Fuzzy Hash: 2B227F7090124ADFCF14DFA5C590BEEBBB1BF04304F14806EE419A7252DB78AA95CF96

Function 004200F0 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32 ref: 00420103

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 4744eb24ad6710932659651afa36c41b6db1c79646798b9a43281fea1ba5683c
Instruction ID: 03e42b4b276c969c2af72c0c005ffba7ff52d78708b68ec57d6ccc05fef6e3fb
Opcode Fuzzy Hash: 4744eb24ad6710932659651afa36c41b6db1c79646798b9a43281fea1ba5683c
Instruction Fuzzy Hash: 33E0D8716002458BD7149B15D8026BB73E4BB50708FC8097ED498C1252F73EDB1DC65A

Function 0040592F Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

Part of subcall function 0040591C: GetCurrentProcess.KERNEL32(?,?,0040593D), ref: 00405921
Part of subcall function 0040591C: GetProcessAffinityMask.KERNEL32(00000000), ref: 00405928

GetSystemInfo.KERNEL32(?), ref: 00405953

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: Process$AffinityCurrentInfoMaskSystem
String ID:
API String ID: 3251479945-0
Opcode ID: c0a34ffe727ac158d3eb02d5992bddd5be8d0188b74203df62cf93fa4022d544
Instruction ID: 25077934b5aff40aa6b101f249a075879fb5a09f09fe59fde39d86d8e9b856bd
Opcode Fuzzy Hash: c0a34ffe727ac158d3eb02d5992bddd5be8d0188b74203df62cf93fa4022d544
Instruction Fuzzy Hash: 80D012B0A0050AD7CF14F7A5D446DAF7778DE44328F040079D912F22D1DB74D9458EA8

Function 00401D5A Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

$EC, xrefs: 0042734C

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID:
String ID: $EC
API String ID: 0-2732497988
Opcode ID: 931a59e9bb2cac4f019ed8fad2302ed74e96653f9fffdeac9066dbc5b5a57e1f
Instruction ID: 5ef4e63655a0c897131c4051aca8dfb0919acb341c46533e92abf2e0a1bb7f03
Opcode Fuzzy Hash: 931a59e9bb2cac4f019ed8fad2302ed74e96653f9fffdeac9066dbc5b5a57e1f
Instruction Fuzzy Hash: 7E317337A609164BD74CCB28EC33BB96280E744305B89617EEA4BCB7D1EF6C9801C64C

Function 00423CF0 Relevance: .7, Instructions: 744COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: CriticalSection$EnterEventLeaveObjectSingleWait
String ID:
API String ID: 4060455350-0
Opcode ID: d33fa0af719fe4d40595c29ef95889c7e6692fa52d39ef1143959a1663b408f5
Instruction ID: e7255074088508b2f197b19ba624a4e9a24bd90bce1e94700411c88bb2990fa2
Opcode Fuzzy Hash: d33fa0af719fe4d40595c29ef95889c7e6692fa52d39ef1143959a1663b408f5
Instruction Fuzzy Hash: 4A6213B1A083508FCB24DF19E48062BBBE1FFD8744F948A2EE99987315D774D845CB46

Function 00422366 Relevance: .5, Instructions: 516COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e2a2f0d0f42b76f4f6b833c13a8ac4c9f948a915a86b73f9f3c18f8ea78656a
Instruction ID: 4e8b9c2ed86aeef9b70658028d6a45ccffe5cc12ed8d27813b1da846071be810
Opcode Fuzzy Hash: 5e2a2f0d0f42b76f4f6b833c13a8ac4c9f948a915a86b73f9f3c18f8ea78656a
Instruction Fuzzy Hash: F3023C73B0837047D714CE19DD90229B7E3FBD1380FAA462FE89647394DAB89946C789

Function 00422AA0 Relevance: .5, Instructions: 480COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5ab2d6071ba4f626031de446fa0850a734d69f202f19f46ab4dd51ed20a1283
Instruction ID: 61a39267599ff41eb138a7052bc945cb3060b844d00b39cdfd7622f9a929051f
Opcode Fuzzy Hash: b5ab2d6071ba4f626031de446fa0850a734d69f202f19f46ab4dd51ed20a1283
Instruction Fuzzy Hash: A5024B32B042218BC718CE28D6C027DBBE2FBC5345F510A2FE89697654D7B8D985CB99

Function 00426570 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7a96c1aaf24c8af0ea9d144db609074e883124d20b64139257fbd2e78c5b0ae
Instruction ID: 773246a4f21ee00a3c77d86e8aad08c44626cb74183739e538c6de4e29020b8b
Opcode Fuzzy Hash: a7a96c1aaf24c8af0ea9d144db609074e883124d20b64139257fbd2e78c5b0ae
Instruction Fuzzy Hash: 98D103758043AA4FEB54EF4DFC81239B762EF84301F498639CA500B3A7D678B611D798

Function 00426A60 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95bbf68041f6a309ea1876750805daac2d155b5047d4a53fea4dd49e8b7b885a
Instruction ID: 407bc6de505d00b8198d8542c4792a91f8620c13cfe084bcc47b4b388399c9ff
Opcode Fuzzy Hash: 95bbf68041f6a309ea1876750805daac2d155b5047d4a53fea4dd49e8b7b885a
Instruction Fuzzy Hash: 0FD1CD339546A64FE714DF5CDC80221BBA2ABD8302F4B5679CA541B263C634FA12DBA4

Function 00425C80 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4099da4a2216205fc64cc4b82022cee0677a3829cdfe913caed688f86145e9d0
Instruction ID: b2e9d7da493935494be0ca6660e2f87f0fd1bfe1a5d562eb0c5d8d4fc1df4eb3
Opcode Fuzzy Hash: 4099da4a2216205fc64cc4b82022cee0677a3829cdfe913caed688f86145e9d0
Instruction Fuzzy Hash: 52717AB2A083158FC348DF49E48855AF3E1FFC8318F598A6DE9888B311D771E955CB86

Function 0041FC50 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b31d452cf4fc038398579975b7917bb1ff375609163340ad82824380036c8528
Instruction ID: ff6aeb81e0743867d1bcab476ce981ec43b0d6947151c9a8023e4a2455680639
Opcode Fuzzy Hash: b31d452cf4fc038398579975b7917bb1ff375609163340ad82824380036c8528
Instruction Fuzzy Hash: 1D414833A0422A4BC714CE2C99942BAF7D1ABD5311B19477FC99797381E2249D8FC3D9

Function 0041F230 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 143c61723e4ffab3130a29a76379c9d02878b4e1cb0fdfb73aa060e8a62a191a
Instruction ID: f909df35a120c3ddb9733c5edf484032f59a546f51651308d5cd89b4bdf9ca83
Opcode Fuzzy Hash: 143c61723e4ffab3130a29a76379c9d02878b4e1cb0fdfb73aa060e8a62a191a
Instruction Fuzzy Hash: 7841D031B10A301AB30CCF26AC841666FC3D7C9346785D23DD1A5CA6DDDABDC04BC6A8

Function 004263B0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d24efc165e0a183422bdd108a3fa052590590d9631de2c04fbe31b73398f314
Instruction ID: 43a9c8aa4b605b42ae35a1edcd2fd1f4ca09d74e1ae4b18a31a5ee82433c72b9
Opcode Fuzzy Hash: 3d24efc165e0a183422bdd108a3fa052590590d9631de2c04fbe31b73398f314
Instruction Fuzzy Hash: B3312BB1B046B607E310DE1EAC80126FB93AFC1211F99827BD4948B74AD939A5528695

Function 00427B13 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e781e73348b070714efe4b9f1f387dbcbf5b044bf6c7f23a7a0004d2e0ca769a
Instruction ID: a33af8adbce6e3ccfdd1f44a046a749ba678f075715d8e2b01d76f42186ee2a5
Opcode Fuzzy Hash: e781e73348b070714efe4b9f1f387dbcbf5b044bf6c7f23a7a0004d2e0ca769a
Instruction Fuzzy Hash: 0B41C261818B9652EB234F7CD882262B320BFAB204F00D76AFDD179922FB326544A655

Function 00427CA1 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
Instruction ID: b2161842f3fa5d77dde35637ee4baa6b5dfc08799e1d32f1df75879d22ffac34
Opcode Fuzzy Hash: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
Instruction Fuzzy Hash: 6321C5329146354BCB02CE6EF4C45A7F3A1FFC536AF534727ED8467291C628A85496A0

Function 00427D7B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d88b4545622fc2f48369f3988b55fed1d0241348448e0d26e09a3dd7181b3030
Instruction ID: 6604c4551b8a131c6e7360c6b7a526fdff4bf7066038cfe21cd6221b7ba2f4a5
Opcode Fuzzy Hash: d88b4545622fc2f48369f3988b55fed1d0241348448e0d26e09a3dd7181b3030
Instruction Fuzzy Hash: 202107726184358BC701DF1EF48867BB3E1FFD4319FA38A2BD9858B281C628D845D6A4

Function 004100F2 Relevance: 40.6, APIs: 19, Strings: 4, Instructions: 309windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004100F7
SetWindowTextW.USER32(?,?), ref: 0041010E
GetDlgItem.USER32(?,00000064), ref: 00410121
GetDlgItem.USER32(?,00000067), ref: 0041012D
GetDlgItem.USER32(?,00000066), ref: 00410137
GetDlgItem.USER32(?,00000067), ref: 00410147
ShowWindow.USER32(00000000,00000000), ref: 0041014C
GetDlgItem.USER32(?,00000067), ref: 00410154
EnableWindow.USER32(00000000,00000000), ref: 00410159
SendMessageW.USER32(?,00002005,00000001,00000000), ref: 00410170
SendMessageW.USER32(?,00000143,00000000,?), ref: 004101F5
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00410203
SendMessageW.USER32(?,00001003,00000001,00000000), ref: 00410223
SendMessageW.USER32(?,00001003,00000000,00000000), ref: 00410236
SendMessageW.USER32(?,00001061,00000002,0000000F), ref: 004102D2
SendMessageW.USER32(?,0000101E,00000000,0000FFFF), ref: 0041031F
SendMessageW.USER32(?,00001009,00000000,00000000), ref: 00410335
SetWindowTextW.USER32(?,?), ref: 00410491
PostMessageW.USER32(00000003,00000128,00010002,00000000), ref: 004104A6

Strings

9999 MB, xrefs: 004102FC
2009-09-09 09:09, xrefs: 004102EC
d, xrefs: 004102B3
*.*, xrefs: 0041019E

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: Message$Send$Item$Window$Text$EnableH_prologPostShow
String ID: *.*$2009-09-09 09:09$9999 MB$d
API String ID: 2205015233-1989021564
Opcode ID: fb04c1ddce067206cc86e38e5f1509bec1aec748710c8a99fde4674b662ae389
Instruction ID: fc7961d7d49fade69871298604dee21b5c4306267315d07f1921bc5b025592c0
Opcode Fuzzy Hash: fb04c1ddce067206cc86e38e5f1509bec1aec748710c8a99fde4674b662ae389
Instruction Fuzzy Hash: 08C17D70900309ABDB21EBA1CD46BEEBBB5FF04708F10442EE651762D1DBB96985DB18

Function 00419A39 Relevance: 28.5, APIs: 13, Strings: 3, Instructions: 452COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00419A3E

Part of subcall function 00419268: _CxxThrowException.MSVCRT(?,004303B8), ref: 0041928B

memcpy.MSVCRT(?,?,?,?,?,?,?,?,0000000B,00000000,?,?), ref: 00419E30
_CxxThrowException.MSVCRT(?,004303B8), ref: 00419ECC
_CxxThrowException.MSVCRT(?,004303B8), ref: 00419EE0
_CxxThrowException.MSVCRT(?,004303B8), ref: 00419EF4
_CxxThrowException.MSVCRT(?,004303B8), ref: 00419F08
_CxxThrowException.MSVCRT(?,004303B8), ref: 00419F1C
_CxxThrowException.MSVCRT(?,004303B8), ref: 00419F30
_CxxThrowException.MSVCRT(?,004303B8), ref: 00419F44
_CxxThrowException.MSVCRT(?,004303B8), ref: 00419F58
_CxxThrowException.MSVCRT(?,004303B8), ref: 00419F6C
_CxxThrowException.MSVCRT(?,004303B8), ref: 00419F80
_CxxThrowException.MSVCRT(?,004303B8), ref: 00419F94

Part of subcall function 00419091: _CxxThrowException.MSVCRT(?,00430378), ref: 004190A4

Strings

@, xrefs: 00419C12
, xrefs: 00419C1C
!, xrefs: 00419C3E

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: ExceptionThrow$H_prologmemcpy
String ID: $!$@
API String ID: 3273695820-2517134481
Opcode ID: 3aea2d08f0f494636122d2b97f7f51403b962ff08f9202ea197148bc8bd987e1
Instruction ID: b92d931366b96e333b6f1969fbbd18cc88424578900dfebd92014336e182bb0c
Opcode Fuzzy Hash: 3aea2d08f0f494636122d2b97f7f51403b962ff08f9202ea197148bc8bd987e1
Instruction Fuzzy Hash: 49126B74A05249EFCF14DFA5C5A09EEBBB1BF49304F10845EE845AB352CB38AD81CB58

Function 00420210 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 81librarystringloaderCOMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32 ref: 00420225
GetModuleHandleW.KERNEL32(kernel32.dll,SetDefaultDllDirectories), ref: 00420248
GetProcAddress.KERNEL32(00000000), ref: 0042024F
GetSystemDirectoryW.KERNEL32(?,00000106), ref: 00420275
lstrlenW.KERNEL32(?), ref: 00420296
lstrcatW.KERNEL32(?,.dll,?,00000000), ref: 00420307
LoadLibraryExW.KERNEL32(?,00000000,00000008,?,00000000), ref: 00420315

Strings

\, xrefs: 0042029E
\, xrefs: 004202A9
SetDefaultDllDirectories, xrefs: 0042023E
.dll, xrefs: 00420301
kernel32.dll, xrefs: 00420243

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemVersionlstrcatlstrlen
String ID: .dll$SetDefaultDllDirectories$\$\$kernel32.dll
API String ID: 532070074-471922092
Opcode ID: 1a2d77fbe7f47e51ccaacfd2b6649412b1bf1bc9b9c1e0cd82fe61bcb81d996e
Instruction ID: 83ad1d9d9813f1b0190c04410eec3c4702913240e255888e7c5d758e739ca2e2
Opcode Fuzzy Hash: 1a2d77fbe7f47e51ccaacfd2b6649412b1bf1bc9b9c1e0cd82fe61bcb81d996e
Instruction Fuzzy Hash: 8C21B4313443549BD735DF60AC48BDBB7E8EF58300F84486EE9C193291E7799845CBA9

Function 00410969 Relevance: 19.9, APIs: 13, Instructions: 381windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041096E
SetDlgItemTextW.USER32(00000000,00000065,?), ref: 00410BA5
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 00410BBA
SendMessageW.USER32(?,00001009,00000000,00000000), ref: 00410BC7
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00410D03
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00410D9C
SendMessageW.USER32(?,0000102B,00000000,?), ref: 00410DC8
SendMessageW.USER32(?,00001030,?,00410E7D), ref: 00410DD7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00410DE4
SendMessageW.USER32(?,0000102B,00000000,?), ref: 00410E0E
SendMessageW.USER32(?,00001013,00000000,00000000), ref: 00410E26
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 00410E2F
InvalidateRect.USER32(?,00000000,00000001,?,00410E7D,?,?), ref: 00410E36

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: MessageSend$H_prologInvalidateItemRectText
String ID:
API String ID: 3901109532-0
Opcode ID: ca12edea3dcbd3f57b2269390453b5c97a71e7ec0a6a79f69310fff45bfe7647
Instruction ID: 7a44c218316055f2a1973e9ef08e733a7dc84dfd715ca893daec9c62fa403412
Opcode Fuzzy Hash: ca12edea3dcbd3f57b2269390453b5c97a71e7ec0a6a79f69310fff45bfe7647
Instruction Fuzzy Hash: 31E18C31900218EEDF21EFA1C946BEDBBB0BF14308F1040AEE545B71D2DBB95A85CB58

Function 00406C2B Relevance: 16.4, APIs: 13, Instructions: 196COMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,0042CC44,00000010), ref: 00406C44
memcmp.MSVCRT(?,0042B438,00000010), ref: 00406C61
memcmp.MSVCRT(?,0042B388,00000010), ref: 00406C74

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 716c8fe353742ed8b29bccd4319d3965a741789b70bebf6bbdc8c7a2ee2e3527
Instruction ID: e15056697588e1c9fdfe99527641ddaeb8e699943d0c3e6f7475544813102a75
Opcode Fuzzy Hash: 716c8fe353742ed8b29bccd4319d3965a741789b70bebf6bbdc8c7a2ee2e3527
Instruction Fuzzy Hash: F251B176700724ABE710AE21EC41AB737ACDE20748B51442AFD47A7685E738FE60C7D9

Function 00414AA5 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 72windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00414AAA
MessageBoxW.USER32(00000000,Progress Error,7-Zip,00000010), ref: 00414B92

Part of subcall function 00414BD5: LoadCursorW.USER32(00000000,00007F02), ref: 00414BDF
Part of subcall function 00414BD5: SetCursor.USER32(00000000,?,00414AD5,?,?,00000000,?,?,?,?,00000000,00000000,00000000), ref: 00414BEC

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000001F4,?,?,00000000,?,?,?,?,00000000,00000000,00000000), ref: 00414AF6
SetCursor.USER32(?,?,00000000,?,?,?,?,00000000,00000000,00000000), ref: 00414B17
SetCursor.USER32(?,?,00000000,?,?,?,?,00000000,00000000,00000000), ref: 00414B2C

Strings

Progress Error, xrefs: 00414B8A
7-Zip, xrefs: 00414B85

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: Cursor$H_prologLoadMessageMultipleObjectsWait
String ID: 7-Zip$Progress Error
API String ID: 2069487291-3559664798
Opcode ID: 4ea81027deff449ef729935167bea0273ce01014c86d3dfa2f6b34cee31c389c
Instruction ID: 1b308af0c6fab5660296bc0e0794598d38ce5ee38fefb6f8936b33ae37a45f3c
Opcode Fuzzy Hash: 4ea81027deff449ef729935167bea0273ce01014c86d3dfa2f6b34cee31c389c
Instruction Fuzzy Hash: 5E217171A44209DFCB10DFA4D885BEEBBB0FF18304F50446FE511A3251C7756981CB69

Function 00403F2D Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,FindFirstStreamW), ref: 00403F53
GetProcAddress.KERNEL32(00000000), ref: 00403F5C
GetModuleHandleA.KERNEL32(kernel32.dll,FindNextStreamW), ref: 00403F69
GetProcAddress.KERNEL32(00000000), ref: 00403F6C

Strings

FindNextStreamW, xrefs: 00403F5E
FindFirstStreamW, xrefs: 00403F4B
kernel32.dll, xrefs: 00403F46, 00403F52, 00403F63

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: FindFirstStreamW$FindNextStreamW$kernel32.dll
API String ID: 1646373207-4044117955
Opcode ID: e26824a2c43990c3e38738af90ba79f433061884f98840ad074de67418fbe398
Instruction ID: f6135786c924eca19af7679878007c950061591a856372b756e2a94578c5a963
Opcode Fuzzy Hash: e26824a2c43990c3e38738af90ba79f433061884f98840ad074de67418fbe398
Instruction Fuzzy Hash: 34E0DFB2B0022D378A002BAABD45C27BB9CEA85351351003BB201E3210DBF858018BED

Function 00419557 Relevance: 9.2, APIs: 5, Strings: 1, Instructions: 226COMMON

Download Yara Rule

APIs

Part of subcall function 00419268: _CxxThrowException.MSVCRT(?,004303B8), ref: 0041928B

_CxxThrowException.MSVCRT(?,004303B8), ref: 00419584
_CxxThrowException.MSVCRT(?,004303B8), ref: 004196E0
_CxxThrowException.MSVCRT(?,004303B8), ref: 004196F4
_CxxThrowException.MSVCRT(?,004303B8), ref: 00419735
_CxxThrowException.MSVCRT(?,004303B8), ref: 0041979D

Part of subcall function 004020F6: free.MSVCRT ref: 004020FA

Strings

, xrefs: 0041965A

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: ExceptionThrow$free
String ID:
API String ID: 3129652135-3916222277
Opcode ID: 9627f9222169792647d1afc75a05c2ae5cd1cafc9e6b7e0d8e965309ed989dbd
Instruction ID: d714118d11ce753f4a371c2145e1c50208b8bdaa92f5a1dc909a0b31cf7f65f1
Opcode Fuzzy Hash: 9627f9222169792647d1afc75a05c2ae5cd1cafc9e6b7e0d8e965309ed989dbd
Instruction Fuzzy Hash: 6F918075E003199BCF00DFA9C0A15EEBBB5AF49314F14845FE865A7341C7789E81CBA8

Function 00412EC0 Relevance: 9.1, APIs: 6, Instructions: 141windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00412EC5
GetDlgItem.USER32(00000005,?), ref: 00413015
SetWindowTextW.USER32(00000000,?), ref: 0041301B
SHGetFileInfoW.SHELL32(?,00000080,?,000002B4,00000110), ref: 0041303A
GetDlgItem.USER32(00000005,?), ref: 0041304A
SendMessageW.USER32(00000000,00000170,?,00000000), ref: 0041305A

Part of subcall function 00412E1C: __EH_prolog.LIBCMT ref: 00412E21

Part of subcall function 004020F6: free.MSVCRT ref: 004020FA

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: H_prologItem$FileInfoMessageSendTextWindowfree
String ID:
API String ID: 1023756698-0
Opcode ID: ec5709dea8b7c785b1c49cacfd7581ac81a92977520d2e9a6046ce4c7e6a148e
Instruction ID: 8c0f7fe54a87b8195d95f33ab6938a6b0c4f3fb7e0b758d1b3e023786fea783a
Opcode Fuzzy Hash: ec5709dea8b7c785b1c49cacfd7581ac81a92977520d2e9a6046ce4c7e6a148e
Instruction Fuzzy Hash: 25515F71D00209AADF15EBE1C94ABEEBF79AF04318F00442EE201731D2DB796A59DB64

Function 00411C58 Relevance: 9.0, APIs: 6, Instructions: 44windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000065), ref: 00411C68
SetWindowTextW.USER32(?,?), ref: 00411C79
GetDlgItem.USER32(?,00000064), ref: 00411C80
SetWindowTextW.USER32(00000000,?), ref: 00411C86
SetWindowTextW.USER32(?,?), ref: 00411C8E
SendMessageW.USER32(?,00000143,00000000,?), ref: 00411CAA

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: TextWindow$Item$MessageSend
String ID:
API String ID: 166695626-0
Opcode ID: 95787a42e308a8ca0530aa152f334255a1bf7f60af4ab6a1d089ca84c7d14cde
Instruction ID: 4a49a7d553261a9342894c5700810c205f5fcfa36908dbd4268bb506834cd112
Opcode Fuzzy Hash: 95787a42e308a8ca0530aa152f334255a1bf7f60af4ab6a1d089ca84c7d14cde
Instruction Fuzzy Hash: 06016231200B00AFDB315F56CD85D57BBA6FF847507014429F15646A70C771BC62DF94

Function 00413B6C Relevance: 7.8, APIs: 5, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00405C0C: GetDlgItem.USER32(?,?), ref: 00405C16
Part of subcall function 00405C0C: GetWindowRect.USER32(00000000,?), ref: 00405C21

InvalidateRect.USER32(?,00000000,00000001,00000F3D,?,00000F3C,?), ref: 00413BBB

Part of subcall function 00405B8D: MapDialogRect.USER32(?,00000000), ref: 00405BAC

GetDlgItem.USER32(?,00000067), ref: 00413C08
GetDlgItem.USER32(?,00000066), ref: 00413C1D
GetDlgItem.USER32(?,00000064), ref: 00413C32
MoveWindow.USER32(?,?,?,?,?,00000001,00000065,?,00000000,?), ref: 00413CCE

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: Item$Rect$Window$DialogInvalidateMove
String ID:
API String ID: 3766569201-0
Opcode ID: afc61609b97a343706b2c714c700e57a27c1ad6d506f5d545f3e6b76e13ca0be
Instruction ID: 4dccb021c4230f8c2b6db1240133684513ae9db4c8d3742d670880b25f4ef9be
Opcode Fuzzy Hash: afc61609b97a343706b2c714c700e57a27c1ad6d506f5d545f3e6b76e13ca0be
Instruction Fuzzy Hash: 45A17071A00209AFDF14DFA9CC85AEE7BB6EB88314F10412EF911E7290D775AA50CB44

Function 0041516C Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00415171
EnterCriticalSection.KERNEL32(?,?,?,000003E8,000003E8,00000000), ref: 00415196
LeaveCriticalSection.KERNEL32(?,?,000003E8,000003E8,00000000), ref: 004151F2
SendMessageW.USER32(?,0000101E,00000000,0000FFFF), ref: 00415255
SendMessageW.USER32(?,0000101E,00000001,0000FFFF), ref: 00415265

Part of subcall function 004058BE: __EH_prolog.LIBCMT ref: 004058C3

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: CriticalH_prologMessageSectionSend$EnterLeave
String ID:
API String ID: 2092801393-0
Opcode ID: 8f251b1b9b41ec4111d3eba9c44cd304488512e05738d32df97850f9c1568f50
Instruction ID: 6277e753baa9494ca469ad6eb80d01a8052bb57f49affb331d4937fb25378b26
Opcode Fuzzy Hash: 8f251b1b9b41ec4111d3eba9c44cd304488512e05738d32df97850f9c1568f50
Instruction Fuzzy Hash: 69316F71E00605DFDB21EFA5C881AEEB7B6FF85344F10446EE56693251C7782981CB84

Function 0040897C Relevance: 7.6, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,0042CC44,00000010), ref: 00408995
memcmp.MSVCRT(?,0042B438,00000010), ref: 004089B2
memcmp.MSVCRT(?,0042B3A8,00000010), ref: 004089C5

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: d73cc205fe1b12d27a478ef05c58c44aa49a8432c3d74892311d41773868cbe2
Instruction ID: 2a065281a61c98fa4d20f31188ddfdb55ac3ff03f4ecd62be5633b792b553b51
Opcode Fuzzy Hash: d73cc205fe1b12d27a478ef05c58c44aa49a8432c3d74892311d41773868cbe2
Instruction Fuzzy Hash: 6121C5717402147BD704AA11ED81F7B37A99B60798B50403FFC85AA286EF78ED414699

Function 004124CF Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 91COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004124D4

Part of subcall function 0040557B: __EH_prolog.LIBCMT ref: 00405580
Part of subcall function 0040557B: LoadStringW.USER32(?,00000000,00000100,00000000), ref: 004055B2

Part of subcall function 004020F6: free.MSVCRT ref: 004020FA

Strings

0, xrefs: 0041259B
: , xrefs: 00412521
x, xrefs: 0041259F

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: H_prolog$LoadStringfree
String ID: : $0$x
API String ID: 787671065-2465998972
Opcode ID: 6fc7907ba5f0438e1d497ed487d16a5a1fd9af1e2d0608c8d4557636d590d254
Instruction ID: c7482ba53cd2981b02c956e0771768e0d8630431dae98449b70287df6dad2ad3
Opcode Fuzzy Hash: 6fc7907ba5f0438e1d497ed487d16a5a1fd9af1e2d0608c8d4557636d590d254
Instruction Fuzzy Hash: 13319231D00129AADF05EBE9D9957EEB775AF08308F14802FE411732D1DBBC5A44CB68

Function 0041103B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 00411053
SetWindowTextW.USER32(?,..\), ref: 004110CD

Strings

..\, xrefs: 00411086

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: MessageSendTextWindow
String ID: ..\
API String ID: 893732450-2756224523
Opcode ID: e03ae7195331f317b6899e92dc72dbae49ae85c978df62e52457d33b5528642f
Instruction ID: acbeec5433cf17cb0c9fe11cba2582e2c264cf2c6daf076dffcd53e3ea00e435
Opcode Fuzzy Hash: e03ae7195331f317b6899e92dc72dbae49ae85c978df62e52457d33b5528642f
Instruction Fuzzy Hash: C5113430900380AFDB319B25DC08FF73FA2EB08314F00065AE29266AF1D7B9A9C5DB44

Function 00406521 Relevance: 6.3, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,0042CC44,00000010), ref: 00406537
memcmp.MSVCRT(?,0042B4A8,00000010), ref: 00406552
memcmp.MSVCRT(?,0042B488,00000010), ref: 00406566

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 92905cf85172c85e6551585a0a063fdc95da14ed58f3acb174cd8dca02bb6a7b
Instruction ID: 5373975dee7a807eae5f42c9136b3b97fcc5a790c92c41c433da0545eb44b987
Opcode Fuzzy Hash: 92905cf85172c85e6551585a0a063fdc95da14ed58f3acb174cd8dca02bb6a7b
Instruction Fuzzy Hash: A91103313402147BC710AE11FC42FBA33E88B54758F11843AFD46AA29BF6B8F5608698

Function 00402D7B Relevance: 6.3, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000), ref: 00402DA7
GetLastError.KERNEL32(?,?,00000000,00000000), ref: 00402DB0
_CxxThrowException.MSVCRT(?,0042D080), ref: 00402DCA
MultiByteToWideChar.KERNEL32(?,00000000,?,?,?,?,?,?,00000000,00000000), ref: 00402DEF
_CxxThrowException.MSVCRT(?,0042D080), ref: 00402E05

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: ByteCharExceptionMultiThrowWide$ErrorLast
String ID:
API String ID: 2296236218-0
Opcode ID: b7fc7a5da364c63be2478e767ad97cef0df8fc846a3a351e5724eeb242f35dc9
Instruction ID: a4aa18cd7b7e419e251ab3f0bf2d226299e0d5711fc6350c08e410aa15a413bb
Opcode Fuzzy Hash: b7fc7a5da364c63be2478e767ad97cef0df8fc846a3a351e5724eeb242f35dc9
Instruction Fuzzy Hash: 11114CB1200206BFD724DF55C985E6BB7ADEF84394720813AE918D7390E774AD51CBA8

Function 004104FE Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00405C0C: GetDlgItem.USER32(?,?), ref: 00405C16
Part of subcall function 00405C0C: GetWindowRect.USER32(00000000,?), ref: 00405C21

InvalidateRect.USER32(?,00000000,00000001,0000006E,?), ref: 0041051B

Part of subcall function 00405C8F: GetDlgItem.USER32(?,?), ref: 00405C98
Part of subcall function 00405C8F: MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 00405CB4

Part of subcall function 00405BCB: GetDlgItem.USER32(?,?), ref: 00405BD7
Part of subcall function 00405BCB: GetWindowRect.USER32(00000000,?), ref: 00405BE2

MoveWindow.USER32(?,?,?,?,?,00000001,00000066,?,00000065,?), ref: 004105E2
MoveWindow.USER32(?,?,?,?,?,00000001,00000067,?), ref: 00410613
MoveWindow.USER32(?,?,?,?,?,00000001,00000064,?), ref: 00410649

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: Window$Move$ItemRect$Invalidate
String ID:
API String ID: 378132125-0
Opcode ID: 497ef5ca769b21f2c1cd12e3658a8f3fc7060fceb4e742f7abc1d01a13e96267
Instruction ID: 0cba97a10396c266d585c808ecf9234a07d9ade0f28ce1b8979da8b821ac6780
Opcode Fuzzy Hash: 497ef5ca769b21f2c1cd12e3658a8f3fc7060fceb4e742f7abc1d01a13e96267
Instruction Fuzzy Hash: 5A41DE76A00209BFEF10DFE9CD86EEEBBB9EF48714F008119F615F6191C671A9508B64

Function 0041E6D0 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(004323F0,?,?,?,?,0042A278,000000FF,0041EE2F,?,?,?,?,?,0042A388,000000FF), ref: 0041E6F7
LeaveCriticalSection.KERNEL32(004323F0,?,?,?,?,?,?,0042A278,000000FF,0041EE2F,?,?,?,?,?,0042A388), ref: 0041E74A

Part of subcall function 0041E460: memmove.MSVCRT(?,?,FFFFFFE0,?,?,?,?,00000000,0041E710,?,?,?,?,?,0042A278,000000FF), ref: 0041E4C7

Strings

#C, xrefs: 0041E716
#C, xrefs: 0041E73B

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: CriticalSection$EnterLeavememmove
String ID: #C$#C
API String ID: 572680541-4107556936
Opcode ID: 00a9cf9867428ef29c153c5ad89e2b6456ef84ac1a1527bba193c3276c626024
Instruction ID: 6a956b2a0aaa4a7bba4165c43aa79d0ec1b832aca7821ab1c235c8850d13b05c
Opcode Fuzzy Hash: 00a9cf9867428ef29c153c5ad89e2b6456ef84ac1a1527bba193c3276c626024
Instruction Fuzzy Hash: 1B012639341210FBD6206B2B9D06BEB77A9EF89768F00451FFD2153381DBBC188947A9

Function 0040578A Relevance: 6.0, APIs: 4, Instructions: 40COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040578F
CoInitialize.OLE32(00000000), ref: 004057A0
SHBrowseForFolderW.SHELL32 ref: 004057AA
CoUninitialize.OLE32 ref: 004057E2

Part of subcall function 004056EA: __EH_prolog.LIBCMT ref: 004056EF
Part of subcall function 004056EA: SHGetMalloc.SHELL32(00000000), ref: 0040570A
Part of subcall function 004056EA: _CxxThrowException.MSVCRT(?,0042D080), ref: 00405724

Part of subcall function 00405755: SHGetPathFromIDListW.SHELL32 ref: 00405771

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: H_prolog$BrowseExceptionFolderFromInitializeListMallocPathThrowUninitialize
String ID:
API String ID: 2234105922-0
Opcode ID: 5486295b442ce2d74fcf763b2590a6b2fc931f95c9f38f54c665f7f218145bb7
Instruction ID: efd3bca53dad38535348f61485822574344f4a1531d32ac46a4fb8411c20d85d
Opcode Fuzzy Hash: 5486295b442ce2d74fcf763b2590a6b2fc931f95c9f38f54c665f7f218145bb7
Instruction Fuzzy Hash: 7B01A271A01254EFC714EBA898585EEBBB8EF44304F1440BFE401B3351DA745E05CB75

Function 00403F7A Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00403E32: FindClose.KERNEL32(?,?,00403E63), ref: 00403E3D

SetLastError.KERNEL32(00000078), ref: 00403F9A
SetLastError.KERNEL32(00000000), ref: 00403FA4
FindFirstStreamW.KERNELBASE(?,00000000,?,00000000), ref: 00403FB8
GetLastError.KERNEL32 ref: 00403FC5

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: ErrorLast$Find$CloseFirstStream
String ID:
API String ID: 4071060300-0
Opcode ID: 2968890746f7810fdcd9cd4d73bf507cf8724a70549a584c2cf7f7940bb943a6
Instruction ID: f4f22adc8bd8525b5b0143cd18e6cacc112ebf8a93910cebcc9a6da8f05eabb3
Opcode Fuzzy Hash: 2968890746f7810fdcd9cd4d73bf507cf8724a70549a584c2cf7f7940bb943a6
Instruction Fuzzy Hash: A9F0A930A0020697CB305F64DC0DB9A3B7D9B11327F100236F669B51D0DBB86A86CB5D

Function 004125E9 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 269COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004125EE

Strings

'', xrefs: 0041287F
Warning, xrefs: 0041266A

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: H_prolog
String ID: ''$Warning
API String ID: 3519838083-3383353200
Opcode ID: 3b392bbd84ff73e3c79dcacaba275077c192d9d5ed01008f3bc97dbea7e19a09
Instruction ID: 5182bb13069c1475451c857675dbbf687b08e2cccbaa545a54830e7a88241665
Opcode Fuzzy Hash: 3b392bbd84ff73e3c79dcacaba275077c192d9d5ed01008f3bc97dbea7e19a09
Instruction Fuzzy Hash: 01B1E330A00208DBCF14EBA5C645AEEB7B1BF44318F14806FE415B72D2CBB85E96DB59

Function 0040E30D Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 206COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040E312

Strings

Unknown error, xrefs: 0040E442, 0040E447
Unknown warning, xrefs: 0040E4A0, 0040E4A5

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: H_prolog
String ID: Unknown error$Unknown warning
API String ID: 3519838083-4291957651
Opcode ID: 75fb67ca24e09b75ad36949949bfea7628467a8c00dde5fd4ad116d27cc668d1
Instruction ID: acad7666b25d64218f40ab4b89a0dea462db87e38a77e492c6199787b60f783f
Opcode Fuzzy Hash: 75fb67ca24e09b75ad36949949bfea7628467a8c00dde5fd4ad116d27cc668d1
Instruction Fuzzy Hash: DB915E71900609DBCB14DFA5C990AEEBBF5FF48304F50896EE41AA7280D774AE19CB58

Function 004157A3 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004157A8

Part of subcall function 00415994: __EH_prolog.LIBCMT ref: 00415999

Part of subcall function 004020F6: free.MSVCRT ref: 004020FA

Strings

__FILE__.001, xrefs: 0041585E
__DIR__, xrefs: 004158DC

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: H_prolog$free
String ID: __DIR__$__FILE__.001
API String ID: 2654054672-545012136
Opcode ID: 7fa886799a6688661a802810579431e1c69997b7b3765121f2fd9e790a1f5201
Instruction ID: 9bd3aea674f2f1d0a29268e1043e136db8f39a1e8cec5fe702c1aa3c329a8c15
Opcode Fuzzy Hash: 7fa886799a6688661a802810579431e1c69997b7b3765121f2fd9e790a1f5201
Instruction Fuzzy Hash: 6A419334A0050ADBDB14EF59C441AFEB3B9FF88358F10801EE955A7291DB38AD96CB58

Function 00412254 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00412259

Strings

Error #, xrefs: 00412350
: , xrefs: 00412368, 00412374, 004123A2

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: H_prolog
String ID: : $Error #
API String ID: 3519838083-3172960709
Opcode ID: 36396dabeb85ff067e73ff58afb7a7fb3499e5896fc00c6c8230ea54b1e985c6
Instruction ID: 7e16575449e5e5afd87125bda2bbe4c1ffa7a421fe17dc60127094f732e619c5
Opcode Fuzzy Hash: 36396dabeb85ff067e73ff58afb7a7fb3499e5896fc00c6c8230ea54b1e985c6
Instruction Fuzzy Hash: 18410231E00118DADB14AAA5CA147EEB765EF44314F14847BE814B32D1CBFC0E92D7AA

Function 00412996 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041299B

Strings

Warnings, xrefs: 004129FE
Warning, xrefs: 00412A6C

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: H_prolog
String ID: Warning$Warnings
API String ID: 3519838083-1940404325
Opcode ID: bc2af719133f59bda48cc424bd7a945d79c2168c7dad806e28f7960fd583e0fc
Instruction ID: 6528afc71aed1263ac31944f2d0965ed360a2944fe157d92987d6118e04ac729
Opcode Fuzzy Hash: bc2af719133f59bda48cc424bd7a945d79c2168c7dad806e28f7960fd583e0fc
Instruction Fuzzy Hash: A831D671B002159BCB15BB9AD6557EEB6B6AF80314F14822FD025A22E1CFFC0A46D718

Function 0040A876 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040A87B
GetLastError.KERNEL32(?), ref: 0040A887

Part of subcall function 0040397E: __EH_prolog.LIBCMT ref: 00403983

Part of subcall function 004020F6: free.MSVCRT ref: 004020FA

Strings

: , xrefs: 0040A8A2

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: H_prolog$ErrorLastfree
String ID: :
API String ID: 683690243-3653984579
Opcode ID: 07d0d72f9fd4bbe0229933527eadf047e911c3690d7b561f07fbe69d22b98bf7
Instruction ID: 35ebbcb7a019875166bfd37de68e441eed840bfa0d0441ae627b438c0f9232ff
Opcode Fuzzy Hash: 07d0d72f9fd4bbe0229933527eadf047e911c3690d7b561f07fbe69d22b98bf7
Instruction Fuzzy Hash: F401A572E00215DBCB15FBA5D50AADEBB75AF54318F10806EE501B32D1CF798A05D794

Function 00414B6C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00426230: WaitForSingleObject.KERNEL32(?,000000FF,00414B7B,00000061,00000000,?,?,?,00000000,?,?,?,?,00000000,00000000,00000000), ref: 00426233

MessageBoxW.USER32(00000000,Progress Error,7-Zip,00000010), ref: 00414B92

Strings

Progress Error, xrefs: 00414B8A
7-Zip, xrefs: 00414B85

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: MessageObjectSingleWait
String ID: 7-Zip$Progress Error
API String ID: 102643358-3559664798
Opcode ID: 38930b4bdfafac6aaf9d2c626ea4f83c9ad4c42e43d9037f993755df5fe4efc3
Instruction ID: 9f618321a064bca9d79c8c4edc47689a83b4718d4eaf77f73b72a10906046790
Opcode Fuzzy Hash: 38930b4bdfafac6aaf9d2c626ea4f83c9ad4c42e43d9037f993755df5fe4efc3
Instruction Fuzzy Hash: 27E0DF32B40344DFDB10DF58E892BEEB7B0EF58310F40406BE81163282C3756810CA14

Function 0040A198 Relevance: 5.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,0042CC44,00000010), ref: 0040A1AE
memcmp.MSVCRT(?,0042B308,00000010), ref: 0040A1C2
memcmp.MSVCRT(?,0042B318,00000010), ref: 0040A1E0
memcmp.MSVCRT(?,0042B448,00000010), ref: 0040A1FE

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 59a8aefdbc1b769384d4a04c8d3f5e938b2fea18fadd38afcefccbfc237923b5
Instruction ID: 2c087003b267337e09e524d6be62c0259019d433c18c3e9d8c795e18c40217a0
Opcode Fuzzy Hash: 59a8aefdbc1b769384d4a04c8d3f5e938b2fea18fadd38afcefccbfc237923b5
Instruction Fuzzy Hash: 5811E13238030467C7149A15AC02FBA33E99B94718F54843EFD05AB3C7F6B9F960929A

Function 0040FB5D Relevance: 5.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,0042CC44,00000010), ref: 0040FB73
memcmp.MSVCRT(?,0042B2F8,00000010), ref: 0040FB87
memcmp.MSVCRT(?,0042B2D8,00000010), ref: 0040FBA5
memcmp.MSVCRT(?,0042B318,00000010), ref: 0040FBC3

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: c961b534b2c62400157584b1bfbba692ebe8e0b7334d49cecf28d4b2356afdc1
Instruction ID: 7037899fdcd77d3a0f501dc929058300569b2a973e803621f66b46ac4a23f5ab
Opcode Fuzzy Hash: c961b534b2c62400157584b1bfbba692ebe8e0b7334d49cecf28d4b2356afdc1
Instruction Fuzzy Hash: E211253134430067C7249A11EC42FBA33F88B94708F14843AFD45AF6C2FBB8F9548A99

Function 004018A8 Relevance: 5.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,0042CC44,00000010), ref: 004018BE
memcmp.MSVCRT(?,0042B288,00000010), ref: 004018D9
memcmp.MSVCRT(?,0042B278,00000010), ref: 004018ED

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 26aab78c485a6f09fb4d025bc73d79a2e8cd174819d2a5a5eed03a278b9ee622
Instruction ID: 2fd627cda4e7d669abc1864bd1733abe8044ade2867e8e41ffb13ea191a1f5ab
Opcode Fuzzy Hash: 26aab78c485a6f09fb4d025bc73d79a2e8cd174819d2a5a5eed03a278b9ee622
Instruction Fuzzy Hash: E5010472740304BBC7145A15AC02F7A33E89B64719F10443EFD85AB2A6E6B8A550D29C

Function 004132D7 Relevance: 5.0, APIs: 4, Instructions: 28sleepCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,00413433,?,?,?,?,?,?,?,?,?,?,00412227), ref: 004132E9
LeaveCriticalSection.KERNEL32(?,?,?,00413433,?,?,?,?,?,?,?,?,?,?,00412227,?), ref: 004132F7
Sleep.KERNEL32(00000064,?,?,00413433,?,?,?,?,?,?,?,?,?,?,00412227,?), ref: 004132FF
LeaveCriticalSection.KERNEL32(?,?,?,00413433,?,?,?,?,?,?,?,?,?,?,00412227,?), ref: 00413312

Memory Dump Source

Source File: 00000000.00000002.2082017354.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2082005755.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082037340.000000000042B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082051201.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2082063651.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_nteste.jbxd

Similarity

API ID: CriticalSection$Leave$EnterSleep
String ID:
API String ID: 4275215032-0
Opcode ID: 2e947b979be4488679223019f4bb05689ab22b974430e6dcf8f0d0a95324fdd9
Instruction ID: 26e0ca0b752039b406c11194da8d39c8ff686cbcf791325fce2bae1386f61067
Opcode Fuzzy Hash: 2e947b979be4488679223019f4bb05689ab22b974430e6dcf8f0d0a95324fdd9
Instruction Fuzzy Hash: D7E09B73B00310ABD3326BA49C4CBEBBB74D745752F04006FE7569611087681887D3AD

Description:	Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.
Tactics:	Initial Access
Data Sources:	Application Log: Application Log Content, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Google Workspace, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report nteste.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\Desktop\CamScanner 23-10-2024 19.12.pdf

C:\Users\user\Desktop\CamScanner 23-10-2024 19.13.pdf

C:\Users\user\Desktop\doc08192220241029173958.pdf

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

DNS Answers

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: nteste.exePID: 3556, Parent PID: 1028

General

Chronological Activities

Disassembly

Analysis Process: nteste.exePID: 3556, Parent PID: 1028COMMON

Execution Graph

Graph

Executed Functions

Windows Analysis Report
nteste.exe

Function 0040195E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40
libraryloaderCOMMON

Function 0040C507 Relevance: 6.6, APIs: 4, Instructions: 648
COMMON

Function 004134A3 Relevance: 6.1, APIs: 4, Instructions: 118
comCOMMON

Function 0041417F Relevance: 37.4, APIs: 18, Strings: 3, Instructions: 608
COMMON

Function 00413894 Relevance: 31.7, APIs: 21, Instructions: 202
windowtimeCOMMON

Function 00414C08 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 126
windowCOMMON

Function 004277C6 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 111
COMMON

Function 00401039 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 459
comCOMMON

Function 0040595E Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 47
libraryloaderCOMMON

Function 0041384A Relevance: 9.0, APIs: 6, Instructions: 35
COMMON

Function 0040EEDC Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 260
COMMON

Function 00415A42 Relevance: 7.5, APIs: 5, Instructions: 38
windowCOMMON

Function 004040BA Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 295
COMMON

Function 004192DC Relevance: 6.2, APIs: 4, Instructions: 154
COMMON

Function 0040CF80 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 352
COMMON