Edit tour

Windows Analysis Report
LOI REQUEST.exe

Overview

General Information

Sample name:	LOI REQUEST.exe
Analysis ID:	1562310
MD5:	8dad2a83f4440c44bbb9a47c18752626
SHA1:	8d702707d4fe17b7bbe96fdcb20e3cdd6e5d0104
SHA256:	fce3183e9d396e2fe176392fbdcd765daa5154aa9187a7dbbdde77c38dd1e079
Tags:	exeFormbookuser-adrian__luca
Infos:

Detection

FormBook

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evaded block containing many API calls

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

LOI REQUEST.exe (PID: 5876 cmdline: "C:\Users\user\Desktop\LOI REQUEST.exe" MD5: 8DAD2A83F4440C44BBB9A47C18752626)

svchost.exe (PID: 3868 cmdline: "C:\Users\user\Desktop\LOI REQUEST.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.1698285609.00000000003A0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.1698899133.0000000003350000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.svchost.exe.3a0000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
5.2.svchost.exe.3a0000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\LOI REQUEST.exe", CommandLine: "C:\Users\user\Desktop\LOI REQUEST.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\LOI REQUEST.exe", ParentImage: C:\Users\user\Desktop\LOI REQUEST.exe, ParentProcessId: 5876, ParentProcessName: LOI REQUEST.exe, ProcessCommandLine: "C:\Users\user\Desktop\LOI REQUEST.exe", ProcessId: 3868, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\LOI REQUEST.exe", CommandLine: "C:\Users\user\Desktop\LOI REQUEST.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\LOI REQUEST.exe", ParentImage: C:\Users\user\Desktop\LOI REQUEST.exe, ParentProcessId: 5876, ParentProcessName: LOI REQUEST.exe, ProcessCommandLine: "C:\Users\user\Desktop\LOI REQUEST.exe", ProcessId: 3868, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: LOI REQUEST.exe

ReversingLabs: Detection: 52%

Yara detected FormBook

Source: Yara match	File source: 5.2.svchost.exe.3a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.3a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1698285609.00000000003A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1698899133.0000000003350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: LOI REQUEST.exe

Joe Sandbox ML: detected

Source: LOI REQUEST.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: LOI REQUEST.exe, 00000000.00000003.1274926966.0000000003E80000.00000004.00001000.00020000.00000000.sdmp, LOI REQUEST.exe, 00000000.00000003.1274546618.0000000004020000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1664121987.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1698521682.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1698521682.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1666333853.0000000002E00000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: LOI REQUEST.exe, 00000000.00000003.1274926966.0000000003E80000.00000004.00001000.00020000.00000000.sdmp, LOI REQUEST.exe, 00000000.00000003.1274546618.0000000004020000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000005.00000003.1664121987.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1698521682.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1698521682.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1666333853.0000000002E00000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_00456CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00456CA9
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_004560DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_004560DD
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_004563F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_004563F9
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_0045EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0045EB60
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_0045F56F FindFirstFileW,FindClose,	0_2_0045F56F
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_0045F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0045F5FA
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_00461B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00461B2F
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_00461C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00461C8A
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_00461F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00461F94

Source: C:\Users\user\Desktop\LOI REQUEST.exe

Code function: 0_2_00464EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00464EB5

Source: C:\Users\user\Desktop\LOI REQUEST.exe

Code function: 0_2_00466B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00466B0C

Source: C:\Users\user\Desktop\LOI REQUEST.exe

Code function: 0_2_00466D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00466D07

Source: C:\Users\user\Desktop\LOI REQUEST.exe

0_2_00466B0C

Source: C:\Users\user\Desktop\LOI REQUEST.exe

Code function: 0_2_00452B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00452B37

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 5.2.svchost.exe.3a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.3a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1698285609.00000000003A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1698899133.0000000003350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00413D19
Source: LOI REQUEST.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: LOI REQUEST.exe, 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_74ec6a66-7
Source: LOI REQUEST.exe, 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: DSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_e0629bfe-9
Source: LOI REQUEST.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_be802d55-0
Source: LOI REQUEST.exe	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_befa8cf1-d

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_003CC9E3 NtClose,	5_2_003CC9E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_003A191B NtProtectVirtualMemory,	5_2_003A191B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072B60 NtClose,LdrInitializeThunk,	5_2_03072B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072DF0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_03072DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030735C0 NtCreateMutant,LdrInitializeThunk,	5_2_030735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03074340 NtSetContextThread,	5_2_03074340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03074650 NtSuspendThread,	5_2_03074650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072B80 NtQueryInformationFile,	5_2_03072B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072BA0 NtEnumerateValueKey,	5_2_03072BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072BE0 NtQueryValueKey,	5_2_03072BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072BF0 NtAllocateVirtualMemory,	5_2_03072BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072AB0 NtWaitForSingleObject,	5_2_03072AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072AD0 NtReadFile,	5_2_03072AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072AF0 NtWriteFile,	5_2_03072AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072F30 NtCreateSection,	5_2_03072F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072F60 NtCreateProcessEx,	5_2_03072F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072F90 NtProtectVirtualMemory,	5_2_03072F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072FA0 NtQuerySection,	5_2_03072FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072FB0 NtResumeThread,	5_2_03072FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072FE0 NtCreateFile,	5_2_03072FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072E30 NtWriteVirtualMemory,	5_2_03072E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072E80 NtReadVirtualMemory,	5_2_03072E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072EA0 NtAdjustPrivilegesToken,	5_2_03072EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072EE0 NtQueueApcThread,	5_2_03072EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072D00 NtSetInformationFile,	5_2_03072D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072D10 NtMapViewOfSection,	5_2_03072D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072D30 NtUnmapViewOfSection,	5_2_03072D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072DB0 NtEnumerateKey,	5_2_03072DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072DD0 NtDelayExecution,	5_2_03072DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072C00 NtQueryInformationProcess,	5_2_03072C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072C60 NtCreateKey,	5_2_03072C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072C70 NtFreeVirtualMemory,	5_2_03072C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072CA0 NtQueryInformationToken,	5_2_03072CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072CC0 NtQueryVirtualMemory,	5_2_03072CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072CF0 NtOpenProcess,	5_2_03072CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03073010 NtOpenDirectoryObject,	5_2_03073010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03073090 NtSetValueKey,	5_2_03073090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030739B0 NtGetContextThread,	5_2_030739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03073D10 NtOpenProcessToken,	5_2_03073D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03073D70 NtOpenThread,	5_2_03073D70

Source: C:\Users\user\Desktop\LOI REQUEST.exe

Code function: 0_2_00456606: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00456606

Source: C:\Users\user\Desktop\LOI REQUEST.exe

Code function: 0_2_0044ACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_0044ACC5

Source: C:\Users\user\Desktop\LOI REQUEST.exe

Code function: 0_2_004579D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_004579D3

Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_0043B043	0_2_0043B043
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_00423200	0_2_00423200
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_0044410F	0_2_0044410F
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_004302A4	0_2_004302A4
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_0041E3E3	0_2_0041E3E3
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_0044038E	0_2_0044038E
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_0044467F	0_2_0044467F
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_004306D9	0_2_004306D9
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_0047AACE	0_2_0047AACE
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_00444BEF	0_2_00444BEF
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_0043CCC1	0_2_0043CCC1
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_0041AF50	0_2_0041AF50
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_00416F07	0_2_00416F07
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_0042B11F	0_2_0042B11F
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_0043D1B9	0_2_0043D1B9
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_004731BC	0_2_004731BC
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_0044724D	0_2_0044724D
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_0043123A	0_2_0043123A
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_004513CA	0_2_004513CA
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_004193F0	0_2_004193F0
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_0042F563	0_2_0042F563
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_004196C0	0_2_004196C0
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_0045B6CC	0_2_0045B6CC
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_004177B0	0_2_004177B0
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_004479C9	0_2_004479C9
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_0042FA57	0_2_0042FA57
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_00419B60	0_2_00419B60
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_00423B70	0_2_00423B70
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_00417D19	0_2_00417D19
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_0042FE6F	0_2_0042FE6F
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_00439ED0	0_2_00439ED0
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_00417FA3	0_2_00417FA3
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_01659238	0_2_01659238
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_003A3050	5_2_003A3050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_003CF083	5_2_003CF083
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_003B0163	5_2_003B0163
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_003B6B13	5_2_003B6B13
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_003B6B0E	5_2_003B6B0E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_003A2B70	5_2_003A2B70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_003A2B66	5_2_003A2B66
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_003B0383	5_2_003B0383
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_003AE383	5_2_003AE383
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_003AE4D3	5_2_003AE4D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_003AE4D1	5_2_003AE4D1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_003A2750	5_2_003A2750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_003A274A	5_2_003A274A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030FA352	5_2_030FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0304E3F0	5_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_031003E6	5_2_031003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030E0274	5_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030C02C0	5_2_030C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03030100	5_2_03030100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DA118	5_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030C8158	5_2_030C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030F41A2	5_2_030F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_031001AA	5_2_031001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030F81CC	5_2_030F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030D2000	5_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03064750	5_2_03064750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040770	5_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303C7C0	5_2_0303C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305C6E0	5_2_0305C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040535	5_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03100591	5_2_03100591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030E4420	5_2_030E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030F2446	5_2_030F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030EE4F6	5_2_030EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030FAB40	5_2_030FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030F6BD7	5_2_030F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303EA80	5_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03056962	5_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030429A0	5_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0310A9A6	5_2_0310A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0304A840	5_2_0304A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03042840	5_2_03042840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030268B8	5_2_030268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306E8F0	5_2_0306E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03082F28	5_2_03082F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03060F30	5_2_03060F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030E2F30	5_2_030E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B4F40	5_2_030B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030BEFA0	5_2_030BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03032FC8	5_2_03032FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0304CFE0	5_2_0304CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030FEE26	5_2_030FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040E59	5_2_03040E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03052E90	5_2_03052E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030FCE93	5_2_030FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030FEEDB	5_2_030FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0304AD00	5_2_0304AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DCD1F	5_2_030DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03058DBF	5_2_03058DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303ADE0	5_2_0303ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040C00	5_2_03040C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030E0CB5	5_2_030E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03030CF2	5_2_03030CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030F132D	5_2_030F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0302D34C	5_2_0302D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0308739A	5_2_0308739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030452A0	5_2_030452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305B2C0	5_2_0305B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030E12ED	5_2_030E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0307516C	5_2_0307516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0302F172	5_2_0302F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0310B16B	5_2_0310B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0304B1B0	5_2_0304B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030EF0CC	5_2_030EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030470C0	5_2_030470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030F70E9	5_2_030F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030FF0E0	5_2_030FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030FF7B0	5_2_030FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030F16CC	5_2_030F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030F7571	5_2_030F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DD5B0	5_2_030DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030FF43F	5_2_030FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03031460	5_2_03031460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030FFB76	5_2_030FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305FB80	5_2_0305FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B5BF0	5_2_030B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0307DBF9	5_2_0307DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030FFA49	5_2_030FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030F7A46	5_2_030F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B3A6C	5_2_030B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DDAAC	5_2_030DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03085AA0	5_2_03085AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030E1AA3	5_2_030E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030EDAC6	5_2_030EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030D5910	5_2_030D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03049950	5_2_03049950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305B950	5_2_0305B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030AD800	5_2_030AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030438E0	5_2_030438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030FFF09	5_2_030FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03041F92	5_2_03041F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030FFFB1	5_2_030FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03049EB0	5_2_03049EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03043D40	5_2_03043D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030F1D5A	5_2_030F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030F7D73	5_2_030F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305FDC0	5_2_0305FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B9C32	5_2_030B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030FFCF2	5_2_030FFCF2

Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: String function: 0043F8A0 appears 35 times
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: String function: 00436AC0 appears 42 times
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: String function: 0042EC2F appears 68 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 030AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0302B970 appears 277 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 030BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03075130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03087E54 appears 102 times

Source: LOI REQUEST.exe, 00000000.00000003.1277537286.000000000419D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs LOI REQUEST.exe
Source: LOI REQUEST.exe, 00000000.00000003.1277310401.0000000003FF3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs LOI REQUEST.exe

Source: LOI REQUEST.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal80.troj.evad.winEXE@3/2@0/0

Source: C:\Users\user\Desktop\LOI REQUEST.exe

Code function: 0_2_0045CE7A GetLastError,FormatMessageW,

0_2_0045CE7A

Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_0044AB84 AdjustTokenPrivileges,CloseHandle,		0_2_0044AB84
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_0044B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_0044B134

Source: C:\Users\user\Desktop\LOI REQUEST.exe

Code function: 0_2_0045E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0045E1FD

Source: C:\Users\user\Desktop\LOI REQUEST.exe

Code function: 0_2_00456532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,

0_2_00456532

Source: C:\Users\user\Desktop\LOI REQUEST.exe

Code function: 0_2_0046C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,

0_2_0046C18C

Source: C:\Users\user\Desktop\LOI REQUEST.exe

Code function: 0_2_0041406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_0041406B

Source: C:\Users\user\Desktop\LOI REQUEST.exe

File created: C:\Users\user~1\AppData\Local\Temp\aut9044.tmp

Jump to behavior

Source: LOI REQUEST.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\LOI REQUEST.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: LOI REQUEST.exe

ReversingLabs: Detection: 52%

Source: unknown	Process created: C:\Users\user\Desktop\LOI REQUEST.exe "C:\Users\user\Desktop\LOI REQUEST.exe"
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\LOI REQUEST.exe"
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\LOI REQUEST.exe"	Jump to behavior

Source: C:\Users\user\Desktop\LOI REQUEST.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: LOI REQUEST.exe

Static file information: File size 1209344 > 1048576

Source: LOI REQUEST.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: LOI REQUEST.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: LOI REQUEST.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: LOI REQUEST.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: LOI REQUEST.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: LOI REQUEST.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: LOI REQUEST.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: LOI REQUEST.exe, 00000000.00000003.1274926966.0000000003E80000.00000004.00001000.00020000.00000000.sdmp, LOI REQUEST.exe, 00000000.00000003.1274546618.0000000004020000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1664121987.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1698521682.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1698521682.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1666333853.0000000002E00000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: LOI REQUEST.exe, 00000000.00000003.1274926966.0000000003E80000.00000004.00001000.00020000.00000000.sdmp, LOI REQUEST.exe, 00000000.00000003.1274546618.0000000004020000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000005.00000003.1664121987.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1698521682.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1698521682.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1666333853.0000000002E00000.00000004.00000020.00020000.00000000.sdmp

Source: LOI REQUEST.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: LOI REQUEST.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: LOI REQUEST.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: LOI REQUEST.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: LOI REQUEST.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\LOI REQUEST.exe

Code function: 0_2_0042E01E LoadLibraryA,GetProcAddress,

0_2_0042E01E

Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_00436B05 push ecx; ret	0_2_00436B18
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_003B6857 push esp; iretd	5_2_003B6858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_003AD8D0 push esp; iretd	5_2_003AD8D1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_003A51E6 push esp; retf	5_2_003A5205
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_003A32C0 push eax; ret	5_2_003A32C2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_003B4B13 pushad ; iretd	5_2_003B4B78
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_003AD352 push dword ptr [ebp-59622DFFh]; iretd	5_2_003AD358
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_003B4BA2 pushad ; iretd	5_2_003B4B78
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_003B4B85 pushad ; iretd	5_2_003B4B78
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_003B64A9 push es; retf	5_2_003B64BD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_003B6505 push es; retf	5_2_003B64BD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_003B3653 push ebx; retf	5_2_003B369C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030309AD push ecx; mov dword ptr [esp], ecx	5_2_030309B6

Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_00478111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00478111
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_0042EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0042EB42

Source: C:\Users\user\Desktop\LOI REQUEST.exe

Code function: 0_2_0043123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0043123A

Source: C:\Users\user\Desktop\LOI REQUEST.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\LOI REQUEST.exe

API/Special instruction interceptor: Address: 1658E5C

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 5_2_0307096E rdtsc

5_2_0307096E

Source: C:\Users\user\Desktop\LOI REQUEST.exe	Evaded block: after key decision			graph_0-94039
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Evaded block: after key decision			graph_0-94914

Source: C:\Users\user\Desktop\LOI REQUEST.exe	API coverage: 4.4 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.6 %

Source: C:\Windows\SysWOW64\svchost.exe TID: 6592

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_00456CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00456CA9
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_004560DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_004560DD
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_004563F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_004563F9
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_0045EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0045EB60
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_0045F56F FindFirstFileW,FindClose,	0_2_0045F56F
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_0045F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0045F5FA
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_00461B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00461B2F
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_00461C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00461C8A
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_00461F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00461F94

Source: C:\Users\user\Desktop\LOI REQUEST.exe

Code function: 0_2_0042DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0042DDC0

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 5_2_0307096E rdtsc

5_2_0307096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 5_2_003B7AA3 LdrLoadDll,

5_2_003B7AA3

Source: C:\Users\user\Desktop\LOI REQUEST.exe

Code function: 0_2_00466AAF BlockInput,

0_2_00466AAF

Source: C:\Users\user\Desktop\LOI REQUEST.exe

Code function: 0_2_00413D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00413D19

Source: C:\Users\user\Desktop\LOI REQUEST.exe

Code function: 0_2_00443920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

0_2_00443920

Source: C:\Users\user\Desktop\LOI REQUEST.exe

Code function: 0_2_0042E01E LoadLibraryA,GetProcAddress,

0_2_0042E01E

Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_01659128 mov eax, dword ptr fs:[00000030h]	0_2_01659128
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_016590C8 mov eax, dword ptr fs:[00000030h]	0_2_016590C8
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_01657A98 mov eax, dword ptr fs:[00000030h]	0_2_01657A98
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306A30B mov eax, dword ptr fs:[00000030h]	5_2_0306A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306A30B mov eax, dword ptr fs:[00000030h]	5_2_0306A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306A30B mov eax, dword ptr fs:[00000030h]	5_2_0306A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0302C310 mov ecx, dword ptr fs:[00000030h]	5_2_0302C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03050310 mov ecx, dword ptr fs:[00000030h]	5_2_03050310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B2349 mov eax, dword ptr fs:[00000030h]	5_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B2349 mov eax, dword ptr fs:[00000030h]	5_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B2349 mov eax, dword ptr fs:[00000030h]	5_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B2349 mov eax, dword ptr fs:[00000030h]	5_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B2349 mov eax, dword ptr fs:[00000030h]	5_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B2349 mov eax, dword ptr fs:[00000030h]	5_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B2349 mov eax, dword ptr fs:[00000030h]	5_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B2349 mov eax, dword ptr fs:[00000030h]	5_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B2349 mov eax, dword ptr fs:[00000030h]	5_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B2349 mov eax, dword ptr fs:[00000030h]	5_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B2349 mov eax, dword ptr fs:[00000030h]	5_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B2349 mov eax, dword ptr fs:[00000030h]	5_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B2349 mov eax, dword ptr fs:[00000030h]	5_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B2349 mov eax, dword ptr fs:[00000030h]	5_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B2349 mov eax, dword ptr fs:[00000030h]	5_2_030B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B035C mov eax, dword ptr fs:[00000030h]	5_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B035C mov eax, dword ptr fs:[00000030h]	5_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B035C mov eax, dword ptr fs:[00000030h]	5_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B035C mov ecx, dword ptr fs:[00000030h]	5_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B035C mov eax, dword ptr fs:[00000030h]	5_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B035C mov eax, dword ptr fs:[00000030h]	5_2_030B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030FA352 mov eax, dword ptr fs:[00000030h]	5_2_030FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030D8350 mov ecx, dword ptr fs:[00000030h]	5_2_030D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030D437C mov eax, dword ptr fs:[00000030h]	5_2_030D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0302E388 mov eax, dword ptr fs:[00000030h]	5_2_0302E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0302E388 mov eax, dword ptr fs:[00000030h]	5_2_0302E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0302E388 mov eax, dword ptr fs:[00000030h]	5_2_0302E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305438F mov eax, dword ptr fs:[00000030h]	5_2_0305438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305438F mov eax, dword ptr fs:[00000030h]	5_2_0305438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03028397 mov eax, dword ptr fs:[00000030h]	5_2_03028397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03028397 mov eax, dword ptr fs:[00000030h]	5_2_03028397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03028397 mov eax, dword ptr fs:[00000030h]	5_2_03028397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030EC3CD mov eax, dword ptr fs:[00000030h]	5_2_030EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	5_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	5_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	5_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	5_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	5_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303A3C0 mov eax, dword ptr fs:[00000030h]	5_2_0303A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030383C0 mov eax, dword ptr fs:[00000030h]	5_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030383C0 mov eax, dword ptr fs:[00000030h]	5_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030383C0 mov eax, dword ptr fs:[00000030h]	5_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030383C0 mov eax, dword ptr fs:[00000030h]	5_2_030383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B63C0 mov eax, dword ptr fs:[00000030h]	5_2_030B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DE3DB mov eax, dword ptr fs:[00000030h]	5_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DE3DB mov eax, dword ptr fs:[00000030h]	5_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DE3DB mov ecx, dword ptr fs:[00000030h]	5_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DE3DB mov eax, dword ptr fs:[00000030h]	5_2_030DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030D43D4 mov eax, dword ptr fs:[00000030h]	5_2_030D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030D43D4 mov eax, dword ptr fs:[00000030h]	5_2_030D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030403E9 mov eax, dword ptr fs:[00000030h]	5_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030403E9 mov eax, dword ptr fs:[00000030h]	5_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030403E9 mov eax, dword ptr fs:[00000030h]	5_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030403E9 mov eax, dword ptr fs:[00000030h]	5_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030403E9 mov eax, dword ptr fs:[00000030h]	5_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030403E9 mov eax, dword ptr fs:[00000030h]	5_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030403E9 mov eax, dword ptr fs:[00000030h]	5_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030403E9 mov eax, dword ptr fs:[00000030h]	5_2_030403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0304E3F0 mov eax, dword ptr fs:[00000030h]	5_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0304E3F0 mov eax, dword ptr fs:[00000030h]	5_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0304E3F0 mov eax, dword ptr fs:[00000030h]	5_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030663FF mov eax, dword ptr fs:[00000030h]	5_2_030663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0302823B mov eax, dword ptr fs:[00000030h]	5_2_0302823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B8243 mov eax, dword ptr fs:[00000030h]	5_2_030B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B8243 mov ecx, dword ptr fs:[00000030h]	5_2_030B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0302A250 mov eax, dword ptr fs:[00000030h]	5_2_0302A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03036259 mov eax, dword ptr fs:[00000030h]	5_2_03036259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030EA250 mov eax, dword ptr fs:[00000030h]	5_2_030EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030EA250 mov eax, dword ptr fs:[00000030h]	5_2_030EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03034260 mov eax, dword ptr fs:[00000030h]	5_2_03034260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03034260 mov eax, dword ptr fs:[00000030h]	5_2_03034260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03034260 mov eax, dword ptr fs:[00000030h]	5_2_03034260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0302826B mov eax, dword ptr fs:[00000030h]	5_2_0302826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030E0274 mov eax, dword ptr fs:[00000030h]	5_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030E0274 mov eax, dword ptr fs:[00000030h]	5_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030E0274 mov eax, dword ptr fs:[00000030h]	5_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030E0274 mov eax, dword ptr fs:[00000030h]	5_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030E0274 mov eax, dword ptr fs:[00000030h]	5_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030E0274 mov eax, dword ptr fs:[00000030h]	5_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030E0274 mov eax, dword ptr fs:[00000030h]	5_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030E0274 mov eax, dword ptr fs:[00000030h]	5_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030E0274 mov eax, dword ptr fs:[00000030h]	5_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030E0274 mov eax, dword ptr fs:[00000030h]	5_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030E0274 mov eax, dword ptr fs:[00000030h]	5_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030E0274 mov eax, dword ptr fs:[00000030h]	5_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306E284 mov eax, dword ptr fs:[00000030h]	5_2_0306E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306E284 mov eax, dword ptr fs:[00000030h]	5_2_0306E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B0283 mov eax, dword ptr fs:[00000030h]	5_2_030B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B0283 mov eax, dword ptr fs:[00000030h]	5_2_030B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B0283 mov eax, dword ptr fs:[00000030h]	5_2_030B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030402A0 mov eax, dword ptr fs:[00000030h]	5_2_030402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030402A0 mov eax, dword ptr fs:[00000030h]	5_2_030402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030C62A0 mov eax, dword ptr fs:[00000030h]	5_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030C62A0 mov ecx, dword ptr fs:[00000030h]	5_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030C62A0 mov eax, dword ptr fs:[00000030h]	5_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030C62A0 mov eax, dword ptr fs:[00000030h]	5_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030C62A0 mov eax, dword ptr fs:[00000030h]	5_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030C62A0 mov eax, dword ptr fs:[00000030h]	5_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	5_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	5_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	5_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	5_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303A2C3 mov eax, dword ptr fs:[00000030h]	5_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030402E1 mov eax, dword ptr fs:[00000030h]	5_2_030402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030402E1 mov eax, dword ptr fs:[00000030h]	5_2_030402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030402E1 mov eax, dword ptr fs:[00000030h]	5_2_030402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DE10E mov eax, dword ptr fs:[00000030h]	5_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DE10E mov ecx, dword ptr fs:[00000030h]	5_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DE10E mov eax, dword ptr fs:[00000030h]	5_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DE10E mov eax, dword ptr fs:[00000030h]	5_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DE10E mov ecx, dword ptr fs:[00000030h]	5_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DE10E mov eax, dword ptr fs:[00000030h]	5_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DE10E mov eax, dword ptr fs:[00000030h]	5_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DE10E mov ecx, dword ptr fs:[00000030h]	5_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DE10E mov eax, dword ptr fs:[00000030h]	5_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DE10E mov ecx, dword ptr fs:[00000030h]	5_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DA118 mov ecx, dword ptr fs:[00000030h]	5_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DA118 mov eax, dword ptr fs:[00000030h]	5_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DA118 mov eax, dword ptr fs:[00000030h]	5_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DA118 mov eax, dword ptr fs:[00000030h]	5_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030F0115 mov eax, dword ptr fs:[00000030h]	5_2_030F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03060124 mov eax, dword ptr fs:[00000030h]	5_2_03060124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030C4144 mov eax, dword ptr fs:[00000030h]	5_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030C4144 mov eax, dword ptr fs:[00000030h]	5_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030C4144 mov ecx, dword ptr fs:[00000030h]	5_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030C4144 mov eax, dword ptr fs:[00000030h]	5_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030C4144 mov eax, dword ptr fs:[00000030h]	5_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0302C156 mov eax, dword ptr fs:[00000030h]	5_2_0302C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030C8158 mov eax, dword ptr fs:[00000030h]	5_2_030C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03036154 mov eax, dword ptr fs:[00000030h]	5_2_03036154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03036154 mov eax, dword ptr fs:[00000030h]	5_2_03036154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03070185 mov eax, dword ptr fs:[00000030h]	5_2_03070185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030EC188 mov eax, dword ptr fs:[00000030h]	5_2_030EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030EC188 mov eax, dword ptr fs:[00000030h]	5_2_030EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030D4180 mov eax, dword ptr fs:[00000030h]	5_2_030D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030D4180 mov eax, dword ptr fs:[00000030h]	5_2_030D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B019F mov eax, dword ptr fs:[00000030h]	5_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B019F mov eax, dword ptr fs:[00000030h]	5_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B019F mov eax, dword ptr fs:[00000030h]	5_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B019F mov eax, dword ptr fs:[00000030h]	5_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0302A197 mov eax, dword ptr fs:[00000030h]	5_2_0302A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0302A197 mov eax, dword ptr fs:[00000030h]	5_2_0302A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0302A197 mov eax, dword ptr fs:[00000030h]	5_2_0302A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030F61C3 mov eax, dword ptr fs:[00000030h]	5_2_030F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030F61C3 mov eax, dword ptr fs:[00000030h]	5_2_030F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	5_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	5_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030AE1D0 mov ecx, dword ptr fs:[00000030h]	5_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	5_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030AE1D0 mov eax, dword ptr fs:[00000030h]	5_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_031061E5 mov eax, dword ptr fs:[00000030h]	5_2_031061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030601F8 mov eax, dword ptr fs:[00000030h]	5_2_030601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B4000 mov ecx, dword ptr fs:[00000030h]	5_2_030B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030D2000 mov eax, dword ptr fs:[00000030h]	5_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030D2000 mov eax, dword ptr fs:[00000030h]	5_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030D2000 mov eax, dword ptr fs:[00000030h]	5_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030D2000 mov eax, dword ptr fs:[00000030h]	5_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030D2000 mov eax, dword ptr fs:[00000030h]	5_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030D2000 mov eax, dword ptr fs:[00000030h]	5_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030D2000 mov eax, dword ptr fs:[00000030h]	5_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030D2000 mov eax, dword ptr fs:[00000030h]	5_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0304E016 mov eax, dword ptr fs:[00000030h]	5_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0304E016 mov eax, dword ptr fs:[00000030h]	5_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0304E016 mov eax, dword ptr fs:[00000030h]	5_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0304E016 mov eax, dword ptr fs:[00000030h]	5_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0302A020 mov eax, dword ptr fs:[00000030h]	5_2_0302A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0302C020 mov eax, dword ptr fs:[00000030h]	5_2_0302C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030C6030 mov eax, dword ptr fs:[00000030h]	5_2_030C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03032050 mov eax, dword ptr fs:[00000030h]	5_2_03032050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B6050 mov eax, dword ptr fs:[00000030h]	5_2_030B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305C073 mov eax, dword ptr fs:[00000030h]	5_2_0305C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303208A mov eax, dword ptr fs:[00000030h]	5_2_0303208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030C80A8 mov eax, dword ptr fs:[00000030h]	5_2_030C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030F60B8 mov eax, dword ptr fs:[00000030h]	5_2_030F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030F60B8 mov ecx, dword ptr fs:[00000030h]	5_2_030F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B20DE mov eax, dword ptr fs:[00000030h]	5_2_030B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0302A0E3 mov ecx, dword ptr fs:[00000030h]	5_2_0302A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030380E9 mov eax, dword ptr fs:[00000030h]	5_2_030380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B60E0 mov eax, dword ptr fs:[00000030h]	5_2_030B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0302C0F0 mov eax, dword ptr fs:[00000030h]	5_2_0302C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030720F0 mov ecx, dword ptr fs:[00000030h]	5_2_030720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306C700 mov eax, dword ptr fs:[00000030h]	5_2_0306C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03030710 mov eax, dword ptr fs:[00000030h]	5_2_03030710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03060710 mov eax, dword ptr fs:[00000030h]	5_2_03060710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306C720 mov eax, dword ptr fs:[00000030h]	5_2_0306C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306C720 mov eax, dword ptr fs:[00000030h]	5_2_0306C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306273C mov eax, dword ptr fs:[00000030h]	5_2_0306273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306273C mov ecx, dword ptr fs:[00000030h]	5_2_0306273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306273C mov eax, dword ptr fs:[00000030h]	5_2_0306273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030AC730 mov eax, dword ptr fs:[00000030h]	5_2_030AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306674D mov esi, dword ptr fs:[00000030h]	5_2_0306674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306674D mov eax, dword ptr fs:[00000030h]	5_2_0306674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306674D mov eax, dword ptr fs:[00000030h]	5_2_0306674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03030750 mov eax, dword ptr fs:[00000030h]	5_2_03030750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030BE75D mov eax, dword ptr fs:[00000030h]	5_2_030BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072750 mov eax, dword ptr fs:[00000030h]	5_2_03072750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072750 mov eax, dword ptr fs:[00000030h]	5_2_03072750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B4755 mov eax, dword ptr fs:[00000030h]	5_2_030B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03038770 mov eax, dword ptr fs:[00000030h]	5_2_03038770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040770 mov eax, dword ptr fs:[00000030h]	5_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040770 mov eax, dword ptr fs:[00000030h]	5_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040770 mov eax, dword ptr fs:[00000030h]	5_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040770 mov eax, dword ptr fs:[00000030h]	5_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040770 mov eax, dword ptr fs:[00000030h]	5_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040770 mov eax, dword ptr fs:[00000030h]	5_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040770 mov eax, dword ptr fs:[00000030h]	5_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040770 mov eax, dword ptr fs:[00000030h]	5_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040770 mov eax, dword ptr fs:[00000030h]	5_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040770 mov eax, dword ptr fs:[00000030h]	5_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040770 mov eax, dword ptr fs:[00000030h]	5_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040770 mov eax, dword ptr fs:[00000030h]	5_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030D678E mov eax, dword ptr fs:[00000030h]	5_2_030D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030307AF mov eax, dword ptr fs:[00000030h]	5_2_030307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030E47A0 mov eax, dword ptr fs:[00000030h]	5_2_030E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303C7C0 mov eax, dword ptr fs:[00000030h]	5_2_0303C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B07C3 mov eax, dword ptr fs:[00000030h]	5_2_030B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030527ED mov eax, dword ptr fs:[00000030h]	5_2_030527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030527ED mov eax, dword ptr fs:[00000030h]	5_2_030527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030527ED mov eax, dword ptr fs:[00000030h]	5_2_030527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030BE7E1 mov eax, dword ptr fs:[00000030h]	5_2_030BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030347FB mov eax, dword ptr fs:[00000030h]	5_2_030347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030347FB mov eax, dword ptr fs:[00000030h]	5_2_030347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030AE609 mov eax, dword ptr fs:[00000030h]	5_2_030AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0304260B mov eax, dword ptr fs:[00000030h]	5_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0304260B mov eax, dword ptr fs:[00000030h]	5_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0304260B mov eax, dword ptr fs:[00000030h]	5_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0304260B mov eax, dword ptr fs:[00000030h]	5_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0304260B mov eax, dword ptr fs:[00000030h]	5_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0304260B mov eax, dword ptr fs:[00000030h]	5_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0304260B mov eax, dword ptr fs:[00000030h]	5_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03072619 mov eax, dword ptr fs:[00000030h]	5_2_03072619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0304E627 mov eax, dword ptr fs:[00000030h]	5_2_0304E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03066620 mov eax, dword ptr fs:[00000030h]	5_2_03066620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03068620 mov eax, dword ptr fs:[00000030h]	5_2_03068620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303262C mov eax, dword ptr fs:[00000030h]	5_2_0303262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0304C640 mov eax, dword ptr fs:[00000030h]	5_2_0304C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030F866E mov eax, dword ptr fs:[00000030h]	5_2_030F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030F866E mov eax, dword ptr fs:[00000030h]	5_2_030F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306A660 mov eax, dword ptr fs:[00000030h]	5_2_0306A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306A660 mov eax, dword ptr fs:[00000030h]	5_2_0306A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03062674 mov eax, dword ptr fs:[00000030h]	5_2_03062674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03034690 mov eax, dword ptr fs:[00000030h]	5_2_03034690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03034690 mov eax, dword ptr fs:[00000030h]	5_2_03034690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306C6A6 mov eax, dword ptr fs:[00000030h]	5_2_0306C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030666B0 mov eax, dword ptr fs:[00000030h]	5_2_030666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306A6C7 mov ebx, dword ptr fs:[00000030h]	5_2_0306A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306A6C7 mov eax, dword ptr fs:[00000030h]	5_2_0306A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	5_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	5_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	5_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030AE6F2 mov eax, dword ptr fs:[00000030h]	5_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B06F1 mov eax, dword ptr fs:[00000030h]	5_2_030B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B06F1 mov eax, dword ptr fs:[00000030h]	5_2_030B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030C6500 mov eax, dword ptr fs:[00000030h]	5_2_030C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03104500 mov eax, dword ptr fs:[00000030h]	5_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03104500 mov eax, dword ptr fs:[00000030h]	5_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03104500 mov eax, dword ptr fs:[00000030h]	5_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03104500 mov eax, dword ptr fs:[00000030h]	5_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03104500 mov eax, dword ptr fs:[00000030h]	5_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03104500 mov eax, dword ptr fs:[00000030h]	5_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03104500 mov eax, dword ptr fs:[00000030h]	5_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040535 mov eax, dword ptr fs:[00000030h]	5_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040535 mov eax, dword ptr fs:[00000030h]	5_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040535 mov eax, dword ptr fs:[00000030h]	5_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040535 mov eax, dword ptr fs:[00000030h]	5_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040535 mov eax, dword ptr fs:[00000030h]	5_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040535 mov eax, dword ptr fs:[00000030h]	5_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305E53E mov eax, dword ptr fs:[00000030h]	5_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305E53E mov eax, dword ptr fs:[00000030h]	5_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305E53E mov eax, dword ptr fs:[00000030h]	5_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305E53E mov eax, dword ptr fs:[00000030h]	5_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305E53E mov eax, dword ptr fs:[00000030h]	5_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03038550 mov eax, dword ptr fs:[00000030h]	5_2_03038550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03038550 mov eax, dword ptr fs:[00000030h]	5_2_03038550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306656A mov eax, dword ptr fs:[00000030h]	5_2_0306656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306656A mov eax, dword ptr fs:[00000030h]	5_2_0306656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306656A mov eax, dword ptr fs:[00000030h]	5_2_0306656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03032582 mov eax, dword ptr fs:[00000030h]	5_2_03032582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03032582 mov ecx, dword ptr fs:[00000030h]	5_2_03032582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03064588 mov eax, dword ptr fs:[00000030h]	5_2_03064588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306E59C mov eax, dword ptr fs:[00000030h]	5_2_0306E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B05A7 mov eax, dword ptr fs:[00000030h]	5_2_030B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B05A7 mov eax, dword ptr fs:[00000030h]	5_2_030B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B05A7 mov eax, dword ptr fs:[00000030h]	5_2_030B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030545B1 mov eax, dword ptr fs:[00000030h]	5_2_030545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030545B1 mov eax, dword ptr fs:[00000030h]	5_2_030545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306E5CF mov eax, dword ptr fs:[00000030h]	5_2_0306E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306E5CF mov eax, dword ptr fs:[00000030h]	5_2_0306E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030365D0 mov eax, dword ptr fs:[00000030h]	5_2_030365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306A5D0 mov eax, dword ptr fs:[00000030h]	5_2_0306A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306A5D0 mov eax, dword ptr fs:[00000030h]	5_2_0306A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	5_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	5_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	5_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	5_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	5_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	5_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	5_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305E5E7 mov eax, dword ptr fs:[00000030h]	5_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030325E0 mov eax, dword ptr fs:[00000030h]	5_2_030325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306C5ED mov eax, dword ptr fs:[00000030h]	5_2_0306C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306C5ED mov eax, dword ptr fs:[00000030h]	5_2_0306C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03068402 mov eax, dword ptr fs:[00000030h]	5_2_03068402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03068402 mov eax, dword ptr fs:[00000030h]	5_2_03068402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03068402 mov eax, dword ptr fs:[00000030h]	5_2_03068402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0302E420 mov eax, dword ptr fs:[00000030h]	5_2_0302E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0302E420 mov eax, dword ptr fs:[00000030h]	5_2_0302E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0302E420 mov eax, dword ptr fs:[00000030h]	5_2_0302E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0302C427 mov eax, dword ptr fs:[00000030h]	5_2_0302C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B6420 mov eax, dword ptr fs:[00000030h]	5_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B6420 mov eax, dword ptr fs:[00000030h]	5_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B6420 mov eax, dword ptr fs:[00000030h]	5_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B6420 mov eax, dword ptr fs:[00000030h]	5_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B6420 mov eax, dword ptr fs:[00000030h]	5_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B6420 mov eax, dword ptr fs:[00000030h]	5_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B6420 mov eax, dword ptr fs:[00000030h]	5_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306A430 mov eax, dword ptr fs:[00000030h]	5_2_0306A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306E443 mov eax, dword ptr fs:[00000030h]	5_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306E443 mov eax, dword ptr fs:[00000030h]	5_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306E443 mov eax, dword ptr fs:[00000030h]	5_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306E443 mov eax, dword ptr fs:[00000030h]	5_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306E443 mov eax, dword ptr fs:[00000030h]	5_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306E443 mov eax, dword ptr fs:[00000030h]	5_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306E443 mov eax, dword ptr fs:[00000030h]	5_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306E443 mov eax, dword ptr fs:[00000030h]	5_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030EA456 mov eax, dword ptr fs:[00000030h]	5_2_030EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0302645D mov eax, dword ptr fs:[00000030h]	5_2_0302645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305245A mov eax, dword ptr fs:[00000030h]	5_2_0305245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030BC460 mov ecx, dword ptr fs:[00000030h]	5_2_030BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305A470 mov eax, dword ptr fs:[00000030h]	5_2_0305A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305A470 mov eax, dword ptr fs:[00000030h]	5_2_0305A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305A470 mov eax, dword ptr fs:[00000030h]	5_2_0305A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030EA49A mov eax, dword ptr fs:[00000030h]	5_2_030EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030364AB mov eax, dword ptr fs:[00000030h]	5_2_030364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030644B0 mov ecx, dword ptr fs:[00000030h]	5_2_030644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030BA4B0 mov eax, dword ptr fs:[00000030h]	5_2_030BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030304E5 mov ecx, dword ptr fs:[00000030h]	5_2_030304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030AEB1D mov eax, dword ptr fs:[00000030h]	5_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030AEB1D mov eax, dword ptr fs:[00000030h]	5_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030AEB1D mov eax, dword ptr fs:[00000030h]	5_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030AEB1D mov eax, dword ptr fs:[00000030h]	5_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030AEB1D mov eax, dword ptr fs:[00000030h]	5_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030AEB1D mov eax, dword ptr fs:[00000030h]	5_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030AEB1D mov eax, dword ptr fs:[00000030h]	5_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030AEB1D mov eax, dword ptr fs:[00000030h]	5_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030AEB1D mov eax, dword ptr fs:[00000030h]	5_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305EB20 mov eax, dword ptr fs:[00000030h]	5_2_0305EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305EB20 mov eax, dword ptr fs:[00000030h]	5_2_0305EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030F8B28 mov eax, dword ptr fs:[00000030h]	5_2_030F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030F8B28 mov eax, dword ptr fs:[00000030h]	5_2_030F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030E4B4B mov eax, dword ptr fs:[00000030h]	5_2_030E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030E4B4B mov eax, dword ptr fs:[00000030h]	5_2_030E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030C6B40 mov eax, dword ptr fs:[00000030h]	5_2_030C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030C6B40 mov eax, dword ptr fs:[00000030h]	5_2_030C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030FAB40 mov eax, dword ptr fs:[00000030h]	5_2_030FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030D8B42 mov eax, dword ptr fs:[00000030h]	5_2_030D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DEB50 mov eax, dword ptr fs:[00000030h]	5_2_030DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0302CB7E mov eax, dword ptr fs:[00000030h]	5_2_0302CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040BBE mov eax, dword ptr fs:[00000030h]	5_2_03040BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040BBE mov eax, dword ptr fs:[00000030h]	5_2_03040BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030E4BB0 mov eax, dword ptr fs:[00000030h]	5_2_030E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030E4BB0 mov eax, dword ptr fs:[00000030h]	5_2_030E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03050BCB mov eax, dword ptr fs:[00000030h]	5_2_03050BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03050BCB mov eax, dword ptr fs:[00000030h]	5_2_03050BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03050BCB mov eax, dword ptr fs:[00000030h]	5_2_03050BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03030BCD mov eax, dword ptr fs:[00000030h]	5_2_03030BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03030BCD mov eax, dword ptr fs:[00000030h]	5_2_03030BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03030BCD mov eax, dword ptr fs:[00000030h]	5_2_03030BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DEBD0 mov eax, dword ptr fs:[00000030h]	5_2_030DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03038BF0 mov eax, dword ptr fs:[00000030h]	5_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03038BF0 mov eax, dword ptr fs:[00000030h]	5_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03038BF0 mov eax, dword ptr fs:[00000030h]	5_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305EBFC mov eax, dword ptr fs:[00000030h]	5_2_0305EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030BCBF0 mov eax, dword ptr fs:[00000030h]	5_2_030BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030BCA11 mov eax, dword ptr fs:[00000030h]	5_2_030BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306CA24 mov eax, dword ptr fs:[00000030h]	5_2_0306CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305EA2E mov eax, dword ptr fs:[00000030h]	5_2_0305EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03054A35 mov eax, dword ptr fs:[00000030h]	5_2_03054A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03054A35 mov eax, dword ptr fs:[00000030h]	5_2_03054A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306CA38 mov eax, dword ptr fs:[00000030h]	5_2_0306CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03036A50 mov eax, dword ptr fs:[00000030h]	5_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03036A50 mov eax, dword ptr fs:[00000030h]	5_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03036A50 mov eax, dword ptr fs:[00000030h]	5_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03036A50 mov eax, dword ptr fs:[00000030h]	5_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03036A50 mov eax, dword ptr fs:[00000030h]	5_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03036A50 mov eax, dword ptr fs:[00000030h]	5_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03036A50 mov eax, dword ptr fs:[00000030h]	5_2_03036A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040A5B mov eax, dword ptr fs:[00000030h]	5_2_03040A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03040A5B mov eax, dword ptr fs:[00000030h]	5_2_03040A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306CA6F mov eax, dword ptr fs:[00000030h]	5_2_0306CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306CA6F mov eax, dword ptr fs:[00000030h]	5_2_0306CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306CA6F mov eax, dword ptr fs:[00000030h]	5_2_0306CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030DEA60 mov eax, dword ptr fs:[00000030h]	5_2_030DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030ACA72 mov eax, dword ptr fs:[00000030h]	5_2_030ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030ACA72 mov eax, dword ptr fs:[00000030h]	5_2_030ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303EA80 mov eax, dword ptr fs:[00000030h]	5_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303EA80 mov eax, dword ptr fs:[00000030h]	5_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303EA80 mov eax, dword ptr fs:[00000030h]	5_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303EA80 mov eax, dword ptr fs:[00000030h]	5_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303EA80 mov eax, dword ptr fs:[00000030h]	5_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303EA80 mov eax, dword ptr fs:[00000030h]	5_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303EA80 mov eax, dword ptr fs:[00000030h]	5_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303EA80 mov eax, dword ptr fs:[00000030h]	5_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303EA80 mov eax, dword ptr fs:[00000030h]	5_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03104A80 mov eax, dword ptr fs:[00000030h]	5_2_03104A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03068A90 mov edx, dword ptr fs:[00000030h]	5_2_03068A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03038AA0 mov eax, dword ptr fs:[00000030h]	5_2_03038AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03038AA0 mov eax, dword ptr fs:[00000030h]	5_2_03038AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03086AA4 mov eax, dword ptr fs:[00000030h]	5_2_03086AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03086ACC mov eax, dword ptr fs:[00000030h]	5_2_03086ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03086ACC mov eax, dword ptr fs:[00000030h]	5_2_03086ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03086ACC mov eax, dword ptr fs:[00000030h]	5_2_03086ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03030AD0 mov eax, dword ptr fs:[00000030h]	5_2_03030AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03064AD0 mov eax, dword ptr fs:[00000030h]	5_2_03064AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03064AD0 mov eax, dword ptr fs:[00000030h]	5_2_03064AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306AAEE mov eax, dword ptr fs:[00000030h]	5_2_0306AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306AAEE mov eax, dword ptr fs:[00000030h]	5_2_0306AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030AE908 mov eax, dword ptr fs:[00000030h]	5_2_030AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030AE908 mov eax, dword ptr fs:[00000030h]	5_2_030AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030BC912 mov eax, dword ptr fs:[00000030h]	5_2_030BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03028918 mov eax, dword ptr fs:[00000030h]	5_2_03028918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03028918 mov eax, dword ptr fs:[00000030h]	5_2_03028918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B892A mov eax, dword ptr fs:[00000030h]	5_2_030B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030C892B mov eax, dword ptr fs:[00000030h]	5_2_030C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B0946 mov eax, dword ptr fs:[00000030h]	5_2_030B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03056962 mov eax, dword ptr fs:[00000030h]	5_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03056962 mov eax, dword ptr fs:[00000030h]	5_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03056962 mov eax, dword ptr fs:[00000030h]	5_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0307096E mov eax, dword ptr fs:[00000030h]	5_2_0307096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0307096E mov edx, dword ptr fs:[00000030h]	5_2_0307096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0307096E mov eax, dword ptr fs:[00000030h]	5_2_0307096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030D4978 mov eax, dword ptr fs:[00000030h]	5_2_030D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030D4978 mov eax, dword ptr fs:[00000030h]	5_2_030D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030BC97C mov eax, dword ptr fs:[00000030h]	5_2_030BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030429A0 mov eax, dword ptr fs:[00000030h]	5_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030429A0 mov eax, dword ptr fs:[00000030h]	5_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030429A0 mov eax, dword ptr fs:[00000030h]	5_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030429A0 mov eax, dword ptr fs:[00000030h]	5_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030429A0 mov eax, dword ptr fs:[00000030h]	5_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030429A0 mov eax, dword ptr fs:[00000030h]	5_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030429A0 mov eax, dword ptr fs:[00000030h]	5_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030429A0 mov eax, dword ptr fs:[00000030h]	5_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030429A0 mov eax, dword ptr fs:[00000030h]	5_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030429A0 mov eax, dword ptr fs:[00000030h]	5_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030429A0 mov eax, dword ptr fs:[00000030h]	5_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030429A0 mov eax, dword ptr fs:[00000030h]	5_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030429A0 mov eax, dword ptr fs:[00000030h]	5_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030309AD mov eax, dword ptr fs:[00000030h]	5_2_030309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030309AD mov eax, dword ptr fs:[00000030h]	5_2_030309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B89B3 mov esi, dword ptr fs:[00000030h]	5_2_030B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B89B3 mov eax, dword ptr fs:[00000030h]	5_2_030B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030B89B3 mov eax, dword ptr fs:[00000030h]	5_2_030B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030C69C0 mov eax, dword ptr fs:[00000030h]	5_2_030C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	5_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	5_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	5_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	5_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	5_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0303A9D0 mov eax, dword ptr fs:[00000030h]	5_2_0303A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030649D0 mov eax, dword ptr fs:[00000030h]	5_2_030649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030FA9D3 mov eax, dword ptr fs:[00000030h]	5_2_030FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030BE9E0 mov eax, dword ptr fs:[00000030h]	5_2_030BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030629F9 mov eax, dword ptr fs:[00000030h]	5_2_030629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030629F9 mov eax, dword ptr fs:[00000030h]	5_2_030629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030BC810 mov eax, dword ptr fs:[00000030h]	5_2_030BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03052835 mov eax, dword ptr fs:[00000030h]	5_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03052835 mov eax, dword ptr fs:[00000030h]	5_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03052835 mov eax, dword ptr fs:[00000030h]	5_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03052835 mov ecx, dword ptr fs:[00000030h]	5_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03052835 mov eax, dword ptr fs:[00000030h]	5_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03052835 mov eax, dword ptr fs:[00000030h]	5_2_03052835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306A830 mov eax, dword ptr fs:[00000030h]	5_2_0306A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030D483A mov eax, dword ptr fs:[00000030h]	5_2_030D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030D483A mov eax, dword ptr fs:[00000030h]	5_2_030D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03042840 mov ecx, dword ptr fs:[00000030h]	5_2_03042840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03060854 mov eax, dword ptr fs:[00000030h]	5_2_03060854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03034859 mov eax, dword ptr fs:[00000030h]	5_2_03034859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03034859 mov eax, dword ptr fs:[00000030h]	5_2_03034859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030BE872 mov eax, dword ptr fs:[00000030h]	5_2_030BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030BE872 mov eax, dword ptr fs:[00000030h]	5_2_030BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030C6870 mov eax, dword ptr fs:[00000030h]	5_2_030C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030C6870 mov eax, dword ptr fs:[00000030h]	5_2_030C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03030887 mov eax, dword ptr fs:[00000030h]	5_2_03030887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030BC89D mov eax, dword ptr fs:[00000030h]	5_2_030BC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305E8C0 mov eax, dword ptr fs:[00000030h]	5_2_0305E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030FA8E4 mov eax, dword ptr fs:[00000030h]	5_2_030FA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306C8F9 mov eax, dword ptr fs:[00000030h]	5_2_0306C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306C8F9 mov eax, dword ptr fs:[00000030h]	5_2_0306C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_030E6F00 mov eax, dword ptr fs:[00000030h]	5_2_030E6F00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_03032F12 mov eax, dword ptr fs:[00000030h]	5_2_03032F12
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0306CF1F mov eax, dword ptr fs:[00000030h]	5_2_0306CF1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0305EF28 mov eax, dword ptr fs:[00000030h]	5_2_0305EF28

Source: C:\Users\user\Desktop\LOI REQUEST.exe

Code function: 0_2_0044A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_0044A66C

Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_00438189 SetUnhandledExceptionFilter,		0_2_00438189
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_004381AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_004381AC

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\LOI REQUEST.exe

Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\LOI REQUEST.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 4C2008

Jump to behavior

Source: C:\Users\user\Desktop\LOI REQUEST.exe

Code function: 0_2_0044B106 LogonUserW,

0_2_0044B106

Source: C:\Users\user\Desktop\LOI REQUEST.exe

Code function: 0_2_00413D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00413D19

Source: C:\Users\user\Desktop\LOI REQUEST.exe

Code function: 0_2_0045411C SendInput,keybd_event,

0_2_0045411C

Source: C:\Users\user\Desktop\LOI REQUEST.exe

Code function: 0_2_004574E7 mouse_event,

0_2_004574E7

Source: C:\Users\user\Desktop\LOI REQUEST.exe

Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\LOI REQUEST.exe"

Jump to behavior

Source: C:\Users\user\Desktop\LOI REQUEST.exe

0_2_0044A66C

Source: C:\Users\user\Desktop\LOI REQUEST.exe

Code function: 0_2_004571FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_004571FA

Source: LOI REQUEST.exe	Binary or memory string: Shell_TrayWnd
Source: LOI REQUEST.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning

Source: C:\Users\user\Desktop\LOI REQUEST.exe

Code function: 0_2_004365C4 cpuid

0_2_004365C4

Source: C:\Users\user\Desktop\LOI REQUEST.exe

Code function: 0_2_0046091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW,

0_2_0046091D

Source: C:\Users\user\Desktop\LOI REQUEST.exe

Code function: 0_2_0048B340 GetUserNameW,

0_2_0048B340

Source: C:\Users\user\Desktop\LOI REQUEST.exe

Code function: 0_2_00441E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00441E8E

Source: C:\Users\user\Desktop\LOI REQUEST.exe

Code function: 0_2_0042DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0042DDC0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 5.2.svchost.exe.3a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.3a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1698285609.00000000003A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1698899133.0000000003350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: LOI REQUEST.exe	Binary or memory string: WIN_81
Source: LOI REQUEST.exe	Binary or memory string: WIN_XP
Source: LOI REQUEST.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: LOI REQUEST.exe	Binary or memory string: WIN_XPe
Source: LOI REQUEST.exe	Binary or memory string: WIN_VISTA
Source: LOI REQUEST.exe	Binary or memory string: WIN_7
Source: LOI REQUEST.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 5.2.svchost.exe.3a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.svchost.exe.3a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1698285609.00000000003A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1698899133.0000000003350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_00468C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00468C4F
Source: C:\Users\user\Desktop\LOI REQUEST.exe	Code function: 0_2_0046923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_0046923B

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	2 Valid Accounts	2 Valid Accounts	2 Valid Accounts	11 Input Capture	2 System Time Discovery	Remote Services	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	LSASS Memory	15 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	21 Access Token Manipulation	2 Virtualization/Sandbox Evasion	Security Account Manager	2 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	3 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	212 Process Injection	21 Access Token Manipulation	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	212 Process Injection	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	1 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	115 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
LOI REQUEST.exe	53%	ReversingLabs	Win32.Trojan.AutoitInject
LOI REQUEST.exe	100%	Joe Sandbox ML

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562310
Start date and time:	2024-11-25 13:50:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LOI REQUEST.exe
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@3/2@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 48 Number of non-executed functions: 302
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
VT rate limit hit for: LOI REQUEST.exe

Simulations

Behavior and APIs

Time	Type	Description
09:42:45	API Interceptor	3x Sleep call for process: svchost.exe modified

Process:	C:\Users\user\Desktop\LOI REQUEST.exe
File Type:	data
Category:	dropped
Size (bytes):	289280
Entropy (8bit):	7.994135352598386
Encrypted:	true
SSDEEP:	6144:xRCNSsZeytuVfVDixkp/Uv98iYEmNlkRvf8q66Ztg2A7pHq:xRwSsTtuVfB0kpGFYEmNmBi9ddHq
MD5:	4AF134549716B3B7E18C193FAC24C499
SHA1:	27E4AE9407BE0CCD5F316FB80AE6F4DF76C964B1
SHA-256:	17B6458669C5383E200A60A7CB1252EDAC53E25490A95D9151E321D75362FD75
SHA-512:	D90BCF46CDD2A93582B5F498D9163509692621B2121F475E1BFD1FA9EE8E424CDD4914FC3E623871167782EF8318F163068E29754D833CE755A4BF028531473E
Malicious:	false
Reputation:	low
Preview:	...R4EVW5WM1..WU.CSSUA1J.9Y57AAVR7EVW1WM1AZWU2CSSUA1JJ9Y57AA.R7EXH.YM.H.v.3..r.)X9jI+ZP3 ;rT$89^#mS$z% \c:=u.~.jT6QRoL[X.EVW1WM18[^..#4.h!V.wY>.-..hW".M....!=.O..o5&..#Z1.W&.VR7EVW1W.tAZ.T3C..<.1JJ9Y57A.VP6NW\1W.5AZWU2CSSU."JJ9I57A1RR7E.W1GM1AXWU4CSSUA1JL9Y57AAVRGAVW3WM1AZWW2..SUQ1JZ9Y57QAVB7EVW1W]1AZWU2CSSUA1JJ9Y57AAVR7EVW1WM1AZWU2CSSUA1JJ9Y57AAVR7EVW1WM1AZWU2CSSUA1JJ9Y57AAVR7EVW1WM1AZWU2CSSUA1JJ9Y57AAVR7EVW1WM1AZWU2CSSUA1JJ9wAR95VR7..S1W]1AZ.Q2CCSUA1JJ9Y57AAVR.EV71WM1AZWU2CSSUA1JJ9Y57AAVR7EVW1WM1AZWU2CSSUA1JJ9Y57AAVR7EVW1WM1AZWU2CSSUA1JJ9Y57AAVR7EVW1WM1AZWU2CSSUA1JJ9Y57AAVR7EVW1WM1AZWU2CSSUA1JJ9Y57AAVR7EVW1WM1AZWU2CSSUA1JJ9Y57AAVR7EVW1WM1AZWU2CSSUA1JJ9Y57AAVR7EVW1WM1AZWU2CSSUA1JJ9Y57AAVR7EVW1WM1AZWU2CSSUA1JJ9Y57AAVR7EVW1WM1AZWU2CSSUA1JJ9Y57AAVR7EVW1WM1AZWU2CSSUA1JJ9Y57AAVR7EVW1WM1AZWU2CSSUA1JJ9Y57AAVR7EVW1WM1AZWU2CSSUA1JJ9Y57AAVR7EVW1WM1AZWU2CSSUA1JJ9Y57AAVR7EVW1WM1AZWU2CSSUA1JJ9Y57AAVR7EVW1WM1AZWU2CSSUA1JJ9Y57AAVR7EVW1WM1AZWU2CSSUA1JJ9Y57AAVR7EVW1WM1AZWU2CSSUA1JJ9Y57AAVR7EVW1WM1AZ

C:\Users\user\AppData\Local\Temp\poufs

Download File

Process:	C:\Users\user\Desktop\LOI REQUEST.exe
File Type:	data
Category:	modified
Size (bytes):	289280
Entropy (8bit):	7.994135352598386
Encrypted:	true
SSDEEP:	6144:xRCNSsZeytuVfVDixkp/Uv98iYEmNlkRvf8q66Ztg2A7pHq:xRwSsTtuVfB0kpGFYEmNmBi9ddHq
MD5:	4AF134549716B3B7E18C193FAC24C499
SHA1:	27E4AE9407BE0CCD5F316FB80AE6F4DF76C964B1
SHA-256:	17B6458669C5383E200A60A7CB1252EDAC53E25490A95D9151E321D75362FD75
SHA-512:	D90BCF46CDD2A93582B5F498D9163509692621B2121F475E1BFD1FA9EE8E424CDD4914FC3E623871167782EF8318F163068E29754D833CE755A4BF028531473E
Malicious:	false
Reputation:	low
Preview:	...R4EVW5WM1..WU.CSSUA1J.9Y57AAVR7EVW1WM1AZWU2CSSUA1JJ9Y57AA.R7EXH.YM.H.v.3..r.)X9jI+ZP3 ;rT$89^#mS$z% \c:=u.~.jT6QRoL[X.EVW1WM18[^..#4.h!V.wY>.-..hW".M....!=.O..o5&..#Z1.W&.VR7EVW1W.tAZ.T3C..<.1JJ9Y57A.VP6NW\1W.5AZWU2CSSU."JJ9I57A1RR7E.W1GM1AXWU4CSSUA1JL9Y57AAVRGAVW3WM1AZWW2..SUQ1JZ9Y57QAVB7EVW1W]1AZWU2CSSUA1JJ9Y57AAVR7EVW1WM1AZWU2CSSUA1JJ9Y57AAVR7EVW1WM1AZWU2CSSUA1JJ9Y57AAVR7EVW1WM1AZWU2CSSUA1JJ9Y57AAVR7EVW1WM1AZWU2CSSUA1JJ9wAR95VR7..S1W]1AZ.Q2CCSUA1JJ9Y57AAVR.EV71WM1AZWU2CSSUA1JJ9Y57AAVR7EVW1WM1AZWU2CSSUA1JJ9Y57AAVR7EVW1WM1AZWU2CSSUA1JJ9Y57AAVR7EVW1WM1AZWU2CSSUA1JJ9Y57AAVR7EVW1WM1AZWU2CSSUA1JJ9Y57AAVR7EVW1WM1AZWU2CSSUA1JJ9Y57AAVR7EVW1WM1AZWU2CSSUA1JJ9Y57AAVR7EVW1WM1AZWU2CSSUA1JJ9Y57AAVR7EVW1WM1AZWU2CSSUA1JJ9Y57AAVR7EVW1WM1AZWU2CSSUA1JJ9Y57AAVR7EVW1WM1AZWU2CSSUA1JJ9Y57AAVR7EVW1WM1AZWU2CSSUA1JJ9Y57AAVR7EVW1WM1AZWU2CSSUA1JJ9Y57AAVR7EVW1WM1AZWU2CSSUA1JJ9Y57AAVR7EVW1WM1AZWU2CSSUA1JJ9Y57AAVR7EVW1WM1AZWU2CSSUA1JJ9Y57AAVR7EVW1WM1AZWU2CSSUA1JJ9Y57AAVR7EVW1WM1AZWU2CSSUA1JJ9Y57AAVR7EVW1WM1AZ

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.144254426296748
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	LOI REQUEST.exe
File size:	1'209'344 bytes
MD5:	8dad2a83f4440c44bbb9a47c18752626
SHA1:	8d702707d4fe17b7bbe96fdcb20e3cdd6e5d0104
SHA256:	fce3183e9d396e2fe176392fbdcd765daa5154aa9187a7dbbdde77c38dd1e079
SHA512:	698461900e7ecf982612d11177557a2f6621029f40f9ea121ab800190ea8cc06e5739221a55c1b425f823c9abfa1c684e3d5260d30e696896495461387c31275
SSDEEP:	24576:4tb20pkaCqT5TBWgNQ7ax8wnHQI70svAikIV6A:BVg5tQ7ax8oHQ3Zc5
TLSH:	0345C01363DD8361C3B25273BA55BB41BEBF782506B5F96B2FD4093DA820122521EB73
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x425f74
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6743BE51 [Mon Nov 25 00:01:21 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	3d95adbf13bbe79dc24dccb401c12091

Entrypoint Preview

Instruction
call 00007F4D6497C95Fh
jmp 00007F4D6496F974h
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F4D6496FAFAh
cmp edi, eax
jc 00007F4D6496FE5Eh
bt dword ptr [004C0158h], 01h
jnc 00007F4D6496FAF9h
rep movsb
jmp 00007F4D6496FE0Ch
cmp ecx, 00000080h
jc 00007F4D6496FCC4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F4D6496FB00h
bt dword ptr [004BA370h], 01h
jc 00007F4D6496FFD0h
bt dword ptr [004C0158h], 00000000h
jnc 00007F4D6496FC9Dh
test edi, 00000003h
jne 00007F4D6496FCAEh
test esi, 00000003h
jne 00007F4D6496FC8Dh
bt edi, 02h
jnc 00007F4D6496FAFFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F4D6496FB03h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F4D6496FB55h
bt esi, 03h
jnc 00007F4D6496FBA8h
movdqa xmm1, dqword ptr [esi+00h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2012 UPD4 build 61030
[RES] VS2012 UPD4 build 61030
[LNK] VS2012 UPD4 build 61030

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb7004	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc4000	0x5e2a4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x123000	0x6c4c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8d8d0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb2730	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8d000	0x860	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8b54f	0x8b600	f437a6545e938612764dbb0a314376fc	False	0.5699499019058296	data	6.680413749210956	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8d000	0x2cc42	0x2ce00	827ffd24759e8e420890ecf164be989e	False	0.330464397632312	data	5.770192333189168	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xba000	0x9d54	0x6200	e0a519f8e3a35fae0d9c2cfd5a4bacfc	False	0.16402264030612246	data	2.002691099965349	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc4000	0x5e2a4	0x5e400	52a60b27a105957e403a19ddd687d1fc	False	0.9320214066644562	data	7.905147334926679	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x123000	0xa474	0xa600	0bc98f8631ef0bde830a7f83bb06ff08	False	0.5017884036144579	data	5.245426654116355	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc44a0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc45c8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc48b0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc49d8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc5880	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc6128	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc6690	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xc8c38	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xc9ce0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_STRING	0xca148	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xca6dc	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcad68	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcb1f8	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcb7f4	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcbe50	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcc2b8	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcc410	0x5597b	data			1.0003308736490515
RT_GROUP_ICON	0x121d8c	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x121e04	0x14	data	English	Great Britain	1.15
RT_VERSION	0x121e18	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x121ef4	0x3b0	ASCII text, with CRLF line terminators	English	Great Britain	0.5116525423728814

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll	SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll	SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Target ID:	0
Start time:	07:51:01
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\LOI REQUEST.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LOI REQUEST.exe"
Imagebase:	0x410000
File size:	1'209'344 bytes
MD5 hash:	8DAD2A83F4440C44BBB9A47C18752626
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	07:51:02
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LOI REQUEST.exe"
Imagebase:	0x770000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.1698285609.00000000003A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.1698899133.0000000003350000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.7%
Dynamic/Decrypted Code Coverage:	0.9%
Signature Coverage:	6.6%
Total number of Nodes:	1946
Total number of Limit Nodes:	150

Executed Functions

Function 0043B043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f87df080204d53ba1a69467cdc51ae77ede7cf22ab3a96b5401bbc8e0c154de
Instruction ID: 11298924959594bce774aacbb1c5545640a55aa3aaa891068c69b40fee9c5b18
Opcode Fuzzy Hash: 6f87df080204d53ba1a69467cdc51ae77ede7cf22ab3a96b5401bbc8e0c154de
Instruction Fuzzy Hash: 81327075B022288BDB248F14DC417EAB7B5FF4A314F1450DAE50AA7A81D7349E81CF9A

Function 00413D19 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 151
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00413AA3,?), ref: 00413D45
IsDebuggerPresent.KERNEL32(?,?,?,?,00413AA3,?), ref: 00413D57
GetFullPathNameW.KERNEL32(00007FFF,?,?,004D1148,004D1130,?,?,?,?,00413AA3,?), ref: 00413DC8

Part of subcall function 00416430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00413DEE,004D1148,?,?,?,?,?,00413AA3,?), ref: 00416471

SetCurrentDirectoryW.KERNEL32(?,?,?,00413AA3,?), ref: 00413E48
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,004C28F4,00000010), ref: 00481CCE
SetCurrentDirectoryW.KERNEL32(?,004D1148,?,?,?,?,?,00413AA3,?), ref: 00481D06
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,004ADAB4,004D1148,?,?,?,?,?,00413AA3,?), ref: 00481D89
ShellExecuteW.SHELL32(00000000,?,?,?,?,00413AA3), ref: 00481D90

Part of subcall function 00413E6E: GetSysColorBrush.USER32(0000000F), ref: 00413E79
Part of subcall function 00413E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00413E88
Part of subcall function 00413E6E: LoadIconW.USER32(00000063), ref: 00413E9E
Part of subcall function 00413E6E: LoadIconW.USER32(000000A4), ref: 00413EB0
Part of subcall function 00413E6E: LoadIconW.USER32(000000A2), ref: 00413EC2
Part of subcall function 00413E6E: RegisterClassExW.USER32(?), ref: 00413F30

Part of subcall function 004136B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 004136E6
Part of subcall function 004136B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00413707
Part of subcall function 004136B8: ShowWindow.USER32(00000000,?,?,?,?,00413AA3,?), ref: 0041371B
Part of subcall function 004136B8: ShowWindow.USER32(00000000,?,?,?,?,00413AA3,?), ref: 00413724

Part of subcall function 00414FFC: _memset.LIBCMT ref: 00415022
Part of subcall function 00414FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 004150CB

Strings

()L, xrefs: 00481D49
runas, xrefs: 00481D84
This is a third-party compiled AutoIt script., xrefs: 00481CC8

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
String ID: ()L$This is a third-party compiled AutoIt script.$runas
API String ID: 438480954-3068757640
Opcode ID: 883d021d63231dd694850dc321495415755c017b59855c4040b1e9fbdeafbd99
Instruction ID: 2a3ba377083502f17bb651e6e862680c32673382cd7de2922e11c3d721ce1680
Opcode Fuzzy Hash: 883d021d63231dd694850dc321495415755c017b59855c4040b1e9fbdeafbd99
Instruction Fuzzy Hash: D751E431E04345BACF11BBF1DD41EEE7B799B59704F00407BF941A22A2DA7C4A868B2D

Function 0042DDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0042DDEC
GetCurrentProcess.KERNEL32(00000000,004ADC38,?,?), ref: 0042DEAC
GetNativeSystemInfo.KERNELBASE(?,004ADC38,?,?), ref: 0042DF01
FreeLibrary.KERNEL32(00000000,?,?), ref: 0042DF0C
FreeLibrary.KERNEL32(00000000,?,?), ref: 0042DF1F
GetSystemInfo.KERNEL32(?,004ADC38,?,?), ref: 0042DF29
GetSystemInfo.KERNEL32(?,004ADC38,?,?), ref: 0042DF35

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
String ID:
API String ID: 3851250370-0
Opcode ID: 0e0d62b5ef99326c35f8ac788ecdcb53825552bad0b1ed7678d2a9af4ecdffa6
Instruction ID: 5dfbc7e3c1dbde1aa489463f9ea6923f1d15ec4b6b48259c3705ce04a143f052
Opcode Fuzzy Hash: 0e0d62b5ef99326c35f8ac788ecdcb53825552bad0b1ed7678d2a9af4ecdffa6
Instruction Fuzzy Hash: E261C471D0A294CBCF15DF64A5C11EE7FB46F29300B5A89DAD8459F30BC628C509CB6E

Function 0041406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,0041449E,?,?,00000000,00000001), ref: 0041407B
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,0041449E,?,?,00000000,00000001), ref: 00414092
LoadResource.KERNEL32(?,00000000,?,?,0041449E,?,?,00000000,00000001,?,?,?,?,?,?,004141FB), ref: 00484F1A
SizeofResource.KERNEL32(?,00000000,?,?,0041449E,?,?,00000000,00000001,?,?,?,?,?,?,004141FB), ref: 00484F2F
LockResource.KERNEL32(0041449E,?,?,0041449E,?,?,00000000,00000001,?,?,?,?,?,?,004141FB,00000000), ref: 00484F42

Strings

SCRIPT, xrefs: 00414088

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: f84de5a46d8fa49a4c3e70daaa77744f029b83a661207549eb9a67262630f9f9
Instruction ID: 128b76359f42c9deecb0bb31dde5b749287032cc883753f30ab93dafa9b6831b
Opcode Fuzzy Hash: f84de5a46d8fa49a4c3e70daaa77744f029b83a661207549eb9a67262630f9f9
Instruction Fuzzy Hash: 8C117C70600701BFE7259B26EC48F677BB9EBC9B51F20457EF606862A0DB71DC408A24

Function 00456CA9 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00482F49), ref: 00456CB9
FindFirstFileW.KERNELBASE(?,?), ref: 00456CCA
FindClose.KERNEL32(00000000), ref: 00456CDA

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: e5f5aef4885fcf91a5cc0507e48b8ea63d0af83c24c6cb00555f8e34355f4252
Instruction ID: 014fa5abca507f3380bdf97a8e5d6354c3c3f5aedc907934e6caca2d2d989d56
Opcode Fuzzy Hash: e5f5aef4885fcf91a5cc0507e48b8ea63d0af83c24c6cb00555f8e34355f4252
Instruction Fuzzy Hash: 6DE0D832C104106782156738EC0E4EA376CDA1533AF500767F872C32E0EB74DD0445DE

Function 00423200 Relevance: 2.2, Strings: 1, Instructions: 986COMMON

Download Yara Rule

Strings

M, xrefs: 0048933E

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: BuffCharUpper
String ID: M
API String ID: 3964851224-2044235027
Opcode ID: 3010d60c83fafbed1bedde10c77187c90048da7bf2af4eed009601c6b5c95a2a
Instruction ID: b7a37661ba4d04b6ef77e028cc9988edceafdf38fcdfb6d9b889d3c357aafd8c
Opcode Fuzzy Hash: 3010d60c83fafbed1bedde10c77187c90048da7bf2af4eed009601c6b5c95a2a
Instruction Fuzzy Hash: 1E929D706083119FD724DF19C480B6ABBF1BF88308F54885EE88A8B352D779ED45CB5A

Function 0041E8D0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 816windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041E959
timeGetTime.WINMM ref: 0041EBFA
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0041ED2E
TranslateMessage.USER32(?), ref: 0041ED3F
DispatchMessageW.USER32(?), ref: 0041ED4A
LockWindowUpdate.USER32(00000000), ref: 0041ED79
DestroyWindow.USER32 ref: 0041ED85
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0041ED9F
Sleep.KERNEL32(0000000A), ref: 00485270
TranslateMessage.USER32(?), ref: 004859F7
DispatchMessageW.USER32(?), ref: 00485A05
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00485A19

Strings

@GUI_CTRLID, xrefs: 00485314
@TRAY_ID, xrefs: 004854C9
@GUI_WINHANDLE, xrefs: 00485360
@GUI_CTRLHANDLE, xrefs: 004853AC

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 2641332412-570651680
Opcode ID: 96abd7cf41b801127e420c47232587a87f0fbe51c670d34dc0717804522c27b7
Instruction ID: 87acb94041a2785f0c9d76a5ee3213e9b285a0b49390c22e39c7982e2ad75d27
Opcode Fuzzy Hash: 96abd7cf41b801127e420c47232587a87f0fbe51c670d34dc0717804522c27b7
Instruction Fuzzy Hash: 02629374608340DFDB24DF25C885BAE77E4BF44304F04497FE9468B292DB799889CB5A

Function 00445C78 Relevance: 47.9, APIs: 26, Strings: 1, Instructions: 626fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

___createFile.LIBCMT ref: 00445EC3
___createFile.LIBCMT ref: 00445F04
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00445F2D
__dosmaperr.LIBCMT ref: 00445F34
GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 00445F47
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00445F6A
__dosmaperr.LIBCMT ref: 00445F73
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00445F7C
__set_osfhnd.LIBCMT ref: 00445FAC
__lseeki64_nolock.LIBCMT ref: 00446016
__close_nolock.LIBCMT ref: 0044603C
__chsize_nolock.LIBCMT ref: 0044606C
__lseeki64_nolock.LIBCMT ref: 0044607E
__lseeki64_nolock.LIBCMT ref: 00446176
__lseeki64_nolock.LIBCMT ref: 0044618B
__close_nolock.LIBCMT ref: 004461EB

Part of subcall function 0043EA9C: CloseHandle.KERNELBASE(00000000,004BEEF4,00000000,?,00446041,004BEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0043EAEC
Part of subcall function 0043EA9C: GetLastError.KERNEL32(?,00446041,004BEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0043EAF6
Part of subcall function 0043EA9C: __free_osfhnd.LIBCMT ref: 0043EB03
Part of subcall function 0043EA9C: __dosmaperr.LIBCMT ref: 0043EB25

Part of subcall function 00437C0E: __getptd_noexit.LIBCMT ref: 00437C0E

__lseeki64_nolock.LIBCMT ref: 0044620D
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00446342
___createFile.LIBCMT ref: 00446361
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0044636E
__dosmaperr.LIBCMT ref: 00446375
__free_osfhnd.LIBCMT ref: 00446395
__invoke_watson.LIBCMT ref: 004463C3
__wsopen_helper.LIBCMT ref: 004463DD

Strings

@, xrefs: 00445F98

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
String ID: @
API String ID: 3896587723-2766056989
Opcode ID: 01035a62caac20a374ed1ef278592ceeb6fc5a2bad6f4aeab3e011e741589ed1
Instruction ID: a9212f16414ff3bdb350967a8bd62108fa736c4084d896c571aeeca9a8500449
Opcode Fuzzy Hash: 01035a62caac20a374ed1ef278592ceeb6fc5a2bad6f4aeab3e011e741589ed1
Instruction Fuzzy Hash: C52235B1D00505ABFF299F68DC45BAE7B21EF05314F25826BE9219B3D2C63D8D40C75A

Function 0045FA0C Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcscpy.LIBCMT ref: 0045FA96
_wcschr.LIBCMT ref: 0045FAA4
_wcscpy.LIBCMT ref: 0045FABB
_wcscat.LIBCMT ref: 0045FACA
_wcscat.LIBCMT ref: 0045FAE8
_wcscpy.LIBCMT ref: 0045FB09
__wsplitpath.LIBCMT ref: 0045FBE6
_wcscpy.LIBCMT ref: 0045FC0B
_wcscpy.LIBCMT ref: 0045FC1D
_wcscpy.LIBCMT ref: 0045FC32
_wcscat.LIBCMT ref: 0045FC47
_wcscat.LIBCMT ref: 0045FC59
_wcscat.LIBCMT ref: 0045FC6E

Part of subcall function 0045BFA4: _wcscmp.LIBCMT ref: 0045C03E
Part of subcall function 0045BFA4: __wsplitpath.LIBCMT ref: 0045C083
Part of subcall function 0045BFA4: _wcscpy.LIBCMT ref: 0045C096
Part of subcall function 0045BFA4: _wcscat.LIBCMT ref: 0045C0A9
Part of subcall function 0045BFA4: __wsplitpath.LIBCMT ref: 0045C0CE
Part of subcall function 0045BFA4: _wcscat.LIBCMT ref: 0045C0E4
Part of subcall function 0045BFA4: _wcscat.LIBCMT ref: 0045C0F7

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 0045FA61
t2L, xrefs: 0045FC97

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
String ID: >>>AUTOIT SCRIPT<<<$t2L
API String ID: 2955681530-4077017938
Opcode ID: 14c4f5a8e0271102a4edc3771d10915a1b9bfc8e6696b1b1966509e353245da2
Instruction ID: 9d8ff6e154a5282b73d97e6cbfc9b287cd8b02750f522a45e3582ef2358a7e7c
Opcode Fuzzy Hash: 14c4f5a8e0271102a4edc3771d10915a1b9bfc8e6696b1b1966509e353245da2
Instruction Fuzzy Hash: D6919271504205AFDB10EF55C851F9BB3E8BF88314F00496EF95997292DB38FA48CB9A

Function 00413F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00413F86
RegisterClassExW.USER32(00000030), ref: 00413FB0
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00413FC1
InitCommonControlsEx.COMCTL32(?), ref: 00413FDE
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00413FEE
LoadIconW.USER32(000000A9), ref: 00414004
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00414013

Strings

AutoIt v3 GUI, xrefs: 00413FA2
+, xrefs: 00413F6F
0, xrefs: 00413F68
TaskbarCreated, xrefs: 00413FB6

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 54707d5071aa839452660aacc43c2d0734698b9da7fef6ccb5eb58875b35d455
Instruction ID: 2b3a54863ef32167623be0ebf20c6fd3961fa34807cf2339c0243f099b746b50
Opcode Fuzzy Hash: 54707d5071aa839452660aacc43c2d0734698b9da7fef6ccb5eb58875b35d455
Instruction Fuzzy Hash: A221C0B5D01218BFDB00DFA4E889BCDBBB4FB18704F00822BFA11A62A0D7B44544CF99

Function 0045BFA4 Relevance: 18.3, APIs: 12, Instructions: 316
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0045BDB4: __time64.LIBCMT ref: 0045BDBE

Part of subcall function 00414517: _fseek.LIBCMT ref: 0041452F

__wsplitpath.LIBCMT ref: 0045C083

Part of subcall function 00431DFC: __wsplitpath_helper.LIBCMT ref: 00431E3C

_wcscpy.LIBCMT ref: 0045C096
_wcscat.LIBCMT ref: 0045C0A9
__wsplitpath.LIBCMT ref: 0045C0CE
_wcscat.LIBCMT ref: 0045C0E4
_wcscat.LIBCMT ref: 0045C0F7
_wcscmp.LIBCMT ref: 0045C03E

Part of subcall function 0045C56D: _wcscmp.LIBCMT ref: 0045C65D
Part of subcall function 0045C56D: _wcscmp.LIBCMT ref: 0045C670

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0045C2A1
DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0045C338
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0045C34E
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0045C35F
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0045C371

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
String ID:
API String ID: 2378138488-0
Opcode ID: 742451b2c1d07070d74fc89b41cad7866ff68850128563e2dd9308e025441e14
Instruction ID: d7ec5344b846cddb4141bf9ec764bd1f9e03d397c4566305e768396dbb4a8f77
Opcode Fuzzy Hash: 742451b2c1d07070d74fc89b41cad7866ff68850128563e2dd9308e025441e14
Instruction Fuzzy Hash: 6BC12FB1D00219AFDF11DF95CC81EDEB7B9AF49304F0040ABFA09E6152DB789A888F55

Function 00413742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 004137B3
KillTimer.USER32(?,00000001), ref: 004137DD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00413800
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0041380B
CreatePopupMenu.USER32 ref: 0041381F
PostQuitMessage.USER32(00000000), ref: 0041382E

Strings

TaskbarCreated, xrefs: 00413806

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 2d06069e446d4a8dacf3f810e0f55f6520727b3acb2e094e3bcba010c628e843
Instruction ID: 396c99e7af20af7d9cb92f74d66b8cd10dbb730420ce8e6b517f9f56b9b0585c
Opcode Fuzzy Hash: 2d06069e446d4a8dacf3f810e0f55f6520727b3acb2e094e3bcba010c628e843
Instruction Fuzzy Hash: 3C4104B5200145BBDB146F689D49BFA36A9F700302F04853BF922922F1CB6C9DD1972E

Function 00413E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00413E79
LoadCursorW.USER32(00000000,00007F00), ref: 00413E88
LoadIconW.USER32(00000063), ref: 00413E9E
LoadIconW.USER32(000000A4), ref: 00413EB0
LoadIconW.USER32(000000A2), ref: 00413EC2

Part of subcall function 00414024: LoadImageW.USER32(00410000,00000063,00000001,00000010,00000010,00000000), ref: 00414048

RegisterClassExW.USER32(?), ref: 00413F30

Part of subcall function 00413F53: GetSysColorBrush.USER32(0000000F), ref: 00413F86
Part of subcall function 00413F53: RegisterClassExW.USER32(00000030), ref: 00413FB0
Part of subcall function 00413F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00413FC1
Part of subcall function 00413F53: InitCommonControlsEx.COMCTL32(?), ref: 00413FDE
Part of subcall function 00413F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00413FEE
Part of subcall function 00413F53: LoadIconW.USER32(000000A9), ref: 00414004
Part of subcall function 00413F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00414013

Strings

#, xrefs: 00413F09
AutoIt v3, xrefs: 00413F1F
0, xrefs: 00413F02

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 890c6ffa30dbdea7446b95a34038b8d710e7fab6f7ce990f1863d59b890f239b
Instruction ID: ff870bfde1c749087cd45f7270ee05988e7849055036f2e4bcb5ad0829a811c7
Opcode Fuzzy Hash: 890c6ffa30dbdea7446b95a34038b8d710e7fab6f7ce990f1863d59b890f239b
Instruction Fuzzy Hash: A02128B0E01304BBDB01DFA9ED49A9DBBF5EB48314F00813BEA14A22B1D77546808B99

Function 0043ACB3 Relevance: 15.2, APIs: 10, Instructions: 219
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__lock.LIBCMT ref: 0043ACC1

Part of subcall function 00437CF4: __mtinitlocknum.LIBCMT ref: 00437D06
Part of subcall function 00437CF4: EnterCriticalSection.KERNEL32(00000000,?,00437ADD,0000000D), ref: 00437D1F

__calloc_crt.LIBCMT ref: 0043ACD2

Part of subcall function 00436986: __calloc_impl.LIBCMT ref: 00436995
Part of subcall function 00436986: Sleep.KERNEL32(00000000,000003BC,0042F507,?,0000000E), ref: 004369AC

@_EH4_CallFilterFunc@8.LIBCMT ref: 0043ACED
GetStartupInfoW.KERNEL32(?,004C6E28,00000064,00435E91,004C6C70,00000014), ref: 0043AD46
__calloc_crt.LIBCMT ref: 0043AD91
GetFileType.KERNEL32(00000001), ref: 0043ADD8
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 0043AE11

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
String ID:
API String ID: 1426640281-0
Opcode ID: ec1e87a27553868fcedbd39e4b8dd1114e72cf02af8664bbf8b04f502900a3f5
Instruction ID: bf88bf925427db3155f0bf35218ed27ed9d9c3ea0a0ed179d323ad0cc3ad3997
Opcode Fuzzy Hash: ec1e87a27553868fcedbd39e4b8dd1114e72cf02af8664bbf8b04f502900a3f5
Instruction Fuzzy Hash: FD81D2B09453458FDB24CF68C8415AEBBF0AF09325F24526FD4A6AB3D1C7389813CB5A

Function 01658218 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 016582E9
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0165850F

Memory Dump Source

Source File: 00000000.00000002.1278547801.0000000001655000.00000040.00000020.00020000.00000000.sdmp, Offset: 01655000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1655000_LOI REQUEST.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction ID: cff8f820b692099844012e9cafe7972b3aabc6a641c0bd2cf9316222384510ad
Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction Fuzzy Hash: 63A12870E01209EBDF54CFA5C894BEEBBB9BF48304F208159EA01BB281D7759A41CB55

Function 004149FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00414A1D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 004841DB
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0048421A
RegCloseKey.ADVAPI32(?), ref: 00484249

Strings

Software\AutoIt v3\AutoIt, xrefs: 00414A13
Include, xrefs: 004841D3, 00484212

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Include$Software\AutoIt v3\AutoIt
API String ID: 1586453840-614718249
Opcode ID: eae989c5e2eb0cfbdfa79373a409b7bc74fc4f43fa17e34591348e9247e796a1
Instruction ID: c5b074dd39a833993450f375293512a5ef31502f8c4f9c617641cd05039e7122
Opcode Fuzzy Hash: eae989c5e2eb0cfbdfa79373a409b7bc74fc4f43fa17e34591348e9247e796a1
Instruction Fuzzy Hash: FD116071A00109BEDB00ABA4CD86DEF7BBCEF15358F10006AB502D2191EA749E41D758

Function 004136B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 004136E6
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00413707
ShowWindow.USER32(00000000,?,?,?,?,00413AA3,?), ref: 0041371B
ShowWindow.USER32(00000000,?,?,?,?,00413AA3,?), ref: 00413724

Strings

AutoIt v3, xrefs: 004136DE, 004136E3, 004136E4
edit, xrefs: 00413701

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 25b097b75fdcc953e60451a2011e800fee8d97a292d1981ed143a753a10abace
Instruction ID: 91d298496141f26ea3d70fe95bcb137d94f0baae47dd4db5e59e40daf1e48d5c
Opcode Fuzzy Hash: 25b097b75fdcc953e60451a2011e800fee8d97a292d1981ed143a753a10abace
Instruction Fuzzy Hash: AAF0DA71A412D07AE7326797AC48E772F7DD7D7F20B00403BBE05A25B0C6650895DAB8

Function 01657FD8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 149
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01657EC8: Sleep.KERNELBASE(000001F4), ref: 01657ED9

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01658109

Strings

AAVR7EVW1WM1AZWU2CSSUA1JJ9Y57, xrefs: 0165816C, 0165816F

Memory Dump Source

Source File: 00000000.00000002.1278547801.0000000001655000.00000040.00000020.00020000.00000000.sdmp, Offset: 01655000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1655000_LOI REQUEST.jbxd

Similarity

API ID: CreateFileSleep
String ID: AAVR7EVW1WM1AZWU2CSSUA1JJ9Y57
API String ID: 2694422964-2277590582
Opcode ID: f91bd6a0a4ecc975950ae6b03b55aaa99b28061923129184bf3ecfdf3f6445bd
Instruction ID: d140b83ce6c451a78b3950a5d99891c4dde204921183acf4763860220cd3f9ea
Opcode Fuzzy Hash: f91bd6a0a4ecc975950ae6b03b55aaa99b28061923129184bf3ecfdf3f6445bd
Instruction Fuzzy Hash: AE519330D08289DAEF12D7B8CC58BDEBBB9AF15305F044199E6497B2C1C7B90B49CB65

Function 00414A30 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00415374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004D1148,?,004161FF,?,00000000,00000001,00000000), ref: 00415392

Part of subcall function 004149FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00414A1D

_wcscat.LIBCMT ref: 00482D80
_wcscat.LIBCMT ref: 00482DB5

Strings

\, xrefs: 00482DA2
\Include\, xrefs: 00414B0A
8!M, xrefs: 00414B1C

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: _wcscat$FileModuleNameOpen
String ID: 8!M$\$\Include\
API String ID: 3592542968-2481258703
Opcode ID: e4487faea40fbc3fc31c6419b905c4748f6a552fa8a5eaef570367c117a1a28c
Instruction ID: 3d7b5760c8c7083ff87a1732069f77f89a5281dc22313b133fa0ce8eb4601726
Opcode Fuzzy Hash: e4487faea40fbc3fc31c6419b905c4748f6a552fa8a5eaef570367c117a1a28c
Instruction Fuzzy Hash: E05183714053409BC704EF56EA9189FB7F4BFA9304B40893FF64593261EBB89648CB5E

Function 00414139 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 258COMMON

Download Yara Rule

APIs

Part of subcall function 004141A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,004139FE,?,00000001), ref: 004141DB

_free.LIBCMT ref: 004836B7
_free.LIBCMT ref: 004836FE

Part of subcall function 0041C833: __wsplitpath.LIBCMT ref: 0041C93E
Part of subcall function 0041C833: _wcscpy.LIBCMT ref: 0041C953
Part of subcall function 0041C833: _wcscat.LIBCMT ref: 0041C968
Part of subcall function 0041C833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0041C978

Strings

Bad directive syntax error, xrefs: 004836E4
>>>AUTOIT SCRIPT<<<, xrefs: 00483491

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 805182592-1757145024
Opcode ID: 6f7fbdedfcf45ce03a9f7bade30a3908d40a86cdba1a2b70a3c24fdcb4852b78
Instruction ID: 89da841b3934eeb2f049351d59dff9965b0a06ee38f1cab57bf87f2b1af57df5
Opcode Fuzzy Hash: 6f7fbdedfcf45ce03a9f7bade30a3908d40a86cdba1a2b70a3c24fdcb4852b78
Instruction Fuzzy Hash: 85919371910218AFCF04EFA5CC919EEB7B4BF05715F50442FF816AB291EB38AA45CB58

Function 004140E5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00483725
GetOpenFileNameW.COMDLG32 ref: 0048376F

Part of subcall function 0041660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004153B1,?,?,004161FF,?,00000000,00000001,00000000), ref: 0041662F

Part of subcall function 004140A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 004140C6

Strings

X, xrefs: 0048373E
t3L, xrefs: 00483745

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X$t3L
API String ID: 3777226403-971563897
Opcode ID: 392be0cf1cecf0daeaf28dd63c46164854fcbc212edc7bdd62b7edc723a97759
Instruction ID: f995879c9cdf501afcbeb1a8c287e51cd47cfac48791880e1e17303299b7ba5d
Opcode Fuzzy Hash: 392be0cf1cecf0daeaf28dd63c46164854fcbc212edc7bdd62b7edc723a97759
Instruction Fuzzy Hash: FD21C671A10198ABCF01EF95C805BDE7BF99F89304F00801FE405A7241DBBC9A898F69

Function 004334AE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__getstream.LIBCMT ref: 004334FE

Part of subcall function 00437C0E: __getptd_noexit.LIBCMT ref: 00437C0E

@_EH4_CallFilterFunc@8.LIBCMT ref: 00433539
__wopenfile.LIBCMT ref: 00433549

Strings

<G, xrefs: 004334CD, 004334F0, 004334FC

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
String ID: <G
API String ID: 1820251861-2138716496
Opcode ID: a59b08f3bb7382d1ef461dcf74ad68f0a2f54a58d2b048dfb0ad7ce158f9b79a
Instruction ID: 6dfa57e9ec91e7cdab5d13c2816149be4e7b5caf0db9531edbc44152dbda8c08
Opcode Fuzzy Hash: a59b08f3bb7382d1ef461dcf74ad68f0a2f54a58d2b048dfb0ad7ce158f9b79a
Instruction Fuzzy Hash: EC113A70A00206BBDB21BF728C0276F36A4AF5D358F15A52FE415C72C1EB3CCA0197A9

Function 0042D298 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,0042D28B,SwapMouseButtons,00000004,?), ref: 0042D2BC
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,0042D28B,SwapMouseButtons,00000004,?,?,?,?,0042C865), ref: 0042D2DD
RegCloseKey.KERNELBASE(00000000,?,?,0042D28B,SwapMouseButtons,00000004,?,?,?,?,0042C865), ref: 0042D2FF

Strings

Control Panel\Mouse, xrefs: 0042D2BA

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 9dff41a9aabe1bca96e4dda07ecb9701986f8c8b906762f496a3593676f6c69e
Instruction ID: a9621384f09a0db73fc7b7df7dec803eaa3aca73160d0201e7cacd0720d4011a
Opcode Fuzzy Hash: 9dff41a9aabe1bca96e4dda07ecb9701986f8c8b906762f496a3593676f6c69e
Instruction Fuzzy Hash: 7F117C75A11218FFDB10CF64DC84EAF7BB8EF04744F00446AE901D7210D675DE419B68

Function 01656EC8 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01657683
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01657719
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0165773B

Memory Dump Source

Source File: 00000000.00000002.1278547801.0000000001655000.00000040.00000020.00020000.00000000.sdmp, Offset: 01655000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1655000_LOI REQUEST.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: ec40cea32e34b77dc66852b254e16eb814eeb5cb53dbe13a3b9b961a1e41453f
Instruction ID: 835789494382bb874723313ecd6378073d36023da0ffd2ab408e9e1f4ccd0e1b
Opcode Fuzzy Hash: ec40cea32e34b77dc66852b254e16eb814eeb5cb53dbe13a3b9b961a1e41453f
Instruction Fuzzy Hash: B062F930A14258DAEB64CFA4CC40BEEB776EF58300F5091A9D50DEB390E7799E81CB59

Function 0045C396 Relevance: 6.2, APIs: 4, Instructions: 154COMMON

Download Yara Rule

APIs

Part of subcall function 00414517: _fseek.LIBCMT ref: 0041452F

Part of subcall function 0045C56D: _wcscmp.LIBCMT ref: 0045C65D
Part of subcall function 0045C56D: _wcscmp.LIBCMT ref: 0045C670

_free.LIBCMT ref: 0045C4DD
_free.LIBCMT ref: 0045C4E4
_free.LIBCMT ref: 0045C54F

Part of subcall function 00431C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00437A85), ref: 00431CB1
Part of subcall function 00431C9D: GetLastError.KERNEL32(00000000,?,00437A85), ref: 00431CC3

_free.LIBCMT ref: 0045C557

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 2db9d723d2f1f24614347a7e6fc8c80c315d14cd5ac174f49895e1fbecc6b5fc
Instruction ID: 0997e0c81230736af99e4e8c248fe41e5ed4063527e0903bc42d9d4d66d10d1d
Opcode Fuzzy Hash: 2db9d723d2f1f24614347a7e6fc8c80c315d14cd5ac174f49895e1fbecc6b5fc
Instruction Fuzzy Hash: 3F5171B1904218AFDF149F69DC81BEDBBB9EF48304F10009EF649A3251DB755A84CF59

Function 0042EB83 Relevance: 6.1, APIs: 4, Instructions: 65timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0042EBB2

Part of subcall function 004151AF: _memset.LIBCMT ref: 0041522F
Part of subcall function 004151AF: _wcscpy.LIBCMT ref: 00415283
Part of subcall function 004151AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00415293

KillTimer.USER32(?,00000001,?,?), ref: 0042EC07
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0042EC16
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00483C88

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: be2e7fea8d232e062f6505531aa9afa5cdbf94cd0457aab91fc0def7fe81d972
Instruction ID: 5f12543fa9bc0a7ab9b3305be91d89905d57e7653e122df6e7de78dae0723a63
Opcode Fuzzy Hash: be2e7fea8d232e062f6505531aa9afa5cdbf94cd0457aab91fc0def7fe81d972
Instruction Fuzzy Hash: 79212C71904794AFE7339B69D855BEBBBEC9B01708F04049FE68E57241C3782A84CB59

Function 0045C71A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 0045C72F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0045C746

Strings

aut, xrefs: 0045C740

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: f5ae9898828cb76baa59448833a44d9d6ba05ceea45e0f7dab9bae47df509d7a
Instruction ID: 7a4b93e86c318086bbfe2fa2fa9c35056f800ec6580a0491d6f169b4a8467554
Opcode Fuzzy Hash: f5ae9898828cb76baa59448833a44d9d6ba05ceea45e0f7dab9bae47df509d7a
Instruction Fuzzy Hash: B1D05E7590030EABDB50AB90DC0EFCAB76C9710B04F0001B27650A50B1DAB4E6998B59

Function 0046F8AE Relevance: 4.9, APIs: 3, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ec52d803bd92efa9f151d2a38ae811ee38886c7248abf07f72fcdb70a70bb07
Instruction ID: 04e510598d74190e050f7ec6df1826742c4399a49f969f0eb798685f9d4fc50e
Opcode Fuzzy Hash: 6ec52d803bd92efa9f151d2a38ae811ee38886c7248abf07f72fcdb70a70bb07
Instruction Fuzzy Hash: FDF17B716083019FC710DF25D481B5AB7E5FF88318F10892EF9959B392EB38E949CB86

Function 0043395C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00433973

Part of subcall function 004381C2: __NMSG_WRITE.LIBCMT ref: 004381E9
Part of subcall function 004381C2: __NMSG_WRITE.LIBCMT ref: 004381F3

__NMSG_WRITE.LIBCMT ref: 0043397A

Part of subcall function 0043821F: GetModuleFileNameW.KERNEL32(00000000,004D0312,00000104,00000000,00000001,00000000), ref: 004382B1
Part of subcall function 0043821F: ___crtMessageBoxW.LIBCMT ref: 0043835F

Part of subcall function 00431145: ___crtCorExitProcess.LIBCMT ref: 0043114B
Part of subcall function 00431145: ExitProcess.KERNEL32 ref: 00431154

Part of subcall function 00437C0E: __getptd_noexit.LIBCMT ref: 00437C0E

RtlAllocateHeap.NTDLL(01610000,00000000,00000001,00000001,00000000,?,?,0042F507,?,0000000E), ref: 0043399F

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 099c43edd30f0c6cff6b2a3fdf3bf27eed43b25420e466cbbfaa94ef3df72737
Instruction ID: 09d9328b8d3f2207170fd2c7584a7c5361efc118e908c6f83f5365198fa0e2ef
Opcode Fuzzy Hash: 099c43edd30f0c6cff6b2a3fdf3bf27eed43b25420e466cbbfaa94ef3df72737
Instruction Fuzzy Hash: E40184B1245201DAEA213F269C52B6F63589F89769F21302FF50597292DEBCDD00466D

Function 0045C6D9 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,0045C385,?,?,?,?,?,00000004), ref: 0045C6F2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,0045C385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 0045C708
CloseHandle.KERNEL32(00000000,?,0045C385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0045C70F

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: a591a328245e0f0631e09d4a3042b987c529a347346adebd0b9cd288aea2d8ac
Instruction ID: 7b109db163c1180046dde713045c4eee9f0eddf681b40a07cf4fb42e0e13ff83
Opcode Fuzzy Hash: a591a328245e0f0631e09d4a3042b987c529a347346adebd0b9cd288aea2d8ac
Instruction Fuzzy Hash: 1AE08632540214BBD7311B64EC0EFCA7B18AB15761F104132FB14690E197B12511879C

Function 0045BB64 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0045BB72

Part of subcall function 00431C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00437A85), ref: 00431CB1
Part of subcall function 00431C9D: GetLastError.KERNEL32(00000000,?,00437A85), ref: 00431CC3

_free.LIBCMT ref: 0045BB83
_free.LIBCMT ref: 0045BB95

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9be2b5beef45e3014043d3abdf219173afad32993680376f9e1db3d5b0d03a7e
Instruction ID: 906462d5e2e3cf9f6c211eb84c1ff725573d505b32cf07fa3f25b9b48d0eb018
Opcode Fuzzy Hash: 9be2b5beef45e3014043d3abdf219173afad32993680376f9e1db3d5b0d03a7e
Instruction Fuzzy Hash: 21E012A164174146DA24697A6E54EB313DC8F08356B14281FB859E7647CF6CF84485EC

Function 00412322 Relevance: 3.9, APIs: 3, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 004122A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,004124F1), ref: 00412303

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 004125A1
CoInitialize.OLE32(00000000), ref: 00412618
CloseHandle.KERNEL32(00000000), ref: 0048503A

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 3815369404-0
Opcode ID: b8ea29231488bc901a0338e4cea086641505784bfb9269c4f39c764bfce7298f
Instruction ID: ac9f771899fbc28cea27becbbdd28f455d59d78118ad12d51c0d544eae32a3fc
Opcode Fuzzy Hash: b8ea29231488bc901a0338e4cea086641505784bfb9269c4f39c764bfce7298f
Instruction Fuzzy Hash: 3D71A2B4A03241BBD704EF9AB9A4599BBA4B75934478041BFDD19E73B2CB7A4440CF1C

Function 00413A0F Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00413A73

Part of subcall function 00431405: __lock.LIBCMT ref: 0043140B

Part of subcall function 00413ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00413AF3
Part of subcall function 00413ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00413B08

Part of subcall function 00413D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00413AA3,?), ref: 00413D45
Part of subcall function 00413D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00413AA3,?), ref: 00413D57
Part of subcall function 00413D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,004D1148,004D1130,?,?,?,?,00413AA3,?), ref: 00413DC8
Part of subcall function 00413D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00413AA3,?), ref: 00413E48

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00413AB3

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
String ID:
API String ID: 924797094-0
Opcode ID: b1d003eed75e26ef0677f46dc64452f4e0e79de2b611104efd3fe7a321ea8afb
Instruction ID: 946f6b8e848063285b2505710361e18ec7aa9b4e5f64176e9536f8a6d5e8e678
Opcode Fuzzy Hash: b1d003eed75e26ef0677f46dc64452f4e0e79de2b611104efd3fe7a321ea8afb
Instruction Fuzzy Hash: 6111C071904351ABC300EF66ED4590EFBE8EFA4350F00892FF884832B1DBB49581CB9A

Function 0043E9D2 Relevance: 3.1, APIs: 2, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 0043EA29
__close_nolock.LIBCMT ref: 0043EA42

Part of subcall function 00437BDA: __getptd_noexit.LIBCMT ref: 00437BDA

Part of subcall function 00437C0E: __getptd_noexit.LIBCMT ref: 00437C0E

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle__close_nolock
String ID:
API String ID: 1046115767-0
Opcode ID: b714a15aab3651254536f44e2ea487f6e7ba883d747b4a94f30594f229fe7cd8
Instruction ID: 893f716fd68599c94d51164c95a525010410285e450c7dcadb2fcbfc161e3e35
Opcode Fuzzy Hash: b714a15aab3651254536f44e2ea487f6e7ba883d747b4a94f30594f229fe7cd8
Instruction Fuzzy Hash: 0C11ECB24076149ED711BFA6C84131D7A606F49339F26634BE4605F1E2C7BC9C018BAD

Function 0042F4EA Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 0043395C: __FF_MSGBANNER.LIBCMT ref: 00433973
Part of subcall function 0043395C: __NMSG_WRITE.LIBCMT ref: 0043397A
Part of subcall function 0043395C: RtlAllocateHeap.NTDLL(01610000,00000000,00000001,00000001,00000000,?,?,0042F507,?,0000000E), ref: 0043399F

std::exception::exception.LIBCMT ref: 0042F51E
__CxxThrowException@8.LIBCMT ref: 0042F533

Part of subcall function 00436805: RaiseException.KERNEL32(?,?,0000000E,004C6A30,?,?,?,0042F538,0000000E,004C6A30,?,00000001), ref: 00436856

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: ead1e8aaf52859e2f6eb5a574f3ef1dd7f906c1b06d95a7b6f896231ce8ed934
Instruction ID: 9360134d3bf845da15e21e057f6b06757621da30a2fd56729cc4104aabe7dc3a
Opcode Fuzzy Hash: ead1e8aaf52859e2f6eb5a574f3ef1dd7f906c1b06d95a7b6f896231ce8ed934
Instruction Fuzzy Hash: 2AF0867150411E77DB04BE99E90199E7AA85F04358FE0853FF90891141DBB8965486AD

Function 004335E4 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00437C0E: __getptd_noexit.LIBCMT ref: 00437C0E

__lock_file.LIBCMT ref: 00433629

Part of subcall function 00434E1C: __lock.LIBCMT ref: 00434E3F

__fclose_nolock.LIBCMT ref: 00433634

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: b979c09d690422f3d4f59b8aedb7875cd625d121e4c7dfca082568ddf2b8bd93
Instruction ID: 6f192725fa138bfdbea393b5f9d3b582acbd9bc0a87fc1db216883b0362b0bae
Opcode Fuzzy Hash: b979c09d690422f3d4f59b8aedb7875cd625d121e4c7dfca082568ddf2b8bd93
Instruction Fuzzy Hash: ECF09671801215BED721BF66880375E76A05F4933AF26E10FE420EB2C1C77C9A419E5D

Function 01656EC5 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01657683
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01657719
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0165773B

Memory Dump Source

Source File: 00000000.00000002.1278547801.0000000001655000.00000040.00000020.00020000.00000000.sdmp, Offset: 01655000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1655000_LOI REQUEST.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction ID: ce00ca3773d639263d6a5594df1b763d2c364c2c08602e6d2c7053fc81c337b8
Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction Fuzzy Hash: 7112CE24E24658C6EB24DF64D8507DEB232EF68300F1090E9910DEB7A5E77A4F85CF5A

Function 00432957 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 00432A0B

Part of subcall function 00437C0E: __getptd_noexit.LIBCMT ref: 00437C0E

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: __flush__getptd_noexit
String ID:
API String ID: 4101623367-0
Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction ID: a13c0577be56c2c28bf56ca2b247ae76aaf2e2bf2f6872684b7e10bfdb08561a
Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction Fuzzy Hash: BF41C8707007069FDF289EA9CA8156F77A6AF4D360F24A52FE455C7240D6F8DD418B48

Function 0042ED18 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0042EDC7

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 72cd989cc9ea9149896f6e2ef5107a4e3a6c6240e5a4a84f28e5f6fb992b5806
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: FC311870B10116DBC718DF1AE48096AFBB2FF49340BA486A6E409CB356DB34EDC1CB94

Function 00489A75 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00489A80

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: f8ff16ba458c7bbabb77bf0e76b55180c0810c533788288478512ac32c526c28
Instruction ID: faeda1bbd7427e335db1e5e54937e60c972ddc488ccff6fd97875f758c8b8ba7
Opcode Fuzzy Hash: f8ff16ba458c7bbabb77bf0e76b55180c0810c533788288478512ac32c526c28
Instruction Fuzzy Hash: 3F418F746046118FDB24DF15D084B1ABBE0BF45308F5889ADE9964B362C37AFC86CF46

Function 004141A9 Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00414214: FreeLibrary.KERNEL32(00000000,?), ref: 00414247

LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,004139FE,?,00000001), ref: 004141DB

Part of subcall function 00414291: FreeLibrary.KERNEL32(00000000), ref: 004142C4

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Library$Free$Load
String ID:
API String ID: 2391024519-0
Opcode ID: f6471562e8ad24c4e1217871e5fed76ee198ad7c0c932fcd2cbf60942f187018
Instruction ID: 055b1323026c89b08ebf669a85626188c07a52cca1ae58d415c7d3ebaecb28a9
Opcode Fuzzy Hash: f6471562e8ad24c4e1217871e5fed76ee198ad7c0c932fcd2cbf60942f187018
Instruction Fuzzy Hash: F311E731700306AADB10BB75DC06FDE77A59FC0758F10842FB996AB1C1DB78DA819B68

Function 00489B45 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00489B51

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: ab5ff66ca807d1be84b77b1d393a28fd47433e86e113e3a68315f9eb40c69fdf
Instruction ID: 746364fde5595b7573c42d9431969ee23a8cb24ce266aa455d7f45c67b6e8b92
Opcode Fuzzy Hash: ab5ff66ca807d1be84b77b1d393a28fd47433e86e113e3a68315f9eb40c69fdf
Instruction Fuzzy Hash: D62166706082119FDB24DF25D444A1BBBF0BF84308F94496EE99647322C339F886CF5A

Function 0043AF61 Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 0043AFC0

Part of subcall function 00437BDA: __getptd_noexit.LIBCMT ref: 00437BDA

Part of subcall function 00437C0E: __getptd_noexit.LIBCMT ref: 00437C0E

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle
String ID:
API String ID: 1144279405-0
Opcode ID: 46b72fdd8ea934d111e0297ad15683f6c49f32180f67929126d87f93d789c8d9
Instruction ID: 24b6e4170d4d31a7f37ad45907a3ac06ea82bc265c675d59417ef8c7a90323b1
Opcode Fuzzy Hash: 46b72fdd8ea934d111e0297ad15683f6c49f32180f67929126d87f93d789c8d9
Instruction Fuzzy Hash: 151193B28056009BD7157FA5C84175E76709F49339F16624BE5741F1E2C7BC99008BAE

Function 004139DB Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6835a613e9910970744cf47f90ff2063449a5087be5f2ce099398601ed1c7b70
Instruction ID: c89ed7f672151b8570ce6aac02440a6dd87f6fb2db1b90821d6da8cc0f8db02a
Opcode Fuzzy Hash: 6835a613e9910970744cf47f90ff2063449a5087be5f2ce099398601ed1c7b70
Instruction Fuzzy Hash: CA01863140010DAECF04EF65C8918EEBB74AF11344F10806BB515971A5EA349A89DB68

Function 00432AAE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00432AED

Part of subcall function 00437C0E: __getptd_noexit.LIBCMT ref: 00437C0E

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 1adcde13e9a1d053f31815996a327d55b77affc64f6ba51e18211671b9e74acb
Instruction ID: 90f600a8eecc99a9a3d7d0e723889a98e84651d88e4a75fdf86a4252ea2c54a0
Opcode Fuzzy Hash: 1adcde13e9a1d053f31815996a327d55b77affc64f6ba51e18211671b9e74acb
Instruction Fuzzy Hash: 19F0C231500206ABDF61BF66CD0279F3AA1BF48318F15A41BB4109A191D7BC8A12DB49

Function 00414252 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,?,?,004139FE,?,00000001), ref: 00414286

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 060d438faaf753c6dc0d6f46424046755362001f8f83dbac856c0c744d6bbd2a
Instruction ID: 45feacab7e9050652006a07d036089273a1e143c46d7548a28c6c76f2ff9078f
Opcode Fuzzy Hash: 060d438faaf753c6dc0d6f46424046755362001f8f83dbac856c0c744d6bbd2a
Instruction Fuzzy Hash: 49F03071505702DFCB349F64D490896B7E4BF543663248ABFF5D682610C77598C0DF54

Function 004140A7 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 004140C6

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 0c2a50883477031ba02ba5f542ef3e5e40af56b0d284d3a60c40cf66341f0240
Instruction ID: b59632dfa9d61e778b46eddf08379afdba4f017cf2169e0aed12d3f118f8f68a
Opcode Fuzzy Hash: 0c2a50883477031ba02ba5f542ef3e5e40af56b0d284d3a60c40cf66341f0240
Instruction Fuzzy Hash: 64E07D339001241BC711A258CC42FEA339CDF8C6A4F050076F904D3204DA64D9C08694

Function 01657EC8 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01657ED9

Memory Dump Source

Source File: 00000000.00000002.1278547801.0000000001655000.00000040.00000020.00020000.00000000.sdmp, Offset: 01655000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1655000_LOI REQUEST.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: eb6f0c989ba6fe1de72bbd5770dd36b1ce7c24206d74722766ce28a4f48169e6
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: ADE0E67494020EDFDB00DFB4D94969E7BB4EF04301F1001A1FD01D2680DA309D509A62

Non-executed Functions

Function 0047AACE Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 574windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0047B1CD

Strings

%d/%02d/%02d, xrefs: 0047AEFC

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: edc418f4ad669d53d2b2dd451c7e5aec85b231992f5744ba670d26a2e615a653
Instruction ID: 2e60821acade21f4196902fa4e73e2b22c1402ff883dab45bc434426d7608b2b
Opcode Fuzzy Hash: edc418f4ad669d53d2b2dd451c7e5aec85b231992f5744ba670d26a2e615a653
Instruction Fuzzy Hash: 4D12CE71600218ABEB259F64CC59BEF7BB8FF85310F10812BF9199B2D0DB789941CB59

Function 0042EB42 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000), ref: 0042EB4A
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00483AEA
IsIconic.USER32(000000FF), ref: 00483AF3
ShowWindow.USER32(000000FF,00000009), ref: 00483B00
SetForegroundWindow.USER32(000000FF), ref: 00483B0A
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00483B20
GetCurrentThreadId.KERNEL32 ref: 00483B27
GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 00483B33
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00483B44
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00483B4C
AttachThreadInput.USER32(00000000,?,00000001), ref: 00483B54
SetForegroundWindow.USER32(000000FF), ref: 00483B57
MapVirtualKeyW.USER32(00000012,00000000), ref: 00483B6C
keybd_event.USER32(00000012,00000000), ref: 00483B77
MapVirtualKeyW.USER32(00000012,00000000), ref: 00483B81
keybd_event.USER32(00000012,00000000), ref: 00483B86
MapVirtualKeyW.USER32(00000012,00000000), ref: 00483B8F
keybd_event.USER32(00000012,00000000), ref: 00483B94
MapVirtualKeyW.USER32(00000012,00000000), ref: 00483B9E
keybd_event.USER32(00000012,00000000), ref: 00483BA3
SetForegroundWindow.USER32(000000FF), ref: 00483BA6
AttachThreadInput.USER32(000000FF,?,00000000), ref: 00483BCD

Strings

Shell_TrayWnd, xrefs: 00483AE5

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: c4e3927ffcd3992751916e27247504b8c7b5d5aa5ffa402087358fe90d653d11
Instruction ID: f95104059de5b1d276ee3bada3c107d65e890df36e4505159319327a5661c4d8
Opcode Fuzzy Hash: c4e3927ffcd3992751916e27247504b8c7b5d5aa5ffa402087358fe90d653d11
Instruction Fuzzy Hash: EF3182B1E402187BEB206FA58C49F7F3E6CEB44B50F114437FA05AA1D1D6B46D019BA8

Function 0044ACC5 Relevance: 37.0, APIs: 17, Strings: 4, Instructions: 223COMMON

Download Yara Rule

APIs

Part of subcall function 0044B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0044B180
Part of subcall function 0044B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0044B1AD
Part of subcall function 0044B134: GetLastError.KERNEL32 ref: 0044B1BA

_memset.LIBCMT ref: 0044AD08
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 0044AD5A
CloseHandle.KERNEL32(?), ref: 0044AD6B
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 0044AD82
GetProcessWindowStation.USER32 ref: 0044AD9B
SetProcessWindowStation.USER32(00000000), ref: 0044ADA5
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0044ADBF

Part of subcall function 0044AB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0044ACC0), ref: 0044AB99
Part of subcall function 0044AB84: CloseHandle.KERNEL32(?,?,0044ACC0), ref: 0044ABAB

Strings

winsta0, xrefs: 0044AD7D
default, xrefs: 0044ADBA
, xrefs: 0044AD17
H*L, xrefs: 0044AE40

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $H*L$default$winsta0
API String ID: 2063423040-2610704889
Opcode ID: 544bddb9b95afd93e67a99f7e419b624eb183c34ff882e93ba8dc13671aac674
Instruction ID: e9081b3d643e11be456e698cf3e47fd7df11129b0eb14490b766add946f1759e
Opcode Fuzzy Hash: 544bddb9b95afd93e67a99f7e419b624eb183c34ff882e93ba8dc13671aac674
Instruction Fuzzy Hash: C981A071840209BFEF119FA4CC44AEF7B78EF08308F14412AF924A2261D7798E64DB69

Function 004560DD Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 174filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00456EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00455FA6,?), ref: 00456ED8

Part of subcall function 00456EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00455FA6,?), ref: 00456EF1

Part of subcall function 0045725E: __wsplitpath.LIBCMT ref: 0045727B
Part of subcall function 0045725E: __wsplitpath.LIBCMT ref: 0045728E

Part of subcall function 004572CB: GetFileAttributesW.KERNEL32(?,00456019), ref: 004572CC

_wcscat.LIBCMT ref: 00456149
_wcscat.LIBCMT ref: 00456167
__wsplitpath.LIBCMT ref: 0045618E
FindFirstFileW.KERNEL32(?,?), ref: 004561A4
_wcscpy.LIBCMT ref: 00456209
_wcscat.LIBCMT ref: 0045621C
_wcscat.LIBCMT ref: 0045622F
lstrcmpiW.KERNEL32(?,?), ref: 0045625D
DeleteFileW.KERNEL32(?), ref: 0045626E
MoveFileW.KERNEL32(?,?), ref: 00456289
MoveFileW.KERNEL32(?,?), ref: 00456298
CopyFileW.KERNEL32(?,?,00000000), ref: 004562AD
DeleteFileW.KERNEL32(?), ref: 004562BE
FindNextFileW.KERNEL32(00000000,00000010), ref: 004562E1
FindClose.KERNEL32(00000000), ref: 004562FD
FindClose.KERNEL32(00000000), ref: 0045630B

Strings

\*.*, xrefs: 00456138, 00456147, 00456165

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
String ID: \*.*
API String ID: 1917200108-1173974218
Opcode ID: 6fbb5a41fc2f07b1af6314db940e28db6ddd56424f5230f043a7599df83603a2
Instruction ID: 376f298f0b2100030e93918ab4207cdad3388eb01b3ce09e15acf54964c052c9
Opcode Fuzzy Hash: 6fbb5a41fc2f07b1af6314db940e28db6ddd56424f5230f043a7599df83603a2
Instruction Fuzzy Hash: 69512072C0811C6ACB21EBA2CC45DEB77BCAF15305F4501EBE945E3142DA3A974D8FA9

Function 00466B0C Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(004ADC00), ref: 00466B36
IsClipboardFormatAvailable.USER32(0000000D), ref: 00466B44
GetClipboardData.USER32(0000000D), ref: 00466B4C
CloseClipboard.USER32 ref: 00466B58
GlobalLock.KERNEL32(00000000), ref: 00466B74
CloseClipboard.USER32 ref: 00466B7E
GlobalUnlock.KERNEL32(00000000), ref: 00466B93
IsClipboardFormatAvailable.USER32(00000001), ref: 00466BA0
GetClipboardData.USER32(00000001), ref: 00466BA8
GlobalLock.KERNEL32(00000000), ref: 00466BB5
GlobalUnlock.KERNEL32(00000000), ref: 00466BE9
CloseClipboard.USER32 ref: 00466CF6

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 7bcf675cbb5916175feeaa87f7b7cccfe50d2b2911adda06fc105bdc639c2fd3
Instruction ID: ee2b62d61f7dae71490a07167cf6058cbba3f7255414e11e30ae0bcd9ca4799c
Opcode Fuzzy Hash: 7bcf675cbb5916175feeaa87f7b7cccfe50d2b2911adda06fc105bdc639c2fd3
Instruction Fuzzy Hash: D6518D71644201ABD300AF61DD86FAF77A8AF94B05F01003FF556D62E1EF78E8058A6B

Function 0045F5FA Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 278timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0045F62B
FindClose.KERNEL32(00000000), ref: 0045F67F
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0045F6A4
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0045F6BB
FileTimeToSystemTime.KERNEL32(?,?), ref: 0045F6E2
__swprintf.LIBCMT ref: 0045F72E
__swprintf.LIBCMT ref: 0045F767
__swprintf.LIBCMT ref: 0045F7BB

Part of subcall function 0043172B: __woutput_l.LIBCMT ref: 00431784

__swprintf.LIBCMT ref: 0045F809
__swprintf.LIBCMT ref: 0045F858
__swprintf.LIBCMT ref: 0045F8A7
__swprintf.LIBCMT ref: 0045F8F6

Strings

%02d, xrefs: 0045F7B0, 0045F7B9, 0045F807, 0045F856, 0045F8A5, 0045F8F4
%4d%02d%02d%02d%02d%02d, xrefs: 0045F728
%4d, xrefs: 0045F761

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 835046349-2428617273
Opcode ID: 8c05d8e5d2eb9d90f98006c35c50c25f54120fd5f9be0d48d8e4cc81a45a29f7
Instruction ID: c647c12b09400a4f2c1f881c09509b1e9e347a624b8769af1cb7aee2befbb2b3
Opcode Fuzzy Hash: 8c05d8e5d2eb9d90f98006c35c50c25f54120fd5f9be0d48d8e4cc81a45a29f7
Instruction Fuzzy Hash: C5A12EB2508344ABC310EB95DD85DAFB7ECAF98704F44092FF585C2152EB38DA49C766

Function 00461B2F Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00461B50
_wcscmp.LIBCMT ref: 00461B65
_wcscmp.LIBCMT ref: 00461B7C
GetFileAttributesW.KERNEL32(?), ref: 00461B8E
SetFileAttributesW.KERNEL32(?,?), ref: 00461BA8
FindNextFileW.KERNEL32(00000000,?), ref: 00461BC0
FindClose.KERNEL32(00000000), ref: 00461BCB
FindFirstFileW.KERNEL32(*.*,?), ref: 00461BE7
_wcscmp.LIBCMT ref: 00461C0E
_wcscmp.LIBCMT ref: 00461C25
SetCurrentDirectoryW.KERNEL32(?), ref: 00461C37
SetCurrentDirectoryW.KERNEL32(004C39FC), ref: 00461C55
FindNextFileW.KERNEL32(00000000,00000010), ref: 00461C5F
FindClose.KERNEL32(00000000), ref: 00461C6C
FindClose.KERNEL32(00000000), ref: 00461C7C

Strings

*.*, xrefs: 00461BE2

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 329de9b08702f84e23f32303b17f121f552c98b2bbf3e7e58c292a462cc84ee5
Instruction ID: bc86d4a936045afd26768c0359bb64552a38854e71f1cda05b19bfdebde9de91
Opcode Fuzzy Hash: 329de9b08702f84e23f32303b17f121f552c98b2bbf3e7e58c292a462cc84ee5
Instruction Fuzzy Hash: E131C332A402196ADB14AFA4DC49BDE77AC9F19320F1441A7F811D31A0FB78DE458A6D

Function 00461C8A Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00461CAB
_wcscmp.LIBCMT ref: 00461CC0
_wcscmp.LIBCMT ref: 00461CD7

Part of subcall function 00456BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00456BEF

FindNextFileW.KERNEL32(00000000,?), ref: 00461D06
FindClose.KERNEL32(00000000), ref: 00461D11
FindFirstFileW.KERNEL32(*.*,?), ref: 00461D2D
_wcscmp.LIBCMT ref: 00461D54
_wcscmp.LIBCMT ref: 00461D6B
SetCurrentDirectoryW.KERNEL32(?), ref: 00461D7D
SetCurrentDirectoryW.KERNEL32(004C39FC), ref: 00461D9B
FindNextFileW.KERNEL32(00000000,00000010), ref: 00461DA5
FindClose.KERNEL32(00000000), ref: 00461DB2
FindClose.KERNEL32(00000000), ref: 00461DC2

Strings

*.*, xrefs: 00461D28

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 6be6c3d97297ad2404067c92af6a0772d883e9bea7d7a30f149ef9179d9bcc65
Instruction ID: 40c0934bf5b426467b39cf1d3a28a247a9b3a2e7290fda643c71895aec49842d
Opcode Fuzzy Hash: 6be6c3d97297ad2404067c92af6a0772d883e9bea7d7a30f149ef9179d9bcc65
Instruction Fuzzy Hash: A83118329002197ACF10AFA4DC49FDE37AC9F55324F144567F801A31B0EB38DE458A6D

Function 00417D19 Relevance: 23.7, APIs: 2, Strings: 11, Instructions: 962COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00417DBD

Strings

^, xrefs: 00417D96
[:>:]], xrefs: 00417D37
\b(?<=\w), xrefs: 0048F877
\b(?=\w), xrefs: 0048F85E
\, xrefs: 00417D89
], xrefs: 00417D9F
[:<:]], xrefs: 00417D1D
Q\E, xrefs: 004186D6
\, xrefs: 0048F95B
[, xrefs: 00417E14
\, xrefs: 00417E1D

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: _memset
String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
API String ID: 2102423945-2023335898
Opcode ID: 4beb76826dd420d968f56fc0d0b954f9f8c3bb557095dc0e5bc776038a15a975
Instruction ID: df3a2831091ea1963b9bf53197db23ed2c9de38300a9a6a251d89b8a66f2f84e
Opcode Fuzzy Hash: 4beb76826dd420d968f56fc0d0b954f9f8c3bb557095dc0e5bc776038a15a975
Instruction Fuzzy Hash: C182C071D04219DBCB24DF98C8807EEBBB1BF44314F24856BD819AB341E778AD85CB88

Function 0046091D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 004609DF
SystemTimeToFileTime.KERNEL32(?,?), ref: 004609EF
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 004609FB
__wsplitpath.LIBCMT ref: 00460A59
_wcscat.LIBCMT ref: 00460A71
_wcscat.LIBCMT ref: 00460A83
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00460A98
SetCurrentDirectoryW.KERNEL32(?), ref: 00460AAC
SetCurrentDirectoryW.KERNEL32(?), ref: 00460ADE
SetCurrentDirectoryW.KERNEL32(?), ref: 00460AFF
_wcscpy.LIBCMT ref: 00460B0B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00460B4A

Strings

*.*, xrefs: 00460B05

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: ec62cc49224eb792ec678a1ee65a512aa0dd18e229bc8ac28c53cca28620fa75
Instruction ID: abe2d9afb843099ab239e706b030bd70aadb5f423fc34e643a04d31bf9c6d157
Opcode Fuzzy Hash: ec62cc49224eb792ec678a1ee65a512aa0dd18e229bc8ac28c53cca28620fa75
Instruction Fuzzy Hash: 796168B25042059FC710EF61C84099FB3E9BF89314F04896EF999C7251EB39E949CB9A

Function 00416F07 Relevance: 22.1, Strings: 17, Instructions: 883COMMON

Download Yara Rule

Strings

NO_AUTO_POSSESS), xrefs: 00492CB0
ANYCRLF), xrefs: 00492E7D
LIMIT_MATCH=, xrefs: 00492CF2
LIMIT_RECURSION=, xrefs: 00492D7E
UTF), xrefs: 00492C7C
KKK K, xrefs: 00417096, 0041709C
BSR_UNICODE), xrefs: 00492EBA
UTF16), xrefs: 00492C56
K, xrefs: 00416F77
NO_START_OPT), xrefs: 00492CD1
BSR_ANYCRLF), xrefs: 00492EA0
CRLF), xrefs: 00492E43
LF), xrefs: 00492E26
8d6ddv886ddv806ddv806ddv806ddv806ddv806ddv806ddv806ddv806ddv8c6ddv876ddv846ddv856ddv8f6ddv8c6ddv806ddv806ddv806ddv806ddv806ddv806d, xrefs: 00416FD1
UCP), xrefs: 00492C8F
CR), xrefs: 00492E09
ANY), xrefs: 00492E60

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID:
String ID: K$8d6ddv886ddv806ddv806ddv806ddv806ddv806ddv806ddv806ddv806ddv8c6ddv876ddv846ddv856ddv8f6ddv8c6ddv806ddv806ddv806ddv806ddv806ddv806d$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$KKK K
API String ID: 0-2203161607
Opcode ID: 33e39bdbf0276e4560d88589ce772847f5b8e2282ce0e68d01244180673fb090
Instruction ID: 1b0256123dfb6c855ee30d8e1a731214816b669aa25ea4757e7a93b71e47a3f8
Opcode Fuzzy Hash: 33e39bdbf0276e4560d88589ce772847f5b8e2282ce0e68d01244180673fb090
Instruction Fuzzy Hash: 79727F71E042199BDF14CF59C8807EEBBB5BF48310F14816BE815EB381DB789A81DB99

Function 0044A66C Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0044ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0044ABD7
Part of subcall function 0044ABBB: GetLastError.KERNEL32(?,0044A69F,?,?,?), ref: 0044ABE1
Part of subcall function 0044ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0044A69F,?,?,?), ref: 0044ABF0
Part of subcall function 0044ABBB: HeapAlloc.KERNEL32(00000000,?,0044A69F,?,?,?), ref: 0044ABF7
Part of subcall function 0044ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0044AC0E

Part of subcall function 0044AC56: GetProcessHeap.KERNEL32(00000008,0044A6B5,00000000,00000000,?,0044A6B5,?), ref: 0044AC62
Part of subcall function 0044AC56: HeapAlloc.KERNEL32(00000000,?,0044A6B5,?), ref: 0044AC69
Part of subcall function 0044AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0044A6B5,?), ref: 0044AC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0044A6D0
_memset.LIBCMT ref: 0044A6E5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0044A704
GetLengthSid.ADVAPI32(?), ref: 0044A715
GetAce.ADVAPI32(?,00000000,?), ref: 0044A752
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0044A76E
GetLengthSid.ADVAPI32(?), ref: 0044A78B
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0044A79A
HeapAlloc.KERNEL32(00000000), ref: 0044A7A1
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0044A7C2
CopySid.ADVAPI32(00000000), ref: 0044A7C9
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0044A7FA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0044A820
SetUserObjectSecurity.USER32(?,00000004,?), ref: 0044A834

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 8c39430dc2f5a227e1c20bc984871e62e897985297d57372f004efd1e3292404
Instruction ID: 24dfe9f11a442f3a9875731e657f495d676da511b6f320937a77bc13cac27e9b
Opcode Fuzzy Hash: 8c39430dc2f5a227e1c20bc984871e62e897985297d57372f004efd1e3292404
Instruction Fuzzy Hash: E0514D71940209ABEF10DF95DC45AEFBBB9FF04304F04812AF911A7291D739DA15CB69

Function 004563F9 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00456EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00455FA6,?), ref: 00456ED8

Part of subcall function 004572CB: GetFileAttributesW.KERNEL32(?,00456019), ref: 004572CC

_wcscat.LIBCMT ref: 00456441
__wsplitpath.LIBCMT ref: 0045645F
FindFirstFileW.KERNEL32(?,?), ref: 00456474
_wcscpy.LIBCMT ref: 004564A3
_wcscat.LIBCMT ref: 004564B8
_wcscat.LIBCMT ref: 004564CA
DeleteFileW.KERNEL32(?), ref: 004564DA
FindNextFileW.KERNEL32(00000000,00000010), ref: 004564EB
FindClose.KERNEL32(00000000), ref: 00456506

Strings

\*.*, xrefs: 0045643B

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
String ID: \*.*
API String ID: 2643075503-1173974218
Opcode ID: d6de220fea4fd2fd5242240c215ca2bf3fbe61f049411f9182602109e1925513
Instruction ID: 09b3e59349dfa121b7ad420bd239f3c0079bc1645d55d7387207942e3b280e22
Opcode Fuzzy Hash: d6de220fea4fd2fd5242240c215ca2bf3fbe61f049411f9182602109e1925513
Instruction Fuzzy Hash: 9331A4B2408388AAC721DBA4C8859DB77DCAF56314F40492FF9D9C3142EA39D50D876F

Function 004731BC Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00473C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00472BB5,?,?), ref: 00473C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0047328E

Part of subcall function 0041936C: __swprintf.LIBCMT ref: 004193AB
Part of subcall function 0041936C: __itow.LIBCMT ref: 004193DF

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0047332D
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 004733C5
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00473604
RegCloseKey.ADVAPI32(00000000), ref: 00473611

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 0ef71319b3c255af4c08a5ff0de472dfed28315e304dff00b2d25209863c2e1c
Instruction ID: a27ed90daa3338673ab094673692b5156cb3f41c23e00d5d96d3e01434ad871c
Opcode Fuzzy Hash: 0ef71319b3c255af4c08a5ff0de472dfed28315e304dff00b2d25209863c2e1c
Instruction Fuzzy Hash: C1E16D71604200AFCB14DF29C991E6BBBE8EF88314F04856EF85AD72A1DB34ED05CB46

Function 00452B37 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00452B5F
GetAsyncKeyState.USER32(000000A0), ref: 00452BE0
GetKeyState.USER32(000000A0), ref: 00452BFB
GetAsyncKeyState.USER32(000000A1), ref: 00452C15
GetKeyState.USER32(000000A1), ref: 00452C2A
GetAsyncKeyState.USER32(00000011), ref: 00452C42
GetKeyState.USER32(00000011), ref: 00452C54
GetAsyncKeyState.USER32(00000012), ref: 00452C6C
GetKeyState.USER32(00000012), ref: 00452C7E
GetAsyncKeyState.USER32(0000005B), ref: 00452C96
GetKeyState.USER32(0000005B), ref: 00452CA8

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 76757d14f1a6cb9b3f57fa705716527a699a7d3e72351c61773c4396f86728da
Instruction ID: ffdcb40a36fcb26767b7bb379c528bc339485e9204b0c8ea6c47b01c02e93056
Opcode Fuzzy Hash: 76757d14f1a6cb9b3f57fa705716527a699a7d3e72351c61773c4396f86728da
Instruction Fuzzy Hash: F141B6309047C969FB325B648A043ABBEA06B23315F44405BDDC6563C3DBD8A9CCC7AA

Function 00466D07 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00466D2E
EmptyClipboard.USER32 ref: 00466D34
GlobalAlloc.KERNEL32(00000002,?), ref: 00466D49
CloseClipboard.USER32 ref: 00466DE8

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 18c3491121fb076c7bbd63e8d89cf03e1dcb5874c4d3340db2997e80fbb39c76
Instruction ID: 13c2543300c49fa9daea265e96dfa16dac12aef166c54e3affd7a7895641d21e
Opcode Fuzzy Hash: 18c3491121fb076c7bbd63e8d89cf03e1dcb5874c4d3340db2997e80fbb39c76
Instruction Fuzzy Hash: F221A131700210AFDB01AF65DD49B6E77A8EF54715F01802BF90ADB2A1DB78ED018B5D

Function 0046C18C Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

Part of subcall function 00449ABF: CLSIDFromProgID.OLE32 ref: 00449ADC
Part of subcall function 00449ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 00449AF7
Part of subcall function 00449ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 00449B05
Part of subcall function 00449ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00449B15

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 0046C235
_memset.LIBCMT ref: 0046C242
_memset.LIBCMT ref: 0046C360
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 0046C38C
CoTaskMemFree.OLE32(?), ref: 0046C397

Strings

NULL Pointer assignment, xrefs: 0046C3E5

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 046d041cc71a792f8d165dadcfb6be4016c3274ac7839733b728721ac0ef2e49
Instruction ID: 4c20620d5cc8ae81e61477d5fd46a1d7561564b3845d3a23279db20456fa4976
Opcode Fuzzy Hash: 046d041cc71a792f8d165dadcfb6be4016c3274ac7839733b728721ac0ef2e49
Instruction Fuzzy Hash: CA915F71D00218ABDB10DF95DC91EEEBBB8EF08314F10816BF915A7281EB74AA45CF95

Function 004579D3 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 0044B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0044B180
Part of subcall function 0044B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0044B1AD
Part of subcall function 0044B134: GetLastError.KERNEL32 ref: 0044B1BA

ExitWindowsEx.USER32(?,00000000), ref: 00457A0F

Strings

@, xrefs: 00457A02
SeShutdownPrivilege, xrefs: 004579DD
, xrefs: 004579FD

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 39a48172cbfa82532bdf814027e8336e8c80d50f3c26c6ba353b0aa0e4dd6fe5
Instruction ID: e0cacd8a461e36b55fe79fa7c4883eba0b810d121bf6200f3803886c908a7509
Opcode Fuzzy Hash: 39a48172cbfa82532bdf814027e8336e8c80d50f3c26c6ba353b0aa0e4dd6fe5
Instruction Fuzzy Hash: 0401AC716582116BF7285764BC5AFBF72589700746F24043BFD43A21D3D66C5E0981BD

Function 00419B60 Relevance: 9.8, Strings: 7, Instructions: 1055COMMON

Download Yara Rule

Strings

ERCP, xrefs: 00419C32
VUUU, xrefs: 00419ED4
VUUU, xrefs: 00419EA7
VUUU, xrefs: 00419E95
K, xrefs: 00419CF3
8d6ddv886ddv806ddv806ddv806ddv806ddv806ddv806ddv806ddv806ddv8c6ddv876ddv846ddv856ddv8f6ddv8c6ddv806ddv806ddv806ddv806ddv806ddv806d, xrefs: 00419E48, 00419E53
VUUU, xrefs: 0049BE14

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID:
String ID: 8d6ddv886ddv806ddv806ddv806ddv806ddv806ddv806ddv806ddv806ddv8c6ddv876ddv846ddv856ddv8f6ddv8c6ddv806ddv806ddv806ddv806ddv806ddv806d$ERCP$VUUU$VUUU$VUUU$VUUU$K
API String ID: 0-937363927
Opcode ID: 081c75342e0651a3cf5e46e10011c48f287c71caa358c2a7c5288516916ce792
Instruction ID: 279191411d231a84eeaf40cc484f3b812972c859dcc03423a6af9c8a2755bb39
Opcode Fuzzy Hash: 081c75342e0651a3cf5e46e10011c48f287c71caa358c2a7c5288516916ce792
Instruction Fuzzy Hash: 81926E71A01219CBDF24CF58C9907EEBBB1BB54314F1481ABD815A7380D7789DD2CB9A

Function 00468C4F Relevance: 9.1, APIs: 6, Instructions: 83networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00468CA8
WSAGetLastError.WSOCK32(00000000), ref: 00468CB7
bind.WSOCK32(00000000,?,00000010), ref: 00468CD3
listen.WSOCK32(00000000,00000005), ref: 00468CE2
WSAGetLastError.WSOCK32(00000000), ref: 00468CFC
closesocket.WSOCK32(00000000,00000000), ref: 00468D10

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 4e7c6203515f9ecd6892a8cc35979417743349341ffb47690eaca1b4675deb3e
Instruction ID: f73a7196707e034fbd140a3066f4f1e03665b4c40ad3294a45f112f91438a26c
Opcode Fuzzy Hash: 4e7c6203515f9ecd6892a8cc35979417743349341ffb47690eaca1b4675deb3e
Instruction Fuzzy Hash: E421E631A002009FC710EF68C985B6E77A9EF48314F10426EF957A73D2DB74AD41CB6A

Function 00456532 Relevance: 9.1, APIs: 6, Instructions: 71processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00456554
Process32FirstW.KERNEL32(00000000,0000022C), ref: 00456564
Process32NextW.KERNEL32(00000000,0000022C), ref: 00456583
__wsplitpath.LIBCMT ref: 004565A7
_wcscat.LIBCMT ref: 004565BA
CloseHandle.KERNEL32(00000000,?,00000000), ref: 004565F9

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
String ID:
API String ID: 1605983538-0
Opcode ID: 944bc56e2ddc8449a805738d4716268c07349e9d9b769b8e606b85c008f1d230
Instruction ID: c4ce22b7ba9d3e656ac683b4043fd17cfaeaeac99f10ab5c5f80ff0cb870a7e6
Opcode Fuzzy Hash: 944bc56e2ddc8449a805738d4716268c07349e9d9b769b8e606b85c008f1d230
Instruction Fuzzy Hash: 002198B190021CBBDB10ABA4DC89BDEB7BCAB08301F5000BAE905D3141EB759F85CB64

Function 004513CA Relevance: 8.1, APIs: 1, Strings: 4, Instructions: 560stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 004513DC

Strings

<2L, xrefs: 004516FA
,2L, xrefs: 004516B1
|, xrefs: 0045140C
(, xrefs: 00451422

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: lstrlen
String ID: ($,2L$<2L$|
API String ID: 1659193697-1123929334
Opcode ID: a7f9f2b70950cd08526f3b3bd9399ecca113b33ba5874bfbfe08f86b5963a429
Instruction ID: af0664d73c83732fabc720b67611a92cc76575c80d7922aaa9271c7f92988217
Opcode Fuzzy Hash: a7f9f2b70950cd08526f3b3bd9399ecca113b33ba5874bfbfe08f86b5963a429
Instruction Fuzzy Hash: 5F322775A007059FC728DF69C480A6AB7F0FF48310B55C56EE89ADB3A2E774E941CB48

Function 0046923B Relevance: 7.6, APIs: 5, Instructions: 146networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0046A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0046A84E

socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00469296
WSAGetLastError.WSOCK32(00000000,00000000), ref: 004692B9

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: ErrorLastinet_addrsocket
String ID:
API String ID: 4170576061-0
Opcode ID: 6836219ee073971e2d85a86dd5d538a5c0cf94f8d4bc2c92213fea7d1dad4ba4
Instruction ID: e8356a55bbf7c844c441874782a5933d69e15c5c508aacb57872e07b6ee3f91d
Opcode Fuzzy Hash: 6836219ee073971e2d85a86dd5d538a5c0cf94f8d4bc2c92213fea7d1dad4ba4
Instruction Fuzzy Hash: F2410670A00210AFDB10AB69C881E7E77EDEF04328F00455EF9169B3D2DB78AD418B99

Function 0045EB60 Relevance: 7.6, APIs: 5, Instructions: 125fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0045EB8A
_wcscmp.LIBCMT ref: 0045EBBA
_wcscmp.LIBCMT ref: 0045EBCF
FindNextFileW.KERNEL32(00000000,?), ref: 0045EBE0
FindClose.KERNEL32(00000000,00000001,00000000), ref: 0045EC0E

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 424c9582a925f4ae7bfc5aad29069543ab9ef0c0ce8fa97948ce90e6f10cf4ec
Instruction ID: b53f996dd34f33e7e38690e642772239b1cbfdb778a444296416c7200d09ea24
Opcode Fuzzy Hash: 424c9582a925f4ae7bfc5aad29069543ab9ef0c0ce8fa97948ce90e6f10cf4ec
Instruction Fuzzy Hash: 8841CF356003019FC708DF29C491A9AB3E4FF59324F10456FE95A8B3A2DB79EA44CB59

Function 00478111 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00478160
IsWindowEnabled.USER32 ref: 0047816E
GetForegroundWindow.USER32(?,?,00000001), ref: 0047817B
IsIconic.USER32 ref: 00478189
IsZoomed.USER32 ref: 00478197

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: ea6b1fee39a09772fb18aebac2764e6e6ea0ff9e5ec34e0a6b4823b18049f589
Instruction ID: 38fc7fd60a425d56f60010d547251798b7eec0daa378b3e672162060caa4f417
Opcode Fuzzy Hash: ea6b1fee39a09772fb18aebac2764e6e6ea0ff9e5ec34e0a6b4823b18049f589
Instruction Fuzzy Hash: 8C1190317402116BE7215F269C48EAFBB98EF54764B44843FF849D7241CF789D0386AD

Function 0042E01E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0042E014,771B0AE0,0042DEF1,004ADC38,?,?), ref: 0042E02C
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0042E03E

Strings

kernel32.dll, xrefs: 0042E027
GetNativeSystemInfo, xrefs: 0042E038

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: cb3e63eca147f13460a385a7860fe0faecb5bf2a7684cc3ca0edc190ce1aea74
Instruction ID: f91432b24f14d5efbce785779b717603c22f3199ff78c8bd953762ddba5dfbb5
Opcode Fuzzy Hash: cb3e63eca147f13460a385a7860fe0faecb5bf2a7684cc3ca0edc190ce1aea74
Instruction Fuzzy Hash: 58D0A7759007329FC7314F61FD09B1376E4AB10300F28443FE481E2250DBFCD8818658

Function 00423B70 Relevance: 5.9, Strings: 4, Instructions: 903COMMON

Download Yara Rule

Strings

M, xrefs: 004240A4
M, xrefs: 004240EC
M, xrefs: 0048701F
@, xrefs: 00424176

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID: @$ M$ M$ M
API String ID: 3728558374-849382237
Opcode ID: 10d5dc3db51b50265ed70fd8ddbb7dfde697321c0d45a578ff30c9289e1a8313
Instruction ID: 11df0ae967812a7e16e82a65f8ce5faad14d46ed44c86a84d4f8434b3a35894c
Opcode Fuzzy Hash: 10d5dc3db51b50265ed70fd8ddbb7dfde697321c0d45a578ff30c9289e1a8313
Instruction Fuzzy Hash: D972CD70E042189FCB10EF94E491AAEB7B5EF48304F65805BE905AB351D73CEE46CB99

Function 0042B11F Relevance: 4.9, APIs: 3, Instructions: 377COMMON

Download Yara Rule

APIs

Part of subcall function 0042B34E: GetWindowLongW.USER32(?,000000EB), ref: 0042B35F

DefDlgProcW.USER32(?,?,?,?,?), ref: 0042B22F

Part of subcall function 0042B55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0042B5A5

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Proc$LongWindow
String ID:
API String ID: 2749884682-0
Opcode ID: 024cf6b4e1de0e8fe6a6b6590bdfc555fb6424af6d7beae1950ef20d0b378ce9
Instruction ID: 06eea4e61d65abf8303d937301ce6769e4561c106d5f707172ac06a6bbe1e820
Opcode Fuzzy Hash: 024cf6b4e1de0e8fe6a6b6590bdfc555fb6424af6d7beae1950ef20d0b378ce9
Instruction Fuzzy Hash: 12A12A60314225FAD724AA6B6C4CDBF2B6CEB41754B90455FF845D2292DB1C9C0293FF

Function 00464EB5 Relevance: 4.7, APIs: 3, Instructions: 155networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,004643BF,00000000), ref: 00464FA6
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00464FD2

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: b5625a751cb0860d8343230a4d2e58aaed7843dfa1e986fe0782f81ae37b3944
Instruction ID: a9a989671193f19f25656f4b52acf15984e8e63566e6ad93d06ad751b8bcc441
Opcode Fuzzy Hash: b5625a751cb0860d8343230a4d2e58aaed7843dfa1e986fe0782f81ae37b3944
Instruction Fuzzy Hash: EB411B71604205BFEF24DE81DC81EBF77BCEB80758F10406FF20566241F6799E4196AA

Function 004177B0 Relevance: 4.6, APIs: 1, Strings: 1, Instructions: 1076COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00417921

Strings

\QL, xrefs: 00491028

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: _memmove
String ID: \QL
API String ID: 4104443479-1177382760
Opcode ID: 2ec96a9e8cf4fc991656724fd86f36b5d3c5caef110d38a4b294690130a7742a
Instruction ID: b35d7cca45330630b178c952d9e45b2ce66c8cdf1fb4846d886ed72a5a7a3e68
Opcode Fuzzy Hash: 2ec96a9e8cf4fc991656724fd86f36b5d3c5caef110d38a4b294690130a7742a
Instruction Fuzzy Hash: 81A24C70904219DFDF24CF58C4806EDBBB1FF48314F2581AAD859AB391D7789E82CB99

Function 0045E1FD Relevance: 4.6, APIs: 3, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0045E20D
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0045E267
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0045E2B4

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 1060e7934b5ab471958fac1ed08262557d206747069f9d317de18874833e0744
Instruction ID: 7e497a8327bdcd049cff966b90218a5c2a66df5b46a65adc633349032f55e284
Opcode Fuzzy Hash: 1060e7934b5ab471958fac1ed08262557d206747069f9d317de18874833e0744
Instruction Fuzzy Hash: AC216035A00218EFCB00DFA6D985EEDBBB8FF48314F0484AAE905E7355DB359945CB58

Function 0044B134 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0042F4EA: std::exception::exception.LIBCMT ref: 0042F51E
Part of subcall function 0042F4EA: __CxxThrowException@8.LIBCMT ref: 0042F533

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0044B180
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0044B1AD
GetLastError.KERNEL32 ref: 0044B1BA

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: eaaa01fe4e382135860480c45dcfd8e3c4332e9f630c41c9bfd732396b43e3ee
Instruction ID: b95dc9b1ad6bf8663d5dabdd3ef6724c1f8b38c6ddaeed6af2a86597de819786
Opcode Fuzzy Hash: eaaa01fe4e382135860480c45dcfd8e3c4332e9f630c41c9bfd732396b43e3ee
Instruction Fuzzy Hash: C611BFB1904204AFE718AF54EDC5D2BB7BCEB44354B20853FE45693241DB74FC41CA64

Function 00456606 Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00456623
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00456664
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0045666F

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: f369d2098931044cd303fec9637afd57eb6d40823f45bf8ef4e4870997781ff9
Instruction ID: b385df14b265c3c9ffb092cdf501effa93b12124a50c0f439a159f586655619f
Opcode Fuzzy Hash: f369d2098931044cd303fec9637afd57eb6d40823f45bf8ef4e4870997781ff9
Instruction Fuzzy Hash: D8111E71E01228BFDB108FA9DC45BAFBBFCEB45B11F104166F900E7290D7B45A058BA5

Function 004571FA Relevance: 4.5, APIs: 3, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00457223
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0045723A
FreeSid.ADVAPI32(?), ref: 0045724A

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 0ef4d7ba842dbd2831ca7fb7770eaade066dfddf7a656dc0d2144e2a1fbb3d04
Instruction ID: 203d59911fd4e3fece5bf55f4ad3915cd52c68ed6ca6d90dee12860f7745c1c2
Opcode Fuzzy Hash: 0ef4d7ba842dbd2831ca7fb7770eaade066dfddf7a656dc0d2144e2a1fbb3d04
Instruction Fuzzy Hash: 7FF01D76E04209BFDF04DFE4DD89AEEBBB8EF08205F50457AA602E3191E2749A448B14

Function 0045F56F Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0045F599
FindClose.KERNEL32(00000000), ref: 0045F5C9

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: c24e12c6ea62c8c4a7b8275420fc68e944f74ddaf542649f6e55fe4c22485f03
Instruction ID: f22f01dc09665fbde60cb05f77233df1dd3a7aa6a37ac06a7fdeb2327a568db3
Opcode Fuzzy Hash: c24e12c6ea62c8c4a7b8275420fc68e944f74ddaf542649f6e55fe4c22485f03
Instruction Fuzzy Hash: F311A1326002049FD700EF29D845A2EB3E8FF94325F00892EF8A5D7291DB74AD058B89

Function 0045CE7A Relevance: 3.0, APIs: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0046BE6A,?,?,00000000,?), ref: 0045CEA7
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0046BE6A,?,?,00000000,?), ref: 0045CEB9

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 27e520977b0380d8ef359500e8fbd63b1ad42477fd77d0535c035721ce81f68e
Instruction ID: dc1c83bc24eb18c313cbf34036503d53751af127da62f9fbec6dc01a6087bc8f
Opcode Fuzzy Hash: 27e520977b0380d8ef359500e8fbd63b1ad42477fd77d0535c035721ce81f68e
Instruction Fuzzy Hash: C0F08231500329BBDB20ABA4DC89FEA776DBF08365F004166F915D6191D7349A44CBA5

Function 0045411C Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00454153
keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 00454166

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 19ddcf7a99e6190659966b90339b7ef765cd38c3652042a5f3cb46e9efd03dfd
Instruction ID: 24059f615e108cc37965801c1e3478da6c2bc09ec69c2bb11ce12a9e10a71524
Opcode Fuzzy Hash: 19ddcf7a99e6190659966b90339b7ef765cd38c3652042a5f3cb46e9efd03dfd
Instruction Fuzzy Hash: A4F06D7080024DAFDB058FA0C809BBE7BB0EF10319F00801AF9669A192D7798656DFA4

Function 0044AB84 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0044ACC0), ref: 0044AB99
CloseHandle.KERNEL32(?,?,0044ACC0), ref: 0044ABAB

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 7f03ca97c4d8c2460ad94c67bb30273f31e79d82e284c1dbb49d5d02f57f7f04
Instruction ID: 2cb3220c08e1cead0df048d15836f2be6c5780ffe722c67653e1afc367997038
Opcode Fuzzy Hash: 7f03ca97c4d8c2460ad94c67bb30273f31e79d82e284c1dbb49d5d02f57f7f04
Instruction Fuzzy Hash: 25E04632000620AFE7212F25FC09D73BBA9EB00320B60883EB89A80431CB22AC909B54

Function 004381AC Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00436DB3,-0000031A,?,?,00000001), ref: 004381B1
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 004381BA

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 1f05357a1dc9c433a95c3b03773cb1c0e6cfdd18351afc778a1dd64b2911e9d4
Instruction ID: 842c99a511ca23e252e6cafc61279b0cee0b4195f9ed744e6447343331bda3c0
Opcode Fuzzy Hash: 1f05357a1dc9c433a95c3b03773cb1c0e6cfdd18351afc778a1dd64b2911e9d4
Instruction Fuzzy Hash: C9B09231444608BBDB102BA1EC09B587F68EB58653F004032FA0D440618B7254108A9A

Function 0043D1B9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d419407ba99cc29b7769ea32cb408056e2cb3235bfbee264044c5709109cd5f2
Instruction ID: 10efc64102edf7f30b6bd737f1cedcff727815e52e44019bee2bf6ce02e28d7a
Opcode Fuzzy Hash: d419407ba99cc29b7769ea32cb408056e2cb3235bfbee264044c5709109cd5f2
Instruction Fuzzy Hash: E1323761D29F014DD7239638D922336A688AFBB3D4F15E737F829B5EA5EB2CC4835104

Function 004196C0 Relevance: 2.1, APIs: 1, Instructions: 573COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 737f93b1473991ba1b0df25f35d652b439d50db7f746bc285df76f59b5a52114
Instruction ID: f23272252ff9b28568b0dc83da91766a13908fa16e8344e3ab6eee2a53c3acaa
Opcode Fuzzy Hash: 737f93b1473991ba1b0df25f35d652b439d50db7f746bc285df76f59b5a52114
Instruction Fuzzy Hash: 0D229A716083019FD724EF15C890BAFB7E4AF84314F10491EF89A97291DB78ED85CB9A

Function 0044038E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ad2c631f3a6f6d8a91f92ed46807cf77029050a4700af6ef496e100def9172f
Instruction ID: c6243d47103201b99749dda7cb81159d49f221aa8132bd55fe46ef64147634ce
Opcode Fuzzy Hash: 5ad2c631f3a6f6d8a91f92ed46807cf77029050a4700af6ef496e100def9172f
Instruction Fuzzy Hash: BEB1F420D2AF414DD32396398931336BB5CAFBB2D5F91D72BFC1A74D62EB2185834184

Function 0045B6CC Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 0045B6DF

Part of subcall function 0043344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0045BDC3,00000000,?,?,?,?,0045BF70,00000000,?), ref: 00433453
Part of subcall function 0043344A: __aulldiv.LIBCMT ref: 00433473

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: ac05afbee6cfe86d2f3b4e0c202c9f517df9c7b6b0db7060d103dffe302e23ac
Instruction ID: a57bfed413c2958a614085b8afdf892473336f5d5fc9e263629480ef017c46be
Opcode Fuzzy Hash: ac05afbee6cfe86d2f3b4e0c202c9f517df9c7b6b0db7060d103dffe302e23ac
Instruction Fuzzy Hash: 932175726345108BC719CF29C491A52B7E1EB95311B248E7EE4E5CB2C1CB78B909DB98

Function 00466AAF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00466ACA

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 59656a5165d615f62fe425a52ab85b210acf03e8b143d1f6089159cd66420769
Instruction ID: 576c835bb327ec2ab85fe828ae20125569f5da48db972970bc14fdae08ac4cab
Opcode Fuzzy Hash: 59656a5165d615f62fe425a52ab85b210acf03e8b143d1f6089159cd66420769
Instruction Fuzzy Hash: 37E092762002006FC700EBAAD404996B7ECAFB4351B04842BE905D7250DAB4E8048B95

Function 004574E7 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 0045750A

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: dfd10e7ed634aa73dbea0b1c0fe3bf81a4da4e4f02a8d4cdc6ff2b73a75d00e0
Instruction ID: a56e06ef28b9001e7126c971b8fd4ae797893ce4492b22ddca1364672c8e25b6
Opcode Fuzzy Hash: dfd10e7ed634aa73dbea0b1c0fe3bf81a4da4e4f02a8d4cdc6ff2b73a75d00e0
Instruction Fuzzy Hash: 53D067A416C60979E8190B24AC1BFB71608A301792FD4457BBA02996C2B8987D4AA039

Function 0044B106 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,0044AD3E), ref: 0044B124

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 2e8d684111a98fbffc118d664d9c804699f6a992a48de6ed58b269be1305057c
Instruction ID: eab06996a5c9ab866afa23f889e372b04fa66c4c4805c79d949e9b65214d046e
Opcode Fuzzy Hash: 2e8d684111a98fbffc118d664d9c804699f6a992a48de6ed58b269be1305057c
Instruction Fuzzy Hash: 21D05E320A460EAEDF024FA4DC02EAE3F6AEB04700F408121FA11D50A0C671D531AB50

Function 0048B340 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 0048B352

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 2b666aa0ed288289b56360cc2e13714e81b37a13c3dffa447cd7169236bf7ffc
Instruction ID: edfa857661da4f495ec10edfd11a554ab01da8f13fe6e1727ff034a32e94de9d
Opcode Fuzzy Hash: 2b666aa0ed288289b56360cc2e13714e81b37a13c3dffa447cd7169236bf7ffc
Instruction Fuzzy Hash: 18C04CB1800109DFD751DFC0C984DEEB7BCAB08305F1040A39105F2110D7749B459B76

Function 00438189 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0043818F

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 2bc0ba50808f0123016b12db4814e69fde192ad5c9e7fa926f6456421578b8f2
Instruction ID: 8a037f7541b32bfb135fbd1cfb587ca2f62fefa23a5879b56388e4b3d669263a
Opcode Fuzzy Hash: 2bc0ba50808f0123016b12db4814e69fde192ad5c9e7fa926f6456421578b8f2
Instruction Fuzzy Hash: 52A0223000020CFBCF002F82FC088883F2CFB002A2B000032FC0C00030CB33A8208ACA

Function 004193F0 Relevance: .5, Instructions: 531COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78d70782bac739dc17de82844dd3bd0067ee766bb35cdb77d8136d3ecd969e9a
Instruction ID: 8f0910354b53c9c237b7a1fadb52fc27a6b9b00e52a87e71ab321b2390f58775
Opcode Fuzzy Hash: 78d70782bac739dc17de82844dd3bd0067ee766bb35cdb77d8136d3ecd969e9a
Instruction Fuzzy Hash: C1128C70A00209AFDF04DFA5DA91AEEB7F5FF48304F10452AE806E7250EB39AD51CB59

Function 0041E3E3 Relevance: .5, Instructions: 521COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b0dce34aee261c1482b43b0cf96ff1ac29e5e7273217b1fae04d8a7648ed954
Instruction ID: bfbca51a3bcf80835193818362071137a40fd10ed49b4322c97f45332e7c61fe
Opcode Fuzzy Hash: 9b0dce34aee261c1482b43b0cf96ff1ac29e5e7273217b1fae04d8a7648ed954
Instruction Fuzzy Hash: 6712CF78A002159FDB24DF56C490AAEB7B1FF14304F64806BDD869B351E339E982CB99

Function 0041AF50 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID:
API String ID: 3728558374-0
Opcode ID: 147b4c17c30cb04aff703106368a55409047f374ab5e2ea7bf36f3d0389d71e6
Instruction ID: 701079583333007cfd1bf0459e681d0894736abda65d3cadefae09d78ce72a3b
Opcode Fuzzy Hash: 147b4c17c30cb04aff703106368a55409047f374ab5e2ea7bf36f3d0389d71e6
Instruction Fuzzy Hash: 2402F470A00105DFCF04EF65DA81AAEBBB5FF48300F11846EE806DB255EB78DA55CB99

Function 004302A4 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction ID: 678b64f2cca3cb516824ea7921851523e953590bac226a93c70921015082dfed
Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction Fuzzy Hash: DFC1F8322051A70ADF2E4639843143FBAB05AA17B175A177FD8B3CB2D5EF18C528D624

Function 004306D9 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction ID: bd99a22f5fe77e357a197b7406ac4e0a894fef20322a40ad7163bd451ac32483
Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction Fuzzy Hash: 05C1F6322051A709DF2E4639D43453FBAA15EA2BB170B137FD4B2CB6D5EF18C528D624

Function 0042FE6F Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: 20828ff719a82f12a89a7b34dadac209ab6451a054368d39c27e0636e1c59871
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: 1FC1D3323051A709DF2E4A3A943543FBAB15AA27B175B137FD4B2CB6D1EF18C528C614

Function 0042FA57 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: b167e0918ad8fcf95d71cfbe3967c23c5032607cf803d06c0f5d6219f0dc5600
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 49C1B2323050A709DF1E4A3AE43143FBAB15A917B139A077ED4B3CB6D5EE28D528D624

Function 01659238 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1278547801.0000000001655000.00000040.00000020.00020000.00000000.sdmp, Offset: 01655000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1655000_LOI REQUEST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: e91c1fbfe182e8a9965599bebae51843cac0c4820d8870d5722c218fe96e2bb2
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: EC41C271D1051CEBDF48CFADC991AAEBBF2AF88201F548299D516AB345D730AB41DB80

Function 016590C8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1278547801.0000000001655000.00000040.00000020.00020000.00000000.sdmp, Offset: 01655000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1655000_LOI REQUEST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: fcbe95d87ad5bc54d2ae3fa3442a61f2bb4c83a4ea08a4dd9cf83b892105b52e
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: AB019278A00109EFCB94DF99C9909AEF7B6FB88314F208599DC09A7741D730AE41DB84

Function 01659128 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1278547801.0000000001655000.00000040.00000020.00020000.00000000.sdmp, Offset: 01655000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1655000_LOI REQUEST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 568d0478bd8427855d02adfc713f163a9b14e13047a15fb13ecd9a24718e4075
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 01019278E01109EFCB94DF98C9909AEF7B6FB88310F208699DC09A7741D730AE51DB80

Function 01657A98 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1278547801.0000000001655000.00000040.00000020.00020000.00000000.sdmp, Offset: 01655000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1655000_LOI REQUEST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 0046A2A9 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 490filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0046A2FE
DeleteObject.GDI32(00000000), ref: 0046A310
DestroyWindow.USER32 ref: 0046A31E
GetDesktopWindow.USER32 ref: 0046A338
GetWindowRect.USER32(00000000), ref: 0046A33F
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0046A480
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 0046A490
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0046A4D8
GetClientRect.USER32(00000000,?), ref: 0046A4E4
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0046A51E
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0046A540
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0046A553
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0046A55E
GlobalLock.KERNEL32(00000000), ref: 0046A567
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0046A576
GlobalUnlock.KERNEL32(00000000), ref: 0046A57F
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0046A586
GlobalFree.KERNEL32(00000000), ref: 0046A591
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0046A5A3
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,0049D9BC,00000000), ref: 0046A5B9
GlobalFree.KERNEL32(00000000), ref: 0046A5C9
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 0046A5EF
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0046A60E
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0046A630
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0046A81D

Strings

DISPLAY, xrefs: 0046A680
, xrefs: 0046A7A3
AutoIt v3, xrefs: 0046A4D0
static, xrefs: 0046A518, 0046A66F

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 626a3d7110af9a97b3fe27b78b31dcec392a573b08982d56163d84e0430a94a9
Instruction ID: 0f04db1679428ceb1b9c31999984f21d242e1976b8b8a8d4f786252995114c42
Opcode Fuzzy Hash: 626a3d7110af9a97b3fe27b78b31dcec392a573b08982d56163d84e0430a94a9
Instruction Fuzzy Hash: BE028D71900204EFDB14DFA4CD89EAE7BB9EB48314F00816AF915AB2A1D734ED41CF69

Function 0047D285 Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0047D2DB
GetSysColorBrush.USER32(0000000F), ref: 0047D30C
GetSysColor.USER32(0000000F), ref: 0047D318
SetBkColor.GDI32(?,000000FF), ref: 0047D332
SelectObject.GDI32(?,00000000), ref: 0047D341
InflateRect.USER32(?,000000FF,000000FF), ref: 0047D36C
GetSysColor.USER32(00000010), ref: 0047D374
CreateSolidBrush.GDI32(00000000), ref: 0047D37B
FrameRect.USER32(?,?,00000000), ref: 0047D38A
DeleteObject.GDI32(00000000), ref: 0047D391
InflateRect.USER32(?,000000FE,000000FE), ref: 0047D3DC
FillRect.USER32(?,?,00000000), ref: 0047D40E
GetWindowLongW.USER32(?,000000F0), ref: 0047D439

Part of subcall function 0047D575: GetSysColor.USER32(00000012), ref: 0047D5AE
Part of subcall function 0047D575: SetTextColor.GDI32(?,?), ref: 0047D5B2
Part of subcall function 0047D575: GetSysColorBrush.USER32(0000000F), ref: 0047D5C8
Part of subcall function 0047D575: GetSysColor.USER32(0000000F), ref: 0047D5D3
Part of subcall function 0047D575: GetSysColor.USER32(00000011), ref: 0047D5F0
Part of subcall function 0047D575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0047D5FE
Part of subcall function 0047D575: SelectObject.GDI32(?,00000000), ref: 0047D60F
Part of subcall function 0047D575: SetBkColor.GDI32(?,00000000), ref: 0047D618
Part of subcall function 0047D575: SelectObject.GDI32(?,?), ref: 0047D625
Part of subcall function 0047D575: InflateRect.USER32(?,000000FF,000000FF), ref: 0047D644
Part of subcall function 0047D575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0047D65B
Part of subcall function 0047D575: GetWindowLongW.USER32(00000000,000000F0), ref: 0047D670
Part of subcall function 0047D575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0047D698

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: c1fee7570edf5f6c7addfeaad5980272f32d1670ebd8a6914b306a21253d7f7a
Instruction ID: c3a2ba59626aa35d327f65fb0493978d4390efb70a8c5a4c559c09171cc7cad1
Opcode Fuzzy Hash: c1fee7570edf5f6c7addfeaad5980272f32d1670ebd8a6914b306a21253d7f7a
Instruction Fuzzy Hash: 8A919072808301BFCB109F64DC08E6BBBB9FF99325F104A2AF956961A0C734D945CB5A

Function 0042B8FD Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 491windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 0042B98B
DeleteObject.GDI32(00000000), ref: 0042B9CD
DeleteObject.GDI32(00000000), ref: 0042B9D8
DestroyIcon.USER32(00000000), ref: 0042B9E3
DestroyWindow.USER32(00000000), ref: 0042B9EE
SendMessageW.USER32(?,00001308,?,00000000), ref: 0048D2AA
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0048D2E3
MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 0048D711

Part of subcall function 0042B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0042B759,?,00000000,?,?,?,?,0042B72B,00000000,?), ref: 0042BA58

SendMessageW.USER32 ref: 0048D758
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0048D76F
ImageList_Destroy.COMCTL32(00000000), ref: 0048D785
ImageList_Destroy.COMCTL32(00000000), ref: 0048D790

Strings

0, xrefs: 0048D5A5

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 333e83a0336124884dc0f703b2fe929ea81cb5abcd5e9c12e23c55ad06201180
Instruction ID: 9b3ebb3e1df2c17597235fd4360f06c02d40269cb8a2014689e9a1e6c36e1373
Opcode Fuzzy Hash: 333e83a0336124884dc0f703b2fe929ea81cb5abcd5e9c12e23c55ad06201180
Instruction Fuzzy Hash: 43129E70A052119FCB15EF14D884BAAB7E1FF14304F54497BE989DB292C739EC82CB99

Function 0045DBC4 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 187COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0045DBD6
GetDriveTypeW.KERNEL32(?,004ADC54,?,\\.\,004ADC00), ref: 0045DCC3
SetErrorMode.KERNEL32(00000000,004ADC54,?,\\.\,004ADC00), ref: 0045DE29

Strings

CDROM, xrefs: 0045DCF7
SSD, xrefs: 0045DD50
SAS, xrefs: 0045DDD2
SSA, xrefs: 0045DDAF
Fixed, xrefs: 0045DD0B
ATAPI, xrefs: 0045DD9A
Removable, xrefs: 0045DD15
RAMDisk, xrefs: 0045DCED
iSCSI, xrefs: 0045DDCB
1394, xrefs: 0045DDA8
SCSI, xrefs: 0045DD93
USB, xrefs: 0045DDBD
ATA, xrefs: 0045DDA1
FileBackedVirtual, xrefs: 0045DDF5
Fibre, xrefs: 0045DDB6
RAID, xrefs: 0045DDC4
Unknown, xrefs: 0045DCE3, 0045DD8C
SATA, xrefs: 0045DDD9
Virtual, xrefs: 0045DDEE
PhysicalDrive, xrefs: 0045DC67
Network, xrefs: 0045DD01
\\.\, xrefs: 0045DC2B
MMC, xrefs: 0045DDE7

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 3d020cbe4f8f2a97f490e58e7f24a24d7fd697b23c60c67faa77e24fd7f4d558
Instruction ID: 25de90f90b9e047f31b5a9d40adf7accf46ce4e2e0e129ce0fd78808f322e744
Opcode Fuzzy Hash: 3d020cbe4f8f2a97f490e58e7f24a24d7fd697b23c60c67faa77e24fd7f4d558
Instruction Fuzzy Hash: E7516434A447029BC264DF10C882E6AB7B1FE55707B20841FF81797297DA6CED4ED64E

Function 0041CC24 Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 267COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0041CC68
__wcsnicmp.LIBCMT ref: 0041CC80
__wcsnicmp.LIBCMT ref: 0041CC98
__wcsnicmp.LIBCMT ref: 0041CCB0
__wcsnicmp.LIBCMT ref: 0041CCC8
__wcsnicmp.LIBCMT ref: 0041CCE0
__wcsnicmp.LIBCMT ref: 0041CCF8
__wcsnicmp.LIBCMT ref: 0041CD0C
__wcsnicmp.LIBCMT ref: 0041CD4D
__wcsnicmp.LIBCMT ref: 0041CD61
__wcsnicmp.LIBCMT ref: 0041CD75
__wcsnicmp.LIBCMT ref: 0041CD89

Strings

#comments-start, xrefs: 0041CCF2, 0041CD47
#include-once, xrefs: 0041CCC2
#requireadmin, xrefs: 0041CC92
#ce, xrefs: 0041CD83
#cs, xrefs: 0041CD06, 0041CD5B
Cannot parse #include, xrefs: 00482FA1
Bad directive syntax error, xrefs: 00482ECB
#notrayicon, xrefs: 0041CC7A
#pragma compile, xrefs: 0041CC62
Unterminated group of comments, xrefs: 00482FB4
#include, xrefs: 0041CCDA
#OnAutoItStartRegister, xrefs: 0041CCAA
#comments-end, xrefs: 0041CD6F

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: faa55bbebf525f4edc59c160ee02f918234e7883709d6766c70fa6b9befe627b
Instruction ID: 12273f60c9b733d3d344abc09f14bd49d1c07497cad8ea9c2454331f06921707
Opcode Fuzzy Hash: faa55bbebf525f4edc59c160ee02f918234e7883709d6766c70fa6b9befe627b
Instruction Fuzzy Hash: 5781F9706802157ACB14BB65DDC2FFF3768AF25304F14402BF906A6186EBACD985C79D

Function 0047C6E9 Relevance: 42.4, APIs: 23, Strings: 1, Instructions: 447windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 0047C788
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0047C83E
SendMessageW.USER32(?,00001102,00000002,?), ref: 0047C859
SendMessageW.USER32(?,000000F1,?,00000000), ref: 0047CB15

Strings

0, xrefs: 0047C89C

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: f8f3b5f71ac7acd4b93a76c8548c97d57e2b672480c47af1466b154cbcf4b03d
Instruction ID: 8b74271e5fef11f9db15678141a3e3870ac2e9a9549d14810a4656dc24c03bff
Opcode Fuzzy Hash: f8f3b5f71ac7acd4b93a76c8548c97d57e2b672480c47af1466b154cbcf4b03d
Instruction Fuzzy Hash: 33F1BE71604301AFD7218F24D889BEBBBE4FB49314F08852EF58D962A1C778D845CB9A

Function 0047638D Relevance: 42.4, APIs: 1, Strings: 23, Instructions: 352COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,004ADC00), ref: 00476449

Strings

HIDEDROPDOWN, xrefs: 00476520
CHECK, xrefs: 0047668B
ISENABLED, xrefs: 0047648C
CURRENTTAB, xrefs: 004764DD
GETCURRENTCOL, xrefs: 00476724
GETLINECOUNT, xrefs: 004766E4
EDITPASTE, xrefs: 0047675B
SENDCOMMANDID, xrefs: 004767CA
TABLEFT, xrefs: 004764A7
GETSELECTED, xrefs: 004766C1
GETCURRENTLINE, xrefs: 00476704
SHOWDROPDOWN, xrefs: 00476500
TABRIGHT, xrefs: 004764BD
GETCURRENTSELECTION, xrefs: 00476603
ISCHECKED, xrefs: 00476659
SETCURRENTSELECTION, xrefs: 004765D6
DELSTRING, xrefs: 00476569
ISVISIBLE, xrefs: 00476455
UNCHECK, xrefs: 004766A1
FINDSTRING, xrefs: 00476596
SELECTSTRING, xrefs: 00476626
GETLINE, xrefs: 0047678B
ADDSTRING, xrefs: 00476536

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: BuffCharUpper
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 3964851224-45149045
Opcode ID: 517cc28935b3b24383481af999906fa01dc06c43c363b28c9c59ace1d8da1118
Instruction ID: 0130dd22caf35076b76c69d65a5811b4dde9a55d340b8c3d39b40dfda9ab2a4b
Opcode Fuzzy Hash: 517cc28935b3b24383481af999906fa01dc06c43c363b28c9c59ace1d8da1118
Instruction Fuzzy Hash: 1BC1B2342046119BCA04EF12C551AAE77A6AF94348F41885FF8495B393DF2CED4BCB8E

Function 0047D575 Relevance: 39.2, APIs: 26, Instructions: 186windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0047D5AE
SetTextColor.GDI32(?,?), ref: 0047D5B2
GetSysColorBrush.USER32(0000000F), ref: 0047D5C8
GetSysColor.USER32(0000000F), ref: 0047D5D3
CreateSolidBrush.GDI32(?), ref: 0047D5D8
GetSysColor.USER32(00000011), ref: 0047D5F0
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0047D5FE
SelectObject.GDI32(?,00000000), ref: 0047D60F
SetBkColor.GDI32(?,00000000), ref: 0047D618
SelectObject.GDI32(?,?), ref: 0047D625
InflateRect.USER32(?,000000FF,000000FF), ref: 0047D644
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0047D65B
GetWindowLongW.USER32(00000000,000000F0), ref: 0047D670
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0047D698
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0047D6BF
InflateRect.USER32(?,000000FD,000000FD), ref: 0047D6DD
DrawFocusRect.USER32(?,?), ref: 0047D6E8
GetSysColor.USER32(00000011), ref: 0047D6F6
SetTextColor.GDI32(?,00000000), ref: 0047D6FE
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0047D712
SelectObject.GDI32(?,0047D2A5), ref: 0047D729
DeleteObject.GDI32(?), ref: 0047D734
SelectObject.GDI32(?,?), ref: 0047D73A
DeleteObject.GDI32(?), ref: 0047D73F
SetTextColor.GDI32(?,?), ref: 0047D745
SetBkColor.GDI32(?,?), ref: 0047D74F

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 22996298c6f088ac44806c6a06a4cf9ca9e6e5f9765b2432f5eb97ee66526db3
Instruction ID: 8604950602f9dd8d456129bdc3e060b7a7543eac28fffddb4ac98700e1bb7885
Opcode Fuzzy Hash: 22996298c6f088ac44806c6a06a4cf9ca9e6e5f9765b2432f5eb97ee66526db3
Instruction Fuzzy Hash: 81515972D00218BFDF10AFA8DC49EEEBB79EF08324F114126F915AB2A1D7759A40CB54

Function 0047B6C4 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 400windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0047B7B0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0047B7C1
CharNextW.USER32(0000014E), ref: 0047B7F0
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0047B831
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 0047B847
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0047B858
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 0047B875
SetWindowTextW.USER32(?,0000014E), ref: 0047B8C7
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 0047B8DD
SendMessageW.USER32(?,00001002,00000000,?), ref: 0047B90E
_memset.LIBCMT ref: 0047B933
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 0047B97C
_memset.LIBCMT ref: 0047B9DB
SendMessageW.USER32 ref: 0047BA05
SendMessageW.USER32(?,00001074,?,00000001), ref: 0047BA5D
SendMessageW.USER32(?,0000133D,?,?), ref: 0047BB0A
InvalidateRect.USER32(?,00000000,00000001), ref: 0047BB2C
GetMenuItemInfoW.USER32(?), ref: 0047BB76
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0047BBA3
DrawMenuBar.USER32(?), ref: 0047BBB2
SetWindowTextW.USER32(?,0000014E), ref: 0047BBDA

Strings

0, xrefs: 0047BB4F

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: cdd3139e3fd3d8f7389c0c97195aade9bdb14bfcd60f91778a9a15a6ba96b171
Instruction ID: ef7c584b2fd9e8457258e017acab87eded1f3d0296388301ac44fbc774d3db40
Opcode Fuzzy Hash: cdd3139e3fd3d8f7389c0c97195aade9bdb14bfcd60f91778a9a15a6ba96b171
Instruction Fuzzy Hash: EFE17FB1900218AFDF109F65CC84FEE7B78EF05714F14816BFA19AA290D7789941CFA9

Function 00412EC0 Relevance: 37.1, APIs: 8, Strings: 13, Instructions: 346COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00412F7A
IsWindow.USER32(?), ref: 004822FD

Strings

ALL, xrefs: 00482264
ACTIVE, xrefs: 004820CC
P+L, xrefs: 004821E0
REGEXPTITLE, xrefs: 004820F8
REGEXPCLASS, xrefs: 00482149
H+L, xrefs: 00482184
T+L, xrefs: 0048220E
L+L, xrefs: 004821B2
LAST, xrefs: 004820B6
TITLE, xrefs: 00482292
INSTANCE, xrefs: 0048223C
CLASS, xrefs: 00482128
HANDLE, xrefs: 004820E2

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Window$Foreground
String ID: ACTIVE$ALL$CLASS$H+L$HANDLE$INSTANCE$L+L$LAST$P+L$REGEXPCLASS$REGEXPTITLE$T+L$TITLE
API String ID: 62970417-855025020
Opcode ID: 3749f39ec860e90a8868aad15c360da02382fd5c80962e96fc9c1ac1f409a0b3
Instruction ID: 8f4b36cd809d397fd96be1ac990ad015b22cb70c9bc07d5e1023f3fd4afd49ed
Opcode Fuzzy Hash: 3749f39ec860e90a8868aad15c360da02382fd5c80962e96fc9c1ac1f409a0b3
Instruction Fuzzy Hash: 90D1E9305043429BCB04FF62C641A9EB7B0BF54304F404D1FF456936A2DBB8E99ADB99

Function 0047764F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 0047778A
GetDesktopWindow.USER32 ref: 0047779F
GetWindowRect.USER32(00000000), ref: 004777A6
GetWindowLongW.USER32(?,000000F0), ref: 00477808
DestroyWindow.USER32(?), ref: 00477834
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0047785D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0047787B
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 004778A1
SendMessageW.USER32(?,00000421,?,?), ref: 004778B6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 004778C9
IsWindowVisible.USER32(?), ref: 004778E9
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00477904
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00477918
GetWindowRect.USER32(?,?), ref: 00477930
MonitorFromPoint.USER32(?,?,00000002), ref: 00477956
GetMonitorInfoW.USER32 ref: 00477970
CopyRect.USER32(?,?), ref: 00477987
SendMessageW.USER32(?,00000412,00000000), ref: 004779F2

Strings

tooltips_class32, xrefs: 00477856
0, xrefs: 00477735
(, xrefs: 00477965

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: e7c36576108ec0292162a22f9fc8af3ebc5f1b7ca18e3afea619c26088222260
Instruction ID: d91dd6201514c7a87af7cba3059fb2c0242e2575dfca63429f26dd94fbd15109
Opcode Fuzzy Hash: e7c36576108ec0292162a22f9fc8af3ebc5f1b7ca18e3afea619c26088222260
Instruction Fuzzy Hash: D9B18FB1608300AFD704DF65C948B9ABBE4FF88314F40892EF5999B291D774EC45CB9A

Function 00456CE9 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00456CFB
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00456D21
_wcscpy.LIBCMT ref: 00456D4F
_wcscmp.LIBCMT ref: 00456D5A
_wcscat.LIBCMT ref: 00456D70
_wcsstr.LIBCMT ref: 00456D7B
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00456D97
_wcscat.LIBCMT ref: 00456DE0
_wcscat.LIBCMT ref: 00456DE7
_wcsncpy.LIBCMT ref: 00456E12

Strings

StringFileInfo\, xrefs: 00456D6A
04090000, xrefs: 00456DCD
\VarFileInfo\Translation, xrefs: 00456D8F
%u.%u.%u.%u, xrefs: 00456E75
DefaultLangCodepage, xrefs: 00456DFA

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: fa9ceb2deacc7047043e20c2a87d9961a278827900b675c8fbc0ed0695ecdd1c
Instruction ID: c87a49a77b719827635be00e485372f8df0df3a3adeb23ca04c615ea84a55a81
Opcode Fuzzy Hash: fa9ceb2deacc7047043e20c2a87d9961a278827900b675c8fbc0ed0695ecdd1c
Instruction Fuzzy Hash: F341D471A40200BBE700AB659C47EBF777CDF59325F54016FF901A2182EA7CAA0596AD

Function 0042A856 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 285windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0042A939
GetSystemMetrics.USER32(00000007), ref: 0042A941
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0042A96C
GetSystemMetrics.USER32(00000008), ref: 0042A974
GetSystemMetrics.USER32(00000004), ref: 0042A999
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 0042A9B6
AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 0042A9C6
CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0042A9F9
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0042AA0D
GetClientRect.USER32(00000000,000000FF), ref: 0042AA2B
GetStockObject.GDI32(00000011), ref: 0042AA47
SendMessageW.USER32(00000000,00000030,00000000), ref: 0042AA52

Part of subcall function 0042B63C: GetCursorPos.USER32(000000FF), ref: 0042B64F
Part of subcall function 0042B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0042B66C
Part of subcall function 0042B63C: GetAsyncKeyState.USER32(00000001), ref: 0042B691
Part of subcall function 0042B63C: GetAsyncKeyState.USER32(00000002), ref: 0042B69F

SetTimer.USER32(00000000,00000000,00000028,0042AB87), ref: 0042AA79

Strings

AutoIt v3 GUI, xrefs: 0042A9F1

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: a81006edccd7e4a83461b1ab75262b48f7cc8aa7de67f666f430b1e40e9bd48a
Instruction ID: 54cae4681ba2a09f1413f2664d7946247131d74d38a47ca8b07a78d9771255b0
Opcode Fuzzy Hash: a81006edccd7e4a83461b1ab75262b48f7cc8aa7de67f666f430b1e40e9bd48a
Instruction Fuzzy Hash: 60B18E71A0121AAFDB14DFA8DC45BAE7BB4FB08314F11422BFA05A72E0D778D851CB59

Function 00473639 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00473735
RegCreateKeyExW.ADVAPI32(?,?,00000000,004ADC00,00000000,?,00000000,?,?), ref: 004737A3
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 004737EB
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00473874
RegCloseKey.ADVAPI32(?), ref: 00473B94
RegCloseKey.ADVAPI32(00000000), ref: 00473BA1

Strings

REG_EXPAND_SZ, xrefs: 00473811
REG_SZ, xrefs: 004738B2
REG_DWORD, xrefs: 00473A65
REG_QWORD, xrefs: 00473AE2
REG_MULTI_SZ, xrefs: 0047395C
REG_BINARY, xrefs: 00473B2F

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: cbe1d7a8ae6bd5f94fda39255ad39908ecfb1132ec6f358bf89633a54eb425e7
Instruction ID: 713690afbbcae932bc4842661910accf5535067fdc9859d90451651cfc242446
Opcode Fuzzy Hash: cbe1d7a8ae6bd5f94fda39255ad39908ecfb1132ec6f358bf89633a54eb425e7
Instruction Fuzzy Hash: 1902AE756006019FCB14EF15C851E5AB7E5FF88724F04845EF99A9B3A2CB38ED41CB89

Function 00476BC9 Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 281windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00476C56
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00476D16

Strings

SELECTINVERT, xrefs: 00476DDE
FINDITEM, xrefs: 00476E81
SELECTALL, xrefs: 00476D75
GETSELECTED, xrefs: 00476E3C
GETSELECTEDCOUNT, xrefs: 00476CF9
GETTEXT, xrefs: 00476CBF
VIEWCHANGE, xrefs: 00476ECD
GETSUBITEMCOUNT, xrefs: 00476CA1
SELECT, xrefs: 00476DA8
DESELECT, xrefs: 00476DFC
SELECTCLEAR, xrefs: 00476D8D
GETITEMCOUNT, xrefs: 00476C84
ISSELECTED, xrefs: 00476D21

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 332479b0bc09a970fd5753fa916ea357db585b87cc477a873ee5bf16599ab3f2
Instruction ID: dc92519c2f4a5701f88d10cd77fa48caf46bfa4e5cca09b4cb5419308420ef9e
Opcode Fuzzy Hash: 332479b0bc09a970fd5753fa916ea357db585b87cc477a873ee5bf16599ab3f2
Instruction Fuzzy Hash: B6A194702046519FCB14EF22C951AAA73A6FF84318F11896FB85A573D2DF38EC06CB59

Function 0044CF50 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0044CF91
__swprintf.LIBCMT ref: 0044D032
_wcscmp.LIBCMT ref: 0044D045
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0044D09A
_wcscmp.LIBCMT ref: 0044D0D6
GetClassNameW.USER32(?,?,00000400), ref: 0044D10D
GetDlgCtrlID.USER32(?), ref: 0044D15F
GetWindowRect.USER32(?,?), ref: 0044D195
GetParent.USER32(?), ref: 0044D1B3
ScreenToClient.USER32(00000000), ref: 0044D1BA
GetClassNameW.USER32(?,?,00000100), ref: 0044D234
_wcscmp.LIBCMT ref: 0044D248
GetWindowTextW.USER32(?,?,00000400), ref: 0044D26E
_wcscmp.LIBCMT ref: 0044D282

Strings

%s%u, xrefs: 0044D02C

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
String ID: %s%u
API String ID: 3119225716-679674701
Opcode ID: 9e7c35758cd339d1db4e3ca3f0852295f95a888779f43591e01a22308c875a8f
Instruction ID: ac405c4caa1be875481fa29ed2005c169b7db4ea11eb26b37e8adb486ca13888
Opcode Fuzzy Hash: 9e7c35758cd339d1db4e3ca3f0852295f95a888779f43591e01a22308c875a8f
Instruction Fuzzy Hash: 9AA1D131A04302AFE714DF64C884FABB7A8FF44344F00852BF95993290DB78E945CB99

Function 0044D8A7 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0044D8EB
_wcscmp.LIBCMT ref: 0044D8FC
GetWindowTextW.USER32(00000001,?,00000400), ref: 0044D924
CharUpperBuffW.USER32(?,00000000), ref: 0044D941
_wcscmp.LIBCMT ref: 0044D95F
_wcsstr.LIBCMT ref: 0044D970
GetClassNameW.USER32(00000018,?,00000400), ref: 0044D9A8
_wcscmp.LIBCMT ref: 0044D9B8
GetWindowTextW.USER32(00000002,?,00000400), ref: 0044D9DF
GetClassNameW.USER32(00000018,?,00000400), ref: 0044DA28
_wcscmp.LIBCMT ref: 0044DA38
GetClassNameW.USER32(00000010,?,00000400), ref: 0044DA60
GetWindowRect.USER32(00000004,?), ref: 0044DAC9

Strings

ThumbnailClass, xrefs: 0044D9B3, 0044DA33
@, xrefs: 0044D8C6

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 46401a93f4b37082fb1451bb6a532b6efe4d64a948413051e91aab476172a027
Instruction ID: c0e29995cc9d4bde5500588ef77f6ad55d914017e2250a92aa675bb2e7b67dbc
Opcode Fuzzy Hash: 46401a93f4b37082fb1451bb6a532b6efe4d64a948413051e91aab476172a027
Instruction Fuzzy Hash: 9C81B0714083459BEB01DF10C985BAB7BA8EF44318F04846FFD899A196DB38ED45CBA9

Function 0044D6F4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 104COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0044D753

Strings

ALL, xrefs: 0044D7E7
[REGEXPTITLE:, xrefs: 0044D77B
[ALL, xrefs: 0044D7F9
CLASSNAME=, xrefs: 0044D790
LAST, xrefs: 0044D718
HANDLE=, xrefs: 0044D74C
REGEXP=, xrefs: 0044D768
ACTIVE, xrefs: 0044D72E
[CLASS:, xrefs: 0044D7A3
[ACTIVE, xrefs: 0044D740
[LAST, xrefs: 0044D800
[HANDLE:, xrefs: 0044D75F

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 0527437ba19c912e88eada06ab64c481eea0fd5211068455f77022d7a571d07d
Instruction ID: 7b11a9bd63513056f291ba9ad47b00c1d11719932e90984a9444b96329259455
Opcode Fuzzy Hash: 0527437ba19c912e88eada06ab64c481eea0fd5211068455f77022d7a571d07d
Instruction Fuzzy Hash: FA317835A44205AAEA14FA51DE93FEEB3649F20718F30012FF411B10E1EBDDAE44866E

Function 0044EA9D Relevance: 25.7, APIs: 17, Instructions: 168windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 0044EAB0
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0044EAC2
SetWindowTextW.USER32(?,?), ref: 0044EAD9
GetDlgItem.USER32(?,000003EA), ref: 0044EAEE
SetWindowTextW.USER32(00000000,?), ref: 0044EAF4
GetDlgItem.USER32(?,000003E9), ref: 0044EB04
SetWindowTextW.USER32(00000000,?), ref: 0044EB0A
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0044EB2B
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0044EB45
GetWindowRect.USER32(?,?), ref: 0044EB4E
SetWindowTextW.USER32(?,?), ref: 0044EBB9
GetDesktopWindow.USER32 ref: 0044EBBF
GetWindowRect.USER32(00000000), ref: 0044EBC6
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0044EC12
GetClientRect.USER32(?,?), ref: 0044EC1F
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0044EC44
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0044EC6F

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 97229b93e0714681d82b82c9874aabe1a7e12b9fea1039c50fef7ed4fc81797d
Instruction ID: 205e23e01f6bff02a16847db67b6acd0ff5515ad284154ebca29f13079940cde
Opcode Fuzzy Hash: 97229b93e0714681d82b82c9874aabe1a7e12b9fea1039c50fef7ed4fc81797d
Instruction Fuzzy Hash: BC512D71900709AFEB21DFA9CD89F6FBBB5FF04705F00492AE586A26A0C774A945CB14

Function 004679B0 Relevance: 25.6, APIs: 17, Instructions: 109COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 004679C6
LoadCursorW.USER32(00000000,00007F00), ref: 004679D1
LoadCursorW.USER32(00000000,00007F03), ref: 004679DC
LoadCursorW.USER32(00000000,00007F8B), ref: 004679E7
LoadCursorW.USER32(00000000,00007F01), ref: 004679F2
LoadCursorW.USER32(00000000,00007F81), ref: 004679FD
LoadCursorW.USER32(00000000,00007F88), ref: 00467A08
LoadCursorW.USER32(00000000,00007F80), ref: 00467A13
LoadCursorW.USER32(00000000,00007F86), ref: 00467A1E
LoadCursorW.USER32(00000000,00007F83), ref: 00467A29
LoadCursorW.USER32(00000000,00007F85), ref: 00467A34
LoadCursorW.USER32(00000000,00007F82), ref: 00467A3F
LoadCursorW.USER32(00000000,00007F84), ref: 00467A4A
LoadCursorW.USER32(00000000,00007F04), ref: 00467A55
LoadCursorW.USER32(00000000,00007F02), ref: 00467A60
LoadCursorW.USER32(00000000,00007F89), ref: 00467A6B
GetCursorInfo.USER32(?), ref: 00467A7B

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: ffea52e551880101203bdf419a8efbbd6fc27911ee6cfc5140ed2d22c6655700
Instruction ID: c55dc888848d8aeb67048ded000ce44baa4ffa9b0add295e2d0d0c3c7705d031
Opcode Fuzzy Hash: ffea52e551880101203bdf419a8efbbd6fc27911ee6cfc5140ed2d22c6655700
Instruction Fuzzy Hash: 3C3114B0D4831A6ADB109FF68C8995FBEE8FF04754F50453BA50DE7280EA7CA5008FA5

Function 0041C833 Relevance: 25.0, APIs: 7, Strings: 7, Instructions: 479COMMON

Download Yara Rule

APIs

Part of subcall function 0042E968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,0041C8B7,?,00002000,?,?,00000000,?,0041419E,?,?,?,004ADC00), ref: 0042E984

Part of subcall function 0041660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004153B1,?,?,004161FF,?,00000000,00000001,00000000), ref: 0041662F

__wsplitpath.LIBCMT ref: 0041C93E

Part of subcall function 00431DFC: __wsplitpath_helper.LIBCMT ref: 00431E3C

_wcscpy.LIBCMT ref: 0041C953
_wcscat.LIBCMT ref: 0041C968
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0041C978
SetCurrentDirectoryW.KERNEL32(?), ref: 0041CABE

Part of subcall function 0041B337: _wcscpy.LIBCMT ref: 0041B36F

Strings

AU3!, xrefs: 0041C90C
Bad directive syntax error, xrefs: 00483429
EA06, xrefs: 004830C9
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00483098
>>>AUTOIT SCRIPT<<<, xrefs: 0048311B
Error opening the file, xrefs: 004830B4, 0048313D
Unterminated string, xrefs: 00483470

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 2258743419-1018226102
Opcode ID: d026aaf880e452bf9ce4156516ed50f16ea15ffc68ddded5dcb1a5e40690cf52
Instruction ID: 4bacd5e4f09a99815f3ba6801ef2cb02f20a5d45918f90e7a24cee562f1ae5d0
Opcode Fuzzy Hash: d026aaf880e452bf9ce4156516ed50f16ea15ffc68ddded5dcb1a5e40690cf52
Instruction Fuzzy Hash: 1212B1715083419FC724EF25C881AAFB7E5BF99708F40491FF48993251DB38DA89CB5A

Function 0047CE58 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0047CEFB
DestroyWindow.USER32(?,?), ref: 0047CF73
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0047CFF4
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0047D016
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0047D025
DestroyWindow.USER32(?), ref: 0047D042
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00410000,00000000), ref: 0047D075
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0047D094
GetDesktopWindow.USER32 ref: 0047D0A9
GetWindowRect.USER32(00000000), ref: 0047D0B0
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0047D0C2
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0047D0DA

Part of subcall function 0042B526: GetWindowLongW.USER32(?,000000EB), ref: 0042B537

Strings

tooltips_class32, xrefs: 0047CFED, 0047D06E
0, xrefs: 0047CF1B

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
String ID: 0$tooltips_class32
API String ID: 3877571568-3619404913
Opcode ID: 7c61e8b02304847c5177db186eeae268e19b1e782ac03bd9fa877418ec55ad6c
Instruction ID: 2c2f4bb89d24b03fad6a1d8f48d29c191fd5a843bc2ed4611aa8e4a9f09eb97e
Opcode Fuzzy Hash: 7c61e8b02304847c5177db186eeae268e19b1e782ac03bd9fa877418ec55ad6c
Instruction Fuzzy Hash: 8171AC70550345AFD720DF28CC85FA677F5EB89708F14852EF989872A1D738E942CB2A

Function 0047F351 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 178windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0042B34E: GetWindowLongW.USER32(?,000000EB), ref: 0042B35F

DragQueryPoint.SHELL32(?,?), ref: 0047F37A

Part of subcall function 0047D7DE: ClientToScreen.USER32(?,?), ref: 0047D807
Part of subcall function 0047D7DE: GetWindowRect.USER32(?,?), ref: 0047D87D
Part of subcall function 0047D7DE: PtInRect.USER32(?,?,0047ED5A), ref: 0047D88D

SendMessageW.USER32(?,000000B0,?,?), ref: 0047F3E3
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0047F3EE
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0047F411
_wcscat.LIBCMT ref: 0047F441
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0047F458
SendMessageW.USER32(?,000000B0,?,?), ref: 0047F471
SendMessageW.USER32(?,000000B1,?,?), ref: 0047F488
SendMessageW.USER32(?,000000B1,?,?), ref: 0047F4AA
DragFinish.SHELL32(?), ref: 0047F4B1
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0047F59C

Strings

@GUI_DROPID, xrefs: 0047F4D1
@GUI_DRAGFILE, xrefs: 0047F54B
@GUI_DRAGID, xrefs: 0047F510

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 9ac44013b24833e6735621cb8d387fe86feed18f5d3dc928128ffa3f5bf24d71
Instruction ID: 79078b3bb37742537e384ca8cafef98b16d34820ee079868a764f7b4274d55db
Opcode Fuzzy Hash: 9ac44013b24833e6735621cb8d387fe86feed18f5d3dc928128ffa3f5bf24d71
Instruction Fuzzy Hash: FC616771508300AFC300EF61DC85EAFBBF8AF99714F004A2FF595921A1DB749A49CB5A

Function 0045AAF8 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 374timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 0045AB3D
VariantCopy.OLEAUT32(?,?), ref: 0045AB46
VariantClear.OLEAUT32(?), ref: 0045AB52
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0045AC40
__swprintf.LIBCMT ref: 0045AC70
VarR8FromDec.OLEAUT32(?,?), ref: 0045AC9C
VariantInit.OLEAUT32(?), ref: 0045AD4D
SysFreeString.OLEAUT32(00000016), ref: 0045ADDF
VariantClear.OLEAUT32(?), ref: 0045AE35
VariantClear.OLEAUT32(?), ref: 0045AE44
VariantInit.OLEAUT32(00000000), ref: 0045AE80

Strings

Default, xrefs: 0045ACFD
%4d%02d%02d%02d%02d%02d, xrefs: 0045AC6A

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: 87fa0535271767f0628235276b2269308acbcfb8c6cf34136c590d20fc7ace99
Instruction ID: c78b5d440726600d95c070a351db1324aced582586e2d5d4b5a559408881b43b
Opcode Fuzzy Hash: 87fa0535271767f0628235276b2269308acbcfb8c6cf34136c590d20fc7ace99
Instruction Fuzzy Hash: D5D10631A00115DBCB109F55D885B6EB7B5FF04702F18826BE9059B282CB7CEC69DB9B

Function 0047716A Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 244windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004771FC
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00477247

Strings

EXISTS, xrefs: 004772B0
EXPAND, xrefs: 004772E1
COLLAPSE, xrefs: 0047728D
CHECK, xrefs: 00477267
SELECT, xrefs: 004773E0
ISCHECKED, xrefs: 004773B2
UNCHECK, xrefs: 0047740B
GETSELECTED, xrefs: 0047733F
GETITEMCOUNT, xrefs: 00477311
GETTOTALCOUNT, xrefs: 0047722A
GETTEXT, xrefs: 00477382

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 330198a14c0f41c4179dc43e8b22595d38a09955a8c8af669c2644ec410427e8
Instruction ID: 6e1ee8bbf1dc423d0ea5f895b2ab5703ab37349ac6f3b136215a9e8c3da9da5c
Opcode Fuzzy Hash: 330198a14c0f41c4179dc43e8b22595d38a09955a8c8af669c2644ec410427e8
Instruction Fuzzy Hash: E89183346047119BCB04EF12C591AAEB7A1AF94318F44885FFC5A573A3DB38ED46CB89

Function 0044CB82 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 239COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0044CF50), ref: 0044CE90

Strings

T+L, xrefs: 0044CD72
4+L, xrefs: 0044CC96
TEXT, xrefs: 0044CDC7
H+L, xrefs: 0044CCE8
NAME, xrefs: 0044CCC2
CLASSNN, xrefs: 0044CC33
INSTANCE, xrefs: 0044CD9E
REGEXPCLASS, xrefs: 0044CC56
L+L, xrefs: 0044CD14
CLASS, xrefs: 0044CC10
P+L, xrefs: 0044CD43

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: ChildEnumWindows
String ID: 4+L$CLASS$CLASSNN$H+L$INSTANCE$L+L$NAME$P+L$REGEXPCLASS$T+L$TEXT
API String ID: 3555792229-3495546156
Opcode ID: 611bcd56b609d62a1c565fb4c4b4389133c52bc32865dffe2ed254a572114eb6
Instruction ID: e45d92a36c2e8ed145609be1670ab1c68982729d3958bef24b15c0d58d29263f
Opcode Fuzzy Hash: 611bcd56b609d62a1c565fb4c4b4389133c52bc32865dffe2ed254a572114eb6
Instruction Fuzzy Hash: 9D91B430A016069BEB48DFA2C4C1BEAFB75BF04304F58851BD449A7251DF78B95AC7D8

Function 0047E4F5 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 199windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0047E5AB
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,0047BEAF), ref: 0047E607
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0047E647
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0047E68C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0047E6C3
FreeLibrary.KERNEL32(?,00000004,?,?,?,?,0047BEAF), ref: 0047E6CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0047E6DF
DestroyIcon.USER32(?,?,?,?,?,0047BEAF), ref: 0047E6EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0047E70B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0047E717

Part of subcall function 00430FA7: __wcsicmp_l.LIBCMT ref: 00431030

Strings

.exe, xrefs: 0047E541
.dll, xrefs: 0047E564
.icl, xrefs: 0047E521

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 88bbb48de33aa5704a172fcb9dbef40bf7b8a5d7f64cd63657bd61fb8d18be9a
Instruction ID: 915b0b868c66103abbf50f6d81d37603ab6fc8b5c0dd01fbee52751440afa733
Opcode Fuzzy Hash: 88bbb48de33aa5704a172fcb9dbef40bf7b8a5d7f64cd63657bd61fb8d18be9a
Instruction Fuzzy Hash: FB61C171900219BAEB14DF65CC46FFE77A8BB18724F10825BF915D61D0EB78A980CB68

Function 0045D219 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 0041936C: __swprintf.LIBCMT ref: 004193AB
Part of subcall function 0041936C: __itow.LIBCMT ref: 004193DF

CharLowerBuffW.USER32(?,?), ref: 0045D292
GetDriveTypeW.KERNEL32 ref: 0045D2DF
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045D327
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045D35E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045D38C

Strings

open , xrefs: 0045D2EE
close, xrefs: 0045D298
close cd wait, xrefs: 0045D377
set cd door , xrefs: 0045D32D
wait, xrefs: 0045D349
closed, xrefs: 0045D2A6, 0045D2AF
open, xrefs: 0045D2B9
type cdaudio alias cd wait, xrefs: 0045D30A

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1148790751-4113822522
Opcode ID: 9bbf2e40772977e0fef7a26f75e42bf63d8386f51e135bc272ed68e07832c08c
Instruction ID: d89cf78273754548b3b20ccdb01013bf575a998bf9de53d31bab5753d7202b5d
Opcode Fuzzy Hash: 9bbf2e40772977e0fef7a26f75e42bf63d8386f51e135bc272ed68e07832c08c
Instruction Fuzzy Hash: 26517E71504304AFC700EF12D98199EB3E4FF98758F50886EF88567252DB35EE0ACB8A

Function 004526BC Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,00483973,00000016,0000138C,00000016,?,00000016,004ADDB4,00000000,?), ref: 004526F1
LoadStringW.USER32(00000000,?,00483973,00000016), ref: 004526FA
GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,00483973,00000016,0000138C,00000016,?,00000016,004ADDB4,00000000,?,00000016), ref: 0045271C
LoadStringW.USER32(00000000,?,00483973,00000016), ref: 0045271F
__swprintf.LIBCMT ref: 0045276F
__swprintf.LIBCMT ref: 00452780
_wprintf.LIBCMT ref: 00452829
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00452840

Strings

Error: , xrefs: 004527F7
%s (%d) : ==> %s: %s %s, xrefs: 00452824
Line %d:, xrefs: 0045277A
^ ERROR, xrefs: 004527D5
Line %d (File "%s"):, xrefs: 00452769

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 618562835-2268648507
Opcode ID: 1b71a61eaa4beb02f90682bf0a4442d507247f12e36e7057495e197afeb4c90c
Instruction ID: acab04fb85978844ea90601deeabb12f01d0da9abde9967c6f5bf0c1d425bda6
Opcode Fuzzy Hash: 1b71a61eaa4beb02f90682bf0a4442d507247f12e36e7057495e197afeb4c90c
Instruction Fuzzy Hash: B8414372840218BACF15FBD1DE86EEE7778AF55349F10006BB50172092DB686F49CB68

Function 0045D0B8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0045D0D8
__swprintf.LIBCMT ref: 0045D0FA
CreateDirectoryW.KERNEL32(?,00000000), ref: 0045D137
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0045D15C
_memset.LIBCMT ref: 0045D17B
_wcsncpy.LIBCMT ref: 0045D1B7
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0045D1EC
CloseHandle.KERNEL32(00000000), ref: 0045D1F7
RemoveDirectoryW.KERNEL32(?), ref: 0045D200
CloseHandle.KERNEL32(00000000), ref: 0045D20A

Strings

\, xrefs: 0045D110
:, xrefs: 0045D11B
\??\%s, xrefs: 0045D0F4

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 3c0023a9b81213a1935a79eb2990f3ed2423103bbf5cff8d92368ae354215b46
Instruction ID: cd9bcb6847133aeb680de4978fc3bed64514453539c8cabbce6a16498d25f319
Opcode Fuzzy Hash: 3c0023a9b81213a1935a79eb2990f3ed2423103bbf5cff8d92368ae354215b46
Instruction Fuzzy Hash: 6F31A1B2900109ABDB21DFA1DC49FEB77BCEF89745F1040BBF909D2161E77496498B28

Function 0047E731 Relevance: 22.6, APIs: 15, Instructions: 129filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,0047BEF4,?,?), ref: 0047E754
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0047BEF4,?,?,00000000,?), ref: 0047E76B
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0047BEF4,?,?,00000000,?), ref: 0047E776
CloseHandle.KERNEL32(00000000,?,?,?,?,0047BEF4,?,?,00000000,?), ref: 0047E783
GlobalLock.KERNEL32(00000000), ref: 0047E78C
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,0047BEF4,?,?,00000000,?), ref: 0047E79B
GlobalUnlock.KERNEL32(00000000), ref: 0047E7A4
CloseHandle.KERNEL32(00000000,?,?,?,?,0047BEF4,?,?,00000000,?), ref: 0047E7AB
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0047BEF4,?,?,00000000,?), ref: 0047E7BC
OleLoadPicture.OLEAUT32(?,00000000,00000000,0049D9BC,?), ref: 0047E7D5
GlobalFree.KERNEL32(00000000), ref: 0047E7E5
GetObjectW.GDI32(00000000,00000018,?), ref: 0047E809
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0047E834
DeleteObject.GDI32(00000000), ref: 0047E85C
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0047E872

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 47b099dfe8160897d8075687affff2815efcaddc03098ca516b00af1f2d076f5
Instruction ID: ba0041bd742fb814451fbc5186afb561c9b3a8dc3ebb2e2d7960ec06eb8ac24d
Opcode Fuzzy Hash: 47b099dfe8160897d8075687affff2815efcaddc03098ca516b00af1f2d076f5
Instruction Fuzzy Hash: DE414A75A00204FFDB119F65CC48EAB7BB8EF99715F1081AAF90AD72A0D7349D41CB25

Function 004605F8 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0046076F
_wcscat.LIBCMT ref: 00460787
_wcscat.LIBCMT ref: 00460799
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 004607AE
SetCurrentDirectoryW.KERNEL32(?), ref: 004607C2
GetFileAttributesW.KERNEL32(?), ref: 004607DA
SetFileAttributesW.KERNEL32(?,00000000), ref: 004607F4
SetCurrentDirectoryW.KERNEL32(?), ref: 00460806

Strings

*.*, xrefs: 00460845

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: d158464143457fea05008a4e8e76dc58f840cc8e0f7f43e71ef2f9e14450f0e6
Instruction ID: 151a414fcfe8950740cfb97fcf0755a2a9aa0d55f52988ee2c3604767c657380
Opcode Fuzzy Hash: d158464143457fea05008a4e8e76dc58f840cc8e0f7f43e71ef2f9e14450f0e6
Instruction Fuzzy Hash: 0E818F715043019FCB24EF64C8459AFB7E9AB98314F14882FF885C7251FA38ED558B9B

Function 0047EEEB Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042B34E: GetWindowLongW.USER32(?,000000EB), ref: 0042B35F

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0047EF3B
GetFocus.USER32 ref: 0047EF4B
GetDlgCtrlID.USER32(00000000), ref: 0047EF56
_memset.LIBCMT ref: 0047F081
GetMenuItemInfoW.USER32 ref: 0047F0AC
GetMenuItemCount.USER32(00000000), ref: 0047F0CC
GetMenuItemID.USER32(?,00000000), ref: 0047F0DF
GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 0047F113
GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 0047F15B
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0047F193
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0047F1C8

Strings

0, xrefs: 0047F079

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: eb89958f0d3ffbb9fae585cdcd18b3445b3fb9822d258f31529693f7c6b8c846
Instruction ID: 3a3df617e1c0779ef10108bb637f3907ee4e9ed90605eed22724b2e3de541450
Opcode Fuzzy Hash: eb89958f0d3ffbb9fae585cdcd18b3445b3fb9822d258f31529693f7c6b8c846
Instruction Fuzzy Hash: AC815A71604311AFD720CF15D884AABBBE9EB88314F40853FF99897291D778DD09CB9A

Function 0044A867 Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0044ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0044ABD7
Part of subcall function 0044ABBB: GetLastError.KERNEL32(?,0044A69F,?,?,?), ref: 0044ABE1
Part of subcall function 0044ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0044A69F,?,?,?), ref: 0044ABF0
Part of subcall function 0044ABBB: HeapAlloc.KERNEL32(00000000,?,0044A69F,?,?,?), ref: 0044ABF7
Part of subcall function 0044ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0044AC0E

Part of subcall function 0044AC56: GetProcessHeap.KERNEL32(00000008,0044A6B5,00000000,00000000,?,0044A6B5,?), ref: 0044AC62
Part of subcall function 0044AC56: HeapAlloc.KERNEL32(00000000,?,0044A6B5,?), ref: 0044AC69
Part of subcall function 0044AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0044A6B5,?), ref: 0044AC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0044A8CB
_memset.LIBCMT ref: 0044A8E0
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0044A8FF
GetLengthSid.ADVAPI32(?), ref: 0044A910
GetAce.ADVAPI32(?,00000000,?), ref: 0044A94D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0044A969
GetLengthSid.ADVAPI32(?), ref: 0044A986
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0044A995
HeapAlloc.KERNEL32(00000000), ref: 0044A99C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0044A9BD
CopySid.ADVAPI32(00000000), ref: 0044A9C4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0044A9F5
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0044AA1B
SetUserObjectSecurity.USER32(?,00000004,?), ref: 0044AA2F

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: db1b056d7f38f8c40364533c9e25223c04bf579d20ccf4f69f63dbaa6b78c6df
Instruction ID: 791ae7950d4df54bbab7929914087e227c6e025eec3285c26091cdb5cac07895
Opcode Fuzzy Hash: db1b056d7f38f8c40364533c9e25223c04bf579d20ccf4f69f63dbaa6b78c6df
Instruction Fuzzy Hash: 75517EB1940209AFEF10DF91DD85EEEBBB9FF14304F04812AF911A7290DB399A15CB65

Function 00469DC1 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 159windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00469E36
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00469E42
CreateCompatibleDC.GDI32(?), ref: 00469E4E
SelectObject.GDI32(00000000,?), ref: 00469E5B
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00469EAF
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 00469EEB
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00469F0F
SelectObject.GDI32(00000006,?), ref: 00469F17
DeleteObject.GDI32(?), ref: 00469F20
DeleteDC.GDI32(00000006), ref: 00469F27
ReleaseDC.USER32(00000000,?), ref: 00469F32

Strings

(, xrefs: 00469ED7

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 298b7dd1f97248ca8edde4e568e5707ecc3e309cd5adc3388fb537d04ff2a5a5
Instruction ID: cee1106d588f313b0f1b9749b0a930a30af569dc045b0c8748c5774a292be99c
Opcode Fuzzy Hash: 298b7dd1f97248ca8edde4e568e5707ecc3e309cd5adc3388fb537d04ff2a5a5
Instruction Fuzzy Hash: 15513976900309AFCB14CFA8C885EAEBBB9EF48710F14842EF95997250D775AD41CB54

Function 0045CC5C Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 155COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF), ref: 0045CCA3
LoadStringW.USER32(?,?,00000FFF,?), ref: 0045CCC5
__swprintf.LIBCMT ref: 0045CD1E
__swprintf.LIBCMT ref: 0045CD37
_wprintf.LIBCMT ref: 0045CDED
_wprintf.LIBCMT ref: 0045CE0B

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 0045CDE8
Error: , xrefs: 0045CDB5
"%s" (%d) : ==> %s:, xrefs: 0045CE06
^ ERROR, xrefs: 0045CD8F
Line %d (File "%s"):, xrefs: 0045CD18, 0045CD31

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-2391861430
Opcode ID: 379c1e51762444474805ba9de8b847f2add2abf610ffd5113f815d8d6b06292d
Instruction ID: f265828a6df4e3767488dfaec4ff4a664fdd74e4452da93594cef6698a5f1e77
Opcode Fuzzy Hash: 379c1e51762444474805ba9de8b847f2add2abf610ffd5113f815d8d6b06292d
Instruction Fuzzy Hash: C6519431800209BACB15EBA1DD86EEEB778AF05309F10416BF80572162DB396E99DB58

Function 0045CA48 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 151COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 0045CA8F
LoadStringW.USER32(00000072,?,00000FFF,?), ref: 0045CAB0
__swprintf.LIBCMT ref: 0045CB09
__swprintf.LIBCMT ref: 0045CB22
_wprintf.LIBCMT ref: 0045CBCD
_wprintf.LIBCMT ref: 0045CBEB

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 0045CBC8
Error: , xrefs: 0045CB95
"%s" (%d) : ==> %s:, xrefs: 0045CBE6
^ ERROR , xrefs: 0045CB64
Line %d (File "%s"):, xrefs: 0045CB03, 0045CB1C

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-3420473620
Opcode ID: c955f7549129bb5ccc6e26a06eb6093aac9fc59cbc8ab110b423b849f86f5f65
Instruction ID: d3cbe7d2122334cef4909fd596ffea18a0b6a30023bdbdfa69e14f21a252e4f2
Opcode Fuzzy Hash: c955f7549129bb5ccc6e26a06eb6093aac9fc59cbc8ab110b423b849f86f5f65
Instruction Fuzzy Hash: 49518371900209BACF15FBE1DE86EEEB778AF04304F10406BB50572162DB786F99DB69

Function 00473C06 Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 109COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00472BB5,?,?), ref: 00473C1D

Strings

HKU, xrefs: 00473D15
HKLM, xrefs: 00473C81
HKEY_CLASSES_ROOT, xrefs: 00473C96
HKEY_USERS, xrefs: 00473D04
HKEY_CURRENT_USER, xrefs: 00473CE2
HKEY_LOCAL_MACHINE, xrefs: 00473C6C
HKCU, xrefs: 00473CF3
HKEY_CURRENT_CONFIG, xrefs: 00473CC0
HKCC, xrefs: 00473CD1
$EL, xrefs: 00473C36
HKCR, xrefs: 00473CAB

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: BuffCharUpper
String ID: $EL$HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-567733260
Opcode ID: ae7f21643e6feddb1ce18da4c45a72c563ef0380907ab26adcb27fe22bc84425
Instruction ID: 70a7c7d46183de3499cc65efb6269a8638769dda7cb953219b3a9362b6670b7d
Opcode Fuzzy Hash: ae7f21643e6feddb1ce18da4c45a72c563ef0380907ab26adcb27fe22bc84425
Instruction Fuzzy Hash: 8A4195342002499BDF10EF52E951AEB3365AF51345F50841FEC592B292EB7C9E0ADB58

Function 004555BD Relevance: 19.7, APIs: 13, Instructions: 213windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004555D7
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00455664
GetMenuItemCount.USER32(004D1708), ref: 004556ED
DeleteMenu.USER32(004D1708,00000005,00000000,000000F5,?,?), ref: 0045577D
DeleteMenu.USER32(004D1708,00000004,00000000), ref: 00455785
DeleteMenu.USER32(004D1708,00000006,00000000), ref: 0045578D
DeleteMenu.USER32(004D1708,00000003,00000000), ref: 00455795
GetMenuItemCount.USER32(004D1708), ref: 0045579D
SetMenuItemInfoW.USER32(004D1708,00000004,00000000,00000030), ref: 004557D3
GetCursorPos.USER32(?), ref: 004557DD
SetForegroundWindow.USER32(00000000), ref: 004557E6
TrackPopupMenuEx.USER32(004D1708,00000000,?,00000000,00000000,00000000), ref: 004557F9
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00455805

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: e7102c491985e326694657ed10004e552f60e277f57682ca0175e0539cbe00ae
Instruction ID: 2701ec7b9068ea78fad43d542d407513cce414f5c9f9fd6d660ab8ed2d02b0c0
Opcode Fuzzy Hash: e7102c491985e326694657ed10004e552f60e277f57682ca0175e0539cbe00ae
Instruction Fuzzy Hash: 04714530640645BFEB209B15CC59FBABF64FF40369F240217F919AA2D2C7785C18CB98

Function 0044A14D Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0044A1DC
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 0044A211
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0044A22D
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 0044A249
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 0044A273
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0044A29B
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0044A2A6
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0044A2AB

Strings

SOFTWARE\Classes\, xrefs: 0044A17D
\IPC$, xrefs: 0044A1F3
\CLSID, xrefs: 0044A193

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1687751970-22481851
Opcode ID: b942370e613d7e04942b225f93de29856d4bfbf65d6108af4010becd944d1e76
Instruction ID: 25efce3b65fead40bce5191a6581c223658f50d9a2029c4e1ac159f78ddfb3ba
Opcode Fuzzy Hash: b942370e613d7e04942b225f93de29856d4bfbf65d6108af4010becd944d1e76
Instruction Fuzzy Hash: 2D412976C50229ABDF11EBA5DC81DEEB778FF14304F00416AE901B3260EB789E55CB94

Function 004567E9 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 107windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 004567FD
__swprintf.LIBCMT ref: 0045680A

Part of subcall function 0043172B: __woutput_l.LIBCMT ref: 00431784

FindResourceW.KERNEL32(?,?,0000000E), ref: 00456834
LoadResource.KERNEL32(?,00000000), ref: 00456840
LockResource.KERNEL32(00000000), ref: 0045684D
FindResourceW.KERNEL32(?,?,00000003), ref: 0045686D
LoadResource.KERNEL32(?,00000000), ref: 0045687F
SizeofResource.KERNEL32(?,00000000), ref: 0045688E
LockResource.KERNEL32(?), ref: 0045689A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 004568F9

Strings

5L, xrefs: 004567F6

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID: 5L
API String ID: 1433390588-963271569
Opcode ID: f355dbb5a71788a954b41b2542901f85a4dcb2cb73c86c63d9ad15316335db81
Instruction ID: 59b1a6204e6b13d5466d2c98a58f3392183245147a7d44340781cc6d5374ab71
Opcode Fuzzy Hash: f355dbb5a71788a954b41b2542901f85a4dcb2cb73c86c63d9ad15316335db81
Instruction Fuzzy Hash: 06319F7190121AABDB01AFA1DD44EBF7BA8EF08341F418437FD0193251E738D915DB68

Function 004525B5 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,004836F4,00000010,?,Bad directive syntax error,004ADC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 004525D6
LoadStringW.USER32(00000000,?,004836F4,00000010), ref: 004525DD
_wprintf.LIBCMT ref: 00452610
__swprintf.LIBCMT ref: 00452632
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 004526A1

Strings

Error: , xrefs: 0045266F
Line %d:, xrefs: 0045262C
%s (%d) : ==> %s.: %s %s, xrefs: 0045260B
., xrefs: 00452687
Line %d (File "%s"):, xrefs: 00452647

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1080873982-4153970271
Opcode ID: abf493f1f19adeb526c9c3ed405e1c644d697a6358a39749adf2b4e8791b05be
Instruction ID: 035d49f43fe5474baae516bda2640ece08ccb92973d232f587a87b475d410991
Opcode Fuzzy Hash: abf493f1f19adeb526c9c3ed405e1c644d697a6358a39749adf2b4e8791b05be
Instruction Fuzzy Hash: C4215C3184021ABBCF11AF91CC4AFEE7738BF19308F04446BB505620A2DB79A659DB58

Function 00457AD9 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 73COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00457B42
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00457B58
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00457B69
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00457B7B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00457B8C

Strings

open , xrefs: 00457AF1
play PlayMe wait, xrefs: 00457B76
alias PlayMe, xrefs: 00457B1B
play PlayMe, xrefs: 00457B87
close PlayMe, xrefs: 00457B53, 00457B80
status PlayMe mode, xrefs: 00457B3D

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: SendString
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 890592661-1007645807
Opcode ID: 8056fd55ecdd24e098f13bb320e679c7aa442db72d4d173a6d62bd928a356b14
Instruction ID: b74d3f8dd522ba0f7d6e43d71e481fad5a898a448c3afa7d31f845c6fa7cce05
Opcode Fuzzy Hash: 8056fd55ecdd24e098f13bb320e679c7aa442db72d4d173a6d62bd928a356b14
Instruction Fuzzy Hash: 7C11C8F498025979D720B762DC8AFFF7A7CEBD1B19F10442F7411A20C1DA681A89C5B8

Function 0045778F Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00457794

Part of subcall function 0042DC38: timeGetTime.WINMM(?,75A4B400,004858AB), ref: 0042DC3C

Sleep.KERNEL32(0000000A), ref: 004577C0
EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 004577E4
FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00457806
SetActiveWindow.USER32 ref: 00457825
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00457833
SendMessageW.USER32(00000010,00000000,00000000), ref: 00457852
Sleep.KERNEL32(000000FA), ref: 0045785D
IsWindow.USER32 ref: 00457869
EndDialog.USER32(00000000), ref: 0045787A

Strings

BUTTON, xrefs: 004577F8

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 1d3eca0a5b3a97c55721717058f0e3315559f67a73c6438031a5823a4f021f5a
Instruction ID: a94be970ed532b3fef106282d71953041b3981e4cdf98ce973a8c33ceec44c3f
Opcode Fuzzy Hash: 1d3eca0a5b3a97c55721717058f0e3315559f67a73c6438031a5823a4f021f5a
Instruction Fuzzy Hash: 5A215E71605205AFE7006F20FD89B263F29FB5834BB00443BFD0582262DB695C09CB2E

Function 004602EE Relevance: 18.3, APIs: 12, Instructions: 282comCOMMON

Download Yara Rule

APIs

Part of subcall function 0041936C: __swprintf.LIBCMT ref: 004193AB
Part of subcall function 0041936C: __itow.LIBCMT ref: 004193DF

CoInitialize.OLE32(00000000), ref: 0046034B
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 004603DE
SHGetDesktopFolder.SHELL32(?), ref: 004603F2
CoCreateInstance.OLE32(0049DA8C,00000000,00000001,004C3CF8,?), ref: 0046043E
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 004604AD
CoTaskMemFree.OLE32(?,?), ref: 00460505
_memset.LIBCMT ref: 00460542
SHBrowseForFolderW.SHELL32(?), ref: 0046057E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 004605A1
CoTaskMemFree.OLE32(00000000), ref: 004605A8
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 004605DF
CoUninitialize.OLE32(00000001,00000000), ref: 004605E1

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 4ab6968fbe8f57f7ed479d43af73b686275887f81043911093193334f9996f51
Instruction ID: b983eaac144e6010d404146309741b6c2a8fe279a70ef0619537868b03c70384
Opcode Fuzzy Hash: 4ab6968fbe8f57f7ed479d43af73b686275887f81043911093193334f9996f51
Instruction Fuzzy Hash: B6B1FC75A00208AFDB14DFA5C888DAEBBB9FF48305B1484AAF816EB251D734ED41CF54

Function 00452E5B Relevance: 18.2, APIs: 12, Instructions: 185keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00452ED6
SetKeyboardState.USER32(?), ref: 00452F41
GetAsyncKeyState.USER32(000000A0), ref: 00452F61
GetKeyState.USER32(000000A0), ref: 00452F78
GetAsyncKeyState.USER32(000000A1), ref: 00452FA7
GetKeyState.USER32(000000A1), ref: 00452FB8
GetAsyncKeyState.USER32(00000011), ref: 00452FE4
GetKeyState.USER32(00000011), ref: 00452FF2
GetAsyncKeyState.USER32(00000012), ref: 0045301B
GetKeyState.USER32(00000012), ref: 00453029
GetAsyncKeyState.USER32(0000005B), ref: 00453052
GetKeyState.USER32(0000005B), ref: 00453060

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: d50ac9ad66c56ca6e7f595f0470f4baee17c3af87de9e4a172fae2325883c0a5
Instruction ID: a5be3520a5323dae04a0d3ebdf65c2f5531d552d24d34e3b10ae2b51a6d9d559
Opcode Fuzzy Hash: d50ac9ad66c56ca6e7f595f0470f4baee17c3af87de9e4a172fae2325883c0a5
Instruction Fuzzy Hash: 1551E82190478429FB35DBA489117ABBBB45F12386F08459FC9C25A2C3DB9C9F8CC769

Function 0044ED02 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0044ED1E
GetWindowRect.USER32(00000000,?), ref: 0044ED30
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0044ED8E
GetDlgItem.USER32(?,00000002), ref: 0044ED99
GetWindowRect.USER32(00000000,?), ref: 0044EDAB
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0044EE01
GetDlgItem.USER32(?,000003E9), ref: 0044EE0F
GetWindowRect.USER32(00000000,?), ref: 0044EE20
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0044EE63
GetDlgItem.USER32(?,000003EA), ref: 0044EE71
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0044EE8E
InvalidateRect.USER32(?,00000000,00000001), ref: 0044EE9B

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: f2411390be0854b910044af848d0e0e9b9ccabd5d6070a10796d756f4db5c8a7
Instruction ID: 0d65109a7140961aaf991d9041fee5eb90e799a603e741ef5083ebbcd8d4f0d7
Opcode Fuzzy Hash: f2411390be0854b910044af848d0e0e9b9ccabd5d6070a10796d756f4db5c8a7
Instruction Fuzzy Hash: FE510FB1F00205AFDB18CF69DD89AAEBBBAFB98700F14813AF519D7290D7749D008B14

Function 0042B73E Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 0042B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0042B759,?,00000000,?,?,?,?,0042B72B,00000000,?), ref: 0042BA58

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0042B72B), ref: 0042B7F6
KillTimer.USER32(00000000,?,00000000,?,?,?,?,0042B72B,00000000,?,?,0042B2EF,?,?), ref: 0042B88D
DestroyAcceleratorTable.USER32(00000000), ref: 0048D8A6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0042B72B,00000000,?,?,0042B2EF,?,?), ref: 0048D8D7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0042B72B,00000000,?,?,0042B2EF,?,?), ref: 0048D8EE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0042B72B,00000000,?,?,0042B2EF,?,?), ref: 0048D90A
DeleteObject.GDI32(00000000), ref: 0048D91C

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: cf0cbcac85ba903f9e1a6f4268be614dc34ded83400902192b819bfca1b54803
Instruction ID: 4151627ac4b8c30f54e4ed569c525cb9796275d386c1f2098a316d7e7fff3c2d
Opcode Fuzzy Hash: cf0cbcac85ba903f9e1a6f4268be614dc34ded83400902192b819bfca1b54803
Instruction Fuzzy Hash: 25618030A02610DFDB25AF15E88872A77B5FF94315F54452FE446876B0C778A881CF8D

Function 0042B40A Relevance: 18.1, APIs: 12, Instructions: 131COMMON

Download Yara Rule

APIs

Part of subcall function 0042B526: GetWindowLongW.USER32(?,000000EB), ref: 0042B537

GetSysColor.USER32(0000000F), ref: 0042B438

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 28b80ed8e3062c95d11c641ca89dbf72a5e99fc94357d06fc9cd5e744ffd6531
Instruction ID: d2a1c99221d518b784a41dfb450a37d29a58d2f0309b2590cace7be1391559e0
Opcode Fuzzy Hash: 28b80ed8e3062c95d11c641ca89dbf72a5e99fc94357d06fc9cd5e744ffd6531
Instruction Fuzzy Hash: 3D41B431601510AFDB216F28EC89BBA3765EB16730F544273FDA58E2E6C7348C42D769

Function 0045690B Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 00456923
_wcscpy.LIBCMT ref: 00456934
__wsplitpath.LIBCMT ref: 00456958
__wsplitpath.LIBCMT ref: 00456979
_wcscpy.LIBCMT ref: 0045699B
_wcscpy.LIBCMT ref: 004569B9
_wcscpy.LIBCMT ref: 004569C7
_wcscat.LIBCMT ref: 004569D6
_wcscat.LIBCMT ref: 00456A2B
_wcscat.LIBCMT ref: 00456A61
_wcscat.LIBCMT ref: 00456A73

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
String ID:
API String ID: 136442275-0
Opcode ID: dda4412fb9f94984fb513d9fca9c9714687bdcc113f1e85754ae6a89edfe522c
Instruction ID: b584a679850f1ad2f6042183cbf816825045dc78ec9d9aef323c03234783a6eb
Opcode Fuzzy Hash: dda4412fb9f94984fb513d9fca9c9714687bdcc113f1e85754ae6a89edfe522c
Instruction Fuzzy Hash: 82415E7684511CAECF65EB91CC51DCB73BCEB48300F4051A7BA49A2051EA34ABE88F58

Function 0045D76A Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 180COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(004ADC00,004ADC00,004ADC00), ref: 0045D7CE
GetDriveTypeW.KERNEL32(?,004C3A70,00000061), ref: 0045D898
_wcscpy.LIBCMT ref: 0045D8C2

Strings

ramdisk, xrefs: 0045D842
cdrom, xrefs: 0045D7EA
all, xrefs: 0045D7D4
unknown, xrefs: 0045D859
fixed, xrefs: 0045D816
removable, xrefs: 0045D800
network, xrefs: 0045D82C

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: b8dc3e1d34e5538edbcd18905c5b06695d15f94528e9315932edb2e7d2ccbe82
Instruction ID: 2cb8f7e3dfda0baee7688d14d37daf7fbb5954710adc22143c7ed2fb1719ad14
Opcode Fuzzy Hash: b8dc3e1d34e5538edbcd18905c5b06695d15f94528e9315932edb2e7d2ccbe82
Instruction Fuzzy Hash: 5F519435504200AFC710EF16D881BAFB7A5EF84319F50892FF8A657293DB39DD49CA4A

Function 0041936C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 004193AB
__itow.LIBCMT ref: 004193DF

Part of subcall function 00431557: _xtow@16.LIBCMT ref: 00431578

Strings

0x%p, xrefs: 00484CAD
False, xrefs: 00484C93
%.15g, xrefs: 004193A5
True, xrefs: 00484C8C

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: __itow__swprintf_xtow@16
String ID: %.15g$0x%p$False$True
API String ID: 1502193981-2263619337
Opcode ID: 92c1a619248308034f147843a563a6d7f6ad05182e6b5216d79896642a78053e
Instruction ID: e42a141a33525c51adcd875eb6bbc32f4b8c5518934057d331c42fed2072918b
Opcode Fuzzy Hash: 92c1a619248308034f147843a563a6d7f6ad05182e6b5216d79896642a78053e
Instruction Fuzzy Hash: 58410B31500205ABDB24EF75D951FAA73F8EF88304F20486FE55AD7281EA39DD42CB19

Function 0047A1B6 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0047A259
CreateCompatibleDC.GDI32(00000000), ref: 0047A260
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 0047A273
SelectObject.GDI32(00000000,00000000), ref: 0047A27B
GetPixel.GDI32(00000000,00000000,00000000), ref: 0047A286
DeleteDC.GDI32(00000000), ref: 0047A28F
GetWindowLongW.USER32(?,000000EC), ref: 0047A299
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 0047A2AD
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0047A2B9

Strings

static, xrefs: 0047A1F1

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 815825e6b18a7d71ba371ad7ad2fc3b0d09c2187394bd71d55d4f7b1e8bd32e5
Instruction ID: f947658ac238a7953c673023c44af8eb090236cb3afe9b5be081216e702b650f
Opcode Fuzzy Hash: 815825e6b18a7d71ba371ad7ad2fc3b0d09c2187394bd71d55d4f7b1e8bd32e5
Instruction Fuzzy Hash: B031AD32500214ABDF115FA4DC09FEF3B68FF5D324F104226FA19A22A1C739D821DBA9

Function 00456F02 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00456F1D
gethostname.WSOCK32(?,00000100), ref: 00456F37
gethostbyname.WSOCK32(?), ref: 00456F44
_wcscpy.LIBCMT ref: 00456F6C
inet_ntoa.WSOCK32(?), ref: 00456F8A
_strcat.LIBCMT ref: 00456F98
_wcscpy.LIBCMT ref: 00456FAF
WSACleanup.WSOCK32 ref: 00456FBD
_wcscpy.LIBCMT ref: 00456FCB

Strings

0.0.0.0, xrefs: 00456F66

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 2620052-3771769585
Opcode ID: a781f3153afd37a953855bd571858939a81265fe30f53dfdb3ccbc8d4262eacb
Instruction ID: d8237866b1638ff1719a6ec76a562abcb8e1c84487c7148c58071505e5a1f16c
Opcode Fuzzy Hash: a781f3153afd37a953855bd571858939a81265fe30f53dfdb3ccbc8d4262eacb
Instruction Fuzzy Hash: A8110532D04114ABDB24AB61EC09EDA77ACDB14715F4101BBF40593192EE789A898A5C

Function 0043500E Relevance: 16.8, APIs: 11, Instructions: 257COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00435047

Part of subcall function 00437C0E: __getptd_noexit.LIBCMT ref: 00437C0E

__gmtime64_s.LIBCMT ref: 004350E0
__gmtime64_s.LIBCMT ref: 00435116
__gmtime64_s.LIBCMT ref: 00435133
__allrem.LIBCMT ref: 00435189
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004351A5
__allrem.LIBCMT ref: 004351BC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004351DA
__allrem.LIBCMT ref: 004351F1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043520F
__invoke_watson.LIBCMT ref: 00435280

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction ID: df2aa938e134153bde5ce6a784a1eabc0d3e65a0c3faa8231224896e8dfb4505
Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction Fuzzy Hash: A171C7B1A00B16ABE7149E79CC81B5F73B8AF08768F14522FF914D6381E778D9408BD8

Function 00454DDD Relevance: 16.7, APIs: 11, Instructions: 189windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00454DF8
GetMenuItemInfoW.USER32(004D1708,000000FF,00000000,00000030), ref: 00454E59
SetMenuItemInfoW.USER32(004D1708,00000004,00000000,00000030), ref: 00454E8F
Sleep.KERNEL32(000001F4), ref: 00454EA1
GetMenuItemCount.USER32(?), ref: 00454EE5
GetMenuItemID.USER32(?,00000000), ref: 00454F01
GetMenuItemID.USER32(?,-00000001), ref: 00454F2B
GetMenuItemID.USER32(?,?), ref: 00454F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00454FB6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00454FCA
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00454FEB

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 31db2ddd11d9e95fcddd7c4fae6b6ecd314b27628c8e30d26acb0eed25c4ef44
Instruction ID: 4bc4ebb8d59d7bb5cbb206a91fe501c36359dbb0c6ed0f3a7e4015ef86e57a2e
Opcode Fuzzy Hash: 31db2ddd11d9e95fcddd7c4fae6b6ecd314b27628c8e30d26acb0eed25c4ef44
Instruction Fuzzy Hash: D8618271900249AFDB11CFA8D9849AF7BB8EB8530DF14016AFC419B252D7389D89CB29

Function 00479C16 Relevance: 16.7, APIs: 11, Instructions: 183windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00479C98
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00479C9B
GetWindowLongW.USER32(?,000000F0), ref: 00479CBF
_memset.LIBCMT ref: 00479CD0
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00479CE2
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00479D5A

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: b871f63d9479ee0b04fb215ab42da99b92a84d56a5485eb9f3203171751fd18c
Instruction ID: eba29cef5767ffc2766984d0b0d66bdf08a8a3aadabb2d38e9812ce3f7baae51
Opcode Fuzzy Hash: b871f63d9479ee0b04fb215ab42da99b92a84d56a5485eb9f3203171751fd18c
Instruction Fuzzy Hash: 58618D75900208AFDB21DFA4CC81EEE77B8EF09714F14416AFA18A73A1D774AD42DB54

Function 004494E1 Relevance: 16.6, APIs: 11, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 004494FE
SafeArrayAllocData.OLEAUT32(?), ref: 00449549
VariantInit.OLEAUT32(?), ref: 0044955B
SafeArrayAccessData.OLEAUT32(?,?), ref: 0044957B
VariantCopy.OLEAUT32(?,?), ref: 004495BE
SafeArrayUnaccessData.OLEAUT32(?), ref: 004495D2
VariantClear.OLEAUT32(?), ref: 004495E7
SafeArrayDestroyData.OLEAUT32(?), ref: 004495F4
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 004495FD
VariantClear.OLEAUT32(?), ref: 0044960F
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0044961A

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 16e6e28f7aaf1179d27d7e0b71bab109ba73901189739ab25789d966c338fce2
Instruction ID: 1a57758238329b3483cbcd4cb20e4eecad12769a191c1b2427e7d9e07ba17690
Opcode Fuzzy Hash: 16e6e28f7aaf1179d27d7e0b71bab109ba73901189739ab25789d966c338fce2
Instruction Fuzzy Hash: F0416E31E00219AFDB01EFA4D884DDEBBB9FF18354F10807AE501A3251DB74AA45DBA9

Function 0046BB08 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 264COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0046BB5C
VariantInit.OLEAUT32(?), ref: 0046BC2D
VariantInit.OLEAUT32(?), ref: 0046BD2E
VariantClear.OLEAUT32(?), ref: 0046BD38
VariantClear.OLEAUT32(?), ref: 0046BD99

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0046BD11
h?L, xrefs: 0046BB2D
|?L, xrefs: 0046BB34
Null Object assignment in FOR..IN loop, xrefs: 0046BBBD, 0046BCEB, 0046BDA7

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$h?L$|?L
API String ID: 2862541840-2737508579
Opcode ID: 199fb6859a6970f23f1a75cdf3df00e8798b507679fc7ae335b6d632ebab5844
Instruction ID: 6cde5f922bf3182b10cc4748e4f603768cd39255ad9839d737a6cc79ca385d15
Opcode Fuzzy Hash: 199fb6859a6970f23f1a75cdf3df00e8798b507679fc7ae335b6d632ebab5844
Instruction Fuzzy Hash: 2591A171A00219ABDF20CF95C844FAEBBB8EF44714F10855FF505EB280E7789A81CB95

Function 0046ADAE Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 0041936C: __swprintf.LIBCMT ref: 004193AB
Part of subcall function 0041936C: __itow.LIBCMT ref: 004193DF

CoInitialize.OLE32 ref: 0046ADF6
CoUninitialize.OLE32 ref: 0046AE01
CoCreateInstance.OLE32(?,00000000,00000017,0049D8FC,?), ref: 0046AE61
IIDFromString.OLE32(?,?), ref: 0046AED4
VariantInit.OLEAUT32(?), ref: 0046AF6E
VariantClear.OLEAUT32(?), ref: 0046AFCF

Strings

Failed to create object, xrefs: 0046AE6C, 0046AF22
NULL Pointer assignment, xrefs: 0046AEA6
Invalid parameter, xrefs: 0046AEED

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: ed8601236f2e042af36d4798710b1fca922da27f2447805fee6b568e4ca98e7c
Instruction ID: 6cab4bc97770909280fbb3f3ed187baf3e47cc460f5d7ac640f496127bd92a12
Opcode Fuzzy Hash: ed8601236f2e042af36d4798710b1fca922da27f2447805fee6b568e4ca98e7c
Instruction Fuzzy Hash: F5618970608A019FD714DF54C848B6AB7E8AF48704F10441FF985AB292E778ED58CB9B

Function 00468107 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00468168
inet_addr.WSOCK32(?,?,?), ref: 004681AD
gethostbyname.WSOCK32(?), ref: 004681B9
IcmpCreateFile.IPHLPAPI ref: 004681C7
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00468237
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 0046824D
IcmpCloseHandle.IPHLPAPI(00000000), ref: 004682C2
WSACleanup.WSOCK32 ref: 004682C8

Strings

Ping, xrefs: 004681EB

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: fae008fa1bbda8abe490e48a95ba07f9efa633edb1a795aa42150201136970a4
Instruction ID: 5bba383d595c531ae058f22006e89107b36202e7f75edeeecbdd01c0dc300a5e
Opcode Fuzzy Hash: fae008fa1bbda8abe490e48a95ba07f9efa633edb1a795aa42150201136970a4
Instruction Fuzzy Hash: 2F51C0316003009FDB209F65DC95B6AB7E4AF48314F048AAFF955D73A0EB78E901CB4A

Function 00479E43 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 105windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00479E5B
CreateMenu.USER32 ref: 00479E76
SetMenu.USER32(?,00000000), ref: 00479E85
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00479F12
IsMenu.USER32(?), ref: 00479F28
CreatePopupMenu.USER32 ref: 00479F32
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00479F63
DrawMenuBar.USER32 ref: 00479F71

Strings

0, xrefs: 00479E54

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0
API String ID: 176399719-4108050209
Opcode ID: b9519485da3a6f3ace0e2101af500fc172f9bbb2a6c73117e667df61eded5c21
Instruction ID: 15922cb76cb7485e0502f9e5f65f85ab8cc22012054e4f02011aea9dbc5b87b9
Opcode Fuzzy Hash: b9519485da3a6f3ace0e2101af500fc172f9bbb2a6c73117e667df61eded5c21
Instruction Fuzzy Hash: 4C4125B4A01209AFDB10DF64D844BEABBB5FF58314F15812AE949A7360D734AD10CF58

Function 0045E389 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 97COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0045E396
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0045E40C
GetLastError.KERNEL32 ref: 0045E416
SetErrorMode.KERNEL32(00000000,READY), ref: 0045E483

Strings

NOTREADY, xrefs: 0045E442
READY, xrefs: 0045E45C
READONLY, xrefs: 0045E44E
INVALID, xrefs: 0045E455
UNKNOWN, xrefs: 0045E43B

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: b0a7d45b615a16898003cc59b81b1c48b43b4e5bccd58d0091ca04cc2d0d484e
Instruction ID: ed405bf843520cad26cd28f8ddbb05b4d57718ff503924f35a373ff0e6b30c44
Opcode Fuzzy Hash: b0a7d45b615a16898003cc59b81b1c48b43b4e5bccd58d0091ca04cc2d0d484e
Instruction Fuzzy Hash: 1031D436A002099FCB04EF65D885FBE77B4EF0A305F10802BE905E7292D7789A46CB49

Function 0044B907 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 0044B98C
GetDlgCtrlID.USER32 ref: 0044B997
GetParent.USER32 ref: 0044B9B3
SendMessageW.USER32(00000000,?,00000111,?), ref: 0044B9B6
GetDlgCtrlID.USER32(?), ref: 0044B9BF
GetParent.USER32(?), ref: 0044B9DB
SendMessageW.USER32(00000000,?,?,00000111), ref: 0044B9DE

Strings

ListBox, xrefs: 0044B949
ComboBox, xrefs: 0044B911

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: 0ee187d62709e52a7be3c194351db4d3eed7921e75b5041dd348cb8d12220d99
Instruction ID: e9dd5fabdd90c6ef27963275fcebdc836b3c6702e281e0957bf008654b3b6f9d
Opcode Fuzzy Hash: 0ee187d62709e52a7be3c194351db4d3eed7921e75b5041dd348cb8d12220d99
Instruction Fuzzy Hash: 0621C4B4900204BFEB04ABA1CC86EFEB774EF55304B10012BF551932D1DBB99815DB68

Function 0044B9F0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 80windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 0044BA73
GetDlgCtrlID.USER32 ref: 0044BA7E
GetParent.USER32 ref: 0044BA9A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0044BA9D
GetDlgCtrlID.USER32(?), ref: 0044BAA6
GetParent.USER32(?), ref: 0044BAC2
SendMessageW.USER32(00000000,?,?,00000111), ref: 0044BAC5

Strings

ListBox, xrefs: 0044BA32
ComboBox, xrefs: 0044B9FA

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: 61f637d7cf2bc64286e6b8e5ca846be9ed99bd45c752e3db3ec4fe2347ae9d7f
Instruction ID: 4dd77c5848441ebe82e9a39b33b94ebb16fb4dcd530ddc0e0de17959c13523b6
Opcode Fuzzy Hash: 61f637d7cf2bc64286e6b8e5ca846be9ed99bd45c752e3db3ec4fe2347ae9d7f
Instruction Fuzzy Hash: D121C574940204BFDF01AB64CC85FFEB779EF55304F10002BF551A3291DBB999559B68

Function 0044BAD7 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0044BAE3
GetClassNameW.USER32(00000000,?,00000100), ref: 0044BAF8
_wcscmp.LIBCMT ref: 0044BB0A
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0044BB85

Strings

smallicons, xrefs: 0044BB4D
largeicons, xrefs: 0044BB19
details, xrefs: 0044BB33
list, xrefs: 0044BB67
SHELLDLL_DefView, xrefs: 0044BB04

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: eb53f62dfa3cbef146c7d741e9c57455b3deda882c60afcbb845e8703c8ffae0
Instruction ID: 1a7e8e81f40775d298b94743e03b2861d5ff1ac0b30a45f9241232f1cdfc727f
Opcode Fuzzy Hash: eb53f62dfa3cbef146c7d741e9c57455b3deda882c60afcbb845e8703c8ffae0
Instruction Fuzzy Hash: 0011E37A608342F9FA2066259C16EA7379CDB25324F20002BF904E54D5EBEEB811459C

Function 0046B2A9 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0046B2D5
CoInitialize.OLE32(00000000), ref: 0046B302
CoUninitialize.OLE32 ref: 0046B30C
GetRunningObjectTable.OLE32(00000000,?), ref: 0046B40C
SetErrorMode.KERNEL32(00000001,00000029), ref: 0046B539
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 0046B56D
CoGetObject.OLE32(?,00000000,0049D91C,?), ref: 0046B590
SetErrorMode.KERNEL32(00000000), ref: 0046B5A3
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0046B623
VariantClear.OLEAUT32(0049D91C), ref: 0046B633

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 12d23e32dfec738c3dcd7f761b72d784a8184e274e8b4c80f0488f11cab31f63
Instruction ID: eda1ac42409f91cad656c5fd9b86cc7f8d6d0700f142a9e21368c2ff612ce094
Opcode Fuzzy Hash: 12d23e32dfec738c3dcd7f761b72d784a8184e274e8b4c80f0488f11cab31f63
Instruction Fuzzy Hash: D3C10371608300AFC700DF65C88496BB7E9EF88308F00492EF98ADB251EB75ED45CB96

Function 00454025 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00454047
GetForegroundWindow.USER32(00000000,?,?,?,?,?,004530A5,?,00000001), ref: 0045405B
GetWindowThreadProcessId.USER32(00000000), ref: 00454062
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,004530A5,?,00000001), ref: 00454071
GetWindowThreadProcessId.USER32(?,00000000), ref: 00454083
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,004530A5,?,00000001), ref: 0045409C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,004530A5,?,00000001), ref: 004540AE
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,004530A5,?,00000001), ref: 004540F3
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,004530A5,?,00000001), ref: 00454108
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,004530A5,?,00000001), ref: 00454113

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 733dea4331a3e9352baf92716f5010d4f3b96982650617935e5792565a14efc8
Instruction ID: ff721e3b4578868445a94f4782295145e9ae1da958306f6bcebf5683a1a8efe2
Opcode Fuzzy Hash: 733dea4331a3e9352baf92716f5010d4f3b96982650617935e5792565a14efc8
Instruction Fuzzy Hash: 1C31D472501200ABDB10CF54DC49B6A77B9ABA0B17F108027FD05EA291C7789D848B5D

Function 0048DD4A Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0042B496
SetTextColor.GDI32(?,000000FF), ref: 0042B4A0
SetBkMode.GDI32(?,00000001), ref: 0042B4B5
GetStockObject.GDI32(00000005), ref: 0042B4BD
GetClientRect.USER32(?), ref: 0048DD63
SendMessageW.USER32(?,00001328,00000000,?), ref: 0048DD7A
GetWindowDC.USER32(?), ref: 0048DD86
GetPixel.GDI32(00000000,?,?), ref: 0048DD95
ReleaseDC.USER32(?,00000000), ref: 0048DDA7
GetSysColor.USER32(00000005), ref: 0048DDC5

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID:
API String ID: 3430376129-0
Opcode ID: e2ce7d2f0eb5b465ac71522bb9a22671f68454be5d038fe9701be51d2b18402b
Instruction ID: d3a87821295e587ee2e8af8dc72d1f5f33a06c33cd26770770253c2d867d1ecb
Opcode Fuzzy Hash: e2ce7d2f0eb5b465ac71522bb9a22671f68454be5d038fe9701be51d2b18402b
Instruction Fuzzy Hash: 84117F31900205FFDB116FA4EC49FAA7B71EB14321F104632FA66951E2CB310941DB19

Function 00413093 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 210COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 004130DC
CoUninitialize.OLE32(?,00000000), ref: 00413181
UnregisterHotKey.USER32(?), ref: 004132A9
DestroyWindow.USER32(?), ref: 00485079
FreeLibrary.KERNEL32(?), ref: 004850F8
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00485125

Strings

close all, xrefs: 004130D7

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 9fdb12f68b1f8302a8506c3f6ba9596750c557b829e3666a5bf61c0afaa90e52
Instruction ID: 861b60e222491da4bd70faa86354835f382f504b4ba0bd0bd36b8aac320c7028
Opcode Fuzzy Hash: 9fdb12f68b1f8302a8506c3f6ba9596750c557b829e3666a5bf61c0afaa90e52
Instruction Fuzzy Hash: 7C915D34700102DFC705EF15D995BA9F3A4FF15309F5081AEE40AA7262DB38AE96CF58

Function 0042CB8D Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 185windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 0042CC15

Part of subcall function 0042CCCD: GetClientRect.USER32(?,?), ref: 0042CCF6
Part of subcall function 0042CCCD: GetWindowRect.USER32(?,?), ref: 0042CD37
Part of subcall function 0042CCCD: ScreenToClient.USER32(?,?), ref: 0042CD5F

GetDC.USER32 ref: 0048D137
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0048D14A
SelectObject.GDI32(00000000,00000000), ref: 0048D158
SelectObject.GDI32(00000000,00000000), ref: 0048D16D
ReleaseDC.USER32(?,00000000), ref: 0048D175
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0048D200

Strings

U, xrefs: 0048D0D5

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 80e44c18c9efd66f8e722a55842e9dbc58b2d790a3b3d7522fe8a14e53b60bdf
Instruction ID: 2db11eb73cfab7b63f5859f432830cf3fa5e9a8bb7c84c1fdac518c9431505eb
Opcode Fuzzy Hash: 80e44c18c9efd66f8e722a55842e9dbc58b2d790a3b3d7522fe8a14e53b60bdf
Instruction Fuzzy Hash: FA710130901204EFCF21AF64D884AAE7BB1FF49314F144A6BED559A2E6C7398C41DF59

Function 0047ECD4 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042B34E: GetWindowLongW.USER32(?,000000EB), ref: 0042B35F

Part of subcall function 0042B63C: GetCursorPos.USER32(000000FF), ref: 0042B64F
Part of subcall function 0042B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0042B66C
Part of subcall function 0042B63C: GetAsyncKeyState.USER32(00000001), ref: 0042B691
Part of subcall function 0042B63C: GetAsyncKeyState.USER32(00000002), ref: 0042B69F

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 0047ED3C
ImageList_EndDrag.COMCTL32 ref: 0047ED42
ReleaseCapture.USER32 ref: 0047ED48
SetWindowTextW.USER32(?,00000000), ref: 0047EDF0
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0047EE03
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 0047EEDC

Strings

@GUI_DROPID, xrefs: 0047EE33
@GUI_DRAGFILE, xrefs: 0047EE77

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 9140e5198355197ed70d6005580db88cdf042807023b9dfd1257ca7fb9484948
Instruction ID: b613a7f329a354966eefcc29c3df0b4f04b021867814c4510ac62bcdf8fb06d3
Opcode Fuzzy Hash: 9140e5198355197ed70d6005580db88cdf042807023b9dfd1257ca7fb9484948
Instruction Fuzzy Hash: B0519C70204300AFD710DF21DC96FAA77E4EB88718F404A2FF955972E1DB789948CB5A

Function 004645C4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 133networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 004645FF
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0046462B
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0046466D
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00464682
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0046468F
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 004646BF
InternetCloseHandle.WININET(00000000), ref: 00464706

Part of subcall function 00465052: GetLastError.KERNEL32(?,?,004643CC,00000000,00000000,00000001), ref: 00465067

Strings

, xrefs: 004646B8

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
String ID:
API String ID: 1241431887-3916222277
Opcode ID: 9797b134526a447a5af96dc5dcf522167617ac257dd7d3383629973fba94c96d
Instruction ID: e89f762b1de149323bcab2b8b22268dfac6a1109913ac15660094e7d4fdaa26d
Opcode Fuzzy Hash: 9797b134526a447a5af96dc5dcf522167617ac257dd7d3383629973fba94c96d
Instruction Fuzzy Hash: EC417EB1901205BFEF019F90CC85FBB77ACEF49314F00402BFA059A151E7B89D458BAA

Function 0046B644 Relevance: 13.9, APIs: 9, Instructions: 432COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,004ADC00), ref: 0046B715
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,004ADC00), ref: 0046B749
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 0046B8C1
SysFreeString.OLEAUT32(?), ref: 0046B8EB

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 2f99cc5920dc8b070963116965d9d9f5489a8f356c5a84c9d2fefa3f9fa61766
Instruction ID: d5f69b7993435ba7f238fa0345018294fc9e4af6d151611f3bd7b4f7a9d9e2c1
Opcode Fuzzy Hash: 2f99cc5920dc8b070963116965d9d9f5489a8f356c5a84c9d2fefa3f9fa61766
Instruction Fuzzy Hash: 58F13A71A00209AFCF04DF94C884EAEB7B9FF49315F10845AF915EB250EB35AD86CB95

Function 004724D4 Relevance: 13.9, APIs: 9, Instructions: 376processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004724F5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00472688
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 004726AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 004726EC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0047270E
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0047286F
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 004728A1
CloseHandle.KERNEL32(?), ref: 004728D0
CloseHandle.KERNEL32(?), ref: 00472947

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 0e702d756f217b0ba99888284824f8712a5d462a55f33728b9e1058386e5a363
Instruction ID: 49f69be0f839d7ee7500b4091c94a53ba71af42b67003122e1027e06c25bf161
Opcode Fuzzy Hash: 0e702d756f217b0ba99888284824f8712a5d462a55f33728b9e1058386e5a363
Instruction Fuzzy Hash: B6D1C131604200DFC714EF25C591AAEBBE0BF88314F14856EF8999B3A2DB79DC45CB5A

Function 0047B33A Relevance: 13.7, APIs: 9, Instructions: 167COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0047B3F4

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: ee4c3ca0a85bb4f05d70ab4a904ef0568119d9e5bc853b86b2922d2a560a28b3
Instruction ID: a10614bb1c6dd6bf0ce0c78835bf9a11b98177f376b4360be36fb836d74de51b
Opcode Fuzzy Hash: ee4c3ca0a85bb4f05d70ab4a904ef0568119d9e5bc853b86b2922d2a560a28b3
Instruction Fuzzy Hash: 01517370600214BBDF249B25CC85BDA3B64EF05358F54C127FA1DE62E1C779E9809BD9

Function 0042A699 Relevance: 13.7, APIs: 9, Instructions: 163windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0048DB1B
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0048DB3C
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0048DB51
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0048DB6E
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0048DB95
DestroyIcon.USER32(00000000,?,?,?,?,?,?,0042A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0048DBA0
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0048DBBD
DestroyIcon.USER32(00000000,?,?,?,?,?,?,0042A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0048DBC8

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 8b4f7ef2005792b5aaf6997b1576a0d91a1d728d9993f4edf2bf0f143c1a03fb
Instruction ID: c1b63f6963453f52710db94a98f2de544f5dafae069676b5614dc9c818764bca
Opcode Fuzzy Hash: 8b4f7ef2005792b5aaf6997b1576a0d91a1d728d9993f4edf2bf0f143c1a03fb
Instruction Fuzzy Hash: 78518970B01208AFDB20DF65DC81FAA77B8EB58354F10052AF946972E0D7B8EC90CB59

Function 00457555 Relevance: 13.6, APIs: 9, Instructions: 142filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00456EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00455FA6,?), ref: 00456ED8

Part of subcall function 00456EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00455FA6,?), ref: 00456EF1

Part of subcall function 004572CB: GetFileAttributesW.KERNEL32(?,00456019), ref: 004572CC

lstrcmpiW.KERNEL32(?,?), ref: 004575CA
_wcscmp.LIBCMT ref: 004575E2
MoveFileW.KERNEL32(?,?), ref: 004575FB

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: bab711bfd7d27bf372352265db2fd1b3825bcf36b3e3359f86c6f86c811bc3a5
Instruction ID: ed5e52cffba7dc62bd2f629ddf26c637f529d235ff0593df7bd9898f4c4d5a7c
Opcode Fuzzy Hash: bab711bfd7d27bf372352265db2fd1b3825bcf36b3e3359f86c6f86c811bc3a5
Instruction Fuzzy Hash: A35144B29092195ADF54EB54E841DDE73BC9F0C325F0041AFFA05E3542EA7897C9CB68

Function 0042EA69 Relevance: 13.6, APIs: 9, Instructions: 135COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0048DAD1,00000004,00000000,00000000), ref: 0042EAEB
ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,0048DAD1,00000004,00000000,00000000), ref: 0042EB32
ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,0048DAD1,00000004,00000000,00000000), ref: 0048DC86
ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0048DAD1,00000004,00000000,00000000), ref: 0048DCF2

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 9724c259173bf2c2ca70a48fda03299fbb192e95c4712819e590e4d619829ace
Instruction ID: 8a8e069f2325556dfc08e13790796ac072ffd389604b59da1109fb93c6fca836
Opcode Fuzzy Hash: 9724c259173bf2c2ca70a48fda03299fbb192e95c4712819e590e4d619829ace
Instruction Fuzzy Hash: 9241F930B06250AAD735D72AED8DB3B7F95AB51304F99082FE047867A1C67CB841D31D

Function 0044B263 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0044AEF1,00000B00,?,?), ref: 0044B26C
HeapAlloc.KERNEL32(00000000,?,0044AEF1,00000B00,?,?), ref: 0044B273
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0044AEF1,00000B00,?,?), ref: 0044B288
GetCurrentProcess.KERNEL32(?,00000000,?,0044AEF1,00000B00,?,?), ref: 0044B290
DuplicateHandle.KERNEL32(00000000,?,0044AEF1,00000B00,?,?), ref: 0044B293
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0044AEF1,00000B00,?,?), ref: 0044B2A3
GetCurrentProcess.KERNEL32(0044AEF1,00000000,?,0044AEF1,00000B00,?,?), ref: 0044B2AB
DuplicateHandle.KERNEL32(00000000,?,0044AEF1,00000B00,?,?), ref: 0044B2AE
CreateThread.KERNEL32(00000000,00000000,0044B2D4,00000000,00000000,00000000), ref: 0044B2C8

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: c41831a098398ea248e2e890e11692a6c511e294a73bec77a5e7ac15f238b95b
Instruction ID: b1950c47437d2fe9cba9b01b4fd33cd470da411c9d02ddac28bd20d975827376
Opcode Fuzzy Hash: c41831a098398ea248e2e890e11692a6c511e294a73bec77a5e7ac15f238b95b
Instruction Fuzzy Hash: 0201BF75640304BFE710ABA5DC4DF5B7BACEB98711F414422FA05DB191C6749C00CB65

Function 0046C43F Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 401COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 0046C49E
NULL Pointer assignment, xrefs: 0046C876, 0046C887

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: c333b6fe448fb73c6320369eb2473323747491794a929ed07a9e86eb5a3a8cab
Instruction ID: f58da77a3faf39d4089c13330928c82eb4271084dfa91f1a746a22284febec8a
Opcode Fuzzy Hash: c333b6fe448fb73c6320369eb2473323747491794a929ed07a9e86eb5a3a8cab
Instruction Fuzzy Hash: 6BE1C571A0021AAFDF10DFA5C881ABE77B5EF48354F14402EE945A7381E778AD41CB9A

Function 004616DA Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 309COMMON

Download Yara Rule

APIs

Part of subcall function 0041936C: __swprintf.LIBCMT ref: 004193AB
Part of subcall function 0041936C: __itow.LIBCMT ref: 004193DF

Part of subcall function 0042C6F4: _wcscpy.LIBCMT ref: 0042C717

_wcstok.LIBCMT ref: 0046184E
_wcscpy.LIBCMT ref: 004618DD
_memset.LIBCMT ref: 00461910

Strings

X, xrefs: 00461948
p2Ll2L, xrefs: 00461920

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X$p2Ll2L
API String ID: 774024439-180699321
Opcode ID: db30829e730204ed40b2eb4486ac0a1d9dca595f61df2e02f9310312bd245e09
Instruction ID: 77518f90cd30f1e60ec0c9ff1c2fad7f91d3f7c114e1cfd319078843d23e611b
Opcode Fuzzy Hash: db30829e730204ed40b2eb4486ac0a1d9dca595f61df2e02f9310312bd245e09
Instruction Fuzzy Hash: 43C1A3709043409FC714EF65C991A9BB7E0BF85358F04492FF899972A1EB34ED45CB8A

Function 00479A75 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 142windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00479B19
SendMessageW.USER32(?,00001036,00000000,?), ref: 00479B2D
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00479B47
_wcscat.LIBCMT ref: 00479BA2
SendMessageW.USER32(?,00001057,00000000,?), ref: 00479BB9
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00479BE7

Strings

SysListView32, xrefs: 00479AEB

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 966032c35aa0c384359fda0c415c2d7d81dc8551fe3d3350ca98e273361383c8
Instruction ID: b0a254952552b8d695de865cff7b9f5f47cecbdf9f0cf510344d9ea5966f1858
Opcode Fuzzy Hash: 966032c35aa0c384359fda0c415c2d7d81dc8551fe3d3350ca98e273361383c8
Instruction Fuzzy Hash: 2541A170900308ABDF219FA4DC85BEE77A8EF08354F10452BF549A7291C7799D85CB68

Function 0047172F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Part of subcall function 00456532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00456554
Part of subcall function 00456532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00456564
Part of subcall function 00456532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 004565F9

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0047179A
GetLastError.KERNEL32 ref: 004717AD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 004717D9
TerminateProcess.KERNEL32(00000000,00000000), ref: 00471855
GetLastError.KERNEL32(00000000), ref: 00471860
CloseHandle.KERNEL32(00000000), ref: 00471895

Strings

SeDebugPrivilege, xrefs: 004717B8

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 55faaf926054bed699028b67c34063aae957781d4b3e22bef27866f23730ab81
Instruction ID: baa6ad3c432d46013dd5746f52026d48fb6f33dbeb9e779e0cd9da9985923497
Opcode Fuzzy Hash: 55faaf926054bed699028b67c34063aae957781d4b3e22bef27866f23730ab81
Instruction Fuzzy Hash: 4641D032700200AFDB15EF59C8D5FAE77A1AF14315F05806EF9069B3D2DB7899048B5A

Function 00455819 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 004558B8

Strings

question, xrefs: 00455871
stop, xrefs: 00455889
blank, xrefs: 0045583A
info, xrefs: 00455859
warning, xrefs: 004558A1

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 708109ddafee46f641d8ed7bdab547de566dc865b169b77466d3ea03a28506d2
Instruction ID: 9a9bba9330903256c7bf45bbeaea17303b32e7516054a290a8c80c0eebf341ab
Opcode Fuzzy Hash: 708109ddafee46f641d8ed7bdab547de566dc865b169b77466d3ea03a28506d2
Instruction Fuzzy Hash: 5C112E35709B42BAE7106A559C62EBB239C9F25335F30003FF901E6283E7ACA915466D

Function 0045A729 Relevance: 12.3, APIs: 8, Instructions: 317COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 0045A806

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 96390468c696db1dfa00d539e48c03452714305332484bec33374012cb21679d
Instruction ID: 80c1bb1d85bd1ace9bf977e301263e82ed247c83085a477a5f445147e7989d69
Opcode Fuzzy Hash: 96390468c696db1dfa00d539e48c03452714305332484bec33374012cb21679d
Instruction Fuzzy Hash: E5C17D71A00219DFDB00DF94D481BAEB7F4FF08316F24456BEA05E7242D738A959CB9A

Function 00456B49 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00456B63
LoadStringW.USER32(00000000), ref: 00456B6A
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00456B80
LoadStringW.USER32(00000000), ref: 00456B87
_wprintf.LIBCMT ref: 00456BAD
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00456BCB

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00456BA8

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 43c9dd000446e2f7f0722cd97966d0260989151a47e9012ff92600aa7788c497
Instruction ID: 790e51edb48da2bc48f162833d1ec9a3abb252ae1d107f35f13bef3a7b2fdac1
Opcode Fuzzy Hash: 43c9dd000446e2f7f0722cd97966d0260989151a47e9012ff92600aa7788c497
Instruction Fuzzy Hash: A20162F69002187FE711AB909D89EE7336CD708305F4044B7B746D2051EA749E848F78

Function 00472B19 Relevance: 12.3, APIs: 8, Instructions: 251registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00473C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00472BB5,?,?), ref: 00473C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00472BF6

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper
String ID:
API String ID: 2595220575-0
Opcode ID: ed662b089c66550d58223eb07a43d13368ff4806ab2f1cf98912b91cc1965323
Instruction ID: 221b9f9e1be8308912d3711d5202182a576e61dee7cc18f7a74c8fa0850f0ba1
Opcode Fuzzy Hash: ed662b089c66550d58223eb07a43d13368ff4806ab2f1cf98912b91cc1965323
Instruction Fuzzy Hash: 0F91AF716043009FCB10EF15C981BAEB7E5FF58318F04881EF99A97292DB78E945CB4A

Function 004695BF Relevance: 12.2, APIs: 8, Instructions: 247networkCOMMON

Download Yara Rule

APIs

select.WSOCK32 ref: 00469691
WSAGetLastError.WSOCK32(00000000), ref: 0046969E
__WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 004696C8
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 004696E9
WSAGetLastError.WSOCK32(00000000), ref: 004696F8
htons.WSOCK32(?,?,?,00000000,?), ref: 004697AA
inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,004ADC00), ref: 00469765

Part of subcall function 0044D2FF: _strlen.LIBCMT ref: 0044D309

_strlen.LIBCMT ref: 00469800

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: ErrorLast_strlen$htonsinet_ntoaselect
String ID:
API String ID: 3480843537-0
Opcode ID: d0ac7dd5b4ace6b1d09340b5e2c60e91ee9395f2a84170d3ed4c5eb0f802001a
Instruction ID: 32ca4565a1e827adfa93fdc7dee6305004f35cabd044e395e65cf3792eb905f1
Opcode Fuzzy Hash: d0ac7dd5b4ace6b1d09340b5e2c60e91ee9395f2a84170d3ed4c5eb0f802001a
Instruction Fuzzy Hash: B4810271504200AFC310EF66DC85E6BB7E8EF85718F10462EF4559B292EB78ED04CB9A

Function 0043A979 Relevance: 12.1, APIs: 8, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

__mtinitlocknum.LIBCMT ref: 0043A991

Part of subcall function 00437D7C: __FF_MSGBANNER.LIBCMT ref: 00437D91
Part of subcall function 00437D7C: __NMSG_WRITE.LIBCMT ref: 00437D98
Part of subcall function 00437D7C: __malloc_crt.LIBCMT ref: 00437DB8

__lock.LIBCMT ref: 0043A9A4
__lock.LIBCMT ref: 0043A9F0
InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,004C6DE0,00000018,00445E7B,?,00000000,00000109), ref: 0043AA0C
EnterCriticalSection.KERNEL32(8000000C,004C6DE0,00000018,00445E7B,?,00000000,00000109), ref: 0043AA29
LeaveCriticalSection.KERNEL32(8000000C), ref: 0043AA39

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
String ID:
API String ID: 1422805418-0
Opcode ID: 0a9a17514b268f6601aa73d635ec4eb39986b319167a77faa8190df951b95e3a
Instruction ID: e7d2657dd3a8cc7497f064d4198aadf2de3396c78a7ad4677c2793c1beb52a8f
Opcode Fuzzy Hash: 0a9a17514b268f6601aa73d635ec4eb39986b319167a77faa8190df951b95e3a
Instruction Fuzzy Hash: 3B415BB29402019BEB10EF68DA4475DB7B06F09335F11932FE4A5AB2D1D77C9821CB8E

Function 00478ECC Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00478EE4
GetDC.USER32(00000000), ref: 00478EEC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00478EF7
ReleaseDC.USER32(00000000,00000000), ref: 00478F03
CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00478F3F
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00478F50
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0047BD19,?,?,000000FF,00000000,?,000000FF,?), ref: 00478F8A
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00478FAA

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 5a57e37f6048cda9d736161d3342ace82b259e50b9a283cf4f9270323c34fa9a
Instruction ID: b317864b95923118402feea4c87f7cd2d4fc7262133214381ddb0d6383b6e5c3
Opcode Fuzzy Hash: 5a57e37f6048cda9d736161d3342ace82b259e50b9a283cf4f9270323c34fa9a
Instruction Fuzzy Hash: E1316D72540214BFEB108F60CC4AFEB3BA9EF59715F044066FE09DA291C6799C41CB78

Function 00480133 Relevance: 10.7, APIs: 7, Instructions: 245windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042B34E: GetWindowLongW.USER32(?,000000EB), ref: 0042B35F

GetSystemMetrics.USER32(0000000F), ref: 0048016D
MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 0048038D
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 004803AB
InvalidateRect.USER32(?,00000000,00000001,?), ref: 004803D6
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 004803FF
ShowWindow.USER32(00000003,00000000), ref: 00480421
DefDlgProcW.USER32(?,00000005,?,?), ref: 00480440

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
String ID:
API String ID: 3356174886-0
Opcode ID: 31e1e7e949f4a61938bd3b14d212a5012d24c3e17dd3dd90459ebb00866a811b
Instruction ID: 9b55dea296a3abafb400fc1a5c922d6d9f1b84e4f10dd858b55effac52737587
Opcode Fuzzy Hash: 31e1e7e949f4a61938bd3b14d212a5012d24c3e17dd3dd90459ebb00866a811b
Instruction Fuzzy Hash: 9EA1E131600616EFDB18DF68C9897BEBBB1FF08700F088566EC54A7290D778AD54CB94

Function 0042AE78 Relevance: 10.7, APIs: 7, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adb78efca03717f0287cd831dd49801b9d53323f839cc769de3a736457678aed
Instruction ID: 0170ce414bb4a444c9835ae538a25347826d679a577e6e0a699daee46634abe6
Opcode Fuzzy Hash: adb78efca03717f0287cd831dd49801b9d53323f839cc769de3a736457678aed
Instruction Fuzzy Hash: 9A719F70A00119EFCB04DF99DD49AAFBB74FF85314F14815AF915A7250C738AA12CFA9

Function 00472230 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0047225A
_memset.LIBCMT ref: 00472323
ShellExecuteExW.SHELL32(?), ref: 00472368

Part of subcall function 0041936C: __swprintf.LIBCMT ref: 004193AB
Part of subcall function 0041936C: __itow.LIBCMT ref: 004193DF

Part of subcall function 0042C6F4: _wcscpy.LIBCMT ref: 0042C717

CloseHandle.KERNEL32(00000000), ref: 0047242F
FreeLibrary.KERNEL32(00000000), ref: 0047243E

Strings

@, xrefs: 00472334

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
String ID: @
API String ID: 4082843840-2766056989
Opcode ID: e1703df16d93efa7f5956321a8397acdbde29453d47de0977eb9d6658d3046d2
Instruction ID: 81f6e3c27e9e788e8aa53d2172cdf3765b7ee041ab2356ebf0ef7d14d7d20ae7
Opcode Fuzzy Hash: e1703df16d93efa7f5956321a8397acdbde29453d47de0977eb9d6658d3046d2
Instruction Fuzzy Hash: E0718E70A006199FCF14EFA5D98199EB7F5FF48314F10846EE859AB351CB78AD40CB98

Function 00453DA8 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00453DE7
GetKeyboardState.USER32(?), ref: 00453DFC
SetKeyboardState.USER32(?), ref: 00453E5D
PostMessageW.USER32(?,00000101,00000010,?), ref: 00453E8B
PostMessageW.USER32(?,00000101,00000011,?), ref: 00453EAA
PostMessageW.USER32(?,00000101,00000012,?), ref: 00453EF0
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00453F13

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: b5900fd58af399d8d0cd6f65502a0e0c3552be57522d1ab040007326a5ee4e9e
Instruction ID: 7702e1d8b293b07290ff673c5b82d84fe2169ff028453979d1ab77c6cb4c13a4
Opcode Fuzzy Hash: b5900fd58af399d8d0cd6f65502a0e0c3552be57522d1ab040007326a5ee4e9e
Instruction Fuzzy Hash: E051E3A0A047D13DFB364A248C46BBBBEE55B06346F08458EF8D5469C3D29CAECCD758

Function 00453BC3 Relevance: 10.7, APIs: 7, Instructions: 164windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00453C02
GetKeyboardState.USER32(?), ref: 00453C17
SetKeyboardState.USER32(?), ref: 00453C78
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00453CA4
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00453CC1
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00453D05
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00453D26

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 6c436d1743aaa0b4cc7826c2b87b6bae17c88a679c3492d08cf38d5345da583e
Instruction ID: 0a39f8f5a3cb197ed02e90eafa05e7a65a6740c290ef558c20c309f4cf8b17df
Opcode Fuzzy Hash: 6c436d1743aaa0b4cc7826c2b87b6bae17c88a679c3492d08cf38d5345da583e
Instruction Fuzzy Hash: C05105A15047D539FB338B248C05B77BEB85B06347F08848AE8D55A5C3D29CEE8CD768

Function 00457DB1 Relevance: 10.6, APIs: 7, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00457DBE
_wcsncpy.LIBCMT ref: 00457DF3
_wcsncpy.LIBCMT ref: 00457E25
_wcsncpy.LIBCMT ref: 00457E58
_wcsncpy.LIBCMT ref: 00457E9A
_wcsncpy.LIBCMT ref: 00457ED4
_wcsncpy.LIBCMT ref: 00457F03

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 7e541c7fd58ccd6578516f9b4f5187b27faaad52dee84515f39b3db3378ecce0
Instruction ID: 9e95055f502456208e642221316b412b1d38a345054a91505d9169bb52b46a6b
Opcode Fuzzy Hash: 7e541c7fd58ccd6578516f9b4f5187b27faaad52dee84515f39b3db3378ecce0
Instruction Fuzzy Hash: BC416066C1021476CB10EBF58C469CFB3AC9F09314F50A97BE904E3162F678E615C3AD

Function 00473D72 Relevance: 10.6, APIs: 7, Instructions: 100registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 00473DA1
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00473DCB
FreeLibrary.KERNEL32(00000000), ref: 00473E80

Part of subcall function 00473D72: RegCloseKey.ADVAPI32(?), ref: 00473DE8
Part of subcall function 00473D72: FreeLibrary.KERNEL32(?), ref: 00473E3A
Part of subcall function 00473D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00473E5D

RegDeleteKeyW.ADVAPI32(?,?), ref: 00473E25

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 7fb5bdcb26449850706c6a8657b1a8484c585892a968b4d5c930b6f3d690e894
Instruction ID: 063fe1cf34c1dabd53a8c7f211a889d5696b9e3dbf11b06e0eb97b4967b90752
Opcode Fuzzy Hash: 7fb5bdcb26449850706c6a8657b1a8484c585892a968b4d5c930b6f3d690e894
Instruction Fuzzy Hash: 593108B1D01109BFDB159F90DC89AFFB7BCEB18305F00417BE516A2250E6749F89ABA4

Function 00478FC8 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00478FE7
GetWindowLongW.USER32(0162D278,000000F0), ref: 0047901A
GetWindowLongW.USER32(0162D278,000000F0), ref: 0047904F
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00479081
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 004790AB
GetWindowLongW.USER32(00000000,000000F0), ref: 004790BC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 004790D6

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 81306d96ee600277491daa7b261a06523e5441a6b1e86329408ccf456013d73a
Instruction ID: 44b045f0ef0930ba96fcbcb8e7b3b7d3ba8fefbdb91fbc9329cf7876b4d8d95a
Opcode Fuzzy Hash: 81306d96ee600277491daa7b261a06523e5441a6b1e86329408ccf456013d73a
Instruction Fuzzy Hash: 10315535650254EFDB20CF58EC84FA637A5FB5A314F18817AF9198B2B2CB75AC40CB49

Function 004508AF Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004508F2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00450918
SysAllocString.OLEAUT32(00000000), ref: 0045091B
SysAllocString.OLEAUT32(?), ref: 00450939
SysFreeString.OLEAUT32(?), ref: 00450942
StringFromGUID2.OLE32(?,?,00000028), ref: 00450967
SysAllocString.OLEAUT32(?), ref: 00450975

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 22569476b5c5f9565cca9bcaa041bc3dca3a49e07179481dcd90e0aee6723d15
Instruction ID: 594f5dab861c02f191a105c39804021fb823052c4899a4e2a56f7d68ddca19f8
Opcode Fuzzy Hash: 22569476b5c5f9565cca9bcaa041bc3dca3a49e07179481dcd90e0aee6723d15
Instruction Fuzzy Hash: 2921B776600219BF9B109F68DC84DAB73ACEB09361B408137FD15DB256D674EC45C768

Function 00452472 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00452485
__wcsnicmp.LIBCMT ref: 004524A6
__wcsnicmp.LIBCMT ref: 004524C0

Strings

#notrayicon, xrefs: 0045247D
#requireadmin, xrefs: 004524A0
#OnAutoItStartRegister, xrefs: 004524BA

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 45c093bf2f53bc5af7f593c35112265e5ce88033eeb6d0a5182daa07dadb4142
Instruction ID: 4e3c2099484cc4284c71c54b119e3f00ec224503fd407637e8ffc7293acd978c
Opcode Fuzzy Hash: 45c093bf2f53bc5af7f593c35112265e5ce88033eeb6d0a5182daa07dadb4142
Instruction Fuzzy Hash: 45216A3120422577C224E6259E12FBB7398EF67309F60402BFC46A7183E6DD998AC29D

Function 00450986 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004509CB
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004509F1
SysAllocString.OLEAUT32(00000000), ref: 004509F4
SysAllocString.OLEAUT32 ref: 00450A15
SysFreeString.OLEAUT32 ref: 00450A1E
StringFromGUID2.OLE32(?,?,00000028), ref: 00450A38
SysAllocString.OLEAUT32(?), ref: 00450A46

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 95dc17a760b10d5afec74670759ed22f130b5c63f2fcdb0e6b579f925751cfba
Instruction ID: 9630b70c34caec18fe3de5ed8a9cda8892f6fd31027a52306c474aa1dfd3a614
Opcode Fuzzy Hash: 95dc17a760b10d5afec74670759ed22f130b5c63f2fcdb0e6b579f925751cfba
Instruction Fuzzy Hash: D3214479600214AFDB10DFA8DC89DAB77ECEF583607448137F909CB266D674EC458768

Function 0047A2C8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0042D1BA
Part of subcall function 0042D17C: GetStockObject.GDI32(00000011), ref: 0042D1CE
Part of subcall function 0042D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0042D1D8

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 0047A32D
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0047A33A
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0047A345
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 0047A354
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 0047A360

Strings

Msctls_Progress32, xrefs: 0047A2FE

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 471be34a0dead15add94bce347bd7b1470494fd5a4809487d2fbc4de0d2e29ff
Instruction ID: a6f79b76ef04b07bfff84efe33e35ca7a63fa27e44e67f043f82e2276e5356a7
Opcode Fuzzy Hash: 471be34a0dead15add94bce347bd7b1470494fd5a4809487d2fbc4de0d2e29ff
Instruction Fuzzy Hash: D311E6B1500219BEEF104F61CC85EEB7F6DFF48398F014116FA08A2060C7769C21DBA8

Function 0042CCCD Relevance: 9.3, APIs: 6, Instructions: 253COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0042CCF6
GetWindowRect.USER32(?,?), ref: 0042CD37
ScreenToClient.USER32(?,?), ref: 0042CD5F
GetClientRect.USER32(?,?), ref: 0042CE8C
GetWindowRect.USER32(?,?), ref: 0042CEA5

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: f2ae933fe1f1f933a7ab06aae9c38ea5b76e480b8cfdacf2f53d5fa5caaebd9d
Instruction ID: d102ab9386f73f26710b6f3d18468bd30b47bc1118329047562134597c4fa23c
Opcode Fuzzy Hash: f2ae933fe1f1f933a7ab06aae9c38ea5b76e480b8cfdacf2f53d5fa5caaebd9d
Instruction Fuzzy Hash: 17B16B79A00259DBDF10CFA9C4807EEB7B1FF08300F55852AEC59EB250DB78A941DB69

Function 00471BDF Relevance: 9.2, APIs: 6, Instructions: 163processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00471C18
Process32FirstW.KERNEL32(00000000,?), ref: 00471C26
__wsplitpath.LIBCMT ref: 00471C54

Part of subcall function 00431DFC: __wsplitpath_helper.LIBCMT ref: 00431E3C

_wcscat.LIBCMT ref: 00471C69
Process32NextW.KERNEL32(00000000,?), ref: 00471CDF
CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00471CF1

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
String ID:
API String ID: 1380811348-0
Opcode ID: 9d9f86d56eedee9610f07b0c6b88fadb75964ba0194164bd5461f5ba7075cea8
Instruction ID: eeee710a58f921c0b9a63956ee69544376eaffcaf98f86d12222a6219e86b146
Opcode Fuzzy Hash: 9d9f86d56eedee9610f07b0c6b88fadb75964ba0194164bd5461f5ba7075cea8
Instruction Fuzzy Hash: 53516E715083009FD720DF65D885EABB7ECEF88758F00492EF58997261EB74A904CB9A

Function 00472FD6 Relevance: 9.2, APIs: 6, Instructions: 160registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00473C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00472BB5,?,?), ref: 00473C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004730AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004730EF
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00473112
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0047313B
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0047317E
RegCloseKey.ADVAPI32(00000000), ref: 0047318B

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 3451389628-0
Opcode ID: 1bbd238de4bf0041223239e409781fdd60622f9bc744c1cb199e47a624dfdbbf
Instruction ID: 40ef9c69bc44b8ee681c93ed972ee91a519f477a549e24d5269077bb1bf06b47
Opcode Fuzzy Hash: 1bbd238de4bf0041223239e409781fdd60622f9bc744c1cb199e47a624dfdbbf
Instruction Fuzzy Hash: CD516A31508340AFC704EF65CC81EAAB7E9FF88318F04892EF55587291DB35EA09DB5A

Function 004784DE Relevance: 9.2, APIs: 6, Instructions: 152windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00478540
GetMenuItemCount.USER32(00000000), ref: 00478577
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0047859F
GetMenuItemID.USER32(?,?), ref: 0047860E
GetSubMenu.USER32(?,?), ref: 0047861C
PostMessageW.USER32(?,00000111,?,00000000), ref: 0047866D

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: e07690a17bb0ab3a2a3ed3cafd49bacb1a86ab6b668321234924edc63ead3559
Instruction ID: 19530940fbbd6aa31235ec4acab9867ada89aa89d000f73d391ee39b18a92dfe
Opcode Fuzzy Hash: e07690a17bb0ab3a2a3ed3cafd49bacb1a86ab6b668321234924edc63ead3559
Instruction Fuzzy Hash: E051AE31E00218AFCB01EF55C945AEEB7F4EF48314F10846EE919B7351CB78AE418B99

Function 00454AC2 Relevance: 9.1, APIs: 6, Instructions: 136windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00454B10
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00454B5B
IsMenu.USER32(00000000), ref: 00454B7B
CreatePopupMenu.USER32 ref: 00454BAF
GetMenuItemCount.USER32(000000FF), ref: 00454C0D
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00454C3E

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 2b63dfc6f49954188bfa89a1b6f0e94699265d4c72afc2e2158b66af1662d10f
Instruction ID: 8cccc56b0a5ba8a79b73ba7fb5720267e866f451b53197ab08ad7aa8a87a8215
Opcode Fuzzy Hash: 2b63dfc6f49954188bfa89a1b6f0e94699265d4c72afc2e2158b66af1662d10f
Instruction Fuzzy Hash: D951C370601209EFCF25CF64C888BAE7BF4AFC531DF14416AE8159F292D3789989CB59

Function 00468DE2 Relevance: 9.1, APIs: 6, Instructions: 136networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,004ADC00), ref: 00468E7C
WSAGetLastError.WSOCK32(00000000), ref: 00468E89
__WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00468EAD
#16.WSOCK32(?,?,00000000,00000000), ref: 00468EC5
_strlen.LIBCMT ref: 00468EF7
WSAGetLastError.WSOCK32(00000000), ref: 00468F6A

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: ErrorLast$_strlenselect
String ID:
API String ID: 2217125717-0
Opcode ID: 5b94042169e2cd0fe72681a906b7fbeaa64f2cf2fb05560a765f2f689bfde054
Instruction ID: e98a3c2293501dcc16dd877c04e1be54db419d402539c973ba26ddb41fc8cf50
Opcode Fuzzy Hash: 5b94042169e2cd0fe72681a906b7fbeaa64f2cf2fb05560a765f2f689bfde054
Instruction Fuzzy Hash: 9141C471900204AFC718EBA5CD85EEEB7B9AF58314F10426FF41697291EF38AE40CB59

Function 0042ABF5 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 0042B34E: GetWindowLongW.USER32(?,000000EB), ref: 0042B35F

BeginPaint.USER32(?,?,?), ref: 0042AC2A
GetWindowRect.USER32(?,?), ref: 0042AC8E
ScreenToClient.USER32(?,?), ref: 0042ACAB
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0042ACBC
EndPaint.USER32(?,?,?,?,?), ref: 0042AD06
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0048E673

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
String ID:
API String ID: 2592858361-0
Opcode ID: 181a13cbdeb6ffccdd7f3a54740a8da3979ea52c190c2a359c5a8cb3842bb5fd
Instruction ID: 16b1f799ab01326a61263641e354708f97efd90707c0a3daf644d93714222162
Opcode Fuzzy Hash: 181a13cbdeb6ffccdd7f3a54740a8da3979ea52c190c2a359c5a8cb3842bb5fd
Instruction Fuzzy Hash: 1C41C171604210AFC710DF25EC84F7B7BA8EB59324F04066BFDA4872B1D7389845DB6A

Function 0047E397 Relevance: 9.1, APIs: 6, Instructions: 108windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(004D1628,00000000,004D1628,00000000,00000000,004D1628,?,0048DC5D,00000000,?,00000000,00000000,00000000,?,0048DAD1,00000004), ref: 0047E40B
EnableWindow.USER32(00000000,00000000), ref: 0047E42F
ShowWindow.USER32(004D1628,00000000), ref: 0047E48F
ShowWindow.USER32(00000000,00000004), ref: 0047E4A1
EnableWindow.USER32(00000000,00000001), ref: 0047E4C5
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0047E4E8

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 8a49cfc5e58bf9c0af508c46b2caa7d73e8dc743b6badc790a86dde7919416cd
Instruction ID: 60c473f1dae2412b81d5cb13b117225b4c8205eefcca727e4d5a3c319cc33e57
Opcode Fuzzy Hash: 8a49cfc5e58bf9c0af508c46b2caa7d73e8dc743b6badc790a86dde7919416cd
Instruction Fuzzy Hash: C9415030601140EFDB22CF66C499BD57BE1BF09304F1882FAEA5C9F2A2C735A846CB55

Function 004598BA Relevance: 9.1, APIs: 6, Instructions: 100fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 004598D1

Part of subcall function 0042F4EA: std::exception::exception.LIBCMT ref: 0042F51E
Part of subcall function 0042F4EA: __CxxThrowException@8.LIBCMT ref: 0042F533

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00459908
EnterCriticalSection.KERNEL32(?), ref: 00459924
LeaveCriticalSection.KERNEL32(?), ref: 0045999E
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 004599B3
InterlockedExchange.KERNEL32(?,000001F6), ref: 004599D2

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 2537439066-0
Opcode ID: ee54717a45b8fb203d103027f74af0bb9010569880f370ba00fba522d1cb6d0d
Instruction ID: bd7907beb48af568d1814e86037ffe0377636d98c4181a52f27f309642341ee8
Opcode Fuzzy Hash: ee54717a45b8fb203d103027f74af0bb9010569880f370ba00fba522d1cb6d0d
Instruction Fuzzy Hash: 4C319E71A00105EBDB00EFA5DD85EAFB778FF45310B1480BAE904AB246D774DE14CBA8

Function 00469B45 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,004677F4,?,?,00000000,00000001), ref: 00469B53

Part of subcall function 00466544: GetWindowRect.USER32(?,?), ref: 00466557

GetDesktopWindow.USER32 ref: 00469B7D
GetWindowRect.USER32(00000000), ref: 00469B84
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00469BB6

Part of subcall function 00457A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00457AD0

GetCursorPos.USER32(?), ref: 00469BE2
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00469C44

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: eb4a9ac9355f861299333d312c766a7f708d58b2715876fd17d3ed5f277f3a9c
Instruction ID: 9b14e006236711f556fc2e69f31f918ac39a34fa935f8aec69d334e2ddb835b3
Opcode Fuzzy Hash: eb4a9ac9355f861299333d312c766a7f708d58b2715876fd17d3ed5f277f3a9c
Instruction Fuzzy Hash: 1131BC72504315ABC710DF549849A9BB7EDFF88314F00092BF995D7282EA75EE088B96

Function 0044AF64 Relevance: 9.1, APIs: 6, Instructions: 73processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 0044AFAE
OpenProcessToken.ADVAPI32(00000000), ref: 0044AFB5
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 0044AFC4
CloseHandle.KERNEL32(00000004), ref: 0044AFCF
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0044AFFE
DestroyEnvironmentBlock.USERENV(00000000), ref: 0044B012

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: f048e7757aa7f2966121d914fb99b27bef2a97c8dc4e30231f8459326e23c76c
Instruction ID: 0e5b8cbf56253c6dc5e9ddc14b08cd5549672edfb62db7fd229d3ee7c2667599
Opcode Fuzzy Hash: f048e7757aa7f2966121d914fb99b27bef2a97c8dc4e30231f8459326e23c76c
Instruction Fuzzy Hash: C3215072540209AFEF118F94DD49FAF7BA9EF44309F044066FE01A2161C37ADD25DB65

Function 0047EBF6 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 0042AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0042AFE3
Part of subcall function 0042AF83: SelectObject.GDI32(?,00000000), ref: 0042AFF2
Part of subcall function 0042AF83: BeginPath.GDI32(?), ref: 0042B009
Part of subcall function 0042AF83: SelectObject.GDI32(?,00000000), ref: 0042B033

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0047EC20
LineTo.GDI32(00000000,00000003,?), ref: 0047EC34
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0047EC42
LineTo.GDI32(00000000,00000000,?), ref: 0047EC52
EndPath.GDI32(00000000), ref: 0047EC62
StrokePath.GDI32(00000000), ref: 0047EC72

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: fefcb5e1aaad5f01872865216f0045cef4df3c377b27879f16a9ff8284b6ad34
Instruction ID: 5bb9fd6c92001b3d92cc7171d14594b3c86774f480cb19bd5268fd5f32608b54
Opcode Fuzzy Hash: fefcb5e1aaad5f01872865216f0045cef4df3c377b27879f16a9ff8284b6ad34
Instruction Fuzzy Hash: 2A113572400148BFEB029F90DD88EEA7F6DEB08354F048122BE088A160C7719D55DBA4

Function 0044E19B Relevance: 9.0, APIs: 6, Instructions: 48COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0044E1C0
GetDeviceCaps.GDI32(00000000,00000058), ref: 0044E1D1
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0044E1D8
ReleaseDC.USER32(00000000,00000000), ref: 0044E1E0
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0044E1F7
MulDiv.KERNEL32(000009EC,?,?), ref: 0044E209

Part of subcall function 00449AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00449A05,00000000,00000000,?,00449DDB), ref: 0044A53A

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: CapsDevice$ExceptionRaiseRelease
String ID:
API String ID: 603618608-0
Opcode ID: fc51bdcd124abd5b448d23094d9d8916722677f4bdfafa9699922e2857f6d9bb
Instruction ID: f7c22d356b85a6d8d89bd4551227041ecab2d391f29f01325b44250d0d17e875
Opcode Fuzzy Hash: fc51bdcd124abd5b448d23094d9d8916722677f4bdfafa9699922e2857f6d9bb
Instruction Fuzzy Hash: 18018FB5E40314BFEB109BA68C45F5EBFB8EB58351F004077EA04A7390D6709C00CBA4

Function 00437B47 Relevance: 9.0, APIs: 6, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00437B47

Part of subcall function 0043123A: __initp_misc_winsig.LIBCMT ref: 0043125E
Part of subcall function 0043123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00437F51
Part of subcall function 0043123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00437F65
Part of subcall function 0043123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00437F78
Part of subcall function 0043123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00437F8B
Part of subcall function 0043123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00437F9E
Part of subcall function 0043123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00437FB1
Part of subcall function 0043123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00437FC4
Part of subcall function 0043123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00437FD7
Part of subcall function 0043123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00437FEA
Part of subcall function 0043123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00437FFD
Part of subcall function 0043123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00438010
Part of subcall function 0043123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00438023
Part of subcall function 0043123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00438036
Part of subcall function 0043123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00438049
Part of subcall function 0043123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0043805C
Part of subcall function 0043123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 0043806F

__mtinitlocks.LIBCMT ref: 00437B4C

Part of subcall function 00437E23: InitializeCriticalSectionAndSpinCount.KERNEL32(004CAC68,00000FA0,?,?,00437B51,00435E77,004C6C70,00000014), ref: 00437E41

__mtterm.LIBCMT ref: 00437B55

Part of subcall function 00437BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00437B5A,00435E77,004C6C70,00000014), ref: 00437D3F
Part of subcall function 00437BBD: _free.LIBCMT ref: 00437D46
Part of subcall function 00437BBD: DeleteCriticalSection.KERNEL32(004CAC68,?,?,00437B5A,00435E77,004C6C70,00000014), ref: 00437D68

__calloc_crt.LIBCMT ref: 00437B7A
GetCurrentThreadId.KERNEL32 ref: 00437BA3

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
String ID:
API String ID: 2942034483-0
Opcode ID: 67e6c5dfb2da6558798e7718db0c7c99d6f1a0292634c551d28df6d55387eb99
Instruction ID: 548754dfd7c851cd1a2cf7c37750f3d5e3eec4a3a8fbb2e7386ae0be92b1b257
Opcode Fuzzy Hash: 67e6c5dfb2da6558798e7718db0c7c99d6f1a0292634c551d28df6d55387eb99
Instruction Fuzzy Hash: 08F0F6B210C3121AE63477757C07A4B66A09F0933CF2026AFF8E0E51D2FF2C9801846C

Function 004127EC Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 0041281D
MapVirtualKeyW.USER32(00000010,00000000), ref: 00412825
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00412830
MapVirtualKeyW.USER32(000000A1,00000000), ref: 0041283B
MapVirtualKeyW.USER32(00000011,00000000), ref: 00412843
MapVirtualKeyW.USER32(00000012,00000000), ref: 0041284B

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 5c166744af79c174bebaf424790f6b5fab5d70a3745e2548d394e23d8f553ec3
Instruction ID: 990e023599759efa2dff2b4c09627cb25c256f2aaac6b5a0f23f82501a04f3e5
Opcode Fuzzy Hash: 5c166744af79c174bebaf424790f6b5fab5d70a3745e2548d394e23d8f553ec3
Instruction Fuzzy Hash: AF0167B1902B5ABDE3008F6A8C85B56FFA8FF59354F00411BA15C47A42C7F5A864CBE5

Function 00459AD5 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 1423608774-0
Opcode ID: 9fb2e55531b3c44e2f55b0e5dad874ff2e382aa3ba42ffb74d5a796c196d481c
Instruction ID: 6adea6fe9b8a62a6e78e1b98b767a51795249ac439d6aa139e7ba477795de600
Opcode Fuzzy Hash: 9fb2e55531b3c44e2f55b0e5dad874ff2e382aa3ba42ffb74d5a796c196d481c
Instruction Fuzzy Hash: 4101A432602212EBDB291B64ED48DEF7769FF98703B44047BF903921A1DB789C05DB68

Function 00457BF7 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00457C07
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00457C1D
GetWindowThreadProcessId.USER32(?,?), ref: 00457C2C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00457C3B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00457C45
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00457C4C

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: f6ad88b1a3ad5c49eeb95902f1715f1629045e5f9dc0143e057d609260a0354e
Instruction ID: b68922bbca4e27251270d201775925268a3074792631bf44d15757968fe88865
Opcode Fuzzy Hash: f6ad88b1a3ad5c49eeb95902f1715f1629045e5f9dc0143e057d609260a0354e
Instruction Fuzzy Hash: 93F03A72A41158BBE7215B629C0EEEF7B7CEFD6B11F00003AFA0291051D7A45E41C6B9

Function 00459A20 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00459A33
EnterCriticalSection.KERNEL32(?,?,?,?,00485DEE,?,?,?,?,?,0041ED63), ref: 00459A44
TerminateThread.KERNEL32(?,000001F6,?,?,?,00485DEE,?,?,?,?,?,0041ED63), ref: 00459A51
WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00485DEE,?,?,?,?,?,0041ED63), ref: 00459A5E

Part of subcall function 004593D1: CloseHandle.KERNEL32(?,?,00459A6B,?,?,?,00485DEE,?,?,?,?,?,0041ED63), ref: 004593DB

InterlockedExchange.KERNEL32(?,000001F6), ref: 00459A71
LeaveCriticalSection.KERNEL32(?,?,?,?,00485DEE,?,?,?,?,?,0041ED63), ref: 00459A78

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 80446005868f2929a97ead8cd739233718d4be508c3f0d0019ac45ac171b1e09
Instruction ID: 2151a8c4ce89b76bc4952af1c1a9d542f5f111c3d5eac9028e67219dd5e2f6be
Opcode Fuzzy Hash: 80446005868f2929a97ead8cd739233718d4be508c3f0d0019ac45ac171b1e09
Instruction Fuzzy Hash: 8AF05832941211EBD7112BA4ED89EAB7729FF99302F140477FA03A10A5DBB99C05DB68

Function 00411CDE Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 250COMMON

Download Yara Rule

APIs

Part of subcall function 0042F4EA: std::exception::exception.LIBCMT ref: 0042F51E
Part of subcall function 0042F4EA: __CxxThrowException@8.LIBCMT ref: 0042F533

__swprintf.LIBCMT ref: 00411EA6

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00411D49

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 2125237772-557222456
Opcode ID: aabbb842e347173a2d0ce560739b51f76ab1660ce423522a8b6b9a14e79d35b8
Instruction ID: ec2db4e6ef85697718ac53a897e2636c93cf350fc970fa8692e7d3e6e470568e
Opcode Fuzzy Hash: aabbb842e347173a2d0ce560739b51f76ab1660ce423522a8b6b9a14e79d35b8
Instruction Fuzzy Hash: 2C91CC71504301AFCB24EF25C885CAFB7A4AF85704F00491FF985972A1DB78ED85CBAA

Function 0046AFE0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 229COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0046B006
CharUpperBuffW.USER32(?,?), ref: 0046B115
VariantClear.OLEAUT32(?), ref: 0046B298

Part of subcall function 00459DC5: VariantInit.OLEAUT32(00000000), ref: 00459E05
Part of subcall function 00459DC5: VariantCopy.OLEAUT32(?,?), ref: 00459E0E
Part of subcall function 00459DC5: VariantClear.OLEAUT32(?), ref: 00459E1A

Strings

AUTOIT.ERROR, xrefs: 0046B11B
Incorrect Parameter format, xrefs: 0046B03E, 0046B20B

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: e4baae0354ef2aafc1341785997d7e2af73d7d94d286ba1645c18fb32aa12ff3
Instruction ID: c6a415b3259b8fb9da5ea4b88d6e6932c92aed77063e7236d752eeeb76e80d55
Opcode Fuzzy Hash: e4baae0354ef2aafc1341785997d7e2af73d7d94d286ba1645c18fb32aa12ff3
Instruction Fuzzy Hash: 7F917C706083019FC710DF25D49499BBBE4EF89704F04486EF89ACB352EB35E985CB96

Function 00455347 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 180windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042C6F4: _wcscpy.LIBCMT ref: 0042C717

_memset.LIBCMT ref: 00455438
GetMenuItemInfoW.USER32(?), ref: 00455467
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00455513
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0045553D

Strings

0, xrefs: 00455430

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 707295b15cb05d2f8d195b57d525c611bd3d8ee11848401c4ff97befadc94945
Instruction ID: 7071df060fee197f5b9f9c6a0ff18dbecd001ab1fb3d2ffc961bf0295a7af8ec
Opcode Fuzzy Hash: 707295b15cb05d2f8d195b57d525c611bd3d8ee11848401c4ff97befadc94945
Instruction Fuzzy Hash: E7512531604701ABD7149B28C8607BBB7E4AF85366F04062FFC95D32E2E768DD48874A

Function 00450213 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0045027B
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 004502B1
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 004502C2
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00450344

Strings

DllGetClassObject, xrefs: 004502B7

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: ceaa89672503ea7794a179777f271867eceb38e3785dddb962b57decbeb20a9c
Instruction ID: 26bbc360f214d97315334a572fc61f64827ff65cb58fc8c607f05a5c25fa89d2
Opcode Fuzzy Hash: ceaa89672503ea7794a179777f271867eceb38e3785dddb962b57decbeb20a9c
Instruction Fuzzy Hash: 62418F75A00204EFDB15CF54C885B9A7BB9EF44315B1480AEED099F206D7B8D948CBA8

Function 00455007 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00455075
GetMenuItemInfoW.USER32 ref: 00455091
DeleteMenu.USER32(00000004,00000007,00000000), ref: 004550D7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,004D1708,00000000), ref: 00455120

Strings

0, xrefs: 0045506D

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 4c3acf4bcfc11ed1ccc0d67feffed67a2fbe6eb298ab361fb575bb0a0f19cb51
Instruction ID: d470c8b975c184d108498aa61d7873ba2f566148544dcd45d25e99fe461074ee
Opcode Fuzzy Hash: 4c3acf4bcfc11ed1ccc0d67feffed67a2fbe6eb298ab361fb575bb0a0f19cb51
Instruction Fuzzy Hash: A2419E30604B01AFD7109F25D894B6BBBE4AF85329F04462FFC5597392D734A808CB6A

Function 00470567 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?), ref: 00470587

Strings

cdecl, xrefs: 004705DE
none, xrefs: 00470662
winapi, xrefs: 004705F8
stdcall, xrefs: 00470609

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 2358735015-567219261
Opcode ID: a8a99dfe1a7164a31941fed2ae71327287d8672afde2d6231cf31d2859089f01
Instruction ID: be02c713cb2e09a604c918e7837c6d2637c843dd3e5b66da9e9574242ef09d0b
Opcode Fuzzy Hash: a8a99dfe1a7164a31941fed2ae71327287d8672afde2d6231cf31d2859089f01
Instruction Fuzzy Hash: F531A370600216ABCF00DF56DD51AEEB3B4FF54314B10862FE426A72D1DB79A915CB88

Function 0044B80A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 0044B88E
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 0044B8A1
SendMessageW.USER32(?,00000189,?,00000000), ref: 0044B8D1

Strings

ListBox, xrefs: 0044B84D
ComboBox, xrefs: 0044B815

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: f16aabdc9980421c20ac7038df8287ca394ced33ebfc7878f5874b81001e1835
Instruction ID: cf04bb12f4fa3bbc42d04eaf4cf7b62a3fed861ea4aab09a759ac43952ce3e21
Opcode Fuzzy Hash: f16aabdc9980421c20ac7038df8287ca394ced33ebfc7878f5874b81001e1835
Instruction Fuzzy Hash: 1C21E175A00208BFEB04AB65DC86EFF7778DF55358B10412FF021A21E1DB7C9D4A96A8

Function 004151AF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0041522F
_wcscpy.LIBCMT ref: 00415283
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00415293
LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00483CB0

Strings

Line: , xrefs: 00483CD9

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memset_wcscpy
String ID: Line:
API String ID: 1053898822-1585850449
Opcode ID: 15d8ea5e04f90963806108202341e39d57648780aa1e24a714f1ab396edb61e6
Instruction ID: 6b2717bb7cee4c69ba3a10ee91ded326ac5a325e64224d63b6fe6a89c8ee4841
Opcode Fuzzy Hash: 15d8ea5e04f90963806108202341e39d57648780aa1e24a714f1ab396edb61e6
Instruction Fuzzy Hash: 0E319271509740BAD321EB60EC46FDF77D8AB84314F00492FF585921A1DB78A5888B9E

Function 004643E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00464401
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00464427
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00464457
InternetCloseHandle.WININET(00000000), ref: 0046449E

Part of subcall function 00465052: GetLastError.KERNEL32(?,?,004643CC,00000000,00000000,00000001), ref: 00465067

Strings

, xrefs: 00464450

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 1951874230-3916222277
Opcode ID: 7e18acbda86bad11616689e970cd7b63fca90a838ecb4d52c5780330d2cbbbe3
Instruction ID: c758ba6d483fdca144a84615857f594f268484de12e501bad2c20adce6a2eae7
Opcode Fuzzy Hash: 7e18acbda86bad11616689e970cd7b63fca90a838ecb4d52c5780330d2cbbbe3
Instruction Fuzzy Hash: 002180B1500208BFEB119F95CC86EBB76ECEB88758F10842BF10592240EE688D05977A

Function 004790E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0042D1BA
Part of subcall function 0042D17C: GetStockObject.GDI32(00000011), ref: 0042D1CE
Part of subcall function 0042D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0042D1D8

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 0047915C
LoadLibraryW.KERNEL32(?), ref: 00479163
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00479178
DestroyWindow.USER32(?), ref: 00479180

Strings

SysAnimate32, xrefs: 00479137

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 7bf1340b4b3b6b230f60eeb8d24aeabd133444143279dca94d21f5022c725fb7
Instruction ID: 31f551eb5499d6621841e7ed13b2e5c5108b29f04c9e745c5a568076e96d13c6
Opcode Fuzzy Hash: 7bf1340b4b3b6b230f60eeb8d24aeabd133444143279dca94d21f5022c725fb7
Instruction Fuzzy Hash: D5218371600206BBFF104E64DC45EFB37A9EB95364F50862AF91892290C735DC61A768

Function 00459568 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00459588
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 004595B9
GetStdHandle.KERNEL32(0000000C), ref: 004595CB
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00459605

Strings

nul, xrefs: 00459600

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 3cdebb62f400d7104a5a8519de99e7a064aa0b18212379889e6566c9d60764e5
Instruction ID: dc68a005a136ac1b178f87e9998bccd0027ae0321cba0e9c797cc237afe5388b
Opcode Fuzzy Hash: 3cdebb62f400d7104a5a8519de99e7a064aa0b18212379889e6566c9d60764e5
Instruction Fuzzy Hash: 2921D171500209EBDB209F25CC04A9E77E4AF54321F204A2AFCA1D73D1E778DD58CB18

Function 00459634 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00459653
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00459683
GetStdHandle.KERNEL32(000000F6), ref: 00459694
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 004596CE

Strings

nul, xrefs: 004596C9

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: ff56116bfd015a0e71d5d73127ac12ddca08d04eb6ccbf3e65f0e2b018c5ceef
Instruction ID: 9f252e3c6dce64bec9557d34588c2e401567fffafb6d60c6a463a4f35a088ddc
Opcode Fuzzy Hash: ff56116bfd015a0e71d5d73127ac12ddca08d04eb6ccbf3e65f0e2b018c5ceef
Instruction Fuzzy Hash: F621A171500205EBDB209F69CC04E9A77E8AF55725F200A2AFCA1D33D1D7789C4DCB19

Function 0045DAF6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0045DB0A
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0045DB5E
__swprintf.LIBCMT ref: 0045DB77
SetErrorMode.KERNEL32(00000000,00000001,00000000,004ADC00), ref: 0045DBB5

Strings

%lu, xrefs: 0045DB71

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 1a63af3208143de0b618d9d1517732db48684f0235a4ec0c0efe494ef2ec6676
Instruction ID: 985dc9cdc5342d2d6866d4e6c4a521e449c2abd12a23b5a691f0006b2d3877cb
Opcode Fuzzy Hash: 1a63af3208143de0b618d9d1517732db48684f0235a4ec0c0efe494ef2ec6676
Instruction Fuzzy Hash: D021B335A00208AFCB10EF65DD85EEEB7B8EF49708B10406AF905D7251DB74EA45CB68

Function 0044C9E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0044C82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0044C84A
Part of subcall function 0044C82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 0044C85D
Part of subcall function 0044C82D: GetCurrentThreadId.KERNEL32 ref: 0044C864
Part of subcall function 0044C82D: AttachThreadInput.USER32(00000000), ref: 0044C86B

GetFocus.USER32 ref: 0044CA05

Part of subcall function 0044C876: GetParent.USER32(?), ref: 0044C884

GetClassNameW.USER32(?,?,00000100), ref: 0044CA4E
EnumChildWindows.USER32(?,0044CAC4), ref: 0044CA76
__swprintf.LIBCMT ref: 0044CA90

Strings

%s%d, xrefs: 0044CA8A

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
String ID: %s%d
API String ID: 3187004680-1110647743
Opcode ID: 90aeb950a0279cf853540f36864cf2260ece180d1714973b9b69090a2e3d47cf
Instruction ID: 337674949166593d0cfc0d10ca0b4887febf2d4ebebe367b03156141f47cd7f6
Opcode Fuzzy Hash: 90aeb950a0279cf853540f36864cf2260ece180d1714973b9b69090a2e3d47cf
Instruction Fuzzy Hash: D611B4715002057BEB41BF618CC5FEA7778AF55718F04407BFE09AA182DB789945CB78

Function 00437A94 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00437AD8

Part of subcall function 00437CF4: __mtinitlocknum.LIBCMT ref: 00437D06
Part of subcall function 00437CF4: EnterCriticalSection.KERNEL32(00000000,?,00437ADD,0000000D), ref: 00437D1F

InterlockedIncrement.KERNEL32(?), ref: 00437AE5
__lock.LIBCMT ref: 00437AF9
___addlocaleref.LIBCMT ref: 00437B17

Strings

`I, xrefs: 00437AA3

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
String ID: `I
API String ID: 1687444384-1097155026
Opcode ID: 5c3daa0fe94c8260df0bd6faaa9ea327eba53d889ae39cddc8bc156e87cf4760
Instruction ID: 6754b5ef64742951b2c0705554d5123d6e8264e13ace1faf61660e6d1fc557e5
Opcode Fuzzy Hash: 5c3daa0fe94c8260df0bd6faaa9ea327eba53d889ae39cddc8bc156e87cf4760
Instruction Fuzzy Hash: 5D015EB5504701EED731DF76C90574AF7F0AF54329F20990FA4D6972A0CB78A644CB49

Function 0047E32E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0047E33D
_memset.LIBCMT ref: 0047E34C
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,004D3D00,004D3D44), ref: 0047E37B
CloseHandle.KERNEL32 ref: 0047E38D

Strings

D=M, xrefs: 0047E346

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: D=M
API String ID: 3277943733-3931605405
Opcode ID: 7797c68df051fd3cc790d89f96b2c871d3851cbcc360b811748a9a6b2687577a
Instruction ID: d08d992745afccacb3b8b0cd3f5a681ae48a9adde426758d2a899a44ba7bf27d
Opcode Fuzzy Hash: 7797c68df051fd3cc790d89f96b2c871d3851cbcc360b811748a9a6b2687577a
Instruction Fuzzy Hash: BAF05EF1641304BAE2105F65AC55F777F9DDB08756F008433BE08D62A2D3799E008AAE

Function 00471945 Relevance: 7.7, APIs: 5, Instructions: 232COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 004719F3
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00471A26
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00471B49
CloseHandle.KERNEL32(?), ref: 00471BBF

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 49522e053124adb278f8dcf1b9097c52c78cddf57f45d71c3d6aa57846ce70cd
Instruction ID: fa7a296d99a476a86a2da45024a0719a2f8e20199fad8375743f7a6091745bc8
Opcode Fuzzy Hash: 49522e053124adb278f8dcf1b9097c52c78cddf57f45d71c3d6aa57846ce70cd
Instruction Fuzzy Hash: B0818771700214ABDF109F65C886BAEBBF5AF04724F14C45AF905AF392D7B8A941CF98

Function 0047E062 Relevance: 7.7, APIs: 5, Instructions: 187windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0047E1D5
SendMessageW.USER32(?,000000B0,?,?), ref: 0047E20D
IsDlgButtonChecked.USER32(?,00000001), ref: 0047E248
GetWindowLongW.USER32(?,000000EC), ref: 0047E269
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0047E281

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: MessageSend$ButtonCheckedLongWindow
String ID:
API String ID: 3188977179-0
Opcode ID: 753d6f1d92c134a526e18df4e5ff3a92b815d413ecc91364ccdb78d503043984
Instruction ID: e5de18613c4fa255ceab341328fb5b049988bc7db19e8eecb5530453eb2f3cd8
Opcode Fuzzy Hash: 753d6f1d92c134a526e18df4e5ff3a92b815d413ecc91364ccdb78d503043984
Instruction Fuzzy Hash: 46618134A00244AFDB20CF16C855FEA77BAEB4D300F5482EBE959973A1C779AD40CB19

Function 00451C9A Relevance: 7.7, APIs: 5, Instructions: 158COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00451CB4
VariantClear.OLEAUT32(00000013), ref: 00451D26
VariantClear.OLEAUT32(00000000), ref: 00451D81
VariantClear.OLEAUT32(?), ref: 00451DF8
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00451E26

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: c34c68d8a981908d916abac5c616c0c141d0db5fef4a6e3667bb1f5e8b8b6258
Instruction ID: 01a14437ce13b90a8bf347915368b7b63144ffd9b614d2ff738383f043730fa0
Opcode Fuzzy Hash: c34c68d8a981908d916abac5c616c0c141d0db5fef4a6e3667bb1f5e8b8b6258
Instruction Fuzzy Hash: DE516AB5A00209AFCB14CF58C880AAAB7B9FF4C314B15856AED49DB311D334E915CFA4

Function 00470688 Relevance: 7.6, APIs: 5, Instructions: 149libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0041936C: __swprintf.LIBCMT ref: 004193AB
Part of subcall function 0041936C: __itow.LIBCMT ref: 004193DF

LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 004706EE
GetProcAddress.KERNEL32(00000000,?), ref: 0047077D
GetProcAddress.KERNEL32(00000000,00000000), ref: 0047079B
GetProcAddress.KERNEL32(00000000,?), ref: 004707E1
FreeLibrary.KERNEL32(00000000,00000004), ref: 004707FB

Part of subcall function 0042E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,0045A574,?,?,00000000,00000008), ref: 0042E675
Part of subcall function 0042E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,0045A574,?,?,00000000,00000008), ref: 0042E699

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 273db6b2783379f2b0a7fff79e030fc983e3c7db2a3485b81e51e00c1f92c82e
Instruction ID: 11bdea1872083ca0d5b45e5852a417aa24bc98c86857839b915944f4755cece6
Opcode Fuzzy Hash: 273db6b2783379f2b0a7fff79e030fc983e3c7db2a3485b81e51e00c1f92c82e
Instruction Fuzzy Hash: 23515A75A00205DFCB04EFA9C4819EDB7B5BF18314B04C06AE919AB352DB38ED46CB89

Function 00472E29 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00473C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00472BB5,?,?), ref: 00473C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00472EEF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00472F2E
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00472F75
RegCloseKey.ADVAPI32(?,?), ref: 00472FA1
RegCloseKey.ADVAPI32(00000000), ref: 00472FAE

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 3740051246-0
Opcode ID: 47e4933436c6ab4d64015885371e49b69c48d1cc5a73b0fccede704402c06752
Instruction ID: db6a2c6f5039ba3f6f963ac921372b76787664bba8147ee126b5c2171925493d
Opcode Fuzzy Hash: 47e4933436c6ab4d64015885371e49b69c48d1cc5a73b0fccede704402c06752
Instruction Fuzzy Hash: 00514B71608204AFD704EF55C981EAAB7F8FF88308F00882EF59997291DB74E945DB5A

Function 0047CCF7 Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cd0c014333a077a2251baec4d94aef24cb0927a46c0965b69e810dbd69840b2
Instruction ID: 6bd86e76cd5f0e308c191d645a4555045575542be1b12196704537cc7de98286
Opcode Fuzzy Hash: 3cd0c014333a077a2251baec4d94aef24cb0927a46c0965b69e810dbd69840b2
Instruction Fuzzy Hash: 6941C439D00204ABC724DB68CC84FEA7B69EB49310F14817BF85DA72E1C738AD41D698

Function 00461206 Relevance: 7.6, APIs: 5, Instructions: 127COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 004612B4
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 004612DD
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0046131C

Part of subcall function 0041936C: __swprintf.LIBCMT ref: 004193AB
Part of subcall function 0041936C: __itow.LIBCMT ref: 004193DF

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00461341
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00461349

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: dad89df7136e81ca585883126d843f8ceb4f65252e1a50ea9d0a8751835f4763
Instruction ID: 33f73bd1882a4a67d9b988f53d464e19bfe3fd2721ae18fe6635cdf8a75cdb0c
Opcode Fuzzy Hash: dad89df7136e81ca585883126d843f8ceb4f65252e1a50ea9d0a8751835f4763
Instruction Fuzzy Hash: E0415E35A00109DFCF01EF65C9919AEBBF5FF08314B1480AAE916AB3A1DB35EE41CB55

Function 0042B63C Relevance: 7.6, APIs: 5, Instructions: 110keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(000000FF), ref: 0042B64F
ScreenToClient.USER32(00000000,000000FF), ref: 0042B66C
GetAsyncKeyState.USER32(00000001), ref: 0042B691
GetAsyncKeyState.USER32(00000002), ref: 0042B69F

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 46a20e0b829701043e2736b878e9f183f022ab2c619eb77a840fa27f342466a7
Instruction ID: ea5c49bc6a045c20aae30325ea5466259c30a1778b078819c2208b4997576a75
Opcode Fuzzy Hash: 46a20e0b829701043e2736b878e9f183f022ab2c619eb77a840fa27f342466a7
Instruction Fuzzy Hash: E7416131A04115BBCF159F65C844AEDBB74FF05324F10432BE929A62D0C738AD94EFAA

Function 0044B358 Relevance: 7.6, APIs: 5, Instructions: 88sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0044B369
PostMessageW.USER32(?,00000201,00000001), ref: 0044B413
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0044B41B
PostMessageW.USER32(?,00000202,00000000), ref: 0044B429
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 0044B431

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 36505326f1787a1ab3289ef5a899208ee0989691f03bb790603c7d180b40fbec
Instruction ID: c6114021cf268e49b295ca73ad896ea605345acbffbf748d5dc20f77651af5d8
Opcode Fuzzy Hash: 36505326f1787a1ab3289ef5a899208ee0989691f03bb790603c7d180b40fbec
Instruction Fuzzy Hash: 2331DF71900219EBEF04CF68DD4DA9E3BB5EB44319F10422AF921AB2D1C3B4DD14CB95

Function 0044DBBF Relevance: 7.6, APIs: 5, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0044DBD7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0044DBF4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0044DC2C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0044DC52
_wcsstr.LIBCMT ref: 0044DC5C

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 37fe82f4b490a4516b23310d0b819ac787e4d778e8c7b78592c8d6fb5921b0b3
Instruction ID: a63f65483251d1d600654efb090371a79eac5aceaae257911f0fad0348c612f3
Opcode Fuzzy Hash: 37fe82f4b490a4516b23310d0b819ac787e4d778e8c7b78592c8d6fb5921b0b3
Instruction Fuzzy Hash: 4C212672A04240BBFB159F399D89E7B7BA8DF45750F10403FF809CA191EAA9DC41D2A8

Function 0044BC77 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0044BC90
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0044BCC2
__itow.LIBCMT ref: 0044BCDA
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0044BD00
__itow.LIBCMT ref: 0044BD11

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 45d5808e2f432aba9ebe24e21ce915c2c9c62a350d7d0d3995e74220ac8d06da
Instruction ID: 4081deab4f8184e485d69a1ed8f3105ce05963a3b3e38087a93fdd6c4841812b
Opcode Fuzzy Hash: 45d5808e2f432aba9ebe24e21ce915c2c9c62a350d7d0d3995e74220ac8d06da
Instruction Fuzzy Hash: D921DA75A003047AEB10AA658D86FDF7A68EF99314F00106BF906EB181DB68CD4547E9

Function 00456318 Relevance: 7.6, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 004150E6: _wcsncpy.LIBCMT ref: 004150FA

GetFileAttributesW.KERNEL32(?,?,?,?,004560C3), ref: 00456369
GetLastError.KERNEL32(?,?,?,004560C3), ref: 00456374
CreateDirectoryW.KERNEL32(?,00000000,?,?,?,004560C3), ref: 00456388
_wcsrchr.LIBCMT ref: 004563AA

Part of subcall function 00456318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,004560C3), ref: 004563E0

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
String ID:
API String ID: 3633006590-0
Opcode ID: e8a9948f12555be78f035a8573176f37e59ebdbe5bacffc420a6cc6622af19b6
Instruction ID: a4d20869ffd47c14adb474a37beda6fb6fff047a4a22529e56530f8073d245dc
Opcode Fuzzy Hash: e8a9948f12555be78f035a8573176f37e59ebdbe5bacffc420a6cc6622af19b6
Instruction Fuzzy Hash: 0221F93190421556DB25AB74AC42FEB236CAF193A2F91007FFC05C31C2EB6C99898A5D

Function 00468B95 Relevance: 7.6, APIs: 5, Instructions: 71networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0046A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0046A84E

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00468BD3
WSAGetLastError.WSOCK32(00000000), ref: 00468BE2
connect.WSOCK32(00000000,?,00000010), ref: 00468BFE

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: ErrorLastconnectinet_addrsocket
String ID:
API String ID: 3701255441-0
Opcode ID: 01ac4e1bb718de5b800077869236817ba7dbb371acb41085d03826d86e5413f0
Instruction ID: 6f9270b25347447add342da457f77a13a9c1a7e11193542f23a2f2c964780064
Opcode Fuzzy Hash: 01ac4e1bb718de5b800077869236817ba7dbb371acb41085d03826d86e5413f0
Instruction Fuzzy Hash: A921D1316002149FCB10EF69C985B7E73A8AF58724F04456EF916A73D2DB78AC018B6A

Function 00468420 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00468441
GetForegroundWindow.USER32 ref: 00468458
GetDC.USER32(00000000), ref: 00468494
GetPixel.GDI32(00000000,?,00000003), ref: 004684A0
ReleaseDC.USER32(00000000,00000003), ref: 004684DB

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: e129cb2e01005dd128931fd219b40d64944643ffec29a7b5aeec741a5b2222fa
Instruction ID: 7eb5ea12079a87998d9ad24f7eee5d760849aa70fcb3038dddee9aca5b70f9a1
Opcode Fuzzy Hash: e129cb2e01005dd128931fd219b40d64944643ffec29a7b5aeec741a5b2222fa
Instruction Fuzzy Hash: 9D21A475A00204AFD700DFA5D985A9EB7F5EF48305F04847EE85997251DF74AC00CB58

Function 0042AF83 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0042AFE3
SelectObject.GDI32(?,00000000), ref: 0042AFF2
BeginPath.GDI32(?), ref: 0042B009
SelectObject.GDI32(?,00000000), ref: 0042B033

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: b98d35192cd7674e7e223fc5e960f33633d5bef2c3dca124b6f982cca1be500f
Instruction ID: defb62e2d14b5dc61a60b9f8e46d82b728d0d2292644d69bb86668032924b8be
Opcode Fuzzy Hash: b98d35192cd7674e7e223fc5e960f33633d5bef2c3dca124b6f982cca1be500f
Instruction Fuzzy Hash: DC218E71A01315BBDB119F95FC847AE7B68F720355F54823BEC21922B0C37888518B99

Function 0043217F Relevance: 7.6, APIs: 5, Instructions: 61threadCOMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 004321A9
CreateThread.KERNEL32(?,?,004322DF,00000000,?,?), ref: 004321ED
GetLastError.KERNEL32 ref: 004321F7
_free.LIBCMT ref: 00432200
__dosmaperr.LIBCMT ref: 0043220B

Part of subcall function 00437C0E: __getptd_noexit.LIBCMT ref: 00437C0E

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
String ID:
API String ID: 2664167353-0
Opcode ID: 730fa535017701607b9e5ef1b58ee5727ae4111cd7c9f82ddc2743caa70aafbb
Instruction ID: 4bfc23fad344fdd233653d3f36b2dd68125afd2ca30dc7effa629700dcc71c73
Opcode Fuzzy Hash: 730fa535017701607b9e5ef1b58ee5727ae4111cd7c9f82ddc2743caa70aafbb
Instruction Fuzzy Hash: 73114832104306AF9B20AFA6DE41D6B3798EF0C774F10112FF92496181DBB9D8018AA8

Function 0044ABBB Relevance: 7.5, APIs: 5, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0044ABD7
GetLastError.KERNEL32(?,0044A69F,?,?,?), ref: 0044ABE1
GetProcessHeap.KERNEL32(00000008,?,?,0044A69F,?,?,?), ref: 0044ABF0
HeapAlloc.KERNEL32(00000000,?,0044A69F,?,?,?), ref: 0044ABF7
GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0044AC0E

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 9fddd77adcfdfc88f722dee60f49a38f8333cd9d2923547f0c5927a8f0bcd665
Instruction ID: b2fb64370050a3796c16fcd9a1e03ca781d25c66129ae6c70a804cb58bc47ee6
Opcode Fuzzy Hash: 9fddd77adcfdfc88f722dee60f49a38f8333cd9d2923547f0c5927a8f0bcd665
Instruction Fuzzy Hash: 46011971640204BFEB104FA9DC89DAB3BADEF9A756714043AF945C3260DA719C50CF69

Function 00457A58 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00457A74
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00457A82
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00457A8A
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00457A94
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00457AD0

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: a1ab50dbaa400ee0f35af581b93bebd3d034504358e51fffec0234da4fa6e53b
Instruction ID: 746975d6f761098cdefc978455666e6c60c5cbcab41208852490033a1247a154
Opcode Fuzzy Hash: a1ab50dbaa400ee0f35af581b93bebd3d034504358e51fffec0234da4fa6e53b
Instruction Fuzzy Hash: 5C016D72C04619EBCF00AFE4ED499DDBB78FB58302F004477E802B2251DB789A54C7A9

Function 00449ABF Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32 ref: 00449ADC
ProgIDFromCLSID.OLE32(?,00000000), ref: 00449AF7
lstrcmpiW.KERNEL32(?,00000000), ref: 00449B05
CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00449B15
CLSIDFromString.OLE32(?,?), ref: 00449B21

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 1cc8a2f94725260517449aeb50518d65eec12019442650986c5528cd0426cdb7
Instruction ID: 56237133057e954482622df0bff4b56f6f8ca3d3ebd40510f2d6be53eebfbb56
Opcode Fuzzy Hash: 1cc8a2f94725260517449aeb50518d65eec12019442650986c5528cd0426cdb7
Instruction Fuzzy Hash: 97018F76A00204BFEB109F54ED48F9BBAEDEB58392F144036F905D2210D774ED00ABA4

Function 0044AA62 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0044AA79
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0044AA83
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0044AA92
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0044AA99
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0044AAAF

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: d46d5726169be317421ae8eed6a70f1b1da5d51b3fb809236447fcdb6b794044
Instruction ID: c1a9603be3acfe53a7f4d867b4225e7e1712979715b1dc59aac0c93ffdc08452
Opcode Fuzzy Hash: d46d5726169be317421ae8eed6a70f1b1da5d51b3fb809236447fcdb6b794044
Instruction Fuzzy Hash: 0AF0AF312402046FEB105FA4AC89E673BACFF49754F00003BFA01D7290DA609C15CA65

Function 0044AAC3 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0044AADA
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0044AAE4
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0044AAF3
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0044AAFA
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0044AB10

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 0e193d17cdf6ba65c0ab09260042c070dda179349033c92151f803f4e2e75f05
Instruction ID: 7b3094dd8073a0d4b54ac6e4c054ebd56232fdceee0a77b743a18eb2448949dc
Opcode Fuzzy Hash: 0e193d17cdf6ba65c0ab09260042c070dda179349033c92151f803f4e2e75f05
Instruction Fuzzy Hash: 69F062716402087FEB110FA4EC89E673B6DFF49795F00003BFA41C7290CA64AC11CB65

Function 0044EC80 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0044EC94
GetWindowTextW.USER32(00000000,?,00000100), ref: 0044ECAB
MessageBeep.USER32(00000000), ref: 0044ECC3
KillTimer.USER32(?,0000040A), ref: 0044ECDF
EndDialog.USER32(?,00000001), ref: 0044ECF9

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 871ebd2dc50cb6d83e2542fe6b8797d59794c75f8c0ca65ea003d5911283b1bc
Instruction ID: 7c0e253e6daf71275f144a977830b0db213ad0456a6eb4ba7e01fcadcf456d5f
Opcode Fuzzy Hash: 871ebd2dc50cb6d83e2542fe6b8797d59794c75f8c0ca65ea003d5911283b1bc
Instruction Fuzzy Hash: BD01A430940704ABFB245B56DE8EB9677B8FF10705F00057BB583A24E0DBF8AA84CB48

Function 0042B0AB Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 0042B0BA
StrokeAndFillPath.GDI32(?,?,0048E680,00000000,?,?,?), ref: 0042B0D6
SelectObject.GDI32(?,00000000), ref: 0042B0E9
DeleteObject.GDI32 ref: 0042B0FC
StrokePath.GDI32(?), ref: 0042B117

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: a933078c1e41325a7fda665779402759be8dd26840c69f4cc75981d0f99e1c88
Instruction ID: d09e3ba8106f09b7fb0ffccf771ac6374f8d5cf7ff3259fc2f0692271a8bebb6
Opcode Fuzzy Hash: a933078c1e41325a7fda665779402759be8dd26840c69f4cc75981d0f99e1c88
Instruction Fuzzy Hash: 5CF0F630101204AFCB229F65FC0A7693B64E710366F488337E825851F1C7348966CF5C

Function 0045F23D Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 277comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0045F2DA
CoCreateInstance.OLE32(0049DA7C,00000000,00000001,0049D8EC,?), ref: 0045F2F2
CoUninitialize.OLE32 ref: 0045F555

Strings

.lnk, xrefs: 0045F28B, 0045F290, 0045F29E

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: .lnk
API String ID: 948891078-24824748
Opcode ID: 8f9f6183a8d804eedb8b9093ce08ccb399b402f89017405afb939c6d10efa3b7
Instruction ID: 56ca2aa1e8ab0d55dadeccbfee5ed0d702dd398b15755cccfc95ad1f1bf6af72
Opcode Fuzzy Hash: 8f9f6183a8d804eedb8b9093ce08ccb399b402f89017405afb939c6d10efa3b7
Instruction Fuzzy Hash: D4A14CB1204301AFD300EF55DC81EABB7A8EF98318F40492EF55597192EB74EA49CB96

Function 0045E7DD Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 0041660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004153B1,?,?,004161FF,?,00000000,00000001,00000000), ref: 0041662F

CoInitialize.OLE32(00000000), ref: 0045E85D
CoCreateInstance.OLE32(0049DA7C,00000000,00000001,0049D8EC,?), ref: 0045E876
CoUninitialize.OLE32 ref: 0045E893

Part of subcall function 0041936C: __swprintf.LIBCMT ref: 004193AB
Part of subcall function 0041936C: __itow.LIBCMT ref: 004193DF

Strings

.lnk, xrefs: 0045E83B, 0045E84D

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 668e621b4f843236c55c20dc755c86773dbb98216bad8e99c517538290258a07
Instruction ID: 8ed42b7ffcbf8c34fdfa87bac7f6017b0905d4b703ef9b035486e8dd125d5539
Opcode Fuzzy Hash: 668e621b4f843236c55c20dc755c86773dbb98216bad8e99c517538290258a07
Instruction Fuzzy Hash: 9CA19775A043019FCB14EF25C484D5ABBE5BF88314F00899EF9A59B3A2CB35ED49CB85

Function 0043325D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 004332ED

Part of subcall function 0043E0D0: __87except.LIBCMT ref: 0043E10B

Strings

pow, xrefs: 004332C5, 004332E2

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 0750a7a351930661fcc1e1418c311a1907902d47dc722e9d1e7a2f1656e447bd
Instruction ID: 917e370787e20e9ac7c3c789a3533865973c7ab29dfd68936cfab577bd1622d1
Opcode Fuzzy Hash: 0750a7a351930661fcc1e1418c311a1907902d47dc722e9d1e7a2f1656e447bd
Instruction Fuzzy Hash: FB517B71A0A20196CF157F1AC90137B2B949B48711F20ADBBF8D1823E9DF7C8D849A4E

Function 00454606 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,004ADC50,?,0000000F,0000000C,00000016,004ADC50,?), ref: 00454645

Part of subcall function 0041936C: __swprintf.LIBCMT ref: 004193AB
Part of subcall function 0041936C: __itow.LIBCMT ref: 004193DF

CharUpperBuffW.USER32(?,?,00000000,?), ref: 004546C5

Strings

THIS, xrefs: 00454703
REMOVE, xrefs: 00454676

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: BuffCharUpper$__itow__swprintf
String ID: REMOVE$THIS
API String ID: 3797816924-776492005
Opcode ID: 99eb1063d92ffa89d9bb5e829bd753cc6b5cef06c9ff0b80d17b7bb1bcc13428
Instruction ID: 9d53be668d9fb5a327bbf5121fc8cddf821c48a50070adcd8d7b58695f76f920
Opcode Fuzzy Hash: 99eb1063d92ffa89d9bb5e829bd753cc6b5cef06c9ff0b80d17b7bb1bcc13428
Instruction Fuzzy Hash: 32415234A001199FCF00DF55C881AAEB7B5FF89309F14846AED16AF352DB389D89CB59

Function 0044C189 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0045430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0044BC08,?,?,00000034,00000800,?,00000034), ref: 00454335

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0044C1D3

Part of subcall function 004542D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0044BC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00454300

Part of subcall function 0045422F: GetWindowThreadProcessId.USER32(?,?), ref: 0045425A
Part of subcall function 0045422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0044BBCC,00000034,?,?,00001004,00000000,00000000), ref: 0045426A
Part of subcall function 0045422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0044BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00454280

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0044C240
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0044C28D

Strings

@, xrefs: 0044C2A5

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 1fa1ad6eabfa0c436aa46e39dec3e043eb82f04723597a785a374a401d539bba
Instruction ID: 97a9d9f35f65140ac21fffe6615ecee2d13822cac0b05c15574c3fbb8fa1d40b
Opcode Fuzzy Hash: 1fa1ad6eabfa0c436aa46e39dec3e043eb82f04723597a785a374a401d539bba
Instruction Fuzzy Hash: 59415176D00218BFDB10DFA4CD81ADEB778BF49304F04409AF945B7181DAB56E89CB65

Function 0047A63F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,004ADC00,00000000,?,?,?,?), ref: 0047A6D8
GetWindowLongW.USER32 ref: 0047A6F5
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0047A705

Strings

SysTreeView32, xrefs: 0047A6AA

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: cec0c1ffba73cebd5112c29abe5935a16720a1f01f8c524f03e458aec7f53b67
Instruction ID: 34812f4bd590aac53a1d70bd9b183c7009eef4c1eaab86ac7654d8077e9bf195
Opcode Fuzzy Hash: cec0c1ffba73cebd5112c29abe5935a16720a1f01f8c524f03e458aec7f53b67
Instruction Fuzzy Hash: E131B331600205AFDB158F34CC41BDB7769EB89324F24872AF879932E0C778E8609799

Function 00465180 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 96networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00465190
InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 004651C6

Strings

DF, xrefs: 0046522E
|, xrefs: 004651B5

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |$DF
API String ID: 1413715105-52440868
Opcode ID: 0c59bd178daf4ac2d7fb1a55e7c25b15bf3a86f1a87f3b565fe955a487c33f11
Instruction ID: 0e3a8f5d2b0018d0b8c995439948e53949e20dc0c2c210d091c584513de02932
Opcode Fuzzy Hash: 0c59bd178daf4ac2d7fb1a55e7c25b15bf3a86f1a87f3b565fe955a487c33f11
Instruction Fuzzy Hash: 8B314A71C00109ABCF01EFA5CC85EEE7FB9FF18704F00015AF805A6166EB35A946CBA5

Function 0047A0D6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 0047A15E
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 0047A172
SendMessageW.USER32(?,00001002,00000000,?), ref: 0047A196

Strings

SysMonthCal32, xrefs: 0047A129

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: ae4a772cbb5679667218635877ccbffa9cdd3e1528c133959c220de601507474
Instruction ID: 3d07f6a8656c98a60a218c76e638a6384608bc942360046108f403df068c4194
Opcode Fuzzy Hash: ae4a772cbb5679667218635877ccbffa9cdd3e1528c133959c220de601507474
Instruction Fuzzy Hash: 59219132510218ABEF118F94CC42FEE3B79EF88714F114225FE59AB1D0D679AC55CB94

Function 0047A88A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0047A941
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0047A94F
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0047A956

Strings

msctls_updown32, xrefs: 0047A8BB

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: d148ef9ce7ae0178c9f29fb430c5e697fceb79d1acc397a0305d74544e503e15
Instruction ID: f4b732ce61ef04990da3c7ad1e8262ccf4f24b597dcf722976fd34360e4e1239
Opcode Fuzzy Hash: d148ef9ce7ae0178c9f29fb430c5e697fceb79d1acc397a0305d74544e503e15
Instruction Fuzzy Hash: 9121B2F5600209BFDB00DF14DC91DBB37ACEB9A358B05445AFA08973A1CB34EC218B69

Function 004799A5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00479A30
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00479A40
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00479A65

Strings

Listbox, xrefs: 004799FD

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: c7d075a14e7c419bfdde171d9583bbe656b380122719623c9ec7dcfbd2c2c8da
Instruction ID: b16847f54f3bbe551224f5b7a10f8a7b00d9c28c67af162b2df8198ff57283bf
Opcode Fuzzy Hash: c7d075a14e7c419bfdde171d9583bbe656b380122719623c9ec7dcfbd2c2c8da
Instruction Fuzzy Hash: 7821D772611118BFEF118F54DC85FFF3BAAEF89754F01812AF948572A0C6759C1187A4

Function 0047A409 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0047A46D
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 0047A482
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 0047A48F

Strings

msctls_trackbar32, xrefs: 0047A444

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: e678bb6a1d527a46139aa38c1b35a965afe505dcd88d3de11d13096f77acbd2a
Instruction ID: 5dbd2ac2b98247e172e9957a1bfa228c2db5509b112a01da0e74ef04d1773e25
Opcode Fuzzy Hash: e678bb6a1d527a46139aa38c1b35a965afe505dcd88d3de11d13096f77acbd2a
Instruction Fuzzy Hash: 40110A71200208BEEF209F75CC49FEB3769EFC8754F01422DFA49A6191D2B6E821C728

Function 00432287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00432350,?), ref: 004322A1
GetProcAddress.KERNEL32(00000000), ref: 004322A8

Strings

RoInitialize, xrefs: 00432290
combase.dll, xrefs: 0043229C

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 2574300362-340411864
Opcode ID: fcedfc9659ec0c7c64bc5119958f557a4720371b1e3e804458d48a2424c6a692
Instruction ID: 09ede9aae58cef9486e68371fe4ae4646b4b8eb1e797198e2bf9ef7d0be636f4
Opcode Fuzzy Hash: fcedfc9659ec0c7c64bc5119958f557a4720371b1e3e804458d48a2424c6a692
Instruction Fuzzy Hash: 11E01270A91300ABDF605FB1EE4EB1A3B64AB14B0AF104072B182D61A0CBFA4050CF1C

Function 0043235C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00432276), ref: 00432376
GetProcAddress.KERNEL32(00000000), ref: 0043237D

Strings

RoUninitialize, xrefs: 00432365
combase.dll, xrefs: 00432371

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 2574300362-2819208100
Opcode ID: 778677b6a8caa6dc428da957c2ff63bfe522dcf52e03ffaf57b5f6c554d6dff9
Instruction ID: a31f54394a8b229da8a051bef5177e87c7ac8e844c2c36bb9f34271d07e84e43
Opcode Fuzzy Hash: 778677b6a8caa6dc428da957c2ff63bfe522dcf52e03ffaf57b5f6c554d6dff9
Instruction Fuzzy Hash: 9FE0BD70A86305ABDB60AF61EE0EB193B64B71470AF200437F509E31B4CBBA94208A1C

Function 0048AC59 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0048AC60
__swprintf.LIBCMT ref: 0048AC94

Strings

%.3d, xrefs: 0048AC6E
WIN_XPe, xrefs: 0048ACD3

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: cda00aeba2dd113d83b987a3eed122ba082014d44831d7c995bae8c2129a9bdd
Instruction ID: ed6aefd46cac5bf6410161ede234a9b3f9da04a218b558fb66ec53ee4bca7bb5
Opcode Fuzzy Hash: cda00aeba2dd113d83b987a3eed122ba082014d44831d7c995bae8c2129a9bdd
Instruction Fuzzy Hash: 98E012B1C04618DBEB50A750DE05DFD737CA708741F5408D3B906A2110D77D9BA6AB1F

Function 00472205 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,004721FB,?,004723EF), ref: 00472213
GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00472225

Strings

kernel32.dll, xrefs: 0047220E
GetProcessId, xrefs: 0047221F

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetProcessId$kernel32.dll
API String ID: 2574300362-399901964
Opcode ID: fc9da1b2b8e1fce5087c0a7ba7b6e1b85fefb403bded1bbd054a01d7b1269b9c
Instruction ID: 3924a98e2e59399ed5088d0bb09ecd68b8f7d19da3da61378ec378b7accb85c7
Opcode Fuzzy Hash: fc9da1b2b8e1fce5087c0a7ba7b6e1b85fefb403bded1bbd054a01d7b1269b9c
Instruction Fuzzy Hash: 9FD0A779800712AFC7214F30FB09B4276D4EB14304B11887FE846E2250D7F8D8808658

Function 004142F6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,004142EC,?,004142AA,?), ref: 00414304
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00414316

Strings

kernel32.dll, xrefs: 004142FF
Wow64RevertWow64FsRedirection, xrefs: 00414310

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 913e7605f0d524d0b44ee2cbc5430c987a84a9c54ddfb09f1f20248633be2ea2
Instruction ID: 0874cb1e3382c80ad4e36f397802e131c29ed0526b199c033dd3070212127dc4
Opcode Fuzzy Hash: 913e7605f0d524d0b44ee2cbc5430c987a84a9c54ddfb09f1f20248633be2ea2
Instruction Fuzzy Hash: 4CD0A7759007129FC7204F20E80DB5276D4AB24701B10843FE851D2264D7F8C8C08618

Function 0041434B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,004141BB,00414341,?,0041422F,?,004141BB,?,?,?,?,004139FE,?,00000001), ref: 00414359
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0041436B

Strings

kernel32.dll, xrefs: 00414354
Wow64DisableWow64FsRedirection, xrefs: 00414365

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 884fe836626ee1e49fea4f3d8286b88e30e8eb37f6c4400741fa02c30b2e9933
Instruction ID: bcd0c3a306c1f3c45e019965339ccb8996e7af0c30471b9f746d40f830373149
Opcode Fuzzy Hash: 884fe836626ee1e49fea4f3d8286b88e30e8eb37f6c4400741fa02c30b2e9933
Instruction Fuzzy Hash: 17D0A7759007129FC7204F30E809B4276D4AB20716B10843FE891D2250D7F8D8C08618

Function 00450564 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,00000000,0045052F,?,004506D7), ref: 00450572
GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00450584

Strings

UnRegisterTypeLibForUser, xrefs: 0045057E
oleaut32.dll, xrefs: 0045056D

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: UnRegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1587604923
Opcode ID: 86ece393e60a1fa7707accc30790fb6a7a80835d3484a66ea30eae433763569a
Instruction ID: b21b3317a3c77d7f1e01db388c13e0df763c3e1ad02915f43559e0f511f5c779
Opcode Fuzzy Hash: 86ece393e60a1fa7707accc30790fb6a7a80835d3484a66ea30eae433763569a
Instruction Fuzzy Hash: C5D05E39800716AAC7209F20A809B0277E4AF14701B20883FEC4192254EAF8C4848A28

Function 00450539 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,?,0045051D,?,004505FE), ref: 00450547
GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00450559

Strings

RegisterTypeLibForUser, xrefs: 00450553
oleaut32.dll, xrefs: 00450542

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1071820185
Opcode ID: 45b903a4533446c3dd1c4be3605739d221c8462a8f25aba3df3463862aaec728
Instruction ID: ee59e23ee0f6a034b1eb35206856121915951727f2ea323caf8622d8373917b2
Opcode Fuzzy Hash: 45b903a4533446c3dd1c4be3605739d221c8462a8f25aba3df3463862aaec728
Instruction Fuzzy Hash: 7CD0A73980072AAFC720DF20E809B0276E4AB10302B60C43FE846D2255EAF8C884CA18

Function 0046ECC8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0046ECBE,?,0046EBBB), ref: 0046ECD6
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0046ECE8

Strings

GetSystemWow64DirectoryW, xrefs: 0046ECE2
kernel32.dll, xrefs: 0046ECD1

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: e3df4a6aaadb8d219b49e558a85ec70fab98a3b0eef5ec348a2577c270af705c
Instruction ID: 9e935221f50e00ae709b118c086d257a31122a312d588d7ec4c6cd902a8db6fe
Opcode Fuzzy Hash: e3df4a6aaadb8d219b49e558a85ec70fab98a3b0eef5ec348a2577c270af705c
Instruction Fuzzy Hash: DBD0A7B98007239FCB205F65E949B0376E8AF10300B20843FF846D2250EBF8C8848618

Function 0046BADD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,0046BAD3,00000001,0046B6EE,?,004ADC00), ref: 0046BAEB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 0046BAFD

Strings

kernel32.dll, xrefs: 0046BAE6
GetModuleHandleExW, xrefs: 0046BAF7

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 824c6417e4bf8bd2d824be6ca78a07ae596f41a6a6fc1b87fcb0e970766067a4
Instruction ID: 239926296e4094b45b65568183d6aaf57ec83597fe006d41ef081b979db3c630
Opcode Fuzzy Hash: 824c6417e4bf8bd2d824be6ca78a07ae596f41a6a6fc1b87fcb0e970766067a4
Instruction Fuzzy Hash: FFD05E75C00B129EC7309F21A849B1276E4AB10700B10443FA843D2654E7B8D8C0C65D

Function 00473BDB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00473BD1,?,00473E06), ref: 00473BE9
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00473BFB

Strings

advapi32.dll, xrefs: 00473BE4
RegDeleteKeyExW, xrefs: 00473BF5

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: b6bef8ec5ebec15aadda2a5262816ca1b5f56705468f59b126756dc9c381b53f
Instruction ID: a67e0e2a1e827335695acfb736f14fe8719594200cddcc33486598c0b9eb1c30
Opcode Fuzzy Hash: b6bef8ec5ebec15aadda2a5262816ca1b5f56705468f59b126756dc9c381b53f
Instruction Fuzzy Hash: CED0A7769007229FC7205FA0ED09B43BAF4AB11719B20883FE449E2254D7BCC4808E18

Function 00449B30 Relevance: 6.3, APIs: 4, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c516d79c8338961fa857a5ea15e4569cb763489ab9bd697ba9e7bd4be009c197
Instruction ID: f54840b3a3f998abab4bed9b03dd9ad534d873c6ae72cb0cc2d51b49b8ed12aa
Opcode Fuzzy Hash: c516d79c8338961fa857a5ea15e4569cb763489ab9bd697ba9e7bd4be009c197
Instruction Fuzzy Hash: EDC15D75A0021AEFEB14CF94C884EAFB7B5FF48704F20459AE905AB291D734DE41EB94

Function 0046AA84 Relevance: 6.3, APIs: 4, Instructions: 268COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0046AAB4
CoUninitialize.OLE32 ref: 0046AABF

Part of subcall function 00450213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0045027B

VariantInit.OLEAUT32(?), ref: 0046AACA
VariantClear.OLEAUT32(?), ref: 0046AD9D

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: f4b901ded99774338a7c96425ab5a45cb6e508599952d50de266af8f44e49a8f
Instruction ID: d3cec052526a88191b8264ebe28c40fbd9c1d91494d1efb5085a12ca8a7ee0db
Opcode Fuzzy Hash: f4b901ded99774338a7c96425ab5a45cb6e508599952d50de266af8f44e49a8f
Instruction Fuzzy Hash: 7BA17835604B019FCB10EF15C491B5AB7E5BF88714F04445EFA96AB3A2DB38ED44CB8A

Function 004491CC Relevance: 6.2, APIs: 4, Instructions: 201memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004491DD
SysAllocString.OLEAUT32(?), ref: 00449286
VariantCopy.OLEAUT32 ref: 004492B5
VariantClear.OLEAUT32(?), ref: 004492DC

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 5ddd23e8b0729d4bc55d5bae39a5ad49c673541f0e22b3ad22ced03f4a84fb7a
Instruction ID: b24994892b28ea22ed41cd7962b557d9e5a8685ba2ad242708bf07318edd6759
Opcode Fuzzy Hash: 5ddd23e8b0729d4bc55d5bae39a5ad49c673541f0e22b3ad22ced03f4a84fb7a
Instruction Fuzzy Hash: A45185306043069BEB24AF66D49566FB3E5EF5D314F20882FE946C72D1DB789C81A70D

Function 0043365B Relevance: 6.2, APIs: 4, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 004336B7
_memcpy_s.LIBCMT ref: 00433729
__filbuf.LIBCMT ref: 004337AA
_memset.LIBCMT ref: 004337EE

Part of subcall function 00437C0E: __getptd_noexit.LIBCMT ref: 00437C0E

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit_memcpy_s
String ID:
API String ID: 3877424927-0
Opcode ID: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
Instruction ID: 53d79c8ecb3d3fe5b7629954e40d90ef5bfb24acafe66cc4ecbc36d81b619dec
Opcode Fuzzy Hash: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
Instruction Fuzzy Hash: 9551D5B0A00205AFDB249F6A888566F77A1AF48325F24972FF825863D0D778DF518B49

Function 0047C4D7 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(01636678,?), ref: 0047C544
ScreenToClient.USER32(?,00000002), ref: 0047C574
MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 0047C5DA

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 29778ceadc88e8043b24cae127be9cb281ee8e0c3a6fcb133308a472c28339b4
Instruction ID: 05c21488dbecdfa167331e3038b7816cd2669d1c04a8c9574ea230a7522a6a40
Opcode Fuzzy Hash: 29778ceadc88e8043b24cae127be9cb281ee8e0c3a6fcb133308a472c28339b4
Instruction Fuzzy Hash: 82514C75A00205EFCF20DF68D8C0AEE7BB5EB55324F10866AF9599B290D734ED41CB94

Function 0044C410 Relevance: 6.1, APIs: 4, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0044C462
__itow.LIBCMT ref: 0044C49C

Part of subcall function 0044C6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0044C753

SendMessageW.USER32(?,0000110A,00000001,?), ref: 0044C505
__itow.LIBCMT ref: 0044C55A

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: ab0542c797ae680f34bc32dcf149f10d4139ff0be4ce629fa4971586f17fa215
Instruction ID: 94aa8f8244d48e76c93dd802fac7fd0a0f8affcbe3f7f1f337656ba9483b655c
Opcode Fuzzy Hash: ab0542c797ae680f34bc32dcf149f10d4139ff0be4ce629fa4971586f17fa215
Instruction Fuzzy Hash: 2B41C571A00219BBEF11DF55CD91BEE7BB5AF48704F04002FF905A3291DB789A45CBA9

Function 0045390C Relevance: 6.1, APIs: 4, Instructions: 112keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00453966
SetKeyboardState.USER32(00000080,?,00000001), ref: 00453982
PostMessageW.USER32(00000000,00000102,?,00000001), ref: 004539EF
SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00453A4D

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: ef860633596be485adc8c2d2001e2cfec1f5757956d865553a94ebf13c823712
Instruction ID: c3a5fc2247ca57258dfbd45ab748ad776bb5d11102d32a0855e6eab2f4ab92db
Opcode Fuzzy Hash: ef860633596be485adc8c2d2001e2cfec1f5757956d865553a94ebf13c823712
Instruction Fuzzy Hash: 1B41E7F0A042086AEF218F6588057FEBBB59B55357F04015BFCC1922C2C7BC9E899769

Function 0045E698 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0045E742
GetLastError.KERNEL32(?,00000000), ref: 0045E768
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0045E78D
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0045E7B9

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: bdef32a8ad46d848ed5936b1697a7e79bcc66746b9348510daef3cf5fc3c8590
Instruction ID: 7c82d8f7034c297a17edc80f6f1f559cedbe83e8a4f55341b4a5263fe7553a37
Opcode Fuzzy Hash: bdef32a8ad46d848ed5936b1697a7e79bcc66746b9348510daef3cf5fc3c8590
Instruction Fuzzy Hash: 0B414A39A00610DFCB15EF16C54494DBBE5BF59714B08809AED169B3A2CB78FD44CB89

Function 0047B544 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0047B5D1

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 407ff049ce14b452d75764b25c7e584e8d68f2c6fd02a8a3057bb67f1aecd71f
Instruction ID: 57e28f881fa191b69b789a201495b93db2dab7d3e06c3b33892f8c859f32ca08
Opcode Fuzzy Hash: 407ff049ce14b452d75764b25c7e584e8d68f2c6fd02a8a3057bb67f1aecd71f
Instruction Fuzzy Hash: 2E31BE74601208BFEB248A18CC89FEA7765EB05758F54C113FB19D62E1C738A9408ADE

Function 0047D7DE Relevance: 6.1, APIs: 4, Instructions: 105windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0047D807
GetWindowRect.USER32(?,?), ref: 0047D87D
PtInRect.USER32(?,?,0047ED5A), ref: 0047D88D
MessageBeep.USER32(00000000), ref: 0047D8FE

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 484d40a7e24bb3ac0e4d7325bb41d78b87c750840d4a41d58f662c46bc75195c
Instruction ID: bd834d0390477c0285ff9464f83b2979a01ba64205cbee16b8b392e58c799586
Opcode Fuzzy Hash: 484d40a7e24bb3ac0e4d7325bb41d78b87c750840d4a41d58f662c46bc75195c
Instruction Fuzzy Hash: 94418F70E10219EFCB11EF59D884BA977B5BF45310F1AC1BBE9289B260D334E945CB46

Function 00453A61 Relevance: 6.1, APIs: 4, Instructions: 104keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 00453AB8
SetKeyboardState.USER32(00000080,?,00008000), ref: 00453AD4
PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00453B34
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 00453B92

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: ee1cb2a252a75a9602d05cf7c96861c714d2e44eea82e126ad1b221e09ad3506
Instruction ID: 27b72a86794425fe0b8d053071287e17dcd007313c081713a0b207d5bd7cc2c2
Opcode Fuzzy Hash: ee1cb2a252a75a9602d05cf7c96861c714d2e44eea82e126ad1b221e09ad3506
Instruction Fuzzy Hash: 2B31F431D00258AEEB218F6488197BE7BA59B55357F04016BEC81932D3C7BCAE4DC769

Function 00444004 Relevance: 6.1, APIs: 4, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00444038
__isleadbyte_l.LIBCMT ref: 00444066
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00444094
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 004440CA

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 7b108a0bb2571968fa02d0986387a7f6d4b93a724efe95f9a85180f7c6e31ba1
Instruction ID: 3bf6b04f36da3cd1fc6af00a07f0fc9eb4165bfe06db3e75784bc5fcf6265c2f
Opcode Fuzzy Hash: 7b108a0bb2571968fa02d0986387a7f6d4b93a724efe95f9a85180f7c6e31ba1
Instruction Fuzzy Hash: 3A31D231600206AFFB21DF75C845B6B7BA5BF81310F15402AE661872E0E735DCA1DB98

Function 00477CA5 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00477CB9

Part of subcall function 00455F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 00455F6F
Part of subcall function 00455F55: GetCurrentThreadId.KERNEL32 ref: 00455F76
Part of subcall function 00455F55: AttachThreadInput.USER32(00000000,?,0045781F), ref: 00455F7D

GetCaretPos.USER32(?), ref: 00477CCA
ClientToScreen.USER32(00000000,?), ref: 00477D03
GetForegroundWindow.USER32 ref: 00477D09

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 7a851ad328cee1b16e2bd4f381e874094e9f9bfc1e45ce6079b745986ed6ae05
Instruction ID: 1e8d5d08c58c4f4f9afaf2b8480808f23e7f85ff3a1db76d80e28d2a1a114446
Opcode Fuzzy Hash: 7a851ad328cee1b16e2bd4f381e874094e9f9bfc1e45ce6079b745986ed6ae05
Instruction Fuzzy Hash: 00314472E00118AFCB00EFA6D9859EFBBF9EF54314B10806BE815E3211DA349E058BA4

Function 0047F1D7 Relevance: 6.1, APIs: 4, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042B34E: GetWindowLongW.USER32(?,000000EB), ref: 0042B35F

GetCursorPos.USER32(?), ref: 0047F211
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0048E4C0,?,?,?,?,?), ref: 0047F226
GetCursorPos.USER32(?), ref: 0047F270
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0048E4C0,?,?,?), ref: 0047F2A6

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 5032b0c2194b7c4299a7984e93d0ed595972f3ce43f4abf7bb911aa90676e437
Instruction ID: 63e934ad27ac873e6da2f3885b345cfe2735ecc1dfff78e520f1f2a1c573745c
Opcode Fuzzy Hash: 5032b0c2194b7c4299a7984e93d0ed595972f3ce43f4abf7bb911aa90676e437
Instruction Fuzzy Hash: 5D217139601014BFCB15CF94D858DEB7BB5EB09720F0580BAF909572A2D3399D51DB98

Function 0046431C Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00464358

Part of subcall function 004643E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00464401
Part of subcall function 004643E2: InternetCloseHandle.WININET(00000000), ref: 0046449E

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 021c05920f494ff87407bcf62c897d22b344578fd335e9af72131060eb765405
Instruction ID: 9cc24286abcb9e2702159473c7d2b96598c863b8fae1a8e55a5dcdd7c23c96d7
Opcode Fuzzy Hash: 021c05920f494ff87407bcf62c897d22b344578fd335e9af72131060eb765405
Instruction Fuzzy Hash: 0B21CF71700601BBEF119FA0DC00FBBB7A9FF94714F00402BBA1596750EB7598619B9A

Function 00468A7F Relevance: 6.1, APIs: 4, Instructions: 69networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00468AE0
__WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00468AF2
accept.WSOCK32(00000000,00000000,00000000), ref: 00468AFF
WSAGetLastError.WSOCK32(00000000), ref: 00468B16

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: ErrorLastacceptselect
String ID:
API String ID: 385091864-0
Opcode ID: fa39f2e54e03414bf6d013516220253155c22e91e3cf369861db77e9255f7be3
Instruction ID: a5558390a313f7459c5eb50eebe4cf880f672894f4d7221024302a8e9e67c137
Opcode Fuzzy Hash: fa39f2e54e03414bf6d013516220253155c22e91e3cf369861db77e9255f7be3
Instruction Fuzzy Hash: 5121C372A00124AFC7209F69C884A9EBBECEF59714F0041BBF849D7290DB789A418F94

Function 00478A37 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00478AA6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00478AC0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00478ACE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00478ADC

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 6ab1f606fb6f75642a4dd57da16259963dbdfe9ee23026c79322001a07793ecc
Instruction ID: 9a301ab6d85809a24ee430c3f0f753741fd75d4908ac6fd873a8c4ae415f027b
Opcode Fuzzy Hash: 6ab1f606fb6f75642a4dd57da16259963dbdfe9ee23026c79322001a07793ecc
Instruction Fuzzy Hash: 0811B4317851116FDB049B19CD09FFA7799AF95324F14812FF91AC72E1CB78AC418798

Function 00450AA6 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00451E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00450ABB,?,?,?,0045187A,00000000,000000EF,00000119,?,?), ref: 00451E77
Part of subcall function 00451E68: lstrcpyW.KERNEL32(00000000,?,?,00450ABB,?,?,?,0045187A,00000000,000000EF,00000119,?,?,00000000), ref: 00451E9D
Part of subcall function 00451E68: lstrcmpiW.KERNEL32(00000000,?,00450ABB,?,?,?,0045187A,00000000,000000EF,00000119,?,?), ref: 00451ECE

lstrlenW.KERNEL32(?,00000002,?,?,?,?,0045187A,00000000,000000EF,00000119,?,?,00000000), ref: 00450AD4
lstrcpyW.KERNEL32(00000000,?,?,0045187A,00000000,000000EF,00000119,?,?,00000000), ref: 00450AFA
lstrcmpiW.KERNEL32(00000002,cdecl,?,0045187A,00000000,000000EF,00000119,?,?,00000000), ref: 00450B2E

Strings

cdecl, xrefs: 00450B25

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 19b82ab00df1371e5b016832701b64b2c9741df6213fc63da3ecb7d0aecc6632
Instruction ID: 145be95598b7e1a648dd04afa6e117c70f87bd8e37ea0e96bc8854903cea4303
Opcode Fuzzy Hash: 19b82ab00df1371e5b016832701b64b2c9741df6213fc63da3ecb7d0aecc6632
Instruction Fuzzy Hash: EC11B13A200305AFDB25AF64DC45E7A77A8FF45354B80413BEC06CB261EB75E844C7A8

Function 00442F96 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00442FB5

Part of subcall function 0043395C: __FF_MSGBANNER.LIBCMT ref: 00433973
Part of subcall function 0043395C: __NMSG_WRITE.LIBCMT ref: 0043397A
Part of subcall function 0043395C: RtlAllocateHeap.NTDLL(01610000,00000000,00000001,00000001,00000000,?,?,0042F507,?,0000000E), ref: 0043399F

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 54c38f9f08a0f519f703607504d9ecf4fc2804a6520cd809b06142924e8df86c
Instruction ID: 76b0ad49cdb85c388189d76d1fe121886c392acaaf7d6adad2480c7a152804b0
Opcode Fuzzy Hash: 54c38f9f08a0f519f703607504d9ecf4fc2804a6520cd809b06142924e8df86c
Instruction Fuzzy Hash: 9C113A71409211ABEF313F71AC0462A3BA4AF18369F60693BF849C6261CF7CCC40979C

Function 0045058F Relevance: 6.1, APIs: 4, Instructions: 64registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 004505AC
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 004505C7
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 004505DD
FreeLibrary.KERNEL32(?), ref: 00450632

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Type$FileFreeLibraryLoadModuleNameRegister
String ID:
API String ID: 3137044355-0
Opcode ID: bf8619a0c9aba981bc15ccca1db7ff7e9fb4881d086a03c40d52b467fc4f2e37
Instruction ID: 4731fdb1b1567b0ae19da271165ce05f429b2441af8087529cf53811cff3dc9d
Opcode Fuzzy Hash: bf8619a0c9aba981bc15ccca1db7ff7e9fb4881d086a03c40d52b467fc4f2e37
Instruction Fuzzy Hash: 6D21AF79900209EFDB20CF91DC88ADABBB8EF40305F00846FE91692111D778EA59DF59

Function 00456713 Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00456733
_memset.LIBCMT ref: 00456754
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 004567A6
CloseHandle.KERNEL32(00000000), ref: 004567AF

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 43f9cf68ad243a26290874813f2d247d24e1a893440e2b8cc91cc2b019d852b3
Instruction ID: fd60b409f56f833d8a6cd2ffd74bc756abd75956c5152ccc18da0620cbfe824a
Opcode Fuzzy Hash: 43f9cf68ad243a26290874813f2d247d24e1a893440e2b8cc91cc2b019d852b3
Instruction Fuzzy Hash: 17110A72D012287AE73057A5AC4DFABBBBCEF48724F1041ABF904E71C0D2744E848B69

Function 0044B1CC Relevance: 6.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0044AA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0044AA79
Part of subcall function 0044AA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0044AA83
Part of subcall function 0044AA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0044AA92
Part of subcall function 0044AA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0044AA99
Part of subcall function 0044AA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0044AAAF

GetLengthSid.ADVAPI32(?,00000000,0044ADE4,?,?), ref: 0044B21B
GetProcessHeap.KERNEL32(00000008,00000000), ref: 0044B227
HeapAlloc.KERNEL32(00000000), ref: 0044B22E
CopySid.ADVAPI32(?,00000000,?), ref: 0044B247

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
String ID:
API String ID: 4217664535-0
Opcode ID: 79fa0771b1b0de77c34839b3920780a75f91c359e85712ead06fb105e3eb68ba
Instruction ID: ddb838783a8d980ccf522e3005a5bb529784060da0dd22f8c7e97ea2b4c614ce
Opcode Fuzzy Hash: 79fa0771b1b0de77c34839b3920780a75f91c359e85712ead06fb105e3eb68ba
Instruction Fuzzy Hash: 40118F71A00205AFEB049F98DC89AAFB7A9FF95308F14806FE94297210D779EE44CB54

Function 0044B478 Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 0044B498
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0044B4AA
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0044B4C0
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0044B4DB

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 1bb350ae0722a71d9331574708964cf4b0afed708a673f82c82f2e754d377fa8
Instruction ID: 0cde940b2380dfbe2419275a40ecd7dcbc7a601a66b3a8a4632e56c5ce5e9487
Opcode Fuzzy Hash: 1bb350ae0722a71d9331574708964cf4b0afed708a673f82c82f2e754d377fa8
Instruction Fuzzy Hash: 6711487A900218FFEB11DFA9CD81E9DBBB4FB08700F2040A2E604B7290D771AE11DB94

Function 0042B55D Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 0042B34E: GetWindowLongW.USER32(?,000000EB), ref: 0042B35F

DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0042B5A5
GetClientRect.USER32(?,?), ref: 0048E69A
GetCursorPos.USER32(?), ref: 0048E6A4
ScreenToClient.USER32(?,?), ref: 0048E6AF

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 254648ca822ff78b7b2c07c0bd5a257e440f5d096f27a07920ce1ff14d7b983b
Instruction ID: 38adbe0424925ba1536d15aaa9292e66d33fb06dbb45d485947c45a5efc121bb
Opcode Fuzzy Hash: 254648ca822ff78b7b2c07c0bd5a257e440f5d096f27a07920ce1ff14d7b983b
Instruction Fuzzy Hash: AF110A31A01429BBCB10EF95DC459EE77B9EF19308F900466E901E7150D738AA92CBA9

Function 0045732B Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00457352
MessageBoxW.USER32(?,?,?,?), ref: 00457385
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0045739B
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004573A2

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: fcb416f9a989c42e7f02910b133a8696f5435dc7913b608b976dfed4ef512055
Instruction ID: e8bb2425b88c138615c9f3d1bc26131b162209e64043e56cf56b4ad77c314c7b
Opcode Fuzzy Hash: fcb416f9a989c42e7f02910b133a8696f5435dc7913b608b976dfed4ef512055
Instruction Fuzzy Hash: 89110872E04204AFC7019F6CEC05A9F7BAD9B48322F144377FC25D3252D6748D0487A9

Function 0042D17C Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0042D1BA
GetStockObject.GDI32(00000011), ref: 0042D1CE
SendMessageW.USER32(00000000,00000030,00000000), ref: 0042D1D8

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 77a954fb8573469ab591b10b498ca751a64198622bb37dc6f3c0c7830843e23f
Instruction ID: 55f94a0f12abd240e0ba8da287b40f181f5b8fd68ec8dd77b74e083dc65b8265
Opcode Fuzzy Hash: 77a954fb8573469ab591b10b498ca751a64198622bb37dc6f3c0c7830843e23f
Instruction Fuzzy Hash: CE118B72A01619BFEB024F90EC54EFABB69FF18364F444127FA0552160CB359C60EBA8

Function 00444DF2 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00444E16

Part of subcall function 004454F5: __fltout2.LIBCMT ref: 0044551E

__cftog_l.LIBCMT ref: 00444E3C
__cftoe_l.LIBCMT ref: 00444E6E

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction ID: 57016d5f6f7b9a0cbf3ace85b12a9f850bb74cc57af204a52d619faf8e644707
Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction Fuzzy Hash: 8E014C3200014EBBDF125E85DC029EE3F63BB58354B688456FE1859135D73ADAB2AB89

Function 00437452 Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00437A0D: __getptd_noexit.LIBCMT ref: 00437A0E

__lock.LIBCMT ref: 0043748F
InterlockedDecrement.KERNEL32(?), ref: 004374AC
_free.LIBCMT ref: 004374BF
InterlockedIncrement.KERNEL32(01621340), ref: 004374D7

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 2704283638-0
Opcode ID: 3fdd3bbda3f26bf179df47909c5ed370fc3ee281713cac094f052e3268ac7909
Instruction ID: 35cf8e37dc949e82140368de4f1eae71442478175296d5358856b7f3032eeee2
Opcode Fuzzy Hash: 3fdd3bbda3f26bf179df47909c5ed370fc3ee281713cac094f052e3268ac7909
Instruction Fuzzy Hash: 5601A172909625A7C731AF259905B5EBB60BB1C718F15A11BF89463790C72C6901CFCE

Function 0047EA6A Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 0042AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0042AFE3
Part of subcall function 0042AF83: SelectObject.GDI32(?,00000000), ref: 0042AFF2
Part of subcall function 0042AF83: BeginPath.GDI32(?), ref: 0042B009
Part of subcall function 0042AF83: SelectObject.GDI32(?,00000000), ref: 0042B033

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0047EA8E
LineTo.GDI32(00000000,?,?), ref: 0047EA9B
EndPath.GDI32(00000000), ref: 0047EAAB
StrokePath.GDI32(00000000), ref: 0047EAB9

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 8c024d379c3136ef7e267075562d8a5e9e44ff27e5c0af04d24ea2f023b9dcdc
Instruction ID: b2e8b8fc649b8f27fbbac486eb314a5a8b2e1c13cb73f32e70f871bcc1b3e548
Opcode Fuzzy Hash: 8c024d379c3136ef7e267075562d8a5e9e44ff27e5c0af04d24ea2f023b9dcdc
Instruction Fuzzy Hash: B2F0E232402258BBDB129F94AC0EFCE3F19AF1A314F048223FE01610F183789521CBAD

Function 0044C82D Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0044C84A
GetWindowThreadProcessId.USER32(?,00000000), ref: 0044C85D
GetCurrentThreadId.KERNEL32 ref: 0044C864
AttachThreadInput.USER32(00000000), ref: 0044C86B

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 3be4cd699c1510bce34b0b461cd4d97d521e0b84dd0abcf34bf593af61285030
Instruction ID: a4fa697d9a3e91647062018159062b65f2a954dbd57dc30da3e84651cdb12074
Opcode Fuzzy Hash: 3be4cd699c1510bce34b0b461cd4d97d521e0b84dd0abcf34bf593af61285030
Instruction Fuzzy Hash: 33E0657154222876EB102B62DC4DEDB7F1CEF257A1F048032B50D85450C675C981C7E4

Function 0044B0CD Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0044B0D6
OpenThreadToken.ADVAPI32(00000000,?,?,?,0044AC9D), ref: 0044B0DD
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0044AC9D), ref: 0044B0EA
OpenProcessToken.ADVAPI32(00000000,?,?,?,0044AC9D), ref: 0044B0F1

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 36a0d75048c0d9be3209e197010c6c98503d60fb1aa5dbb6f85df83e5cddb8a9
Instruction ID: 74524ffbb3e46b94d1fb655a2312772ad862a2771309a36f7a1cc06a5c24715b
Opcode Fuzzy Hash: 36a0d75048c0d9be3209e197010c6c98503d60fb1aa5dbb6f85df83e5cddb8a9
Instruction Fuzzy Hash: 74E08632E012119BE7201FB15D0DB473BA8EF65796F01C839F641D6040EB788401C768

Function 0042B47D Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0042B496
SetTextColor.GDI32(?,000000FF), ref: 0042B4A0
SetBkMode.GDI32(?,00000001), ref: 0042B4B5
GetStockObject.GDI32(00000005), ref: 0042B4BD
GetWindowDC.USER32(?,00000000), ref: 0048DE2B
GetPixel.GDI32(00000000,00000000,00000000), ref: 0048DE38
GetPixel.GDI32(00000000,?,00000000), ref: 0048DE51
GetPixel.GDI32(00000000,00000000,?), ref: 0048DE6A
GetPixel.GDI32(00000000,?,?), ref: 0048DE8A
ReleaseDC.USER32(?,00000000), ref: 0048DE95

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 3f8704632c0e75f43ca24f0936bcd16855c3c8eb402154f1116d62cc76dde97f
Instruction ID: 50112e87be2f30852f0f0154de58da718e312b235e62c34a3ae1a7313ea698a1
Opcode Fuzzy Hash: 3f8704632c0e75f43ca24f0936bcd16855c3c8eb402154f1116d62cc76dde97f
Instruction Fuzzy Hash: 2DE0ED32900240AADB216F64EC4ABD93B11AB65335F14C677F7A9580E2C7754581DB15

Function 0044B2D4 Relevance: 6.0, APIs: 4, Instructions: 20synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0044B2DF
UnloadUserProfile.USERENV(?,?), ref: 0044B2EB
CloseHandle.KERNEL32(?), ref: 0044B2F4
CloseHandle.KERNEL32(?), ref: 0044B2FC

Part of subcall function 0044AB24: GetProcessHeap.KERNEL32(00000000,?,0044A848), ref: 0044AB2B
Part of subcall function 0044AB24: HeapFree.KERNEL32(00000000), ref: 0044AB32

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: e02b08b5b485128a0bb44ed4dce569c064d8c0e1825b94a5619bf74bac6fe40c
Instruction ID: b6ebfdd629baa519bf37bcac1fd7a12b6036ca1bd84f58e54d7e3addf7f1107d
Opcode Fuzzy Hash: e02b08b5b485128a0bb44ed4dce569c064d8c0e1825b94a5619bf74bac6fe40c
Instruction Fuzzy Hash: 59E0E636504005BFDB012FA5EC08859FF76FF983213108233F61581571CB32A471EB55

Function 0048B29A Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0048B29A
GetDC.USER32(00000000), ref: 0048B2A4
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0048B2C3
ReleaseDC.USER32 ref: 0048B2E2

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 15deece9b16f2fdae2d1e23535f9a6a28c1152bdcba64f0a9ee23f361bc08d78
Instruction ID: f6f2778d9e5f1930d9cdc4fa28c516a2209d5b46f812ae5a8c111d73b3a71056
Opcode Fuzzy Hash: 15deece9b16f2fdae2d1e23535f9a6a28c1152bdcba64f0a9ee23f361bc08d78
Instruction Fuzzy Hash: 23E04FB1900204EFDB015F71D84CA6D7BB4EB5C364F11C83BFD5A87210CB7898418B48

Function 0048B2AE Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0048B2AE
GetDC.USER32(00000000), ref: 0048B2B8
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0048B2C3
ReleaseDC.USER32 ref: 0048B2E2

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 0679684777abb856ac3c99020ffce6204d84a95336b0d1d10bed02ba84499608
Instruction ID: 70ec70184627ba5c58fe453e2c9b63142391eb171c2a98267e52fe1026e899de
Opcode Fuzzy Hash: 0679684777abb856ac3c99020ffce6204d84a95336b0d1d10bed02ba84499608
Instruction Fuzzy Hash: 42E046B1A00200EFDB005F71D848A6D7BA8EB5C364F11883BF95A8B210CBB898418B08

Function 0044DCDF Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0044DEAA

Strings

Container, xrefs: 0044DE29
AutoIt3GUI, xrefs: 0044DE22

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 06ac907439b2f390823124ff2e20a1ed227bb50cb58f5605e4ebd244f9da10a8
Instruction ID: caaf60f4ac3680db04d59953f6cfb4991cdfc9a1ab25511df37565d25b984bbd
Opcode Fuzzy Hash: 06ac907439b2f390823124ff2e20a1ed227bb50cb58f5605e4ebd244f9da10a8
Instruction Fuzzy Hash: DE913C74A00601AFEB14DF64C884F6AB7F5BF48714F20846EF94ACB291DBB4E845CB58

Function 0045290D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 00452A72

Strings

I/H, xrefs: 0045297F
I/H, xrefs: 004529FC, 00452A64, 00452A12

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: _wcscpy
String ID: I/H$I/H
API String ID: 3048848545-3901109334
Opcode ID: 88dfdb524e9d45900ed7a20722aa58de949687d2b7979f4fca71de7ff0cb1198
Instruction ID: f16e19eb140c8a9baa7af3498286bb97e140d4bc0e16ea98cd6ea20c78895d46
Opcode Fuzzy Hash: 88dfdb524e9d45900ed7a20722aa58de949687d2b7979f4fca71de7ff0cb1198
Instruction Fuzzy Hash: 79414C71A00216AACF25DF89D1815FEB770EF0A316F54400BEC80A7353D7B85E8AC798

Function 0042BCC9 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0042BCDA
GlobalMemoryStatusEx.KERNEL32 ref: 0042BCF3

Strings

@, xrefs: 0042BCE8

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 21da6d15e3ca817b623b47af87e6daf90ac47f8e658beda3e88811b78cf9c3eb
Instruction ID: 1bf689df8457bd5c44b4d49a02cf236451e2879443becbfec152a6d8a8a5dfcc
Opcode Fuzzy Hash: 21da6d15e3ca817b623b47af87e6daf90ac47f8e658beda3e88811b78cf9c3eb
Instruction Fuzzy Hash: 47517D71608744ABE360AF11EC85BAFBBECFF94354F41485EF1C8411A6DFB084A8875A

Function 0045C56D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 004144ED: __fread_nolock.LIBCMT ref: 0041450B

_wcscmp.LIBCMT ref: 0045C65D
_wcscmp.LIBCMT ref: 0045C670

Strings

FILE, xrefs: 0045C5A5

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 5b0d0eba16d44ff05854417bd20b9105ed68c8cced796e2dca5e90cfa74dc188
Instruction ID: 3a59bc611d4a36118ea21c6f86ac736072893baa26f317f8f80da3420256d125
Opcode Fuzzy Hash: 5b0d0eba16d44ff05854417bd20b9105ed68c8cced796e2dca5e90cfa74dc188
Instruction Fuzzy Hash: 5241E872A0020A7EDF109BA5CC81FEF77B9DF89708F00406AFA01F7181D7789A058769

Function 0047A76A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0047A85A
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0047A86F

Strings

', xrefs: 0047A7C3

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 5b060f6150296566c2fbd5f5dd0943d36ccb891b7dccd1180b7872ed752c64e7
Instruction ID: df0d06c3975999d3420f212a39c62cc5a75e3b6aa4152ba0fa56d7029d35760d
Opcode Fuzzy Hash: 5b060f6150296566c2fbd5f5dd0943d36ccb891b7dccd1180b7872ed752c64e7
Instruction Fuzzy Hash: 2F412874E013099FDB14DF68C880BDE7BB9FB48304F11406AE908AB381D774A952CFA6

Function 0047975A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 0047980E
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0047984A

Strings

static, xrefs: 004797AA

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 9cbbdd41917b552a6e4b6e5e7c6f3b844dd9ce940d07ef7098271dee245c6374
Instruction ID: 6f1fcb5843ac1f5c818102564327e2679437655490a7abf6e06d98d991e5bb6e
Opcode Fuzzy Hash: 9cbbdd41917b552a6e4b6e5e7c6f3b844dd9ce940d07ef7098271dee245c6374
Instruction Fuzzy Hash: 5F319071110604AAEB109F75DC80BFB73A9FF59764F00861EF8A9C7150DA38AC51C768

Function 00455157 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004551C6
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00455201

Strings

0, xrefs: 004551BF

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 57886baccc68b22bd6bd355c073c5ed209e60a77fee4f006122da44205f12476
Instruction ID: 98827948d23d78b444b9b42d4d9ff022d48a1b29de4fcf806677f0bebbee31f0
Opcode Fuzzy Hash: 57886baccc68b22bd6bd355c073c5ed209e60a77fee4f006122da44205f12476
Instruction Fuzzy Hash: 3F310531A00704ABDB24CF89D854BBEBBF4AF45351F14006BFD85A62A2D7789948CF19

Function 0046658B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00466608

Strings

, $, xrefs: 00466648
AUTOITCALLVARIABLE%d, xrefs: 004665FA

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: __snwprintf
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 2391506597-2584243854
Opcode ID: a5c7a8984b6b207a27f46b7069ccaee90e352d18d9b78483c7c3e0bcd79c353d
Instruction ID: 7467f7872bc7c2626849a34976cb38a9629e962a9ce5ac86ec3b5116d3b410a3
Opcode Fuzzy Hash: a5c7a8984b6b207a27f46b7069ccaee90e352d18d9b78483c7c3e0bcd79c353d
Instruction Fuzzy Hash: 7B218E71A00218ABCF11EF65D882FEE77B4AF45304F11445FF405AB191EB78EA45CBAA

Function 004793CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0047945C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00479467

Strings

Combobox, xrefs: 00479429

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 24b06f1d3c964c0a542659c1f67c0a9de3461b3ce9855f9fafafb9f7ea830190
Instruction ID: 49a3216b925195458f163f843c0c2a292b9a7af1c32e12c88312dfc6ce393180
Opcode Fuzzy Hash: 24b06f1d3c964c0a542659c1f67c0a9de3461b3ce9855f9fafafb9f7ea830190
Instruction Fuzzy Hash: CA11B6713002087FEF119E64DC81FFB376EEB883A4F10812AF918973A0D6399C528768

Function 0047DA42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 0042B34E: GetWindowLongW.USER32(?,000000EB), ref: 0042B35F

GetActiveWindow.USER32 ref: 0047DA7B
EnumChildWindows.USER32(?,0047D75F,00000000), ref: 0047DAF5

Strings

T1F, xrefs: 0047DAFB

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Window$ActiveChildEnumLongWindows
String ID: T1F
API String ID: 3814560230-3440819305
Opcode ID: d4d97808603640f6926f2ef28f008995ee3515483d6e35b830cce5263c4df7c0
Instruction ID: ddae3f2b98f05d4f6250856e0d88ba6cb70f30ce86967f127e6ea6a6e8052d54
Opcode Fuzzy Hash: d4d97808603640f6926f2ef28f008995ee3515483d6e35b830cce5263c4df7c0
Instruction Fuzzy Hash: CA212A35615201EFC714DF28E850AA677F5FF59320F25462BE86A873E0D734B840CB68

Function 004798FE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0042D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0042D1BA
Part of subcall function 0042D17C: GetStockObject.GDI32(00000011), ref: 0042D1CE
Part of subcall function 0042D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0042D1D8

GetWindowRect.USER32(00000000,?), ref: 00479968
GetSysColor.USER32(00000012), ref: 00479982

Strings

static, xrefs: 00479945

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: fc9774a6d599f5ad7d7f45ff6660e96f27b7cd6f6e7f8b311ffa2d94ef0e4215
Instruction ID: d491615f3a206f4ae6196440530606b0a667da0e807d4d6cb29fdec2e67eaffb
Opcode Fuzzy Hash: fc9774a6d599f5ad7d7f45ff6660e96f27b7cd6f6e7f8b311ffa2d94ef0e4215
Instruction Fuzzy Hash: 6F112CB2510209AFDB04DFB8CC45EEA7BB8FB48354F05462EF955D2250D738E851DB54

Function 00479617 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00479699
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004796A8

Strings

edit, xrefs: 0047967D

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 3ecf5f39a06189be9bc85aa0c79a2055c5ff952cf7a056ba3d6c732472a0b907
Instruction ID: 82b55cef058d4d939aaa24889a10cbfc957542157ba903f6873597400a1f154b
Opcode Fuzzy Hash: 3ecf5f39a06189be9bc85aa0c79a2055c5ff952cf7a056ba3d6c732472a0b907
Instruction Fuzzy Hash: 78119E71500208ABEF105FA4DC44EFB3B6AEB15378F60832AF969932E0C739DC519768

Function 00455262 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004552D5
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 004552F4

Strings

0, xrefs: 004552CE

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 5521a330af807d1eaba27fa4afb8095a6cb364d2807d60911dd85939ee313ff5
Instruction ID: 1498dc996eeb07b49aa9b7c1fb549df67b2c1fe5f8ad32c05656961fb29728b7
Opcode Fuzzy Hash: 5521a330af807d1eaba27fa4afb8095a6cb364d2807d60911dd85939ee313ff5
Instruction Fuzzy Hash: 5D11D371A01614ABDB10DA99D914BBA77B8AB05751F040077FD05A72B1D3B8ED08CB99

Function 00464D9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00464DF5
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00464E1E

Strings

<local>, xrefs: 00464DE6

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 4688056092bf3329aa4ce397a114d4ecbdaa7700242586da192e1ec716d5dedb
Instruction ID: f35570c0b643999c3cb03b2930bf117b5979567f7ff51ee0067b8bf2c2bcc3fe
Opcode Fuzzy Hash: 4688056092bf3329aa4ce397a114d4ecbdaa7700242586da192e1ec716d5dedb
Instruction Fuzzy Hash: F611E0B0900221BBDF248F51CC88EFBFAA8FF56751F10822BF10546240E3785941C6F6

Function 0043A70C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 004437A7
___raise_securityfailure.LIBCMT ref: 0044388E

Strings

(M, xrefs: 00443889

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: (M
API String ID: 3761405300-1960611114
Opcode ID: bd708df5f622090fdce387b79b712afb0215fd9ac19271bfe72a61e620822ba9
Instruction ID: 24ac5eae8874abb07ca19468fbc00d0696ba85afb0728b037f6b255853fd88df
Opcode Fuzzy Hash: bd708df5f622090fdce387b79b712afb0215fd9ac19271bfe72a61e620822ba9
Instruction Fuzzy Hash: 9621E2B5502204DAEB40DF65E985B453BF5FB48319F20983BE5098B3A1E3B4A980CF4D

Function 0046A82C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52networkCOMMON

Download Yara Rule

APIs

inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0046A84E
htons.WSOCK32(00000000,?,00000000), ref: 0046A88B

Strings

255.255.255.255, xrefs: 0046A866

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: htonsinet_addr
String ID: 255.255.255.255
API String ID: 3832099526-2422070025
Opcode ID: e639932bb92c23762fa66e58457b564385edbe6bf18e71789e334ccdf4158c9c
Instruction ID: be72ee6d9a1d1aa7a560d39f9b4a1fb31a46ac2ee54d02815704df5d14c8a60b
Opcode Fuzzy Hash: e639932bb92c23762fa66e58457b564385edbe6bf18e71789e334ccdf4158c9c
Instruction Fuzzy Hash: A401C475600304ABCB10EF68C886FADB364EF44314F10846BE516A73D1E779E8158B5B

Function 0044B781 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 0044B7EF

Strings

ListBox, xrefs: 0044B7B9
ComboBox, xrefs: 0044B78B

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 4774570f363ef0959f673899c68badc50b9ce6214f5685ca384e05b6d3ae355e
Instruction ID: 50edc98c106b932b74f37f9373f2574024242eca1d1f92f97ee619f8fa4deb17
Opcode Fuzzy Hash: 4774570f363ef0959f673899c68badc50b9ce6214f5685ca384e05b6d3ae355e
Instruction Fuzzy Hash: D301F571640114ABDB04EBA4CC42EFE3379AF45314710061FF461932C2DB78590887A8

Function 0044B67D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000180,00000000,?), ref: 0044B6EB

Strings

ListBox, xrefs: 0044B6B5
ComboBox, xrefs: 0044B687

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 2a662205d7ab96e33bbb53e0ac1cc70c0698f2f8328e43202d965d64f3ef0bd4
Instruction ID: 2990784ab934e24b8b92e3167fc650c2c5b4243f46ed8d3ba6afba1256834476
Opcode Fuzzy Hash: 2a662205d7ab96e33bbb53e0ac1cc70c0698f2f8328e43202d965d64f3ef0bd4
Instruction Fuzzy Hash: 25018475A41104ABDB04EBA5CE52FFF73B89F05344F10002FB402A3281DB989E1887EE

Function 0044B700 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000182,?,00000000), ref: 0044B76C

Strings

ListBox, xrefs: 0044B738
ComboBox, xrefs: 0044B70A

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 670a7febc4a7e3b8625b402cb66bfb634e3524142758484f696362f97284be1e
Instruction ID: 3a03c8fd60c178fd2ae647588d4725a95986fdd64c9a2f032ee5575cdf5cca39
Opcode Fuzzy Hash: 670a7febc4a7e3b8625b402cb66bfb634e3524142758484f696362f97284be1e
Instruction Fuzzy Hash: 3E018475680104BADB04E6A4DA42FFE73A89B15344B10002FB401B3192DB689E0987AD

Function 00434D7C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00434D9E
__calloc_crt.LIBCMT ref: 00434DB7

Strings

"M, xrefs: 00434DCE

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: __calloc_crt
String ID: "M
API String ID: 3494438863-1273950097
Opcode ID: d6a4e3e7e6a352fe7c3d98b417e747479f86baff58c2b5641124a51de18f7d9d
Instruction ID: 6f40db5d328d19517876ecdd26c0099eea240a697c1930f5d638e0d8fd26842e
Opcode Fuzzy Hash: d6a4e3e7e6a352fe7c3d98b417e747479f86baff58c2b5641124a51de18f7d9d
Instruction Fuzzy Hash: 8DF04C7020A2025AE3148F5ABD40BE667E4FB5C724F10507FF200CA294E77CD8818B9C

Function 00414024 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

LoadImageW.USER32(00410000,00000063,00000001,00000010,00000010,00000000), ref: 00414048
EnumResourceNamesW.KERNEL32(00000000,0000000E,004567E9,00000063,00000000,75A50280,?,?,00413EE1,?,?,000000FF), ref: 004841B3

Strings

>A, xrefs: 00414028

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: EnumImageLoadNamesResource
String ID: >A
API String ID: 1578290342-2754608871
Opcode ID: 6a21a2d58aff5ec4ce5a2631acbac05fc29a60f34b9f3c933a3eed889aff5be6
Instruction ID: 2cc723422c72a666259eadd1a50aa58a5c57cb81a827ff4b0d25ab0f78b4f053
Opcode Fuzzy Hash: 6a21a2d58aff5ec4ce5a2631acbac05fc29a60f34b9f3c933a3eed889aff5be6
Instruction Fuzzy Hash: CAF06D31741321B7E6205B1AFC4AFD63FA9A758BB5F104527FA14AA1E0D2E494808B9C

Function 00457744 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00457762
_wcscmp.LIBCMT ref: 00457774

Strings

#32770, xrefs: 0045776E

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 8d2cf52eb49a1897352eb4ee7bf7f73facd83f7c4db3381b29e99525f90d6d8c
Instruction ID: fdb2b5af58779a1a4506751f987bc79c667882b029603a232ca0f14ee6995e02
Opcode Fuzzy Hash: 8d2cf52eb49a1897352eb4ee7bf7f73facd83f7c4db3381b29e99525f90d6d8c
Instruction Fuzzy Hash: 06E09277A042242BD720ABA5AC49F87FBACAB65765F00006BB905E3141D664AA0587E8

Function 0044A631 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 0044A63F

Part of subcall function 004313F1: _doexit.LIBCMT ref: 004313FB

Strings

Error allocating memory., xrefs: 0044A638
AutoIt, xrefs: 0044A633

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 17e57bf1bfb5dc48582ed112940ef2b16ced0726720fa0a2c9817bce07c7d905
Instruction ID: 35d84e7d82ade84fbffbc8f86d5be6f8fe773a0aacfed885f4fe17045b82a64a
Opcode Fuzzy Hash: 17e57bf1bfb5dc48582ed112940ef2b16ced0726720fa0a2c9817bce07c7d905
Instruction Fuzzy Hash: 0CD05B313C432833D31436997D1BFC975488B29B95F14003BBF08955D249EED99041ED

Function 0048AE86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 0048ACC0
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0048AEBD

Strings

WIN_XPe, xrefs: 0048ACD3

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: DirectoryFreeLibrarySystem
String ID: WIN_XPe
API String ID: 510247158-3257408948
Opcode ID: db70b7b358ef3b54303050e8dc4d0137b831dd5a6d593655f99dd66e92739479
Instruction ID: 94c99a913c9484aba2b35362acaaede6f81a881e821ec043bc66814ed695d252
Opcode Fuzzy Hash: db70b7b358ef3b54303050e8dc4d0137b831dd5a6d593655f99dd66e92739479
Instruction Fuzzy Hash: 70E06570C00109DFDB11EBA5D9449ECF7B8AB58300F1084A7E002B2260DBB45A85DF3A

Function 004786CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004786E2
PostMessageW.USER32(00000000), ref: 004786E9

Part of subcall function 00457A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00457AD0

Strings

Shell_TrayWnd, xrefs: 004786DB

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: d9c7b8eead11efad4b291914df12913c9e5f27e076faaac72b75a3377fd8f358
Instruction ID: e03843c4374babc8d8fdad8d1f1cda1b6286a23fe41c7da822a320d6f378fcc4
Opcode Fuzzy Hash: d9c7b8eead11efad4b291914df12913c9e5f27e076faaac72b75a3377fd8f358
Instruction Fuzzy Hash: 8AD0C9317853147BE6646770AC0BFC66A589B54B22F11083AB645AA1D1C9A8AD40875C

Function 00478698 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004786A2
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 004786B5

Part of subcall function 00457A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00457AD0

Strings

Shell_TrayWnd, xrefs: 0047869B

Memory Dump Source

Source File: 00000000.00000002.1277927055.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1277881690.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278001146.00000000004BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278063299.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278096228.00000000004D4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_LOI REQUEST.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: ce31679cbbbed40f4264f6a2da3bb25f46dd5b88bedeca20f5c624e3ce6838ff
Instruction ID: bad59880fd43ec88827a739532b685f6edc10647a6682564418e372b232661b0
Opcode Fuzzy Hash: ce31679cbbbed40f4264f6a2da3bb25f46dd5b88bedeca20f5c624e3ce6838ff
Instruction Fuzzy Hash: D2D01235784314B7E7647770AC0BFC67A589B54B22F11083BB749AA1D1C9E8ED40C75C

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LOI REQUEST.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut9044.tmp

C:\Users\user\AppData\Local\Temp\poufs

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
LOI REQUEST.exe

Function 0043B043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Function 00413D19 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 151
windowCOMMON

Function 0042DDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Function 0041406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 0045FA0C Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 238
COMMON

Function 00413F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 0045BFA4 Relevance: 18.3, APIs: 12, Instructions: 316
fileCOMMON

Function 00413742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00413E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Function 0043ACB3 Relevance: 15.2, APIs: 10, Instructions: 219
COMMON

Function 01658218 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 004149FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Function 004136B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 01657FD8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 149
fileCOMMON