Edit tour

Windows Analysis Report
SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe

Overview

General Information

Sample name:	SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
Analysis ID:	1427160
MD5:	a10aff228a835255b89419bebf24bdb2
SHA1:	959e432c06de820e4778461befb789bde41ebba8
SHA256:	c673e00e0e5c771f2d146c07d656ba6c3ea2112146e5b382ba7391e513eb8160
Tags:	exe
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Binary is likely a compiled AutoIt script file

Machine Learning detection for sample

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

OS version to string mapping found (often used in BOTs)

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe (PID: 6936 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe" MD5: A10AFF228A835255B89419BEBF24BDB2)

MP3SoundRecorder.exe (PID: 4908 cmdline: "C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe" MD5: 4B4596685B04D3D2FA26D3DB2566E3D9)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe

ReversingLabs: Detection: 18%

Machine Learning detection for sample

Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe

File created: C:\Program Files (x86)\MP3SoundRecorder\readme.txt

Jump to behavior

Source:	Binary string: d:\ShareWare\MP3 Sound Recorder\MixerAPP\PRMixer\Release\PRMixer.pdb source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1634842047.00000000017EC000.00000004.00000020.00020000.00000000.sdmp, MP3SoundRecorder.exe, 00000001.00000002.2867057178.00000000008CA000.00000002.00000001.01000000.00000006.sdmp, prmixer.dll.0.dr
Source:	Binary string: d:\ShareWare\MP3 Sound Recorder\MixerAPP\PRMixer\Release\PRMixer.pdb source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1634842047.00000000017EC000.00000004.00000020.00020000.00000000.sdmp, MP3SoundRecorder.exe, 00000001.00000002.2867057178.00000000008CA000.00000002.00000001.01000000.00000006.sdmp, prmixer.dll.0.dr

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00FA449B GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00FA449B
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00FAF47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00FAF47F
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00FA3833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FA3833
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00FA3B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FA3B56

Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1635697888.00000000017DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1635585082.000000000181E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1635585082.000000000180E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1635431335.000000000181E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1635845934.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1635431335.000000000180E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1635664567.000000000181E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1635516591.000000000180E000.00000004.00000020.00020000.00000000.sdmp, readme.txt.0.dr	String found in binary or memory: http://bbs.xdowns.com
Source: MP3SoundRecorder.exe, 00000001.00000003.1641085834.00000000023B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.cooolsoft.com
Source: MP3SoundRecorder.exe, 00000001.00000003.1641085834.00000000023B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.cooolsoft.comopenU
Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1635697888.00000000017DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1635585082.000000000181E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1635585082.000000000180E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1635431335.000000000181E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1635845934.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1635431335.000000000180E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1635664567.000000000181E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1635516591.000000000180E000.00000004.00000020.00020000.00000000.sdmp, readme.txt.0.dr	String found in binary or memory: http://www.xdowns.com
Source: MP3SoundRecorder.exe, 00000001.00000003.1641085834.00000000023B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.qwerks.com/order/buynow.asp?ProductID=2689
Source: MP3SoundRecorder.exe, 00000001.00000003.1641085834.00000000023B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.qwerks.com/order/buynow.asp?ProductID=2689openU

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe

Code function: 0_2_00FA1097 GetParent,GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,PostMessageW,PostMessageW,PostMessageW,

0_2_00FA1097

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00FCCB26 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	0_2_00FCCB26
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Code function: 1_2_008C2A85 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,	1_2_008C2A85
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Code function: 1_2_0229FA33 GetKeyState,GetKeyState,GetKeyState,GetKeyState,	1_2_0229FA33
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Code function: 1_2_022A24FF GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,	1_2_022A24FF

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00F43B4C
Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_fe14f271-e
Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"	memstr_adb1a7c2-9

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00F43633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	0_2_00F43633
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00F41290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,	0_2_00F41290
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00F41287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,745EC8D0,NtdllDialogWndProc_W,	0_2_00F41287
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00FCC216 PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	0_2_00FCC216
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00FCD4A8 GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,	0_2_00FCD4A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00FCD422 NtdllDialogWndProc_W,	0_2_00FCD422
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00FCC5E7 SendMessageW,NtdllDialogWndProc_W,	0_2_00FCC5E7
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00FCC502 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	0_2_00FCC502
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00F416DE GetParent,NtdllDialogWndProc_W,	0_2_00F416DE
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00F416B5 NtdllDialogWndProc_W,	0_2_00F416B5
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00F4167D NtdllDialogWndProc_W,	0_2_00F4167D
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00FCC668 DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	0_2_00FCC668
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00FCD7F6 NtdllDialogWndProc_W,	0_2_00FCD7F6
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00FCC8F9 NtdllDialogWndProc_W,	0_2_00FCC8F9
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00FCC8CA NtdllDialogWndProc_W,	0_2_00FCC8CA
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00F4189B NtdllDialogWndProc_W,	0_2_00F4189B
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00FCC9A8 ClientToScreen,NtdllDialogWndProc_W,	0_2_00FCC9A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00FCC973 NtdllDialogWndProc_W,	0_2_00FCC973
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00FCC928 NtdllDialogWndProc_W,	0_2_00FCC928
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00FCCAE6 GetWindowLongW,NtdllDialogWndProc_W,	0_2_00FCCAE6
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00FCCB26 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	0_2_00FCCB26
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00FCBFF6 ReleaseCapture,ChrCmpIA,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	0_2_00FCBFF6
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00FCBF9A NtdllDialogWndProc_W,	0_2_00FCBF9A

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe

Code function: 0_2_00FAA279: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00FAA279

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe

Code function: 0_2_00F98638 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,74775590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,

0_2_00F98638

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe

Code function: 0_2_00FA5264 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00FA5264

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00F4E060	0_2_00F4E060
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00F6DAF5	0_2_00F6DAF5
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00F4FE40	0_2_00F4FE40
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00F570FE	0_2_00F570FE
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00F53190	0_2_00F53190
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00F41287	0_2_00F41287
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00F6F359	0_2_00F6F359
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00F62345	0_2_00F62345
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00F63307	0_2_00F63307
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00F76452	0_2_00F76452
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00F725AE	0_2_00F725AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00F55680	0_2_00F55680
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00F61604	0_2_00F61604
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00F6277A	0_2_00F6277A
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00F558C0	0_2_00F558C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00F56841	0_2_00F56841
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00F67813	0_2_00F67813
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00F4E800	0_2_00F4E800
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00F769C4	0_2_00F769C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00F58968	0_2_00F58968
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00FA8932	0_2_00FA8932
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00F9E928	0_2_00F9E928
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00F7890F	0_2_00F7890F
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00F61AF8	0_2_00F61AF8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00F6CCA1	0_2_00F6CCA1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00FC7E0D	0_2_00FC7E0D
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00F76F36	0_2_00F76F36
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00F6BF26	0_2_00F6BF26
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00F61F10	0_2_00F61F10
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Code function: 1_2_008C39BA	1_2_008C39BA
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Code function: 1_2_008BAC07	1_2_008BAC07
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Code function: 1_2_008B6420	1_2_008B6420
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Code function: 1_2_022922D9	1_2_022922D9
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Code function: 1_2_022A1890	1_2_022A1890
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Code function: 1_2_0229A59B	1_2_0229A59B
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Code function: 1_2_0229D5EE	1_2_0229D5EE

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: String function: 00F47F41 appears 33 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: String function: 00F68A80 appears 40 times
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Code function: String function: 008B6C3C appears 40 times
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Code function: String function: 008B73B0 appears 46 times
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Code function: String function: 02295C6C appears 44 times
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Code function: String function: 008B1C50 appears 48 times

Source: MP3SoundRecorder.exe.0.dr	Static PE information: Resource name: RT_BITMAP type: COM executable for DOS
Source: aut404E.tmp.0.dr	Static PE information: Resource name: RT_BITMAP type: COM executable for DOS

Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1636259761.000000000181C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRecord.DLLX vs SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1636338074.000000000181C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRecord.DLLX vs SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1634977408.000000000180E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePRMixer.dllJ vs SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1634842047.00000000017DF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePRMixer.dllJ vs SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1636138801.000000000181C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRecord.DLLX vs SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1636138801.00000000017FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRecord.DLLX vs SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1634842047.00000000017EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePRMixer.dllJ vs SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1634924208.00000000017FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePRMixer.dllJ vs SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe

Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: MP3SoundRecorder.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: aut404E.tmp.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: MP3SoundRecorder.exe.0.dr	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: aut404E.tmp.0.dr	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0

Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Static PE information: Section: .rsrc ZLIB complexity 0.9902734766016016
Source: MP3SoundRecorder.exe.0.dr	Static PE information: Section: CODE ZLIB complexity 0.9996700802364865
Source: MP3SoundRecorder.exe.0.dr	Static PE information: Section: DATA ZLIB complexity 0.9964192708333334
Source: aut404E.tmp.0.dr	Static PE information: Section: CODE ZLIB complexity 0.9996700802364865
Source: aut404E.tmp.0.dr	Static PE information: Section: DATA ZLIB complexity 0.9964192708333334

Source: classification engine

Classification label: mal56.evad.winEXE@3/28@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe

Code function: 0_2_00FAA0F4 GetLastError,FormatMessageW,

0_2_00FAA0F4

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00F984F3 AdjustTokenPrivileges,CloseHandle,		0_2_00F984F3
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00F98AA3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00F98AA3

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe

Code function: 0_2_00FA3C99 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00FA3C99

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe

Code function: 0_2_00F44FE9 FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00F44FE9

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe

File created: C:\Program Files (x86)\MP3SoundRecorder

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe

File created: C:\Users\user\AppData\Local\Temp\aut3EF2.tmp

Jump to behavior

Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe

Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Jump to behavior

Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe

File read: C:\Program Files (x86)\MP3SoundRecorder\set.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe

ReversingLabs: Detection: 18%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Process created: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe "C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Process created: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe "C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Section loaded: mp3dec2.dll	Jump to behavior
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Section loaded: mp3dec2.dll	Jump to behavior
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Section loaded: prmixer.dll	Jump to behavior
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Section loaded: record.dll	Jump to behavior
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe

File written: C:\Program Files (x86)\MP3SoundRecorder\set.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe

Static file information: File size 1375744 > 1048576

Source:	Binary string: d:\ShareWare\MP3 Sound Recorder\MixerAPP\PRMixer\Release\PRMixer.pdb source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1634842047.00000000017EC000.00000004.00000020.00020000.00000000.sdmp, MP3SoundRecorder.exe, 00000001.00000002.2867057178.00000000008CA000.00000002.00000001.01000000.00000006.sdmp, prmixer.dll.0.dr
Source:	Binary string: d:\ShareWare\MP3 Sound Recorder\MixerAPP\PRMixer\Release\PRMixer.pdb source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1634842047.00000000017EC000.00000004.00000020.00020000.00000000.sdmp, MP3SoundRecorder.exe, 00000001.00000002.2867057178.00000000008CA000.00000002.00000001.01000000.00000006.sdmp, prmixer.dll.0.dr

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe

Code function: 0_2_01111B00 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

0_2_01111B00

Source: initial sample

Static PE information: section where entry point is pointing to: .aspack

Source: mp3dec2.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x10f0e
Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Static PE information: real checksum: 0x0 should be: 0x152e6b
Source: prmixer.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x368c9
Source: record.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x2d618
Source: MP3SoundRecorder.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x57c68
Source: lame_enc.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x22e2b
Source: mp3decdll.dll.0.dr	Static PE information: real checksum: 0x30ce4 should be: 0x30c6e
Source: aut404E.tmp.0.dr	Static PE information: real checksum: 0x0 should be: 0x57c68
Source: aut3F51.tmp.0.dr	Static PE information: real checksum: 0x0 should be: 0x22e2b

Source: lame_enc.dll.0.dr	Static PE information: section name: UPX2
Source: MP3SoundRecorder.exe.0.dr	Static PE information: section name: .aspack
Source: MP3SoundRecorder.exe.0.dr	Static PE information: section name: .adata
Source: aut3F51.tmp.0.dr	Static PE information: section name: UPX2
Source: aut404E.tmp.0.dr	Static PE information: section name: .aspack
Source: aut404E.tmp.0.dr	Static PE information: section name: .adata

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00FA31E7 push esi; ret	0_2_00FA31EB
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00F543CB push edi; ret	0_2_00F543CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00F543B7 push edi; ret	0_2_00F543B9
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00FA8538 push FFFFFF8Bh; iretd	0_2_00FA853A
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00F6E88F push edi; ret	0_2_00F6E891
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00F6E9A8 push esi; ret	0_2_00F6E9AA
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00F68AC5 push ecx; ret	0_2_00F68AD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00F87AA9 push es; retf	0_2_00F87AAA
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00F6EB83 push esi; ret	0_2_00F6EB85
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00F6EC6C push edi; ret	0_2_00F6EC6E
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Code function: 1_2_008B73EB push ecx; ret	1_2_008B73FB
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Code function: 1_2_008B6C3C push eax; ret	1_2_008B6C5A
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Code function: 1_2_008B6530 push eax; ret	1_2_008B6544
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Code function: 1_2_008B6530 push eax; ret	1_2_008B656C
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Code function: 1_2_022963E0 push eax; ret	1_2_0229640E
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Code function: 1_2_02295C6C push eax; ret	1_2_02295C8A
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Code function: 1_2_10003520 push eax; ret	1_2_1000354E

Source: mp3decdll.dll.0.dr

Static PE information: section name: .text entropy: 6.804610237839352

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	File created: C:\Program Files (x86)\MP3SoundRecorder\mp3decdll.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	File created: C:\Program Files (x86)\MP3SoundRecorder\lame_enc.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	File created: C:\Program Files (x86)\MP3SoundRecorder\mp3dec2.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	File created: C:\Program Files (x86)\MP3SoundRecorder\record.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	File created: C:\Program Files (x86)\MP3SoundRecorder\prmixer.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	File created: C:\Users\user\AppData\Local\Temp\aut3F51.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	File created: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	File created: C:\Users\user\AppData\Local\Temp\aut404E.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe

File created: C:\Program Files (x86)\MP3SoundRecorder\readme.txt

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00F44A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_00F44A35
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Code function: 1_2_008B4764 IsIconic,GetWindowPlacement,GetWindowRect,	1_2_008B4764
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Code function: 1_2_022948CD IsIconic,GetWindowPlacement,GetWindowRect,	1_2_022948CD

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe

Code function: 0_2_00F63307 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00F63307

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Dropped PE file which has not been started: C:\Program Files (x86)\MP3SoundRecorder\mp3decdll.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Dropped PE file which has not been started: C:\Program Files (x86)\MP3SoundRecorder\lame_enc.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\aut3F51.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-83362

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_0-82154

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	API coverage: 8.0 %
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	API coverage: 2.7 %

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00FA449B GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00FA449B
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00FAF47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00FAF47F
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00FA3833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FA3833
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00FA3B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FA3B56

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe

Code function: 0_2_00F44AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F44AFE

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	API call chain: ExitProcess graph end node			graph_0-85030
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	API call chain: ExitProcess graph end node			graph_0-82156

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe

Code function: 0_2_00F43B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00F43B4C

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe

Code function: 0_2_00F75BFC RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,

0_2_00F75BFC

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe

Code function: 0_2_01111B00 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

0_2_01111B00

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe

Code function: 0_2_00F981D4 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00F981D4

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00F6A2D5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00F6A2D5
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Code function: 0_2_00F6A2A4 SetUnhandledExceptionFilter,	0_2_00F6A2A4
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Code function: 1_2_008BBEF6 SetUnhandledExceptionFilter,	1_2_008BBEF6
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Code function: 1_2_008BBF0A SetUnhandledExceptionFilter,	1_2_008BBF0A
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Code function: 1_2_0229BC8B SetUnhandledExceptionFilter,	1_2_0229BC8B
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Code function: 1_2_0229BC9D SetUnhandledExceptionFilter,	1_2_0229BC9D

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe

Code function: 0_2_00F98A73 LogonUserW,

0_2_00F98A73

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe

Code function: 0_2_00F43B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00F43B4C

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe

Code function: 0_2_00FA15F8 SendInput,keybd_event,

0_2_00FA15F8

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe

Code function: 0_2_00FA4CFA mouse_event,

0_2_00FA4CFA

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe

0_2_00F981D4

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe

Code function: 0_2_00FA4A08 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00FA4A08

Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe

Code function: 0_2_00F687AB cpuid

0_2_00F687AB

Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Code function: lstrcpyA,LoadLibraryA,GetLocaleInfoA,	1_2_008C764C
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,	1_2_008B3240
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	Code function: GetLocaleInfoA,	1_2_008BECF2

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe

Code function: 0_2_00F75007 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00F75007

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe

Code function: 0_2_00F8215F GetUserNameW,

0_2_00F8215F

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe

Code function: 0_2_00F73ED6 _cvtdate,_cvtdate,_cvtdate,_cvtdate,__invoke_watson,__lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00F73ED6

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe

Code function: 0_2_00F44AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F44AFE

Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Binary or memory string: WIN_81
Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Binary or memory string: WIN_XP
Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Binary or memory string: WIN_XPe
Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Binary or memory string: WIN_VISTA
Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Binary or memory string: WIN_7
Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	Binary or memory string: WIN_8
Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	3 Native API	2 Valid Accounts	2 Valid Accounts	1 Masquerading	21 Input Capture	2 System Time Discovery	Remote Services	21 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Valid Accounts	LSASS Memory	3 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	21 Access Token Manipulation	21 Access Token Manipulation	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Process Injection	2 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Account Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	31 Obfuscated Files or Information	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Software Packing	DCSync	3 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	24 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	18%	ReversingLabs
SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe	9%	ReversingLabs
C:\Program Files (x86)\MP3SoundRecorder\lame_enc.dll	0%	ReversingLabs
C:\Program Files (x86)\MP3SoundRecorder\mp3dec2.dll	0%	ReversingLabs
C:\Program Files (x86)\MP3SoundRecorder\mp3decdll.dll	0%	ReversingLabs
C:\Program Files (x86)\MP3SoundRecorder\prmixer.dll	0%	ReversingLabs
C:\Program Files (x86)\MP3SoundRecorder\record.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\aut3F51.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\aut404E.tmp	9%	ReversingLabs

Name	Source	Malicious	Reputation
http://www.cooolsoft.comopenU	MP3SoundRecorder.exe, 00000001.00000003.1641085834.00000000023B0000.00000004.00001000.00020000.00000000.sdmp	false	unknown
http://www.cooolsoft.com	MP3SoundRecorder.exe, 00000001.00000003.1641085834.00000000023B0000.00000004.00001000.00020000.00000000.sdmp	false	unknown
http://bbs.xdowns.com	SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1635697888.00000000017DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1635585082.000000000181E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1635585082.000000000180E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1635431335.000000000181E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1635845934.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1635431335.000000000180E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1635664567.000000000181E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1635516591.000000000180E000.00000004.00000020.00020000.00000000.sdmp, readme.txt.0.dr	false	high
http://www.xdowns.com	SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1635697888.00000000017DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1635585082.000000000181E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1635585082.000000000180E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1635431335.000000000181E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1635845934.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1635431335.000000000180E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1635664567.000000000181E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1635516591.000000000180E000.00000004.00000020.00020000.00000000.sdmp, readme.txt.0.dr	false	high
https://www.qwerks.com/order/buynow.asp?ProductID=2689	MP3SoundRecorder.exe, 00000001.00000003.1641085834.00000000023B0000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://www.qwerks.com/order/buynow.asp?ProductID=2689openU	MP3SoundRecorder.exe, 00000001.00000003.1641085834.00000000023B0000.00000004.00001000.00020000.00000000.sdmp	false	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1427160
Start date and time:	2024-04-17 06:34:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
Detection:	MAL
Classification:	mal56.evad.winEXE@3/28@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 68 Number of non-executed functions: 309
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
VT rate limit hit for: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File Type:	MS Windows HtmlHelp Data
Category:	dropped
Size (bytes):	254326
Entropy (8bit):	7.939413551207235
Encrypted:	false
SSDEEP:	6144:2lYZJa4Kx8MqxEmleJPOJx0z5uMA4NmxmrVJ6+/gxfN3eiGh:9ZJa4MfqxJoPOY8MA4NmMhR/gvup
MD5:	9186D8FC4B4298CA4FC0CAA405970A9E
SHA1:	F6F97CF79D261908A5872C657ABA9CEFD9C170C6
SHA-256:	CFF94F945B47337DCF86A255F34C86F7970CD03B194329BE0CBD0B980A33AC61
SHA-512:	5DB9AC188A464E382C58C877CF4B4D8C4E528C5DB93FE8F501CAD8352EE74B59FC910D3DE011C0D42E1AC6EC53C16A81F1BCF73E106A8117863E557E74A3F43E
Malicious:	false
Reputation:	low
Preview:	ITSF....`.......2+.........\|.{.......".....\|.{......."..`...............x.......T.......................v...............ITSP....T...........................................j..].!......."..T...............PMGL,................/..../#IDXHDR...'.../#ITBITS..../#STRINGS...F.../#SYSTEM..v.../#TOPICS...'.0./#URLSTR...[.k./#URLTBL...W.../$FIftiMain..../$OBJINST...h.?./$WWAssociativeLinks/..../$WWAssociativeLinks/Property...d../$WWKeywordLinks/..../$WWKeywordLinks/Property...`../CommandLine.htm...C.V./continuerec_1.gif.....Z./continuerec_2.gif...r.../continuerecord.htm.....;./icon.bmp.....0./intro.htm..d.-./license.htm....(./mixer.htm....#./mixerbutton.bmp...4.../newpic/..../newpic/mainform.gif.....g./newpic/playback.gif...8.`./newpic/recording.gif...}.K./newpic/startpause.bmp...X.H./newselectsoundsource.gif...H..R./pause.bmp... .t./playback.htm...C.E./queue.bmp...@.`./queue.gif...t.j./queue.htm..4.../reccontrol.gif......t./record.bmp.....H./recsrc.htm......./recsrcimg/..../recsrcimg/propertie

C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	300544
Entropy (8bit):	7.946293590597341
Encrypted:	false
SSDEEP:	6144:DMvKdn0a438+zR6WDg6oBDsE2YlTbNBDe5MFwK:DP1ByxsdVNTnXFj
MD5:	4B4596685B04D3D2FA26D3DB2566E3D9
SHA1:	A585BAA7927B7D9ED48E71D16BE1CB082380CCF9
SHA-256:	0FEBAD3D37A4181E6FB0C4B22E3C474ED31FECA37ED5CDF467C47034A12801D1
SHA-512:	46A1919C33A4C560D148E819D723774D70A59A39D1BDCFBFDD8B21C35E79D539408A3C0EEDAA8DEB773A35FE460852840997EB46F7AE6E03301866A0CEA81C39
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 9%
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................F...~.......@.......`....@..........................p...................@...........................O..............................TO..............................<O......................................................CODE.....P.......x..................@...DATA..... ...`.......\|..............@...BSS......0..........................@....idata...0..........................@....tls................................@....rdata..............................@....reloc..............................@....rsrc...............................@....aspack.. ...@.......~..............@....adata.......`......................@...................................................................................................

C:\Program Files (x86)\MP3SoundRecorder\lame_enc.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	132096
Entropy (8bit):	7.903347237793537
Encrypted:	false
SSDEEP:	3072:b8KlV9fLjSvBMI1RLT9wYwmgxBVxe+2/EG:bevBMI/LT5wmg/je+NG
MD5:	B3827CD4220B03A488558AB1D0375688
SHA1:	F8B691DF0C58AB126AABF716D8AD9B45E0486403
SHA-256:	5AA9F5DD3532CD512B6A995BFC732FA41920497E58F4A1C4090943B8CC0BE272
SHA-512:	E5B32A8AAE9BFF6F4D7C5877A60D07383573BED7276495BC01D6CAFA5A9ECBE15CBDB40F55D2BF8B8492FFEA5E3115DF53E649356E82C51B956E7E191C373C22
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\.ML..#...#...#...".).#.z.0...#.w.(...#...-...#.w.).V.#...#./.#...'...#.Rich..#.........PE..L...&.D;...........!................`...............................................................................`...........`...........................$.......................................................................................UPX0....................................UPX1................................@...UPX2................................@......................................................................................................................................................................................................................................................................................................................................................................................................................1.20.UPX!....

C:\Program Files (x86)\MP3SoundRecorder\mp3dec2.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	4.297587200388853
Encrypted:	false
SSDEEP:	768:hTVxT/fNIJBrC03MNQTPvOwT+Opxqrh8o:h5xT/fifbTzsCo
MD5:	E37E04A72F9C06A0DDB327C7A85C4433
SHA1:	68DD5BC160AD3838264E3BE75211F0A709790B8E
SHA-256:	B77EF65A7E415A6AA4B10244057951D37E6C19750FEC58E271360AA0DC5D94C3
SHA-512:	DE33FEC8A9A560B4712C8F17EB34F66F44216E8B05D46F10B4E60636F7FDA299CD91D8D893914F741D701497A95E636114E21C4F8533B082A9DF49B5AA1C0C20
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......R.*...D...D...D...J...D. .N...D.t.W...D...E.\.D. .O...D..@...D.Rich..D.................PE..L......A...........!.....P...`...............`.......................................................................k..H...0f..<...............................8....................................................`...............................text....E.......P.................. ..`.rdata.......`.......`..............@..@.data... 2...p...0...p..............@....reloc..d...........................@..B........................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\MP3SoundRecorder\mp3decdll.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	175104
Entropy (8bit):	6.456979492008777
Encrypted:	false
SSDEEP:	3072:TTZqQ6wUHD2hpk1vnYqZxRyejSX5BoGLtgj56vXHBkTok:TNeHacnbR+JBpgl6vXK
MD5:	76B1F2224A863FC0E3425550D15EF207
SHA1:	74D97423122708827F081340F228BA6A2D86376A
SHA-256:	A51FA1D9D4804EB49701E14D6A28439C66D750969B679087D2C4BC14C02E29E3
SHA-512:	91CD30A7247A37DCBD0A6FE899A0676F89C62494AE04B226A37279E210201A9663C96479B49B4486BA0E70E22AEDE8FA42C078338B1E38B5E25315C4150F01F5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......@!K..@%..@%..@%..\)..@%..\+..@%..@%..@%.f_6..@%..@$..@%.._/._@%.._..6@%..F#..@%.._!..@%.Rich.@%.................PE..L...@9.;...........!.................T...............................................................................1..P....(..x....p..."...........................................................................................................text...&........................... ..`.rdata..@b.......d..................@..@.data...X/...@...L..................@....rsrc...."...p..."...h..............@..@.reloc..r ......."..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\MP3SoundRecorder\prmixer.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	188416
Entropy (8bit):	5.676399653833384
Encrypted:	false
SSDEEP:	3072:r/GhuLRnmnrVROZI1GclZJ4ePvRtQLhG3f7yUCa5lQHVIaDYlo:K4RmnTYI1hlnfvTQmf7eaE1Ol
MD5:	43D7D7490FA34F55ABB2D91A886F9F86
SHA1:	FCB09BC35908631DB403A05BB9E4B0B72A0BB003
SHA-256:	38CA4D2075D74F4AC6A5DADE53754320CD31A4270E2C6AB0498FF4BCF4F07ACC
SHA-512:	E48EFFED54499CFA39EA252064F71BBA157E2AFB55F7006F6F670D9B1E9A4BD3C8F4D7869658FA5E7B7B043C162DF565F64EE07CE3D704647858971B6DC72038
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.<.:.R.:.R.:.R.).;.;.R.....=.R...K.<.R.)...8.R.....+.R.:.S.-.R.?.].!.R.?.....R.?.2.[.R.?...;.R....;.R.?...;.R.Rich:.R.........PE..L......A...........!.................f....................................... ..........................................8............p...>.........................................................p...H...................T...@....................text.............................. ..`.rdata..Hi.......p..................@..@.data....Q....... ..................@....rsrc....>...p...@...0..............@..@.reloc...g.......p...p..............@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\MP3SoundRecorder\readme.txt

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1678
Entropy (8bit):	6.02025799625631
Encrypted:	false
SSDEEP:	24:Li4RGmzKk1DB1rnvMMpabJQqJjXcrJS2IYvYpVH9Ps7FXkgHgOf:WHmjD17vMMpAJQIeIS2s7FX1gOf
MD5:	1A78084A052A8F98EA1036F9A29206BF
SHA1:	8974C6154EDCF6F79209451B281A15975B10D255
SHA-256:	166606F9CF93E5190A64791B811B867DEBC3901B4E75E7235034BBBD939C3810
SHA-512:	6A0922CE92E015D8F1C3CC754DD409513D15D9A8F5780FC19B92B01F3C6328CFF0533382A33CEDBCCA58F9A105F309A72E5CD273A2A30601ADCA406DC978CF84
Malicious:	false
Reputation:	low
Preview:	.......................................................................................................... http://www.xdowns.com ...............~ ..============================================================.. .......... www.xDowns.com ..........\|.......... .. ................ .......... ......................... .. .............................. .. .................................... .. ....................................! .. x..........\.....\...\....,....x............... ...............(...................) ..============================================================..........................................................http://bbs.xdowns.com..============================================================.......:.......Kaspersky + Lockdown + .......... ..........................

C:\Program Files (x86)\MP3SoundRecorder\record.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	147456
Entropy (8bit):	5.78498891254806
Encrypted:	false
SSDEEP:	1536:5WHOnjZfuVB/T8R5pnIKlQnLrYmGQFT7/iPGJGuAMo0yh31PklmjJQmDylNSJZuG:5Bj8BcnpmLsyTXJ9o0yRtJQm2lNg
MD5:	0900B5101C195E81136D9AE29F2FFAB1
SHA1:	23AA366CD9680A7CB9D852EAFD792ECFACC1B2A0
SHA-256:	DB1773367D1F1577083C92F8AF9AAAD2697730A8E2114BD979077A2EB83CB3E1
SHA-512:	29F3BCFE931D3E213362DDB9006CF3CEE1279797EDC296921075301BE4C5B54A88941F252F055EA0141D15CBA2E75BCD8A349A064B9811340A91CD74043EE944
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........X.]U9..U9..U9..U9..S9..:&.._9...%..I9..:&..*9..,...~9..U9...8..7&..D9......Y9...?..T9......T9..RichU9..........PE..L......?...........!.....P... ......YY.......`......................................................................p................0.......................P.......................................................`...............................text....I.......P.................. ..`.rdata..KG...`...P...`..............@..@.data....p.......@..................@....rsrc........0... ..................@..@.reloc..d-...P...0..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\MP3SoundRecorder\set.ini

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File Type:	Generic INItialization configuration [set]
Category:	dropped
Size (bytes):	562
Entropy (8bit):	5.189931836975605
Encrypted:	false
SSDEEP:	12:BjbM/vpb2WzoCReP1FXRj5fiw3WUsFkFTkry4Ls5/kBfjRb:uJTUCIDXp5XmUTF4rxWsj5
MD5:	3BDFF134BB920CB94E0F8C276D15B641
SHA1:	23FEC0CA9EA4B75ED0A01BA8856D365EDDD9C375
SHA-256:	E4DDEF3D1E5063D0E57BD70798C45A118B4FE8675029F14AEEE3A7578E9E05BB
SHA-512:	FFDB18835EF95258F16D101DAE452C67E5C02D49B281684A67A2AC1D108A5C7643EA9E3D849FA428D0A86FBAA3048A949A59F6E3E99513D256C9DAED50536ED8
Malicious:	false
Reputation:	low
Preview:	[AlwaysOnTop]..AlwaysOnTop=0..[set]..RecordType=1..Channels=2..Sample Rate=44100..MP3 Rate=128..Buffer Number=32..Buffer Size=1024..Advanced=0..[General]..UseSystemMixer=0..DeviceId=-1..bOpenTagEditAuto=0..[Queue]..Disable=0..Count=0..[Reg]..Name=..........Code=12345678..[AutoPause]..Enable=0..LowerLevel=30..LouderLevel=30..LowerTime=5..[AutoRestart]..Enable=0..LowerLevel=30..LowerTime=5..[AutoName]..Enable=0..Year=1..Month=1..Day=1..Hour=1..Minute=1..Second=1..Path=c:\..[AutoStop]..Enable=0..Hour=0..Minute=10..Second=0..Start=0..[Pos]..Left=350..top=330..

C:\Program Files (x86)\MP3SoundRecorder\ti.ico

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 16 colors
Category:	dropped
Size (bytes):	318
Entropy (8bit):	2.158098863201471
Encrypted:	false
SSDEEP:	3:PFErXllvlNl/AXll19l/Ft/HtAiotuZt/vXzpH/lzlFtpFXpFXppHtzpjljj/7/L:k9ij1hbR5z/J755n
MD5:	134C8BED1FC5E4A3E770601AE8F27DA5
SHA1:	6FF5A0F9C9EDAD8A30CE4892F1B8BF3D313D2160
SHA-256:	B736782A412A078E8D46EA43199F2F8725CB40EA470EC314763F9CB2A88C9954
SHA-512:	237941DA48A648AA55624001AD3E7F8BF2289DE4D6B5FDEA78C9C552C7D21CD05D2D6665FA52AC0D761BDBBE3313BF4C8BA07DA8E8E8E2DE48DC1E1E0670BC81
Malicious:	false
Reputation:	low
Preview:	..............(.......(....... ........................................................................................................................................................................................................................................?...?...?...?...?...?...?...7...7...'...........?......

C:\Program Files (x86)\MP3SoundRecorder\ti_play.ico

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 16 colors
Category:	dropped
Size (bytes):	318
Entropy (8bit):	1.918815286822728
Encrypted:	false
SSDEEP:	3:PFErXllvlNl/AXll19l/Ft/HtAiotuZt/ll/N1/llXnNFHFX/ltv3lJ/55JXlSgj:k9ij1555JXogzpp/55n
MD5:	D4A8A26BC05798DE629125ECAB178DCF
SHA1:	1F34985655F53D96919BF924331209EA453691AD
SHA-256:	70A4F4FA3F62EB7D9023F7C2C80FD19CD3F6763F8E18B8867FCEAFB9A91CFE35
SHA-512:	87D801D3DA3E9EE5AC20A9456B4B081B83AC936765F5A58A2D087D3C8B5AB5D2972B058C24D8738970724C61F731AD5639DD0441F5BAFA34164A74D9A692D1F6
Malicious:	false
Reputation:	low
Preview:	..............(.......(....... ......................................................................................................................... ......." ......""......""".....""""...."""" ...""" ...."" ....." ...... ......................................................?......................................

C:\Program Files (x86)\MP3SoundRecorder\ti_play_p.ico

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 16 colors
Category:	dropped
Size (bytes):	318
Entropy (8bit):	2.3372642643566
Encrypted:	false
SSDEEP:	6:k9ij1ndbVjVjVjVjVjVjVjVLhdv55PjjjjjjjjR55n:k9ipnlhz5555n
MD5:	10CDAAE9BB0E5503BE19C70F5D96D784
SHA1:	3F4BAB436233416E2F36DC5EBD4426D1795DB090
SHA-256:	7CA6E55DD3E7608A93003A0A13503DD90DAC11070C20CE8DC7AC3FF36F4560C3
SHA-512:	A53C56F3B6D7B5EE444550799D1CA5EA394E77F5457FE7D2D25A71C7793D690A689E59A223AC84FAA2C59B84BC4259F8DC3F031F21CA1D2A16A0557B570A1BE6
Malicious:	false
Reputation:	low
Preview:	..............(.......(....... .................................................................................................................................".."....".."....".."....".."....".."....".."....".."....".."........................................................................................

C:\Program Files (x86)\MP3SoundRecorder\ti_rec.ico

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 16 colors
Category:	dropped
Size (bytes):	318
Entropy (8bit):	2.465926643547854
Encrypted:	false
SSDEEP:	6:k9ij1I//jCCWttCCqlu//P5WNiNitmUwNiNidqqn:k9ipIktylepWNiNitmUwNiNidqqn
MD5:	56D9E71AA6D883DAF91A61A090F0B8D7
SHA1:	B62A19F231EC20898B36523D64CAFE6D23E43F54
SHA-256:	36D560BC9082DC3198CC83A129286D7F5EAA85566106D57B4F436BEA4DA4AC01
SHA-512:	1B82616DCD7B271AB831B2B3B82505A499425E08DA09718D710A2FD7453E47EAA113C5AD9E1DD2E49232AC3002CF267C7B5FF3E5D7EFF510235A9FFC2BE32637
Malicious:	false
Reputation:	low
Preview:	..............(.......(....... ...............................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\MP3SoundRecorder\ti_rec_p.ico

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 16 colors
Category:	dropped
Size (bytes):	318
Entropy (8bit):	2.3372642643566
Encrypted:	false
SSDEEP:	6:k9ij1nd1Hbbbbbbbfdv55PjjjjjjjjR55n:k9ipnDHbbbbbbbfz5555n
MD5:	41C3E289FE1BBAF48D87F1ABFE10867D
SHA1:	6CF911651CB36EDF3FFF6C9D59E730D447F09943
SHA-256:	21A8DA8C9C907426211BB2E8995D665145900D052C61230BC364B46CA027C16B
SHA-512:	F50A9AE9C7E2959AF508473631DF95F594A52932610271BD3B0AAE559B42DFBE2CED8C57CA45575517B8990BAFCD66DFD1AB59C2A859607CA6BC70B642A73F31
Malicious:	false
Reputation:	low
Preview:	..............(.......(....... .....................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\aut3EF2.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File Type:	MS Windows HtmlHelp Data
Category:	dropped
Size (bytes):	254326
Entropy (8bit):	7.939413551207235
Encrypted:	false
SSDEEP:	6144:2lYZJa4Kx8MqxEmleJPOJx0z5uMA4NmxmrVJ6+/gxfN3eiGh:9ZJa4MfqxJoPOY8MA4NmMhR/gvup
MD5:	9186D8FC4B4298CA4FC0CAA405970A9E
SHA1:	F6F97CF79D261908A5872C657ABA9CEFD9C170C6
SHA-256:	CFF94F945B47337DCF86A255F34C86F7970CD03B194329BE0CBD0B980A33AC61
SHA-512:	5DB9AC188A464E382C58C877CF4B4D8C4E528C5DB93FE8F501CAD8352EE74B59FC910D3DE011C0D42E1AC6EC53C16A81F1BCF73E106A8117863E557E74A3F43E
Malicious:	false
Preview:	ITSF....`.......2+.........\|.{.......".....\|.{......."..`...............x.......T.......................v...............ITSP....T...........................................j..].!......."..T...............PMGL,................/..../#IDXHDR...'.../#ITBITS..../#STRINGS...F.../#SYSTEM..v.../#TOPICS...'.0./#URLSTR...[.k./#URLTBL...W.../$FIftiMain..../$OBJINST...h.?./$WWAssociativeLinks/..../$WWAssociativeLinks/Property...d../$WWKeywordLinks/..../$WWKeywordLinks/Property...`../CommandLine.htm...C.V./continuerec_1.gif.....Z./continuerec_2.gif...r.../continuerecord.htm.....;./icon.bmp.....0./intro.htm..d.-./license.htm....(./mixer.htm....#./mixerbutton.bmp...4.../newpic/..../newpic/mainform.gif.....g./newpic/playback.gif...8.`./newpic/recording.gif...}.K./newpic/startpause.bmp...X.H./newselectsoundsource.gif...H..R./pause.bmp... .t./playback.htm...C.E./queue.bmp...@.`./queue.gif...t.j./queue.htm..4.../reccontrol.gif......t./record.bmp.....H./recsrc.htm......./recsrcimg/..../recsrcimg/propertie

C:\Users\user\AppData\Local\Temp\aut3F51.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	132096
Entropy (8bit):	7.903347237793537
Encrypted:	false
SSDEEP:	3072:b8KlV9fLjSvBMI1RLT9wYwmgxBVxe+2/EG:bevBMI/LT5wmg/je+NG
MD5:	B3827CD4220B03A488558AB1D0375688
SHA1:	F8B691DF0C58AB126AABF716D8AD9B45E0486403
SHA-256:	5AA9F5DD3532CD512B6A995BFC732FA41920497E58F4A1C4090943B8CC0BE272
SHA-512:	E5B32A8AAE9BFF6F4D7C5877A60D07383573BED7276495BC01D6CAFA5A9ECBE15CBDB40F55D2BF8B8492FFEA5E3115DF53E649356E82C51B956E7E191C373C22
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\.ML..#...#...#...".).#.z.0...#.w.(...#...-...#.w.).V.#...#./.#...'...#.Rich..#.........PE..L...&.D;...........!................`...............................................................................`...........`...........................$.......................................................................................UPX0....................................UPX1................................@...UPX2................................@......................................................................................................................................................................................................................................................................................................................................................................................................................1.20.UPX!....

C:\Users\user\AppData\Local\Temp\aut3F90.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File Type:	data
Category:	dropped
Size (bytes):	17916
Entropy (8bit):	7.676611513885136
Encrypted:	false
SSDEEP:	384:KcyWQf32QhAxUdw59BpI1GHFZlS2cJu5Lux4LgLAo6cAc1:e7f32FxU6bB0GHFns8LeXX6cAE
MD5:	910F5FC2316FB8633542D15640344D5B
SHA1:	D3AF3854E208F0571743AB1D1912362446FDFC62
SHA-256:	8839A262D32350A0FC26E855089871372E1D454239DE73665EB540E9B7BA35B8
SHA-512:	D4040831C1D5E8FD253696981BB68DDFE97D634EC9C9F159BCA0AC73DCDB2E800121CD5AC9205AAF6007D09D8E21D80A8A7EAAF3DF61BCF585F2AED494D8D85A
Malicious:	false
Preview:	EA06.........................Z..F@.~...!......'.!.@i...R.i....+}..a..,v.u..t.X...... ...J}NAm..,..l6.$.D.K..E..Lh.&..:V6...H74.l.. .`....E....~6..zw..l\. .Zlv....s.Q`..d.........Mx ..........K...R...H.....D..(... .#..... ......X...d.#@...Z...@.A0.@ ....a..N .,......P~....u..x.....(..j.........\........B..0.........p.> .....p..&......\|<.u..l.....$:..........o.`.?.......................d..3.h....CGD.....$.........G@..10.fn....8y.......?.X%...WOC.[..p.....-N...I!.\|_#....x>xn..<.28>...K....0:..I..ey..%~...D1 ..n....@.P.:....4.H.e...M..X..@.j.S.....K._...Q............>..O@@w.......V.`.[...8`..../..........<.x.p@@...l.@\|...........B'.!.`....$d.T.b.HeF.P. .#.`...@2... ....%.:.Zg...../...j...,.......z...Hkx>$....Z4...:@.?h.....'...h.e.>.(.(N.....~2...."..C@.*......@.j...5.)...`.&...M..7n.....z..M......).... ..w......}..I.j3...g...b....j.:...V..4`5.........\V`..h.y.h..I#.....\.L...`.!(..$.N=.I...2....p.(M.....+..^,.^..%.......{...........Q.U.VKU..V.@ ...B.h...._

C:\Users\user\AppData\Local\Temp\aut3FE0.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File Type:	data
Category:	dropped
Size (bytes):	102828
Entropy (8bit):	7.6807859802114375
Encrypted:	false
SSDEEP:	3072:551BAA5BRwHDRNGBT0KzDiiZDQ/Z876ff:uHDRgV/ewD2Z8eH
MD5:	D19261CA582DE168E9840254BFF614DC
SHA1:	94905F40449AD83A6C264BA4F88A6AA4B5B2FE0F
SHA-256:	66BD00AB9F4CBA850344782678D599419DC57CF566004952E37125D50BCD907D
SHA-512:	AAAA73179A84334C22EEA0E614976F6B028297BF9C9AE66894EDB2064048053B8F63736935E38CF8ABBC8AEBC15C2EC82121A3EE9C9D860201171A3A7D37DF85
Malicious:	false
Preview:	EA06.........................Z..F@.~...!......'.!.@i...R.i....+}..a..,v.u..t.X...... ...J}NAm..,..l6.$.h...P$...M_.... ..%y....`.....6..@.)&....{+...\|.".g.....#..@.)..ER.........P.. .....@...`...@!..\....m 0..b..)i....@.$...Q.....Q....@.n...6.C `...\.Y..l.......P..e.(...U.... ._.A..z#./......P~ ..l..e.]...6..c ......@ ..u..a.X`.....S.. .A..Y.@..........p..}....9..(......c..@;..MZ..>J...e.[..K..(....X.............{........@......P(.B. .@...H....@..(.....j@...kh..4@...A..'.....@..6....(........h....0.SGp.V...Z.......Et...........(... .....{(.................4........<..6.@..........e.Z/...0.i....kG..A...:...5..Q...H..h..Z..'....... .....+.....P........Q4@.m...p....G..q...b...s...P.u.........h.......... .D3....ptI$..h..@...F.0.=?.[.B....q~..........n........d....M......@....a...a..x.+....BC.....g..g'.V.....UZ....h...[...V+0>4.r.`'......P-...B....@...{......nd..%..$.%.$.......Fj.\|..GUoG.....$.t..I..I...K.H...c..1.$,...p.{.P....{x.5...-.7../4....'2.D. ...?.@+:....

C:\Users\user\AppData\Local\Temp\aut404E.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	300544
Entropy (8bit):	7.946293590597341
Encrypted:	false
SSDEEP:	6144:DMvKdn0a438+zR6WDg6oBDsE2YlTbNBDe5MFwK:DP1ByxsdVNTnXFj
MD5:	4B4596685B04D3D2FA26D3DB2566E3D9
SHA1:	A585BAA7927B7D9ED48E71D16BE1CB082380CCF9
SHA-256:	0FEBAD3D37A4181E6FB0C4B22E3C474ED31FECA37ED5CDF467C47034A12801D1
SHA-512:	46A1919C33A4C560D148E819D723774D70A59A39D1BDCFBFDD8B21C35E79D539408A3C0EEDAA8DEB773A35FE460852840997EB46F7AE6E03301866A0CEA81C39
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 9%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................F...~.......@.......`....@..........................p...................@...........................O..............................TO..............................<O......................................................CODE.....P.......x..................@...DATA..... ...`.......\|..............@...BSS......0..........................@....idata...0..........................@....tls................................@....rdata..............................@....reloc..............................@....rsrc...............................@....aspack.. ...@.......~..............@....adata.......`......................@...................................................................................................

C:\Users\user\AppData\Local\Temp\aut408D.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File Type:	data
Category:	dropped
Size (bytes):	93458
Entropy (8bit):	7.730877374138863
Encrypted:	false
SSDEEP:	1536:9LsrOlCjraYs/07XL6aHYA96BUfy6mN6nefIiyK1lgFHic/H9jAJBwM2LSanO4pn:3EjrLVDL6h5MzeA81GUc/HhiBAJPpRR
MD5:	9E3963B38826F4C9F4D5C9015EEB0004
SHA1:	A5954A4D4029D9AC537BC7EBC18CB0F4400775EE
SHA-256:	61C3994FA1FE354C4A36143A5CFECDE65A5D4C6154EACAA64DA4BB4F8AB8A6FA
SHA-512:	9CEBA3615BF7D528DD0368320C7014716119C8B3548754CD12E42372718D22D1F56502FC18D5184FCAC0561C60C0EF44BB90DA389EB0D1E339419C8DF7F94972
Malicious:	false
Preview:	EA06.........................Z..F@............'.!.@i...R.i....+}..a..,v.u..t.X...... ...J}NAm..,..l6.$.C...<.N..-..&.;i..v..nv..... .gi{.........(~.V.YT....K.?.Ww..............[......[k.....(@.ER..........X......;.>5..S^..:C....P........^.0.)...4...@.2...b......A..(..............>"....p..w>p.. .U.@.....'..@1......#.1.u...R..\|.P\|."........[... .a. .8...d.........Y,7K...H..~f.......0..p.> .J.....=.. ......\.V0.......'i..G.@.\...x.I....`....\|. ........................p........`........hc...C...A....B.....{..g..Q$......^co.HO.W...,.V6...Tq.I$B....^......I4.... ..z=..F/..F0.k.g...T-........oG....`...m2I.......!..I!..G....W..-w...s*../...z0...?.......F....< ..7..gX...QQ.g@.q^.:@.qQ..j.....Db..J...;..i.H...P.\.....s..L^RH......./....h0LM.....14..&....$.....................t..........$..M:...`..+.0.@...P.\..~.b.........drQ...=.@n...r...A......i....O.&.F@>.....u.....n..t.....~......th..I..z4...k.....XH.!...>.F..$.Z.5j..+...@rK.b.h.........B+....[.............].I...%

C:\Users\user\AppData\Local\Temp\aut40DD.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File Type:	data
Category:	dropped
Size (bytes):	1190
Entropy (8bit):	7.559505246351056
Encrypted:	false
SSDEEP:	24:nwx2OMhKy4aC3pzV7D/y0A0zQiHdpXT5L6Uzk+eWowcVbzM+rCoh0RmqRBiyX:wx2O5asJ1A0zQiHrdsW8VbFOM0Rl9
MD5:	F09797C73773E45FC13905C2F05666FC
SHA1:	520CFC040DC1D258BF50ED1C641649C91E466080
SHA-256:	925E0CCC5AB89A7887C443F4AC35E0CBA26394F5CC0A2CBD4F011CA734476776
SHA-512:	0865E732C5FC1D1D31E40BB00177E6BF80353B1F89313A7F0625155E19015340CAD58DE85F4B2AA08C864DF26A58D451A7358FCBAA4B0CC24AA4652539920E57
Malicious:	false
Preview:	EA06.......W.....7?.'k...\|..N.3...{w........v..........N&.c..q..m..q..p.'.......-.....8.....m.]_....u.......q~}>..u..t....KU....k}..id.....:....{...d....9u..m.h......\|...a.H!.........H... ....* .....?....{...@.U..d..$.C...x.}..c...:...$.S...w.......6[..Ck..o9_]..a..j9.g....H9{P......v.=..m..........p..m.......[..c...v.........%...@#....w.=g[w...u ;..E...=.#...j9[...i...:.-.....q9}....[^'+...s:]M.....n..//+.....5. s...W6..F.....\|r...x.........y...+N.....m..n.?N.....s.....Q...7}-..w..u..H...... ..Wm........a...6.@,.w...9..k....tz...}....;...z.2..oC...Ca\.^.{...6z=...lV+...@&..@.'..n8`d6..a..,.+... ..)........8.].go..\|x.}..A......gG...p.......ntz.....nz\|=......\~7....r.:M.e...7.`96Q....=.....4z......z:.....&..8...b..@...w...a..W.o...9.n..k..yw.....S.*.Ci..l.;.h................c]>......\|{.0...[.....@ ../...@..o.y..v.V.......g e....V...=H..9.'..I.Eg....k..j.<.......'..u..a.[7.+...u.s.......]..m..=.......>..M.L.[..w....1.......}...D....W........

C:\Users\user\AppData\Local\Temp\aut410C.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File Type:	data
Category:	dropped
Size (bytes):	76178
Entropy (8bit):	7.732510822919388
Encrypted:	false
SSDEEP:	1536:25Ict1L3WF+vDoWYdMmHudSgY8HrgMTkv/x2QDTqd2PAuR1rGdNGlJy/NAT61eq0:2lt53WF+v8W20rNLWv/sQ/qd53NGlJy+
MD5:	BCA07FD934915443E4F4BC9FB1751166
SHA1:	281D1ED796BBBEB035DA91B04C1CDE4AD049EC28
SHA-256:	2DD30C2F9CB7D296D15CDFB0CABF4D523982E3EBEA4D54474863F1A389DC90A3
SHA-512:	D490E36F0F06C6294569FFE4627EDC7642DF3EEA9A048B53082DFD835C869EC16BB6B5140E57354235BE5CE11FF6D7FB99AC26D614646C29803631DAB74C8164
Malicious:	false
Preview:	EA06..@......................Z..F@.~...!......'.!.@i...R.i....+}..a..,v.u..t.X...... ...J}NAm..,..l6.$.D.F....g>.p.'.`...M.W..........^xt.. .F<....E.ug..t.M..Q....k......)...T..5Q.H.ER..........X......>.....S^..:C.....H... ...U...)...,...@.2...b..a......(..............>..h.....f20....U.@.......P.@>..........=.0...]t...........@.# .=..#...t.. ..8.. ........p.K.....\..M...V....>....s.X........e`......e.[..K$..q.(&...B..Q..8........\.................../.j..".H.B...j.LL..!.....Z....14.F.....>.8.C.M.b...EF......]..P.\.........\|..o..M.b..'..B....;...t...P.M....4...C.......z...L?.. .)...,..h.._.V.~Z....@.q4.........A.@0w.D..........Q...a...#...h........)...N........./..C_..K.Q.azWH......X.P.S.Q.b@...C...V..G..;..4`...V..*....;......X...`.-S.....-... 8^....$T}.....Pb...0.d.H....nch..M....=..............n......`.Q..n...d.g@.\...@ .mci..ba.....p.@..H\|..].9..z`1.<. ...F.!.....L]V).....Z,cG...-P.F.....m....8.$`..f.G.d...D.....`..pw.d.....=...C.E.z..z/.....M7..m......J

C:\Users\user\AppData\Local\Temp\aut417B.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File Type:	data
Category:	dropped
Size (bytes):	430
Entropy (8bit):	7.070361362551091
Encrypted:	false
SSDEEP:	12:n7ZhxZtqLIXbUQ+bqxLe230m3CR8P0ikrTD:ndhxZALmUvqxe230m3CR8P013
MD5:	06BECC156F8B5CC2F71B4C8C8293D345
SHA1:	6B8F1880E45EB174B3F4F1A03C8EBEBF0E4B81D9
SHA-256:	0EECCC0E49F192DFECEE387DC354F14F508842691AF8FD9432AE9AA6F0B82353
SHA-512:	C8269E5084EC5ECDF3BC4CEC1C536E7E0145952E53F6664B90701BAC97F04B040780932E2EBC401C6754FCCB89D5FF9A9E473D049B5A5661C8FFCE8A73309391
Malicious:	false
Preview:	EA06...2..m.{...O.U-...6...........@.b.e...VJ...e..a.....n.Ym.9......m..e.AR..,...c0.4).....&3).6.B...[...u...)..d.%.....FL&S@.R.v..v[ ..G...+......;...e..m7....t.Yn....d..@!..>.e.U,6z-..t..n....u..l.....s...P.F.o.....J.g..)..m.{..r.;^'O..>..*..k6..X.....a.....-...T.}..r.Yn.[d.f..]l......T..,.P.<..;...t.E.@.~0......l7 .6.o.]-..-..y..i.....-6..R..... .SP....9.p.S5;........`.y.......T...[.`..2.f.OfsP.......s.l(

C:\Users\user\AppData\Local\Temp\aut41AB.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File Type:	data
Category:	dropped
Size (bytes):	188
Entropy (8bit):	5.208201477984995
Encrypted:	false
SSDEEP:	3:DLS/tClQlta+lXZgZd0tLl85xJacllTUVeEl4Zlh8OlmYlMcis6mD/Q4ou6:DLS/gQ3aSOZetRia8v49YfCw/Tol
MD5:	92E7169C213CB151A9B07DD24F156FF0
SHA1:	B265A28FDE426FCF10C12FCDCF4D0F76F3A2DD64
SHA-256:	1F0E21ADA9E150CB591D40EC69BFBD6A538A974A48E46FDD69C2D9B8C8F4D31A
SHA-512:	B5BB829A516B38494A486317F9E17A3D7804AAFC1A114904AF26604226560D68C51C10F77F384AFAC2CD5D68A8DB712240F999FDFF6BDE5F178236E09DB68F59
Malicious:	false
Preview:	EA06...>.@ .DB!............@...&@..@`.@..........:..........8....@.$...........$.M..@.w...0P.g3...p!......\|@...s8......o.....8..^........<@>.....?.@8...8..<..C.........&d.........g.....

C:\Users\user\AppData\Local\Temp\aut41EA.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File Type:	data
Category:	dropped
Size (bytes):	168
Entropy (8bit):	5.019540973612407
Encrypted:	false
SSDEEP:	3:DLS/tClQlta+lXZgZd0tLl85xJacllTYB0XQHBw3dl7Jwp1TvaAREW:DLS/gQ3aSOZetRia8kqN3dl7J9qd
MD5:	385555964D7D7EF5B3BB0F3864B3FF29
SHA1:	B254E93EBD6C7B70C1A40CB1B733E616E07371E2
SHA-256:	2BE14322D0BAE7FADE7454168B23FC556E277240487638DCACABF375EC10403F
SHA-512:	6B62E538E294679468D5A5D34CD3C64DEE4383FB398EB3AEBEDE816B4D41C73C9A44B55E75197C70C4CE66D4B86379CB13C4DB6710385CE16B6BA2BAF5649400
Malicious:	false
Preview:	EA06...>.@ .DB!............@...&@..@`.@..........:..........8....@.$...........$.M..@.~...Fd@.9.H..5"....#R.....@...8.....Dd...p.C...\|.....!... ...\|.....c..a......

C:\Users\user\AppData\Local\Temp\aut421A.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File Type:	data
Category:	dropped
Size (bytes):	126
Entropy (8bit):	4.8618722408189
Encrypted:	false
SSDEEP:	3:DLS/tClQlta+lXZgZd0tLl85xJacllTPli1sBmtllD6C:DLS/gQ3aSOZetRia8zli1sI/D
MD5:	D809BF27175DB098EB67258617B2CB42
SHA1:	DE694C316CAC3BB4D90FEA98C6983E19536A3FDF
SHA-256:	A3CFCAEACA7C91D6E8494FF13D4BD36E5BE8C0FD590678BC3A8371195E79C679
SHA-512:	47744F6B71BC54849A26CEE30D926371F6863EA166C12143271C31B4E343989E92377EE1B2F4FE8D53875F344AAF07A628D0753A3FCE0905391173BA4C0703EE
Malicious:	false
Preview:	EA06...>.@ .DB!............@...&@..@`.@..........:..........8....@.$...........$.M..@.~........./........$d.......&<8p.O....

C:\Users\user\AppData\Local\Temp\aut424A.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	5.234339897518092
Encrypted:	false
SSDEEP:	3:DLS/tClQlta+lXZgZd0tLl85xJacllTLa2ycJa1b2m6l7JxEFMl5jy7x9rVKJ:DLS/gQ3aSOZetRia8PycJax4JGFk5jOk
MD5:	F28B906ECEDE2B3559A67980FD7974AD
SHA1:	87CCA7B7BEAD6B1632E9A65F8980A3D24FAEE4F2
SHA-256:	FFFA7E464C9D72574AD03BE12C0FFEA372F884A285E4D66F82CE48D5F0ED65D0
SHA-512:	766EB53B1BBD8A1D6E42E95437375842E2479CECA564E03B33CA7ABF990A028724AA894A1BCC844B5AF0DF3A7C13FFB9CDEF5F3B42AD76E1F7B9C980B4CA0808
Malicious:	false
Preview:	EA06...>.@ .DB!............@...&@..@`.@..........:..........8....@.$...........$.M..@.~X......s...?2..\|..>_..C.....G......... ...@?.......@<.p.Np `......".X..h.

C:\Users\user\AppData\Local\Temp\aut427A.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File Type:	data
Category:	dropped
Size (bytes):	126
Entropy (8bit):	4.8618722408189
Encrypted:	false
SSDEEP:	3:DLS/tClQlta+lXZgZd0tLl85xJacllTPlj1uaWBmtllD6C:DLS/gQ3aSOZetRia8zlZsI/D
MD5:	F7E5C3E52EC923F67948F22B64948233
SHA1:	BF037923FF3D9922C2ADF24A4DE6AA2649A5C595
SHA-256:	FD1124A62EBC0AE860155195D8BF5617CF5C55A0AA17BBA377C10D30A2C6AF62
SHA-512:	C1707DE47EFF0E20C01468163C8BE0D48C499E7910DAD29A936F1D2B269E4DE17CA29058F26729A10492C381AB6AF36787613C5E22BBB6D86D8C40B6AB1E412D
Malicious:	false
Preview:	EA06...>.@ .DB!............@...&@..@`.@..........:..........8....@.$...........$.M..@.~..................$d.......&<8p.O....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.9918886564205565
TrID:	Win32 Executable (generic) a (10002005/4) 99.39% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
File size:	1'375'744 bytes
MD5:	a10aff228a835255b89419bebf24bdb2
SHA1:	959e432c06de820e4778461befb789bde41ebba8
SHA256:	c673e00e0e5c771f2d146c07d656ba6c3ea2112146e5b382ba7391e513eb8160
SHA512:	5f6bfff9f54d767b377526170f709a37f6fa4bdb066ba837a2603d0aca75f42a0cfdc9c8d4b6f52fdbe0d34573f8e5b13628c6a4f76554d20c36aef41f4f60b4
SSDEEP:	24576:14GHnhIzO6YYXsf9vA5eNizYpnjfONnXfoMBtyfuzRODhXym0Iwzl7DDEb81O:Cshd6YYXYNA5L+njat9ROEJNDEo1
TLSH:	FB55338CEA48032BD02B4A7C4C4119E57E7F7C25153655827342FBAEA5BC928C727B9F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	6f4d0d0d6d43572b

Static PE Info

General

Entrypoint:	0x5d1b00
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x5DAD3669 [Mon Oct 21 04:39:05 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	fc6683d30d9f25244a50fd5357825e79

Entrypoint Preview

Instruction
pushad
mov esi, 0057C000h
lea edi, dword ptr [esi-0017B000h]
push edi
jmp 00007FB02080F1BDh
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007FB02080F1B9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FB02080F19Fh
mov eax, 00000001h
add ebx, ebx
jne 00007FB02080F1B9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007FB02080F1BDh
jne 00007FB02080F1DAh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FB02080F1D1h
dec eax
add ebx, ebx
jne 00007FB02080F1B9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007FB02080F186h
add ebx, ebx
jne 00007FB02080F1B9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007FB02080F204h
xor ecx, ecx
sub eax, 03h
jc 00007FB02080F1C3h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007FB02080F227h
sar eax, 1
mov ebp, eax
jmp 00007FB02080F1BDh
add ebx, ebx
jne 00007FB02080F1B9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FB02080F17Eh
inc ecx
add ebx, ebx
jne 00007FB02080F1B9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FB02080F170h
add ebx, ebx
jne 00007FB02080F1B9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007FB02080F1A1h
jne 00007FB02080F1BBh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007FB02080F196h
add ecx, 02h
cmp ebp, FFFFFB00h
adc ecx, 02h
lea edx, dword ptr [edi+ebp]
cmp ebp, FFFFFFFCh
jbe 00007FB02080F1C0h
mov al, byte ptr [edx]

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2cb78c	0x424	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1d2000	0xf978c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2cbbb0	0xc	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1d1ce4	0x48	UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x17b000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0x17c000	0x56000	0x55e00	4e987b2c15fb5e828ba382dad82f303f	False	0.9873231668486172	data	7.93641543922509	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1d2000	0xfa000	0xf9c00	61b16aaf91bbde9ffe56adf884e01ab4	False	0.9902734766016016	data	7.996084162183421	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1d2354	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0x1d2480	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 0	English	Great Britain	0.5308809636277751
RT_STRING	0xcb6a0	0x594	empty	English	Great Britain	0
RT_STRING	0xcbc34	0x68a	empty	English	Great Britain	0
RT_STRING	0xcc2c0	0x490	empty	English	Great Britain	0
RT_STRING	0xcc750	0x5fc	empty	English	Great Britain	0
RT_STRING	0xccd4c	0x65c	empty	English	Great Britain	0
RT_STRING	0xcd3a8	0x466	empty	English	Great Britain	0
RT_STRING	0xcd810	0x158	empty	English	Great Britain	0
RT_RCDATA	0x1d66ac	0xf4844	data			0.9997473890209078
RT_GROUP_ICON	0x2caef4	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x2caf0c	0x14	data	English	Great Britain	1.15
RT_VERSION	0x2caf24	0x204	data	Chinese	China	0.5872093023255814
RT_MANIFEST	0x2cb12c	0x65d	XML 1.0 document, ASCII text, with CRLF line terminators	Chinese	China	0.4076120319214242

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll	GetAce
COMCTL32.dll	ImageList_Remove
COMDLG32.dll	GetOpenFileNameW
GDI32.dll	LineTo
IPHLPAPI.DLL	IcmpSendEcho
MPR.dll	WNetUseConnectionW
ole32.dll	CoGetObject
OLEAUT32.dll	VariantInit
PSAPI.DLL	GetProcessMemoryInfo
SHELL32.dll	DragFinish
USER32.dll	GetDC
USERENV.dll	LoadUserProfileW
UxTheme.dll	IsThemeActive
VERSION.dll	VerQueryValueW
WININET.dll	FtpOpenFileW
WINMM.dll	timeGetTime
WSOCK32.dll	connect

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain
Chinese	China

Target ID:	0
Start time:	06:34:52
Start date:	17/04/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe"
Imagebase:	0xf40000
File size:	1'375'744 bytes
MD5 hash:	A10AFF228A835255B89419BEBF24BDB2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	06:34:53
Start date:	17/04/2024
Path:	C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe"
Imagebase:	0x400000
File size:	300'544 bytes
MD5 hash:	4B4596685B04D3D2FA26D3DB2566E3D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 9%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	4.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	12.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	35

Executed Functions

Function 00F43B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F43B7A
IsDebuggerPresent.KERNEL32 ref: 00F43B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,010052F8,010052E0,?,?), ref: 00F43BFD

Part of subcall function 00F47D2C: _memmove.LIBCMT ref: 00F47D66

Part of subcall function 00F50A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00F43C26,010052F8,?,?,?), ref: 00F50ACE

SetCurrentDirectoryW.KERNELBASE(?), ref: 00F43C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00FF7770,00000010), ref: 00F7D3EC
SetCurrentDirectoryW.KERNEL32(?,010052F8,?,?,?), ref: 00F7D424
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00FF4260,010052F8,?,?,?), ref: 00F7D4AA
ShellExecuteW.SHELL32(00000000,?,?), ref: 00F7D4B1

Part of subcall function 00F43A58: GetSysColorBrush.USER32(0000000F), ref: 00F43A62
Part of subcall function 00F43A58: LoadCursorW.USER32(00000000,00007F00), ref: 00F43A71
Part of subcall function 00F43A58: LoadIconW.USER32(00000063), ref: 00F43A88
Part of subcall function 00F43A58: LoadIconW.USER32(000000A4), ref: 00F43A9A
Part of subcall function 00F43A58: LoadIconW.USER32(000000A2), ref: 00F43AAC
Part of subcall function 00F43A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F43AD2
Part of subcall function 00F43A58: RegisterClassExW.USER32(?), ref: 00F43B28

Part of subcall function 00F439E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000), ref: 00F43A15
Part of subcall function 00F439E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F43A36
Part of subcall function 00F439E7: ShowWindow.USER32(00000000), ref: 00F43A4A
Part of subcall function 00F439E7: ShowWindow.USER32(00000000), ref: 00F43A53

Part of subcall function 00F443DB: _memset.LIBCMT ref: 00F44401
Part of subcall function 00F443DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F444A6

Strings

runas, xrefs: 00F7D4A5
This is a third-party compiled AutoIt script., xrefs: 00F7D3E4

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: 54fde043760c0cd52ff3979ad11f91c4a7da1a3ef2452660ff8e636d011580f3
Instruction ID: 7df7bc06b585d8d59da0e907935d32ac78bf6ddf024ec4a360071d974a178147
Opcode Fuzzy Hash: 54fde043760c0cd52ff3979ad11f91c4a7da1a3ef2452660ff8e636d011580f3
Instruction Fuzzy Hash: 6951E031D08248AADF12FBB4DC46EBDBFB9AF45710F004169FD91A2191CB795A09BB21

Uniqueness

Uniqueness Score: -1.00%

Function 00F43633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
timewindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 00F436D2
KillTimer.USER32(?,00000001), ref: 00F436FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F4371F
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00F4372A
CreatePopupMenu.USER32 ref: 00F4373E
PostQuitMessage.USER32(00000000), ref: 00F4375F

Strings

TaskbarCreated, xrefs: 00F43725

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
String ID: TaskbarCreated
API String ID: 157504867-2362178303
Opcode ID: 9d33ed1c631a3a105d9cd60c17e4909e21551311fcbda9a299008a6c254b1938
Instruction ID: 3ccb9df195840855f5ef43ac9cee9bdc194d1b6eee3a690491f288e55914e581
Opcode Fuzzy Hash: 9d33ed1c631a3a105d9cd60c17e4909e21551311fcbda9a299008a6c254b1938
Instruction Fuzzy Hash: 334137B260410ABBDF255F68DC0EF793F56EF01320F540125FD86D62D2CA699E14BB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F44AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?,?,00000000), ref: 00F44B2B

Part of subcall function 00F47D2C: _memmove.LIBCMT ref: 00F47D66

GetCurrentProcess.KERNEL32(?,00FCFAEC,00000000,00000000,?,?,00000000), ref: 00F44BF8
IsWow64Process.KERNEL32(00000000,?,00000000), ref: 00F44BFF
GetNativeSystemInfo.KERNELBASE(00000000,?,00000000), ref: 00F44C45
FreeLibrary.KERNEL32(00000000,?,00000000), ref: 00F44C50
GetSystemInfo.KERNEL32(00000000,?,00000000), ref: 00F44C81
GetSystemInfo.KERNEL32(00000000,?,00000000), ref: 00F44C8D

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: b37e0262635a0f3965ab0c8134771c185f5c2b687470483e2ca564c22f2a64a3
Instruction ID: fbc0e17cbcfdf6a7f1e9d1b3a122fe362bdc7129a699651b92d2bb204783f814
Opcode Fuzzy Hash: b37e0262635a0f3965ab0c8134771c185f5c2b687470483e2ca564c22f2a64a3
Instruction Fuzzy Hash: 5991073194A7C4DEC731CB7885912AAFFF5AF65310B48899ED4CB93B41D224F908E71A

Uniqueness

Uniqueness Score: -1.00%

Function 00F44FE9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00F44EEE,?,?,00000000,00000000), ref: 00F45010
LoadResource.KERNEL32(?,00000000,?,?,00F44EEE,?,?,00000000,00000000,?,?,?,?,?,?,00F44F8F), ref: 00F7DC90
SizeofResource.KERNEL32(?,00000000,?,?,00F44EEE,?,?,00000000,00000000,?,?,?,?,?,?,00F44F8F), ref: 00F7DCA5
LockResource.KERNEL32(00F44EEE,?,?,00F44EEE,?,?,00000000,00000000,?,?,?,?,?,?,00F44F8F,00000000), ref: 00F7DCB8

Strings

SCRIPT, xrefs: 00F45006

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: SCRIPT
API String ID: 3473537107-3967369404
Opcode ID: 442fe777a25d9249ca9bcaa562b61e8939bf2a3ce22eec347948f26f9c2815e5
Instruction ID: 29911843e86092d8294405ff7bb2871e2344d063a8df64fe0c74848bdfc579dd
Opcode Fuzzy Hash: 442fe777a25d9249ca9bcaa562b61e8939bf2a3ce22eec347948f26f9c2815e5
Instruction Fuzzy Hash: AA119E75600705AFD7219B69DD49F67BFBEEBC9B11F10416CF80587250DB61EC04A660

Uniqueness

Uniqueness Score: -1.00%

Function 01111B00 Relevance: 7.7, APIs: 5, Instructions: 206
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?), ref: 01111C3A
GetProcAddress.KERNEL32(?,0110AFF9), ref: 01111C58
ExitProcess.KERNEL32(?,0110AFF9), ref: 01111C69
VirtualProtect.KERNELBASE(00F40000,00001000,00000004,?,00000000), ref: 01111CB7
VirtualProtect.KERNELBASE(00F40000,00001000), ref: 01111CCC

Memory Dump Source

Source File: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
String ID:
API String ID: 1996367037-0
Opcode ID: 7dd30341f19eae816fe2864692f5213f1f9528b6865dc288a5fcfd4b5c04551e
Instruction ID: a23441aa24862bc4a84b27ec2dc50e2b3dd7c3315aa71d09420a00ffecf98b31
Opcode Fuzzy Hash: 7dd30341f19eae816fe2864692f5213f1f9528b6865dc288a5fcfd4b5c04551e
Instruction Fuzzy Hash: 42510572A452566BD7298E7C9CC07A0FBB4FB4226471D0738C7E1C73CAF7A4580687A9

Uniqueness

Uniqueness Score: -1.00%

Function 00F4FE40 Relevance: 5.5, APIs: 3, Instructions: 1040COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: 738561394c27aa9b7ae0dac50e4c52f0dbd709b679a8b089f4e194aed82ee266
Instruction ID: 311c3496ac7af42dc9ac04b7db03db2989eccca3330e856e9939f0a4bd18153e
Opcode Fuzzy Hash: 738561394c27aa9b7ae0dac50e4c52f0dbd709b679a8b089f4e194aed82ee266
Instruction Fuzzy Hash: A0926C71A083418FD724DF14C480B6ABBE1BF89314F14896DF98A8B351DB75EC49EB92

Uniqueness

Uniqueness Score: -1.00%

Function 00FA449B Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00F7E6F1), ref: 00FA44AB
FindFirstFileW.KERNELBASE(?,?), ref: 00FA44BC
FindClose.KERNEL32(00000000), ref: 00FA44CC

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 424cbf3ab00e4bd74cc74021f552bb3e7220783551ad101cf41216bc38db10ac
Instruction ID: 6c6b8bda71251e09254ebc65d4d8ec48414795d2d36783aeef4ea3a2fadf3bc1
Opcode Fuzzy Hash: 424cbf3ab00e4bd74cc74021f552bb3e7220783551ad101cf41216bc38db10ac
Instruction Fuzzy Hash: 1FE02072C10404675610E738EC0ECE9B75DAE4A335F100716FD35C30D0E7B46D14A5D5

Uniqueness

Uniqueness Score: -1.00%

Function 00F4E060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 973cbb958883610b2e9d40ce3fd45e75272c88e1a9d934777299749a2e583d0a
Instruction ID: 3ae52eddb5cb4bc101d23d2b7688f3b61d458c4b2c91a02bf9fe42644031d4b2
Opcode Fuzzy Hash: 973cbb958883610b2e9d40ce3fd45e75272c88e1a9d934777299749a2e583d0a
Instruction Fuzzy Hash: 67228C75E002168FDB24DF58C880ABABBF0FF44320F148569EC569B351E778A985EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F50B30 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F50BBB
timeGetTime.WINMM ref: 00F50E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F50FB3
Sleep.KERNEL32(0000000A), ref: 00F50FC1
LockWindowUpdate.USER32(00000000,?,?), ref: 00F5105A
DestroyWindow.USER32 ref: 00F51066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00F51080
Sleep.KERNEL32(0000000A,?,?), ref: 00F851DC
TranslateMessage.USER32(?), ref: 00F85FB9
DispatchMessageW.USER32(?), ref: 00F85FC7
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00F85FDB

Strings

@TRAY_ID, xrefs: 00F85AE8
@COM_EVENTOBJ, xrefs: 00F85849
@GUI_WINHANDLE, xrefs: 00F852E8
@GUI_CTRLID, xrefs: 00F85293
@GUI_CTRLHANDLE, xrefs: 00F8533D

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4212290369-3242690629
Opcode ID: 5bc2544d6b426695669d21ec9a663a5aa2e26cc51e7325f8d2f97c794f48dc61
Instruction ID: ef408c8064b263b5c872a4580923937e1fe063b3812824bbec0fb9b0227045bb
Opcode Fuzzy Hash: 5bc2544d6b426695669d21ec9a663a5aa2e26cc51e7325f8d2f97c794f48dc61
Instruction Fuzzy Hash: 49B2E370608741DFD724EF24C885BAEBBE5BF84714F14491DF98987291CB79E848EB82

Uniqueness

Uniqueness Score: -1.00%

Function 00FA91FE Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FA9008: __time64.LIBCMT ref: 00FA9012

Part of subcall function 00F45045: _fseek.LIBCMT ref: 00F4505D

__wsplitpath.LIBCMT ref: 00FA92DD

Part of subcall function 00F6426E: __wsplitpath_helper.LIBCMT ref: 00F642AE

_wcscpy.LIBCMT ref: 00FA92F0
_wcscat.LIBCMT ref: 00FA9303
__wsplitpath.LIBCMT ref: 00FA9328
_wcscat.LIBCMT ref: 00FA933E
_wcscat.LIBCMT ref: 00FA9351

Part of subcall function 00FA904E: _memmove.LIBCMT ref: 00FA9087
Part of subcall function 00FA904E: _memmove.LIBCMT ref: 00FA9096

_wcscmp.LIBCMT ref: 00FA9298

Part of subcall function 00FA97DD: _wcscmp.LIBCMT ref: 00FA98CD
Part of subcall function 00FA97DD: _wcscmp.LIBCMT ref: 00FA98E0

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00FA94FB
_wcsncpy.LIBCMT ref: 00FA956E
DeleteFileW.KERNEL32(?,?), ref: 00FA95A4
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00FA95BA
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FA95CB
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FA95DD

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: c99ba53c673fa5bf7a5144f6eafd4ea1318de4bc265e753fbe9a5caee590f1b8
Instruction ID: 5c2efb7afcd236a17326a4ce68a6218faa5f7d4589db5ebf2976c3ba6fdb64a4
Opcode Fuzzy Hash: c99ba53c673fa5bf7a5144f6eafd4ea1318de4bc265e753fbe9a5caee590f1b8
Instruction Fuzzy Hash: 06C15AB1D04219ABCF21DFA4CC85ADEBBBDEF49310F0040AAF609E7241DB749A449F61

Uniqueness

Uniqueness Score: -1.00%

Function 00F471EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F44864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00F472BA,?,?,?,?,00F4108C,-01004E84), ref: 00F44882

Part of subcall function 00F6068B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00F472C5,?,?,?,?,00F4108C,-01004E84), ref: 00F606AD

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\,?,?,?,?,00F4108C,-01004E84), ref: 00F47308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?,?,?,?,?,00F4108C,-01004E84), ref: 00F7EC21
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000,?,?,?,?,00F4108C,-01004E84), ref: 00F7EC62
RegCloseKey.ADVAPI32(?,?,?,?,?,00F4108C,-01004E84), ref: 00F7ECA0
_wcscat.LIBCMT ref: 00F7ECF9

Strings

\, xrefs: 00F7ED1C
Include, xrefs: 00F7EC18, 00F7EC59
\Include\, xrefs: 00F472C5
Software\AutoIt v3\AutoIt, xrefs: 00F472FE

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 935b3c8f61370a7653131746c1e801baa2ce91cf17f1c4d727f1311c053026b3
Instruction ID: c77069c18fe4c07a40bcb2b9e3941ab209da83413a6030d7e55970dc06fca473
Opcode Fuzzy Hash: 935b3c8f61370a7653131746c1e801baa2ce91cf17f1c4d727f1311c053026b3
Instruction Fuzzy Hash: F671D3714087019EC325EF25DC4189FBBF9FF88310F40492EF485831A5EB3A9908EB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F43A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F43A62
LoadCursorW.USER32(00000000,00007F00), ref: 00F43A71
LoadIconW.USER32(00000063), ref: 00F43A88
LoadIconW.USER32(000000A4), ref: 00F43A9A
LoadIconW.USER32(000000A2), ref: 00F43AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F43AD2
RegisterClassExW.USER32(?), ref: 00F43B28

Part of subcall function 00F43041: GetSysColorBrush.USER32(0000000F), ref: 00F43074
Part of subcall function 00F43041: RegisterClassExW.USER32(00000030), ref: 00F4309E
Part of subcall function 00F43041: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00F430AF
Part of subcall function 00F43041: LoadIconW.USER32(000000A9), ref: 00F430F2

Strings

#, xrefs: 00F43B0D
0, xrefs: 00F43B06
AutoIt v3, xrefs: 00F43B17

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
String ID: #$0$AutoIt v3
API String ID: 2880975755-4155596026
Opcode ID: 2da13111ca97bcb27c630a9514be0b5c6e385dfcc0230061d63100bc87293d72
Instruction ID: 4569fd24c5c1a3235c2654b846d88c51466acac3e02cfa76a26de91a185d9d3f
Opcode Fuzzy Hash: 2da13111ca97bcb27c630a9514be0b5c6e385dfcc0230061d63100bc87293d72
Instruction Fuzzy Hash: AF213771900308EFEB22DFA4ED0AB9DBFB5EF09711F00012AF544A6295D3BA5654AF84

Uniqueness

Uniqueness Score: -1.00%

Function 00F43778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CMDLINE, xrefs: 00F43834
/AutoIt3OutputDebug, xrefs: 00F438A4
/AutoIt3ExecuteScript, xrefs: 00F438CE
/ErrorStdOut, xrefs: 00F4388F
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00F437C0
CMDLINERAW, xrefs: 00F4380D
/AutoIt3ExecuteLine, xrefs: 00F438B9

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: 3901055d8ecb7404de83f649215a324f62398218a11f45dd02fa0277099b1fb9
Instruction ID: b934323717f2c97b2ac145a3a830abb70734940e995c89305537bc3f104e6ccb
Opcode Fuzzy Hash: 3901055d8ecb7404de83f649215a324f62398218a11f45dd02fa0277099b1fb9
Instruction Fuzzy Hash: 5BA17372D142199ADF15FBA0CC92EEEBB78BF14300F40042AF856B7191DF795A09EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F4FBBD Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00F4FC06
OleUninitialize.OLE32(?,00000000), ref: 00F4FCA5
UnregisterHotKey.USER32(?), ref: 00F4FDFC
DestroyWindow.USER32(?), ref: 00F8492F
FreeLibrary.KERNEL32(?), ref: 00F84994
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00F849C1

Strings

close all, xrefs: 00F4FC01

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 57b04c5702ff79b21cd327b1b15f72b23569ac15fb17a357967dc197064fbd13
Instruction ID: b12870df0cbc86b0afe9ab56f3498334b11ad0177ab5c1ddeb855d2afe8520d9
Opcode Fuzzy Hash: 57b04c5702ff79b21cd327b1b15f72b23569ac15fb17a357967dc197064fbd13
Instruction Fuzzy Hash: 6CA18131B01213CFCB29EF14C995B6AF764BF04710F5542ADE90AAB252DB34AD1AEF50

Uniqueness

Uniqueness Score: -1.00%

Function 00F43019 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 69
registrywindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F43074
RegisterClassExW.USER32(00000030), ref: 00F4309E
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00F430AF
LoadIconW.USER32(000000A9), ref: 00F430F2

Strings

+, xrefs: 00F4305D
AutoIt v3 GUI, xrefs: 00F43090
0, xrefs: 00F43056
TaskbarCreated, xrefs: 00F430A4

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Register$BrushClassClipboardColorFormatIconLoad
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 975902462-1005189915
Opcode ID: 88db8f756425dc176b093d3ffe95f6676af634f5e7cc37254ab4c833c02f0ded
Instruction ID: e3384b7106434adfb9061838a242779098216dbcf082b456c675042b02c490d4
Opcode Fuzzy Hash: 88db8f756425dc176b093d3ffe95f6676af634f5e7cc37254ab4c833c02f0ded
Instruction Fuzzy Hash: 4C3127B1940309EFDB518FA4ED89A9DBBF1FF09710F10412AE980E6290D7BA4649DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00F43041 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 54
registrywindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F43074
RegisterClassExW.USER32(00000030), ref: 00F4309E
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00F430AF
LoadIconW.USER32(000000A9), ref: 00F430F2

Strings

+, xrefs: 00F4305D
AutoIt v3 GUI, xrefs: 00F43090
0, xrefs: 00F43056
TaskbarCreated, xrefs: 00F430A4

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Register$BrushClassClipboardColorFormatIconLoad
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 975902462-1005189915
Opcode ID: eafa9e7ed8b538418774ac7f676cb03144fdaa38a263ba4af22c652dfc4c1c4f
Instruction ID: f99e2cdf85a6aeb42c20324171760b923c5473f0d00a5a2028a7857de303a7d1
Opcode Fuzzy Hash: eafa9e7ed8b538418774ac7f676cb03144fdaa38a263ba4af22c652dfc4c1c4f
Instruction Fuzzy Hash: C221E3B1950208AFDB11DFA4ED8AB9DBBF5FB08700F00412AFA51A7290D7B646489F91

Uniqueness

Uniqueness Score: -1.00%

Function 00F473E5 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00F7ED92
7523D0D0.COMDLG32(?), ref: 00F7EDDC

Part of subcall function 00F448AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F448A1,?,?,?,00F472BA,?,?,?,?,00F4108C), ref: 00F448CE

Part of subcall function 00F60911: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F60930

Strings

au3, xrefs: 00F7EDD5
AutoIt script files (*.au3, *.a3x), xrefs: 00F7EDC0
Run Script:, xrefs: 00F7EDB1
X, xrefs: 00F7EDAA

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: NamePath$7523FullLong_memset
String ID: AutoIt script files (*.au3, *.a3x)$Run Script:$X$au3
API String ID: 3285060876-1954568251
Opcode ID: 056bb3db11fe95df13a4e3dee4ef8ffd94b27c8ae6997e4265f295b5fc0f3730
Instruction ID: 1b1493f2e9c1e0aad54719b6839612918f95dfb63a249cf8acb61618eed63926
Opcode Fuzzy Hash: 056bb3db11fe95df13a4e3dee4ef8ffd94b27c8ae6997e4265f295b5fc0f3730
Instruction Fuzzy Hash: 0021C631A0024C9BDF11DF94CC45BEE7BF9AF49710F00405AE908A7252DFF85949AFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F69C66 Relevance: 10.5, APIs: 7, Instructions: 45
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__init_pointers.LIBCMT ref: 00F69C66

Part of subcall function 00F63307: RtlEncodePointer.NTDLL(00000000), ref: 00F6330A
Part of subcall function 00F63307: __initp_misc_winsig.LIBCMT ref: 00F63325
Part of subcall function 00F63307: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00F6A020
Part of subcall function 00F63307: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00F6A034
Part of subcall function 00F63307: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00F6A047
Part of subcall function 00F63307: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00F6A05A
Part of subcall function 00F63307: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00F6A06D
Part of subcall function 00F63307: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00F6A080
Part of subcall function 00F63307: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00F6A093
Part of subcall function 00F63307: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00F6A0A6
Part of subcall function 00F63307: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00F6A0B9
Part of subcall function 00F63307: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00F6A0CC
Part of subcall function 00F63307: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00F6A0DF
Part of subcall function 00F63307: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00F6A0F2
Part of subcall function 00F63307: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00F6A105
Part of subcall function 00F63307: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00F6A118
Part of subcall function 00F63307: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00F6A12B
Part of subcall function 00F63307: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00F6A13E

__mtinitlocks.LIBCMT ref: 00F69C6B
__mtterm.LIBCMT ref: 00F69C74

Part of subcall function 00F69CDC: RtlDeleteCriticalSection.NTDLL(00000000), ref: 00F69DD6
Part of subcall function 00F69CDC: _free.LIBCMT ref: 00F69DDD
Part of subcall function 00F69CDC: RtlDeleteCriticalSection.NTDLL(00FFEC00), ref: 00F69DFF

__calloc_crt.LIBCMT ref: 00F69C99
__initptd.LIBCMT ref: 00F69CBB
GetCurrentThreadId.KERNEL32 ref: 00F69CC2

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 466668ce1fc16355251fd4b779bd1f2e4e6caf792921cdfed69400ecf00a85ce
Instruction ID: 8ad5cecfd38f3abd7a4f3789b6ea86636ebc9708e303c15d8c9a3417e7b6076a
Opcode Fuzzy Hash: 466668ce1fc16355251fd4b779bd1f2e4e6caf792921cdfed69400ecf00a85ce
Instruction Fuzzy Hash: D4F06D32A5D71359EA347678BD0765A36DDDF02730B210719F464C91D2EFB48541B161

Uniqueness

Uniqueness Score: -1.00%

Function 00F439E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000), ref: 00F43A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F43A36
ShowWindow.USER32(00000000), ref: 00F43A4A
ShowWindow.USER32(00000000), ref: 00F43A53

Strings

edit, xrefs: 00F43A30
AutoIt v3, xrefs: 00F43A0D, 00F43A12, 00F43A13

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 4d198babc6a4827d44770f656d26c32b1a57f5936643796cd1110a7f4a8b263c
Instruction ID: bf1c356536cb214f17d461804df889e901f44c536f2e87c681efdd9eb8e27857
Opcode Fuzzy Hash: 4d198babc6a4827d44770f656d26c32b1a57f5936643796cd1110a7f4a8b263c
Instruction Fuzzy Hash: 9EF01770500294BAEA3257236C0DE2B7E7EDBCBF50F00402EB904A2164C26A0810DFB1

Uniqueness

Uniqueness Score: -1.00%

Function 00F6558D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F655EB
_memcpy_s.LIBCMT ref: 00F6565D
__read_nolock.LIBCMT ref: 00F656BB
__filbuf.LIBCMT ref: 00F656DE
_memset.LIBCMT ref: 00F65722

Part of subcall function 00F68CA8: __getptd_noexit.LIBCMT ref: 00F68CA8

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 24a5ddc182637a8aaa3a9d00c0938485edd4c5b822ff2d41088c3fb68c12f61c
Instruction ID: ba5662cd32f907fc50fcec47d6f470a730e524bac192b31dcac44f48e4cc7d1c
Opcode Fuzzy Hash: 24a5ddc182637a8aaa3a9d00c0938485edd4c5b822ff2d41088c3fb68c12f61c
Instruction Fuzzy Hash: 7F51B271E00B0ADBDF248E69C88466E77B6AF40B34F24872DF825A62D0D7719D50EB40

Uniqueness

Uniqueness Score: -1.00%

Function 00F469CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00F44F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,010052F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F44F6F

_free.LIBCMT ref: 00F7E5BC
_free.LIBCMT ref: 00F7E603

Part of subcall function 00F46BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00F46D0D

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00F7E392
Bad directive syntax error, xrefs: 00F7E5EB

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: db873771e951e7687ebb910e428eb0d62000c8b34d07191de855428d6719472b
Instruction ID: 3e1f57bd7adcedfa48fdab8d8ccad6abaada063ca573dfa85549e4b2b5d1255f
Opcode Fuzzy Hash: db873771e951e7687ebb910e428eb0d62000c8b34d07191de855428d6719472b
Instruction Fuzzy Hash: 2D917F71910219AFCF04EFA4CC919EDBBB4FF09314B14846AF815EB2A1EB34A914EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F435B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00F435A1,SwapMouseButtons,00000004,?), ref: 00F435D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00F435A1,SwapMouseButtons,00000004,?,?,?,?,00F42754), ref: 00F435F5
RegCloseKey.KERNELBASE(00000000,?,?,00F435A1,SwapMouseButtons,00000004,?,?,?,?,00F42754), ref: 00F43617

Strings

Control Panel\Mouse, xrefs: 00F435D2

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 279e8f7412b1adfcaa67b8e7acb295604d031e9d944ad9d653a3d7a6cf8913bd
Instruction ID: 4af6e8d0c0434f8737e3a3a2d66cd36ff15a51ebdec293ea7c22d7c624d455cc
Opcode Fuzzy Hash: 279e8f7412b1adfcaa67b8e7acb295604d031e9d944ad9d653a3d7a6cf8913bd
Instruction Fuzzy Hash: 08115771A10209BFDB209F64DC81EEEBBB9EF04750F128469FC05D7210E2719F44ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FA9604 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00F45045: _fseek.LIBCMT ref: 00F4505D

Part of subcall function 00FA97DD: _wcscmp.LIBCMT ref: 00FA98CD
Part of subcall function 00FA97DD: _wcscmp.LIBCMT ref: 00FA98E0

_free.LIBCMT ref: 00FA974B
_free.LIBCMT ref: 00FA9752
_free.LIBCMT ref: 00FA97BD

Part of subcall function 00F62ED5: RtlFreeHeap.NTDLL(00000000,00000000,?,00F69BA4,00000000,00F68CAD,00F74FF7,?,00F6A2F2,00000003,00F6323D,?,00F69DAE,00000011), ref: 00F62EE9
Part of subcall function 00F62ED5: GetLastError.KERNEL32(00000000,?,00F69BA4,00000000,00F68CAD,00F74FF7,?,00F6A2F2,00000003,00F6323D,?,00F69DAE,00000011,?,?,00F6339E), ref: 00F62EFB

_free.LIBCMT ref: 00FA97C5

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 7d9a7371b5b87e50d948750c2ef27707bdedd119c849d3afe3f5622887fdef91
Instruction ID: 61739b70b3e40177fcd2cab43753248c7aee492e66984888c0adc21e8d6fbacb
Opcode Fuzzy Hash: 7d9a7371b5b87e50d948750c2ef27707bdedd119c849d3afe3f5622887fdef91
Instruction Fuzzy Hash: 7F515DF1904219AFDF249F64CC81A9EBBB9EF48710F1005AEF609A7342DB755A80DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00F6487A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F64910
__flush.LIBCMT ref: 00F64930
__write.LIBCMT ref: 00F64963
__flsbuf.LIBCMT ref: 00F64991

Part of subcall function 00F68CA8: __getptd_noexit.LIBCMT ref: 00F68CA8

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: a923b7873566b4085d2997abdcc727cb28eed7f6b1c1778fc8c8b24037643a51
Instruction ID: 31c9ad500aa9e193a00006c6f7fc8c56e372ebe8124d553d004c7ba0c147c0ee
Opcode Fuzzy Hash: a923b7873566b4085d2997abdcc727cb28eed7f6b1c1778fc8c8b24037643a51
Instruction Fuzzy Hash: 4041D431E0474AAFDB18EE79C88096F7BB6AF85370B24863DE855C7640D670FD80AB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FA3A6E Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00FCFAC0), ref: 00FA3AA8
GetLastError.KERNEL32 ref: 00FA3AB7
CreateDirectoryW.KERNELBASE(?,00000000), ref: 00FA3AC6
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00FCFAC0), ref: 00FA3B23

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: c97bdfe2495eae9a9d2413fc341fe6686a4e350117fa905bb3368d4719638719
Instruction ID: 13aa937191e9b23577854e8a2fb85852739cc460a79c0b4599a249820244c77a
Opcode Fuzzy Hash: c97bdfe2495eae9a9d2413fc341fe6686a4e350117fa905bb3368d4719638719
Instruction Fuzzy Hash: 3F21E7B05083019FC300EF24C98199BFBE9EE46764F144A1EF499C72A1D734DE09EB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F44531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F44560

Part of subcall function 00F4410D: _memset.LIBCMT ref: 00F4418D
Part of subcall function 00F4410D: _wcscpy.LIBCMT ref: 00F441E1
Part of subcall function 00F4410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F441F1

KillTimer.USER32(?,00000001,?,?), ref: 00F445B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F445C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F7D5FE

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 48a5f417cb2ddc6e3c03f6c35c3754d387662b96ef9fe051b8a027e35a346ff4
Instruction ID: e1122e3733408960099ca2f5d2a5f9f1ca240a7dad7802b28a2595448ee1612b
Opcode Fuzzy Hash: 48a5f417cb2ddc6e3c03f6c35c3754d387662b96ef9fe051b8a027e35a346ff4
Instruction Fuzzy Hash: A221DAB19047849FEB328B24CC55BE7BFEC9F01318F08409EE68D67245DB742984AB51

Uniqueness

Uniqueness Score: -1.00%

Function 00FA8E3A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FA8E55
__fread_nolock.LIBCMT ref: 00FA8E6A

Strings

EA06, xrefs: 00FA8E9C

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 77b7235d062526615f336af12fbfa719a4d5f7fc4ab15a2ee048773861bbd70c
Instruction ID: 0f762defcf001afad14f24b4b1bc42596260602ca53d777e6c7f9382fc4ef1f5
Opcode Fuzzy Hash: 77b7235d062526615f336af12fbfa719a4d5f7fc4ab15a2ee048773861bbd70c
Instruction Fuzzy Hash: 7401B972D04218BEDB28CBA8CC56EFE7BF8DB15711F00459AF552D2181E9B9E6089760

Uniqueness

Uniqueness Score: -1.00%

Function 00F60F36 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00F6588C: __FF_MSGBANNER.LIBCMT ref: 00F658A3
Part of subcall function 00F6588C: __NMSG_WRITE.LIBCMT ref: 00F658AA
Part of subcall function 00F6588C: RtlAllocateHeap.NTDLL(01730000,00000000,00000001), ref: 00F658CF

std::exception::exception.LIBCMT ref: 00F60F6C
__CxxThrowException@8.LIBCMT ref: 00F60F81

Part of subcall function 00F6871B: RaiseException.KERNEL32(?,?,?,00FF9E78,?,?,?,?,?,00F60F86,?,00FF9E78,?,00000001), ref: 00F68770

Strings

bad allocation, xrefs: 00F60F61

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID: bad allocation
API String ID: 3902256705-2104205924
Opcode ID: 66e9a90118f3db48282a8a45a79349759850dcd4bf3dc77f5130ba763f736cf7
Instruction ID: b754731c3ffc0ef9a03d925c77550d4ad32847c1b96828c10fab707865b20eb1
Opcode Fuzzy Hash: 66e9a90118f3db48282a8a45a79349759850dcd4bf3dc77f5130ba763f736cf7
Instruction Fuzzy Hash: D5F0C83590421D66CB24BA98EC01ADF7BADDF10360F24096AFD0896293EFB59E51F2D1

Uniqueness

Uniqueness Score: -1.00%

Function 00FA998C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00FA99A1
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00FA99B8

Strings

aut, xrefs: 00FA99B2

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 138ff2e7c9096b98e535594602269851e4072a0ce72064e6fa87ec8b55a119d2
Instruction ID: cf9fb896ef16d0a7d1afd6af45c30b24885e9a8f674f34451b95f7fc2675ac70
Opcode Fuzzy Hash: 138ff2e7c9096b98e535594602269851e4072a0ce72064e6fa87ec8b55a119d2
Instruction Fuzzy Hash: 6BD05B7554030D6BDB509B90DC0EFDAB73CD704700F0002B1BB54920A1D97095599B91

Uniqueness

Uniqueness Score: -1.00%

Function 00F4F8CF Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F602E2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F60313
Part of subcall function 00F602E2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00F6031B
Part of subcall function 00F602E2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F60326
Part of subcall function 00F602E2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F60331
Part of subcall function 00F602E2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00F60339
Part of subcall function 00F602E2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00F60341

Part of subcall function 00F56259: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 00F562B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00F4FB2D
OleInitialize.OLE32(00000000), ref: 00F4FBAA
CloseHandle.KERNEL32(00000000), ref: 00F84921

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Virtual$Handle$ClipboardCloseFormatInitializeRegister
String ID:
API String ID: 3094916012-0
Opcode ID: 53f4c6cff7cb32696cd9693388de24f82c2c43be91d032bd5eef989b50c85a4d
Instruction ID: 58b6cdd6606d3494ef3e0d2d5204fd6f9adb929c3b411bcd039cecba39494d95
Opcode Fuzzy Hash: 53f4c6cff7cb32696cd9693388de24f82c2c43be91d032bd5eef989b50c85a4d
Instruction Fuzzy Hash: C581E3B0A052408FC7A6DF39FD556997BE5FB4830AF52812AD488C729AEF7E4804DF11

Uniqueness

Uniqueness Score: -1.00%

Function 00F6588C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00F658A3

Part of subcall function 00F6A2EB: __NMSG_WRITE.LIBCMT ref: 00F6A312
Part of subcall function 00F6A2EB: __NMSG_WRITE.LIBCMT ref: 00F6A31C

__NMSG_WRITE.LIBCMT ref: 00F658AA

Part of subcall function 00F6A348: GetModuleFileNameW.KERNEL32(00000000,010033BA,00000104,?,?,?), ref: 00F6A3DA
Part of subcall function 00F6A348: ___crtMessageBoxW.LIBCMT ref: 00F6A488

Part of subcall function 00F6321F: ___crtCorExitProcess.LIBCMT ref: 00F63225
Part of subcall function 00F6321F: ExitProcess.KERNEL32 ref: 00F6322E

Part of subcall function 00F68CA8: __getptd_noexit.LIBCMT ref: 00F68CA8

RtlAllocateHeap.NTDLL(01730000,00000000,00000001), ref: 00F658CF

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 0762aa96997c36f4a17783eb9c9decf1d0d0c0ca1457713fe3730a50202871e8
Instruction ID: fa7c66f0c32a4c99754b176a6328793d796a9d2c05eab75d6811b99f22c83b90
Opcode Fuzzy Hash: 0762aa96997c36f4a17783eb9c9decf1d0d0c0ca1457713fe3730a50202871e8
Instruction Fuzzy Hash: 3F01F132680B029FD6223775EC02B2E7358EF82BB0F10012AF501BB682DE79CD01B761

Uniqueness

Uniqueness Score: -1.00%

Function 00FA994B Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00FA95F1,?,?,?,?,?,00000004), ref: 00FA9964
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00FA95F1,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00FA997A
CloseHandle.KERNEL32(00000000,?,00FA95F1,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00FA9981

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 76292dbab389b21355dfeac1ddaa35e64593dd15a1725941f1c6e734692f5732
Instruction ID: 65fd9a5254482f5c807d78fc4a4b43b6b1e7b2d5bcf8c229af42b063d48fb921
Opcode Fuzzy Hash: 76292dbab389b21355dfeac1ddaa35e64593dd15a1725941f1c6e734692f5732
Instruction Fuzzy Hash: 06E08632540218B7DB211B54EC0AFDABB19AB45770F148220FB546A0E087B12915A798

Uniqueness

Uniqueness Score: -1.00%

Function 00FA8DB6 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00FA8DC4

Part of subcall function 00F62ED5: RtlFreeHeap.NTDLL(00000000,00000000,?,00F69BA4,00000000,00F68CAD,00F74FF7,?,00F6A2F2,00000003,00F6323D,?,00F69DAE,00000011), ref: 00F62EE9
Part of subcall function 00F62ED5: GetLastError.KERNEL32(00000000,?,00F69BA4,00000000,00F68CAD,00F74FF7,?,00F6A2F2,00000003,00F6323D,?,00F69DAE,00000011,?,?,00F6339E), ref: 00F62EFB

_free.LIBCMT ref: 00FA8DD5
_free.LIBCMT ref: 00FA8DE7

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: da83f3a9c8313d5dba728f7a15bdec3741db116714464bd9b18197c9301ee2d0
Instruction ID: f148eb807f7eb8ea6e179917d24737b98dbb5db3491938c1111d5a4ad5865b99
Opcode Fuzzy Hash: da83f3a9c8313d5dba728f7a15bdec3741db116714464bd9b18197c9301ee2d0
Instruction Fuzzy Hash: 29E05BE1B01B0143DA64657CAD40E9333DC9F697B17140D2DF40AD75C2CE68F882A134

Uniqueness

Uniqueness Score: -1.00%

Function 00F4AB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00F7FF5A

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 46168c15b8b6a6be68cb805ed967c294d3643dfce9c3761c299ef0248962afe8
Instruction ID: ac821bbb332f9e42f33c837057934ed157458774d9ced9377fa09d6f2eb76713
Opcode Fuzzy Hash: 46168c15b8b6a6be68cb805ed967c294d3643dfce9c3761c299ef0248962afe8
Instruction Fuzzy Hash: 1D223A719083019FD724DF14C894B6ABBE1FF84314F15896DE89A8B362DB35EC45EB82

Uniqueness

Uniqueness Score: -1.00%

Function 00F44DD0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F44E1A

Strings

EA06, xrefs: 00F7DC25

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: c8b6ca1f03430a72ae2acc77574186f4f25564122f9e4bc48a597082e291b8f5
Instruction ID: faad0d76d290d3057a1939e26c7a351d4a0178b42337e43fddda590b3c6d2751
Opcode Fuzzy Hash: c8b6ca1f03430a72ae2acc77574186f4f25564122f9e4bc48a597082e291b8f5
Instruction Fuzzy Hash: BE415C62E041585BDF219F64CC517BE7FA6AF05310F684065FD82BB282C629BD44B7E2

Uniqueness

Uniqueness Score: -1.00%

Function 00F4492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

745EC8D0.UXTHEME ref: 00F44992

Part of subcall function 00F634EC: __lock.LIBCMT ref: 00F634F2
Part of subcall function 00F634EC: RtlDecodePointer.NTDLL(00000001), ref: 00F634FE
Part of subcall function 00F634EC: RtlEncodePointer.NTDLL(?), ref: 00F63509

Part of subcall function 00F44A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00F44A73
Part of subcall function 00F44A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00F44A88

Part of subcall function 00F43B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F43B7A
Part of subcall function 00F43B4C: IsDebuggerPresent.KERNEL32 ref: 00F43B8C
Part of subcall function 00F43B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,010052F8,010052E0,?,?), ref: 00F43BFD
Part of subcall function 00F43B4C: SetCurrentDirectoryW.KERNELBASE(?), ref: 00F43C81

SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 00F449D2

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$DebuggerDecodeEncodeFullNamePathPresent__lock
String ID:
API String ID: 2688871447-0
Opcode ID: f4542a0aa55e3c650db8d17bc52dca10adb19ac8accd1ff762c257c96117520d
Instruction ID: 2180445d195c328c841428126d5a73227e49800590904415a3c8542b53b9e061
Opcode Fuzzy Hash: f4542a0aa55e3c650db8d17bc52dca10adb19ac8accd1ff762c257c96117520d
Instruction Fuzzy Hash: 5111DF719083059FC711EF28DC4590AFFE8EF89710F00451EF485932A1DBBA9948EF82

Uniqueness

Uniqueness Score: -1.00%

Function 00F6576D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F6579C
__lock_file.LIBCMT ref: 00F657BD

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 9f09d890a56bb79f94b8d6f6e9a3dc4409c4567dba165b3dedbb81eeef1b3f8a
Instruction ID: b6894210b7af8b4d331d349bff2efe8eaa15abee8143b7e8df7d81f30c838f94
Opcode Fuzzy Hash: 9f09d890a56bb79f94b8d6f6e9a3dc4409c4567dba165b3dedbb81eeef1b3f8a
Instruction Fuzzy Hash: B2018471C01A4DEBCF11AFA88C0189E7B72BF81760F144219F8146A151DB798A12FB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F65516 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00F68CA8: __getptd_noexit.LIBCMT ref: 00F68CA8

__lock_file.LIBCMT ref: 00F6555B

Part of subcall function 00F66D8E: __lock.LIBCMT ref: 00F66DB1

__fclose_nolock.LIBCMT ref: 00F65566

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 7aabcc2c13ce3396ceb696d8ba72a3a7ef1ca1d3dd92b71eddcb20d97f813e3c
Instruction ID: ec3d64ea9d73e45d5a46963187484adc2dcd9e8ec545042d3c1be93f6732c549
Opcode Fuzzy Hash: 7aabcc2c13ce3396ceb696d8ba72a3a7ef1ca1d3dd92b71eddcb20d97f813e3c
Instruction Fuzzy Hash: 18F09071901B05AAD710AB758C0AB6E76A26F40775F288209B416BB1C1CF7C8D02BB52

Uniqueness

Uniqueness Score: -1.00%

Function 00F6321F Relevance: 3.0, APIs: 2, Instructions: 7COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCorExitProcess.LIBCMT ref: 00F63225

Part of subcall function 00F631EB: GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,FFFFFFFE,00000008,?,00F6322A,?,?,00F634C3,?,00FF9EF0,0000001C,00F63302,?,00000001,00000000), ref: 00F631FA
Part of subcall function 00F631EB: GetProcAddress.KERNEL32(FFFFFFFE,CorExitProcess), ref: 00F6320C

ExitProcess.KERNEL32 ref: 00F6322E

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: c724839909cb150500d88d90eec42043b9616b04885558a98d4ed9294677f517
Instruction ID: d93c1772eb97e20637a83a9d24017e1e0a488fafb57d5cada7f0c09918698748
Opcode Fuzzy Hash: c724839909cb150500d88d90eec42043b9616b04885558a98d4ed9294677f517
Instruction Fuzzy Hash: D4B0923000420CBBDB012F11DC0A8487F2AFF05A90B008020F80409031DB73AA92AA80

Uniqueness

Uniqueness Score: -1.00%

Function 00F80005 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00F80010

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 27afde8cfaa2ae5813f5f0dba194725489b2692563f7c6375559e13f45e3b37e
Instruction ID: 440c5726d3d659e36ebdfd33fb548420b7103a7b2d209b9278e7e8a3ad0c5421
Opcode Fuzzy Hash: 27afde8cfaa2ae5813f5f0dba194725489b2692563f7c6375559e13f45e3b37e
Instruction Fuzzy Hash: E14106749083418FDB24DF14C484B1ABBE1BF85318F1988ACE9998B762C776E849DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00F480D7 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F48109

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 7b10f55ceb290050180f6ddfbcf751638d38cb934b1af478937ae6434547f185
Instruction ID: 48e31e6d1611e19705ed86b019edd000824ed2164d70e632bb1a7fcbfc79f71c
Opcode Fuzzy Hash: 7b10f55ceb290050180f6ddfbcf751638d38cb934b1af478937ae6434547f185
Instruction Fuzzy Hash: 3C115176604605DFC724DF28D481916BBF5FF48354720C82EE88ACB361DB32E842DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F44F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F44D13: FreeLibrary.KERNEL32(00000000,?), ref: 00F44D4D

Part of subcall function 00F653CB: __wfsopen.LIBCMT ref: 00F653D6

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,010052F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F44F6F

Part of subcall function 00F44CC8: FreeLibrary.KERNEL32(00000000), ref: 00F44D02

Part of subcall function 00F44DD0: _memmove.LIBCMT ref: 00F44E1A

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 3f066a15f0b9d813bb73ca170a024967d8b771f431e4279a72c47366df42c042
Instruction ID: 782295eba085959dcdbe5eeaa722b5aa0e138134fc8fcb0623e21c3e20b7ccea
Opcode Fuzzy Hash: 3f066a15f0b9d813bb73ca170a024967d8b771f431e4279a72c47366df42c042
Instruction Fuzzy Hash: 4811EB3160060AABDF10FF74CC52F6DBBA59F40710F10842DFD41B7181DA79AA05B761

Uniqueness

Uniqueness Score: -1.00%

Function 00F800DE Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00F800EA

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 0ba92002aedf14bacb51c284c2f6f46d7843fd7c5f36988be44a275e08a3eb21
Instruction ID: 59e79e96be7b3bf06c38f121bc9e5634f06f3a8871d5dbd9c08386ca032910d8
Opcode Fuzzy Hash: 0ba92002aedf14bacb51c284c2f6f46d7843fd7c5f36988be44a275e08a3eb21
Instruction Fuzzy Hash: B2210FB0908341DFDB24DF14C844B1BBBE1BF88314F058968E99A57762DB35E809EB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F649D3 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00F64A16

Part of subcall function 00F68CA8: __getptd_noexit.LIBCMT ref: 00F68CA8

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 202f16a0a563166eb884ac98d68dacec18272d1d3ac4ca5bfa778f7d856d1a02
Instruction ID: efcd01c78ca14c00aa0840119b61a7ad391eb0d8031a7c8dab8ef22dca47f665
Opcode Fuzzy Hash: 202f16a0a563166eb884ac98d68dacec18272d1d3ac4ca5bfa778f7d856d1a02
Instruction Fuzzy Hash: C3F0AF32940245BBDF11BFB48C067AE36A1AF00365F048618B824AB191DBBC9911FF55

Uniqueness

Uniqueness Score: -1.00%

Function 00F44FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,010052F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F44FDE

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: d83df2d46a0885ce613a2fd6987c178baa03aff396ba628ad4684caa57c570e4
Instruction ID: 8d8079c46136e825554a2c00516d127f81bfda1ae90c623149c39439abd37906
Opcode Fuzzy Hash: d83df2d46a0885ce613a2fd6987c178baa03aff396ba628ad4684caa57c570e4
Instruction Fuzzy Hash: DEF015B1505712CFCB349F64E894A12BFE1BF043393248A3EE9D7A3A10C731A848EB40

Uniqueness

Uniqueness Score: -1.00%

Function 00F60911 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F60930

Part of subcall function 00F47D2C: _memmove.LIBCMT ref: 00F47D66

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 753010f0e2aa79cb4de44acc0b6c15027fcecef1ce61fb02cc31bac57fdef08b
Instruction ID: e7572736be1da7abef53e5f9a2fb4898c57594a064f9ef14639bfd5f886a65c1
Opcode Fuzzy Hash: 753010f0e2aa79cb4de44acc0b6c15027fcecef1ce61fb02cc31bac57fdef08b
Instruction Fuzzy Hash: 27E0CD3690522C57C720E65C9C06FFAB7EDDF88790F0441B6FC0CD7204D9685C859691

Uniqueness

Uniqueness Score: -1.00%

Function 00FA8F48 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00FA8F6A

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 87e92921201f7f350e3b6a5d32947fae34ea2a0dab1f5900b9b8b54ddfacd81a
Instruction ID: 2b48f23fe917217a766deeb0bb43178488e108533f13fdf22bea64d227340576
Opcode Fuzzy Hash: 87e92921201f7f350e3b6a5d32947fae34ea2a0dab1f5900b9b8b54ddfacd81a
Instruction Fuzzy Hash: 55E092B1604B009FDB388A24DC007A373E1AB06314F00081CF29AD3241EFA3B842DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00FA4804 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?), ref: 00FA481D

Part of subcall function 00F47D2C: _memmove.LIBCMT ref: 00F47D66

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: FolderPath_memmove
String ID:
API String ID: 3334745507-0
Opcode ID: b076450697e4200daf6dd88c3eeb275c77c43684b955371e9f7aab608a774fa9
Instruction ID: 89e5b507a67c09da905f9df1b27fff724cccf133b1f9e3c2d42f56fe5982f2f8
Opcode Fuzzy Hash: b076450697e4200daf6dd88c3eeb275c77c43684b955371e9f7aab608a774fa9
Instruction Fuzzy Hash: A8D05EA691032C2BDB64E6789C0EDB77BADDB44221F0006A17C5CC3112E9289D4986E0

Uniqueness

Uniqueness Score: -1.00%

Function 00F653CB Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00F653D6

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 75ca6c02ef3f016371420b81e1b5187e19de0eb381794439cdaeaa0e39976feb
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 5DB0927644020C77CE012A82EC03A493B5A9B40BA4F408021FB0C282A2AAB7A660A689

Uniqueness

Uniqueness Score: -1.00%

Function 00F634D8 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

_doexit.LIBCMT ref: 00F634E2

Part of subcall function 00F633A9: __lock.LIBCMT ref: 00F633B7
Part of subcall function 00F633A9: RtlDecodePointer.NTDLL(00FF9EF0), ref: 00F633F6
Part of subcall function 00F633A9: RtlDecodePointer.NTDLL ref: 00F63407
Part of subcall function 00F633A9: RtlEncodePointer.NTDLL(00000000), ref: 00F63420
Part of subcall function 00F633A9: RtlDecodePointer.NTDLL(-00000004), ref: 00F63430
Part of subcall function 00F633A9: RtlEncodePointer.NTDLL(00000000), ref: 00F63436
Part of subcall function 00F633A9: RtlDecodePointer.NTDLL ref: 00F6344C
Part of subcall function 00F633A9: RtlDecodePointer.NTDLL ref: 00F63457

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Pointer$Decode$Encode$__lock_doexit
String ID:
API String ID: 2158581194-0
Opcode ID: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
Instruction ID: b0799d13f087c4f5e6b61ebb164c9397f0574c925bb110849453dd666e0ab345
Opcode Fuzzy Hash: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
Instruction Fuzzy Hash: F0B0123158030C33E9102941EC03F053B0C4740B60F100020FA0C2C2E1A9D3766050C9

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00FCCB26 Relevance: 68.9, APIs: 37, Strings: 2, Instructions: 632windowkeyboardnativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F42612: GetWindowLongW.USER32(?,000000EB), ref: 00F42623

NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?), ref: 00FCCBA1
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00FCCBFF
GetWindowLongW.USER32(?,000000F0), ref: 00FCCC40
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FCCC6A
SendMessageW.USER32 ref: 00FCCC93
_wcsncpy.LIBCMT ref: 00FCCCFF
GetKeyState.USER32(00000011), ref: 00FCCD20
GetKeyState.USER32(00000009), ref: 00FCCD2D
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00FCCD43
GetKeyState.USER32(00000010), ref: 00FCCD4D
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FCCD76
SendMessageW.USER32 ref: 00FCCD9D
SendMessageW.USER32(?,00001030,?,00FCB37C), ref: 00FCCEA1
SetCapture.USER32(?), ref: 00FCCED3
ClientToScreen.USER32(?,?), ref: 00FCCF38
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00FCCF5F
ReleaseCapture.USER32 ref: 00FCCF6A
GetCursorPos.USER32(?), ref: 00FCCFA4
ScreenToClient.USER32(?,?), ref: 00FCCFB1
SendMessageW.USER32(?,00001012,00000000,?), ref: 00FCD00D
SendMessageW.USER32 ref: 00FCD03B
SendMessageW.USER32(?,00001111,00000000,?), ref: 00FCD078
SendMessageW.USER32 ref: 00FCD0A7
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00FCD0C8
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00FCD0D7
GetCursorPos.USER32(?), ref: 00FCD0F7
ScreenToClient.USER32(?,?), ref: 00FCD104
GetParent.USER32(?), ref: 00FCD124
SendMessageW.USER32(?,00001012,00000000,?), ref: 00FCD18D
SendMessageW.USER32 ref: 00FCD1BE
ClientToScreen.USER32(?,?), ref: 00FCD21C
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00FCD24C
SendMessageW.USER32(?,00001111,00000000,?), ref: 00FCD276
SendMessageW.USER32 ref: 00FCD299
ClientToScreen.USER32(?,?), ref: 00FCD2EB
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00FCD31F

Part of subcall function 00F425DB: GetWindowLongW.USER32(?,000000EB), ref: 00F425EC

GetWindowLongW.USER32(?,000000F0), ref: 00FCD3BB

Strings

F, xrefs: 00FCD29F
@GUI_DRAGID, xrefs: 00FCCF06

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$ClientScreen$LongWindow$State$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 302779176-4164748364
Opcode ID: fe38b0bc532858fbebf0c2e08bbfef1a340a71a73a9754ead3855b30f1a487e7
Instruction ID: 8bc2f06f61c6ed81603f64c21c9f1069fe4a9e5edf167d92cf67d3f39061f5dd
Opcode Fuzzy Hash: fe38b0bc532858fbebf0c2e08bbfef1a340a71a73a9754ead3855b30f1a487e7
Instruction Fuzzy Hash: 4B429F30604342AFD721CF64CA46FAABBE5BF89320F14092DF599972A1C732DD44EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00FC7E0D Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00FC8502

Strings

%d/%02d/%02d, xrefs: 00FC823B

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: 2007ef059a3df0569c26fd4218ab97bea951d5126d30855c08d1ff97db06fb6f
Instruction ID: 68347bc8b9b40938f4464863e611aa78f7b1df203cc6abb4e6c4afb03cfa8033
Opcode Fuzzy Hash: 2007ef059a3df0569c26fd4218ab97bea951d5126d30855c08d1ff97db06fb6f
Instruction Fuzzy Hash: AE12F27190020AABEB258F24CE4AFAB7BB4EF45360F14452DF515DB2E0DFB48946EB10

Uniqueness

Uniqueness Score: -1.00%

Function 00F570FE Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F57323
_memset.LIBCMT ref: 00F57699
_memmove.LIBCMT ref: 00F5780C

Strings

\b(?=\w), xrefs: 00F93ABF
Q\E, xrefs: 00F5812B
[:<:]], xrefs: 00F575D9
DEFINE, xrefs: 00F92459
\b(?<=\w), xrefs: 00F93AC9
[:>:]], xrefs: 00F575F2

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: a88eb793d3ea4dda52fda1f24dce9fdc283ba5ac4cafff684c5cfe5132918093
Instruction ID: be5c533eafc549fdf1dd77248bb4535bfb9719105354a3a97e1bda3645784115
Opcode Fuzzy Hash: a88eb793d3ea4dda52fda1f24dce9fdc283ba5ac4cafff684c5cfe5132918093
Instruction Fuzzy Hash: FD93A475E00215DBEF24CF98D881BADB7B1FF48720F25816AE945EB290E7749D81EB40

Uniqueness

Uniqueness Score: -1.00%

Function 00F44A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00F44A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F7D9BE
IsIconic.USER32(?), ref: 00F7D9C7
ShowWindow.USER32(?,00000009), ref: 00F7D9D4
SetForegroundWindow.USER32(?), ref: 00F7D9DE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F7D9F4
GetCurrentThreadId.KERNEL32 ref: 00F7D9FB
GetWindowThreadProcessId.USER32(?,00000000), ref: 00F7DA07
AttachThreadInput.USER32(?,00000000,00000001), ref: 00F7DA18
AttachThreadInput.USER32(?,00000000,00000001), ref: 00F7DA20
AttachThreadInput.USER32(00000000,?,00000001), ref: 00F7DA28
SetForegroundWindow.USER32(?), ref: 00F7DA2B
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F7DA40
keybd_event.USER32(00000012,00000000), ref: 00F7DA4B
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F7DA55
keybd_event.USER32(00000012,00000000), ref: 00F7DA5A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F7DA63
keybd_event.USER32(00000012,00000000), ref: 00F7DA68
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F7DA72
keybd_event.USER32(00000012,00000000), ref: 00F7DA77
SetForegroundWindow.USER32(?), ref: 00F7DA7A
AttachThreadInput.USER32(?,?,00000000), ref: 00F7DAA1

Strings

Shell_TrayWnd, xrefs: 00F7D9B9

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: f63a2e5807ff1de2e0b434929578dd545d0477bc25ea9f43f0295eb97420fa3e
Instruction ID: 353d95bc8d4655b42cc6d9b44e38a542ed0b4aa564b27c7c85373128f3df6288
Opcode Fuzzy Hash: f63a2e5807ff1de2e0b434929578dd545d0477bc25ea9f43f0295eb97420fa3e
Instruction Fuzzy Hash: 3A316271A4031CBBEB205F619D4AF7E7E7DEF44B60F144026FA04EB191C6B05D01BAA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F98638 Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00F98AA3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F98AED
Part of subcall function 00F98AA3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F98B1A
Part of subcall function 00F98AA3: GetLastError.KERNEL32 ref: 00F98B27

_memset.LIBCMT ref: 00F9867B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00F986CD
CloseHandle.KERNEL32(?), ref: 00F986DE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00F986F5
GetProcessWindowStation.USER32 ref: 00F9870E
SetProcessWindowStation.USER32(00000000), ref: 00F98718
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00F98732

Part of subcall function 00F984F3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000), ref: 00F98508
Part of subcall function 00F984F3: CloseHandle.KERNEL32(?), ref: 00F9851A

Strings

winsta0\default, xrefs: 00F987B3
default, xrefs: 00F9872D
winsta0, xrefs: 00F986F0
, xrefs: 00F9868A

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0$winsta0\default
API String ID: 2063423040-1685893292
Opcode ID: b202e37a48d17573d8fbcbf603d503b3b5ca1770e437d542d007e5bc552f9820
Instruction ID: b96d939827c4cf2fa178c8eb3b8022f64de3cd3450e8ee129cdcd6614f9b0716
Opcode Fuzzy Hash: b202e37a48d17573d8fbcbf603d503b3b5ca1770e437d542d007e5bc552f9820
Instruction Fuzzy Hash: D3818971C0020DAFEF119FA4CD45AEEBBB9EF05398F144129F914A7161DB358E16EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00FCC668 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfilenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F42612: GetWindowLongW.USER32(?,000000EB), ref: 00F42623

DragQueryPoint.SHELL32(?,?), ref: 00FCC691

Part of subcall function 00FCAB69: ClientToScreen.USER32(?,?), ref: 00FCAB92
Part of subcall function 00FCAB69: GetWindowRect.USER32(?,?), ref: 00FCAC08
Part of subcall function 00FCAB69: PtInRect.USER32(?,?,00FCC07E), ref: 00FCAC18

SendMessageW.USER32(?,000000B0,?,?), ref: 00FCC6FA
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00FCC705
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00FCC728
_wcscat.LIBCMT ref: 00FCC758
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00FCC76F
SendMessageW.USER32(?,000000B0,?,?), ref: 00FCC788
SendMessageW.USER32(?,000000B1,?,?), ref: 00FCC79F
SendMessageW.USER32(?,000000B1,?,?), ref: 00FCC7C1
DragFinish.SHELL32(?), ref: 00FCC7C8
NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 00FCC8BB

Strings

@GUI_DRAGFILE, xrefs: 00FCC86A
@GUI_DRAGID, xrefs: 00FCC833
@GUI_DROPID, xrefs: 00FCC7E8

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 2166380349-3440237614
Opcode ID: 0ff2f632164a84496f4c311c238c2e8e343f5765dc5746c91de54fc44c5682c9
Instruction ID: 5a36d885ea1a25d4d52d6a6f67dcd4a9536bd5860693d2e27e4317dc0e129756
Opcode Fuzzy Hash: 0ff2f632164a84496f4c311c238c2e8e343f5765dc5746c91de54fc44c5682c9
Instruction Fuzzy Hash: DC617D71108305AFC701EF60DC86E9BBBE9EF88710F00091DF695932A1DB749A49EB92

Uniqueness

Uniqueness Score: -1.00%

Function 00FAA279 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00FAA299
__swprintf.LIBCMT ref: 00FAA2BB
CreateDirectoryW.KERNEL32(?,00000000), ref: 00FAA2F8
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00FAA31D
_memset.LIBCMT ref: 00FAA33C
_wcsncpy.LIBCMT ref: 00FAA378
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00FAA3AD
CloseHandle.KERNEL32(00000000), ref: 00FAA3B8
RemoveDirectoryW.KERNEL32(?), ref: 00FAA3C1
CloseHandle.KERNEL32(00000000), ref: 00FAA3CB

Strings

:, xrefs: 00FAA2DC
\??\%s, xrefs: 00FAA2B5
\, xrefs: 00FAA2D1

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 5eda5df7588b78a62aa586222f731ffb0427fa95fb4c752f4634e58370badc3f
Instruction ID: dbd4647971cf0f6dbb28fe38553e62c12fd4df6987958dfac2e9b3ae2a62f397
Opcode Fuzzy Hash: 5eda5df7588b78a62aa586222f731ffb0427fa95fb4c752f4634e58370badc3f
Instruction Fuzzy Hash: 0031C3B1900209ABDB20DFA0DC45FEB73BDEF89750F1040B6FA08D2060E7759648EB25

Uniqueness

Uniqueness Score: -1.00%

Function 00FCC216 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F42612: GetWindowLongW.USER32(?,000000EB), ref: 00F42623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00FCC266
GetFocus.USER32 ref: 00FCC276
GetDlgCtrlID.USER32(00000000), ref: 00FCC281
_memset.LIBCMT ref: 00FCC3AC
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00FCC3D7
GetMenuItemCount.USER32(?), ref: 00FCC3F7
GetMenuItemID.USER32(?,00000000), ref: 00FCC40A
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00FCC43E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00FCC486
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00FCC4BE
NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 00FCC4F3

Strings

0, xrefs: 00FCC3A4

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
String ID: 0
API String ID: 3616455698-4108050209
Opcode ID: a1a3f7b694de11debd8d4853aa27c6731ef26b0c1c27aa947c073c0ee2a7a2c9
Instruction ID: fe3837df963ab03438d23979d110da7a1c619665916846a61f36fbbef7761750
Opcode Fuzzy Hash: a1a3f7b694de11debd8d4853aa27c6731ef26b0c1c27aa947c073c0ee2a7a2c9
Instruction Fuzzy Hash: D3819E715083029FD714CF14DA96F6BBBE9FB88324F00892DF99993291C731D805EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00F981D4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F9852A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F98546
Part of subcall function 00F9852A: GetLastError.KERNEL32(?,00F9800A,?,?,?), ref: 00F98550
Part of subcall function 00F9852A: GetProcessHeap.KERNEL32(00000008,?,?,00F9800A,?,?,?), ref: 00F9855F
Part of subcall function 00F9852A: RtlAllocateHeap.NTDLL(00000000,?,00F9800A), ref: 00F98566
Part of subcall function 00F9852A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F9857D

Part of subcall function 00F985C7: GetProcessHeap.KERNEL32(00000008,00F98020,00000000,00000000,?,00F98020,?), ref: 00F985D3
Part of subcall function 00F985C7: RtlAllocateHeap.NTDLL(00000000,?,00F98020), ref: 00F985DA
Part of subcall function 00F985C7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00F98020,?), ref: 00F985EB

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00F98238
_memset.LIBCMT ref: 00F9824D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00F9826C
GetLengthSid.ADVAPI32(?), ref: 00F9827D
GetAce.ADVAPI32(?,00000000,?), ref: 00F982BA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00F982D6
GetLengthSid.ADVAPI32(?), ref: 00F982F3
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00F98302
RtlAllocateHeap.NTDLL(00000000), ref: 00F98309
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00F9832A
CopySid.ADVAPI32(00000000), ref: 00F98331
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00F98362
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00F98388
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00F9839C

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 2347767575-0
Opcode ID: 562a465342fbf8f6477270e5935ea97bb770382de0c9338f64d4ddfb409372cc
Instruction ID: 044b2c6e3de22ce05c3f5e9db62c98269398ff682c73efa03c9f5f45d547d3bd
Opcode Fuzzy Hash: 562a465342fbf8f6477270e5935ea97bb770382de0c9338f64d4ddfb409372cc
Instruction Fuzzy Hash: 74615B71900209EFEF10CFA4DC45EEEBB79FF06750F448229E915A7291DB359A06EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F56841 Relevance: 18.4, Strings: 14, Instructions: 889COMMON

Download Yara Rule

Strings

UTF16), xrefs: 00F91425
LIMIT_RECURSION=, xrefs: 00F91552
BSR_UNICODE), xrefs: 00F9168E
LIMIT_MATCH=, xrefs: 00F914C6
UTF), xrefs: 00F91450
ANY), xrefs: 00F91634
BSR_ANYCRLF), xrefs: 00F91674
LF), xrefs: 00F915FA
NO_START_OPT), xrefs: 00F914A5
CR), xrefs: 00F915DD
ANYCRLF), xrefs: 00F91651
CRLF), xrefs: 00F91617
UCP), xrefs: 00F91463
NO_AUTO_POSSESS), xrefs: 00F91484

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: ea5bc76b6b382ff4a97a458ae2a9eb01ce7ee7cbffdfddf461ac86743a383365
Instruction ID: f8ba538a8de100e4359ed5c5170b4e1b018e22599ed170476b7b84ca1ce94108
Opcode Fuzzy Hash: ea5bc76b6b382ff4a97a458ae2a9eb01ce7ee7cbffdfddf461ac86743a383365
Instruction Fuzzy Hash: D7729275E0021ADBEF24CF58C8807ADB7B5FF48321F54816AE915EB290EB349D45EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FA3833 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F448AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F448A1,?,?,?,00F472BA,?,?,?,?,00F4108C), ref: 00F448CE

Part of subcall function 00FA4AD8: GetFileAttributesW.KERNEL32(?,00FA374F), ref: 00FA4AD9

FindFirstFileW.KERNEL32(?,?), ref: 00FA38E7
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00FA398F
MoveFileW.KERNEL32(?,?), ref: 00FA39A2
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00FA39BF
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FA39E1
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00FA39FD

Strings

\*.*, xrefs: 00FA3892, 00FA389B, 00FA38B0

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: deb9f5b0e7495bd6650eaaf4126ff9a50050aa35ada097259cc317f2bf881715
Instruction ID: aa2e8cd143135d45d661f79db8ad57781e5f0566f05a8ee1cc91fa2da9cdafba
Opcode Fuzzy Hash: deb9f5b0e7495bd6650eaaf4126ff9a50050aa35ada097259cc317f2bf881715
Instruction Fuzzy Hash: CF51727180524C9ACF11FBA0CD929EEBB79AF16300F644165F84277192DF786F09EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00FAF47F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00F47F41: _memmove.LIBCMT ref: 00F47F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00FAF4CC
Sleep.KERNEL32(0000000A), ref: 00FAF4FC
_wcscmp.LIBCMT ref: 00FAF510
_wcscmp.LIBCMT ref: 00FAF52B
FindNextFileW.KERNEL32(?,?), ref: 00FAF5C9
FindClose.KERNEL32(00000000), ref: 00FAF5DF

Strings

*.*, xrefs: 00FAF4B1

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 52144089d31a2999ea2776fc4d814d0502a95aab7d32f9d1a79623cbbf97decf
Instruction ID: 44d43ea48a2162cd6c1f5d1eafc6559e60eadf269f50311e0c066cbd8af31a50
Opcode Fuzzy Hash: 52144089d31a2999ea2776fc4d814d0502a95aab7d32f9d1a79623cbbf97decf
Instruction Fuzzy Hash: EF4163B1D0021AAFDF11DFA4CC45AEEBBB4FF05320F144566E815A72A1EB349E49EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FCD4A8 Relevance: 12.3, APIs: 8, Instructions: 257windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F42612: GetWindowLongW.USER32(?,000000EB), ref: 00F42623

GetSystemMetrics.USER32(0000000F), ref: 00FCD4E6
GetSystemMetrics.USER32(0000000F), ref: 00FCD506
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00FCD741
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00FCD75F
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00FCD780
ShowWindow.USER32(00000003,00000000), ref: 00FCD79F
InvalidateRect.USER32(?,00000000,00000001), ref: 00FCD7C4
NtdllDialogWndProc_W.NTDLL(?,00000005,?,?), ref: 00FCD7E7

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$DialogInvalidateLongMoveNtdllProc_RectShow
String ID:
API String ID: 830902736-0
Opcode ID: 72e0fde1d857505422d225e623a0a1968a74086283eb9330459d626eb43ef397
Instruction ID: 700141fe07c4a71f6e5ce3db800f7921029fed302acfeae37e8d33142eca9800
Opcode Fuzzy Hash: 72e0fde1d857505422d225e623a0a1968a74086283eb9330459d626eb43ef397
Instruction Fuzzy Hash: 77B18B75A0021AEFDF18CF28CAC6BAD7BB1BF04711F088179EC489B695D734A954EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F9E928 Relevance: 11.1, APIs: 1, Strings: 6, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00F9E93A

Strings

|, xrefs: 00F9E96A
(, xrefs: 00F9E980
InterfaceDispatch, xrefs: 00F9EAF0
Release, xrefs: 00F9EC58
AddRef, xrefs: 00F9EC10
QueryInterface, xrefs: 00F9EB83

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: lstrlen
String ID: ($AddRef$InterfaceDispatch$QueryInterface$Release$|
API String ID: 1659193697-2318614619
Opcode ID: 5e45b665053c7ebbb3577a28b5449123fc6423e952d2d56261bf53c67e78ace9
Instruction ID: 78af4afa04e004e6c73fd83ca9d3400a4f5747639b407265625bb58e634e1d03
Opcode Fuzzy Hash: 5e45b665053c7ebbb3577a28b5449123fc6423e952d2d56261bf53c67e78ace9
Instruction Fuzzy Hash: 28322575A00605DFDB28DF19C481A6AB7F0FF48320B15C56EE89ADB3A1EB70E941DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00F558C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F55A05
_memmove.LIBCMT ref: 00F55A55
_memmove.LIBCMT ref: 00F55ABB

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: bcb6c596ee7ee2351414c762c9ee58ebb9c1f42ca1ce60ba57fd5f8b55fe9821
Instruction ID: c5d0db15ac20655532e19523113b83a42915ea2f3314b4b59a805c90a148a628
Opcode Fuzzy Hash: bcb6c596ee7ee2351414c762c9ee58ebb9c1f42ca1ce60ba57fd5f8b55fe9821
Instruction Fuzzy Hash: 1612CC70A00609EFDF14DFA5C991AAEB7F5FF48700F204529E806E7251EB39AD15EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FA1097 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00FA10D6
GetKeyboardState.USER32(?), ref: 00FA10EB
SetKeyboardState.USER32(?), ref: 00FA114C
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00FA1178
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00FA1195
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00FA11D9
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00FA11FA

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 0ee696e0462220f376a2e9c1b7fe96998f30fbf36c26c6192eb2965ceb4fb14c
Instruction ID: dda26805e2d10b7083b69d7ebe479a5bb924040fee608c07ec04183a9d9c20be
Opcode Fuzzy Hash: 0ee696e0462220f376a2e9c1b7fe96998f30fbf36c26c6192eb2965ceb4fb14c
Instruction Fuzzy Hash: 2A51D3E0A047D63DFB3687248C45BBABEAD7F07310F098589E1D5868C2D694EC98F760

Uniqueness

Uniqueness Score: -1.00%

Function 00FCBFF6 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 149nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F42612: GetWindowLongW.USER32(?,000000EB), ref: 00F42623

Part of subcall function 00F42344: GetCursorPos.USER32(?), ref: 00F42357
Part of subcall function 00F42344: ScreenToClient.USER32(010057B0,?), ref: 00F42374
Part of subcall function 00F42344: GetAsyncKeyState.USER32(00000001), ref: 00F42399
Part of subcall function 00F42344: GetAsyncKeyState.USER32(00000002), ref: 00F423A7

ReleaseCapture.USER32 ref: 00FCC06A
SetWindowTextW.USER32(?,00000000), ref: 00FCC114
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00FCC127
NtdllDialogWndProc_W.NTDLL(?,00000202,?,?,00000000,00000001,?,?), ref: 00FCC209

Strings

@GUI_DRAGFILE, xrefs: 00FCC19E
@GUI_DROPID, xrefs: 00FCC15B

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: AsyncStateWindow$CaptureClientCursorDialogLongMessageNtdllProc_ReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 973565025-2107944366
Opcode ID: cbb18216078dda6bebe66a3e23b537b9cfe0bd6f8132df686670ed6c2a6062a8
Instruction ID: 66d894327cfac21ddd8e5c830d00cd210ec79a730823f457b605b26a2534c15b
Opcode Fuzzy Hash: cbb18216078dda6bebe66a3e23b537b9cfe0bd6f8132df686670ed6c2a6062a8
Instruction Fuzzy Hash: E351BE71208305AFDB10EF14CC4AF6A7BE1FB84314F04452DF995972E2CB79A948EB52

Uniqueness

Uniqueness Score: -1.00%

Function 00FA3B56 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F448AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F448A1,?,?,?,00F472BA,?,?,?,?,00F4108C), ref: 00F448CE

Part of subcall function 00FA4AD8: GetFileAttributesW.KERNEL32(?,00FA374F), ref: 00FA4AD9

FindFirstFileW.KERNEL32(?,?), ref: 00FA3BCD
DeleteFileW.KERNEL32(?,?,?,?), ref: 00FA3C1D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FA3C2E
FindClose.KERNEL32(00000000), ref: 00FA3C45
FindClose.KERNEL32(00000000), ref: 00FA3C4E

Strings

\*.*, xrefs: 00FA3B9F

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 2859205c1435015b9c2a50326287cd29433788b40cbe9429c976a182a7c76a15
Instruction ID: 5c5c76e3f3a0fdf089eef77920471830d4205740e59725fee7f56a989afb870f
Opcode Fuzzy Hash: 2859205c1435015b9c2a50326287cd29433788b40cbe9429c976a182a7c76a15
Instruction Fuzzy Hash: AF3170714083859BC301FF64CC959AFBBE8AE96714F444E2DF8D193191DB249A0DE762

Uniqueness

Uniqueness Score: -1.00%

Function 00FA5264 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00F98AA3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F98AED
Part of subcall function 00F98AA3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F98B1A
Part of subcall function 00F98AA3: GetLastError.KERNEL32 ref: 00F98B27

ExitWindowsEx.USER32(?,00000000), ref: 00FA52A0

Strings

SeShutdownPrivilege, xrefs: 00FA5270
, xrefs: 00FA528E
@, xrefs: 00FA5293

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 73112d8deb13aed551bec80217a00870a9823ae8219f42c2ecf309e3332b9561
Instruction ID: 987c4f92dab6732a02e06885d12b0e071301b97f485cb0460909d07f74e7d9b0
Opcode Fuzzy Hash: 73112d8deb13aed551bec80217a00870a9823ae8219f42c2ecf309e3332b9561
Instruction Fuzzy Hash: 5201F7F2A906166AFB2866689C4BFBA72D8AB07FA1F240525FD07D20D2E9505C04B5A0

Uniqueness

Uniqueness Score: -1.00%

Function 00F55680 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00F60F36: std::exception::exception.LIBCMT ref: 00F60F6C
Part of subcall function 00F60F36: __CxxThrowException@8.LIBCMT ref: 00F60F81

_memmove.LIBCMT ref: 00F905AE
_memmove.LIBCMT ref: 00F906C3
_memmove.LIBCMT ref: 00F9076A

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: b7beea8711aa9ce26875b3104d467e34ffef8ab5a04c1132b37e4f105f64a238
Instruction ID: 0e03d191dc264ca3d16fe9bd38efee89f38c15f880b07efcd732ddbe8c495472
Opcode Fuzzy Hash: b7beea8711aa9ce26875b3104d467e34ffef8ab5a04c1132b37e4f105f64a238
Instruction Fuzzy Hash: 0F02F0B0E00209DFDF04DF64D891AAEBBB5FF84310F248069E806DB255EB35DA15EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F41287 Relevance: 7.9, APIs: 5, Instructions: 379nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F42612: GetWindowLongW.USER32(?,000000EB), ref: 00F42623

NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 00F419FA
GetSysColor.USER32(0000000F), ref: 00F41A4E
SetBkColor.GDI32(?,00000000), ref: 00F41A61

Part of subcall function 00F41290: NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 00F412D8

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: ColorDialogNtdllProc_$LongWindow
String ID:
API String ID: 591255283-0
Opcode ID: 54ffc06b09f6f82fe128476753917d98c8a7ac259781b00eb18674497fcf7f66
Instruction ID: 11c173ff8ab8ab2d2bc88d262d19ee4c21e265030608c4ab3754e1f1275ec813
Opcode Fuzzy Hash: 54ffc06b09f6f82fe128476753917d98c8a7ac259781b00eb18674497fcf7f66
Instruction Fuzzy Hash: 73A15972501546BAE638AF288C49F7F3D5DFB82361F14411AFC06D2186DB2D9D81F6B2

Uniqueness

Uniqueness Score: -1.00%

Function 00F53190 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 1dfbbe38f78be7add4ff03603f8e56ca6c9430e5b55ddfa62a971c1557dab5f8
Instruction ID: 7950375677a65af23921d9423bc54d16c58fdc190dadc7537dce4a3763a0d833
Opcode Fuzzy Hash: 1dfbbe38f78be7add4ff03603f8e56ca6c9430e5b55ddfa62a971c1557dab5f8
Instruction Fuzzy Hash: DE22BF716083019FC724EF28C891B6FB7E4BF84750F14491CF99697291EB75EA08EB92

Uniqueness

Uniqueness Score: -1.00%

Function 00FA3C99 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00FA3CBE
Process32FirstW.KERNEL32(00000000,?), ref: 00FA3CCC
Process32NextW.KERNEL32(00000000,?), ref: 00FA3CEC
CloseHandle.KERNEL32(00000000), ref: 00FA3D96

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 6e584a796539306556d35a484ab026e1badc3d9cb941d5ebd46939d573f9ca44
Instruction ID: 3cf581305fccaa255b4b50c4ec91ca27065a3ca737097dd685207673ecfc4ad5
Opcode Fuzzy Hash: 6e584a796539306556d35a484ab026e1badc3d9cb941d5ebd46939d573f9ca44
Instruction Fuzzy Hash: 7C31A271508305DFC300EF10CC85AAFBBF8AF96754F54092DF881872A1EB74AA49DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00FCC502 Relevance: 6.1, APIs: 4, Instructions: 83nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F42612: GetWindowLongW.USER32(?,000000EB), ref: 00F42623

GetCursorPos.USER32(?), ref: 00FCC53C
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00F7BB2B,?,?,?,?,?), ref: 00FCC551
GetCursorPos.USER32(?), ref: 00FCC59E
NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,00F7BB2B,?,?,?), ref: 00FCC5D8

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
String ID:
API String ID: 1423138444-0
Opcode ID: 23fe1b2584f927fba17215c6fefd197b1953e1b8856b733968167d855166c661
Instruction ID: 22c93ce0b462f75baf4d54f3cc2a679127d55148d880c75868286fcf49f75669
Opcode Fuzzy Hash: 23fe1b2584f927fba17215c6fefd197b1953e1b8856b733968167d855166c661
Instruction Fuzzy Hash: 8A31A736A00018AFCB15CF54C959FEA7BF5EB49320F484469FA0987261D735AD51EFE0

Uniqueness

Uniqueness Score: -1.00%

Function 00F41290 Relevance: 6.1, APIs: 4, Instructions: 59nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F42612: GetWindowLongW.USER32(?,000000EB), ref: 00F42623

NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 00F412D8
GetClientRect.USER32(?,?), ref: 00F7B77B
GetCursorPos.USER32(?), ref: 00F7B785
ScreenToClient.USER32(?,?), ref: 00F7B790

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Client$CursorDialogLongNtdllProc_RectScreenWindow
String ID:
API String ID: 1010295502-0
Opcode ID: b39e6f7c3de2e479b67aededecbce5a50d21835be0edcd4d8423b04ce064521a
Instruction ID: f9f9fe4a4808a968ebff933cd0593f34822b99874d5f9683013939e29067126d
Opcode Fuzzy Hash: b39e6f7c3de2e479b67aededecbce5a50d21835be0edcd4d8423b04ce064521a
Instruction Fuzzy Hash: 8D115835A0011DEBCB10DFA4D98ADEEBBB9FB05300F404456F941E3240D774BA95ABA5

Uniqueness

Uniqueness Score: -1.00%

Function 00F98AA3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00F60F36: std::exception::exception.LIBCMT ref: 00F60F6C
Part of subcall function 00F60F36: __CxxThrowException@8.LIBCMT ref: 00F60F81

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F98AED
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F98B1A
GetLastError.KERNEL32 ref: 00F98B27

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 0a6e55f6d4a99b46c0c908a50488ac85c3425aa6a2a1e6cd6cb6012cd7f92721
Instruction ID: 88e486a356ff763eb2a21e8bd86921e1952f3f9650419f3f53b97fefc9484a70
Opcode Fuzzy Hash: 0a6e55f6d4a99b46c0c908a50488ac85c3425aa6a2a1e6cd6cb6012cd7f92721
Instruction Fuzzy Hash: 3311C1B2914208AFE728DF54DC86D2BBBBDFB44720B20816EF44697241EB30AC05DA60

Uniqueness

Uniqueness Score: -1.00%

Function 00FA4A08 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00FA4A31
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00FA4A48
FreeSid.ADVAPI32(?), ref: 00FA4A58

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 4534bd0ad7ef553c350b60907655ad3cd5e78e13aaf68957497cf84d6c4adf19
Instruction ID: a87f35236832d29dd11d6abfb1168428dfce21a0bbec613763411b4b0eb6e608
Opcode Fuzzy Hash: 4534bd0ad7ef553c350b60907655ad3cd5e78e13aaf68957497cf84d6c4adf19
Instruction Fuzzy Hash: B6F03C75D5120CBFDB00DFE09D8AEADBBB9EB08711F004469A901E2181D6756A049B54

Uniqueness

Uniqueness Score: -1.00%

Function 00F416DE Relevance: 3.1, APIs: 2, Instructions: 83nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F42612: GetWindowLongW.USER32(?,000000EB), ref: 00F42623

Part of subcall function 00F425DB: GetWindowLongW.USER32(?,000000EB), ref: 00F425EC

GetParent.USER32(?), ref: 00F7B93A
NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,00F419B3,?,?,?,00000006,?), ref: 00F7B9B4

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: LongWindow$DialogNtdllParentProc_
String ID:
API String ID: 314495775-0
Opcode ID: 452229a67d4a9ac0b9276d59b09e0bd939f6a73187a704845479f421b9ebc5b4
Instruction ID: c253f79552bc6804cd301b3ba17142f883372d481d67a2d4b0d80b7d8840abfd
Opcode Fuzzy Hash: 452229a67d4a9ac0b9276d59b09e0bd939f6a73187a704845479f421b9ebc5b4
Instruction Fuzzy Hash: 5521A534600118AFDB218F28CC88FA93FA6BF0A370F588255FA695B2E1C7315D51FB51

Uniqueness

Uniqueness Score: -1.00%

Function 00FCC5E7 Relevance: 3.0, APIs: 2, Instructions: 46nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F42612: GetWindowLongW.USER32(?,000000EB), ref: 00F42623

NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,00F7BABA,?,?,?), ref: 00FCC65B

Part of subcall function 00F425DB: GetWindowLongW.USER32(?,000000EB), ref: 00F425EC

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00FCC641

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: LongWindow$DialogMessageNtdllProc_Send
String ID:
API String ID: 1273190321-0
Opcode ID: e58a5591f90143b0f7a0d1f48e9c6cf221f6bd9ce26c1268b657e2bdb886c9f4
Instruction ID: 39b97d091935aeb65424308ce3b0f232bc214852fe6b34d46e2fe972e6929456
Opcode Fuzzy Hash: e58a5591f90143b0f7a0d1f48e9c6cf221f6bd9ce26c1268b657e2bdb886c9f4
Instruction Fuzzy Hash: 8701B531200204ABDB219F14DE49F667BA6FB85724F144528FD495B2E1CB326855FF94

Uniqueness

Uniqueness Score: -1.00%

Function 00FCC9A8 Relevance: 3.0, APIs: 2, Instructions: 33nativeCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00FCC9CB
NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,00F7BB96,?,?,?,?,?), ref: 00FCC9F4

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: ClientDialogNtdllProc_Screen
String ID:
API String ID: 3420055661-0
Opcode ID: 194596d6cec37b87faf6391408aea5c7de5ba9fcde102c5dbb15b7168b3dda3d
Instruction ID: b144f5c03c497c41710fed0271fd9090ee8d6bfbe7a8f679a6e158e04db39d39
Opcode Fuzzy Hash: 194596d6cec37b87faf6391408aea5c7de5ba9fcde102c5dbb15b7168b3dda3d
Instruction Fuzzy Hash: E9F0307241011CFFDF058F45DD09DAEBFB9FB44311F04415AF94562161D3716A54EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FA15F8 Relevance: 3.0, APIs: 2, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00FA1633
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00FA1646

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 22baad558e316721d68546c8fd5bc86af5a215f5132bb99696ef46c6f1db3bfe
Instruction ID: 258cd235b99261bf907849e49ec5d5c14babd1885370f0b9607c192775d116c1
Opcode Fuzzy Hash: 22baad558e316721d68546c8fd5bc86af5a215f5132bb99696ef46c6f1db3bfe
Instruction Fuzzy Hash: CFF049B190020DABDB00DF94C906BFEBBB4FF04315F04845AF915D6292C3798615EF94

Uniqueness

Uniqueness Score: -1.00%

Function 00FAA0F4 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00FB957D,?,00FCFB84,?), ref: 00FAA121
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00FB957D,?,00FCFB84,?), ref: 00FAA133

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 1c606fec37ec14c4bee361ad5d8735fc0818cce283c8f823697e54373aca817e
Instruction ID: ef29fc9209899d1fd139db846afd4697de4d3938b44f79f259e6269949ef7d0a
Opcode Fuzzy Hash: 1c606fec37ec14c4bee361ad5d8735fc0818cce283c8f823697e54373aca817e
Instruction Fuzzy Hash: 5BF0E23550422DBBDB10AFA4CC49FEA776DFF09361F008166B809D3180D7349948DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FCCAE6 Relevance: 3.0, APIs: 2, Instructions: 23nativeCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00FCCAEE
NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,00F7BB15,?,?,?,?), ref: 00FCCB1C

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: f96db12fffb195bd3af35a319ef5832eaf3830c2ea19eb91a94b5b963bfc8bf7
Instruction ID: 87d88af5e4992ba80f5f9390a1f4f6208b3668fb665210c76fa409602a068a54
Opcode Fuzzy Hash: f96db12fffb195bd3af35a319ef5832eaf3830c2ea19eb91a94b5b963bfc8bf7
Instruction Fuzzy Hash: 94E08670140219BFEB145F19DD1BFBA3B54E704760F108519F99ADA0E1C770D850F760

Uniqueness

Uniqueness Score: -1.00%

Function 00F984F3 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000), ref: 00F98508
CloseHandle.KERNEL32(?), ref: 00F9851A

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: d98f0767ac182f9376e2e6c5276e17c9722a07d95751539ccf45b465174cb28e
Instruction ID: 322e04ef3da275d00b4747c6e4876a987cfb9c472306d6b5d011c37dfe3fa652
Opcode Fuzzy Hash: d98f0767ac182f9376e2e6c5276e17c9722a07d95751539ccf45b465174cb28e
Instruction Fuzzy Hash: 85E0B672014610EFEB252B64EC09D77BBAAEB443607248829B49681474DB62ACA5EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F6A2D5 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00F68ED7,?), ref: 00F6A2DA
UnhandledExceptionFilter.KERNEL32(?), ref: 00F6A2E3

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 3e8a93af8f604ff9f2992d3aa11e1b660f5d2787fe84acc94ee9c7a79c4fdafd
Instruction ID: b2e650702eb017514c99f131e33b4d4870fd95b8a578d63e645bfb3fdecbb5bf
Opcode Fuzzy Hash: 3e8a93af8f604ff9f2992d3aa11e1b660f5d2787fe84acc94ee9c7a79c4fdafd
Instruction Fuzzy Hash: B1B0923105424CBBCA002B91ED0AF88BF6AEB84AA2F404020FA0D86060CB625654AA91

Uniqueness

Uniqueness Score: -1.00%

Function 00F4E800 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00F841BB

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: c8df2e67fad50e3a6b92f4e789d1a848caa72188f547ed499bdad3de811f388e
Instruction ID: 23d7bc54a03f6d867b5b6ae1439362bc2c517944464031e7249613219e0cc1a2
Opcode Fuzzy Hash: c8df2e67fad50e3a6b92f4e789d1a848caa72188f547ed499bdad3de811f388e
Instruction Fuzzy Hash: 1DA27C75E04205CFCB24CF58C480AAABBB2FF58320F248169ED46AB355D775ED46EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F6F359 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6383f06ba9b024f767da52eda68ca2fdaa195011c122564419465be664b60b0
Instruction ID: 3ac9e9df00052bd4ddc27793d0f0dceca5375468e26ce504a6a0ed91789f0422
Opcode Fuzzy Hash: e6383f06ba9b024f767da52eda68ca2fdaa195011c122564419465be664b60b0
Instruction Fuzzy Hash: 7D322822D2AF054DD7236634D832335A349AFB73D5F55D737F819B59AAEB28C4836100

Uniqueness

Uniqueness Score: -1.00%

Function 00F725AE Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cad65751e12346afe4c38f84a7cf0c13a0701613fba7be0a67bf71388ebf275
Instruction ID: a22a4fccd866c1d0b16fd6acfa0b48b8c27ac327a3c528484ab553d04b527247
Opcode Fuzzy Hash: 7cad65751e12346afe4c38f84a7cf0c13a0701613fba7be0a67bf71388ebf275
Instruction Fuzzy Hash: 09B11020D2AF444DD32396398831336BB5DAFBB6C5F52D71BFC2A74D22EB2285836141

Uniqueness

Uniqueness Score: -1.00%

Function 00FA8932 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00FA8944

Part of subcall function 00F6537A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00FA9017,00000000,?,?,?,?,00FA91C8,00000000,?), ref: 00F65383
Part of subcall function 00F6537A: __aulldiv.LIBCMT ref: 00F653A3

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 0a97f774f0bf5877a5003bfdbd4ee8157332f640f883bb61f02d5619f7824f29
Instruction ID: cd1786a6a0dc2b77ba31e5b830fadcaa6a9fc6018e0d6974e85cbfe3fefc0399
Opcode Fuzzy Hash: 0a97f774f0bf5877a5003bfdbd4ee8157332f640f883bb61f02d5619f7824f29
Instruction Fuzzy Hash: F321D272625610CBC72ACF25D441A52B3E1EBA9721F288E2CD1E5CB2C0CA7AA905DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00FCD7F6 Relevance: 1.6, APIs: 1, Instructions: 66nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F42612: GetWindowLongW.USER32(?,000000EB), ref: 00F42623

NtdllDialogWndProc_W.NTDLL(?,00000112,?,00000000), ref: 00FCD8A2

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 72c8f5b59da5831f3787be58d060b01317dd808039dbbbbec8be8c23c9a80de7
Instruction ID: 845c6bf1f73b2fc25bb997a7a2866197da6d40ba2b4cad2b77e2483793665ea0
Opcode Fuzzy Hash: 72c8f5b59da5831f3787be58d060b01317dd808039dbbbbec8be8c23c9a80de7
Instruction Fuzzy Hash: 62110471604157ABFB295A28CE07F7D3714DB41720F24433CFA669A1D2CA64AD01B364

Uniqueness

Uniqueness Score: -1.00%

Function 00FCD422 Relevance: 1.5, APIs: 1, Instructions: 47nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F425DB: GetWindowLongW.USER32(?,000000EB), ref: 00F425EC

NtdllDialogWndProc_W.NTDLL(?,00000115,?,?,?,?,?,?,00F7BAD2,?,?,?,?,00000000,?), ref: 00FCD49C

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 739f20391d9f4fe9b2a59730e727128b1fdd6bfb2bbb220dd71ee34a0b703014
Instruction ID: a81ac26174fb348ec1d3cdb5bb9e32c15e2358386ad66cf6642bae628f4d7386
Opcode Fuzzy Hash: 739f20391d9f4fe9b2a59730e727128b1fdd6bfb2bbb220dd71ee34a0b703014
Instruction Fuzzy Hash: 5601D271A0011AABDB18DE25CA4AFAA3B56AB41334F084139FA491B191C731BC10F7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00FCBF9A Relevance: 1.5, APIs: 1, Instructions: 31nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F42612: GetWindowLongW.USER32(?,000000EB), ref: 00F42623

Part of subcall function 00F42344: GetCursorPos.USER32(?), ref: 00F42357
Part of subcall function 00F42344: ScreenToClient.USER32(010057B0,?), ref: 00F42374
Part of subcall function 00F42344: GetAsyncKeyState.USER32(00000001), ref: 00F42399
Part of subcall function 00F42344: GetAsyncKeyState.USER32(00000002), ref: 00F423A7

NtdllDialogWndProc_W.NTDLL(?,00000204,?,?,00000001,?,?,?,00F7BB7F,?,?,?,?,?,00000001,?), ref: 00FCBFEC

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: AsyncState$ClientCursorDialogLongNtdllProc_ScreenWindow
String ID:
API String ID: 2356834413-0
Opcode ID: 3c0d61d6df1983de4141866b26b7d2cbe3ae4c83c08b5c1e450d9c56084a3237
Instruction ID: 75aa22279ae3537861fa9fe0eba8f37e745721d716b49dd08282b71410ef0bbb
Opcode Fuzzy Hash: 3c0d61d6df1983de4141866b26b7d2cbe3ae4c83c08b5c1e450d9c56084a3237
Instruction Fuzzy Hash: FEF08234200229ABDB15AF49DC0AFBE3BA5EB44350F404029FD855B291CB76A960FFE0

Uniqueness

Uniqueness Score: -1.00%

Function 00F4189B Relevance: 1.5, APIs: 1, Instructions: 29nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F42612: GetWindowLongW.USER32(?,000000EB), ref: 00F42623

NtdllDialogWndProc_W.NTDLL(?,00000006,00000000,?,?,?,00F41B04,?,?,?,?,?), ref: 00F418E2

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: b439d0294b3992042c8f429ee77dc977772fadc1ad3e49b373422e02969feb68
Instruction ID: 0cbc5881251179181ca7bfdd60ce460c2f9b9c56a423de01acfbd1f6c288c81e
Opcode Fuzzy Hash: b439d0294b3992042c8f429ee77dc977772fadc1ad3e49b373422e02969feb68
Instruction Fuzzy Hash: F0F0BE30600218DFDB19DF04D854A363BB2FB40320F504128FD924B2A0DB32D890FB60

Uniqueness

Uniqueness Score: -1.00%

Function 00FCC928 Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 00FCC968

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 10cb7b1b0e38da92d0160f0e6972948174dd8b1720295b51be56b5d35337ec3e
Instruction ID: 707338afc2c7f4b05501b0266bc268ae255a716d7a9de3f4530b7fc8ccfe0ea7
Opcode Fuzzy Hash: 10cb7b1b0e38da92d0160f0e6972948174dd8b1720295b51be56b5d35337ec3e
Instruction Fuzzy Hash: D9F06531540259AFDB21DF58DD05FC67B95EB05720F044018FA55672E1CB707910EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FA4CFA Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00FA4D1D

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 281e37d1746b3a7fb9b97eb42adf7eee4f0c87236915bbdc4874118c0a829911
Instruction ID: 4241083c31659fe21b5ea36635f201469240a4476448532ad6c8528f1b148f29
Opcode Fuzzy Hash: 281e37d1746b3a7fb9b97eb42adf7eee4f0c87236915bbdc4874118c0a829911
Instruction Fuzzy Hash: 31D05EE152020638FC280B289C1FF762109F7C27A2FA409493602860C5A8E87841B835

Uniqueness

Uniqueness Score: -1.00%

Function 00F98A73 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00F986B1), ref: 00F98A93

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 09658ad339a46abbfc2c18b62df4a37986a0dc08ff68549501e126b7e966e07b
Instruction ID: 24f4b9d2d1200d67e0a7a41503ceee3aca3711c3948325456ebf601ac850b953
Opcode Fuzzy Hash: 09658ad339a46abbfc2c18b62df4a37986a0dc08ff68549501e126b7e966e07b
Instruction Fuzzy Hash: 99D05E322A050EABEF018EA4DD02EAE3B6AEB04B01F408111FE15C60A1C775D835AB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F4167D Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F42612: GetWindowLongW.USER32(?,000000EB), ref: 00F42623

NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?,?,00F41AEE,?,?,?), ref: 00F416AB

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 2abaf90fed13c9f7737d9bd6cbd3e9dbcb38957647d50ebc4923d3b8cafa1299
Instruction ID: fe868f8f7d03b78510e110f25bf572a45fc65130df5c7aada599b8d887ae5ab5
Opcode Fuzzy Hash: 2abaf90fed13c9f7737d9bd6cbd3e9dbcb38957647d50ebc4923d3b8cafa1299
Instruction Fuzzy Hash: B9E0EC35140208FBDF56AF90DC15E653F2AFB48310F508468FA851B2A1CB3BA522EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FCC973 Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,00F7BB3C,?,?,?,?,?,?), ref: 00FCC99E

Part of subcall function 00FCB669: _memset.LIBCMT ref: 00FCB678
Part of subcall function 00FCB669: _memset.LIBCMT ref: 00FCB687
Part of subcall function 00FCB669: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,01006F20,01006F64), ref: 00FCB6B6
Part of subcall function 00FCB669: CloseHandle.KERNEL32 ref: 00FCB6C8

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
String ID:
API String ID: 2364484715-0
Opcode ID: 153af77b661d1b72d658b20063053ebca1405348f5268dc7d1820ff05be076ff
Instruction ID: ebd216b3fe30a5046f2864cbe05fb492042629a691e289d478fb844bafd6dc8e
Opcode Fuzzy Hash: 153af77b661d1b72d658b20063053ebca1405348f5268dc7d1820ff05be076ff
Instruction Fuzzy Hash: B0E0B636210209DFCB12AF44EE56E993BA6FB08314F054069FE09576B2C732AE60FF55

Uniqueness

Uniqueness Score: -1.00%

Function 00F416B5 Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F42612: GetWindowLongW.USER32(?,000000EB), ref: 00F42623

Part of subcall function 00F4201B: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00F420D3
Part of subcall function 00F4201B: KillTimer.USER32(-00000001,?,?,?,?,00F416CB,00000000,?,?,00F41AE2,?,?), ref: 00F4216E

NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,00F41AE2,?,?), ref: 00F416D4

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Window$DestroyDialogKillLongNtdllProc_Timer
String ID:
API String ID: 2797419724-0
Opcode ID: 11851d83d9ae93adabb2f3f74988dbeb44b0fd67b0ffcf002b00f3e04482fb26
Instruction ID: 062b26768cf2d126ef7aa44bfa059670d23ae2cc6fea5431bc1b2d5c02d61b24
Opcode Fuzzy Hash: 11851d83d9ae93adabb2f3f74988dbeb44b0fd67b0ffcf002b00f3e04482fb26
Instruction Fuzzy Hash: 66D01230180308B7EA112B50DD1BF5A7E19AB14750F808420BF04291D3CB766810B558

Uniqueness

Uniqueness Score: -1.00%

Function 00FCC8F9 Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL ref: 00FCC91E

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: c272649f5478593c6d7ddc9050f7501c29b8e1f7812ee8f3848f9ffd46424c2d
Instruction ID: 569d7190602fbd3ba58d7b26776b4cf395b515afb2d5c4d9431ba9d04429bee1
Opcode Fuzzy Hash: c272649f5478593c6d7ddc9050f7501c29b8e1f7812ee8f3848f9ffd46424c2d
Instruction Fuzzy Hash: 40E0E23524020CEFCB01DF88D949D863BA5AB1D300F004054FE0547262C772A864EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FCC8CA Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL ref: 00FCC8EF

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: b3b79356c83ea2330189904bcba1e11943a16aa78322ad5d12876af5f2b99158
Instruction ID: 770e1989eedf3c7b1ea0d0e84d184eb84ceead4176f5d8a2688db7c22a9629ec
Opcode Fuzzy Hash: b3b79356c83ea2330189904bcba1e11943a16aa78322ad5d12876af5f2b99158
Instruction Fuzzy Hash: B5E0E23524020CEFCB01DF88D889E863BA5AB1D300F004054FE0557262C771A820EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F8215F Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00F82171

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 996c4850d6e3cccf9ac82e4b539c75ce9ceaec3bfcc711969bb3d702ee696779
Instruction ID: 599c7346b9d8b11d9faa4e737b27b2ced08cdf2dab5c04a2cddfbb1866a79242
Opcode Fuzzy Hash: 996c4850d6e3cccf9ac82e4b539c75ce9ceaec3bfcc711969bb3d702ee696779
Instruction Fuzzy Hash: EBC04CF180110DDBCB05DB90DA88DEEB7BCFB04704F104156A101F2100D7749B449B71

Uniqueness

Uniqueness Score: -1.00%

Function 00F6A2A4 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00F6A2AA

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 30df340f9bec44b2ff0c203daba541a6c701f40c8fa1e53052ddc7b9746f9dc0
Instruction ID: 2b4728bdd902005131413a3f7c01c6e718d737f6809a7b511e317431b0f10c3f
Opcode Fuzzy Hash: 30df340f9bec44b2ff0c203daba541a6c701f40c8fa1e53052ddc7b9746f9dc0
Instruction Fuzzy Hash: D3A0123000010CB78A001B41EC05844BF5DD6401907004020F40C41021873255105580

Uniqueness

Uniqueness Score: -1.00%

Function 00F58968 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6acdac50bb64691044ff6dfcd252f318963cfb09fdd609248eff39e6cd00416a
Instruction ID: e6402879ba710623aed677241729eb110d7aa85725767ad540670bed3d876ac6
Opcode Fuzzy Hash: 6acdac50bb64691044ff6dfcd252f318963cfb09fdd609248eff39e6cd00416a
Instruction Fuzzy Hash: 32226A71E00545EBEF398A18C49477C77A5FF417A6F28802ADE81AB492DB349D8BF740

Uniqueness

Uniqueness Score: -1.00%

Function 00F62345 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: ee4a77b75388837144e60dd5e7ffa6fe88d5e809a8d03a521b07cae4de2d580b
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 0BC18232A155930ADF6D8639C43413EBEA16EA27B231E075DE8B3DB1D5EF20C564F620

Uniqueness

Uniqueness Score: -1.00%

Function 00F6277A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 17d621afaa7ba23d41c0ffe3cf7a47243b18a788e4dc5dcd6b5b3d75086d776a
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: C0C18233A1559309DFAD463A847413EBFA16BA27B231E076DE4B2DB1C5EF24C524F620

Uniqueness

Uniqueness Score: -1.00%

Function 00F61F10 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: 74b1ff3983d3e577d5a5e8cf1eb83ef8c4d4991005836aee2ff9f430f6d13d3d
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: 51C19332A095930ADF6D4639C47413EFEA16AA27B231E076DE4B3DB1D4EF20C564F620

Uniqueness

Uniqueness Score: -1.00%

Function 00F61AF8 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 1c2386016d3a760b824d15169cce7bc8939232a9f59bc6ad8e90129e61943a88
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: CCC16F32A1919309DF6D463AC43417EBEA17AA27B231E076DE4B3DB1D4EF20D564F620

Uniqueness

Uniqueness Score: -1.00%

Function 00FCA60C Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00FCA662
GetSysColorBrush.USER32(0000000F), ref: 00FCA693
GetSysColor.USER32(0000000F), ref: 00FCA69F
SetBkColor.GDI32(?,000000FF), ref: 00FCA6B9
SelectObject.GDI32(?,00000000), ref: 00FCA6C8
InflateRect.USER32(?,000000FF,000000FF), ref: 00FCA6F3
GetSysColor.USER32(00000010), ref: 00FCA6FB
CreateSolidBrush.GDI32(00000000), ref: 00FCA702
FrameRect.USER32(?,?,00000000), ref: 00FCA711
DeleteObject.GDI32(00000000), ref: 00FCA718
InflateRect.USER32(?,000000FE,000000FE), ref: 00FCA763
FillRect.USER32(?,?,00000000), ref: 00FCA795
GetWindowLongW.USER32(?,000000F0), ref: 00FCA7C0

Part of subcall function 00FCA8FC: GetSysColor.USER32(00000012), ref: 00FCA935
Part of subcall function 00FCA8FC: SetTextColor.GDI32(?,?), ref: 00FCA939
Part of subcall function 00FCA8FC: GetSysColorBrush.USER32(0000000F), ref: 00FCA94F
Part of subcall function 00FCA8FC: GetSysColor.USER32(0000000F), ref: 00FCA95A
Part of subcall function 00FCA8FC: GetSysColor.USER32(00000011), ref: 00FCA977
Part of subcall function 00FCA8FC: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00FCA985
Part of subcall function 00FCA8FC: SelectObject.GDI32(?,00000000), ref: 00FCA996
Part of subcall function 00FCA8FC: SetBkColor.GDI32(?,00000000), ref: 00FCA99F
Part of subcall function 00FCA8FC: SelectObject.GDI32(?,?), ref: 00FCA9AC
Part of subcall function 00FCA8FC: InflateRect.USER32(?,000000FF,000000FF), ref: 00FCA9CB
Part of subcall function 00FCA8FC: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00FCA9E2
Part of subcall function 00FCA8FC: GetWindowLongW.USER32(00000000,000000F0), ref: 00FCA9F7
Part of subcall function 00FCA8FC: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00FCAA1F

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: d13c501a64755880f0bdcb0827fe76c0b0bcb2168015b6e4880cf75a6dcabda4
Instruction ID: 7f81e2d0f5ae232c0c51b8f60126b847924b25a831b5fda6fb08978ca0e63648
Opcode Fuzzy Hash: d13c501a64755880f0bdcb0827fe76c0b0bcb2168015b6e4880cf75a6dcabda4
Instruction Fuzzy Hash: 28916F72408309AFD7109F64DD09E5BBBAAFF88335F140A29F562D71A0D731E948EB52

Uniqueness

Uniqueness Score: -1.00%

Function 00FAAD9C Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FAADAA
GetDriveTypeW.KERNEL32(?,00FCFAC0,?,\\.\,00FCF910), ref: 00FAAE87
SetErrorMode.KERNEL32(00000000,00FCFAC0,?,\\.\,00FCF910), ref: 00FAAFE5

Strings

SSD, xrefs: 00FAAF12
SATA, xrefs: 00FAAF98
RAMDisk, xrefs: 00FAAEB1
SSA, xrefs: 00FAAF6E
CDROM, xrefs: 00FAAEBB
Fixed, xrefs: 00FAAECF
Virtual, xrefs: 00FAAFAD
ATA, xrefs: 00FAAF60
\\.\, xrefs: 00FAADFC
iSCSI, xrefs: 00FAAF8A
USB, xrefs: 00FAAF7C
ATAPI, xrefs: 00FAAF59
SCSI, xrefs: 00FAAF52
Network, xrefs: 00FAAEC5
Fibre, xrefs: 00FAAF75
SAS, xrefs: 00FAAF91
Removable, xrefs: 00FAAED9
FileBackedVirtual, xrefs: 00FAAFB4
MMC, xrefs: 00FAAFA6
1394, xrefs: 00FAAF67
Unknown, xrefs: 00FAAEA7, 00FAAF4B
PhysicalDrive, xrefs: 00FAAE33
RAID, xrefs: 00FAAF83

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 2aa571f976c62b2e6a03cbe0973b0bb065b7ef6d03807fd0d0ae99e607f845e5
Instruction ID: e78e87a89f56b21f1733bec0fa80bf6e21393abf6038860dfb1a2b912bcfc5bf
Opcode Fuzzy Hash: 2aa571f976c62b2e6a03cbe0973b0bb065b7ef6d03807fd0d0ae99e607f845e5
Instruction Fuzzy Hash: 2F5181F5648209AFCB08EB10CDC29B9B771EF467507204056FA06A72A1CB75DD4AFB83

Uniqueness

Uniqueness Score: -1.00%

Function 00F46A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00F46A91
__wcsnicmp.LIBCMT ref: 00F46AA9
__wcsnicmp.LIBCMT ref: 00F46AC1
__wcsnicmp.LIBCMT ref: 00F46AD9
__wcsnicmp.LIBCMT ref: 00F46AF1
__wcsnicmp.LIBCMT ref: 00F46B09
__wcsnicmp.LIBCMT ref: 00F46B21
__wcsnicmp.LIBCMT ref: 00F46B35
__wcsnicmp.LIBCMT ref: 00F46B76
__wcsnicmp.LIBCMT ref: 00F46B8A
__wcsnicmp.LIBCMT ref: 00F46B9E
__wcsnicmp.LIBCMT ref: 00F46BB2

Strings

Cannot parse #include, xrefs: 00F7E749
#notrayicon, xrefs: 00F46AA3
Unterminated group of comments, xrefs: 00F7E75C
#comments-end, xrefs: 00F46B98
#requireadmin, xrefs: 00F46ABB
#comments-start, xrefs: 00F46B1B, 00F46B70
#ce, xrefs: 00F46BAC
#cs, xrefs: 00F46B2F, 00F46B84
#OnAutoItStartRegister, xrefs: 00F46AD3
#include, xrefs: 00F46B03
Bad directive syntax error, xrefs: 00F7E673
#include-once, xrefs: 00F46AEB
#pragma compile, xrefs: 00F46A8B

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 4803945f82d959b60d12664b82c7392353443077d16c01fefb4eeabf290329d4
Instruction ID: 5e1c801bce03d017accf7de60ff94206d67a1cfc3393f1d850069334bcd1aa5b
Opcode Fuzzy Hash: 4803945f82d959b60d12664b82c7392353443077d16c01fefb4eeabf290329d4
Instruction Fuzzy Hash: 2D812971A00305ABCB24BB20CC82FAE7B69EF55710F044026FD45EA193EB68DE55F693

Uniqueness

Uniqueness Score: -1.00%

Function 00F42C18 Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00F42CA2
DeleteObject.GDI32(00000000), ref: 00F42CE8
DeleteObject.GDI32(00000000), ref: 00F42CF3
DestroyCursor.USER32(00000000), ref: 00F42CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00F42D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 00F7C5BB
6F570200.COMCTL32(?,000000FF,?), ref: 00F7C5F4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00F7CA1D

Part of subcall function 00F41B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F42036,?,00000000,?,?,?,?,00F416CB,00000000,?), ref: 00F41B9A

SendMessageW.USER32(?,00001053), ref: 00F7CA5A
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00F7CA71

Strings

0, xrefs: 00F7C8B1

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: DestroyMessageSendWindow$DeleteObject$CursorF570200InvalidateMoveRect
String ID: 0
API String ID: 2008601239-4108050209
Opcode ID: fb6ca93cbb8b2bdd626078ac7f32b7b0b67d97853a9f05f50accf097e109f284
Instruction ID: a78914369c629f8181f6da6bd0017a30dd07dc5875b6c009636ecbcb3020b2e3
Opcode Fuzzy Hash: fb6ca93cbb8b2bdd626078ac7f32b7b0b67d97853a9f05f50accf097e109f284
Instruction Fuzzy Hash: 6A129031A00201DFDB64CF24C985BA9BBA5FF44321F54857EF949DB262C731E846EB92

Uniqueness

Uniqueness Score: -1.00%

Function 00FCA8FC Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00FCA935
SetTextColor.GDI32(?,?), ref: 00FCA939
GetSysColorBrush.USER32(0000000F), ref: 00FCA94F
GetSysColor.USER32(0000000F), ref: 00FCA95A
CreateSolidBrush.GDI32(?), ref: 00FCA95F
GetSysColor.USER32(00000011), ref: 00FCA977
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00FCA985
SelectObject.GDI32(?,00000000), ref: 00FCA996
SetBkColor.GDI32(?,00000000), ref: 00FCA99F
SelectObject.GDI32(?,?), ref: 00FCA9AC
InflateRect.USER32(?,000000FF,000000FF), ref: 00FCA9CB
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00FCA9E2
GetWindowLongW.USER32(00000000,000000F0), ref: 00FCA9F7
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00FCAA1F
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00FCAA46
InflateRect.USER32(?,000000FD,000000FD), ref: 00FCAA64
DrawFocusRect.USER32(?,?), ref: 00FCAA6F
GetSysColor.USER32(00000011), ref: 00FCAA7D
SetTextColor.GDI32(?,00000000), ref: 00FCAA85
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00FCAA99
SelectObject.GDI32(?,00FCA62C), ref: 00FCAAB0
DeleteObject.GDI32(?), ref: 00FCAABB
SelectObject.GDI32(?,?), ref: 00FCAAC1
DeleteObject.GDI32(?), ref: 00FCAAC6
SetTextColor.GDI32(?,?), ref: 00FCAACC
SetBkColor.GDI32(?,?), ref: 00FCAAD6

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 1c60ac8752ed0cdcd5098ee6d17cc70d53aef889ab6d548f9f19db129b60e550
Instruction ID: e403cd801734b2849cbb23831b5c3e4d6143d4570ade1c2cfbacaa81ab644a96
Opcode Fuzzy Hash: 1c60ac8752ed0cdcd5098ee6d17cc70d53aef889ab6d548f9f19db129b60e550
Instruction Fuzzy Hash: 38517E7180020DFFDB109FA4DE4AEAEBB7AEF48320F154625F911AB2A1C7759944EF50

Uniqueness

Uniqueness Score: -1.00%

Function 00F55F88 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 348COMMON

Download Yara Rule

APIs

Part of subcall function 00F47D2C: _memmove.LIBCMT ref: 00F47D66

GetForegroundWindow.USER32(00FCF910,?,?,?,?,?), ref: 00F56042
IsWindow.USER32(?), ref: 00F90F79

Strings

ACTIVE, xrefs: 00F90D46
REGEXPTITLE, xrefs: 00F90D72
TITLE, xrefs: 00F90F0E
ALL, xrefs: 00F90EE0
REGEXPCLASS, xrefs: 00F90DC4
HANDLE, xrefs: 00F90D5C
LAST, xrefs: 00F90D30
INSTANCE, xrefs: 00F90EB8
CLASS, xrefs: 00F90DA3

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Window$Foreground_memmove
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
API String ID: 3828923867-1919597938
Opcode ID: 863a8c1fb3ef2b00d63cda3d152701179cf4da79adddc743eac14c855b0ec23b
Instruction ID: 92b94a36d9a3a2c4b713c031a5c016ed8177591bace83653052ca8714bae8385
Opcode Fuzzy Hash: 863a8c1fb3ef2b00d63cda3d152701179cf4da79adddc743eac14c855b0ec23b
Instruction Fuzzy Hash: 04D1D430508702AFDF14EF20C891AAAFBA1FF54354F104A29F855835A2CF34EA59FB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F9A844 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00F9A885
__swprintf.LIBCMT ref: 00F9A926
_wcscmp.LIBCMT ref: 00F9A939
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00F9A98E
_wcscmp.LIBCMT ref: 00F9A9CA
GetClassNameW.USER32(?,?,00000400), ref: 00F9AA01
GetDlgCtrlID.USER32(?), ref: 00F9AA53
GetWindowRect.USER32(?,?), ref: 00F9AA89
GetParent.USER32(?), ref: 00F9AAA7
ScreenToClient.USER32(00000000), ref: 00F9AAAE
GetClassNameW.USER32(?,?,00000100), ref: 00F9AB28
_wcscmp.LIBCMT ref: 00F9AB3C
GetWindowTextW.USER32(?,?,00000400), ref: 00F9AB62
_wcscmp.LIBCMT ref: 00F9AB76

Part of subcall function 00F637AC: _iswctype.LIBCMT ref: 00F637B4

Strings

%s%u, xrefs: 00F9A920

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 8579633a141ac68a9c33b915b374b3f4b505c70870485ad54bb0e15e567fda0e
Instruction ID: 0e9f84cd73ccd56fcd2c5150cd5cb9afb756e9166973fca24242cab2462aaecf
Opcode Fuzzy Hash: 8579633a141ac68a9c33b915b374b3f4b505c70870485ad54bb0e15e567fda0e
Instruction Fuzzy Hash: C6A1BF71604706AFEB14DF24C884FAAB7E9FF44324F104629F999C2190DB34E949EBD2

Uniqueness

Uniqueness Score: -1.00%

Function 00F9B196 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00F9B1DA
_wcscmp.LIBCMT ref: 00F9B1EB
GetWindowTextW.USER32(00000001,?,00000400), ref: 00F9B213
CharUpperBuffW.USER32(?,00000000), ref: 00F9B230
_wcscmp.LIBCMT ref: 00F9B24E
_wcsstr.LIBCMT ref: 00F9B25F
GetClassNameW.USER32(00000018,?,00000400), ref: 00F9B297
_wcscmp.LIBCMT ref: 00F9B2A7
GetWindowTextW.USER32(00000002,?,00000400), ref: 00F9B2CE
GetClassNameW.USER32(00000018,?,00000400), ref: 00F9B317
_wcscmp.LIBCMT ref: 00F9B327
GetClassNameW.USER32(00000010,?,00000400), ref: 00F9B34F
GetWindowRect.USER32(00000004,?), ref: 00F9B3B8

Strings

@, xrefs: 00F9B1BB
ThumbnailClass, xrefs: 00F9B2A2, 00F9B322

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: f1dc6f3035a917ff4761cb9e9d2d637ff91c24d78ad85cbdadb067499c81a6de
Instruction ID: 55701cc262ba5133df3a69fdc1f45295292c8c9d5ebd8579e8ea66ddded3c963
Opcode Fuzzy Hash: f1dc6f3035a917ff4761cb9e9d2d637ff91c24d78ad85cbdadb067499c81a6de
Instruction Fuzzy Hash: 8081C4714083099FEF05DF14DA85FAABBE8EF44724F048469FD858A0A2DB34DD49EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F9AFDF Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00F9B03E

Strings

ACTIVE, xrefs: 00F9B019
ALL, xrefs: 00F9B0D2
[CLASS:, xrefs: 00F9B08E
[ALL, xrefs: 00F9B0E4
CLASSNAME=, xrefs: 00F9B07B
[REGEXPTITLE:, xrefs: 00F9B066
[HANDLE:, xrefs: 00F9B04A
HANDLE=, xrefs: 00F9B037
[LAST, xrefs: 00F9B0EB
LAST, xrefs: 00F9B003
REGEXP=, xrefs: 00F9B053
[ACTIVE, xrefs: 00F9B02B

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 89f860376a0a27aa8faa5ce9db4d0a561928a4dcb4eba3a1bf5479e5966baefb
Instruction ID: b2f21e832906b9477cdf619049b16ff7d8edba297380cd5a2d1eaecb59e28281
Opcode Fuzzy Hash: 89f860376a0a27aa8faa5ce9db4d0a561928a4dcb4eba3a1bf5479e5966baefb
Instruction Fuzzy Hash: 78316D31A48309A6EB24FA60DE43ABFB7649F10B10F200115F951710F2EF59AF14F652

Uniqueness

Uniqueness Score: -1.00%

Function 00F9C2C0 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00F9C2D3
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00F9C2E5
SetWindowTextW.USER32(?,?), ref: 00F9C2FC
GetDlgItem.USER32(?,000003EA), ref: 00F9C311
SetWindowTextW.USER32(00000000,?), ref: 00F9C317
GetDlgItem.USER32(?,000003E9), ref: 00F9C327
SetWindowTextW.USER32(00000000,?), ref: 00F9C32D
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00F9C34E
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00F9C368
GetWindowRect.USER32(?,?), ref: 00F9C371
SetWindowTextW.USER32(?,?), ref: 00F9C3DC
GetDesktopWindow.USER32 ref: 00F9C3E2
GetWindowRect.USER32(00000000), ref: 00F9C3E9
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00F9C435
GetClientRect.USER32(?,?), ref: 00F9C442
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00F9C467
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00F9C492

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: f9eb3a2cfbac113f89e60a900e9c0b0fbb54bcc373675921bbace401ddb5fb4d
Instruction ID: 87ab8543e6d395381cd33cc5b06ad60bf1251feb8ec34ad91405f3b625be55df
Opcode Fuzzy Hash: f9eb3a2cfbac113f89e60a900e9c0b0fbb54bcc373675921bbace401ddb5fb4d
Instruction Fuzzy Hash: 59513D31900709AFEB20DFA8DE86F6EBBB6FF04715F004528E586A75A0C775A944EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FA7DC3 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 378timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00FA7E08
VariantCopy.OLEAUT32(00000000,?), ref: 00FA7E11
VariantClear.OLEAUT32(00000000), ref: 00FA7E1D
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00FA7F0B
__swprintf.LIBCMT ref: 00FA7F3B
VarR8FromDec.OLEAUT32(?,?), ref: 00FA7F67
VariantInit.OLEAUT32(?), ref: 00FA8018
SysFreeString.OLEAUT32(00000016), ref: 00FA80AC
VariantClear.OLEAUT32(?), ref: 00FA8106
VariantClear.OLEAUT32(?), ref: 00FA8115
VariantInit.OLEAUT32(00000000), ref: 00FA8153

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00FA7F35
Default, xrefs: 00FA7FC8

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: a623c13fc827d024802db13df7e9902ce5cb0c805277be6cc1e15056a6a45bc6
Instruction ID: ad0a7f5d5ead2d3c6f8177b9278ce784b378f8e754c903888b13fddea1d7b7dd
Opcode Fuzzy Hash: a623c13fc827d024802db13df7e9902ce5cb0c805277be6cc1e15056a6a45bc6
Instruction Fuzzy Hash: 00D1E3B2A08616DBDF20AF65DC85F6ABBB8FF06710F248095E4059B190CB74DC45FBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FA9CC2 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00FA9D09

Part of subcall function 00F47F41: _memmove.LIBCMT ref: 00F47F82

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00FA9D2A
__swprintf.LIBCMT ref: 00FA9D83
__swprintf.LIBCMT ref: 00FA9D9C
_wprintf.LIBCMT ref: 00FA9E43
_wprintf.LIBCMT ref: 00FA9E61

Strings

Error: , xrefs: 00FA9E0B
"%s" (%d) : ==> %s:, xrefs: 00FA9E5C
Incorrect parameters to object property !, xrefs: 00FA9DE5
Line %d (File "%s"):, xrefs: 00FA9D7D, 00FA9D96
^ ERROR , xrefs: 00FA9DD8
"%s" (%d) : ==> %s:%s%s, xrefs: 00FA9E3E

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: 622d26d43c8a73ebac99bb33ece30b68e1e37854ab5c0de7011db89fbd3debae
Instruction ID: 17880d9491b639ec9c1ef80bf59be6c551b4544ca8733cecc052cc998960c3ae
Opcode Fuzzy Hash: 622d26d43c8a73ebac99bb33ece30b68e1e37854ab5c0de7011db89fbd3debae
Instruction Fuzzy Hash: 3351A171804209ABCF15FBE0CD82EEEBB78AF14700F100161B90572192DB796F59FBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FAA3DC Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00F49997: __itow.LIBCMT ref: 00F499C2
Part of subcall function 00F49997: __swprintf.LIBCMT ref: 00F49A0C

CharLowerBuffW.USER32(?,?), ref: 00FAA455
GetDriveTypeW.KERNEL32 ref: 00FAA4A2
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FAA4EA
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FAA521
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FAA54F

Part of subcall function 00F47D2C: _memmove.LIBCMT ref: 00F47D66

Strings

type cdaudio alias cd wait, xrefs: 00FAA4CD
set cd door , xrefs: 00FAA4F0
open, xrefs: 00FAA47C
close, xrefs: 00FAA45B
open , xrefs: 00FAA4B1
close cd wait, xrefs: 00FAA53A
closed, xrefs: 00FAA469, 00FAA472
wait, xrefs: 00FAA50C

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 93c8d897b0283365589cbec5e249a98794283d2bfdd8c9d796a38195b607daa5
Instruction ID: 6b0bef55849797817099f00307daa4a77c5ee5be4c23c8848af9e40f4125bb6a
Opcode Fuzzy Hash: 93c8d897b0283365589cbec5e249a98794283d2bfdd8c9d796a38195b607daa5
Instruction Fuzzy Hash: D8515B715183049FC700EF20CC9186ABBF4EF88758F14496DF88657261DB75EE0AEB52

Uniqueness

Uniqueness Score: -1.00%

Function 00F9FBDB Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000001,?,00F7E382,00000001,0000138C,00000001,00000001,00000001,?,00000000,00000001), ref: 00F9FC10
LoadStringW.USER32(00000000,?,00F7E382,00000001), ref: 00F9FC19

Part of subcall function 00F47F41: _memmove.LIBCMT ref: 00F47F82

GetModuleHandleW.KERNEL32(00000000,01005310,?,00000FFF,?,?,00F7E382,00000001,0000138C,00000001,00000001,00000001,?,00000000,00000001,00000001), ref: 00F9FC3B
LoadStringW.USER32(00000000,?,00F7E382,00000001), ref: 00F9FC3E
__swprintf.LIBCMT ref: 00F9FC8E
__swprintf.LIBCMT ref: 00F9FC9F
_wprintf.LIBCMT ref: 00F9FD48
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00F9FD5F

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00F9FD43
Error: , xrefs: 00F9FD16
Line %d:, xrefs: 00F9FC99
^ ERROR, xrefs: 00F9FCF4
Line %d (File "%s"):, xrefs: 00F9FC88

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: e58312612a0afb431750941e68aeb0d7d2796a792c863bb0145d6e461ae4531c
Instruction ID: 6294a1dbb644bb708a295a0f52c402881365d7926199fc97979794ad65a2f7b3
Opcode Fuzzy Hash: e58312612a0afb431750941e68aeb0d7d2796a792c863bb0145d6e461ae4531c
Instruction Fuzzy Hash: B741207280421DAADF15FBE0CD86DEEB779AF14700F500165B905B2092DB396F49EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F9E13E Relevance: 21.5, APIs: 11, Strings: 1, Instructions: 475COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00F9E168
VariantInit.OLEAUT32(?), ref: 00F9E212
VariantClear.OLEAUT32(?), ref: 00F9E24C

Strings

$@, xrefs: 00F9E3C4

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Variant$Clear$Init
String ID: $@
API String ID: 3740757921-3337466569
Opcode ID: 4dca5c48d40018b1a1f3e6eb9ac23cdbddacdc5ad6edb1b2e0299ae52bff33e4
Instruction ID: a562e6f725524157402a8c29db4ec502336ba0aa797466def8b4234e290690d4
Opcode Fuzzy Hash: 4dca5c48d40018b1a1f3e6eb9ac23cdbddacdc5ad6edb1b2e0299ae52bff33e4
Instruction Fuzzy Hash: 830282729043119FEB24CF28C885A6ABBE4FF88760F14492EF985DB2A1D770EC45DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F97FD7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F9852A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F98546
Part of subcall function 00F9852A: GetLastError.KERNEL32(?,00F9800A,?,?,?), ref: 00F98550
Part of subcall function 00F9852A: GetProcessHeap.KERNEL32(00000008,?,?,00F9800A,?,?,?), ref: 00F9855F
Part of subcall function 00F9852A: RtlAllocateHeap.NTDLL(00000000,?,00F9800A), ref: 00F98566
Part of subcall function 00F9852A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F9857D

Part of subcall function 00F985C7: GetProcessHeap.KERNEL32(00000008,00F98020,00000000,00000000,?,00F98020,?), ref: 00F985D3
Part of subcall function 00F985C7: RtlAllocateHeap.NTDLL(00000000,?,00F98020), ref: 00F985DA
Part of subcall function 00F985C7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00F98020,?), ref: 00F985EB

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00F9803B
_memset.LIBCMT ref: 00F98050
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00F9806F
GetLengthSid.ADVAPI32(?), ref: 00F98080
GetAce.ADVAPI32(?,00000000,?), ref: 00F980BD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00F980D9
GetLengthSid.ADVAPI32(?), ref: 00F980F6
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00F98105
RtlAllocateHeap.NTDLL(00000000), ref: 00F9810C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00F9812D
CopySid.ADVAPI32(00000000), ref: 00F98134
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00F98165
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00F9818B
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00F9819F

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 2347767575-0
Opcode ID: b21eb6598d7ab05860f48567ec841b60647b89fce3d4b6a8152d85aab1ca3e46
Instruction ID: ac2971d2bda3f71960eb065cdad26f46cab179cc2f3c58d70288c6770ed1389e
Opcode Fuzzy Hash: b21eb6598d7ab05860f48567ec841b60647b89fce3d4b6a8152d85aab1ca3e46
Instruction Fuzzy Hash: 6F616A71900209EFEF10CFA4DC85EEEBB79FF05750F04812AE915A7291DB359A46EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00FA9ED4 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00FCFB78), ref: 00FA9F1B

Part of subcall function 00F47F41: _memmove.LIBCMT ref: 00F47F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 00FA9F3D
__swprintf.LIBCMT ref: 00FA9F96
__swprintf.LIBCMT ref: 00FA9FAF
_wprintf.LIBCMT ref: 00FAA065
_wprintf.LIBCMT ref: 00FAA083

Strings

Error: , xrefs: 00FAA02D
"%s" (%d) : ==> %s:, xrefs: 00FAA07E
^ ERROR, xrefs: 00FAA007
Line %d (File "%s"):, xrefs: 00FA9F90, 00FA9FA9
"%s" (%d) : ==> %s:%s%s, xrefs: 00FAA060

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: 5700b52f1a6b0a7c7c9b28989a3ef101742cd798e4cfc589878950fd31903bca
Instruction ID: 4c65cd15488251aba87df0fe232c6865e9aae8f3a40d9c7dd5fc1fa6e9d9640b
Opcode Fuzzy Hash: 5700b52f1a6b0a7c7c9b28989a3ef101742cd798e4cfc589878950fd31903bca
Instruction Fuzzy Hash: A6517271804219ABCF15FBA0CD86EEEBB78AF15300F104165F905721A1DB396F59FBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FCBA67 Relevance: 21.1, APIs: 14, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00FCBA8A
GetFileSize.KERNEL32(00000000,00000000), ref: 00FCBAA1
GlobalAlloc.KERNEL32(00000002,00000000), ref: 00FCBAAC
CloseHandle.KERNEL32(00000000), ref: 00FCBAB9
GlobalFix.KERNEL32(00000000), ref: 00FCBAC2
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00FCBAD1
GlobalUnWire.KERNEL32(00000000), ref: 00FCBADA
CloseHandle.KERNEL32(00000000), ref: 00FCBAE1
OleLoadPicture.OLEAUT32(?,00000000,00000000,00FD2CAC,?), ref: 00FCBB0B
GlobalFree.KERNEL32(00000000), ref: 00FCBB1B
GetObjectW.GDI32(?,00000018,000000FF), ref: 00FCBB3F
CopyImage.USER32(?,00000000,?,?,00002000), ref: 00FCBB6A
DeleteObject.GDI32(00000000), ref: 00FCBB92
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00FCBBA8

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Global$File$CloseHandleObject$AllocCopyCreateDeleteFreeImageLoadMessagePictureReadSendSizeWire
String ID:
API String ID: 237262595-0
Opcode ID: 074bb82cb30c289d43370e30fd6ebb86b87716f2e58287481f78e2deb2bf19a8
Instruction ID: 946431c05868fd43bbcfb41cfdc1fc154382c45462a92265c815a97ae73827e9
Opcode Fuzzy Hash: 074bb82cb30c289d43370e30fd6ebb86b87716f2e58287481f78e2deb2bf19a8
Instruction Fuzzy Hash: EF415E75900209FFDB119F65DE4AEAABBB9FF89721F104068F905D7250D7309D04EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F46BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00F60AD7: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00F46C6C,?,00008000), ref: 00F60AF3

Part of subcall function 00F448AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F448A1,?,?,?,00F472BA,?,?,?,?,00F4108C), ref: 00F448CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00F46D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 00F46E5A

Part of subcall function 00F459CD: _wcscpy.LIBCMT ref: 00F45A05

Part of subcall function 00F637BD: _iswctype.LIBCMT ref: 00F637C5

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00F7E7EF
Unterminated string, xrefs: 00F7EB3D
Bad directive syntax error, xrefs: 00F7EAF6
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00F7E77A
EA06, xrefs: 00F7E7AB
AU3!, xrefs: 00F46CC1
Error opening the file, xrefs: 00F7E796, 00F7E811

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 418b92577936c5d42e8041131dd871472b1b9597e20b7f1b99532f6a63577011
Instruction ID: 7e40e773a9af6c09635211259e9c728088243fb6ff45a79a557c525dc0da0cf5
Opcode Fuzzy Hash: 418b92577936c5d42e8041131dd871472b1b9597e20b7f1b99532f6a63577011
Instruction Fuzzy Hash: E4029F315083419FC724EF24C881AAFBBE5EF99714F04491EF88997262DB38D949EB43

Uniqueness

Uniqueness Score: -1.00%

Function 00F445DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F445F9
GetMenuItemCount.USER32(01005890), ref: 00F7D6FD
GetMenuItemCount.USER32(01005890), ref: 00F7D7AD
GetCursorPos.USER32(?), ref: 00F7D7F1
SetForegroundWindow.USER32(00000000), ref: 00F7D7FA
TrackPopupMenuEx.USER32(01005890,00000000,?,00000000,00000000,00000000), ref: 00F7D80D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00F7D819

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 032cd1538fb3c74bd328fb924fbe23050f10bdbeca4e0490f59193f105107a83
Instruction ID: 731265963654303021e97f728c43e2ff44cd5fbced97136cca5cca6449c59fa7
Opcode Fuzzy Hash: 032cd1538fb3c74bd328fb924fbe23050f10bdbeca4e0490f59193f105107a83
Instruction Fuzzy Hash: 9371F471A00209BEEB259F14DC45FAAFF75FF05364F248216F518A61D0C7B56810EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F9E488 Relevance: 19.7, APIs: 10, Strings: 1, Instructions: 404COMMON

Download Yara Rule

APIs

Part of subcall function 00F9F1FE: VariantInit.OLEAUT32(?), ref: 00F9F218
Part of subcall function 00F9F1FE: VariantClear.OLEAUT32(00000013), ref: 00F9F28A
Part of subcall function 00F9F1FE: VariantClear.OLEAUT32(?), ref: 00F9F35C

VariantClear.OLEAUT32(?), ref: 00F9E580
VariantInit.OLEAUT32(?), ref: 00F9E5E3

Part of subcall function 00F9F09A: SysStringLen.OLEAUT32(?), ref: 00F9F0A7
Part of subcall function 00F9F09A: lstrcpyW.KERNEL32(00000000,?), ref: 00F9F0D8

VariantClear.OLEAUT32(?), ref: 00F9E442
VariantClear.OLEAUT32(?), ref: 00F9E464
DispCallFunc.OLEAUT32(00000008,?,?,00000015,?,?,?,?), ref: 00F9E649
VariantClear.OLEAUT32(?), ref: 00F9E65B
VariantCopy.OLEAUT32(?,?), ref: 00F9E6C7

Part of subcall function 00F9F16B: VariantCopyInd.OLEAUT32(?,?), ref: 00F9F195
Part of subcall function 00F9F16B: VariantClear.OLEAUT32(?), ref: 00F9F1AC

VariantClear.OLEAUT32(?), ref: 00F9E752
VariantClear.OLEAUT32(?), ref: 00F9E76B
VariantClear.OLEAUT32(?), ref: 00F9E7F1

Strings

$@, xrefs: 00F9E3C4

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Variant$Clear$CopyInit$CallDispFuncStringlstrcpy
String ID: $@
API String ID: 1298823706-3337466569
Opcode ID: ba3264da9a2952b855049148bce3b91dd8e6e2f6ed754f4d1ef4eb8289f450d5
Instruction ID: b4d8a6a50518f1a3ea2e5f8003bffd0dc1781f08af9cb260bff5b7a1d22f0167
Opcode Fuzzy Hash: ba3264da9a2952b855049148bce3b91dd8e6e2f6ed754f4d1ef4eb8289f450d5
Instruction Fuzzy Hash: F1E191B59043119FEB20DF18C884A2ABBE4FF88724F54482EF985D7261D735E845EB52

Uniqueness

Uniqueness Score: -1.00%

Function 00F9FAD2 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00F7E5F9,00000010,?,Bad directive syntax error,00FCF910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00F9FAF3
LoadStringW.USER32(00000000,?,00F7E5F9,00000010), ref: 00F9FAFA

Part of subcall function 00F47F41: _memmove.LIBCMT ref: 00F47F82

_wprintf.LIBCMT ref: 00F9FB2D
__swprintf.LIBCMT ref: 00F9FB4F
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00F9FBBE

Strings

Line %d:, xrefs: 00F9FB49
%s (%d) : ==> %s.: %s %s, xrefs: 00F9FB28
Line %d (File "%s"):, xrefs: 00F9FB64
Error: , xrefs: 00F9FB8C
., xrefs: 00F9FBA4

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: ec5ae48c8f72b7cfd175d82536caaa609cdcda90481140bc540bce4283eb5067
Instruction ID: 1b4195246d8814895c313afb92ebd05ee2caa6e951beba737f26d88e8959862b
Opcode Fuzzy Hash: ec5ae48c8f72b7cfd175d82536caaa609cdcda90481140bc540bce4283eb5067
Instruction Fuzzy Hash: 5D21603294021EABDF12EFA0CC56EEE7B35BF14700F0444A6F915620A2DB75AA58FB51

Uniqueness

Uniqueness Score: -1.00%

Function 00FA536E Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00F47D2C: _memmove.LIBCMT ref: 00F47D66

Part of subcall function 00F47A84: _memmove.LIBCMT ref: 00F47B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00FA53D7
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00FA53ED
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FA53FE
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00FA5410
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00FA5421

Strings

close PlayMe, xrefs: 00FA53E8, 00FA5415
play PlayMe, xrefs: 00FA541C
alias PlayMe, xrefs: 00FA53B0
open , xrefs: 00FA5386
play PlayMe wait, xrefs: 00FA540B
status PlayMe mode, xrefs: 00FA53D2

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 5ac2ee0647ae35e7301faa767baadcaf79eb59db8767ee72aa5f573102263a6b
Instruction ID: e779f3be528972540a05ad44244177e046fa7881e7c3cfe2da76d6b8e14e5386
Opcode Fuzzy Hash: 5ac2ee0647ae35e7301faa767baadcaf79eb59db8767ee72aa5f573102263a6b
Instruction Fuzzy Hash: 4B11B26195022D79DB20F761DC9ADFFBE7CEF96F80F000429BD01A20E1EEA45D45E9A1

Uniqueness

Uniqueness Score: -1.00%

Function 00FA46F8 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 00FA4713
gethostname.WS2_32(?,00000100), ref: 00FA472D
gethostbyname.WS2_32(?), ref: 00FA473A
_wcscpy.LIBCMT ref: 00FA4762
_memmove.LIBCMT ref: 00FA4775
inet_ntoa.WS2_32(?), ref: 00FA4780
_strcat.LIBCMT ref: 00FA478E
_wcscpy.LIBCMT ref: 00FA47A5
WSACleanup.WS2_32 ref: 00FA47B3
_wcscpy.LIBCMT ref: 00FA47C1

Strings

0.0.0.0, xrefs: 00FA475C

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 91856a71c46a457df803abfe1677bfd5771bc7297ce085b57905a1d7531ee1c1
Instruction ID: d07aa261a2d27f5339853fe708341532eded2ca20c2b6d3e37e4b7b027e15328
Opcode Fuzzy Hash: 91856a71c46a457df803abfe1677bfd5771bc7297ce085b57905a1d7531ee1c1
Instruction Fuzzy Hash: 0D11E771D04118AFCB21A720ED4AEEAB7BDDF43721F044175F40597091EFB4AA85B691

Uniqueness

Uniqueness Score: -1.00%

Function 00FA034D Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00FA03C8
SetKeyboardState.USER32(?), ref: 00FA0433
GetAsyncKeyState.USER32(000000A0), ref: 00FA0453
GetKeyState.USER32(000000A0), ref: 00FA046A
GetAsyncKeyState.USER32(000000A1), ref: 00FA0499
GetKeyState.USER32(000000A1), ref: 00FA04AA
GetAsyncKeyState.USER32(00000011), ref: 00FA04D6
GetKeyState.USER32(00000011), ref: 00FA04E4
GetAsyncKeyState.USER32(00000012), ref: 00FA050D
GetKeyState.USER32(00000012), ref: 00FA051B
GetAsyncKeyState.USER32(0000005B), ref: 00FA0544
GetKeyState.USER32(0000005B), ref: 00FA0552

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: d34f928b7e6a02ea5800db43e5e60bb2da10dda52c68ead6d1e5f63e9c253f89
Instruction ID: c14f99a1bd014f0aea814fc45c56e8486c21053af491fd2a61e7660637c06797
Opcode Fuzzy Hash: d34f928b7e6a02ea5800db43e5e60bb2da10dda52c68ead6d1e5f63e9c253f89
Instruction Fuzzy Hash: 6551B9A4D087882EFB35DB6098117AEBFB49F03390F4C859999C2571C3DE649A4CEB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F9C529 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00F9C545
GetWindowRect.USER32(00000000,?), ref: 00F9C557
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00F9C5B5
GetDlgItem.USER32(?,00000002), ref: 00F9C5C0
GetWindowRect.USER32(00000000,?), ref: 00F9C5D2
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00F9C626
GetDlgItem.USER32(?,000003E9), ref: 00F9C634
GetWindowRect.USER32(00000000,?), ref: 00F9C645
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00F9C688
GetDlgItem.USER32(?,000003EA), ref: 00F9C696
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00F9C6B3
InvalidateRect.USER32(?,00000000,00000001), ref: 00F9C6C0

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: a8937dfaa2734fad58e2486ebdeea545af1a3acc893373e0901b92eaf31a1a2d
Instruction ID: 2f52ac211d4bc59a81ae41164e838b7789c6949574a96f2d15987013be73df7e
Opcode Fuzzy Hash: a8937dfaa2734fad58e2486ebdeea545af1a3acc893373e0901b92eaf31a1a2d
Instruction Fuzzy Hash: 9D512F71F00209ABDF18CFA9DD9AEAEBBB6EB88311F14812DF519D7290D7709D049B50

Uniqueness

Uniqueness Score: -1.00%

Function 00F421A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00F425DB: GetWindowLongW.USER32(?,000000EB), ref: 00F425EC

GetSysColor.USER32(0000000F), ref: 00F421D3

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 5f16c5d4d1150342900aa724f5223102177aa0d197f269288e1d6dea260ae650
Instruction ID: 91e4df2d44dcb37fa29a912ade35432d97e034b6b791aa52ead27b9bea6a6e78
Opcode Fuzzy Hash: 5f16c5d4d1150342900aa724f5223102177aa0d197f269288e1d6dea260ae650
Instruction Fuzzy Hash: B841CE31400114EBEB615F28EC88BB93B66EB06331F588275FD658B1E1C7718E42FB61

Uniqueness

Uniqueness Score: -1.00%

Function 00FAA931 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00FCF910), ref: 00FAA995
GetDriveTypeW.KERNEL32(00000061,00FF89A0,00000061), ref: 00FAAA5F
_wcscpy.LIBCMT ref: 00FAAA89

Strings

unknown, xrefs: 00FAAA20
ramdisk, xrefs: 00FAAA09
all, xrefs: 00FAA99B
fixed, xrefs: 00FAA9DD
cdrom, xrefs: 00FAA9B1
network, xrefs: 00FAA9F3
removable, xrefs: 00FAA9C7

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 4bc8c8a13f47b71e33331e1df62836d194527e1ceaa927416e173bca377c50e1
Instruction ID: ff7e2a961935b85ef8bc9bc293f5d4f6b36bd9e70b1748253e57acecbee674e0
Opcode Fuzzy Hash: 4bc8c8a13f47b71e33331e1df62836d194527e1ceaa927416e173bca377c50e1
Instruction Fuzzy Hash: 9C51ED712183019BC710EF14CC92AAFBBE5EF85750F10482DF896972A2DB79D909EA53

Uniqueness

Uniqueness Score: -1.00%

Function 00F49997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00F499C2
__swprintf.LIBCMT ref: 00F49A0C
__i64tow.LIBCMT ref: 00F7F93F

Strings

%.15g, xrefs: 00F49A06
0x%p, xrefs: 00F7F921
False, xrefs: 00F7F907
True, xrefs: 00F7F900

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 96482eced536f8f6ae496ea624a0bfe2c65f9a972f454f5021a287cddd62d9c3
Instruction ID: 1ca4802d14e234322c2ceb97ed0502f45199d98e0d86fa4be6f516af8fc49fe2
Opcode Fuzzy Hash: 96482eced536f8f6ae496ea624a0bfe2c65f9a972f454f5021a287cddd62d9c3
Instruction Fuzzy Hash: E541E632A08205AFDB249B34DC42F7677F4EF44310F20846EE949C7291EA759942F752

Uniqueness

Uniqueness Score: -1.00%

Function 00F97B04 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00F47D2C: _memmove.LIBCMT ref: 00F47D66

_memset.LIBCMT ref: 00F97B93
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00F97BC8
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00F97BE4
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00F97C00
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00F97C2A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00F97C5D
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00F97C62

Strings

\CLSID, xrefs: 00F97B4A
\IPC$, xrefs: 00F97BAA
SOFTWARE\Classes\, xrefs: 00F97B34

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Close$ConnectConnection2OpenQueryRegistryValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 4211336532-22481851
Opcode ID: 7c0cde09e59c0a66913acb13e2389e167576a0f4e9babef3fb9aff1063c9f9b6
Instruction ID: 3124cb76fb7c9aab798eb0aa5cd0ce30220d114c717b3bbdea5e0cc0380b0656
Opcode Fuzzy Hash: 7c0cde09e59c0a66913acb13e2389e167576a0f4e9babef3fb9aff1063c9f9b6
Instruction Fuzzy Hash: 2441E772C1432DABDF15FBA4DC85DEEBB78BF08710B044169E915A3161DB349E09AA90

Uniqueness

Uniqueness Score: -1.00%

Function 00FC7184 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FC719C
CreateMenu.USER32 ref: 00FC71B7
SetMenu.USER32(?,00000000), ref: 00FC71C6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FC7253
IsMenu.USER32(?), ref: 00FC7269
CreatePopupMenu.USER32 ref: 00FC7273
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00FC72A0
DrawMenuBar.USER32 ref: 00FC72A8

Strings

0, xrefs: 00FC7192
F, xrefs: 00FC7294

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: cd54c7d3bc8e311e1befc9cf4bb0e814555aa0315b5a49b4589ca03f3e93aa25
Instruction ID: a52a9ceef7dba27634840be2e23b439599cdb0991cf7c4327cdda7e2a058efb5
Opcode Fuzzy Hash: cd54c7d3bc8e311e1befc9cf4bb0e814555aa0315b5a49b4589ca03f3e93aa25
Instruction Fuzzy Hash: 42415574A0020AEFDB20DF64DA49F9ABBB5FB49310F140429F94AA7350C731A914EFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FC74ED Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00FC7590
CreateCompatibleDC.GDI32(00000000), ref: 00FC7597
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00FC75AA
SelectObject.GDI32(00000000,00000000), ref: 00FC75B2
GetPixel.GDI32(00000000,00000000,00000000), ref: 00FC75BD
DeleteDC.GDI32(00000000), ref: 00FC75C6
GetWindowLongW.USER32(?,000000EC), ref: 00FC75D0
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001,?,?,?,?,00F7CC15,?,?,?,?,?,?,?), ref: 00FC75E4
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00FC75F0

Strings

static, xrefs: 00FC7528

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 0ab3f910c1e8b8942f08615c7a441319bff105d15c3fe41615ee51f561efde8c
Instruction ID: d2384adf13b932b7dfdb3cc19686ba811245a9f23f44ee3bb27a5543008f9a1f
Opcode Fuzzy Hash: 0ab3f910c1e8b8942f08615c7a441319bff105d15c3fe41615ee51f561efde8c
Instruction Fuzzy Hash: 27317071504219BBDF12AF64DE0AFDB7B6AFF09720F150228FA15961A0C735D814EF64

Uniqueness

Uniqueness Score: -1.00%

Function 00F66F80 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F66FBB

Part of subcall function 00F68CA8: __getptd_noexit.LIBCMT ref: 00F68CA8

__gmtime64_s.LIBCMT ref: 00F67054
__gmtime64_s.LIBCMT ref: 00F6708A
__gmtime64_s.LIBCMT ref: 00F670A7
__allrem.LIBCMT ref: 00F670FD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F67119
__allrem.LIBCMT ref: 00F67130
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F6714E
__allrem.LIBCMT ref: 00F67165
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F67183
__invoke_watson.LIBCMT ref: 00F671F4

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 052718bba1bf0176139d2b4506b9c462110ce498a905b37618ee761e7c00cdee
Instruction ID: c45e08f6d2dabb8bb9efd536d8061e0304f98270003dac8f6270c921c6486ca6
Opcode Fuzzy Hash: 052718bba1bf0176139d2b4506b9c462110ce498a905b37618ee761e7c00cdee
Instruction Fuzzy Hash: EF71E772E00716ABE714AE79DC41B5AB3A8AF15334F14823BF514D7281F774EA40AB91

Uniqueness

Uniqueness Score: -1.00%

Function 00FA281F Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FA283A
GetMenuItemInfoW.USER32(01005890,000000FF,00000000,00000030), ref: 00FA289B
SetMenuItemInfoW.USER32(01005890,00000004,00000000,00000030), ref: 00FA28D1
Sleep.KERNEL32(000001F4), ref: 00FA28E3
GetMenuItemCount.USER32(?), ref: 00FA2927
GetMenuItemID.USER32(?,00000000), ref: 00FA2943
GetMenuItemID.USER32(?,-00000001), ref: 00FA296D
GetMenuItemID.USER32(?,?), ref: 00FA29B2
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00FA29F8
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FA2A0C
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FA2A2D

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 368a956d263f24a38ac133eb6bdc9c12dafa649b1b707dc817c25b12630595c1
Instruction ID: b257d7e049121b0c8db4745c71afb9eb2a3f7a5ecc10411f1b0ada51601d1cee
Opcode Fuzzy Hash: 368a956d263f24a38ac133eb6bdc9c12dafa649b1b707dc817c25b12630595c1
Instruction Fuzzy Hash: FC6191B1A00249AFDB61CF68CD88EBFBBB9EB46714F140459F842A3251D735AD05FB21

Uniqueness

Uniqueness Score: -1.00%

Function 00FC6F55 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00FC6FD7
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00FC6FDA
GetWindowLongW.USER32(?,000000F0), ref: 00FC6FFE
_memset.LIBCMT ref: 00FC700F
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00FC7021
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00FC7099

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 1f207e557558a8576f2e9f1fb63641f58cbd7ee66088d216756486f9454f720e
Instruction ID: 4247a6babc6180c86a5b760b3d517a50f2d7cf41feacf4d2fa11b49bf4521210
Opcode Fuzzy Hash: 1f207e557558a8576f2e9f1fb63641f58cbd7ee66088d216756486f9454f720e
Instruction Fuzzy Hash: F0618C75900209AFDB11DFA4CD82FEE77B8EB08710F14415AFA04AB2A1C775AE45EF50

Uniqueness

Uniqueness Score: -1.00%

Function 00F96EEE Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00F96F15
SafeArrayAllocData.OLEAUT32(?), ref: 00F96F6E
VariantInit.OLEAUT32(?), ref: 00F96F80
SafeArrayAccessData.OLEAUT32(?,?), ref: 00F96FA0
VariantCopy.OLEAUT32(?,?), ref: 00F96FF3
SafeArrayUnaccessData.OLEAUT32(?), ref: 00F97007
VariantClear.OLEAUT32(?), ref: 00F9701C
SafeArrayDestroyData.OLEAUT32(?), ref: 00F97029
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F97032
VariantClear.OLEAUT32(?), ref: 00F97044
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F9704F

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 92664af94e0dfafde41187b38a469cfe648d41e6aa717cdb37fc1b5f616058e4
Instruction ID: 2d11ff541996fd62985a136f6e17795adb8fdd14472955e2d2a36960b6a88dce
Opcode Fuzzy Hash: 92664af94e0dfafde41187b38a469cfe648d41e6aa717cdb37fc1b5f616058e4
Instruction Fuzzy Hash: 46416E31E002199FDF04EFA4DC49DAEBBB9EF48314F008069E915E7261DB35A949EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FA003A Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00FA0062
GetAsyncKeyState.USER32(000000A0), ref: 00FA00E3
GetKeyState.USER32(000000A0), ref: 00FA00FE
GetAsyncKeyState.USER32(000000A1), ref: 00FA0118
GetKeyState.USER32(000000A1), ref: 00FA012D
GetAsyncKeyState.USER32(00000011), ref: 00FA0145
GetKeyState.USER32(00000011), ref: 00FA0157
GetAsyncKeyState.USER32(00000012), ref: 00FA016F
GetKeyState.USER32(00000012), ref: 00FA0181
GetAsyncKeyState.USER32(0000005B), ref: 00FA0199
GetKeyState.USER32(0000005B), ref: 00FA01AB

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 29aa44c771643929cad0a815e9dc9da4c4a5a9a6e1125cda0e20e02d3e2e6a10
Instruction ID: 27a7ace7f96f574a3c6c229ef95f31c053a7c505a6d2718738ad184c16a3da0d
Opcode Fuzzy Hash: 29aa44c771643929cad0a815e9dc9da4c4a5a9a6e1125cda0e20e02d3e2e6a10
Instruction Fuzzy Hash: 8D41B8B4D047C969FF318B60A8147E5FEA16F13364F088499D6C6471C2EF9499C8E7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00FB9228 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FB927C
VariantInit.OLEAUT32(?), ref: 00FB934D
VariantInit.OLEAUT32(?), ref: 00FB944E
VariantClear.OLEAUT32(?), ref: 00FB9458
VariantClear.OLEAUT32(?), ref: 00FB94B5

Strings

get__NewEnum, xrefs: 00FB9254
_NewEnum, xrefs: 00FB9236
Incorrect Object type in FOR..IN loop, xrefs: 00FB9431
Null Object assignment in FOR..IN loop, xrefs: 00FB92DD, 00FB940B, 00FB94C3

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$_NewEnum$get__NewEnum
API String ID: 2862541840-1765764032
Opcode ID: 313bb8e90554c94591fdc0f28ccb07827c292507a0b2161bf908fcd5dd33a34a
Instruction ID: a46ffa44eddd2803dd73ea24ae0e3898729bc8cbd2db0d99dc7044ee6123a175
Opcode Fuzzy Hash: 313bb8e90554c94591fdc0f28ccb07827c292507a0b2161bf908fcd5dd33a34a
Instruction Fuzzy Hash: E0917F71E04219EBDF24DFA6C844FEEBBB8EF45720F108559E605AB280D7B09905DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F562F2 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F563A8
_memmove.LIBCMT ref: 00F56444
_memset.LIBCMT ref: 00F56468

Strings

internal error: opcode not recognized, xrefs: 00F5647B
argument not compiled in 16 bit mode, xrefs: 00F910CD
failed to get memory, xrefs: 00F56486
internal error: missing capturing bracket, xrefs: 00F910D5
argument is not a compiled regular expression, xrefs: 00F910DD
ERCP, xrefs: 00F56313

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP$argument is not a compiled regular expression$argument not compiled in 16 bit mode$failed to get memory$internal error: missing capturing bracket$internal error: opcode not recognized
API String ID: 2532777613-264027815
Opcode ID: c02a6697a6642a49600012126e8eca500ee944ebfcea228ac4eacc9cfbc69342
Instruction ID: ac73608bd7e9dc2fbffe471e587fb1a6e196a3fb75404dfdb61dcb50ddcb01e0
Opcode Fuzzy Hash: c02a6697a6642a49600012126e8eca500ee944ebfcea228ac4eacc9cfbc69342
Instruction Fuzzy Hash: 6951C371D00309DBDB24CF55C8817AAB7F4FF04315F20856EEA5ACB251E775AA88EB40

Uniqueness

Uniqueness Score: -1.00%

Function 00F99251 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F47F41: _memmove.LIBCMT ref: 00F47F82

Part of subcall function 00F9AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 00F9AEC7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00F992D6
GetDlgCtrlID.USER32 ref: 00F992E1
GetParent.USER32 ref: 00F992FD
SendMessageW.USER32(00000000,?,00000111,?), ref: 00F99300
GetDlgCtrlID.USER32(?), ref: 00F99309
GetParent.USER32(?), ref: 00F99325
SendMessageW.USER32(00000000,?,?,00000111), ref: 00F99328

Strings

ComboBox, xrefs: 00F9925E
ListBox, xrefs: 00F99293

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 132e8118fe7d16eda80e8cd74d8baae03b7259463f2d26ef711a60ae4a3f4166
Instruction ID: b0abd84ac823fe4ec6b49b08ea348866b544548936cdaa72a28e54a692b7f44b
Opcode Fuzzy Hash: 132e8118fe7d16eda80e8cd74d8baae03b7259463f2d26ef711a60ae4a3f4166
Instruction Fuzzy Hash: C221C470D04208BBDF04AB65CC86EFDBB69EF59310F100159B961972E1DB795819FB20

Uniqueness

Uniqueness Score: -1.00%

Function 00F9933C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F47F41: _memmove.LIBCMT ref: 00F47F82

Part of subcall function 00F9AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 00F9AEC7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00F993BF
GetDlgCtrlID.USER32 ref: 00F993CA
GetParent.USER32 ref: 00F993E6
SendMessageW.USER32(00000000,?,00000111,?), ref: 00F993E9
GetDlgCtrlID.USER32(?), ref: 00F993F2
GetParent.USER32(?), ref: 00F9940E
SendMessageW.USER32(00000000,?,?,00000111), ref: 00F99411

Strings

ComboBox, xrefs: 00F99349
ListBox, xrefs: 00F9937E

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 4aad9580fadef695f8957bb5b224abc2c2c459568900fb896154087b3b0e368b
Instruction ID: 5d3394024508f2e3fbb669938838db59a8d973aadfc2bef30c11f9cce83c10c2
Opcode Fuzzy Hash: 4aad9580fadef695f8957bb5b224abc2c2c459568900fb896154087b3b0e368b
Instruction Fuzzy Hash: 9921D6709002087BDF10ABA5CC85EFEBB79EF54300F104019F951972A1DB795819FB20

Uniqueness

Uniqueness Score: -1.00%

Function 00F99425 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00F99431
GetClassNameW.USER32(00000000,?,00000100), ref: 00F99446
_wcscmp.LIBCMT ref: 00F99458
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00F994D3

Strings

largeicons, xrefs: 00F99467
list, xrefs: 00F994B5
SHELLDLL_DefView, xrefs: 00F99452
details, xrefs: 00F99481
smallicons, xrefs: 00F9949B

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: b30caf58e943f058e38463e86d30f896e88f49dc5ae7adcf320a0f5fbee7b231
Instruction ID: b8f2ad1769dfcff98bd2a540ad90160ebb76ac4b75a182e0af747946f9fcc0f9
Opcode Fuzzy Hash: b30caf58e943f058e38463e86d30f896e88f49dc5ae7adcf320a0f5fbee7b231
Instruction Fuzzy Hash: B9113A3764C30ABAFE22662CAC07DA6B39C8F04730B20802AFA00E10F1FAD1A8567540

Uniqueness

Uniqueness Score: -1.00%

Function 00FA7A39 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00FA7B15

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 766a162df1c8af06f90f3f52da0b9f0b1347070020bfc7bf8533697b41011fdd
Instruction ID: eb11b819ded64d184003e25af3bca9d48d8ad5981502d3eda971f0fd1b3ce431
Opcode Fuzzy Hash: 766a162df1c8af06f90f3f52da0b9f0b1347070020bfc7bf8533697b41011fdd
Instruction Fuzzy Hash: 11B182B190431A9FDB10EF94CC85FBEB7B5EF4A321F244469E500EB251D734A945EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FA3F8E Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00FA3FA2
__swprintf.LIBCMT ref: 00FA3FAF

Part of subcall function 00F63818: __woutput_l.LIBCMT ref: 00F63871

FindResourceW.KERNEL32(?,?,0000000E), ref: 00FA3FD9
LoadResource.KERNEL32(?,00000000), ref: 00FA3FE5
LockResource.KERNEL32(00000000), ref: 00FA3FF2
FindResourceW.KERNEL32(?,?,00000003), ref: 00FA4012
LoadResource.KERNEL32(?,00000000), ref: 00FA4024
SizeofResource.KERNEL32(?,00000000), ref: 00FA4033
LockResource.KERNEL32(?), ref: 00FA403F
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00FA40A0

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: dd768d2decc9d47cab681acd618208da71d2b52ddf892e53d363f559f4335039
Instruction ID: 0443b876387d19f0306c3ed18413afc0c1cb5d52469ea3aa9df71ab79bb3636e
Opcode Fuzzy Hash: dd768d2decc9d47cab681acd618208da71d2b52ddf892e53d363f559f4335039
Instruction Fuzzy Hash: 903192B190120AAFDB119F60DD45EBBBBAEEF45301F048425FA01D3141D775EA65FBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FA14FF Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00FA1521
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00FA0599,?,00000001), ref: 00FA1535
GetWindowThreadProcessId.USER32(00000000), ref: 00FA153C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FA0599,?,00000001), ref: 00FA154B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00FA155D
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FA0599,?,00000001), ref: 00FA1576
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FA0599,?,00000001), ref: 00FA1588
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00FA0599,?,00000001), ref: 00FA15CD
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00FA0599,?,00000001), ref: 00FA15E2
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00FA0599,?,00000001), ref: 00FA15ED

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 5ef068281bc0f16fb18133d6b210a7c427883056c506630a56b5daf40b6ad7b3
Instruction ID: 6b5741aa37cccbcb222fd0333685bc8eda9e2023cb034d38539648e11e975513
Opcode Fuzzy Hash: 5ef068281bc0f16fb18133d6b210a7c427883056c506630a56b5daf40b6ad7b3
Instruction Fuzzy Hash: 7A31E3B5D00208BFEB219F90DE45F7A77ABFB85361F594019F901C7180D7769D44AB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F7BF22 Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00F42231
SetTextColor.GDI32(?,000000FF), ref: 00F4223B
SetBkMode.GDI32(?,00000001), ref: 00F42250
GetStockObject.GDI32(00000005), ref: 00F42258
GetClientRect.USER32(?), ref: 00F7BF3B
SendMessageW.USER32(?,00001328,00000000,?), ref: 00F7BF52
GetWindowDC.USER32(?), ref: 00F7BF5E
GetPixel.GDI32(00000000,?,?), ref: 00F7BF6D
ReleaseDC.USER32(?,00000000), ref: 00F7BF7F
GetSysColor.USER32(00000005), ref: 00F7BF9D

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID:
API String ID: 3430376129-0
Opcode ID: 8c2fac62bc9db9fbc262606fe756cc4549182e658a6b2ef1c46714e7034882ee
Instruction ID: eb1019475b6694dbc41702db9319498be040b7d2721dd54c01de73c86befd464
Opcode Fuzzy Hash: 8c2fac62bc9db9fbc262606fe756cc4549182e658a6b2ef1c46714e7034882ee
Instruction Fuzzy Hash: F8218932500208EFEB605FA4ED0AFE9BBA2EB09331F144235FA25960E1CB310A55FF11

Uniqueness

Uniqueness Score: -1.00%

Function 00F9A473 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00F9A844), ref: 00F9A782

Strings

CLASSNN, xrefs: 00F9A524
NAME, xrefs: 00F9A5B4
TEXT, xrefs: 00F9A6B9
REGEXPCLASS, xrefs: 00F9A547
INSTANCE, xrefs: 00F9A690
CLASS, xrefs: 00F9A501

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: a35c65568fe93b111d82aeb719e284593729f5ffd427424f17dcb967044be25c
Instruction ID: 130c72efb6c3531398f3a12af3c87759c83906b87d6f80498de400ea865b2042
Opcode Fuzzy Hash: a35c65568fe93b111d82aeb719e284593729f5ffd427424f17dcb967044be25c
Instruction Fuzzy Hash: 4691C230A0460AABEF18EF70C882BE9FB74BF04314F148119E959A7151DF346999FBD2

Uniqueness

Uniqueness Score: -1.00%

Function 00F42E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00F42EAE

Part of subcall function 00F41DB3: GetClientRect.USER32(?,?), ref: 00F41DDC
Part of subcall function 00F41DB3: GetWindowRect.USER32(?,?), ref: 00F41E1D
Part of subcall function 00F41DB3: ScreenToClient.USER32(?,?), ref: 00F41E45

GetDC.USER32 ref: 00F7CEB2
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00F7CEC5
SelectObject.GDI32(00000000,00000000), ref: 00F7CED3
SelectObject.GDI32(00000000,00000000), ref: 00F7CEE8
ReleaseDC.USER32(?,00000000), ref: 00F7CEF0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00F7CF7B

Strings

U, xrefs: 00F7CE50

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: b99e91107782cf4bc769b8567367505ab8b12e7b62721a4fca7986589e3c80d8
Instruction ID: 216ca7e0dba74d549daa28cc732762d2de3f1c27702081fb8712534b6f77ee35
Opcode Fuzzy Hash: b99e91107782cf4bc769b8567367505ab8b12e7b62721a4fca7986589e3c80d8
Instruction Fuzzy Hash: BC718031900205DFCF218F64CC85AEA7BB6FF49360F14826AFD595A266C7359841FFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F4201B Relevance: 13.7, APIs: 9, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F41B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F42036,?,00000000,?,?,?,?,00F416CB,00000000,?), ref: 00F41B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00F420D3
KillTimer.USER32(-00000001,?,?,?,?,00F416CB,00000000,?,?,00F41AE2,?,?), ref: 00F4216E
DestroyAcceleratorTable.USER32(00000000), ref: 00F7BE26
DeleteObject.GDI32(00000000), ref: 00F7BE9C

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 2402799130-0
Opcode ID: d7dab339239859f0ab8350eed2fffcedd5d29e07eb50b4020a82e9c43a20168b
Instruction ID: 337469aef143dbccde4cbf9ab139e4887f56f821b9d27d766d366bb863257abf
Opcode Fuzzy Hash: d7dab339239859f0ab8350eed2fffcedd5d29e07eb50b4020a82e9c43a20168b
Instruction Fuzzy Hash: FC619F31900600DFDB369F18DD49B2ABBF2FF40322F908429E98697A64C775A985FF51

Uniqueness

Uniqueness Score: -1.00%

Function 00FA4D68 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FA46AF: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00FA36DB,?), ref: 00FA46CC

Part of subcall function 00FA46AF: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00FA36DB,?), ref: 00FA46E5

Part of subcall function 00FA4AD8: GetFileAttributesW.KERNEL32(?,00FA374F), ref: 00FA4AD9

lstrcmpiW.KERNEL32(?,?), ref: 00FA4DE7
_wcscmp.LIBCMT ref: 00FA4E01
MoveFileW.KERNEL32(?,?), ref: 00FA4E1C

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: ac4017b4228d8054f4b749667e280dc6f6aee097323fc4916c25bc5226f0918c
Instruction ID: fc3b132d696469094a29cd662e9571a4a5924b28919abfce10e32f3a3b7ee6ef
Opcode Fuzzy Hash: ac4017b4228d8054f4b749667e280dc6f6aee097323fc4916c25bc5226f0918c
Instruction Fuzzy Hash: C75132B24087859BC764EB90DC819DFB7ECAF85310F10092EB585D3152EF78B68C9766

Uniqueness

Uniqueness Score: -1.00%

Function 00FC8677 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00FC8731

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: cadef0ebe8db757e0625fa3ec61bd0c035ed6a323df2f4379270a5ef3075c502
Instruction ID: 81c5c2d4625bafc881403c806eca038d17d99ee51bb9585e96a73f520f5fbbd1
Opcode Fuzzy Hash: cadef0ebe8db757e0625fa3ec61bd0c035ed6a323df2f4379270a5ef3075c502
Instruction Fuzzy Hash: 4C51C530900206BEEF209B24CE87F997B65EF053A0F604529FA15E65E0CF75AD81FB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F42B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00F7C477
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00F7C499
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00F7C4B1
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00F7C4CF
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00F7C4F0
DestroyCursor.USER32(00000000), ref: 00F7C4FF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00F7C51C
DestroyCursor.USER32(?), ref: 00F7C52B

Part of subcall function 00FCA4E1: DeleteObject.GDI32(00000000), ref: 00FCA51A

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: CursorDestroyExtractIconImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2975913752-0
Opcode ID: 12e3535068606b0b11bbf9eb15407329020997ff37ac210259e22498a6f5b0a4
Instruction ID: 743b2945c79dc8518c7f2cb2d850c4114c6ca02029b02ad7b2010e1fd349afa5
Opcode Fuzzy Hash: 12e3535068606b0b11bbf9eb15407329020997ff37ac210259e22498a6f5b0a4
Instruction Fuzzy Hash: 3C518970A10209EFDB24DF24DC46FAA7BB5FB58320F504129F946A7290D770ED90EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F99930 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F9AC37: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F9AC57
Part of subcall function 00F9AC37: GetCurrentThreadId.KERNEL32 ref: 00F9AC5E
Part of subcall function 00F9AC37: AttachThreadInput.USER32(00000000,?,00F9987C,?,00000001), ref: 00F9AC65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00F99950
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00F9996D
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00F99970
MapVirtualKeyW.USER32(00000025,00000000), ref: 00F99979
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00F99997
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00F9999A
MapVirtualKeyW.USER32(00000025,00000000), ref: 00F999A3
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00F999BA
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00F999BD

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 9dd122a19ce702f91959a82c7dabebf1b3232042219ebe3f48738790cc124922
Instruction ID: 9d10a28cf7779634776baf56b8a91f583f18d8901641004d0f0ec65a66926305
Opcode Fuzzy Hash: 9dd122a19ce702f91959a82c7dabebf1b3232042219ebe3f48738790cc124922
Instruction Fuzzy Hash: EF11E17155061CBFFB106B65CC8AF6ABB2EEB4C755F110429F244AB0A1C9F35C10EAA4

Uniqueness

Uniqueness Score: -1.00%

Function 00F98BE3 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00F98864,00000B00,?,?), ref: 00F98BEC
RtlAllocateHeap.NTDLL(00000000,?,00F98864), ref: 00F98BF3
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00F98864,00000B00,?,?), ref: 00F98C08
GetCurrentProcess.KERNEL32(?,00000000,?,00F98864,00000B00,?,?), ref: 00F98C10
DuplicateHandle.KERNEL32(00000000,?,00F98864,00000B00,?,?), ref: 00F98C13
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00F98864,00000B00,?,?), ref: 00F98C23
GetCurrentProcess.KERNEL32(00F98864,00000000,?,00F98864,00000B00,?,?), ref: 00F98C2B
DuplicateHandle.KERNEL32(00000000,?,00F98864,00000B00,?,?), ref: 00F98C2E
CreateThread.KERNEL32(00000000,00000000,00F98C54,00000000,00000000,00000000), ref: 00F98C48

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
String ID:
API String ID: 1422014791-0
Opcode ID: 48bb85d4df3b05d23b3633e5b9b7e4cadd80cf6232a9b8d72b410217de9e19c3
Instruction ID: af7a11ad050431b4717c500664c3f5786b712d6fc583eaaf3f984e403977f021
Opcode Fuzzy Hash: 48bb85d4df3b05d23b3633e5b9b7e4cadd80cf6232a9b8d72b410217de9e19c3
Instruction Fuzzy Hash: 7001BBB5240348FFEB10ABA5DD4EF6B7BADEB89711F044421FA05DB1A1CA719804DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00FB9C38 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00FB9CB9, 00FB9FDD
Not an Object type, xrefs: 00FB9C90

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 1fcde83d07ddcf53bb19916f936ab41c5ca8a0c2f80bd2bbe3dbca4e244150d7
Instruction ID: 5bb61e5c3eb1f911108ce01365bf2f5cfb47a425d740a33d1572408182292931
Opcode Fuzzy Hash: 1fcde83d07ddcf53bb19916f936ab41c5ca8a0c2f80bd2bbe3dbca4e244150d7
Instruction Fuzzy Hash: F5C18071A0421A9BDF14DFAAC884BEEB7B5EF48324F148429EA05E7280D7B0DD45DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00FA302E Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00FA30CD

Strings

question, xrefs: 00FA3086
warning, xrefs: 00FA30B6
stop, xrefs: 00FA309E
info, xrefs: 00FA306E
blank, xrefs: 00FA304F

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 32f57232f17a718367c580b5abaf1549fdf3c9b72a14cabf983c16f9049671d9
Instruction ID: 4335fe3df3cbd19ef51172b4f19ab252a3480343b8b717540ff29fbe1d0667e9
Opcode Fuzzy Hash: 32f57232f17a718367c580b5abaf1549fdf3c9b72a14cabf983c16f9049671d9
Instruction Fuzzy Hash: 3711EB7660C34BBED7209B54DC43D7A77AC9F06378F14802AF60096181DBB5AF4175A5

Uniqueness

Uniqueness Score: -1.00%

Function 00FA4339 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00FA4353
LoadStringW.USER32(00000000), ref: 00FA435A
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00FA4370
LoadStringW.USER32(00000000), ref: 00FA4377
_wprintf.LIBCMT ref: 00FA439D
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00FA43BB

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00FA4398

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 62161b4c253583ac40aa73c2aa4d269401972a4d9a5adad227e36ba69a42cfbe
Instruction ID: e810611ad9ba34b7be51579c0d654539586578f9da32ca4b71044273b17cefc1
Opcode Fuzzy Hash: 62161b4c253583ac40aa73c2aa4d269401972a4d9a5adad227e36ba69a42cfbe
Instruction Fuzzy Hash: 030162F290020CBFEB119BA0DE8AEF6B76DDB08301F4005A5B705E3051EA759E897B75

Uniqueness

Uniqueness Score: -1.00%

Function 00F42A5A Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?), ref: 00F42ACF
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00F42B17
ShowWindow.USER32(FFFFFFFF,00000006), ref: 00F7C39A
ShowWindow.USER32(FFFFFFFF,?), ref: 00F7C406

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 595453b5877f94244ff66ab4111d5b95ea41e29010d45442b7aea9644462273d
Instruction ID: faac14d6f9b9c900219ed6c27aed6f3980fee5c1cec01450c1f0a8270b790ace
Opcode Fuzzy Hash: 595453b5877f94244ff66ab4111d5b95ea41e29010d45442b7aea9644462273d
Instruction Fuzzy Hash: B341F831A046809AD7B59B38CD8CB6A7F92EB85320F94C83EFC4B97560C67D9845F711

Uniqueness

Uniqueness Score: -1.00%

Function 00FA716F Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00FA7186

Part of subcall function 00F60F36: std::exception::exception.LIBCMT ref: 00F60F6C
Part of subcall function 00F60F36: __CxxThrowException@8.LIBCMT ref: 00F60F81

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00FA71BD
RtlEnterCriticalSection.NTDLL(?), ref: 00FA71D9
_memmove.LIBCMT ref: 00FA7227
_memmove.LIBCMT ref: 00FA7244
RtlLeaveCriticalSection.NTDLL(?), ref: 00FA7253
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00FA7268
InterlockedExchange.KERNEL32(?,000001F6), ref: 00FA7287

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 65b78b13d72ba14aec07b8f9ff6d53d2279170cab6ce4b0040a172fe5186ca06
Instruction ID: 4aff78cd5a5760268112e655211bb44e0e67cec7de3d6ea192ff6db9eb258fe9
Opcode Fuzzy Hash: 65b78b13d72ba14aec07b8f9ff6d53d2279170cab6ce4b0040a172fe5186ca06
Instruction Fuzzy Hash: A2319071900205EBCB10EF54DD86EABB7B8EF45310B2441A5F904AB246DB709E15EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FC6205 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00FC621D
GetDC.USER32(00000000), ref: 00FC6225
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FC6230
ReleaseDC.USER32(00000000,00000000), ref: 00FC623C
CreateFontW.GDI32(?,00000000,00000000,00000000,?,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00FC6278
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00FC6289
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00FC62C3
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00FC62E3

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 604738e106253fae96a07c79e602d2cffe9b81a79671b7395cbad9a15b7a819d
Instruction ID: 1f68b9fc6a51d4b887c5e29bc88e9bb65aff3b4ece22a75c0d4183ac186a17f3
Opcode Fuzzy Hash: 604738e106253fae96a07c79e602d2cffe9b81a79671b7395cbad9a15b7a819d
Instruction Fuzzy Hash: FF319F72200214BFEF118F14DD4AFEA7BAAEF09721F040069FE08DA291C6759C45EB64

Uniqueness

Uniqueness Score: -1.00%

Function 00F9BE71 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00F9BE86
_memcmp.LIBCMT ref: 00F9BEA8
_memcmp.LIBCMT ref: 00F9BEC0
_memcmp.LIBCMT ref: 00F9BED3
_memcmp.LIBCMT ref: 00F9BEED
_memcmp.LIBCMT ref: 00F9BF00
_memcmp.LIBCMT ref: 00F9BF18
_memcmp.LIBCMT ref: 00F9BF33

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 7cfac0bade345bcb9f5d767e0614f98aa3440dca5dd528fa27a5b10eecc5cda8
Instruction ID: ec54fe37ace0cf6411c23f23ce9d03be7c3d8deb1eb703adb5ab4b317822a208
Opcode Fuzzy Hash: 7cfac0bade345bcb9f5d767e0614f98aa3440dca5dd528fa27a5b10eecc5cda8
Instruction Fuzzy Hash: 2221C2A6A042067BFB157521AF46FFB335DAE70369B0C0011FE0496242F796DE14B6F2

Uniqueness

Uniqueness Score: -1.00%

Function 00F65F1C Relevance: 12.1, APIs: 8, Instructions: 82threadCOMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 00F65F1D

Part of subcall function 00F69B44: GetLastError.KERNEL32(?,?,00F68CAD,00F74FF7,?,00F6A2F2,00000003,00F6323D,?,00F69DAE,00000011,?,?,00F6339E,00000008,00F62DD9), ref: 00F69B46
Part of subcall function 00F69B44: __calloc_crt.LIBCMT ref: 00F69B67
Part of subcall function 00F69B44: __initptd.LIBCMT ref: 00F69B89
Part of subcall function 00F69B44: GetCurrentThreadId.KERNEL32 ref: 00F69B90
Part of subcall function 00F69B44: SetLastError.KERNEL32(00000000,?,00F68CAD,00F74FF7,?,00F6A2F2,00000003,00F6323D,?,00F69DAE,00000011,?,?,00F6339E,00000008,00F62DD9), ref: 00F69BA8

CloseHandle.KERNEL32(?,?,00F65EFC), ref: 00F65F31
__freeptd.LIBCMT ref: 00F65F38
RtlExitUserThread.NTDLL(00000000,?,00F65EFC), ref: 00F65F40
GetLastError.KERNEL32(?,?,00F65EFC), ref: 00F65F70
RtlExitUserThread.NTDLL(00000000,?,?,00F65EFC), ref: 00F65F77
__freefls@4.LIBCMT ref: 00F65F93

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLastThread$ExitUser$CloseCurrentHandle__calloc_crt__freefls@4__freeptd__getptd_noexit__initptd
String ID:
API String ID: 3304096619-0
Opcode ID: 7a6d4820d0d801e0c3256b6abcc8d8414864925af89a4ed7428673d1a8fec44d
Instruction ID: a149b14c62491ef0bb4b7ba88a3f6aecab95c90a22b9e063aff42a318a16619a
Opcode Fuzzy Hash: 7a6d4820d0d801e0c3256b6abcc8d8414864925af89a4ed7428673d1a8fec44d
Instruction Fuzzy Hash: 6A21F935808605ABC7217BB8CD46A5EB7A9FF00720F108529F958DB255EB38DC45F792

Uniqueness

Uniqueness Score: -1.00%

Function 00F41424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6d12c6de5fb8cd783924ab64f83e50577b79063549d537c4d4c10533c998549
Instruction ID: 9d599aba75dee80f61eed5d1f728d6d2eced69fdb8ce8a62258545ee773814a7
Opcode Fuzzy Hash: e6d12c6de5fb8cd783924ab64f83e50577b79063549d537c4d4c10533c998549
Instruction Fuzzy Hash: BC715B31900109EFCB14CF98CC49ABEBF79FF86320F248159F915AA251D734AA91EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00FCB385 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01741FF0), ref: 00FCB41F
IsWindowEnabled.USER32(01741FF0), ref: 00FCB42B
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00FCB50F
SendMessageW.USER32(01741FF0,000000B0,?,?), ref: 00FCB546
IsDlgButtonChecked.USER32(?,?), ref: 00FCB583
GetWindowLongW.USER32(01741FF0,000000EC), ref: 00FCB5A5
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00FCB5BD

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 725c43afab4968055bdabbbea20b3280e0e21e4154e12f838916b1d05da20857
Instruction ID: aa2729762acaf8a1e181cc23ceb4f25d807e5f358ccecdc259691d73da48332b
Opcode Fuzzy Hash: 725c43afab4968055bdabbbea20b3280e0e21e4154e12f838916b1d05da20857
Instruction Fuzzy Hash: E871B238A08246AFEB25DF54CA97FAABBA9FF49310F14405DE98597252C731A844EB10

Uniqueness

Uniqueness Score: -1.00%

Function 00FA127E Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00FA12BD
GetKeyboardState.USER32(?), ref: 00FA12D2
SetKeyboardState.USER32(?), ref: 00FA1333
PostMessageW.USER32(?,00000101,00000010,?), ref: 00FA1361
PostMessageW.USER32(?,00000101,00000011,?), ref: 00FA1380
PostMessageW.USER32(?,00000101,00000012,?), ref: 00FA13C6
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00FA13E9

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: c006d13816c94a6e27701370b6ab84f016847e696ce371c521b461bea8397e3d
Instruction ID: 2958264068cafd92596cefcebead948f65679f1f0ef315a52008a1036f0f0374
Opcode Fuzzy Hash: c006d13816c94a6e27701370b6ab84f016847e696ce371c521b461bea8397e3d
Instruction Fuzzy Hash: F851E2E0E147D53DFB3686288C45BBABEE97B07314F098589E0D5468C2C6D9EC98F760

Uniqueness

Uniqueness Score: -1.00%

Function 00FA56A4 Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,00000200,?), ref: 00FA56B1
_wcsncpy.LIBCMT ref: 00FA56E6
_wcsncpy.LIBCMT ref: 00FA5718
_wcsncpy.LIBCMT ref: 00FA574B
_wcsncpy.LIBCMT ref: 00FA578D
_wcsncpy.LIBCMT ref: 00FA57C7
_wcsncpy.LIBCMT ref: 00FA57F6

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 8a54902e73bfb1c9feb448c39fb473190ec22a9eef910fe2a627a1b603244842
Instruction ID: 5b28d084481ae2340358f9f5400181ab1fd26f92ff22ae44d9cd701bfb9113a8
Opcode Fuzzy Hash: 8a54902e73bfb1c9feb448c39fb473190ec22a9eef910fe2a627a1b603244842
Instruction Fuzzy Hash: 9B41B3A6C20A1875CB51FBB49C469DFB7B8AF05710F108466F918E3162E738A744E3E5

Uniqueness

Uniqueness Score: -1.00%

Function 00FA36B5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FA46AF: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00FA36DB,?), ref: 00FA46CC

Part of subcall function 00FA46AF: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00FA36DB,?), ref: 00FA46E5

lstrcmpiW.KERNEL32(?,?), ref: 00FA36FB
_wcscmp.LIBCMT ref: 00FA3717
MoveFileW.KERNEL32(?,?), ref: 00FA372F
_wcscat.LIBCMT ref: 00FA3777
SHFileOperationW.SHELL32(?), ref: 00FA37E3

Strings

\*.*, xrefs: 00FA3771

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: ca314d4997b0b26f853bf55b2d92a626c2e3ec2e3209d10118b04cbe97a1a345
Instruction ID: 24e2c0582f94ddf4b8027833000306b306b25ff75e935fa328adfc4073021409
Opcode Fuzzy Hash: ca314d4997b0b26f853bf55b2d92a626c2e3ec2e3209d10118b04cbe97a1a345
Instruction Fuzzy Hash: 33416FF250C345AAC751EF64D841ADBB7E8EF8A350F00092EF48AC3151EA78D788E756

Uniqueness

Uniqueness Score: -1.00%

Function 00FC72C3 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FC72DC
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FC7383
IsMenu.USER32(?), ref: 00FC739B
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00FC73E3
DrawMenuBar.USER32 ref: 00FC73F6

Strings

0, xrefs: 00FC72D0

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 0b96bfffed167828ddee36d24a90214d00952dc9ed5df668d2eccd05a6c6cc6d
Instruction ID: ebd6314e76394468b9a8e5ee8113640675d4f5ef4a8f1b9ca75f0a56741e496e
Opcode Fuzzy Hash: 0b96bfffed167828ddee36d24a90214d00952dc9ed5df668d2eccd05a6c6cc6d
Instruction Fuzzy Hash: 87413875A0430AEFDB21EF50D985E9ABBF9FB04324F048029ED55A7260D731AD54EFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F9F98F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00F9F9A2
__wcsnicmp.LIBCMT ref: 00F9F9C3
__wcsnicmp.LIBCMT ref: 00F9F9DD

Strings

#notrayicon, xrefs: 00F9F99A
#requireadmin, xrefs: 00F9F9BD
#OnAutoItStartRegister, xrefs: 00F9F9D7

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 7506e891a635297bf71208804fce010e20ab3844bd7cb5e2b87ec4336d27fef7
Instruction ID: 39e99bd8e9b104965dfc6c3fd46bbd8f9b4942ff8f7c779779167f082e52fa1b
Opcode Fuzzy Hash: 7506e891a635297bf71208804fce010e20ab3844bd7cb5e2b87ec4336d27fef7
Instruction Fuzzy Hash: 9F21293350861176EB31AA259C02FBB73D9DF65320F644036F88AC6182EB999D4AF395

Uniqueness

Uniqueness Score: -1.00%

Function 00F64112 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 00F64123
GetProcAddress.KERNEL32(00000000), ref: 00F6412A
RtlEncodePointer.NTDLL(00000000), ref: 00F64136
RtlDecodePointer.NTDLL(00000001), ref: 00F64153

Strings

RoInitialize, xrefs: 00F64112
combase.dll, xrefs: 00F6411E

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: dffa20a635da77f2f43e09ce1467f8368e5b405235ef8f6a1eeeb16330ddc0cf
Instruction ID: c394c8458f3c7dadd6c689474ef3d58f50b308668b388713f8aaf066c1534880
Opcode Fuzzy Hash: dffa20a635da77f2f43e09ce1467f8368e5b405235ef8f6a1eeeb16330ddc0cf
Instruction Fuzzy Hash: 59E04670690344AFEB222B70ED0AF847AA7BB5AB02F104025B441DA1A4CABA8048AB00

Uniqueness

Uniqueness Score: -1.00%

Function 00F641E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 17libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize), ref: 00F641F8
GetProcAddress.KERNEL32(00000000), ref: 00F641FF
RtlEncodePointer.NTDLL(00000000), ref: 00F6420A
RtlDecodePointer.NTDLL ref: 00F64225

Strings

RoUninitialize, xrefs: 00F641E7
combase.dll, xrefs: 00F641F3

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 595d36a6fc4361b583acd016d83d03845fbe6f17b7da33bf1717b3b18b1e8ad4
Instruction ID: 4bc85a91ea7442dfbf183e1c6f3e7c330e1835d47d40d07f7cbed64fb548fa98
Opcode Fuzzy Hash: 595d36a6fc4361b583acd016d83d03845fbe6f17b7da33bf1717b3b18b1e8ad4
Instruction Fuzzy Hash: 15E0EC70580304AFEB525B61EE0EF457AB6BB08742F244025F441D6194CBB78108AB11

Uniqueness

Uniqueness Score: -1.00%

Function 00F41DB3 Relevance: 9.3, APIs: 6, Instructions: 254COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00F41DDC
GetWindowRect.USER32(?,?), ref: 00F41E1D
ScreenToClient.USER32(?,?), ref: 00F41E45
GetClientRect.USER32(?,?), ref: 00F41F74
GetWindowRect.USER32(?,?), ref: 00F41F8D

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: dea8354924326b92bff18967cea42f918a1194a21afba4b3c41d5227a3b149e9
Instruction ID: 81643b8390938380268ce8f49124ca0e9da424d799742f7b975ec6680b8c18c8
Opcode Fuzzy Hash: dea8354924326b92bff18967cea42f918a1194a21afba4b3c41d5227a3b149e9
Instruction Fuzzy Hash: 41B14C7990024ADBDF10CFA8C5847EDBBB1FF08320F14852AEC59DB254DB30AA95EB55

Uniqueness

Uniqueness Score: -1.00%

Function 00FA6561 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FA66B4
_memmove.LIBCMT ref: 00FA65EF

Part of subcall function 00F49997: __itow.LIBCMT ref: 00F499C2
Part of subcall function 00F49997: __swprintf.LIBCMT ref: 00F49A0C

_memmove.LIBCMT ref: 00FA6662
_memmove.LIBCMT ref: 00FA6749
_memmove.LIBCMT ref: 00FA6762
_memmove.LIBCMT ref: 00FA677E

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: d5717be5a42e3218e9e13ee014b2eb61392a3c7f0171a190442e970d3c57c12b
Instruction ID: 8f87022b21f2d2292e726a5170f235e7384b630edcc2c152811813d923072ec2
Opcode Fuzzy Hash: d5717be5a42e3218e9e13ee014b2eb61392a3c7f0171a190442e970d3c57c12b
Instruction Fuzzy Hash: 55618DB160465AABCF11EF20CC82EFF3BA4AF45318F084558FD559B292DF78A901EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F9F1FE Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F9F218
VariantClear.OLEAUT32(00000013), ref: 00F9F28A
VariantClear.OLEAUT32(00000000), ref: 00F9F2E5
_memmove.LIBCMT ref: 00F9F30F
VariantClear.OLEAUT32(?), ref: 00F9F35C
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00F9F38A

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 0aba2ed01521dfe4f7b0bef794d85130467ab870d15f851c7760afb9c60baa93
Instruction ID: 4107997784ffc381dcc0548a20e19f74b7dd7f82f5441b4a5dd4455f7841abef
Opcode Fuzzy Hash: 0aba2ed01521dfe4f7b0bef794d85130467ab870d15f851c7760afb9c60baa93
Instruction Fuzzy Hash: 075148B5A00209EFDB14CF58C884EAAB7B8FF4C314B15856AE959DB300D734E955CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FA2502 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FA2550
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FA259B
IsMenu.USER32(00000000), ref: 00FA25BB
CreatePopupMenu.USER32 ref: 00FA25EF
GetMenuItemCount.USER32(000000FF), ref: 00FA264D
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00FA267E

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: e4206952dbc881b0735d5807737ba1feaded407e887aac7046779a58b277a4ff
Instruction ID: bbc97c169b5bd813ab421344f9064f2ddb4b0aeb706e31f0215ad806974d9990
Opcode Fuzzy Hash: e4206952dbc881b0735d5807737ba1feaded407e887aac7046779a58b277a4ff
Instruction Fuzzy Hash: 9D51B0B0B02209DFCF64CF6CD988BADBBF5BF46324F144569E81197290DB709904EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F41765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00F42612: GetWindowLongW.USER32(?,000000EB), ref: 00F42623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00F4179A
GetWindowRect.USER32(?,?), ref: 00F417FE
ScreenToClient.USER32(?,?), ref: 00F4181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00F4182C
EndPaint.USER32(?,?), ref: 00F41876

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 2938f97ed8f504ee21c5271c8c540cc1a4217102cd49cd3c29ad37ee6936ee3b
Instruction ID: 7897d4719d38d042861bedf183ac0e8873ac7996e12b280ca40a4189b8e164db
Opcode Fuzzy Hash: 2938f97ed8f504ee21c5271c8c540cc1a4217102cd49cd3c29ad37ee6936ee3b
Instruction Fuzzy Hash: DA41C1315043049FD721DF24CC85FB67BF8FB4A324F144229FAA4872A2C7359985EB62

Uniqueness

Uniqueness Score: -1.00%

Function 00FCB6D2 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(010057B0,00000000,01741FF0,?,?,010057B0,?,00FCB5DC,?,?), ref: 00FCB746
EnableWindow.USER32(?,00000000), ref: 00FCB76A
ShowWindow.USER32(010057B0,00000000,01741FF0,?,?,010057B0,?,00FCB5DC,?,?), ref: 00FCB7CA
ShowWindow.USER32(?,00000004,?,00FCB5DC,?,?), ref: 00FCB7DC
EnableWindow.USER32(?,00000001), ref: 00FCB800
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00FCB823

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: a1e19c27062b8e1b8aee57dcca946702f1985215e4d61bb42c4fe6cbe481804c
Instruction ID: ee22e0fa9453bed4cdb4a6d94224ca14bdc088877b8dbb347b4ac9b200e2dfa3
Opcode Fuzzy Hash: a1e19c27062b8e1b8aee57dcca946702f1985215e4d61bb42c4fe6cbe481804c
Instruction Fuzzy Hash: 01415438900145EFDB22CF24D68BF947BE5BF45320F1841B9ED489F2A2C731A846EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F9DDFA Relevance: 9.1, APIs: 6, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,?,00000000), ref: 00F9DE3D
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F9DE63
SysAllocString.OLEAUT32(00000000), ref: 00F9DE66
SysAllocString.OLEAUT32(?), ref: 00F9DE84
SysFreeString.OLEAUT32(?), ref: 00F9DE8D
SysAllocString.OLEAUT32(?), ref: 00F9DEC0

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$Free
String ID:
API String ID: 1313759350-0
Opcode ID: a47fa3e19cc31f7e4747257fb07fb45dd1f15804d7db43d05344aa55993fa23d
Instruction ID: 7b99323b294a0a1f68619da59b026b34ca190b2012207a8d2ba8f884a735f17f
Opcode Fuzzy Hash: a47fa3e19cc31f7e4747257fb07fb45dd1f15804d7db43d05344aa55993fa23d
Instruction Fuzzy Hash: 1721C436A0021DAFAF10EFB8DD89CBB73ADEB19360B108525FA04DF290D670DC45A760

Uniqueness

Uniqueness Score: -1.00%

Function 00F9DED3 Relevance: 9.1, APIs: 6, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,?,00000008), ref: 00F9DF18
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F9DF3E
SysAllocString.OLEAUT32(00000000), ref: 00F9DF41
SysAllocString.OLEAUT32(?), ref: 00F9DF62
SysFreeString.OLEAUT32(?), ref: 00F9DF6B
SysAllocString.OLEAUT32(?), ref: 00F9DF93

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$Free
String ID:
API String ID: 1313759350-0
Opcode ID: 783975e8b0359030e4af4210bc77e9b443a73d6aacd9da6a987e6261c2f8ca8b
Instruction ID: 6062a4860d561fe3bdcb6542dd1d0792b31b1284f0f80b96bb04082c39361791
Opcode Fuzzy Hash: 783975e8b0359030e4af4210bc77e9b443a73d6aacd9da6a987e6261c2f8ca8b
Instruction Fuzzy Hash: 1F217735A04108AFAF10DFA8DC89DABB7ECEB09364B108125FA15CB260D670DC45E764

Uniqueness

Uniqueness Score: -1.00%

Function 00F98B3B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F983D1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F983E8
Part of subcall function 00F983D1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F983F2
Part of subcall function 00F983D1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F98401
Part of subcall function 00F983D1: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00F98408
Part of subcall function 00F983D1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F9841E

GetLengthSid.ADVAPI32(?,00000000,00F98757), ref: 00F98B8C
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00F98B98
RtlAllocateHeap.NTDLL(00000000), ref: 00F98B9F
CopySid.ADVAPI32(00000000,00000000,?), ref: 00F98BB8
GetProcessHeap.KERNEL32(00000000,00000000,00F98757), ref: 00F98BCC
HeapFree.KERNEL32(00000000), ref: 00F98BD3

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Heap$Process$AllocateInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 169236558-0
Opcode ID: 40850b3257d5d0207e398d64e1c5f9cce07b06baac9be401147c6a57fd36a6ff
Instruction ID: f456426f7f844fc64358c81c4270daa0ab2ef5e88b1d2a5d1283253fd35463c3
Opcode Fuzzy Hash: 40850b3257d5d0207e398d64e1c5f9cce07b06baac9be401147c6a57fd36a6ff
Instruction Fuzzy Hash: 9D11B4B1900208FFEF149F54CD09FAEB769EB86365F184019E84597150CB319905EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F9BA52 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00F9BA77
GetDeviceCaps.GDI32(00000000,00000058), ref: 00F9BA88
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F9BA8F
ReleaseDC.USER32(00000000,00000000), ref: 00F9BA97
MulDiv.KERNEL32(000009EC,00F9B727,00000000), ref: 00F9BAAE
MulDiv.KERNEL32(000009EC,016A52EC,?), ref: 00F9BAC0

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: c0c8d6a2775f66e54002139eb8f38bb5a2b857d6480c023f84f6ba91aec928d1
Instruction ID: b977e6a84c902775b7fb93ec1ff6d954557c9722a012f7af80fecbd597636bd5
Opcode Fuzzy Hash: c0c8d6a2775f66e54002139eb8f38bb5a2b857d6480c023f84f6ba91aec928d1
Instruction Fuzzy Hash: 1A0184B5E00318BBEF109BA59E46E5EBFB9EB48721F004065FE04E7291D6309D04DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00FCBF14 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00F412F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F4134D
Part of subcall function 00F412F3: SelectObject.GDI32(?,00000000), ref: 00F4135C
Part of subcall function 00F412F3: BeginPath.GDI32(?), ref: 00F41373
Part of subcall function 00F412F3: SelectObject.GDI32(?,00000000), ref: 00F4139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00FCBF3E
LineTo.GDI32(00000000,00000003,?), ref: 00FCBF52
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00FCBF60
LineTo.GDI32(00000000,00000000,?), ref: 00FCBF70
EndPath.GDI32(00000000), ref: 00FCBF80
StrokePath.GDI32(00000000), ref: 00FCBF90

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 8cfc999a6d14be59259c6f0b5d86504f8049d84712b643158a8fe4f548558774
Instruction ID: 8ac709eefc3768d24a5cd10e9b0d206fe3124fa23ce67104912365fbc74829b2
Opcode Fuzzy Hash: 8cfc999a6d14be59259c6f0b5d86504f8049d84712b643158a8fe4f548558774
Instruction Fuzzy Hash: 4711397640010DBFDB129F90DD89EAA7FADFF08360F048025BA089A161C7719E58EFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F602E2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F60313
MapVirtualKeyW.USER32(00000010,00000000), ref: 00F6031B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F60326
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F60331
MapVirtualKeyW.USER32(00000011,00000000), ref: 00F60339
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F60341

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 2a92696026d53e44984bd4d7ecb51de322b09509da84db404f25a7564d00e758
Instruction ID: 4683cf2275bd7c648360db1f5962157c92ca096f4f08a18b48b775682af6f07d
Opcode Fuzzy Hash: 2a92696026d53e44984bd4d7ecb51de322b09509da84db404f25a7564d00e758
Instruction Fuzzy Hash: 6D016CB09017597DE3008F5A8C85B52FFA8FF19354F00411BA15C47941C7F5A868CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00FA5490 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00FA54A0
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00FA54B6
GetWindowThreadProcessId.USER32(?,?), ref: 00FA54C5
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FA54D4
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FA54DE
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FA54E5

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: d515d749b3f2f6572171b6684686adf9d084dcbd969b4e994f2bd66278d52a0f
Instruction ID: f04d464fd4b89d3dc7246bee818b5ea4dfd312320ffee23342d34d9b15c5ff8c
Opcode Fuzzy Hash: d515d749b3f2f6572171b6684686adf9d084dcbd969b4e994f2bd66278d52a0f
Instruction Fuzzy Hash: 5BF0903264015CBBE3215BA2DD0EEEFBB7DEFCAB11F000169FA00D2090D7A11A05A6B5

Uniqueness

Uniqueness Score: -1.00%

Function 00FA72D9 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00FA72EC
RtlEnterCriticalSection.NTDLL(?), ref: 00FA72FD
TerminateThread.KERNEL32(00000000,000001F6,?,00F51044,?,?), ref: 00FA730A
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00F51044,?,?), ref: 00FA7317

Part of subcall function 00FA6CDE: CloseHandle.KERNEL32(00000000,?,00FA7324,?,00F51044,?,?), ref: 00FA6CE8

InterlockedExchange.KERNEL32(?,000001F6), ref: 00FA732A
RtlLeaveCriticalSection.NTDLL(?), ref: 00FA7331

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: c6317a2aca96b6e3d8e3c381268cd0aa9e25d17eccfabc14a3a3f5e26fe1c2cf
Instruction ID: 46a80e3137c7fe9445dcc2dd85717fd41b7ed87dc0d9487ae31dd70a93d19282
Opcode Fuzzy Hash: c6317a2aca96b6e3d8e3c381268cd0aa9e25d17eccfabc14a3a3f5e26fe1c2cf
Instruction Fuzzy Hash: E0F08976540716EBD7112B64EE4DDDBB73BFF46312B050532F502920A0CB765815EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FA2D8E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F5FE06: _wcscpy.LIBCMT ref: 00F5FE29

_memset.LIBCMT ref: 00FA2E7F
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FA2EAE
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FA2F61
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00FA2F8F

Strings

0, xrefs: 00FA2E6B

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 73fded412aedf57d87d3f69dd5dfba44559883887bde6b2bda0ec45ea0cd0ddf
Instruction ID: ecfca120804a535856742e63c5f7460d3368923e6eb5fb0347e5044ae512b8e2
Opcode Fuzzy Hash: 73fded412aedf57d87d3f69dd5dfba44559883887bde6b2bda0ec45ea0cd0ddf
Instruction Fuzzy Hash: 3651B0B1B083019ED7A59F2CC88576BB7F8EF86320F140A2DF895D7191DB64CD44AB92

Uniqueness

Uniqueness Score: -1.00%

Function 00FA2A4B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FA2AB8
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00FA2AD4
DeleteMenu.USER32(?,00000007,00000000), ref: 00FA2B1A
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,01005890,00000000), ref: 00FA2B63

Strings

0, xrefs: 00FA2AAD

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 7d007e032362d91cdc2b27346d3c9a7d800f87b9328020546bff4efb7747d854
Instruction ID: cb6fe9c482e408069a7f409bf23a41d37076313a9dbe86c179b9c1979b8e202e
Opcode Fuzzy Hash: 7d007e032362d91cdc2b27346d3c9a7d800f87b9328020546bff4efb7747d854
Instruction Fuzzy Hash: E541D0B17043029FD724DF28CC81F2ABBE9AF86360F144A1DF96697291C774E904DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F99152 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F47F41: _memmove.LIBCMT ref: 00F47F82

Part of subcall function 00F9AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 00F9AEC7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00F991D6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00F991E9
SendMessageW.USER32(?,00000189,?,00000000), ref: 00F99219

Part of subcall function 00F47D2C: _memmove.LIBCMT ref: 00F47D66

Strings

ComboBox, xrefs: 00F99160
ListBox, xrefs: 00F99195

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 115129f9062d8a3dcb8b15a51f5b363e74fc2a3716c2e934a23c98e900165ea4
Instruction ID: 2d3f2e0d6a196921116c95e530180fcee7d00721b46127348055a953c9e525d6
Opcode Fuzzy Hash: 115129f9062d8a3dcb8b15a51f5b363e74fc2a3716c2e934a23c98e900165ea4
Instruction Fuzzy Hash: 6D210131904208BBEF14AB68CC86DFEBB79DF45360B21412DF825972E1DB784D0AB620

Uniqueness

Uniqueness Score: -1.00%

Function 00F4410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00F7D51C

Part of subcall function 00F47D2C: _memmove.LIBCMT ref: 00F47D66

_memset.LIBCMT ref: 00F4418D
_wcscpy.LIBCMT ref: 00F441E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F441F1

Strings

Line: , xrefs: 00F7D545

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: acf5778fc93a011a43605a11694f422acfdeb1a686c367d3a7c76f6956d788a7
Instruction ID: a9ca9e2f29c4e68ab8b0d9f1de6f3745ffecd6859ae02cc4559edf67af202912
Opcode Fuzzy Hash: acf5778fc93a011a43605a11694f422acfdeb1a686c367d3a7c76f6956d788a7
Instruction Fuzzy Hash: F031A4714083049AE732EB60DC46FDBBBE8AF45310F14451EF98592091EB78A648EB96

Uniqueness

Uniqueness Score: -1.00%

Function 00FA6E45 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00FA6E65
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FA6E98
GetStdHandle.KERNEL32(0000000C), ref: 00FA6EAA
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00FA6EE4

Strings

nul, xrefs: 00FA6EDF

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: f1a0856808a1d4a8f51ec949cc2156e69c9b34d5b96c4453fbd444b3bf3dba3a
Instruction ID: 7a5019967fc725b8eaaa0877d559bf5adbc90392ad18897865f2713371980807
Opcode Fuzzy Hash: f1a0856808a1d4a8f51ec949cc2156e69c9b34d5b96c4453fbd444b3bf3dba3a
Instruction Fuzzy Hash: 3321D6B9A00209AFDF209F28DC45A9AB7F4AF46730F284619FDA0D72D0DB709C50EB54

Uniqueness

Uniqueness Score: -1.00%

Function 00FA6F13 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00FA6F32
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FA6F64
GetStdHandle.KERNEL32(000000F6), ref: 00FA6F75
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00FA6FAF

Strings

nul, xrefs: 00FA6FAA

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 3c4a0296104a619d8858949e121e866aac18f5ec8082b506630c410885333b68
Instruction ID: 1cce36614136aa5b3021aea54e262609c998a6470d607408a33c3d832f3ac1d7
Opcode Fuzzy Hash: 3c4a0296104a619d8858949e121e866aac18f5ec8082b506630c410885333b68
Instruction Fuzzy Hash: BD21B6B5A003059FDB209F69AC05A99B7E8AF46730F280659FCA1D72D0E7709841A750

Uniqueness

Uniqueness Score: -1.00%

Function 00FAACCA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FAACDE
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00FAAD32
__swprintf.LIBCMT ref: 00FAAD4B
SetErrorMode.KERNEL32(00000000,00000001,00000000,00FCF910), ref: 00FAAD89

Strings

%lu, xrefs: 00FAAD45

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 8e0b5ab0dc3eea08cb997a8e30f645f105b4aaedb0420d908c97c28d78d754c4
Instruction ID: 248c1a11c051d4cbaa4b9a7973ea5b20415819510383ebbd20edd619b6f7c0d3
Opcode Fuzzy Hash: 8e0b5ab0dc3eea08cb997a8e30f645f105b4aaedb0420d908c97c28d78d754c4
Instruction Fuzzy Hash: F9218671A00109AFCB10DF65CD85DEEBBB8EF89704B004069F905DB351DB75EA05EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F9A30F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F47D2C: _memmove.LIBCMT ref: 00F47D66

Part of subcall function 00F9A15C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00F9A179
Part of subcall function 00F9A15C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F9A18C
Part of subcall function 00F9A15C: GetCurrentThreadId.KERNEL32 ref: 00F9A193
Part of subcall function 00F9A15C: AttachThreadInput.USER32(00000000), ref: 00F9A19A

GetFocus.USER32 ref: 00F9A334

Part of subcall function 00F9A1A5: GetParent.USER32(?), ref: 00F9A1B3

GetClassNameW.USER32(?,?,00000100), ref: 00F9A37D
EnumChildWindows.USER32(?,00F9A3F5), ref: 00F9A3A5
__swprintf.LIBCMT ref: 00F9A3BF

Strings

%s%d, xrefs: 00F9A3B9

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 95e53ba0d954e3c407e33ea21a566a5e95bbb7b70504c29f6dbda557b7149d42
Instruction ID: ad424656f5278dc533c9029d9c652f04626165614085ca85c902dbc9afcd594e
Opcode Fuzzy Hash: 95e53ba0d954e3c407e33ea21a566a5e95bbb7b70504c29f6dbda557b7149d42
Instruction Fuzzy Hash: 6D11AF716002096BEF11BF60DC86FEA7779AF44710F004075BD08AA152CA799949BBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00FA1E38 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00FA1E69

Strings

REMOVE, xrefs: 00FA1E6F
EXISTS, xrefs: 00FA1E91
KEYS, xrefs: 00FA1E80
APPEND, xrefs: 00FA1EA2

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 3cc893798dbe8293d3a897f9476a2b49a502f6e433caf198e7a52da734fc1dcf
Instruction ID: 4ca0abba942742c5fc1a671c3c88a6183c75aafb32c9b64945ab53edfb77c5db
Opcode Fuzzy Hash: 3cc893798dbe8293d3a897f9476a2b49a502f6e433caf198e7a52da734fc1dcf
Instruction Fuzzy Hash: 00113C70D101088BCF10EF54D8D18FEB7B4BF26314B188565E854677A2DB32690AEB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F42344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00F42357
ScreenToClient.USER32(010057B0,?), ref: 00F42374
GetAsyncKeyState.USER32(00000001), ref: 00F42399
GetAsyncKeyState.USER32(00000002), ref: 00F423A7

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: df9ac67f457c7a73140a8fe02ea6ea60235dd80ab8bcb4ba6169878ad1bb0cb0
Instruction ID: 8df89914744d62358989f96b3d210a34b007a06ca4fe98fbcde4290d5b8ba1e7
Opcode Fuzzy Hash: df9ac67f457c7a73140a8fe02ea6ea60235dd80ab8bcb4ba6169878ad1bb0cb0
Instruction Fuzzy Hash: B1417D35908109FBCB159F68CC44BEDBBB4FB05334F60837AF828962A1C7746954EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F96700 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F9673D
TranslateAcceleratorW.USER32(?,?,?), ref: 00F96789
TranslateMessage.USER32(?), ref: 00F967B2
DispatchMessageW.USER32(?), ref: 00F967BC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F967CB

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 0648f9817aa58768305a0a9d0aedbf7106d412912ef57aff66778a0940327f72
Instruction ID: 247cc11e33c011f1e80711ca7fe8d733a59a1cea9faac9ad46be368ceed44515
Opcode Fuzzy Hash: 0648f9817aa58768305a0a9d0aedbf7106d412912ef57aff66778a0940327f72
Instruction Fuzzy Hash: E431A331D01206AFEF318FB49C48FB6BBECAF01328F140165E565C7191EB299489FB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F98CE1 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00F98CF2
PostMessageW.USER32(?,00000201,00000001), ref: 00F98D9C
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00F98DA4
PostMessageW.USER32(?,00000202,00000000), ref: 00F98DB2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00F98DBA

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: ba17fa45afacfa87cfdfc98ddf5cc91c6da27b33e47abef65aa9f93f3e491b69
Instruction ID: d02ce4c1fd740457e657783e6186bde0cefa8b29614064539c44d3dfc6e2a04f
Opcode Fuzzy Hash: ba17fa45afacfa87cfdfc98ddf5cc91c6da27b33e47abef65aa9f93f3e491b69
Instruction Fuzzy Hash: 9931E071900219EBEF04CF68DD4DA9E7BB5EB15325F10422AF925E71D0C7B09915EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F9B4AE Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00F9B4C6
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00F9B4E3
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00F9B51B
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00F9B541
_wcsstr.LIBCMT ref: 00F9B54B

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: c3b60a1b81b93b21cd935395209d7cf2cba7606c7d475f01bb7eb1ff53d9dd32
Instruction ID: 6e083f16dbef2abc818f2a0d7379744fcfa7aee99af02f513f083053500c2fdd
Opcode Fuzzy Hash: c3b60a1b81b93b21cd935395209d7cf2cba7606c7d475f01bb7eb1ff53d9dd32
Instruction Fuzzy Hash: 5021DA32604204BAFF259F39AD45E7B7B99DF45760F154039F805CA161EF65DC40B7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00F995C9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00F995E2

Part of subcall function 00F47D2C: _memmove.LIBCMT ref: 00F47D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00F99614
__itow.LIBCMT ref: 00F9962C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00F99654
__itow.LIBCMT ref: 00F99665

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 743bd276003738e600dc73a498820d65941ecde10a636bc29744560baf6a0572
Instruction ID: b6a1f212feeb5c3d720b6a39eb5a3d9837a98d5410e5b3322ae9254ef59b665e
Opcode Fuzzy Hash: 743bd276003738e600dc73a498820d65941ecde10a636bc29744560baf6a0572
Instruction Fuzzy Hash: AC210731B04318BBEF10AB69CC8AEAE7BA9DF59720F054028FE04D7251D6B48D45B791

Uniqueness

Uniqueness Score: -1.00%

Function 00F412F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F4134D
SelectObject.GDI32(?,00000000), ref: 00F4135C
BeginPath.GDI32(?), ref: 00F41373
SelectObject.GDI32(?,00000000), ref: 00F4139C

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 4b7401fa0459294ac4bed894560c5d9224e727ddb6db25a1e3289237b4e92f59
Instruction ID: 572a150916f6db9bcb0e854d5ed4aa419ddde4f576745fd4b5fb354d027bf505
Opcode Fuzzy Hash: 4b7401fa0459294ac4bed894560c5d9224e727ddb6db25a1e3289237b4e92f59
Instruction Fuzzy Hash: D521AF30C00208EFDB228F25DD09B697FE9FB04721F244226FC90A61A4D3769A95EF90

Uniqueness

Uniqueness Score: -1.00%

Function 00F9BF60 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00F9BF75
_memcmp.LIBCMT ref: 00F9BF93
_memcmp.LIBCMT ref: 00F9BFA6
_memcmp.LIBCMT ref: 00F9BFBE
_memcmp.LIBCMT ref: 00F9BFD6

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 100d59ee26aa6dfb081d6c1ccb3f5f346ae223518c16c5a921407ad76406e145
Instruction ID: 6615f3b4240cff44d3e5b9bcdcc7e141484edcef7b79031e8aa37801b20574fd
Opcode Fuzzy Hash: 100d59ee26aa6dfb081d6c1ccb3f5f346ae223518c16c5a921407ad76406e145
Instruction Fuzzy Hash: 0001B5A2A041057BFA156650AF42FBB735DAE703A9B084022FD0597342E796DE14F6F1

Uniqueness

Uniqueness Score: -1.00%

Function 00FA4B3A Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00FA4B61
__beginthreadex.LIBCMT ref: 00FA4B7F
MessageBoxW.USER32(?,?,?,?), ref: 00FA4B94
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00FA4BAA
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00FA4BB1

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: a9e44b032bbb13e22d0da77d762310182a10ba8d39f8d0290ed0246a002fc46c
Instruction ID: d08b925420ac3c6c8c0c9758df9cf6c7765208235e71e39d7fe50af4a3f182ef
Opcode Fuzzy Hash: a9e44b032bbb13e22d0da77d762310182a10ba8d39f8d0290ed0246a002fc46c
Instruction Fuzzy Hash: 1F1108B2904258BBD7119BA8DC04E9A7FADEF8A320F144265F814D3241D7B6D9049BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00F9852A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F98546
GetLastError.KERNEL32(?,00F9800A,?,?,?), ref: 00F98550
GetProcessHeap.KERNEL32(00000008,?,?,00F9800A,?,?,?), ref: 00F9855F
RtlAllocateHeap.NTDLL(00000000,?,00F9800A), ref: 00F98566
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F9857D

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
String ID:
API String ID: 883493501-0
Opcode ID: b3faaf7b836030b00c8ff5359c4d803b95c574636138c7c8f165b1c2c932918c
Instruction ID: 896f1a681b46e54bca4e3a2913e146fb1c5547b2bce54fd8c06da844ad27aa00
Opcode Fuzzy Hash: b3faaf7b836030b00c8ff5359c4d803b95c574636138c7c8f165b1c2c932918c
Instruction Fuzzy Hash: 19018671600208FFEF155FA6DD49D6B7F6DFF463A5B18052AF809C3120DA318D05EA60

Uniqueness

Uniqueness Score: -1.00%

Function 00FA52EB Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00FA5307
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00FA5315
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00FA531D
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00FA5327
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00FA5363

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 171cb9aa07719587d11826f001ccb4bef4363c0844b0c29a2f70f7ebbb598230
Instruction ID: 01b5a99c1eece99c2fa42c3a689a375a97724848b7176f623f713cb6ad9ea6aa
Opcode Fuzzy Hash: 171cb9aa07719587d11826f001ccb4bef4363c0844b0c29a2f70f7ebbb598230
Instruction Fuzzy Hash: AA01ADB2C01A1DDBDF009FA4ED89AEEFB7AFB4AB10F05005AE801F3140CB709514A7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00F983D1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F983E8
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F983F2
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F98401
RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00F98408
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F9841E

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: c20f0f51494b335bd89470047fbd56d11bfd3f34f1c9c6694c7c503d3600b7ba
Instruction ID: 119010e12758cc71a674f734ee26291f88f67191151a84706126864467a2df40
Opcode Fuzzy Hash: c20f0f51494b335bd89470047fbd56d11bfd3f34f1c9c6694c7c503d3600b7ba
Instruction Fuzzy Hash: C5F0C830244209FFEB105F69DC8DEA77BADFF8A7A4B000025F905C3150CB769C45EA60

Uniqueness

Uniqueness Score: -1.00%

Function 00F98432 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F98449
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F98453
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F98462
RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00F98469
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F9847F

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: 360a1b6b7b3e8e14d3f4ad6c88198b5aad9ce18402bdc940f43cadabd219e9d1
Instruction ID: d3c58028188d092f0240c09ccf0dc333427dbb8cdb703a52d10707d41cb3f894
Opcode Fuzzy Hash: 360a1b6b7b3e8e14d3f4ad6c88198b5aad9ce18402bdc940f43cadabd219e9d1
Instruction Fuzzy Hash: 19F06231240309BFEB115FA9EC89E677FADFF4A7A4F080125F945C7150CB619D45EA60

Uniqueness

Uniqueness Score: -1.00%

Function 00F9C4A5 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00F9C4B9
GetWindowTextW.USER32(00000000,?,00000100), ref: 00F9C4D0
MessageBeep.USER32(00000000), ref: 00F9C4E8
KillTimer.USER32(?,0000040A), ref: 00F9C504
EndDialog.USER32(?,00000001), ref: 00F9C51E

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 3a625187b03781eb4844e8cfe1f5758986b28ebbcd5c76e4dc0c59eb35b05249
Instruction ID: 41134a32e2d2f8f72a8c4ad444074007432e396e0fe41dfc366848e538e0a6b6
Opcode Fuzzy Hash: 3a625187b03781eb4844e8cfe1f5758986b28ebbcd5c76e4dc0c59eb35b05249
Instruction Fuzzy Hash: FB01673090070897FB209B24DD4EFA6B7B9FF00705F044569E586A10E1DBF46958AB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F413B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00F413BF
StrokeAndFillPath.GDI32(?,?,00F7BA08,00000000,?), ref: 00F413DB
SelectObject.GDI32(?,00000000), ref: 00F413EE
DeleteObject.GDI32 ref: 00F41401
StrokePath.GDI32(?), ref: 00F4141C

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: aeaa838e1cab1f0a5fb527af9accf0f4d2844caa621e0b0dcbdd53883034fb0c
Instruction ID: 91eb2be34cf7cd495a31e705b8683d1a8ba93a9d3d14a078cd0e4044db11fde7
Opcode Fuzzy Hash: aeaa838e1cab1f0a5fb527af9accf0f4d2844caa621e0b0dcbdd53883034fb0c
Instruction Fuzzy Hash: 9FF0313000430CDBDB225F56ED4DB587FA5BB01726F088224ECA9590F5C7364A95EF10

Uniqueness

Uniqueness Score: -1.00%

Function 00F98C54 Relevance: 7.5, APIs: 5, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00F98C5F
CloseHandle.KERNEL32(?), ref: 00F98C74
CloseHandle.KERNEL32(?), ref: 00F98C7C
GetProcessHeap.KERNEL32(00000000,?), ref: 00F98C85
HeapFree.KERNEL32(00000000), ref: 00F98C8C

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessSingleWait
String ID:
API String ID: 3751786701-0
Opcode ID: 92b33bb90e4de3874fa93d1bcb97c53355dc50149bb2b68f91de1a0ebcef94e1
Instruction ID: 246237415a72bcdaea2454e48dfed6afcbd682315210ef22351db186d9d933b4
Opcode Fuzzy Hash: 92b33bb90e4de3874fa93d1bcb97c53355dc50149bb2b68f91de1a0ebcef94e1
Instruction Fuzzy Hash: AEE0C936004409FBD6011FE1EE0DD05FB6AFF893227144231F21582070CB325424EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F52E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00F60F36: std::exception::exception.LIBCMT ref: 00F60F6C
Part of subcall function 00F60F36: __CxxThrowException@8.LIBCMT ref: 00F60F81

Part of subcall function 00F47F41: _memmove.LIBCMT ref: 00F47F82

Part of subcall function 00F47BB1: _memmove.LIBCMT ref: 00F47C0B

__swprintf.LIBCMT ref: 00F5302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00F52EC6

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: b46bc4e78137614cf19c8707c76ad6795fbcd0ad84ae3d352565770f712ba2f1
Instruction ID: a3ad7672cd8a1ff0126e17ee9a8a986f829d00cc687e183fa9dcaa66155bcfcb
Opcode Fuzzy Hash: b46bc4e78137614cf19c8707c76ad6795fbcd0ad84ae3d352565770f712ba2f1
Instruction Fuzzy Hash: 93915B715087019FC714FF28DC9586FBBA4EF85750F00491DF9829B2A1EB64EE48EB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F6518D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00F6521D

Part of subcall function 00F70270: __87except.LIBCMT ref: 00F702AB

Strings

pow, xrefs: 00F651F5, 00F65212

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 560c283c6cbf013cd232d08312c4a5c2abe588685de1a5ea5ffbcb0963b81f69
Instruction ID: b9a52b803e675234f7ddb8c54eaa9737dd8205fa77c2ccdbad245580a46f2177
Opcode Fuzzy Hash: 560c283c6cbf013cd232d08312c4a5c2abe588685de1a5ea5ffbcb0963b81f69
Instruction Fuzzy Hash: F9515822E0DA05D7DB11BB24CD5136E3B95AF40B20F24C95BF0D9962A5EF298CC8B647

Uniqueness

Uniqueness Score: -1.00%

Function 00F6017B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

#, xrefs: 00F601C0
+, xrefs: 00F601B7

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: dffb050ef373c4ca48c08e99f3b88568a2998d976dbd89eae1bcb4f5c42c7615
Instruction ID: 66464423d05c1d3508962a4ea178510b11d9f80de4315e3ca99e2b25dfbe2fcb
Opcode Fuzzy Hash: dffb050ef373c4ca48c08e99f3b88568a2998d976dbd89eae1bcb4f5c42c7615
Instruction Fuzzy Hash: DE5156359042459FEF16DF28C894AFA7BB0FF96720F244055FC919B2A1CB349C46E760

Uniqueness

Uniqueness Score: -1.00%

Function 00F99AB7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FA17ED: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F99558,?,?,00000034,00000800,?,00000034), ref: 00FA1817

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00F99B01

Part of subcall function 00FA17B8: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F99587,?,?,00000800,?,00001073,00000000,?,?), ref: 00FA17E2

Part of subcall function 00FA170F: GetWindowThreadProcessId.USER32(?,?), ref: 00FA173A
Part of subcall function 00FA170F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00F9951C,00000034,?,?,00001004,00000000,00000000), ref: 00FA174A
Part of subcall function 00FA170F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00F9951C,00000034,?,?,00001004,00000000,00000000), ref: 00FA1760

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F99B6E
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F99BBB

Strings

@, xrefs: 00F99BD3

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: f08d44ad7b9f33aa86aee73044c067a93ed0e36f1a6a831762117264a482d8ae
Instruction ID: 1ae94e6bdec8bf341e02297cdb7be55616ac9873528a1db3f137dd4281af7409
Opcode Fuzzy Hash: f08d44ad7b9f33aa86aee73044c067a93ed0e36f1a6a831762117264a482d8ae
Instruction Fuzzy Hash: 93415C7690021CAFDF10EFA4CD81EDEBBB8EB49710F014099FA55B7180CA746E49EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F9D87B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121libraryloaderCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00F9D919
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00F9D92A
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00F9D9AC

Strings

DllGetClassObject, xrefs: 00F9D91F

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: ErrorMode$AddressProc
String ID: DllGetClassObject
API String ID: 1548245697-1075368562
Opcode ID: e444bf5ea2e8ffddde0e80399c83758e94fd172202636062553c2687114b825b
Instruction ID: 436b9f0e66657a45224350c68d177a5498d3de13562bcfdeb98f42fa18033916
Opcode Fuzzy Hash: e444bf5ea2e8ffddde0e80399c83758e94fd172202636062553c2687114b825b
Instruction Fuzzy Hash: FE41A371600204DFEF04EF55C884B9ABBB9EF45314B2580A9ED069F246D7B5DD44EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FC7BC5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00FC7C7C
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00FC7C8A
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00FC7C91

Strings

msctls_updown32, xrefs: 00FC7BF6

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: fc01aa9da0b002e1bbbf3a95c8b6046baa71182bb839f80ba6bb4923b4a85524
Instruction ID: 576b5954368d3a126bb22ffa86a596d8dd4d2c04bc7c6bf3754cbd66ff128910
Opcode Fuzzy Hash: fc01aa9da0b002e1bbbf3a95c8b6046baa71182bb839f80ba6bb4923b4a85524
Instruction Fuzzy Hash: C12151B560420AAFDB11DF24DD82EA737EDEF59364F040459FA049B261CB31EC51AFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FBC104 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00F81CB7,?), ref: 00FBC112
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00FBC124

Strings

GetSystemWow64DirectoryW, xrefs: 00FBC11E
kernel32.dll, xrefs: 00FBC10D

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 9c0fa156241414cd7ca405b23551c28b168ede6695f3454d2946cce9280a9c1d
Instruction ID: d00ced33693374b13ab351fb3fb1af78126efd7de697dd6cec3dee7c662594ee
Opcode Fuzzy Hash: 9c0fa156241414cd7ca405b23551c28b168ede6695f3454d2946cce9280a9c1d
Instruction Fuzzy Hash: C1E08674A00313CFC7205F2AC819F82B6D4EF04358B448439D445D2150D774D844EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F44C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,00F44C2E,?,00000000), ref: 00F44CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00F44CB5

Strings

kernel32.dll, xrefs: 00F44C9E
GetNativeSystemInfo, xrefs: 00F44CAF

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 820685451f7a63b0c970a5952842911528e16dda59dfde6a9d8ef409ad296ece
Instruction ID: e837394d3d8335ae9c88107faf35706bea425d0385cdb31357dae77f1c9ad6b1
Opcode Fuzzy Hash: 820685451f7a63b0c970a5952842911528e16dda59dfde6a9d8ef409ad296ece
Instruction Fuzzy Hash: A4D0C230900327CFD7204F30DB4AB02F6D6AF00750B18C83E9882D6550D770D884E610

Uniqueness

Uniqueness Score: -1.00%

Function 00F44D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00F44CE1,?), ref: 00F44DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F44DB4

Strings

kernel32.dll, xrefs: 00F44D9D
Wow64RevertWow64FsRedirection, xrefs: 00F44DAE

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 171f6f74d2ecf80201384a379f441bb24854c5e195be70aa76451038c93c23b7
Instruction ID: e753399db5a8942b280e3cacad60b4a6b700e0455ac0aeb2984af616bb651959
Opcode Fuzzy Hash: 171f6f74d2ecf80201384a379f441bb24854c5e195be70aa76451038c93c23b7
Instruction Fuzzy Hash: 35D0C730D00713CFC7208F31C90AB42BAE6AF00368B18C83ED8C2E6560E770E884EA10

Uniqueness

Uniqueness Score: -1.00%

Function 00F44D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00F44D2E,?,00F44F4F,?,010052F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F44D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F44D81

Strings

Wow64DisableWow64FsRedirection, xrefs: 00F44D7B
kernel32.dll, xrefs: 00F44D6A

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 8fbdb80b21467968ad57a23a73e51e6d1fa5f1b4edbc461c17f8e02ebd5fc8ac
Instruction ID: 752bcf457499a2a6c18a166e6330ea7a1eeb126addc2f44b7e4ef47adb67271c
Opcode Fuzzy Hash: 8fbdb80b21467968ad57a23a73e51e6d1fa5f1b4edbc461c17f8e02ebd5fc8ac
Instruction Fuzzy Hash: C8D0C230D00713CFC7204F30C909B16BAE9AF04355B08C83E9892D2260E770D884EA11

Uniqueness

Uniqueness Score: -1.00%

Function 00F81A6D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00F81A71
__swprintf.LIBCMT ref: 00F81AA2

Strings

%.3d, xrefs: 00F81A7C
WIN_XPe, xrefs: 00F81AE1

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: dec716be3187b884142c144b0a68bf04b3b92baa5f7e719fd7cb49a28526b9e3
Instruction ID: 212ba2bf19abdc2b52e81b90613db27b00bfa9b4921d00582139642404d25f4d
Opcode Fuzzy Hash: dec716be3187b884142c144b0a68bf04b3b92baa5f7e719fd7cb49a28526b9e3
Instruction Fuzzy Hash: 56D01273C0511DEBCB48AA90CC85EFA737CFB08300F145252F502E2050E269CB95FB21

Uniqueness

Uniqueness Score: -1.00%

Function 00F974A5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cde0b409478620758d635cc78a92cce3d364b0e5c9d443ce3bcac931820e40c4
Instruction ID: 2829ae5f6676981909728fbfa9f393c86a8995620a247fa6318813e99a71a884
Opcode Fuzzy Hash: cde0b409478620758d635cc78a92cce3d364b0e5c9d443ce3bcac931820e40c4
Instruction Fuzzy Hash: BCC16B75A14316EFEB14DFA8C884EAEB7B5FF48710B158598E805EB250D730ED81EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F96BD3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F96BE4
SysAllocString.OLEAUT32(00000000), ref: 00F96C8D
VariantCopy.OLEAUT32 ref: 00F96CBC
VariantClear.OLEAUT32(?), ref: 00F96CE3

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 0f5c48b598052720e232ad9038e6243fcd7c94fe02c62abb91cf85cd1b17056f
Instruction ID: f4f27e2dfd00d2adb531b693680b95db11bd3e497a4f76b1bdfd850db46ca752
Opcode Fuzzy Hash: 0f5c48b598052720e232ad9038e6243fcd7c94fe02c62abb91cf85cd1b17056f
Instruction Fuzzy Hash: 9A51B631B143069BEF24AF65D891B6AF7E5EF44310F20882FF5A6CB291DB749840B715

Uniqueness

Uniqueness Score: -1.00%

Function 00F99D42 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00F99D94
__itow.LIBCMT ref: 00F99DC5

Part of subcall function 00F9A015: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00F9A080

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00F99E2E
__itow.LIBCMT ref: 00F99E85

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 46e9573f6405d17bb8ea95149de23ef8f47ba06c7649d74748bc03a239627f18
Instruction ID: d43e067b05f4173e16014845eb1de22381bd6ef92189f07a50183ab401610afd
Opcode Fuzzy Hash: 46e9573f6405d17bb8ea95149de23ef8f47ba06c7649d74748bc03a239627f18
Instruction Fuzzy Hash: E4417170E04309ABEF21EF54CC85BEEBFB9AF44710F000059B94567291DBB49E44EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00FC8883 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00FC8910

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 88d5afaeddc84a4af1b3ed27699385321b69badd64245852bf6b07329db99269
Instruction ID: 12f50893b45e70cc3bb0af0100129c4f8bbfce8a2f76031ec33add9617efa51d
Opcode Fuzzy Hash: 88d5afaeddc84a4af1b3ed27699385321b69badd64245852bf6b07329db99269
Instruction Fuzzy Hash: 7931E530A0110ABFEF318A54CE47FB83765EB067A0F544119FA51E7AE0CF319942BB42

Uniqueness

Uniqueness Score: -1.00%

Function 00FCAB69 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00FCAB92
GetWindowRect.USER32(?,?), ref: 00FCAC08
PtInRect.USER32(?,?,00FCC07E), ref: 00FCAC18
MessageBeep.USER32(00000000), ref: 00FCAC89

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 4734b1e47bbda816af7e4e3cbe47c5635e7fb1ab890e397d1ae086ebe97adb95
Instruction ID: 73651935ba50ced6f5e450cef5a786feba4174ca564f8f1ca1934575af8d1bd5
Opcode Fuzzy Hash: 4734b1e47bbda816af7e4e3cbe47c5635e7fb1ab890e397d1ae086ebe97adb95
Instruction Fuzzy Hash: 72417C30A0011ADFCF12CF58CA86F59BBF6FB48318F1481A9E8549B254D735E945EF52

Uniqueness

Uniqueness Score: -1.00%

Function 00FA0E07 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00FA0E58
SetKeyboardState.USER32(00000080,?,00000001), ref: 00FA0E74
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00FA0EDA
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00FA0F2C

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: a9c2fdefdf68c26b2068304f7c7dab86a4150463b58615b2e3e4be3c9a4f0206
Instruction ID: a87d3c457e5474593a5740758a8a7c5575a75114877820de0437927ec49ae81f
Opcode Fuzzy Hash: a9c2fdefdf68c26b2068304f7c7dab86a4150463b58615b2e3e4be3c9a4f0206
Instruction Fuzzy Hash: 4A3168F0E4020CAEFB308B24AC45BFEBBA5EB4A330F18461AF0D0521D1CB758955B7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00FA0F42 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00FA0F97
SetKeyboardState.USER32(00000080,?,00008000), ref: 00FA0FB3
PostMessageW.USER32(00000000,00000101,00000000), ref: 00FA1012
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00FA1064

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 8633fe64884b08da4ce80c93760677c58d1f40ffaa71e54c53b4c1c0e19c94a9
Instruction ID: 8eb9d06c1f39e69ab4941c2ea5eaed85c3efe432eb59691649998d9a01234ce7
Opcode Fuzzy Hash: 8633fe64884b08da4ce80c93760677c58d1f40ffaa71e54c53b4c1c0e19c94a9
Instruction Fuzzy Hash: 0A315CB0D00288DEFF348A248C05BFABBB6BF47330F09821AE491521D1C7794995B761

Uniqueness

Uniqueness Score: -1.00%

Function 00F76345 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00F7637B
__isleadbyte_l.LIBCMT ref: 00F763A9
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00F763D7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00F7640D

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 55e463fbea74579e6351fb4bd8d9dc37171a4dffbd282c5339abcebe3d20912b
Instruction ID: ddf712cd298502755dc7e4f73d4e37adcde31e50fa42db161f24ef5783b55cc0
Opcode Fuzzy Hash: 55e463fbea74579e6351fb4bd8d9dc37171a4dffbd282c5339abcebe3d20912b
Instruction Fuzzy Hash: 56318131A00A46EFEB25CF65CC45BAA7BA6FF41320F15812AF858C7291D731DC50EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F9897E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F98432: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F98449
Part of subcall function 00F98432: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F98453
Part of subcall function 00F98432: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F98462
Part of subcall function 00F98432: RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00F98469
Part of subcall function 00F98432: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F9847F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00F989CB
_memcmp.LIBCMT ref: 00F989EE
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F98A24
HeapFree.KERNEL32(00000000), ref: 00F98A2B

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocateErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 2182266621-0
Opcode ID: 4b44d29195917dfb06c157964fd3e91efcba8f57d16ccdf6503f1af0a5e7c3d9
Instruction ID: 84f4f8db21540c6cedafb7981f8c39caa806e096b7e0fd66422fa9dc7fbaecc6
Opcode Fuzzy Hash: 4b44d29195917dfb06c157964fd3e91efcba8f57d16ccdf6503f1af0a5e7c3d9
Instruction Fuzzy Hash: 5C219A31E40108FFEF10CFA4C945BEEBBB8EF41391F08405AE454A7241DB34AA0AEB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F60B0C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00F60B2E

Part of subcall function 00F45B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00FA793F,?,?,00000000), ref: 00F45B8C
Part of subcall function 00F45B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00FA793F,?,?,00000000,?,?), ref: 00F45BB0

_fprintf.LIBCMT ref: 00F60B65
OutputDebugStringW.KERNEL32(?), ref: 00F96111

Part of subcall function 00F64C1A: _flsall.LIBCMT ref: 00F64C33

__setmode.LIBCMT ref: 00F60B9A

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 302dcae2cedbe98965ca17436600f1f7551abf5ee27643edfaf41e33f5ca0c7e
Instruction ID: 8c98b3bca5d55a862803707a0b21af6e021cf99f8e2274cdda30272e2a46aa46
Opcode Fuzzy Hash: 302dcae2cedbe98965ca17436600f1f7551abf5ee27643edfaf41e33f5ca0c7e
Instruction Fuzzy Hash: B4110A329042047EDB05B7B49C43DBE7B6DDF81320F24411AF51497292DE69584677A5

Uniqueness

Uniqueness Score: -1.00%

Function 00F9DFD0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F9F3CE: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00F9DFE5,?,?,?,00F9EDD8,00000000,000000EF,00000119,?,?), ref: 00F9F3DD
Part of subcall function 00F9F3CE: lstrcpyW.KERNEL32(00000000,?), ref: 00F9F403
Part of subcall function 00F9F3CE: lstrcmpiW.KERNEL32(00000000,?,00F9DFE5,?,?,?,00F9EDD8,00000000,000000EF,00000119,?,?), ref: 00F9F434

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00F9EDD8,00000000,000000EF,00000119,?,?,00000000), ref: 00F9DFFE
lstrcpyW.KERNEL32(00000000,?), ref: 00F9E024
lstrcmpiW.KERNEL32(00000002,cdecl,?,00F9EDD8,00000000,000000EF,00000119,?,?,00000000), ref: 00F9E058

Strings

cdecl, xrefs: 00F9E04F

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 56ebde0d2320be0fd58a1cfc3b1897309efcc27b279c4c8d1a1210cf6599e8ec
Instruction ID: 10822ddbfeb12fc33e2c0c81a69cf6005d119b5ce264055121cc114da9235030
Opcode Fuzzy Hash: 56ebde0d2320be0fd58a1cfc3b1897309efcc27b279c4c8d1a1210cf6599e8ec
Instruction Fuzzy Hash: 7711D036100305EFEF25AF24DC45E7A77A9FF85360B40902AF806CB260EBB59855E7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00F75262 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00F75281

Part of subcall function 00F6588C: __FF_MSGBANNER.LIBCMT ref: 00F658A3
Part of subcall function 00F6588C: __NMSG_WRITE.LIBCMT ref: 00F658AA
Part of subcall function 00F6588C: RtlAllocateHeap.NTDLL(01730000,00000000,00000001), ref: 00F658CF

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 45ac11bbb097c6943bb8b1e2ca1c6afb72572ca6b80560903c01a6ec54569611
Instruction ID: d3ff0db2570a2b442defe6d006538bcaf3d10cbdb94202b10f23ebf31af2bed9
Opcode Fuzzy Hash: 45ac11bbb097c6943bb8b1e2ca1c6afb72572ca6b80560903c01a6ec54569611
Instruction Fuzzy Hash: D011EB32905A156FCB212F70AC0565D3B94AB017B0B10863AF90D9B152DE798D41F762

Uniqueness

Uniqueness Score: -1.00%

Function 00F988D9 Relevance: 6.1, APIs: 4, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00F9890A
OpenProcessToken.ADVAPI32(00000000), ref: 00F98911
CloseHandle.KERNEL32(00000004), ref: 00F9892B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F9895A

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
String ID:
API String ID: 2621361867-0
Opcode ID: 6902970e0f82ce40b8f8a44ae5363c45f34b88477a97ac47306905e723a52205
Instruction ID: db2fc2d3feb31ea4f300f851004a35fc2c6867651f66ffe483e0537e39a38eaf
Opcode Fuzzy Hash: 6902970e0f82ce40b8f8a44ae5363c45f34b88477a97ac47306905e723a52205
Instruction Fuzzy Hash: C8115C7290020DBBEF018FA4DD49FEEBBA9FF49758F044065FE05A2160C7728D65AB61

Uniqueness

Uniqueness Score: -1.00%

Function 00FA3EB6 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00FA3ED6
_memset.LIBCMT ref: 00FA3EF7
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00FA3F49
CloseHandle.KERNEL32(00000000), ref: 00FA3F52

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 59d020aafbd7018f79e3da7a17823e556614b24d2f4ea92462a3df7237743f49
Instruction ID: d3a6971e7c881ed60e1a3787d72e79a538037bf49cc03f0e7d690182f16e2f73
Opcode Fuzzy Hash: 59d020aafbd7018f79e3da7a17823e556614b24d2f4ea92462a3df7237743f49
Instruction Fuzzy Hash: A811A7B5D0122CBAD7309BA5AC4DFABBB7CEF45760F1041AAF908D7180D6744F849BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00F98E03 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00F98E23
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F98E35
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F98E4B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F98E66

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4efbf056cd442a43caa5bb49842eaa1057707a15494656ee4c528be56331f93f
Instruction ID: add094f43d212b14b021352b6e27a447a8a2e148830cfd0348f97fda5069d179
Opcode Fuzzy Hash: 4efbf056cd442a43caa5bb49842eaa1057707a15494656ee4c528be56331f93f
Instruction Fuzzy Hash: 4B114C7A900218FFEF10EFA5CC85E9DBB74FB08750F204095E904B7250DA716E11EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F41D35 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00F41D73
GetStockObject.GDI32(00000011), ref: 00F41D87
SendMessageW.USER32(00000000,00000030,00000000), ref: 00F41D91

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 28276328dd9082923752820560dee3c92a34dc8f1c9b16bc226f7b3f3cfeb7c4
Instruction ID: dbdee17eb9a2cb0641ec26e1053adc18906c0d6a0e0d29d788e8e31d274a0b94
Opcode Fuzzy Hash: 28276328dd9082923752820560dee3c92a34dc8f1c9b16bc226f7b3f3cfeb7c4
Instruction Fuzzy Hash: F31139B2901618BFDB128F90DD45EEABF6AFF093A4F044215FE0496120C7319CA4ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FA1473 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00FA1490
Sleep.KERNEL32(00000000), ref: 00FA14B5
QueryPerformanceCounter.KERNEL32(?), ref: 00FA14BF
Sleep.KERNEL32(?), ref: 00FA14F2

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 7b0edadf8c242707ca770e861c85a2d54b68227985f20d17dfd4ae0f7c09dfbc
Instruction ID: 68b4ae1a2fe9a60adaaae488186c4078f314a16dc55f06af17308aa80517d7c8
Opcode Fuzzy Hash: 7b0edadf8c242707ca770e861c85a2d54b68227985f20d17dfd4ae0f7c09dfbc
Instruction Fuzzy Hash: 1A112A72C0052DDBCF00DFA9D989AEEBB78FF0AB11F464156ED40B6240CB349550EBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00F9DB40 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00F9DB5C
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00F9DB73
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00F9DB88
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00F9DBA6

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 47508032008a6de7eda6968601c7ba2ef10c06ee46e968ee4ae572967bb856ed
Instruction ID: fe21547808b240dc0bb5dc5832262f13d3a99446ea9009e0b5d351c41cd647e9
Opcode Fuzzy Hash: 47508032008a6de7eda6968601c7ba2ef10c06ee46e968ee4ae572967bb856ed
Instruction Fuzzy Hash: 6B11A1B1201308DBFB20CF10DD49F97BBBCEB40B00F208569A656C7080D7B0E918AB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F77137 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00F7715B

Part of subcall function 00F77842: __fltout2.LIBCMT ref: 00F7786B

__cftog_l.LIBCMT ref: 00F77181
__cftoe_l.LIBCMT ref: 00F771B3

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 9807da426c10c3052b129cbf83289262d52ff151d392b87827821229ab6f2e17
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 11014E3246824ABBCF126E84CC05CEE3F26BF18354B998416FE5C58531D376C9B1BB82

Uniqueness

Uniqueness Score: -1.00%

Function 00FCB2F9 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00FCB318
ScreenToClient.USER32(?,?), ref: 00FCB330
ScreenToClient.USER32(?,?), ref: 00FCB354
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 00FCB36F

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: df75f97d3f5985e67b75dbbb754874fea93c70127f7d33cd622b476c0f4e4379
Instruction ID: 41dc822021499970bec9c4851662a9c47b5a91750f76eb2a825edfe0623a714a
Opcode Fuzzy Hash: df75f97d3f5985e67b75dbbb754874fea93c70127f7d33cd622b476c0f4e4379
Instruction Fuzzy Hash: B6114679D0024DEFDB41CF98C545AEEFBB5FB08310F104166E914E3220D735AA559F50

Uniqueness

Uniqueness Score: -1.00%

Function 00FCB669 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FCB678
_memset.LIBCMT ref: 00FCB687
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,01006F20,01006F64), ref: 00FCB6B6
CloseHandle.KERNEL32 ref: 00FCB6C8

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 03a3d00ffde6913701b5e396ebc3cbffea6c71568fb4d9c4698f1b70a7e1ceb7
Instruction ID: 717f95265dd89563ae8e3540cd6cbf69b8d3566dacbdb3559205885b8d74f2b9
Opcode Fuzzy Hash: 03a3d00ffde6913701b5e396ebc3cbffea6c71568fb4d9c4698f1b70a7e1ceb7
Instruction Fuzzy Hash: C9F089B16403047AF2112761EC06F777A9EFB04354F404029BA48D6195DB7B5C20A7A8

Uniqueness

Uniqueness Score: -1.00%

Function 00FA6C83 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 00FA6C8F

Part of subcall function 00FA776D: _memset.LIBCMT ref: 00FA77A2

_memmove.LIBCMT ref: 00FA6CB2
_memset.LIBCMT ref: 00FA6CBF
RtlLeaveCriticalSection.NTDLL(?), ref: 00FA6CCF

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: a86b71c939f3920540b1d2a5eb363ea1fcff7867cb5399bad4c3a0efb4800e96
Instruction ID: a09ae310c07b8deee4022a2c250a5217d4f7105f81ffb731c2e4a022c8a8cfd9
Opcode Fuzzy Hash: a86b71c939f3920540b1d2a5eb363ea1fcff7867cb5399bad4c3a0efb4800e96
Instruction Fuzzy Hash: B7F0547A200104ABCF016F55DC85E8ABB2AFF45320F148065FE095F21AC775A811EBB4

Uniqueness

Uniqueness Score: -1.00%

Function 00FCBD86 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00F412F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F4134D
Part of subcall function 00F412F3: SelectObject.GDI32(?,00000000), ref: 00F4135C
Part of subcall function 00F412F3: BeginPath.GDI32(?), ref: 00F41373
Part of subcall function 00F412F3: SelectObject.GDI32(?,00000000), ref: 00F4139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00FCBDAA
LineTo.GDI32(00000000,?,?), ref: 00FCBDB7
EndPath.GDI32(00000000), ref: 00FCBDC7
StrokePath.GDI32(00000000), ref: 00FCBDD5

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 4fd9d927c38bd742bc0842563e938ede562ad026504e7327c07039910c83feda
Instruction ID: 3c8cb9a9e885d40ecbd9459d777a91111751945fd6d5799954c9ab92edddcb0c
Opcode Fuzzy Hash: 4fd9d927c38bd742bc0842563e938ede562ad026504e7327c07039910c83feda
Instruction Fuzzy Hash: 0FF0BE3104021DBADB122F50AD0BFCE3F5AAF05720F084000FA51620E287B90654EFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00F9A15C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00F9A179
GetWindowThreadProcessId.USER32(?,00000000), ref: 00F9A18C
GetCurrentThreadId.KERNEL32 ref: 00F9A193
AttachThreadInput.USER32(00000000), ref: 00F9A19A

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: d52f74eda529d8d0d649c6756957733c05fce64bc1a6a342153adccb68aea9ef
Instruction ID: 6c4da2b4a70568b8ad2e56bd5656b5c76689e613d08d17c18dfa8df8c2ed2a3f
Opcode Fuzzy Hash: d52f74eda529d8d0d649c6756957733c05fce64bc1a6a342153adccb68aea9ef
Instruction Fuzzy Hash: 24E0393154122CBAEB205BA2DD0EED7BF1DEF267A1F008025F50886060C6718584EBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00F42218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00F42231
SetTextColor.GDI32(?,000000FF), ref: 00F4223B
SetBkMode.GDI32(?,00000001), ref: 00F42250
GetStockObject.GDI32(00000005), ref: 00F42258
GetWindowDC.USER32(?,00000000), ref: 00F7C003
GetPixel.GDI32(00000000,00000000,00000000), ref: 00F7C010
GetPixel.GDI32(00000000,?,00000000), ref: 00F7C029
GetPixel.GDI32(00000000,00000000,?), ref: 00F7C042
GetPixel.GDI32(00000000,?,?), ref: 00F7C062
ReleaseDC.USER32(?,00000000), ref: 00F7C06D

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: cfbc03b0f833f9b77f44e018aa4d1a623892f37d57416fca9d7c73c639569e2a
Instruction ID: 58b8af3246bf02d63e3d856c1a5fa2ad1c8bb12f030fa0e6bd89c4c459ee7d6c
Opcode Fuzzy Hash: cfbc03b0f833f9b77f44e018aa4d1a623892f37d57416fca9d7c73c639569e2a
Instruction Fuzzy Hash: 64E06531500548EBEB215F74FD0EBD87B11EB45332F04C376FA69880E187714594EB12

Uniqueness

Uniqueness Score: -1.00%

Function 00F98A3A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00F98A43
OpenThreadToken.ADVAPI32(00000000), ref: 00F98A4A
GetCurrentProcess.KERNEL32(00000028,?), ref: 00F98A57
OpenProcessToken.ADVAPI32(00000000), ref: 00F98A5E

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: bcc4b067d504428222d090d0cb489382ca9f3f9890e2f3c41ebdfcf7d370caa2
Instruction ID: 1158aaa362d5ec25e6ebf18dd3dc9c00b53872fe6f5e6c9fcb1ea04f2d5e0384
Opcode Fuzzy Hash: bcc4b067d504428222d090d0cb489382ca9f3f9890e2f3c41ebdfcf7d370caa2
Instruction Fuzzy Hash: DFE08676E41215EFEB205FB06E0EF96BBADEF51BE2F044828B645CB040DA34944AE750

Uniqueness

Uniqueness Score: -1.00%

Function 00F820B6 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00F820B6
GetDC.USER32(00000000), ref: 00F820C0
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00F820E0
ReleaseDC.USER32(?), ref: 00F82101

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 7fa29cf62071de4a258052147d8b11abda93464d9a2122ca1739041b2bfa4da7
Instruction ID: a991a968809ee7317c447543b0e9eabe1a6460c61b4e5d40adb156bcefa5adf8
Opcode Fuzzy Hash: 7fa29cf62071de4a258052147d8b11abda93464d9a2122ca1739041b2bfa4da7
Instruction Fuzzy Hash: 06E0E5B5800208EFCB41AF60C909A9EBFB2EB4C350F108025FC5AD7220CB789145BF40

Uniqueness

Uniqueness Score: -1.00%

Function 00F820CA Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00F820CA
GetDC.USER32(00000000), ref: 00F820D4
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00F820E0
ReleaseDC.USER32(?), ref: 00F82101

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 0b150fa1e2c8e033f0f00b3220c9177e0bb2af41810991be852600fd189cf2f1
Instruction ID: bdf7b6679a7e59bb2c624a1358b6e3e2fdfe239049fcd19b6901c25af10f2e45
Opcode Fuzzy Hash: 0b150fa1e2c8e033f0f00b3220c9177e0bb2af41810991be852600fd189cf2f1
Instruction Fuzzy Hash: 3FE0E5B5800208AFCB019F60C909A9DBFA2AB4C310F108025FD5AD7220CB789145BF40

Uniqueness

Uniqueness Score: -1.00%

Function 00F9B5B5 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(0000000C,00000001), ref: 00F9B780

Strings

Container, xrefs: 00F9B6FD
AutoIt3GUI, xrefs: 00F9B6F8

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: d84e799df48b2cc86d2cc1c8fcdad6db690e440088a42dba79371dabbb3b7d3f
Instruction ID: b6fd7c3f922aa9482bf350fcd6719530aea742074e4f9c330f77b53251f7de37
Opcode Fuzzy Hash: d84e799df48b2cc86d2cc1c8fcdad6db690e440088a42dba79371dabbb3b7d3f
Instruction Fuzzy Hash: 11915C716002019FEB54DF64D984B66BBF9FF49710F14856DF909CB2A1DBB0E841DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00FAB038 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00F5FE06: _wcscpy.LIBCMT ref: 00F5FE29

Part of subcall function 00F49997: __itow.LIBCMT ref: 00F499C2
Part of subcall function 00F49997: __swprintf.LIBCMT ref: 00F49A0C

__wcsnicmp.LIBCMT ref: 00FAB0B9
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00FAB182

Strings

LPT, xrefs: 00FAB0B3

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: cc508eae5da66f87f5e540db3dc4f45e161f729a8ff6c8425613ea8180884b78
Instruction ID: a9b28f0c739af96f69c8eb90dae056a9fe1a8821ae8e8e83a092f7e0859a0ec4
Opcode Fuzzy Hash: cc508eae5da66f87f5e540db3dc4f45e161f729a8ff6c8425613ea8180884b78
Instruction Fuzzy Hash: 6A61A5B6E00215AFCB14DF94C891EAEB7F4EF09310F10405AF956AB352DB74AE44EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F52AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00F52AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 00F52AE1

Strings

@, xrefs: 00F52AD5

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 3c08c9710f05953463c839095ac1261697993a24ad023a59dd9ce12e18b43d57
Instruction ID: 6eef8dcc542433bb8d120762971f2e92980ab98614967e974d7308aa3514a657
Opcode Fuzzy Hash: 3c08c9710f05953463c839095ac1261697993a24ad023a59dd9ce12e18b43d57
Instruction Fuzzy Hash: B35199715187489BD320AF10DC86BAFBBE8FF84310F42884DF5D8511A2DB788568EB66

Uniqueness

Uniqueness Score: -1.00%

Function 00FA97DD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00F4506B: __fread_nolock.LIBCMT ref: 00F45089

_wcscmp.LIBCMT ref: 00FA98CD
_wcscmp.LIBCMT ref: 00FA98E0

Strings

FILE, xrefs: 00FA9819

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 648e0a0b3eff45918dc70991ef6ec676ee9315f21b10a5500082cf3a681314b3
Instruction ID: f9da97c1cb3066f0d768b2ca0b703d1c61bf04168037d01d25c3bcb5e7f48127
Opcode Fuzzy Hash: 648e0a0b3eff45918dc70991ef6ec676ee9315f21b10a5500082cf3a681314b3
Instruction Fuzzy Hash: 4441D971A0460ABBDF21AEA4CC85FEF7BBDDF4A710F000479F900B7181DAB5990597A1

Uniqueness

Uniqueness Score: -1.00%

Function 00FC7AA3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00FC7B93
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00FC7BA8

Strings

', xrefs: 00FC7AFC

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: fbc67d756692ebdc1e4bfb202aedf4668c0ac30d348322151171f6ffa7389cee
Instruction ID: 66cbde30f8991ee8e6676b9a89bda25340a1f7912081b9c73de7bec978ca3da2
Opcode Fuzzy Hash: fbc67d756692ebdc1e4bfb202aedf4668c0ac30d348322151171f6ffa7389cee
Instruction Fuzzy Hash: A141F875A0530A9FDB14DF65C981FDABBB5FB49300F10016AE904AB395D731A941DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00FA2B9A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FA2C09
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00FA2C44

Strings

0, xrefs: 00FA2C02

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 2f7f6eb66250a0aff8b1afcd1155c9d336727cbbae974683e030a7f077bda60f
Instruction ID: 30f8e5278b8ddd9b746dfb2b5deeec77c593c524558f3ec7af77090ea6872c6b
Opcode Fuzzy Hash: 2f7f6eb66250a0aff8b1afcd1155c9d336727cbbae974683e030a7f077bda60f
Instruction Fuzzy Hash: B331E3B1B002099BEB758F4CCD85BAEBBB9FB06370F144019EC85A61A0E7709A40EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FB3AFF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00FB3B7C

Part of subcall function 00F47F41: _memmove.LIBCMT ref: 00F47F82

Strings

, $, xrefs: 00FB3BBC
AUTOITCALLVARIABLE%d, xrefs: 00FB3B6E

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: c1ebfd03224f4cef32892d1fcfacdaf4e0d01ff9289fcd101afe3cb382b6161f
Instruction ID: d9d9f67fb989bece0c3d4bce39db986be17fd670e4ef5ca689ee03447a8a02e7
Opcode Fuzzy Hash: c1ebfd03224f4cef32892d1fcfacdaf4e0d01ff9289fcd101afe3cb382b6161f
Instruction Fuzzy Hash: 3A216535640229ABCF14EF65CC82EEE7BA5FF84700F404495F905A7245DB34EE46EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00FC6706 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00FC6793
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FC679E

Strings

Combobox, xrefs: 00FC6760

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 1f259eb40b2d3df3f0d5fadc7e729e2b7fc16d83a07bab01e9cf8ec1839a229f
Instruction ID: d9ffee5471b41a31d2f7159810116861c8d702d526ac0d7806c125ed4ea454c9
Opcode Fuzzy Hash: 1f259eb40b2d3df3f0d5fadc7e729e2b7fc16d83a07bab01e9cf8ec1839a229f
Instruction Fuzzy Hash: 0E11B6756041096FEF218F14CD82FBB376AEF88378F104528F918D7290DA359C51A760

Uniqueness

Uniqueness Score: -1.00%

Function 00FA2CA7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FA2D1A
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00FA2D39

Strings

0, xrefs: 00FA2D10

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 709fa0e6c51f325b577f2871af466f538d230be9c2c12572de623f82837b29d9
Instruction ID: 51f5dabfbee62256fb5c68c6cacf62f9bac5d5526238d4af89f644cefd36e47f
Opcode Fuzzy Hash: 709fa0e6c51f325b577f2871af466f538d230be9c2c12572de623f82837b29d9
Instruction Fuzzy Hash: A51104B2F01214ABDB61DB5CDC84BAD77BAAB07330F140021EC55AB2A1D770EE05EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F990C7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F47F41: _memmove.LIBCMT ref: 00F47F82

Part of subcall function 00F9AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 00F9AEC7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00F99135

Strings

ComboBox, xrefs: 00F990D4
ListBox, xrefs: 00F990FF

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 3016785e340b85c00807f9bf0592284f3ea543bdb4004d789b7058b9d7d44852
Instruction ID: cc82a6cc33d2443f0c7f95018dc97af25f89dcb8ece54c4eb637a11aca44ee02
Opcode Fuzzy Hash: 3016785e340b85c00807f9bf0592284f3ea543bdb4004d789b7058b9d7d44852
Instruction Fuzzy Hash: C501F531A09219ABDF04FBA9CC958FE7769FF06320B140619F872573D2DA39584CF650

Uniqueness

Uniqueness Score: -1.00%

Function 00F98FBF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F47F41: _memmove.LIBCMT ref: 00F47F82

Part of subcall function 00F9AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 00F9AEC7

SendMessageW.USER32(?,00000180,00000000,?), ref: 00F9902D

Strings

ComboBox, xrefs: 00F98FCC
ListBox, xrefs: 00F98FF7

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: f0a9873195c4f31a727503347ad27b682707879c8c228fdbf47840dfb43a6e43
Instruction ID: 29c42b02db7729518edf9bfccc22f30c5f931a827d728b4529040db6c085ea74
Opcode Fuzzy Hash: f0a9873195c4f31a727503347ad27b682707879c8c228fdbf47840dfb43a6e43
Instruction Fuzzy Hash: 0701F771A452086BDF14F7A5CC92EFEB7A8DF05750F240019B81263292DE295E0CF2B1

Uniqueness

Uniqueness Score: -1.00%

Function 00F99044 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F47F41: _memmove.LIBCMT ref: 00F47F82

Part of subcall function 00F9AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 00F9AEC7

SendMessageW.USER32(?,00000182,?,00000000), ref: 00F990B0

Strings

ComboBox, xrefs: 00F99051
ListBox, xrefs: 00F9907C

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 5e52f9fa94c376fab97e8b53533b990dc0c47d118727ed215bfe0511a6f33fb0
Instruction ID: 1b53a8b925bda18270f263f1fd0f04634197d44e6f2bcf5378c1dbacba2ce3d3
Opcode Fuzzy Hash: 5e52f9fa94c376fab97e8b53533b990dc0c47d118727ed215bfe0511a6f33fb0
Instruction Fuzzy Hash: 9B012B71A4520867EF00F7B8CD42EFEB7AC8F10750F2400197C1263392DA295E0CB2B2

Uniqueness

Uniqueness Score: -1.00%

Function 00FA4FCF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00FA4FED
_wcscmp.LIBCMT ref: 00FA4FFF

Strings

#32770, xrefs: 00FA4FF9

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 06c7506af1573bc0462ee7627708ef408850248f9a1488b75067e1f981b369cc
Instruction ID: 9e799bb47e3c6f5e949a37eab7d0441c4e358ea1d018b8bf8e0df2a19431d85a
Opcode Fuzzy Hash: 06c7506af1573bc0462ee7627708ef408850248f9a1488b75067e1f981b369cc
Instruction Fuzzy Hash: 3DE02232A0022D2BD7209B99AC0AFA7FBACEF01B70F000026BD00D3050EA619A0597E1

Uniqueness

Uniqueness Score: -1.00%

Function 00F7B441 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00F7B494: _memset.LIBCMT ref: 00F7B4A1

Part of subcall function 00F60AC0: InitializeCriticalSectionAndSpinCount.KERNEL32(01004158,00000000,01004144,00F7B470,?,?,?,00F4100A), ref: 00F60AC5

IsDebuggerPresent.KERNEL32(?,?,?,00F4100A), ref: 00F7B474
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00F4100A), ref: 00F7B483

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00F7B47E

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: fd936bd7c127823c3217c63be5559b2f2e73fcf244ba528aa36e209d614a2b3a
Instruction ID: fc24a27f0f32349d76c804684425337fb278eb1ba5c4d4e40c58b9de5f8fd3cd
Opcode Fuzzy Hash: fd936bd7c127823c3217c63be5559b2f2e73fcf244ba528aa36e209d614a2b3a
Instruction Fuzzy Hash: 9AE092702007518FD370DF69E908742BBE4AF01304F01C92EE48AC3342EBB8E448EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00F97F9C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00F97FAA

Part of subcall function 00F634D8: _doexit.LIBCMT ref: 00F634E2

Strings

AutoIt, xrefs: 00F97F9E
Error allocating memory., xrefs: 00F97FA3

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: a1d508c2c18a7c137b9c6632bd5306f53ef2618734a708c7d5ec42e900ae38db
Instruction ID: e264df38ee2faf74a14f5835af6b6dac392f813943def618d609e63d4a26cbe0
Opcode Fuzzy Hash: a1d508c2c18a7c137b9c6632bd5306f53ef2618734a708c7d5ec42e900ae38db
Instruction Fuzzy Hash: 1ED05B3339C31C32D21532A96C07FDAB9484F05B55F140426FF08665D34ED99991B1E9

Uniqueness

Uniqueness Score: -1.00%

Function 00F81C8E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00F81ACE

Part of subcall function 00FBC104: LoadLibraryA.KERNEL32(kernel32.dll,?,00F81CB7,?), ref: 00FBC112
Part of subcall function 00FBC104: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00FBC124

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00F81CC6

Strings

WIN_XPe, xrefs: 00F81AE1

Memory Dump Source

Source File: 00000000.00000002.1644925783.0000000000F41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1644866940.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.0000000000FFE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000100B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1644925783.000000000110B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645653172.0000000001111000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1645732984.0000000001112000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_SecuriteInfo.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 47959155c11c54517021782a54771d0d2b68bf1fffdab34001c500e80018f6ff
Instruction ID: 3c2221d8ac8e6a0031975f5c8a58d5b1ad6c47faae871703c35570d08d902331
Opcode Fuzzy Hash: 47959155c11c54517021782a54771d0d2b68bf1fffdab34001c500e80018f6ff
Instruction Fuzzy Hash: FEF0C971802109DFDB59EB95CA85BEDBBF9FB08314F540195E102B2451CB794F45EF60

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: MP3SoundRecorder.exePID: 4908, Parent PID: 6936COMMON

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	51.9%
Signature Coverage:	1.9%
Total number of Nodes:	462
Total number of Limit Nodes:	15

Executed Functions

Function 008C764C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43
librarystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpyA.KERNEL32(00000800,LOC), ref: 008C766F
LoadLibraryA.KERNELBASE(?), ref: 008C76A2
GetLocaleInfoA.KERNELBASE(00000800,00000003,00000800,00000004), ref: 008C76B2

Strings

LOC, xrefs: 008C7669

Memory Dump Source

Source File: 00000001.00000002.2867017111.00000000008B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000001.00000002.2866949407.00000000008B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867057178.00000000008CA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867126691.00000000008D1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867159897.00000000008D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867196251.00000000008D7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8b0000_MP3SoundRecorder.jbxd

Similarity

API ID: InfoLibraryLoadLocalelstrcpy
String ID: LOC
API String ID: 864663389-519433814
Opcode ID: 519dad58efb05fdd1bbc4c8e9e9c2f31d2e8818640d42660d53ff8de231b941a
Instruction ID: cb52bd52f5ff8eec08c8d3ef4ce014dd9da7072b5dde599b6c709f60556fdc77
Opcode Fuzzy Hash: 519dad58efb05fdd1bbc4c8e9e9c2f31d2e8818640d42660d53ff8de231b941a
Instruction Fuzzy Hash: 11014F7190860CBBDF14AB68DC49FDA377CFB10324F108566FA15D2190DB30DA449FA5

Uniqueness

Uniqueness Score: -1.00%

Function 008C76E1 Relevance: 38.7, APIs: 17, Strings: 5, Instructions: 167
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 008C7704
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 008C770F
ConvertDefaultLocale.KERNELBASE(?), ref: 008C7740
ConvertDefaultLocale.KERNELBASE(?), ref: 008C7748
GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 008C7755
ConvertDefaultLocale.KERNEL32(?), ref: 008C776F
ConvertDefaultLocale.KERNEL32(000003FF), ref: 008C7775
GetVersion.KERNEL32 ref: 008C7783
RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 008C77A8
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 008C77CE
ConvertDefaultLocale.KERNEL32(?), ref: 008C781A
ConvertDefaultLocale.KERNEL32(74DF0A60), ref: 008C7820
RegCloseKey.ADVAPI32(?), ref: 008C782B

Strings

kernel32.dll, xrefs: 008C76F7
ntdll.dll, xrefs: 008C7833
GetUserDefaultUILanguage, xrefs: 008C7706
Control Panel\Desktop\ResourceLocale, xrefs: 008C779B
GetSystemDefaultUILanguage, xrefs: 008C774A

Memory Dump Source

Source File: 00000001.00000002.2867017111.00000000008B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000001.00000002.2866949407.00000000008B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867057178.00000000008CA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867126691.00000000008D1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867159897.00000000008D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867196251.00000000008D7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8b0000_MP3SoundRecorder.jbxd

Similarity

API ID: ConvertDefaultLocale$AddressProc$CloseHandleModuleOpenQueryValueVersion
String ID: Control Panel\Desktop\ResourceLocale$GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
API String ID: 780041395-483790700
Opcode ID: c8b3f3a19490beb4f806511d41d7399dd5386a4e85f85f72d1581911b76cdb5e
Instruction ID: 75e2fe1a8c564271e478248eb279d5df151b39933245103ee57fdd6accad526c
Opcode Fuzzy Hash: c8b3f3a19490beb4f806511d41d7399dd5386a4e85f85f72d1581911b76cdb5e
Instruction Fuzzy Hash: 50515F71E4021DAEDF149FE5DC8AFAEBBB9FB48314F14443AE605E2240D678C9419FA1

Uniqueness

Uniqueness Score: -1.00%

Function 008C8B78 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 105
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104,?,?,00000000), ref: 008C8BB9
PathFindExtensionA.KERNELBASE(?), ref: 008C8BD3
lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 008C8C6D
lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 008C8C9A

Strings

.INI, xrefs: 008C8C8E
.CHM, xrefs: 008C8C5E
.HLP, xrefs: 008C8C65

Memory Dump Source

Source File: 00000001.00000002.2867017111.00000000008B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000001.00000002.2866949407.00000000008B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867057178.00000000008CA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867126691.00000000008D1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867159897.00000000008D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867196251.00000000008D7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8b0000_MP3SoundRecorder.jbxd

Similarity

API ID: ExtensionFileFindModuleNamePathlstrcatlstrcpy
String ID: .CHM$.HLP$.INI
API String ID: 2140653559-4017452060
Opcode ID: c1545603efcff7fc70fdbdd3169013cdeeb739022420cfde61bcdf68c860c8fc
Instruction ID: d0dafb1b3717ba670f63af74303e55229ea3c23d13e3ac6555023d7b662e5e6f
Opcode Fuzzy Hash: c1545603efcff7fc70fdbdd3169013cdeeb739022420cfde61bcdf68c860c8fc
Instruction Fuzzy Hash: CF410571541748DFCBA1EFA9D984FDA77F8FB48314F10482EE98AC6251EB34E9408B21

Uniqueness

Uniqueness Score: -1.00%

Function 008C8CC6 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 38
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000000,00000000,008B4336,?,00000000,008CB1F8,00000000,00000000,?,?,?,008B675F,?,?,?,?), ref: 008C8CCF
SetErrorMode.KERNELBASE(00000000,?,008B675F,?,?,?,?,?,?,008CC918,0000000C), ref: 008C8CD7
GetModuleHandleA.KERNEL32(user32.dll,008B675F,?,?,?,?,?,?,008CC918,0000000C), ref: 008C8D22
GetProcAddress.KERNEL32(00000000,NotifyWinEvent), ref: 008C8D32

Part of subcall function 008C8B78: GetModuleFileNameA.KERNEL32(?,?,00000104,?,?,00000000), ref: 008C8BB9
Part of subcall function 008C8B78: PathFindExtensionA.KERNELBASE(?), ref: 008C8BD3
Part of subcall function 008C8B78: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 008C8C6D
Part of subcall function 008C8B78: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 008C8C9A

Strings

user32.dll, xrefs: 008C8D1D
NotifyWinEvent, xrefs: 008C8D2C

Memory Dump Source

Source File: 00000001.00000002.2867017111.00000000008B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000001.00000002.2866949407.00000000008B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867057178.00000000008CA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867126691.00000000008D1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867159897.00000000008D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867196251.00000000008D7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8b0000_MP3SoundRecorder.jbxd

Similarity

API ID: ErrorModeModule$AddressExtensionFileFindHandleNamePathProclstrcatlstrcpy
String ID: NotifyWinEvent$user32.dll
API String ID: 4004864024-597752486
Opcode ID: 51a6dd399502296762dd9c365d8bed732ea1012a4f89fd7bfc8cd904654f6ef7
Instruction ID: 788c407b0222b05d094562f63d6663867e0aa2349e099201ede9def8eba32e72
Opcode Fuzzy Hash: 51a6dd399502296762dd9c365d8bed732ea1012a4f89fd7bfc8cd904654f6ef7
Instruction Fuzzy Hash: 99012870A852208FCB14AF29A805F1A3BB8FF54711F05885EF546D72A2DB34C800CF67

Uniqueness

Uniqueness Score: -1.00%

Function 008C8105 Relevance: 9.1, APIs: 6, Instructions: 51
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNELBASE(00000002), ref: 008C810D
GlobalHandle.KERNEL32(?), ref: 008C8146
GlobalLock.KERNEL32(00000000), ref: 008C814D
LeaveCriticalSection.KERNEL32(?), ref: 008C8156
GlobalLock.KERNEL32(00000000), ref: 008C8162
LeaveCriticalSection.KERNEL32(?,?,?,008D455C,008D455C,?,008C8641,00000000,00000000,?,008C8ADF,008C6C78,008C1FA9,00000000,00000000), ref: 008C81AA

Memory Dump Source

Source File: 00000001.00000002.2867017111.00000000008B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000001.00000002.2866949407.00000000008B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867057178.00000000008CA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867126691.00000000008D1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867159897.00000000008D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867196251.00000000008D7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8b0000_MP3SoundRecorder.jbxd

Similarity

API ID: Global$CriticalLeaveLockSection$AllocHandle
String ID:
API String ID: 932788031-0
Opcode ID: b339ddbbfaa23dbf1e393c2adacf13e52bb4d3654281b8b85cc34d8a0a27f6eb
Instruction ID: fc1040101a88a0e276c0bc9bc2969d2ff7e40b2c17f6a0a0ca4bd2499c71d08e
Opcode Fuzzy Hash: b339ddbbfaa23dbf1e393c2adacf13e52bb4d3654281b8b85cc34d8a0a27f6eb
Instruction Fuzzy Hash: 70112A31A00618EFC715DF64D848E5ABBF5FB44308F04892EE556D3610D730EA14CB51

Uniqueness

Uniqueness Score: -1.00%

Function 008C79C7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 008C79E9
PathFindExtensionA.SHLWAPI(?), ref: 008C7A00
lstrcpyA.KERNEL32(00000000,?), ref: 008C7A2A

Part of subcall function 008C76E1: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 008C7704
Part of subcall function 008C76E1: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 008C770F
Part of subcall function 008C76E1: ConvertDefaultLocale.KERNELBASE(?), ref: 008C7740
Part of subcall function 008C76E1: ConvertDefaultLocale.KERNELBASE(?), ref: 008C7748
Part of subcall function 008C76E1: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 008C7755
Part of subcall function 008C76E1: ConvertDefaultLocale.KERNEL32(?), ref: 008C776F
Part of subcall function 008C76E1: ConvertDefaultLocale.KERNEL32(000003FF), ref: 008C7775

Strings

%s.dll, xrefs: 008C7A06

Memory Dump Source

Source File: 00000001.00000002.2867017111.00000000008B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000001.00000002.2866949407.00000000008B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867057178.00000000008CA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867126691.00000000008D1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867159897.00000000008D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867196251.00000000008D7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8b0000_MP3SoundRecorder.jbxd

Similarity

API ID: ConvertDefaultLocale$AddressModuleProc$ExtensionFileFindHandleNamePathlstrcpy
String ID: %s.dll
API String ID: 4178508759-3668843792
Opcode ID: d347919b92af79d348327f8209332ba22d7fa2d50c90a08d9b913a50ec13145b
Instruction ID: 171d30363ca21b1b8ed72dd7aaf7220e7c7a0b298eb4f03ea43b759a2278f6eb
Opcode Fuzzy Hash: d347919b92af79d348327f8209332ba22d7fa2d50c90a08d9b913a50ec13145b
Instruction Fuzzy Hash: A9017171A0411CABCF19DFA8DC95EEEB7BDFB48304F1404AEE616D3100E670DA858B91

Uniqueness

Uniqueness Score: -1.00%

Function 022A4FDE Relevance: 6.1, APIs: 4, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(?,?,?,022A4FD9), ref: 022A5055
GetProcessVersion.KERNELBASE(00000000,?,?,?,022A4FD9), ref: 022A5092
LoadCursorA.USER32(00000000,00007F02), ref: 022A50C0
LoadCursorA.USER32(00000000,00007F00), ref: 022A50CB

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: CursorLoadVersion$Process
String ID:
API String ID: 2246821583-0
Opcode ID: 43b2eb1218d785f256376040d0d91d8a9425efb9f40d1899bb2db2ddfe5aed02
Instruction ID: 29670f7242ad5ab3a5bbed30d9738aeebeb79ab099daf3d41bf33ed3e68b9bb4
Opcode Fuzzy Hash: 43b2eb1218d785f256376040d0d91d8a9425efb9f40d1899bb2db2ddfe5aed02
Instruction Fuzzy Hash: 93118CB1A507108FDB249F7A989462BBBE9FB587047400E3EE18BC6B84D7B4E440CF90

Uniqueness

Uniqueness Score: -1.00%

Function 008C7C8A Relevance: 4.6, APIs: 3, Instructions: 60
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 008C7C8F

Part of subcall function 008C8046: __EH_prolog.LIBCMT ref: 008C804B

GetCurrentThread.KERNEL32 ref: 008C7CDD
GetCurrentThreadId.KERNEL32 ref: 008C7CE6

Part of subcall function 008B730D: _strlen.LIBCMT ref: 008B7317
Part of subcall function 008B730D: _strcat.LIBCMT ref: 008B732B

Memory Dump Source

Source File: 00000001.00000002.2867017111.00000000008B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000001.00000002.2866949407.00000000008B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867057178.00000000008CA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867126691.00000000008D1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867159897.00000000008D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867196251.00000000008D7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8b0000_MP3SoundRecorder.jbxd

Similarity

API ID: CurrentH_prologThread$_strcat_strlen
String ID:
API String ID: 268772951-0
Opcode ID: 30213fbbcd21e6c9524868036dd226a179b1482473d391284c1ba34b2e7dfcb6
Instruction ID: 945f906cd2edb52a841a8959588910ac89ead2619e16437b1812235d939d81b1
Opcode Fuzzy Hash: 30213fbbcd21e6c9524868036dd226a179b1482473d391284c1ba34b2e7dfcb6
Instruction Fuzzy Hash: 2421ABB0800B508FD3219F2AD545A9AFBF8FFA4304F00891FE5AAC2B21CBB4A441DF41

Uniqueness

Uniqueness Score: -1.00%

Function 022A488D Relevance: 3.0, APIs: 2, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000000,00000000,022941C2,?,00000000,022A65A4,00000000,?,?,?,?,022959A9,?,?,?,?), ref: 022A4896
SetErrorMode.KERNELBASE(00000000,?,022959A9,?,?,?,?,?,?), ref: 022A489D

Part of subcall function 022A48F0: GetModuleFileNameA.KERNEL32(?,?,00000104,?,?,00000000), ref: 022A4921
Part of subcall function 022A48F0: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 022A49C2
Part of subcall function 022A48F0: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 022A49EF

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: ErrorMode$FileModuleNamelstrcatlstrcpy
String ID:
API String ID: 3389432936-0
Opcode ID: 9652c7c6c37f792793cfa4d66115761b4bbe4432c95b797e5e902c33ed4d2905
Instruction ID: e681b646ec93e4a7052763414a4e40bc8cc20079bd4420a23be64e1edb24d9b5
Opcode Fuzzy Hash: 9652c7c6c37f792793cfa4d66115761b4bbe4432c95b797e5e902c33ed4d2905
Instruction Fuzzy Hash: A6F04F74D243558FC714FFA4E854B597BE9AF45710F05844BE4448B7A6CBB0D840CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02299A9E Relevance: 3.0, APIs: 2, Instructions: 30
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,0229589F,00000001), ref: 02299AAF

Part of subcall function 02299956: GetVersionExA.KERNEL32 ref: 02299975

HeapDestroy.KERNEL32 ref: 02299AEE

Part of subcall function 02299D4A: HeapAlloc.KERNEL32(00000000,00000140,02299AD7,000003F8), ref: 02299D57

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: Heap$AllocCreateDestroyVersion
String ID:
API String ID: 2507506473-0
Opcode ID: 89c5ee45244d618ab86bb3857867a937747d1174aedaf64700018fde764febee
Instruction ID: 1de9570bc4b4cbd147b464a57cd4de80cb06029acf3268f5e6141bf3236354da
Opcode Fuzzy Hash: 89c5ee45244d618ab86bb3857867a937747d1174aedaf64700018fde764febee
Instruction Fuzzy Hash: 8AF06571EB43039AEF6357F4A88D7363599EB44761F10482EF405C81D8EBA591D0C511

Uniqueness

Uniqueness Score: -1.00%

Function 100021D0 Relevance: 3.0, APIs: 2, Instructions: 30
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,100015DF,00000001), ref: 100021E1

Part of subcall function 10002088: GetVersionExA.KERNEL32 ref: 100020A7

HeapDestroy.KERNEL32 ref: 10002220

Part of subcall function 1000354F: HeapAlloc.KERNEL32(00000000,00000140,10002209,000003F8), ref: 1000355C

Memory Dump Source

Source File: 00000001.00000002.2867990843.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2867967871.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868015784.0000000010006000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868039729.0000000010007000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868064205.0000000010009000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868087376.0000000010029000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868106967.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_MP3SoundRecorder.jbxd

Similarity

API ID: Heap$AllocCreateDestroyVersion
String ID:
API String ID: 2507506473-0
Opcode ID: cc71d59542a17e02dcd5e6b02ad3a319c673ef04acf9188a0d93956b349610cc
Instruction ID: d60402c581ec4884e96902e994b0f8fdba7d9ff7f594678adad563b4eb089489
Opcode Fuzzy Hash: cc71d59542a17e02dcd5e6b02ad3a319c673ef04acf9188a0d93956b349610cc
Instruction Fuzzy Hash: 8CF09274A40302FAFB12DBB05DC672A36D9EB057C2F318826F505C80ADEF6194C9A621

Uniqueness

Uniqueness Score: -1.00%

Function 008BA5EF Relevance: 3.0, APIs: 2, Instructions: 26
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,008B65E9,00000001,?,?,?,008B674B,?,?,?,008CC918,0000000C), ref: 008BA600

Part of subcall function 008BA6BF: HeapAlloc.KERNEL32(00000000,00000140,008BA628,000003F8,?,?,?,008B674B,?,?,?,008CC918,0000000C), ref: 008BA6CC

HeapDestroy.KERNEL32(?,?,?,008B674B,?,?,?,008CC918,0000000C), ref: 008BA633

Memory Dump Source

Source File: 00000001.00000002.2867017111.00000000008B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000001.00000002.2866949407.00000000008B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867057178.00000000008CA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867126691.00000000008D1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867159897.00000000008D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867196251.00000000008D7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8b0000_MP3SoundRecorder.jbxd

Similarity

API ID: Heap$AllocCreateDestroy
String ID:
API String ID: 2236781399-0
Opcode ID: 7a5c5866933c18bd407dc9a6b7958ea5344fae76c9794dd87acf3d1d973b4d0c
Instruction ID: af4769e4c491ebe2e845aeee43a91095ba9835a29fc0aad01d8e98ca4d448781
Opcode Fuzzy Hash: 7a5c5866933c18bd407dc9a6b7958ea5344fae76c9794dd87acf3d1d973b4d0c
Instruction Fuzzy Hash: F1E012B5A51200AADB186FB4AC0575637E4F755755F044425B445C51A1FFB0C500AF03

Uniqueness

Uniqueness Score: -1.00%

Function 02295A67 Relevance: 1.6, APIs: 1, Instructions: 80
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,-00000093,?,?,?,?,-00000084), ref: 02295B4E

Part of subcall function 0229AFF3: InitializeCriticalSection.KERNEL32(00000000,?,?,?,02295BE2,00000009,?,-00000084,?,?,0229132D,?,?,?,?), ref: 0229B030
Part of subcall function 0229AFF3: EnterCriticalSection.KERNEL32(?,?,?,02295BE2,00000009,?,-00000084,?,?,0229132D,?,?,?,?), ref: 0229B04B

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: CriticalSection$AllocateEnterHeapInitialize
String ID:
API String ID: 1616793339-0
Opcode ID: 20d3182b6f144a0d842cd898335723c76501f4ffd1e009eae718eec6730c20e4
Instruction ID: 2d0b34cb9cff3cb0a721ce99f3cbc7a208d38c7256fc9d2465fc44c1543b4eae
Opcode Fuzzy Hash: 20d3182b6f144a0d842cd898335723c76501f4ffd1e009eae718eec6730c20e4
Instruction Fuzzy Hash: DF21F572B60306ABDF22DFE8EC41B9EB7A4FB00724F504615F420EB1C8D774A9558A64

Uniqueness

Uniqueness Score: -1.00%

Function 100027D0 Relevance: 1.6, APIs: 1, Instructions: 80
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,?,?,?), ref: 100028B7

Part of subcall function 100024F6: InitializeCriticalSection.KERNEL32(00000000,?,?,?,10002728,00000009,?,?,?), ref: 10002533
Part of subcall function 100024F6: EnterCriticalSection.KERNEL32(?,?,?,10002728,00000009,?,?,?), ref: 1000254E

Memory Dump Source

Source File: 00000001.00000002.2867990843.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2867967871.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868015784.0000000010006000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868039729.0000000010007000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868064205.0000000010009000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868087376.0000000010029000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868106967.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_MP3SoundRecorder.jbxd

Similarity

API ID: CriticalSection$AllocateEnterHeapInitialize
String ID:
API String ID: 1616793339-0
Opcode ID: 429068cd8081ea0bd593f185bbb5a4b2d0f1cd7a7167ea7ace8d94117b011d81
Instruction ID: c4b79089c5474ed678212c5420f6e05564da313013c3f3ca2e7ca7eda9503515
Opcode Fuzzy Hash: 429068cd8081ea0bd593f185bbb5a4b2d0f1cd7a7167ea7ace8d94117b011d81
Instruction Fuzzy Hash: E821CB39901215ABF710DF64CC81B9E77A4FB007E0F25C525F920EB1D8DF74A9819B55

Uniqueness

Uniqueness Score: -1.00%

Function 008C8601 Relevance: 1.5, APIs: 1, Instructions: 39
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 008C8606

Part of subcall function 008C834B: TlsAlloc.KERNEL32(?,008C8630,00000000,00000000,?,008C8ADF,008C6C78,008C1FA9,00000000,00000000), ref: 008C836D

Memory Dump Source

Source File: 00000001.00000002.2867017111.00000000008B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000001.00000002.2866949407.00000000008B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867057178.00000000008CA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867126691.00000000008D1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867159897.00000000008D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867196251.00000000008D7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8b0000_MP3SoundRecorder.jbxd

Similarity

API ID: AllocH_prolog
String ID:
API String ID: 3910492588-0
Opcode ID: 69820adcf58b7ed2c76865323a1189400b9f309509e3ac12fb5ebf9dc8fee811
Instruction ID: c338e1cd42d0c84eb594e5fb1272a65be2f7e4a9d75004cb1c678c962b1ca811
Opcode Fuzzy Hash: 69820adcf58b7ed2c76865323a1189400b9f309509e3ac12fb5ebf9dc8fee811
Instruction Fuzzy Hash: B4012835641580DBC729AF6CD815F6A7BB1FBA0320F11166EE4A2D3391DF748901CB51

Uniqueness

Uniqueness Score: -1.00%

Function 008B33A0 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,00000006), ref: 008B33B7

Memory Dump Source

Source File: 00000001.00000002.2867017111.00000000008B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000001.00000002.2866949407.00000000008B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867057178.00000000008CA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867126691.00000000008D1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867159897.00000000008D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867196251.00000000008D7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8b0000_MP3SoundRecorder.jbxd

Similarity

API ID: FindResource
String ID:
API String ID: 1635176832-0
Opcode ID: 4b1e83fa9f80ed431545b426592e72b83abde90c0437711c0979876a898f6060
Instruction ID: 06850e72d52c095fd1e4a38ce2e14923b9ee3b7807acaa61948ee1952fe7052e
Opcode Fuzzy Hash: 4b1e83fa9f80ed431545b426592e72b83abde90c0437711c0979876a898f6060
Instruction Fuzzy Hash: 94D02E263001203AE150670EBC84EFBB3ECEFC5A35F05402AF881E6340D630AC43A1F2

Uniqueness

Uniqueness Score: -1.00%

Function 008C7C52 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(008D4D14,?), ref: 008C7C7E

Memory Dump Source

Source File: 00000001.00000002.2867017111.00000000008B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000001.00000002.2866949407.00000000008B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867057178.00000000008CA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867126691.00000000008D1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867159897.00000000008D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867196251.00000000008D7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8b0000_MP3SoundRecorder.jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: 2b19d8b20c0dd8579d05ed3523892603e0b0e8ada09297b11cf492c00e7809ba
Instruction ID: 37c6c824728050410fa94bbdd3b83ae71fbdc5477926ac4da7b47ddf4bc2e2f3
Opcode Fuzzy Hash: 2b19d8b20c0dd8579d05ed3523892603e0b0e8ada09297b11cf492c00e7809ba
Instruction Fuzzy Hash: 88E04F35104A118FD3119F69D408D5AB7F5FF88320716055EE462C7330CB35C8418F52

Uniqueness

Uniqueness Score: -1.00%

Function 022A045C Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

LoadStringA.USER32(?,00000100,00000100,00000100), ref: 022A0473

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 35717b6d9e507d91a0696695a31f89e40c61be098d7b4c105c1b1d84c3148851
Instruction ID: 9c8d37efaf920f95a6a43c7d48a9bc9655747b34609837ec941a072fd1f8b4be
Opcode Fuzzy Hash: 35717b6d9e507d91a0696695a31f89e40c61be098d7b4c105c1b1d84c3148851
Instruction Fuzzy Hash: 8FD0A7725183A29BCB11DFE09808D9FBFB9BF55310B040C0DF48043504C320D524CF62

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 022922D9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 405windowCOMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 022923CF
PostMessageA.USER32(00000000,000004C8,00000000,00000000), ref: 022923ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0229240F
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02292434
PostMessageA.USER32(00000000,000004C8,00000000,00000000), ref: 02292453
mmioWrite.WINMM(?,?,?,?,00000100,00000000,00000000,00000000,00000002,00000000,00000000,?,00000100,00000000,00000000,00000000), ref: 02292481
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0229258E
PostMessageA.USER32(00000000,000004C8,00000000,00000000), ref: 022925AC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 022925CE
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 022925F3
PostMessageA.USER32(00000000,000004C8,00000000,00000000), ref: 02292612

Strings

Output file write error, xrefs: 022927C3
beEncodeChunk() failed (%lu), xrefs: 02292781

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$MessagePost$Writemmio
String ID: Output file write error$beEncodeChunk() failed (%lu)
API String ID: 1899146633-3644353559
Opcode ID: 326aa34dfb1bc767cea92a1ae6eeb85176f31ab0327db27bb48ede5707b39d32
Instruction ID: 88c9c714c60000f4f1af3da631adff9638707ba4a9abcc47a4d0dc32bac6e653
Opcode Fuzzy Hash: 326aa34dfb1bc767cea92a1ae6eeb85176f31ab0327db27bb48ede5707b39d32
Instruction Fuzzy Hash: 6902F6B4E10219EFDB14DFD8D984EAEB7B6BF88304F148258E509AB345D731A942CF90

Uniqueness

Uniqueness Score: -1.00%

Function 022A24FF Relevance: 6.0, APIs: 4, Instructions: 38keyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 022A050B: GetWindowLongA.USER32(?,000000F0), ref: 022A0517

GetKeyState.USER32(00000010), ref: 022A2523
GetKeyState.USER32(00000011), ref: 022A252C
GetKeyState.USER32(00000012), ref: 022A2535
SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 022A254B

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: 4f4135be7d4690a4e34adf7adf95a3efff6a8222f6e418cccd51143f33cb399c
Instruction ID: a5999a4e20934f65508971c86b753a048cf018b9309007f3506c8690e9598bfc
Opcode Fuzzy Hash: 4f4135be7d4690a4e34adf7adf95a3efff6a8222f6e418cccd51143f33cb399c
Instruction Fuzzy Hash: 0FF0A776B603C6A7ED3836F86C71FA9532D7F40FD4F440624AF016E9C98A91C5039674

Uniqueness

Uniqueness Score: -1.00%

Function 022A0DBE Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 170stringCOMMON

Download Yara Rule

APIs

Part of subcall function 022A435F: TlsGetValue.KERNEL32(022AEAA8,?,?,022A47E2,022A3D1F,022A47FE,022A00DE,0229424B,?,022959A9,?,?,?,?,?,?), ref: 022A439E

CallNextHookEx.USER32(?,00000003,?,?), ref: 022A0DE8
GetClassLongA.USER32(?,000000E6), ref: 022A0E2F
GlobalGetAtomNameA.KERNEL32(?,?,00000005), ref: 022A0E5B
lstrcmpiA.KERNEL32(?,ime), ref: 022A0E6A
GetWindowLongA.USER32(?,000000FC), ref: 022A0EDD
SetWindowLongA.USER32(?,000000FC,00000000), ref: 022A0EFE

Strings

AfxOldWndProc423, xrefs: 022A0F3F, 022A0F44, 022A0F4F, 022A0F57, 022A0F60
ime, xrefs: 022A0E64

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: Long$Window$AtomCallClassGlobalHookNameNextValuelstrcmpi
String ID: AfxOldWndProc423$ime
API String ID: 3731301195-104836986
Opcode ID: 2231ad1ce41505990659d176d8fa282d38dc79b61ce30cb1b9c2824f5bd78582
Instruction ID: d820429e8c1e21b94e829fa47313b488d3df9c6a75cac425337132fd6f04089d
Opcode Fuzzy Hash: 2231ad1ce41505990659d176d8fa282d38dc79b61ce30cb1b9c2824f5bd78582
Instruction Fuzzy Hash: E151B031910216ABCF219FE0EC68BAE7BA8FF08764F144914F916E7984DF70DA54CB90

Uniqueness

Uniqueness Score: -1.00%

Function 100011B0 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 190libraryloadersynchronizationCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(mp3decdll.dll), ref: 100011CB
GetProcAddress.KERNEL32(00000000,mp3dec), ref: 100011EA
ResetEvent.KERNEL32(00000000), ref: 100013D7
WaitForSingleObject.KERNEL32(00000000,000001F4), ref: 100013EB

Strings

mp3dec, xrefs: 100011E4
mp3decdll.dll, xrefs: 100011C6

Memory Dump Source

Source File: 00000001.00000002.2867990843.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2867967871.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868015784.0000000010006000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868039729.0000000010007000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868064205.0000000010009000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868087376.0000000010029000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868106967.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_MP3SoundRecorder.jbxd

Similarity

API ID: AddressEventLibraryLoadObjectProcResetSingleWait
String ID: mp3dec$mp3decdll.dll
API String ID: 1508426576-564155274
Opcode ID: 1e82ea77b168bcc8952e2c4146b13994baa76a71d6f192f6c3ae678e89f588a0
Instruction ID: a28ec7be8a2e9e11b942e71fde37afca6a33c463a08cf143f6eabfdbe8638f4e
Opcode Fuzzy Hash: 1e82ea77b168bcc8952e2c4146b13994baa76a71d6f192f6c3ae678e89f588a0
Instruction Fuzzy Hash: 5E716AB66002219FE300DF15DCC4A86BBB5FB493E0F54851AF949CB368C7769841CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02292940 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 192COMMON

Download Yara Rule

APIs

mmioOpenA.WINMM(00000000,00000000,00000000,00010012), ref: 02292984

Strings

WAVE, xrefs: 022929E3
data, xrefs: 02292AD1

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: Openmmio
String ID: WAVE$data
API String ID: 3887944524-2993363083
Opcode ID: aae99feccec4862dcacaa0dc5ec04b5d84786d1cb0db210de4a9adfb311367cc
Instruction ID: 9278cf728883857e09ef3c6afbebd4ac42f46f9aab9012bdf2afa6f443297959
Opcode Fuzzy Hash: aae99feccec4862dcacaa0dc5ec04b5d84786d1cb0db210de4a9adfb311367cc
Instruction Fuzzy Hash: E9712774E40208FFDB14DF94D899BAE7BB5BF48708F148588E501AB386C775AA92CF40

Uniqueness

Uniqueness Score: -1.00%

Function 008C20CA Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 174windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008C439C: GetWindowLongA.USER32(?,000000F0), ref: 008C43A7

GetParent.USER32(?), ref: 008C20F5
SendMessageA.USER32(00000000,0000036B,00000000,00000000), ref: 008C2118
GetWindowRect.USER32(?,?), ref: 008C2131
GetWindowLongA.USER32(00000000,000000F0), ref: 008C2144
CopyRect.USER32(?,?), ref: 008C2191
CopyRect.USER32(?,?), ref: 008C219B
GetWindowRect.USER32(00000000,?), ref: 008C21A4
CopyRect.USER32(?,?), ref: 008C21C0

Strings

(, xrefs: 008C215C
@, xrefs: 008C2133

Memory Dump Source

Source File: 00000001.00000002.2867017111.00000000008B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000001.00000002.2866949407.00000000008B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867057178.00000000008CA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867126691.00000000008D1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867159897.00000000008D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867196251.00000000008D7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8b0000_MP3SoundRecorder.jbxd

Similarity

API ID: Rect$Window$Copy$Long$MessageParentSend
String ID: ($@
API String ID: 808654186-1311469180
Opcode ID: bd6c39de687c07a32f376e346966125d3d71f06916195ca89ed49b2a0a08adc7
Instruction ID: 03f84580aa84b0d60fe686cf923cc61f699c312bc5e9e84c59e588c2dd42efcb
Opcode Fuzzy Hash: bd6c39de687c07a32f376e346966125d3d71f06916195ca89ed49b2a0a08adc7
Instruction Fuzzy Hash: 55515C7290021DABCB15DBB8CC89FEEBBB9FB48714F194119FA01F3291DA30E9458B54

Uniqueness

Uniqueness Score: -1.00%

Function 02292DAA Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 86libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(lame_enc.dll), ref: 02292DD5
GetProcAddress.KERNEL32(00000000,beInitStream), ref: 02292E06
GetProcAddress.KERNEL32(00000000,beEncodeChunk), ref: 02292E27
GetProcAddress.KERNEL32(00000000,beDeinitStream), ref: 02292E48
GetProcAddress.KERNEL32(00000000,beCloseStream), ref: 02292E69
GetProcAddress.KERNEL32(00000000,beVersion), ref: 02292E8A
GetProcAddress.KERNEL32(00000000,beWriteVBRHeader), ref: 02292EAB

Strings

beInitStream, xrefs: 02292DF7
beWriteVBRHeader, xrefs: 02292E9C
lame_enc.dll, xrefs: 02292DD0
beVersion, xrefs: 02292E7B
beEncodeChunk, xrefs: 02292E18
beDeinitStream, xrefs: 02292E39
beCloseStream, xrefs: 02292E5A

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: beCloseStream$beDeinitStream$beEncodeChunk$beInitStream$beVersion$beWriteVBRHeader$lame_enc.dll
API String ID: 2238633743-2903746224
Opcode ID: b090ca20e7ce6d07ea7544e8a1b854242633f75bc6b81cdf72bdfb66e80c155c
Instruction ID: f2481eb6a29b0507029d35f507961bb23739b72119fb4d9a08b65445417104f7
Opcode Fuzzy Hash: b090ca20e7ce6d07ea7544e8a1b854242633f75bc6b81cdf72bdfb66e80c155c
Instruction Fuzzy Hash: 1A414B74A10218DFDB28CF64CA4ABE5BBB1BB45705F4403E8E9095B796C7709D81CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0229479F Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 68libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(USER32,?,?,?,022948D8), ref: 022947C1
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 022947D9
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 022947EA
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 022947FB
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 0229480C
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 0229481D
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0229482E

Strings

MonitorFromRect, xrefs: 022947F5
MonitorFromWindow, xrefs: 022947E4
MonitorFromPoint, xrefs: 02294806
USER32, xrefs: 022947BC
GetMonitorInfoA, xrefs: 02294828
EnumDisplayMonitors, xrefs: 02294817
GetSystemMetrics, xrefs: 022947D3

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-2376520503
Opcode ID: 9474af578e623aa52961654bade112d02a1b8d916c88297d1137a7d5fd42595e
Instruction ID: 0860c71cf035e4c295b45297850c83138ba600b7c00dd39794b340be82d91bcc
Opcode Fuzzy Hash: 9474af578e623aa52961654bade112d02a1b8d916c88297d1137a7d5fd42595e
Instruction Fuzzy Hash: 97113070E912929B9F13AFE5BCD952BBBE4B7087447D40A3ED009E2548D7704392CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02292B8B Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 156COMMON

Download Yara Rule

APIs

mmioOpenA.WINMM(00000000,00000000,00000000,00000000), ref: 02292BC3

Strings

WAVE, xrefs: 02292BEC
data, xrefs: 02292D25

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: Openmmio
String ID: WAVE$data
API String ID: 3887944524-2993363083
Opcode ID: e07b59c6d30dcb5da1bff28e9fe2d947d70a7fe953638e39f52ba7b95a0c914e
Instruction ID: 50228b22d8d5552d8b1bdcf014d3202cf56c5bae6184f3a3b8193c55d5056a38
Opcode Fuzzy Hash: e07b59c6d30dcb5da1bff28e9fe2d947d70a7fe953638e39f52ba7b95a0c914e
Instruction Fuzzy Hash: 4161C474E10208FFDB04DF94C599BAEB7B9EF48704F10858AE9216B385C775E646CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02291F75 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 216fileCOMMON

Download Yara Rule

APIs

mmioAscend.WINMM(00000000,?,00000000), ref: 02291FC6
mmioAscend.WINMM(00000000,?,00000000), ref: 02291FE2
mmioSeek.WINMM(00000000,02291ED9,00000000), ref: 0229200A
mmioWrite.WINMM(00000000,?,00000004), ref: 02292026
mmioClose.WINMM(00000000,00000000), ref: 02292038
OpenFile.KERNEL32(00000000,?,00000002), ref: 0229226C
GetFileSize.KERNEL32(00000000,?), ref: 0229228F
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 022922B5
SetEndOfFile.KERNEL32(00000000), ref: 022922C2
CloseHandle.KERNEL32(00000000), ref: 022922CF

Strings

Output file write error, xrefs: 022921B6
beExitStream failed (%lu), xrefs: 0229216D

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: mmio$File$AscendClose$HandleOpenPointerSeekSizeWrite
String ID: Output file write error$beExitStream failed (%lu)
API String ID: 1116113629-618699330
Opcode ID: 5be0a0c9d9dca317af31bf2f77e093784658c8dd1a767f96dfef9172204d5a16
Instruction ID: 58992bf7aeb9d50e0b0df294153059e73e9b3796838f16d9498d5c226f102210
Opcode Fuzzy Hash: 5be0a0c9d9dca317af31bf2f77e093784658c8dd1a767f96dfef9172204d5a16
Instruction Fuzzy Hash: 62A13A74A01118DFDB14DB94D888F9AB3B9BF49300F2482E9E9499B345CB31AE81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 022A26DD Relevance: 19.7, APIs: 13, Instructions: 174windowCOMMON

Download Yara Rule

APIs

Part of subcall function 022A050B: GetWindowLongA.USER32(?,000000F0), ref: 022A0517

GetParent.USER32(?), ref: 022A2708
SendMessageA.USER32(00000000,0000036B,00000000,00000000), ref: 022A272B
GetWindowRect.USER32(?,?), ref: 022A2744
GetWindowLongA.USER32(00000000,000000F0), ref: 022A2757
CopyRect.USER32(?,?), ref: 022A27A4
CopyRect.USER32(?,?), ref: 022A27AE
GetWindowRect.USER32(00000000,?), ref: 022A27B7
CopyRect.USER32(?,?), ref: 022A27D3

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: Rect$Window$Copy$Long$MessageParentSend
String ID:
API String ID: 808654186-0
Opcode ID: 3dc3470a40438201f28e8ecac4d67ff2082b3ae7feec4350ed7d8bbe3ae3592b
Instruction ID: 40ac7b0b190a4ff9987c4bb4589f78c07f7272534a5b2d374be947b3669c8a2c
Opcode Fuzzy Hash: 3dc3470a40438201f28e8ecac4d67ff2082b3ae7feec4350ed7d8bbe3ae3592b
Instruction Fuzzy Hash: 75516072910219AFDF10DBE8DC98EEEBBBDAF44314F094255E911F3584D770A905CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02293280 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 162COMMON

Download Yara Rule

APIs

waveInUnprepareHeader.WINMM(?,?,00000020), ref: 022932F0
waveInPrepareHeader.WINMM(?,?,00000020), ref: 022933D1
waveInAddBuffer.WINMM(?,?,00000020), ref: 02293403
DefWindowProcA.USER32(?,000003C0,?,?), ref: 02293475

Strings

in OnWIM_DATA(), xrefs: 02293412
Free WIM_DATA %4d, xrefs: 02293359
Recording WIM_DATA %4d, xrefs: 02293338
Still %d buffers in waveIn queue!, xrefs: 022932B9
in OnWIM_DATA(), xrefs: 022932FF
in OnWIM_DATA(), xrefs: 022933E0

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: wave$Header$BufferPrepareProcUnprepareWindow
String ID: Free WIM_DATA %4d$Recording WIM_DATA %4d$Still %d buffers in waveIn queue!$in OnWIM_DATA()$in OnWIM_DATA()$in OnWIM_DATA()
API String ID: 1220347966-3052867491
Opcode ID: 620d063a93a0dd114645c2473a1b52e7f4035cf3b28c2ad2877e675cd60dfe07
Instruction ID: 90cde032357cc40533a81635a35b536daa64b476496367e44af8435deb182a7b
Opcode Fuzzy Hash: 620d063a93a0dd114645c2473a1b52e7f4035cf3b28c2ad2877e675cd60dfe07
Instruction Fuzzy Hash: AA51AFB1E203069FDF04DFD4D958AAEB3B5BB48304F148A98E516AB388D771D911CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0229F603 Relevance: 16.6, APIs: 11, Instructions: 88synchronizationthreadinjectionCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0229F635
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0229F63F
CloseHandle.KERNEL32(?), ref: 0229F6D0

Part of subcall function 0229659D: CreateThread.KERNEL32(?,?,02296608,00000000,?,0229F675), ref: 022965DE
Part of subcall function 0229659D: GetLastError.KERNEL32(?,0229F675,?,?,0229F38C,?,?,?), ref: 022965E8

ResumeThread.KERNEL32(00000000), ref: 0229F680
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0229F68B
CloseHandle.KERNEL32(?), ref: 0229F694
SuspendThread.KERNEL32(?), ref: 0229F69F
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0229F6AF
CloseHandle.KERNEL32(?), ref: 0229F6B8
SetEvent.KERNEL32(00000004), ref: 0229F6C2
CloseHandle.KERNEL32(?), ref: 0229F6DA

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: CloseHandle$CreateEventThread$ObjectSingleWait$ErrorLastResumeSuspend
String ID:
API String ID: 1793282574-0
Opcode ID: 4cd00df0fd192596687c4316ca4607f695784207d132471aa11ab972b07964c4
Instruction ID: 96e493127d10531563692885ac1851f17d76ef4ead61be7400bcb86d5a1a66dc
Opcode Fuzzy Hash: 4cd00df0fd192596687c4316ca4607f695784207d132471aa11ab972b07964c4
Instruction Fuzzy Hash: 77318772C10209BFDF10AFE5DC889AEBFB9EF04354F14462AE121E29A4D7729951DF60

Uniqueness

Uniqueness Score: -1.00%

Function 02293549 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 156COMMON

Download Yara Rule

APIs

waveInUnprepareHeader.WINMM(?,?,00000020), ref: 022935C8
waveInPrepareHeader.WINMM(?,?,00000020), ref: 022936A7
waveInAddBuffer.WINMM(?,?,00000020), ref: 022936D9

Strings

Recording WIM_DATA %4d, xrefs: 0229360E
Free WIM_DATA %4d, xrefs: 0229362F
in OnWIM_DATA(), xrefs: 022935D7
in OnWIM_DATA(), xrefs: 022936E8
Still %d buffers in waveIn queue!, xrefs: 02293582
in OnWIM_DATA(), xrefs: 022936B6

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: wave$Header$BufferPrepareUnprepare
String ID: Free WIM_DATA %4d$Recording WIM_DATA %4d$Still %d buffers in waveIn queue!$in OnWIM_DATA()$in OnWIM_DATA()$in OnWIM_DATA()
API String ID: 509263736-3052867491
Opcode ID: f091e59b8785ef4dc6e42e6a604280475cb1ebeeea4d3ed5acb12174f60ed5b1
Instruction ID: 84a0b12084497163bec9712a834074c7e67e21decfcf36e7fcb033e83dcf8921
Opcode Fuzzy Hash: f091e59b8785ef4dc6e42e6a604280475cb1ebeeea4d3ed5acb12174f60ed5b1
Instruction Fuzzy Hash: 8151BEB4E10306DBDB04DFD4E965ABA73B6BB48304F148A69E505AB388C771A911CF61

Uniqueness

Uniqueness Score: -1.00%

Function 022A0BE3 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 022A0BE8
GetPropA.USER32(?,AfxOldWndProc423), ref: 022A0C00
CallWindowProcA.USER32(?,?,00000110,?,00000000), ref: 022A0C5E

Part of subcall function 022A07F0: GetWindowRect.USER32(?,022A09E8), ref: 022A0815
Part of subcall function 022A07F0: GetWindow.USER32(?,00000004), ref: 022A0832

SetWindowLongA.USER32(?,000000FC,?), ref: 022A0C8E
RemovePropA.USER32(?,AfxOldWndProc423), ref: 022A0C96
GlobalFindAtomA.KERNEL32(AfxOldWndProc423), ref: 022A0C9D
GlobalDeleteAtom.KERNEL32(00000000), ref: 022A0CA4

Part of subcall function 022A07CD: GetWindowRect.USER32(?,?), ref: 022A07D9

CallWindowProcA.USER32(?,?,?,?,00000000), ref: 022A0CF8

Strings

AfxOldWndProc423, xrefs: 022A0BF6, 022A0BFE, 022A0C94, 022A0C9C

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prologLongRemove
String ID: AfxOldWndProc423
API String ID: 2397448395-1060338832
Opcode ID: c3a4c52788e71436f632fb33b216d322793649918912b669064c110292ea3b47
Instruction ID: 50cb487b893e5f2c69a20e2c22f48a8352a20e4e8cc1e35de989adce52118a35
Opcode Fuzzy Hash: c3a4c52788e71436f632fb33b216d322793649918912b669064c110292ea3b47
Instruction Fuzzy Hash: 7031AE3282120AABCF01AFE4DD59EBF7B7EFF45310F040919F501A2954D7798A24CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 022A3FB7 Relevance: 15.1, APIs: 10, Instructions: 99memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(022AEAC4,022AEAE0,?,?,022AEAA8,022AEAA8,022A4393,?,?,022A47E2,022A3D1F,022A47FE,022A00DE,0229424B,?,022959A9), ref: 022A3FC6
GlobalAlloc.KERNEL32(00002002,00000000,?,?,022AEAA8,022AEAA8,022A4393,?,?,022A47E2,022A3D1F,022A47FE,022A00DE,0229424B,?,022959A9), ref: 022A401B
GlobalHandle.KERNEL32(005B2660), ref: 022A4024
GlobalUnlock.KERNEL32(00000000,?,022AEAA8,022AEAA8,022A4393,?,?,022A47E2,022A3D1F,022A47FE,022A00DE,0229424B,?,022959A9,?,?), ref: 022A402D
GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 022A403F
GlobalHandle.KERNEL32(005B2660), ref: 022A4056
GlobalLock.KERNEL32(00000000,?,022AEAA8,022AEAA8,022A4393,?,?,022A47E2,022A3D1F,022A47FE,022A00DE,0229424B,?,022959A9,?,?), ref: 022A405D
LeaveCriticalSection.KERNEL32(?,?,022AEAA8,022AEAA8,022A4393,?,?,022A47E2,022A3D1F,022A47FE,022A00DE,0229424B,?,022959A9,?,?), ref: 022A4063
GlobalLock.KERNEL32(?,?,022AEAA8,022AEAA8,022A4393,?,?,022A47E2,022A3D1F,022A47FE,022A00DE,0229424B,?,022959A9,?,?), ref: 022A4072
LeaveCriticalSection.KERNEL32(?), ref: 022A40BB

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID:
API String ID: 2667261700-0
Opcode ID: 0092e24e7bb184fb6b5cd793e5ed7366467fee83d9e16c421a988716a1ec4472
Instruction ID: fb7ec279667b73f992a11176db747bd55a2429841860f882fa925708894d7776
Opcode Fuzzy Hash: 0092e24e7bb184fb6b5cd793e5ed7366467fee83d9e16c421a988716a1ec4472
Instruction Fuzzy Hash: 43318371A103069FDB249FA8EC99A2ABBE9FB44305B05492EF952C3B55D7B1E814CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0229D0FE Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,02299D00,?,Microsoft Visual C++ Runtime Library,00012010,?,022A78E4,?,022A7934,?,?,?,Runtime Error!Program: ), ref: 0229D110
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0229D128
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0229D139
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0229D146

Strings

GetLastActivePopup, xrefs: 0229D13B
user32.dll, xrefs: 0229D10B
GetActiveWindow, xrefs: 0229D133
MessageBoxA, xrefs: 0229D122

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
API String ID: 2238633743-4044615076
Opcode ID: aa5bc5af25f0cd21007523c81d5ebe55b547bc8846f3d2aa7b169ddb37e51032
Instruction ID: 22e33bc02550b58be42a7a68ec79e80a671ac073e3dee697d759fff5a5c05e9d
Opcode Fuzzy Hash: aa5bc5af25f0cd21007523c81d5ebe55b547bc8846f3d2aa7b169ddb37e51032
Instruction Fuzzy Hash: 45018833F94302AF9F13AFF5AC8891B7FE9974C7817040829B101C2126DB74C5159F50

Uniqueness

Uniqueness Score: -1.00%

Function 100043C4 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,10002432,?,Microsoft Visual C++ Runtime Library,00012010,?,1000638C,?,100063DC,?,?,?,Runtime Error!Program: ), ref: 100043D6
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 100043EE
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 100043FF
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 1000440C

Strings

GetActiveWindow, xrefs: 100043F9
GetLastActivePopup, xrefs: 10004401
MessageBoxA, xrefs: 100043E8
user32.dll, xrefs: 100043D1

Memory Dump Source

Source File: 00000001.00000002.2867990843.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2867967871.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868015784.0000000010006000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868039729.0000000010007000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868064205.0000000010009000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868087376.0000000010029000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868106967.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_MP3SoundRecorder.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
API String ID: 2238633743-4044615076
Opcode ID: 375020853bede58c3c251c2185d3c8e7116c51c4190c28ceda91ecdb1f41f3e3
Instruction ID: f696ae9e20698edd18431ee22b8d82c53d8be45b4b34f13347cb5b1863d479f1
Opcode Fuzzy Hash: 375020853bede58c3c251c2185d3c8e7116c51c4190c28ceda91ecdb1f41f3e3
Instruction Fuzzy Hash: 1F014871A402259FF740DFB5CCC4F5B3AE9EB8C5D13620429FA04C212ADB70D841EB65

Uniqueness

Uniqueness Score: -1.00%

Function 022A2902 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(COMCTL32.DLL,00000800,00000000,00000400,022A2BFC,?,00020000), ref: 022A290B
LoadLibraryA.KERNEL32(COMCTL32.DLL), ref: 022A2914
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 022A2928
#17.COMCTL32 ref: 022A2943
#17.COMCTL32 ref: 022A295F
FreeLibrary.KERNEL32(00000000), ref: 022A296B

Strings

InitCommonControlsEx, xrefs: 022A2920
COMCTL32.DLL, xrefs: 022A2904, 022A290A, 022A2911

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: Library$AddressFreeHandleLoadModuleProc
String ID: COMCTL32.DLL$InitCommonControlsEx
API String ID: 1437655972-4218389149
Opcode ID: 9fd8e1dccfb183e267f7ece4f9f4f33d0fdefa20be154fcc95071dce5cf5d42b
Instruction ID: 1b3981e13b92cd552cdbeba80284ff0038c7151dca0345389a36d0af51b0e7ab
Opcode Fuzzy Hash: 9fd8e1dccfb183e267f7ece4f9f4f33d0fdefa20be154fcc95071dce5cf5d42b
Instruction Fuzzy Hash: B1F0A432F60213CB9A219BE4EC5C76B76ECFB84B617190924F945E3A14DB20C8159775

Uniqueness

Uniqueness Score: -1.00%

Function 0229B25A Relevance: 13.7, APIs: 9, Instructions: 177COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,022A7974,00000001,00000000,00000000,74DEE860,022B0D54,?,00000003,00000000,00000001,00000000,?,?,0229E0A1), ref: 0229B29C
LCMapStringA.KERNEL32(00000000,00000100,022A7970,00000001,00000000,00000000,?,?,0229E0A1,?), ref: 0229B2B8
LCMapStringA.KERNEL32(?,?,00000000,00000001,00000000,00000003,74DEE860,022B0D54,?,00000003,00000000,00000001,00000000,?,?,0229E0A1), ref: 0229B301
MultiByteToWideChar.KERNEL32(?,022B0D55,00000000,00000001,00000000,00000000,74DEE860,022B0D54,?,00000003,00000000,00000001,00000000,?,?,0229E0A1), ref: 0229B339
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,?,00000000), ref: 0229B391
LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 0229B3A7
LCMapStringW.KERNEL32(?,?,?,00000000,?,?), ref: 0229B3DA
LCMapStringW.KERNEL32(?,?,?,?,?,00000000), ref: 0229B442

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID:
API String ID: 352835431-0
Opcode ID: ff87fd9bac95d4a6c52e3ba7a3e04f5259657e007eb543e9f1a7297546bee8eb
Instruction ID: 8214f893a8776c1b6f1a085c6cf3071dc64e96bab0e435c0b61f924c880468f8
Opcode Fuzzy Hash: ff87fd9bac95d4a6c52e3ba7a3e04f5259657e007eb543e9f1a7297546bee8eb
Instruction Fuzzy Hash: CD518F3196020AEBCF22CFD4EC88AAF7FB9FB49748F14461AF911A5164D3318920DB60

Uniqueness

Uniqueness Score: -1.00%

Function 10004798 Relevance: 13.7, APIs: 9, Instructions: 177COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,100064A0,00000001,00000000,00000000,74DEE860,10029EAC,?,00000003,00000000,00000001,00000000,?,?,10004B8A), ref: 100047DA
LCMapStringA.KERNEL32(00000000,00000100,1000649C,00000001,00000000,00000000,?,?,10004B8A,?), ref: 100047F6
LCMapStringA.KERNEL32(?,?,00000000,00000001,00000000,00000003,74DEE860,10029EAC,?,00000003,00000000,00000001,00000000,?,?,10004B8A), ref: 1000483F
MultiByteToWideChar.KERNEL32(?,10029EAD,00000000,00000001,00000000,00000000,74DEE860,10029EAC,?,00000003,00000000,00000001,00000000,?,?,10004B8A), ref: 10004877
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,?,00000000), ref: 100048CF
LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 100048E5
LCMapStringW.KERNEL32(?,?,?,00000000,?,?), ref: 10004918
LCMapStringW.KERNEL32(?,?,?,?,?,00000000), ref: 10004980

Memory Dump Source

Source File: 00000001.00000002.2867990843.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2867967871.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868015784.0000000010006000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868039729.0000000010007000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868064205.0000000010009000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868087376.0000000010029000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868106967.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_MP3SoundRecorder.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID:
API String ID: 352835431-0
Opcode ID: 6e79cf704868082f465c83b20217580c2780ce51287ceda751df04d762e4ae0f
Instruction ID: 7573705fe79db24963a6fccdd73e94b26cd9bed835fc2046df37affde9a9b5b2
Opcode Fuzzy Hash: 6e79cf704868082f465c83b20217580c2780ce51287ceda751df04d762e4ae0f
Instruction Fuzzy Hash: B6516BB1800259BBEF12CF94CD84A9F3FB9FB497D0F224129F914A2168D7319D50DB64

Uniqueness

Uniqueness Score: -1.00%

Function 02293E6C Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 137COMMON

Download Yara Rule

APIs

waveOutUnprepareHeader.WINMM(?,?,00000020), ref: 02293EA7

Part of subcall function 0229411F: waveOutGetErrorTextA.WINMM(?,?,00000064), ref: 0229412F

Strings

waveOutClose(), xrefs: 02294022
WOM_DONE : remove buffer, xrefs: 02293FC5
in OnWOM_DONE(), xrefs: 02293EB6
in stop(), xrefs: 02294006
WOM_DONE : refill buffer, xrefs: 02293F47

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: wave$ErrorHeaderTextUnprepare
String ID: WOM_DONE : refill buffer$WOM_DONE : remove buffer$in OnWOM_DONE()$in stop()$waveOutClose()
API String ID: 2621689760-1050461170
Opcode ID: 210e4247dc55b676a02982aa539cbd07d2c1eed14f11cf0952f054c70f064fb1
Instruction ID: d1d61594cae068ac2595504656f63a535ef0bce14a648e5fb246298e09e87f71
Opcode Fuzzy Hash: 210e4247dc55b676a02982aa539cbd07d2c1eed14f11cf0952f054c70f064fb1
Instruction Fuzzy Hash: 3E5170B1E10209DBDF04EFE4D954BAEB7B6BF48304F244268E815AB389DB319E01CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02299BDC Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 02299C49
GetStdHandle.KERNEL32(000000F4,022A78E4,00000000,-00000084,00000000,?), ref: 02299D1F
WriteFile.KERNEL32(00000000), ref: 02299D26

Strings

<program name unknown>, xrefs: 02299C59
Runtime Error!Program: , xrefs: 02299CAF
..., xrefs: 02299C9B
Microsoft Visual C++ Runtime Library, xrefs: 02299CF5

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: 6c1fdc8108fa4af13d1f3a11522f1ba6a054963df89ce4c492f11821cd9fbde7
Instruction ID: 1e528bed924cbb3297fd603f89bbc21b55ed235068c9c917f3d9fc9b087e07b6
Opcode Fuzzy Hash: 6c1fdc8108fa4af13d1f3a11522f1ba6a054963df89ce4c492f11821cd9fbde7
Instruction Fuzzy Hash: BD312432A60219AFEF20E7F0DC85FAE73ADFB49704F50045AF145D6048E670A580CF51

Uniqueness

Uniqueness Score: -1.00%

Function 1000230E Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 1000237B
GetStdHandle.KERNEL32(000000F4,1000638C,00000000,?,00000000,?), ref: 10002451
WriteFile.KERNEL32(00000000), ref: 10002458

Strings

..., xrefs: 100023CD
<program name unknown>, xrefs: 1000238B
Microsoft Visual C++ Runtime Library, xrefs: 10002427
Runtime Error!Program: , xrefs: 100023E1

Memory Dump Source

Source File: 00000001.00000002.2867990843.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2867967871.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868015784.0000000010006000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868039729.0000000010007000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868064205.0000000010009000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868087376.0000000010029000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868106967.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_MP3SoundRecorder.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: 0e608abac0daa09c0d90eeb2ed9539d72679ecee03bce020b3329cb3d8bec2cc
Instruction ID: 5d6278bb98759dd3960867cb00fcf3a79a186b4f8f9c3fceca374fccf01d975a
Opcode Fuzzy Hash: 0e608abac0daa09c0d90eeb2ed9539d72679ecee03bce020b3329cb3d8bec2cc
Instruction Fuzzy Hash: 55319376A00218AFFF10DB60CC85FDA73ADEB453C0F604566F585E6089DB74AB858B61

Uniqueness

Uniqueness Score: -1.00%

Function 02293893 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

waveInReset.WINMM(?), ref: 022938E1

Strings

in Stop(), xrefs: 02293931
RESET START, xrefs: 022938CD
in Stop(), xrefs: 02293908
Still %d buffers in waveIn queue!, xrefs: 02293954
RESET END, xrefs: 022938F5

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: Resetwave
String ID: RESET END$RESET START$Still %d buffers in waveIn queue!$in Stop()$in Stop()
API String ID: 1343075140-1422117316
Opcode ID: f108eebd594d8055d77baa23735b2159f12a7913c18866d02804e4dd911e2b44
Instruction ID: dd0b565b187d2d69125229b7a0e5d0fa79fac20996fc8db37d0802c9285a0a2a
Opcode Fuzzy Hash: f108eebd594d8055d77baa23735b2159f12a7913c18866d02804e4dd911e2b44
Instruction Fuzzy Hash: A4219DB4A24304EBEF10DBE4D925BAD7BB5AB04708F1041E8D806AB348D7B5DA44CB51

Uniqueness

Uniqueness Score: -1.00%

Function 022997F7 Relevance: 12.1, APIs: 8, Instructions: 132COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,022958F4), ref: 02299812
GetEnvironmentStrings.KERNEL32(?,?,?,?,022958F4), ref: 02299826
GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,022958F4), ref: 02299852
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,?,022958F4), ref: 0229988A
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,022958F4), ref: 022998AC
FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,022958F4), ref: 022998C5
GetEnvironmentStrings.KERNEL32(?,?,?,?,?,?,022958F4), ref: 022998D8
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 02299916

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID:
API String ID: 1823725401-0
Opcode ID: 993f352970ee2aebcebf519f579c0f9a857339dbe15fd960e9cc5de95c363458
Instruction ID: 89f98d52ff97d082d002d31e7e91bd78a92652e1de9b0065d1d1357a6c9cef86
Opcode Fuzzy Hash: 993f352970ee2aebcebf519f579c0f9a857339dbe15fd960e9cc5de95c363458
Instruction Fuzzy Hash: 1431E2B29242166FEF313FF56CC893F7A9CFA49268755082DE546C3208E7218CC0C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 10001F29 Relevance: 12.1, APIs: 8, Instructions: 132COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,10001634), ref: 10001F44
GetEnvironmentStrings.KERNEL32(?,?,?,?,10001634), ref: 10001F58
GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,10001634), ref: 10001F84
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,?,10001634), ref: 10001FBC
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,10001634), ref: 10001FDE
FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,10001634), ref: 10001FF7
GetEnvironmentStrings.KERNEL32(?,?,?,?,?,?,10001634), ref: 1000200A
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 10002048

Memory Dump Source

Source File: 00000001.00000002.2867990843.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2867967871.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868015784.0000000010006000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868039729.0000000010007000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868064205.0000000010009000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868087376.0000000010029000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868106967.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_MP3SoundRecorder.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID:
API String ID: 1823725401-0
Opcode ID: 44540d2bdb51f5bf5685bce54bbbb92edd388ff410dfa3fcce8658efe0c8eaa6
Instruction ID: 42156f4e84948f61d2559e7f3a62ef5261145b8db335ea27c56a2ea678eb9357
Opcode Fuzzy Hash: 44540d2bdb51f5bf5685bce54bbbb92edd388ff410dfa3fcce8658efe0c8eaa6
Instruction Fuzzy Hash: 7D31F4B25083666FF720FF748CC487F76DDEB492D47220539F995C310AEA229C46C661

Uniqueness

Uniqueness Score: -1.00%

Function 0229F2DF Relevance: 12.1, APIs: 8, Instructions: 65memorystringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(?), ref: 0229F2FF
lstrcmpA.KERNEL32(?,?), ref: 0229F30B
OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 0229F31D
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 0229F340
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 0229F348
GlobalLock.KERNEL32(00000000), ref: 0229F355
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 0229F362
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 0229F380

Part of subcall function 022A34AE: GlobalFlags.KERNEL32(?), ref: 022A34B8
Part of subcall function 022A34AE: GlobalUnlock.KERNEL32(?,?,?,022A3B2C,?,?,?,?,02291AFF,022AE920,?,02291A5E), ref: 022A34CF
Part of subcall function 022A34AE: GlobalFree.KERNEL32(?), ref: 022A34DA

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: e60b50c9411f3268d221527c95459c41ea82d670870bec3b1e5573b2fb1c0496
Instruction ID: 577658c93e4f3c34c056206990fa1fe147a6f6b2dc46a412c2b33446960bf0af
Opcode Fuzzy Hash: e60b50c9411f3268d221527c95459c41ea82d670870bec3b1e5573b2fb1c0496
Instruction Fuzzy Hash: 4E119A71910205BFEF21AFF6CD49EAFBABEEB89740F040419F608C5915E7399D509B20

Uniqueness

Uniqueness Score: -1.00%

Function 0229CC13 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 241fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000001,80000000,02292FFC,0000000C,00000001,00000080,00000000,00000001,00000000,00000000), ref: 0229CDC6
GetLastError.KERNEL32 ref: 0229CDD2
GetFileType.KERNEL32(00000000), ref: 0229CDE7
CloseHandle.KERNEL32(00000000), ref: 0229CDF2

Strings

@, xrefs: 0229CDFF
H, xrefs: 0229CE39

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: File$CloseCreateErrorHandleLastType
String ID: @$H
API String ID: 1809617866-104103126
Opcode ID: 418f5be19287c398c32d0711ec2814c13916ee6081dc539cf3a442a3040a8223
Instruction ID: 5503aeb3e0fbafefbc03613b2dfc2911cb9c1a4b8f256d55ecedd702029509df
Opcode Fuzzy Hash: 418f5be19287c398c32d0711ec2814c13916ee6081dc539cf3a442a3040a8223
Instruction Fuzzy Hash: B5814871C3424A5AEF248BECC8447BE7F68AF0D368F14452BF9A26B1D8C7B58544CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02293749 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 107COMMON

Download Yara Rule

APIs

mixerGetNumDevs.WINMM ref: 022937B4
waveInOpen.WINMM(?,000000FF,?,Function_00003549,?,00030000), ref: 022937E0
waveInOpen.WINMM(?,00000000,?,Function_00003549,?,00030000), ref: 0229380E
waveInStart.WINMM(?), ref: 02293860

Strings

in Start(), xrefs: 0229386F
in Start(), xrefs: 0229381D

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: wave$Open$DevsStartmixer
String ID: in Start()$in Start()
API String ID: 3843998963-2585876436
Opcode ID: 16141985fa6a87d2d217405c1760bb1cf9c038f1ba43db7c051dff9cc2685af3
Instruction ID: 2c071d9505ffbdae0ebdda74b97e5038b19f3f7090067fabed0cece1e068ad58
Opcode Fuzzy Hash: 16141985fa6a87d2d217405c1760bb1cf9c038f1ba43db7c051dff9cc2685af3
Instruction Fuzzy Hash: 884128B4D10209EBDF04DFD4D898BADB7B5FB48708F5486D9E426AB345C3719A86CB40

Uniqueness

Uniqueness Score: -1.00%

Function 022A4DE6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?,?,00000000,?,?,?,?,?,?,?,022A3C20), ref: 022A4E14
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000), ref: 022A4E37
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000), ref: 022A4E56
RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,?,?,?,022A3C20), ref: 022A4E66
RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,?,?,?,022A3C20), ref: 022A4E70

Strings

software, xrefs: 022A4DFE

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: 10759c2b6f6ce84f2c9051d4464db78bdaec06da73a3f76ef5048a08b04632a7
Instruction ID: d2624543939a9df79a501ae359526ff838a06b4c473fd953a0570c6f4b67b091
Opcode Fuzzy Hash: 10759c2b6f6ce84f2c9051d4464db78bdaec06da73a3f76ef5048a08b04632a7
Instruction Fuzzy Hash: 6C110272D00159FBCB21DBDADD89DAFFFBCEF85700F1500AAA600A2121D3709A10DB60

Uniqueness

Uniqueness Score: -1.00%

Function 02294938 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 61stringCOMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 02294976
GetSystemMetrics.USER32(00000000), ref: 0229498E
GetSystemMetrics.USER32(00000001), ref: 02294995
lstrcpyA.KERNEL32(?,DISPLAY), ref: 022949B9

Strings

DISPLAY, xrefs: 022949B3
B, xrefs: 02294957

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: System$Metrics$InfoParameterslstrcpy
String ID: B$DISPLAY
API String ID: 1409579217-3316187204
Opcode ID: b414b5902e84c618c18a6f7d625f951a03f8c5293274230365e953f418d131f7
Instruction ID: 88d98abc152a4289b33375b9e5c897a9067448dbe0d1de8069ae1a2bcad25cd9
Opcode Fuzzy Hash: b414b5902e84c618c18a6f7d625f951a03f8c5293274230365e953f418d131f7
Instruction Fuzzy Hash: 8311A371A20224DFDF21AFA4DC84A9BBFA8FF09751B044452EC099E149D3B1D611CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 022A2C5E Relevance: 10.5, APIs: 7, Instructions: 29COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 022A2C6A
GetSysColor.USER32(00000010), ref: 022A2C71
GetSysColor.USER32(00000014), ref: 022A2C78
GetSysColor.USER32(00000012), ref: 022A2C7F
GetSysColor.USER32(00000006), ref: 022A2C86
GetSysColorBrush.USER32(0000000F), ref: 022A2C93
GetSysColorBrush.USER32(00000006), ref: 022A2C9A

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: 04c8fe959fe915b246080c59a157dba92e98ab362ed211b64c3a7469250b7643
Instruction ID: 6dd3eea40909d2d6b206776e4c0f9c63fcf61c691d22feae9d3599fab6860914
Opcode Fuzzy Hash: 04c8fe959fe915b246080c59a157dba92e98ab362ed211b64c3a7469250b7643
Instruction Fuzzy Hash: 58F0FE71A417445BDB20ABB29909B47BAD4EFC4B10F02092AD1458BA90E6F6A4009F40

Uniqueness

Uniqueness Score: -1.00%

Function 008BD0BB Relevance: 9.1, APIs: 6, Instructions: 145COMMONLIBRARYCODE

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,008CCD8C,00000001,?,008CD348,0000001C,008BCEDD,00000001,?,00000001,?,?,?,00000001,?,?), ref: 008BD0DF
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,008BED2A,?), ref: 008BD0F1
MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,008CD348,0000001C,008BCEDD,00000001,?,00000001,?,?,?,00000001), ref: 008BD153
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 008BD1D1
GetStringTypeW.KERNEL32(?,?,00000000,?), ref: 008BD1E3

Memory Dump Source

Source File: 00000001.00000002.2867017111.00000000008B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000001.00000002.2866949407.00000000008B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867057178.00000000008CA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867126691.00000000008D1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867159897.00000000008D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867196251.00000000008D7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8b0000_MP3SoundRecorder.jbxd

Similarity

API ID: ByteCharMultiStringTypeWide$ErrorLast
String ID:
API String ID: 3581945363-0
Opcode ID: 5a610330f252a1b08cbe9462980dacb1b34589f3636baed34368b8e04dff8777
Instruction ID: aac2b7ea8ea1743ad5f02784453a0acbe8cc22f8b9025b1a10fa69a066c0fec3
Opcode Fuzzy Hash: 5a610330f252a1b08cbe9462980dacb1b34589f3636baed34368b8e04dff8777
Instruction Fuzzy Hash: 0F419E31801319BBDF229FA8EC45AEE7B75FB58760F140206F810E63A0E735D951DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0229B6BD Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,022A7974,00000001,?,74DEE860,022B0D54,?,?,00000002,00000000,?,?,0229E0A1,?), ref: 0229B6FC
GetStringTypeA.KERNEL32(00000000,00000001,022A7970,00000001,?,?,?,0229E0A1,?), ref: 0229B716
GetStringTypeA.KERNEL32(?,?,?,00000000,00000002,74DEE860,022B0D54,?,?,00000002,00000000,?,?,0229E0A1,?), ref: 0229B74A
MultiByteToWideChar.KERNEL32(?,022B0D55,?,00000000,00000000,00000000,74DEE860,022B0D54,?,?,00000002,00000000,?,?,0229E0A1,?), ref: 0229B782
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?), ref: 0229B7D8
GetStringTypeW.KERNEL32(?,?,00000000,?,?,?), ref: 0229B7EA

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: StringType$ByteCharMultiWide
String ID:
API String ID: 3852931651-0
Opcode ID: 8f037899cdf9d65074a6fa70b888a205782f3e361fd3ecea6a7f017c92c3b822
Instruction ID: 373d72d8d75fea115e22af2ed093e8f619f5d25591cefdc14106ccca9a82bd67
Opcode Fuzzy Hash: 8f037899cdf9d65074a6fa70b888a205782f3e361fd3ecea6a7f017c92c3b822
Instruction Fuzzy Hash: 3E419F72A5021AAFDF21CFD4EC89EEE7F69FB08758F144529F912D2250D3318960CB90

Uniqueness

Uniqueness Score: -1.00%

Function 100049E7 Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,100064A0,00000001,?,74DEE860,10029EAC,?,?,00000002,00000000,?,?,10004B8A,?), ref: 10004A26
GetStringTypeA.KERNEL32(00000000,00000001,1000649C,00000001,?,?,?,10004B8A,?), ref: 10004A40
GetStringTypeA.KERNEL32(?,?,?,00000000,00000002,74DEE860,10029EAC,?,?,00000002,00000000,?,?,10004B8A,?), ref: 10004A74
MultiByteToWideChar.KERNEL32(?,10029EAD,?,00000000,00000000,00000000,74DEE860,10029EAC,?,?,00000002,00000000,?,?,10004B8A,?), ref: 10004AAC
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?), ref: 10004B02
GetStringTypeW.KERNEL32(?,?,00000000,?,?,?), ref: 10004B14

Memory Dump Source

Source File: 00000001.00000002.2867990843.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2867967871.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868015784.0000000010006000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868039729.0000000010007000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868064205.0000000010009000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868087376.0000000010029000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868106967.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_MP3SoundRecorder.jbxd

Similarity

API ID: StringType$ByteCharMultiWide
String ID:
API String ID: 3852931651-0
Opcode ID: 7cea2681337ed785ef0074e1592847e87d43e0f4fd9a142211319e42d6d50b99
Instruction ID: 1631983e9f1fd08067bcdd0b9bce4c40db3497d35acda80434a1b6e860f4f5a5
Opcode Fuzzy Hash: 7cea2681337ed785ef0074e1592847e87d43e0f4fd9a142211319e42d6d50b99
Instruction Fuzzy Hash: F4418CB264016AAFEB10DF94CC85EDF3FB9EB092D0F224525F91192164C731D950CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 022A4126 Relevance: 9.1, APIs: 6, Instructions: 85memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsGetValue.KERNEL32(022AEAA8,022AEAE0,00000000,?,022AEAA8,?,022A43CF,022AEAE0,00000000,?,022959A9,?,?,?,?,?), ref: 022A4131
EnterCriticalSection.KERNEL32(022AEAC4,00000010,?,022A43CF,022AEAE0,00000000,?,022959A9,?,?,?,?,?,?), ref: 022A4180
LeaveCriticalSection.KERNEL32(022AEAC4,00000000,?,022A43CF,022AEAE0,00000000,?,022959A9,?,?,?,?,?,?), ref: 022A4193
LocalAlloc.KERNEL32(00000000,00000003,?,022A43CF,022AEAE0,00000000,?,022959A9,?,?,?,?,?,?), ref: 022A41A9
LocalReAlloc.KERNEL32(?,00000003,00000002,?,022A43CF,022AEAE0,00000000,?,022959A9,?,?,?,?,?,?), ref: 022A41BB
TlsSetValue.KERNEL32(022AEAA8,00000000), ref: 022A41F7

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: AllocCriticalLocalSectionValue$EnterLeave
String ID:
API String ID: 4117633390-0
Opcode ID: 1117ddf5b0e3504e2db96faa327c803b9cc7fbbd885582ceb6bfc74275885c47
Instruction ID: 302a2055f4ed6c7a85cf5d61d0b081d43dae94b3fc7b3af6ebe22cd76b09bfd1
Opcode Fuzzy Hash: 1117ddf5b0e3504e2db96faa327c803b9cc7fbbd885582ceb6bfc74275885c47
Instruction Fuzzy Hash: 36319F31610705EFDB24EF94D858F66B7E9FB44354F008A19E46687A54D7B0E815CF50

Uniqueness

Uniqueness Score: -1.00%

Function 022A1724 Relevance: 9.1, APIs: 6, Instructions: 82windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 022A1729
SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 022A1776
SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 022A1798
GetCapture.USER32 ref: 022A17AA
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 022A17B9
WinHelpA.USER32(?,?,?,?), ref: 022A17CD

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: MessageSend$CaptureH_prologHelp
String ID:
API String ID: 432264411-0
Opcode ID: 7d06113d5816a8cbcff5e9665e0ab986b0338fd7fa7266d7ce86c85c2969c8a7
Instruction ID: 5bcbaa0ee01c84947fb3dfc5b116741f678b85f85939963853a4cf59398520ac
Opcode Fuzzy Hash: 7d06113d5816a8cbcff5e9665e0ab986b0338fd7fa7266d7ce86c85c2969c8a7
Instruction Fuzzy Hash: 7A217171610309AFEB206BA0DC99FBE7BAEEB44754F144528B145979E5CBB18C109B10

Uniqueness

Uniqueness Score: -1.00%

Function 022A37E5 Relevance: 9.1, APIs: 6, Instructions: 67COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 022A3818
GetLastActivePopup.USER32(?), ref: 022A3827
IsWindowEnabled.USER32(?), ref: 022A383C
EnableWindow.USER32(?,00000000), ref: 022A384F
GetWindowLongA.USER32(?,000000F0), ref: 022A3861
GetParent.USER32(?), ref: 022A386F

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: 54ce59310d0d9815f96b672cfc7a818ef24ef151bdd0c7f143dafc7d72ac0fd9
Instruction ID: bfaa14c67f5321a106749fa36b1cecabfff4f98d36a2483815a80b2fcaa55ed9
Opcode Fuzzy Hash: 54ce59310d0d9815f96b672cfc7a818ef24ef151bdd0c7f143dafc7d72ac0fd9
Instruction Fuzzy Hash: 5911AC33A21323AFCB31DAE95898B3BB29D9F45F55F9901A9EC10D7A0CDB60D80186D1

Uniqueness

Uniqueness Score: -1.00%

Function 02299AFB Relevance: 9.1, APIs: 6, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(0000000C,00100000,00004000,?,?,?,?,02295945,02295999,?,?,?), ref: 02299B33
VirtualFree.KERNEL32(0000000C,00000000,00008000,?,?,?,?,02295945,02295999,?,?,?), ref: 02299B3E
HeapFree.KERNEL32(00000000,?,?,?,?,?,02295945,02295999,?,?,?), ref: 02299B4B
HeapFree.KERNEL32(00000000,?,?,?,?,02295945,02295999,?,?,?), ref: 02299B67
VirtualFree.KERNEL32(?,00000000,00008000,?,?,02295945,02295999,?,?,?), ref: 02299B88
HeapDestroy.KERNEL32(?,?,02295945,02295999,?,?,?), ref: 02299B9A

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: Free$HeapVirtual$Destroy
String ID:
API String ID: 716807051-0
Opcode ID: e43106ad45a685817c021b541921d7f9d3db95f571a9fa104098dab762d5af00
Instruction ID: b1bc965483f1fc89bfb6b4cc5af25af8a06e3fc6953ba04745a72d86e4d49bd5
Opcode Fuzzy Hash: e43106ad45a685817c021b541921d7f9d3db95f571a9fa104098dab762d5af00
Instruction Fuzzy Hash: 6A118231A90606ABDE339EE0FC59F16B765E744721F210915F68063194C7727960CB54

Uniqueness

Uniqueness Score: -1.00%

Function 1000222D Relevance: 9.1, APIs: 6, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(0000000C,00100000,00004000,?,?,?,?,10001685,100016D9,?,?,?), ref: 10002265
VirtualFree.KERNEL32(0000000C,00000000,00008000,?,?,?,?,10001685,100016D9,?,?,?), ref: 10002270
HeapFree.KERNEL32(00000000,?,?,?,?,?,10001685,100016D9,?,?,?), ref: 1000227D
HeapFree.KERNEL32(00000000,?,?,?,?,10001685,100016D9,?,?,?), ref: 10002299
VirtualFree.KERNEL32(FFFFFFFF,00000000,00008000,?,?,10001685,100016D9,?,?,?), ref: 100022BA
HeapDestroy.KERNEL32(?,?,10001685,100016D9,?,?,?), ref: 100022CC

Memory Dump Source

Source File: 00000001.00000002.2867990843.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2867967871.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868015784.0000000010006000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868039729.0000000010007000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868064205.0000000010009000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868087376.0000000010029000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868106967.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_MP3SoundRecorder.jbxd

Similarity

API ID: Free$HeapVirtual$Destroy
String ID:
API String ID: 716807051-0
Opcode ID: 8f2847e680ba6053ea6eb8634f58bf00da5fda4ea9ebe9eba04f68c7885b0a7d
Instruction ID: 51772ec87824a4f06a302b418cfe28c21f89814428a2ee5e93c2ef4158a3be6f
Opcode Fuzzy Hash: 8f2847e680ba6053ea6eb8634f58bf00da5fda4ea9ebe9eba04f68c7885b0a7d
Instruction Fuzzy Hash: FF118E31240221FBFB21CB60CCC1F0577A6FB457D0F324814F689621A8C662BC46DB64

Uniqueness

Uniqueness Score: -1.00%

Function 022A33C8 Relevance: 9.0, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 022A33D7
GetWindow.USER32(?,00000005), ref: 022A33E8
GetDlgCtrlID.USER32(00000000), ref: 022A33F1
GetWindowLongA.USER32(00000000,000000F0), ref: 022A3400
GetWindowRect.USER32(00000000,?), ref: 022A3412
PtInRect.USER32(?,?,?), ref: 022A3422

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: d9a4e9b62880aab6184d3fe384d8c2c5905af395c0d8edd5117ffaac2aa7dbe4
Instruction ID: a9520edf843b4b91a4878f2813b4146fe2812c05f0313695ddb7e4163561e668
Opcode Fuzzy Hash: d9a4e9b62880aab6184d3fe384d8c2c5905af395c0d8edd5117ffaac2aa7dbe4
Instruction Fuzzy Hash: 6E018F31540116ABDF12AFE4AC0CEBE7B6DEF45700F448460F911A6494E7B0C5268B90

Uniqueness

Uniqueness Score: -1.00%

Function 022A2CA2 Relevance: 9.0, APIs: 6, Instructions: 35COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 022A2CAF
GetSystemMetrics.USER32(0000000C), ref: 022A2CB6
GetDC.USER32(00000000), ref: 022A2CCF
GetDeviceCaps.GDI32(00000000,00000058), ref: 022A2CE0
GetDeviceCaps.GDI32(00000000,0000005A), ref: 022A2CE8
ReleaseDC.USER32(00000000,00000000), ref: 022A2CF0

Part of subcall function 022A4FFE: GetSystemMetrics.USER32(00000002), ref: 022A5010
Part of subcall function 022A4FFE: GetSystemMetrics.USER32(00000003), ref: 022A501A

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$Release
String ID:
API String ID: 1151147025-0
Opcode ID: 595d4aa4631acf38ecc926123496c5e82defd675f09aab53b7b344a57079c20a
Instruction ID: d04cde625b01f78cf5b95dc4a671797d083698262fba65759b6b55a088644e8f
Opcode Fuzzy Hash: 595d4aa4631acf38ecc926123496c5e82defd675f09aab53b7b344a57079c20a
Instruction Fuzzy Hash: 03F03030A807009BE6206BA19C49B2BB7A9EB85752F05491AE60186A90DBB49810CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02299956 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 02299975
GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 022999AA
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 02299A0A

Strings

__GLOBAL_HEAP_SELECTED, xrefs: 022999E4
__MSVCRT_HEAP_SELECT, xrefs: 022999A5

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: EnvironmentFileModuleNameVariableVersion
String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
API String ID: 1385375860-4131005785
Opcode ID: fe9e4beee221395dd02183fb9d5b020983aa0fcd8677b1943162a16fb440a7c8
Instruction ID: ddf9c10e2205c3a5632fac7fa0bd3e037aa42869f9a3d2a217f943f95154f9ca
Opcode Fuzzy Hash: fe9e4beee221395dd02183fb9d5b020983aa0fcd8677b1943162a16fb440a7c8
Instruction Fuzzy Hash: A0310071D612496EFF3186F8AC95BED376CDB02728F2804DEE145D614AE7348AC9CB11

Uniqueness

Uniqueness Score: -1.00%

Function 10002088 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 100020A7
GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 100020DC
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1000213C

Strings

__MSVCRT_HEAP_SELECT, xrefs: 100020D7
__GLOBAL_HEAP_SELECTED, xrefs: 10002116

Memory Dump Source

Source File: 00000001.00000002.2867990843.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2867967871.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868015784.0000000010006000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868039729.0000000010007000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868064205.0000000010009000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868087376.0000000010029000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868106967.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_MP3SoundRecorder.jbxd

Similarity

API ID: EnvironmentFileModuleNameVariableVersion
String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
API String ID: 1385375860-4131005785
Opcode ID: 70c829189e6450b5d007cf780ae83044668b46e0e8b27331d8da5cf16c97d74f
Instruction ID: c23f05ca34e3419fda006b482e4dcd45b64e0b809d6c281fbf9fea31d14a4bbf
Opcode Fuzzy Hash: 70c829189e6450b5d007cf780ae83044668b46e0e8b27331d8da5cf16c97d74f
Instruction Fuzzy Hash: FF313775D452986DFB22C7705C92BDE37ACDB263C4F2040E5E285D604AE6319ECACB21

Uniqueness

Uniqueness Score: -1.00%

Function 022A120E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00000405,00000000,?), ref: 022A12C7
GetWindowLongA.USER32(?,000000FC), ref: 022A12D8
GetWindowLongA.USER32(?,000000FC), ref: 022A12E8
SetWindowLongA.USER32(?,000000FC,?), ref: 022A1304

Strings

(, xrefs: 022A12B2

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: (
API String ID: 2178440468-3887548279
Opcode ID: 244376d455d404dec96b282d0460f9f58cc414be7af092f4a7eda10a91301efc
Instruction ID: 7019ba21939ba021a6d26c137d72ad87232421bd55abb23c3691a0833b8146be
Opcode Fuzzy Hash: 244376d455d404dec96b282d0460f9f58cc414be7af092f4a7eda10a91301efc
Instruction Fuzzy Hash: BF31D0306103159FDB20AFE4D8A8B6EBBF5BF44324F144229E546D7A94DBB0E825CF90

Uniqueness

Uniqueness Score: -1.00%

Function 022A48F0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 88stringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104,?,?,00000000), ref: 022A4921

Part of subcall function 022A4A0D: lstrlenA.KERNEL32(?,00000000,?), ref: 022A4A44

lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 022A49C2
lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 022A49EF

Strings

.HLP, xrefs: 022A49BC
.INI, xrefs: 022A49E9

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: FileModuleNamelstrcatlstrcpylstrlen
String ID: .HLP$.INI
API String ID: 2421895198-3011182340
Opcode ID: 56917c45099f6d0186ee9adadda13bcc20787b966dca637a6ef9a95784d98fd2
Instruction ID: 7ed04cf0ce1a2fae191925f756446135fe537c4990c958b07b81a4f1cf45ffd9
Opcode Fuzzy Hash: 56917c45099f6d0186ee9adadda13bcc20787b966dca637a6ef9a95784d98fd2
Instruction Fuzzy Hash: 6C318FB2914719AFEB21EBF0D894BD6B7FCBB04300F10496AE19AD2555DBB0E984CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02298020 Relevance: 7.6, APIs: 5, Instructions: 150COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 0229807E
GetFileType.KERNEL32(00000480), ref: 02298129
GetStdHandle.KERNEL32(-000000F6), ref: 0229818C
GetFileType.KERNEL32(00000000), ref: 0229819A
SetHandleCount.KERNEL32 ref: 022981D1

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: e2f72f1991773dbf78b7c9889ec3451b51ce61e2290259b15bbb96c0e8143aaa
Instruction ID: e896f829980c84dfb9cda68a2ce12e433dd2d41ba8f5a225e9db5b22426d564f
Opcode Fuzzy Hash: e2f72f1991773dbf78b7c9889ec3451b51ce61e2290259b15bbb96c0e8143aaa
Instruction Fuzzy Hash: AB5119319203028FCF218BE8D8887667BE5FB02728F1D4A68D592D72E4D731E555CB56

Uniqueness

Uniqueness Score: -1.00%

Function 10001A13 Relevance: 7.6, APIs: 5, Instructions: 150COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 10001A71
GetFileType.KERNEL32(00000480), ref: 10001B1C
GetStdHandle.KERNEL32(-000000F6), ref: 10001B7F
GetFileType.KERNEL32(00000000), ref: 10001B8D
SetHandleCount.KERNEL32 ref: 10001BC4

Memory Dump Source

Source File: 00000001.00000002.2867990843.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2867967871.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868015784.0000000010006000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868039729.0000000010007000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868064205.0000000010009000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868087376.0000000010029000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868106967.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_MP3SoundRecorder.jbxd

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: e5a97587cd4d9fc0a7a8c68c09fab9c6af19d8e059a43e7f7c07d4a3aa988e4d
Instruction ID: ebf72a500c60fad78670904dacb7c80c3eaa1dd0e6de184ce7cd3665094f03d3
Opcode Fuzzy Hash: e5a97587cd4d9fc0a7a8c68c09fab9c6af19d8e059a43e7f7c07d4a3aa988e4d
Instruction Fuzzy Hash: 4E511731A086518BF710CB68CCC479A7BE4FB163E8F258668D8A68B2E5EB30D845C751

Uniqueness

Uniqueness Score: -1.00%

Function 022A163D Relevance: 7.6, APIs: 5, Instructions: 52stringregistryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 022A1642
GetClassInfoA.USER32(?,?,?), ref: 022A165D
RegisterClassA.USER32(00000004), ref: 022A1668
lstrcatA.KERNEL32(00000034,?,00000001), ref: 022A169F
lstrcatA.KERNEL32(00000034,?), ref: 022A16AD

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: Classlstrcat$H_prologInfoRegister
String ID:
API String ID: 106226465-0
Opcode ID: 0d3b249e68912848071ea942620896bfa68d641d6579b4730b0585a29f6b0e46
Instruction ID: c15dd3685abf0ad4c28ce52cf5dd21747d6383313e53cf5167a9d9106c09337a
Opcode Fuzzy Hash: 0d3b249e68912848071ea942620896bfa68d641d6579b4730b0585a29f6b0e46
Instruction Fuzzy Hash: 95112132A60344BFCB00AFE89850AEE7BB8AF05710F044519E906A7988C7B0D210CF60

Uniqueness

Uniqueness Score: -1.00%

Function 02297791 Relevance: 7.5, APIs: 5, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000100,00000000,02296E8D,0229BFF3,00000100,00000000,0229CE15,00000000,00000000), ref: 02297793
TlsGetValue.KERNEL32 ref: 022977A1
SetLastError.KERNEL32(00000000), ref: 022977ED

Part of subcall function 0229B990: HeapAlloc.KERNEL32(00000008,022977B6,00000000,00000000,00000000,022A79A0,000000FF,?,022977B6,00000001,00000074), ref: 0229BA86

TlsSetValue.KERNEL32(00000000), ref: 022977C5
GetCurrentThreadId.KERNEL32 ref: 022977D6

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: ErrorLastValue$AllocCurrentHeapThread
String ID:
API String ID: 2020098873-0
Opcode ID: 4f64ed510d4e0f6bc9563d2b84ae720b3a6403abe3e33f6d436a0ac9fb5667b1
Instruction ID: a0da35e6b093328d6cd0e02036b0cec803fb633e07407d626c7398c2e958961a
Opcode Fuzzy Hash: 4f64ed510d4e0f6bc9563d2b84ae720b3a6403abe3e33f6d436a0ac9fb5667b1
Instruction Fuzzy Hash: CCF02B32E603119FDE312BF4B80C6EA7B59AF007757040914F551DA5E4CF6188518B90

Uniqueness

Uniqueness Score: -1.00%

Function 1000190C Relevance: 7.5, APIs: 5, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000103,7FFFFFFF,10004B35,10003333,00000000,?,?,00000000,00000001), ref: 1000190E
TlsGetValue.KERNEL32 ref: 1000191C
SetLastError.KERNEL32(00000000), ref: 10001968

Part of subcall function 1000256C: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,100046C0,10006418,000000FF,?,10001931,00000001,00000074), ref: 10002662

TlsSetValue.KERNEL32(00000000), ref: 10001940
GetCurrentThreadId.KERNEL32 ref: 10001951

Memory Dump Source

Source File: 00000001.00000002.2867990843.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2867967871.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868015784.0000000010006000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868039729.0000000010007000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868064205.0000000010009000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868087376.0000000010029000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868106967.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_MP3SoundRecorder.jbxd

Similarity

API ID: ErrorLastValue$AllocCurrentHeapThread
String ID:
API String ID: 2020098873-0
Opcode ID: 61b21b863bee55c65071b68a9dfa959f7e16219e5b99125746284950892fedb6
Instruction ID: a4b9296e5d9004c075684ef8d48910d57da0249250180360d04515b1c608e5ea
Opcode Fuzzy Hash: 61b21b863bee55c65071b68a9dfa959f7e16219e5b99125746284950892fedb6
Instruction Fuzzy Hash: 6FF0BB355406319BF7315B74AC5D69B3B96EF057F1B210129F646A61ACCF2488015771

Uniqueness

Uniqueness Score: -1.00%

Function 022A3F60 Relevance: 7.5, APIs: 5, Instructions: 35COMMON

Download Yara Rule

APIs

TlsFree.KERNEL32(00000000,?,?,022A44F8,00000000,00000001), ref: 022A3F6C
GlobalHandle.KERNEL32(005B2660), ref: 022A3F94
GlobalUnlock.KERNEL32(00000000,?,?,022A44F8,00000000,00000001), ref: 022A3F9D
GlobalFree.KERNEL32(00000000), ref: 022A3FA4
DeleteCriticalSection.KERNEL32(022AEA8C,?,?,022A44F8,00000000,00000001), ref: 022A3FAE

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: Global$Free$CriticalDeleteHandleSectionUnlock
String ID:
API String ID: 2159622880-0
Opcode ID: 9dcfdc030ec9be0b5f59fa26a11a8554a58a8d164eff600ea460c96a293f3f55
Instruction ID: 947ac8a82e3d068b90dbc09c1243e8c6a45e6426f1cc92f88aa7b7e4da42fcf4
Opcode Fuzzy Hash: 9dcfdc030ec9be0b5f59fa26a11a8554a58a8d164eff600ea460c96a293f3f55
Instruction Fuzzy Hash: 93F05431A506119FCA219BF8BC0CA3ABABDAF85755719094AF811D3B65CBB0D8128A60

Uniqueness

Uniqueness Score: -1.00%

Function 0229AF87 Relevance: 7.5, APIs: 5, Instructions: 34COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(00000000,?,?,02297765,02295940,02295999,?,?,?), ref: 0229AFBB

Part of subcall function 02295B63: HeapFree.KERNEL32(00000000,?,?,-00000084,?,?,0229132D,?,?,?,?), ref: 02295C37

DeleteCriticalSection.KERNEL32(?,?,02297765,02295940,02295999,?,?,?), ref: 0229AFD6
DeleteCriticalSection.KERNEL32 ref: 0229AFDE
DeleteCriticalSection.KERNEL32 ref: 0229AFE6
DeleteCriticalSection.KERNEL32 ref: 0229AFEE

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: CriticalDeleteSection$FreeHeap
String ID:
API String ID: 447823528-0
Opcode ID: d0bdd825c68d027dd8bd15135b0e80ca66901608132ba0d9c6beca60e1c7077f
Instruction ID: 82b0059d47ad1616812bd33f9853aced9573a40e9c145aeebfd6ec3157cdd6f3
Opcode Fuzzy Hash: d0bdd825c68d027dd8bd15135b0e80ca66901608132ba0d9c6beca60e1c7077f
Instruction Fuzzy Hash: BFF05473C60221DB8E3136DBFC9EA8B7A759F943143174436DC647287CCA124C6299B0

Uniqueness

Uniqueness Score: -1.00%

Function 1000248A Relevance: 7.5, APIs: 5, Instructions: 34COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(00000000,?,?,100018E0,10001680,100016D9,?,?,?), ref: 100024BE

Part of subcall function 100026A9: HeapFree.KERNEL32(00000000,?,?,?,?), ref: 1000277D

DeleteCriticalSection.KERNEL32(?,?,100018E0,10001680,100016D9,?,?,?), ref: 100024D9
DeleteCriticalSection.KERNEL32 ref: 100024E1
DeleteCriticalSection.KERNEL32 ref: 100024E9
DeleteCriticalSection.KERNEL32 ref: 100024F1

Memory Dump Source

Source File: 00000001.00000002.2867990843.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2867967871.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868015784.0000000010006000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868039729.0000000010007000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868064205.0000000010009000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868087376.0000000010029000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868106967.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_MP3SoundRecorder.jbxd

Similarity

API ID: CriticalDeleteSection$FreeHeap
String ID:
API String ID: 447823528-0
Opcode ID: 859a5321d9a64c3ad4e28da868c147939a692f03546d74754d889652830e4d2e
Instruction ID: e2c06194f1f98c8e9fe7b71c48b70265901a98a4b77888f88b7cab68e077d7bd
Opcode Fuzzy Hash: 859a5321d9a64c3ad4e28da868c147939a692f03546d74754d889652830e4d2e
Instruction Fuzzy Hash: 87F0F431C0226176FBA1BF1EEC888D96A65FB833D03624075E49D620BCC51D4C51C9F1

Uniqueness

Uniqueness Score: -1.00%

Function 02292F2D Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 164COMMON

Download Yara Rule

APIs

__ftol.LIBCMT ref: 02292FBB

Strings

Error opening encoding stream (%lu), xrefs: 02293173
rb+, xrefs: 02292F4A
wb+, xrefs: 02292FE3

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: __ftol
String ID: Error opening encoding stream (%lu)$rb+$wb+
API String ID: 495808979-1905959079
Opcode ID: ebcebecef6974a0a8bee6427ac435d8b45e8354370b76ee4335d16bddc8b0db6
Instruction ID: 6ab6ea94b6ab7c18639282b5dbdf9b60517902bf182ff5b5a5c38bc9b2d95486
Opcode Fuzzy Hash: ebcebecef6974a0a8bee6427ac435d8b45e8354370b76ee4335d16bddc8b0db6
Instruction Fuzzy Hash: B88112B0E143298BDB24EF54DD88BA9B7B5BB88304F1041E8D44DAB245D776AEC5CF80

Uniqueness

Uniqueness Score: -1.00%

Function 02293965 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

waveInPrepareHeader.WINMM(?,00000000,00000020), ref: 022939FA

Strings

in AddInputBufferToQueue(), xrefs: 02293A53
in AddInputBufferToQueue(), xrefs: 02293A09

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: HeaderPreparewave
String ID: in AddInputBufferToQueue()$in AddInputBufferToQueue()
API String ID: 1973936016-4017236734
Opcode ID: 277e910d65d2a63a2e25f8e44060e1cfb344e43ee00c57696df236232d71dbcb
Instruction ID: acdc1be633a0431cee575bfb71dd55713fbca1ba762897f151060d527f8380b9
Opcode Fuzzy Hash: 277e910d65d2a63a2e25f8e44060e1cfb344e43ee00c57696df236232d71dbcb
Instruction Fuzzy Hash: E841E4B5E10209ABCB04DFE4D994AADBBB5BB48310F208658E815BB384D776A942CF50

Uniqueness

Uniqueness Score: -1.00%

Function 022A3DB3 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetMenuCheckMarkDimensions.USER32 ref: 022A3DBF
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 022A3E6E
LoadBitmapA.USER32(00000000,00007FE3), ref: 022A3E86

Strings

, xrefs: 022A3DCE

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu
String ID:
API String ID: 2596413745-3916222277
Opcode ID: f2607e04b44246bfc39d74b0d98a1300da5dee2aeccbda34e542543cc47dc285
Instruction ID: 9d20e5ddd9d3dbdd439c925fab3403750488100e9f5cda084f37c042d85b1e0d
Opcode Fuzzy Hash: f2607e04b44246bfc39d74b0d98a1300da5dee2aeccbda34e542543cc47dc285
Instruction Fuzzy Hash: 73212571E00316AFEF10CBB8DD89BAE7BB9EB44710F0445A6E405EB285D7709A44CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0229403F Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

waveOutPrepareHeader.WINMM(?,00000000,00000020), ref: 022940A0

Strings

in AddOutputBufferToQueue(), xrefs: 022940EA
in AddOutputBufferToQueue(), xrefs: 022940AF

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: HeaderPreparewave
String ID: in AddOutputBufferToQueue()$in AddOutputBufferToQueue()
API String ID: 1973936016-2955184339
Opcode ID: bb12ed180db6591b54ae8d5b28e1128c9bd3e9ff2f273729652103abadba1a99
Instruction ID: 87233705a6b69f9b65ab6097f531be74134626ade6fcc4b536fd3d0644a4834f
Opcode Fuzzy Hash: bb12ed180db6591b54ae8d5b28e1128c9bd3e9ff2f273729652103abadba1a99
Instruction Fuzzy Hash: 7231FFB4E10209EFCB04DFE4D895BAEBBB1BB48304F1485A8D9196B345D771AA41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 022A337E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27stringCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(00000000,000000F0), ref: 022A338F
GetClassNameA.USER32(00000000,?,0000000A), ref: 022A33AA
lstrcmpiA.KERNEL32(?,combobox), ref: 022A33B9

Strings

combobox, xrefs: 022A33B3

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: ClassLongNameWindowlstrcmpi
String ID: combobox
API String ID: 2054663530-2240613097
Opcode ID: c6bd0fb3f8f752963e6449c10c2afc052e7ddf1d991b08307b2c045ea8aa590a
Instruction ID: faee50e8fd73446621acbe6e9f1aecfc821d2af0088fb2f68915850544180a3e
Opcode Fuzzy Hash: c6bd0fb3f8f752963e6449c10c2afc052e7ddf1d991b08307b2c045ea8aa590a
Instruction Fuzzy Hash: 50E06531D64209BBDF019FA0DC4EE6D7BACE740305F048520B922D9494DB71D159C790

Uniqueness

Uniqueness Score: -1.00%

Function 02298E6A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,02295714), ref: 02298E6F
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 02298E7F

Strings

KERNEL32, xrefs: 02298E6A
IsProcessorFeaturePresent, xrefs: 02298E79

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 3a10a9d3524122ad3bd2875b35bf590a0ba56fe7de64914699cdcfa72aad08c7
Instruction ID: 5a38661b21861953f2eb2c6b9e1302695d225ed430c552cbdcff746a6b7d680e
Opcode Fuzzy Hash: 3a10a9d3524122ad3bd2875b35bf590a0ba56fe7de64914699cdcfa72aad08c7
Instruction Fuzzy Hash: 96C01230BA120757FD1017F45D2DB2E665C2B01E02F0C09407046D048CCB50C0008427

Uniqueness

Uniqueness Score: -1.00%

Function 0229794F Relevance: 6.5, APIs: 5, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b295ef2d1fc9ce95b0feb6c02cae23c40e19997b6706df9dfd18030a34839011
Instruction ID: 42b6d46d9c9a0743183687206dd03fb8475151889ab42c3f28fc802a493d15c4
Opcode Fuzzy Hash: b295ef2d1fc9ce95b0feb6c02cae23c40e19997b6706df9dfd18030a34839011
Instruction Fuzzy Hash: F491E6B1D31615AFDF22AFE8DC84ADEFAB9EB44760F240515F814B6288D7318E50CA64

Uniqueness

Uniqueness Score: -1.00%

Function 0229A891 Relevance: 6.4, APIs: 5, Instructions: 102memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,00002020,?,?,?,?,0229AD5D,?,00000010,?,00000009,00000009,?,02295B13,00000010,?), ref: 0229A8B2
VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,0229AD5D,?,00000010,?,00000009,00000009,?,02295B13,00000010,?), ref: 0229A8D6
VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,0229AD5D,?,00000010,?,00000009,00000009,?,02295B13,00000010,?), ref: 0229A8F0
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0229AD5D,?,00000010,?,00000009,00000009,?,02295B13,00000010,?,?), ref: 0229A9B1
HeapFree.KERNEL32(00000000,00000000,?,?,0229AD5D,?,00000010,?,00000009,00000009,?,02295B13,00000010,?,?), ref: 0229A9C8

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: AllocVirtual$FreeHeap
String ID:
API String ID: 714016831-0
Opcode ID: 094c1e0517ea27d16c2bad830e3f076de33c0c4a54d1fa8a7b218166fbb11f38
Instruction ID: 416da01bb4967f84f5784d661124ed2d62309c96bf87ac7b17298482c1223357
Opcode Fuzzy Hash: 094c1e0517ea27d16c2bad830e3f076de33c0c4a54d1fa8a7b218166fbb11f38
Instruction Fuzzy Hash: 89312670A90702DFEB318FA4EC4AB22BBE4F744798F014A2AE195977C4E770A454DB54

Uniqueness

Uniqueness Score: -1.00%

Function 10003DA0 Relevance: 6.4, APIs: 5, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,00002020,100073C0,100073C0,?,?,1000426C,?,00000010,?,00000009,00000009,?,1000287C,00000010,?), ref: 10003DC1
VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,1000426C,?,00000010,?,00000009,00000009,?,1000287C,00000010,?), ref: 10003DE5
VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,1000426C,?,00000010,?,00000009,00000009,?,1000287C,00000010,?), ref: 10003DFF
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,1000426C,?,00000010,?,00000009,00000009,?,1000287C,00000010,?,?), ref: 10003EC0
HeapFree.KERNEL32(00000000,00000000,?,?,1000426C,?,00000010,?,00000009,00000009,?,1000287C,00000010,?,?,?), ref: 10003ED7

Memory Dump Source

Source File: 00000001.00000002.2867990843.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2867967871.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868015784.0000000010006000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868039729.0000000010007000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868064205.0000000010009000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868087376.0000000010029000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868106967.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_MP3SoundRecorder.jbxd

Similarity

API ID: AllocVirtual$FreeHeap
String ID:
API String ID: 714016831-0
Opcode ID: ca4ebd3bf41db11c489ac71e7885e3e5fbf96afc160371669c2d3a49ea980450
Instruction ID: 85c748c0bafa8236aa2fa6bf59248fc0cf93c7195ac51e05481f67ba939f845c
Opcode Fuzzy Hash: ca4ebd3bf41db11c489ac71e7885e3e5fbf96afc160371669c2d3a49ea980450
Instruction Fuzzy Hash: 6D310170A40791EBF322CF24CC84B17BBE9FB44BD0F118629E559A73D8EB74A8449B54

Uniqueness

Uniqueness Score: -1.00%

Function 0229DE77 Relevance: 6.2, APIs: 4, Instructions: 170fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000100,00000000,00000000), ref: 0229DEF1
GetLastError.KERNEL32 ref: 0229DEFB
ReadFile.KERNEL32(?,?,00000001,00000000,00000000), ref: 0229DFC1
GetLastError.KERNEL32 ref: 0229DFCB

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: ce1687a98dd571459335d7596ee6b32768edcf9be598e6f0d5619a146f867b07
Instruction ID: eac932a2c3cfd73f31937d3591086ab77a43074a947d9f6a361ff5904a03af1f
Opcode Fuzzy Hash: ce1687a98dd571459335d7596ee6b32768edcf9be598e6f0d5619a146f867b07
Instruction Fuzzy Hash: 93512530A24386DFDF21CFE8C885BA97BF4BF02308F19449AE8A59B259D775D541CB11

Uniqueness

Uniqueness Score: -1.00%

Function 02298C8F Relevance: 6.1, APIs: 4, Instructions: 135fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,00000000,00000000,0229CEA2,00000000,00001000), ref: 02298D56

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: bbb0527079bb23da0f304d871eb1b7d3318695f91669d404172efdb3908303c7
Instruction ID: 04d8ef3b8be42faf6cbe28a816f1621baafdb9c11104453ca336964c42f01629
Opcode Fuzzy Hash: bbb0527079bb23da0f304d871eb1b7d3318695f91669d404172efdb3908303c7
Instruction Fuzzy Hash: 9A516971920209EFCF15CFA8C884AAD7BF9FF46344F1885A5F8159B259DB70DA40CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0229BE68 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

Part of subcall function 0229AFF3: InitializeCriticalSection.KERNEL32(00000000,?,?,?,02295BE2,00000009,?,-00000084,?,?,0229132D,?,?,?,?), ref: 0229B030
Part of subcall function 0229AFF3: EnterCriticalSection.KERNEL32(?,?,?,02295BE2,00000009,?,-00000084,?,?,0229132D,?,?,?,?), ref: 0229B04B

InitializeCriticalSection.KERNEL32(00000068,00000100,00000080,?,00000000,00000000,00000000,0229CD90,00000001,00000000,00000000), ref: 0229BEBB
EnterCriticalSection.KERNEL32(00000068,00000100,00000080,?,00000000,00000000,00000000,0229CD90,00000001,00000000,00000000), ref: 0229BED0
LeaveCriticalSection.KERNEL32(00000068,?,00000000,00000000,00000000,0229CD90,00000001,00000000,00000000), ref: 0229BEDD

Strings

, xrefs: 0229BF11

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: CriticalSection$EnterInitialize$Leave
String ID:
API String ID: 713024617-3916222277
Opcode ID: c54e413d73d7743e1d877b6f8763c139a97ccbfe8e63ac4c6166e68cdbd98d1a
Instruction ID: d94248abceac68ba22791cd796cf80bd52a276f2e5860632d7ca3e4380ade13a
Opcode Fuzzy Hash: c54e413d73d7743e1d877b6f8763c139a97ccbfe8e63ac4c6166e68cdbd98d1a
Instruction Fuzzy Hash: 843126725253068FDB10CFA4F88875ABB99EF4032CF148A2DF665472D5CBB0E8488B55

Uniqueness

Uniqueness Score: -1.00%

Function 022A366D Relevance: 6.1, APIs: 4, Instructions: 87windowCOMMON

Download Yara Rule

APIs

Part of subcall function 022A37E5: GetParent.USER32(?), ref: 022A3818
Part of subcall function 022A37E5: GetLastActivePopup.USER32(?), ref: 022A3827
Part of subcall function 022A37E5: IsWindowEnabled.USER32(?), ref: 022A383C
Part of subcall function 022A37E5: EnableWindow.USER32(?,00000000), ref: 022A384F

SendMessageA.USER32(?,00000376,00000000,00000000), ref: 022A36A3
GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,?,00000000), ref: 022A3711
MessageBoxA.USER32(00000000,?,?,00000000), ref: 022A371F
EnableWindow.USER32(00000000,00000001), ref: 022A373B

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: Window$EnableMessage$ActiveEnabledFileLastModuleNameParentPopupSend
String ID:
API String ID: 1958756768-0
Opcode ID: 15203a596a23d06eb859cee024d14cad6c18f12c7cbedefd6a04204f6c73077c
Instruction ID: a30fe95a0149f328c4cb5a3d17adef1e91bc176984ca1a7ddf270227d8d66880
Opcode Fuzzy Hash: 15203a596a23d06eb859cee024d14cad6c18f12c7cbedefd6a04204f6c73077c
Instruction Fuzzy Hash: 832191B2A50209AFDB20DFD8CCD6AEEB7B9EB04B54F1444A9E610E7A84C7719D448B50

Uniqueness

Uniqueness Score: -1.00%

Function 0229F38C Relevance: 6.1, APIs: 4, Instructions: 85synchronizationCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0229F391

Part of subcall function 022A435F: TlsGetValue.KERNEL32(022AEAA8,?,?,022A47E2,022A3D1F,022A47FE,022A00DE,0229424B,?,022959A9,?,?,?,?,?,?), ref: 022A439E

Part of subcall function 0229F514: GetCurrentThreadId.KERNEL32 ref: 0229F527
Part of subcall function 0229F514: SetWindowsHookExA.USER32(000000FF,0229F9DB,00000000,00000000), ref: 0229F537

SetEvent.KERNEL32(?,Function_00013C5D), ref: 0229F44D
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0229F456
CloseHandle.KERNEL32(?), ref: 0229F45D

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: CloseCurrentEventH_prologHandleHookObjectSingleThreadValueWaitWindows
String ID:
API String ID: 3726718227-0
Opcode ID: 1e2621406f4235182963fe10658f798467ad3a549c5899e1f886ef2f92b93bf1
Instruction ID: 9a08fc2f0e8ef401d406c7cc78a808c6f93405d59bf2ec32b053941931cddad5
Opcode Fuzzy Hash: 1e2621406f4235182963fe10658f798467ad3a549c5899e1f886ef2f92b93bf1
Instruction Fuzzy Hash: 5F31B330A20306DFCF14EFE4DA94AADBBB2FF05714B108569D10697A99DB70EA05CF91

Uniqueness

Uniqueness Score: -1.00%

Function 008C78BD Relevance: 6.1, APIs: 4, Instructions: 71registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,008D1728,00000000,00000001,?), ref: 008C7900
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,00000004), ref: 008C7920
RegCloseKey.ADVAPI32(?), ref: 008C7964
RegCloseKey.ADVAPI32(00000000), ref: 008C797A

Memory Dump Source

Source File: 00000001.00000002.2867017111.00000000008B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000001.00000002.2866949407.00000000008B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867057178.00000000008CA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867126691.00000000008D1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867159897.00000000008D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867196251.00000000008D7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8b0000_MP3SoundRecorder.jbxd

Similarity

API ID: Close$OpenQueryValue
String ID:
API String ID: 1607946009-0
Opcode ID: 1317cd4c92d9bbca145b29c248833a20a94452d0243fa5ce7b6fff19c16ab802
Instruction ID: 37cdef5136747f411b02a77f9894370eb74a3286bb988bec176f56240d072bef
Opcode Fuzzy Hash: 1317cd4c92d9bbca145b29c248833a20a94452d0243fa5ce7b6fff19c16ab802
Instruction Fuzzy Hash: E32134B1D14208EBDB14CF9AD888EAEBBF8FF94354F1040AEE505E6220D7749A04CF21

Uniqueness

Uniqueness Score: -1.00%

Function 022A201E Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 022A2029
GetTopWindow.USER32(00000000), ref: 022A203C
GetTopWindow.USER32(?), ref: 022A206C
GetWindow.USER32(00000000,00000002), ref: 022A2087

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: 9a872e6937712532acd999b898524ee1679e47690ada8ca342645abcabef97e8
Instruction ID: 934c9c483eb8b260a3b213f7ccc689b4c8ab27df9845ec979f4569fb80603c61
Opcode Fuzzy Hash: 9a872e6937712532acd999b898524ee1679e47690ada8ca342645abcabef97e8
Instruction Fuzzy Hash: EB01843262222AEBCF322FF19C16FAEB659AF70750F044610FD00A181CE7B1C511DA90

Uniqueness

Uniqueness Score: -1.00%

Function 022A2097 Relevance: 6.0, APIs: 4, Instructions: 49windowCOMMON

Download Yara Rule

APIs

GetTopWindow.USER32(?), ref: 022A20A5
SendMessageA.USER32(00000000,?,?,?), ref: 022A20DB
GetTopWindow.USER32(00000000), ref: 022A20E8
GetWindow.USER32(00000000,00000002), ref: 022A2106

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: Window$MessageSend
String ID:
API String ID: 1496643700-0
Opcode ID: 1df56dd90eb868916329c13062baaa041df275497e5d5cfd8bd3b70d88063e82
Instruction ID: dec2ecddf37988619f5cce89b3cfeb913d53420931516090157b24760ea19356
Opcode Fuzzy Hash: 1df56dd90eb868916329c13062baaa041df275497e5d5cfd8bd3b70d88063e82
Instruction Fuzzy Hash: 5E010C3201121AFBCF225FD1EC15EAE7B6AAF55354F048114FE1065828C776C671DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0229FF3A Relevance: 6.0, APIs: 4, Instructions: 48windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32(?,?,?), ref: 0229FF62
GetFocus.USER32 ref: 0229FF75
GetParent.USER32(?), ref: 0229FF83
GetNextDlgTabItem.USER32(?,?,00000000), ref: 0229FF9F

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: Item$EnableFocusMenuNextParent
String ID:
API String ID: 988757621-0
Opcode ID: 9a6c0d294982d28d9118401e7b8e0a9e02ae5a32da16189f7cac15874dfd44c7
Instruction ID: cfac08ba001b123faf2de4d7e5ef40b019e7142833bd33b08130686a95066394
Opcode Fuzzy Hash: 9a6c0d294982d28d9118401e7b8e0a9e02ae5a32da16189f7cac15874dfd44c7
Instruction Fuzzy Hash: 921179316207019BCF289FA0E918B2AB7B9BF40715F148A1DF15686DE4CB71E895CB10

Uniqueness

Uniqueness Score: -1.00%

Function 022A388D Relevance: 6.0, APIs: 4, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(00000000,022A3C20,00000000,00000004,?,00000004,?,?), ref: 022A38B9
RegCloseKey.ADVAPI32(00000000,?,?), ref: 022A38C2
wsprintfA.USER32 ref: 022A38DE
WritePrivateProfileStringA.KERNEL32(?,022A3C20,?,?), ref: 022A38F7

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: ClosePrivateProfileStringValueWritewsprintf
String ID:
API String ID: 1902064621-0
Opcode ID: f9f8ee78ac9ea7d4138469d009295185939fc094396256a2c2791a0ce3fb87a9
Instruction ID: 4a06bb97a1efa80e074b5924e19fcfaf47b15a86ab381879dd58398dd8b18508
Opcode Fuzzy Hash: f9f8ee78ac9ea7d4138469d009295185939fc094396256a2c2791a0ce3fb87a9
Instruction Fuzzy Hash: 5B018F3245031AABCF119FE4EC09FAA3BADFF04714F094425BA1596498D7B0D524CB90

Uniqueness

Uniqueness Score: -1.00%

Function 022A2668 Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

GetObjectA.GDI32(00000000,0000000C,?), ref: 022A26A6
SetBkColor.GDI32(00000000,00000000), ref: 022A26B2
GetSysColor.USER32(00000008), ref: 022A26C2
SetTextColor.GDI32(00000000,?), ref: 022A26CC

Part of subcall function 022A337E: GetWindowLongA.USER32(00000000,000000F0), ref: 022A338F

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: Color$LongObjectTextWindow
String ID:
API String ID: 2871169696-0
Opcode ID: 8784b975e08f853844e546c28b15a5bd991f5eed94693e86297281914acc159b
Instruction ID: 25d8beea8080dc55b20db801ddac699b9338e84b2127877d02b99e9c0ffe37a8
Opcode Fuzzy Hash: 8784b975e08f853844e546c28b15a5bd991f5eed94693e86297281914acc159b
Instruction Fuzzy Hash: 0A014F3155120EEBDF225ED9E859BAA3B69EB00705F144610FE01D48E4D772CCE0DB62

Uniqueness

Uniqueness Score: -1.00%

Function 022A343D Relevance: 6.0, APIs: 4, Instructions: 29stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 022A344A
GetWindowTextA.USER32(?,?,00000100), ref: 022A3466
lstrcmpA.KERNEL32(?,?), ref: 022A347A
SetWindowTextA.USER32(?,?), ref: 022A348A

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: TextWindow$lstrcmplstrlen
String ID:
API String ID: 330964273-0
Opcode ID: 80900e6a7c056100273320e99dd7ab366cc8fb9e52d58d38223557900b5987eb
Instruction ID: e37930c51b088d7e3dc1817f48807f789c61a824dbc18e378cc2a90962c91b63
Opcode Fuzzy Hash: 80900e6a7c056100273320e99dd7ab366cc8fb9e52d58d38223557900b5987eb
Instruction Fuzzy Hash: 52F01C3180011ABBDF22AFB4EC0CAED7F6DFB08394F048565F949D1664E771DAA48B90

Uniqueness

Uniqueness Score: -1.00%

Function 02296C74 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 02296C88

Strings

, xrefs: 02296CD1
, xrefs: 02296CAD

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: d3e5ec15135e5376dd664ef4f50f39165b58886788ce32c3d70de7578c1fc8a1
Instruction ID: 5e31bb0153d541bec853af06c0b70fb155f5dd88f1ec208782ec1a4cb9b1694f
Opcode Fuzzy Hash: d3e5ec15135e5376dd664ef4f50f39165b58886788ce32c3d70de7578c1fc8a1
Instruction Fuzzy Hash: E64127314242985EEF1786E8DD6DBF63FEDEB02704F0804E5E559CA186C3A14A54CB72

Uniqueness

Uniqueness Score: -1.00%

Function 10002C8E Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 10002CA2

Strings

, xrefs: 10002CC7
, xrefs: 10002CEB

Memory Dump Source

Source File: 00000001.00000002.2867990843.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2867967871.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868015784.0000000010006000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868039729.0000000010007000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868064205.0000000010009000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868087376.0000000010029000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868106967.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_MP3SoundRecorder.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: 30b1c6507d7678deae8f375486a40f2c20231ec71d03004fb37f5481de7b0e52
Instruction ID: a24e0700dd4dd96fb15bab0300884ab4ca0721a4443ff2ab8346e855e10058cd
Opcode Fuzzy Hash: 30b1c6507d7678deae8f375486a40f2c20231ec71d03004fb37f5481de7b0e52
Instruction Fuzzy Hash: 684159311042A81AFF16CA14CD89FEA7FA9DB067C4F2104F7DA85CB062C2B24D45CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02291220 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

FindWindowA.USER32(TMP3SoundRecord,00000000), ref: 0229126E
Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 022912A2

Strings

TMP3SoundRecord, xrefs: 02291269

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: ProcessorVirtual$Concurrency::FindRootRoot::Window
String ID: TMP3SoundRecord
API String ID: 1274676553-2735625632
Opcode ID: 140f120f1949cfaa95daee48c913b024d4090411b902fbd648346bb9655b8cd1
Instruction ID: fb501f99d2e89f58ac1f78849343ec2674ecb04ca163e8eb85cb4398f46757ef
Opcode Fuzzy Hash: 140f120f1949cfaa95daee48c913b024d4090411b902fbd648346bb9655b8cd1
Instruction Fuzzy Hash: 754151B4E41306DFDBA4DF98E494B69B7B1FB48310F118529E80987784C730AA66CF91

Uniqueness

Uniqueness Score: -1.00%

Function 008BB8A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

___initmbctable.LIBCMT ref: 008BB8B5
GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe,00000104,00000000,?,?,?,?,?,008B662D,?,?,?,008B674B,?,?), ref: 008BB8CD

Strings

C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe, xrefs: 008BB8BF, 008BB8C4

Memory Dump Source

Source File: 00000001.00000002.2867017111.00000000008B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000001.00000002.2866949407.00000000008B0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867057178.00000000008CA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867126691.00000000008D1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867159897.00000000008D4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.2867196251.00000000008D7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8b0000_MP3SoundRecorder.jbxd

Similarity

API ID: FileModuleName___initmbctable
String ID: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe
API String ID: 767393020-4098183904
Opcode ID: f4fc17ecbddf08686ac031cd236a650fecc37f0643f05a5f67b43b511bf57edd
Instruction ID: 81cd1e20a1ac27abba0654a6fdfbf0eff600fea13123b6a6016c1a91c4f91001
Opcode Fuzzy Hash: f4fc17ecbddf08686ac031cd236a650fecc37f0643f05a5f67b43b511bf57edd
Instruction Fuzzy Hash: E011E372A04158ABEB10DBA9AC419DA7BF8FB85360F10026BF911E3341E7B49E04CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02293DFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

waveOutReset.WINMM(?), ref: 02293E30

Part of subcall function 0229411F: waveOutGetErrorTextA.WINMM(?,?,00000064), ref: 0229412F

Strings

waveOutReset(), xrefs: 02293E5B
in stop(), xrefs: 02293E3F

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: wave$ErrorResetText
String ID: in stop()$waveOutReset()
API String ID: 1940559181-1814647923
Opcode ID: 3f1d2715ba58803b4a3c8ff8cd3d6d684f71ddc355d23915ba3f3e95ca44314b
Instruction ID: 792a0e665e483156646a0f19a00632b414f5a4a58def837bdae9c475bf750779
Opcode Fuzzy Hash: 3f1d2715ba58803b4a3c8ff8cd3d6d684f71ddc355d23915ba3f3e95ca44314b
Instruction Fuzzy Hash: 81F0C275A10308EBEF04DBE4D425BAEBBB4AF08708F1480E8E845AB345D7719A04CB91

Uniqueness

Uniqueness Score: -1.00%

Function 022A426D Relevance: 5.1, APIs: 4, Instructions: 62COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(022AEAC4,?,022AEAA8,022AEAC4,022AEAA8,?,022A434C,005C4508,00000000,00000000,?,?,0229425A,?,000000FF), ref: 022A42CA
LeaveCriticalSection.KERNEL32(022AEAC4,?,?,022A434C,005C4508,00000000,00000000,?,?,0229425A,?,000000FF,?,022959A9,?,?), ref: 022A42DA
LocalFree.KERNEL32(00000003,?,022A434C,005C4508,00000000,00000000,?,?,0229425A,?,000000FF,?,022959A9,?,?,?), ref: 022A42E3
TlsSetValue.KERNEL32(022AEAA8,00000000,?,022A434C,005C4508,00000000,00000000,?,?,0229425A,?,000000FF,?,022959A9,?,?), ref: 022A42F9

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: CriticalSection$EnterFreeLeaveLocalValue
String ID:
API String ID: 2949335588-0
Opcode ID: 0a2594d3e041082f94739c54eb19b9cac17013a4e3b4cc45c9075d1d7e1b09d3
Instruction ID: 3adb8a0a404c4cb3fe048e765c9aad870caaf4f145846f3ae3a18fe1beea1ccd
Opcode Fuzzy Hash: 0a2594d3e041082f94739c54eb19b9cac17013a4e3b4cc45c9075d1d7e1b09d3
Instruction Fuzzy Hash: 8721AC31A10202EFDB24EFD8D858B6A77A9FF45705F04846AE5028BA95C7F1E841CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0229A3EF Relevance: 5.1, APIs: 4, Instructions: 53memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,0229A1B7,?,-00000084,?,02295AB5,-00000084,?,?,?,?,-00000084), ref: 0229A417
HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,0229A1B7,?,-00000084,?,02295AB5,-00000084,?,?,?,?,-00000084), ref: 0229A44B
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,02295AB5,-00000084,?,?,?,?,-00000084), ref: 0229A465
HeapFree.KERNEL32(00000000,?,?,02295AB5,-00000084,?,?,?,?,-00000084), ref: 0229A47C

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: 4cb15ed6784eba23515212d21b6e2e38a4607602320f9798e513cb8ed4355098
Instruction ID: d5a8eb96f66758df8a793bb9b410f89df7070135f5ff5962606051203e07f08e
Opcode Fuzzy Hash: 4cb15ed6784eba23515212d21b6e2e38a4607602320f9798e513cb8ed4355098
Instruction Fuzzy Hash: 9A113730A803029BCB738FE9FC499227BB6FB86750B504A19F552C65E0C372AA65CB40

Uniqueness

Uniqueness Score: -1.00%

Function 10003BF4 Relevance: 5.1, APIs: 4, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,100039BC,?,?,?,1000281E,?,?,?,?,?,?), ref: 10003C1C
HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,100039BC,?,?,?,1000281E,?,?,?,?,?,?), ref: 10003C50
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 10003C6A
HeapFree.KERNEL32(00000000,?), ref: 10003C81

Memory Dump Source

Source File: 00000001.00000002.2867990843.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2867967871.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868015784.0000000010006000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868039729.0000000010007000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868064205.0000000010009000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868087376.0000000010029000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868106967.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_MP3SoundRecorder.jbxd

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: 03c026a301bb0cc2380d6ab5240a8afbfa39764c513a9c82cdfbf83712968e73
Instruction ID: 5c70b8ccfa7445e9249b66518ea03612715f146f51876a9b68da7e194af5dbcf
Opcode Fuzzy Hash: 03c026a301bb0cc2380d6ab5240a8afbfa39764c513a9c82cdfbf83712968e73
Instruction Fuzzy Hash: CF113A302002219FFB21CF19CCC5D227BBAFB857957218A1EE196D61B4D7B2A946DB10

Uniqueness

Uniqueness Score: -1.00%

Function 022A4AF6 Relevance: 5.0, APIs: 4, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(022AEB28,?,00000000,?,?,022A4442,00000010,?,?,?,?,?,022A47F8,022A4845,022A3D1F,022A47FE), ref: 022A4B31
InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,022A4442,00000010,?,?,?,?,?,022A47F8,022A4845,022A3D1F,022A47FE), ref: 022A4B43
LeaveCriticalSection.KERNEL32(022AEB28,?,00000000,?,?,022A4442,00000010,?,?,?,?,?,022A47F8,022A4845,022A3D1F,022A47FE), ref: 022A4B4C
EnterCriticalSection.KERNEL32(00000000,00000000,?,?,022A4442,00000010,?,?,?,?,?,022A47F8,022A4845,022A3D1F,022A47FE,022A00DE), ref: 022A4B5E

Part of subcall function 022A4A63: GetVersion.KERNEL32(?,022A4B06,?,022A4442,00000010,?,?,?,?,?,022A47F8,022A4845,022A3D1F,022A47FE,022A00DE,0229424B), ref: 022A4A76

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: CriticalSection$Enter$InitializeLeaveVersion
String ID:
API String ID: 1193629340-0
Opcode ID: 631e17cbdb14d6e1791b832385aeb816ba35ec560a4e0333494ed590a357289d
Instruction ID: e2ad4d6a568ba3007d98257e9b588e453c692672e500ec9b1d7b427910c95cc5
Opcode Fuzzy Hash: 631e17cbdb14d6e1791b832385aeb816ba35ec560a4e0333494ed590a357289d
Instruction Fuzzy Hash: 45F08735C4221ADFCB10AED4F8E8A56F3ADFB5031AB450C37E64282906D734A026CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0229AF5E Relevance: 5.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,02297712,?,022958D7), ref: 0229AF6B
InitializeCriticalSection.KERNEL32 ref: 0229AF73
InitializeCriticalSection.KERNEL32 ref: 0229AF7B
InitializeCriticalSection.KERNEL32 ref: 0229AF83

Memory Dump Source

Source File: 00000001.00000002.2867397928.0000000002291000.00000020.00000001.01000000.00000007.sdmp, Offset: 02290000, based on PE: true

Associated: 00000001.00000002.2867372627.0000000002290000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867433009.00000000022A6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867489217.00000000022AB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867514455.00000000022AE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867533986.00000000022B0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2867556176.00000000022B3000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2290000_MP3SoundRecorder.jbxd

Similarity

API ID: CriticalInitializeSection
String ID:
API String ID: 32694325-0
Opcode ID: 11c23398fb381638b0888a28cba2018a4252bb8b0d7b240c41d7eadafcf59a66
Instruction ID: 813ff1fbfb00618ec77e1c4dd2fcacf88c53ccc2d23796672db754234896cb82
Opcode Fuzzy Hash: 11c23398fb381638b0888a28cba2018a4252bb8b0d7b240c41d7eadafcf59a66
Instruction Fuzzy Hash: 85C00231D84034DBCF112BE5FC4E8453F65EB042A03178873E9046193086611C32EFF0

Uniqueness

Uniqueness Score: -1.00%

Function 10002461 Relevance: 5.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,1000188D,?,10001617), ref: 1000246E
InitializeCriticalSection.KERNEL32 ref: 10002476
InitializeCriticalSection.KERNEL32 ref: 1000247E
InitializeCriticalSection.KERNEL32 ref: 10002486

Memory Dump Source

Source File: 00000001.00000002.2867990843.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2867967871.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868015784.0000000010006000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868039729.0000000010007000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868064205.0000000010009000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868087376.0000000010029000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2868106967.000000001002B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_MP3SoundRecorder.jbxd

Similarity

API ID: CriticalInitializeSection
String ID:
API String ID: 32694325-0
Opcode ID: 59401af47d23134e9f9d8d6ba6c7e5bbfb0d2d958c8524695e20d76249b0a8a4
Instruction ID: 77f266cca1e1268c95e015309a624f028c9d49f19bcdca1394e85df896d2aaa9
Opcode Fuzzy Hash: 59401af47d23134e9f9d8d6ba6c7e5bbfb0d2d958c8524695e20d76249b0a8a4
Instruction Fuzzy Hash: 7EC00231C55034AAFB112F69FC848C63F26FB062E03218063E10C51078C62A1C11EFF0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\MP3SoundRecorder\Help.chm

C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe

C:\Program Files (x86)\MP3SoundRecorder\lame_enc.dll

C:\Program Files (x86)\MP3SoundRecorder\mp3dec2.dll

C:\Program Files (x86)\MP3SoundRecorder\mp3decdll.dll

C:\Program Files (x86)\MP3SoundRecorder\prmixer.dll

C:\Program Files (x86)\MP3SoundRecorder\readme.txt

C:\Program Files (x86)\MP3SoundRecorder\record.dll

C:\Program Files (x86)\MP3SoundRecorder\set.ini

C:\Program Files (x86)\MP3SoundRecorder\ti.ico

C:\Program Files (x86)\MP3SoundRecorder\ti_play.ico

C:\Program Files (x86)\MP3SoundRecorder\ti_play_p.ico

C:\Program Files (x86)\MP3SoundRecorder\ti_rec.ico

C:\Program Files (x86)\MP3SoundRecorder\ti_rec_p.ico

C:\Users\user\AppData\Local\Temp\aut3EF2.tmp

C:\Users\user\AppData\Local\Temp\aut3F51.tmp

C:\Users\user\AppData\Local\Temp\aut3F90.tmp

C:\Users\user\AppData\Local\Temp\aut3FE0.tmp

C:\Users\user\AppData\Local\Temp\aut404E.tmp

C:\Users\user\AppData\Local\Temp\aut408D.tmp

C:\Users\user\AppData\Local\Temp\aut40DD.tmp

C:\Users\user\AppData\Local\Temp\aut410C.tmp

Windows Analysis Report
SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe

Function 00F43B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00F43633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
timewindowregistryCOMMON

Function 00F44AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00F44FE9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62
COMMON

Function 01111B00 Relevance: 7.7, APIs: 5, Instructions: 206
librarymemoryloaderCOMMON

Function 00FA91FE Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00F471EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00F43A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00F43778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 00F4FBBD Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264
comCOMMON

Function 00F43019 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 69
registrywindowclipboardCOMMON

Function 00F43041 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 54
registrywindowclipboardCOMMON

Function 00F473E5 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 65
COMMON

Function 00F69C66 Relevance: 10.5, APIs: 7, Instructions: 45
threadCOMMON

Function 00F439E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON