Edit tour

Windows Analysis Report
uddisrw.exe

Overview

General Information

Sample name:	uddisrw.exe
Analysis ID:	1428519
MD5:	15b03679ef8ddd85d6af560205265ac9
SHA1:	10edae785656a023cc73b8de403bbf969d4d1c3b
SHA256:	9be8ed92ccdf8f8c499cfe6ba1d6981ec38a076d8de2a1f25a9a484a4ff1c52a
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Contains functionality to detect sleep reduction / modifications

Deletes shadow drive data (may be related to ransomware)

Machine Learning detection for sample

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May check if the current machine is a sandbox (GetTickCount - Sleep)

Program does not show much activity (idle)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

uddisrw.exe (PID: 5568 cmdline: "C:\Users\user\Desktop\uddisrw.exe" MD5: 15B03679EF8DDD85D6AF560205265AC9)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: uddisrw.exe	ReversingLabs: Detection: 75%
Source: uddisrw.exe	Virustotal: Detection: 62%			Perma Link

Machine Learning detection for sample

Source: uddisrw.exe

Joe Sandbox ML: detected

Source: uddisrw.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\Desktop\uddisrw.exe

Code function: 0_2_00404F50 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,

0_2_00404F50

Source: C:\Users\user\Desktop\uddisrw.exe

Code function: 0_2_00426ACC OpenClipboard,GlobalAlloc,GlobalFix,EmptyClipboard,SetClipboardData,GlobalUnWire,

0_2_00426ACC

Source: C:\Users\user\Desktop\uddisrw.exe

Code function: 0_2_00426ACC OpenClipboard,GlobalAlloc,GlobalFix,EmptyClipboard,SetClipboardData,GlobalUnWire,

0_2_00426ACC

Source: C:\Users\user\Desktop\uddisrw.exe

Code function: 0_2_00420564 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader,

0_2_00420564

Source: C:\Users\user\Desktop\uddisrw.exe

Code function: 0_2_00433E78 GetKeyboardState,

0_2_00433E78

Spam, unwanted Advertisements and Ransom Demands

Deletes shadow drive data (may be related to ransomware)

Source: uddisrw.exe	Binary or memory string: vssadmin delete shadows /for=c: /all
Source: uddisrw.exe	Binary or memory string: vssadmin delete shadows /for=f: /all
Source: uddisrw.exe	Binary or memory string: vssadmin delete shadows /for=d: /all
Source: uddisrw.exe	Binary or memory string: vssadmin delete shadows /for=e: /all
Source: uddisrw.exe, 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: vssadmin delete shadows /for=c: /all
Source: uddisrw.exe, 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: vssadmin delete shadows /for=d: /all
Source: uddisrw.exe, 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: vssadmin delete shadows /for=e: /all
Source: uddisrw.exe, 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: vssadmin delete shadows /for=f: /all
Source: uddisrw.exe, 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: vssadmin delete shadows /for=c: /allvssadmin delete shadows /for=d: /allvssadmin delete shadows /for=e: /allvssadmin delete shadows /for=f: /allRDP Admin RestoreSystem Restore Points cleared!Bad Password! If you want to buy "RPD Admin Restore" write to official developer! E-mail: sllrdp@yahoo.comU

Source: C:\Users\user\Desktop\uddisrw.exe	Code function: 0_2_00436DF4 NtdllDefWindowProc_A,GetCapture,	0_2_00436DF4
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: 0_2_004514F4 NtdllDefWindowProc_A,	0_2_004514F4
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: 0_2_0042842C NtdllDefWindowProc_A,	0_2_0042842C
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: 0_2_00446820 GetSubMenu,SaveDC,RestoreDC,SaveDC,RestoreDC,NtdllDefWindowProc_A,	0_2_00446820
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: 0_2_00451C9C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,	0_2_00451C9C
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: 0_2_00451D4C IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,	0_2_00451D4C

Source: C:\Users\user\Desktop\uddisrw.exe	Code function: 0_2_00446820		0_2_00446820
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: 0_2_0044B9EC		0_2_0044B9EC

Source: C:\Users\user\Desktop\uddisrw.exe	Code function: String function: 00403E4C appears 68 times
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: String function: 00405F08 appears 61 times

Source: uddisrw.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: uddisrw.exe

Static PE information: Section: UPX1 ZLIB complexity 0.9916666666666667

Source: classification engine

Classification label: mal60.rans.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\uddisrw.exe

Code function: 0_2_0041D9EC GetLastError,FormatMessageA,

0_2_0041D9EC

Source: C:\Users\user\Desktop\uddisrw.exe

Code function: 0_2_004082EA GetDiskFreeSpaceA,

0_2_004082EA

Source: C:\Users\user\Desktop\uddisrw.exe

Code function: 0_2_00413670 FindResourceA,

0_2_00413670

Source: C:\Users\user\Desktop\uddisrw.exe

Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Jump to behavior

Source: C:\Users\user\Desktop\uddisrw.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: uddisrw.exe	ReversingLabs: Detection: 75%
Source: uddisrw.exe	Virustotal: Detection: 62%

Source: C:\Users\user\Desktop\uddisrw.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\uddisrw.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\uddisrw.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: C:\Users\user\Desktop\uddisrw.exe

Code function: 0_2_00425A1C LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00425A1C

Source: C:\Users\user\Desktop\uddisrw.exe	Code function: 0_2_0043E388 push 0043E415h; ret	0_2_0043E40D
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: 0_2_004261A8 push 004261F7h; ret	0_2_004261EF
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: 0_2_00426250 push 0042627Ch; ret	0_2_00426274
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: 0_2_00426218 push 00426244h; ret	0_2_0042623C
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: 0_2_004262C8 push 004262F4h; ret	0_2_004262EC
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: 0_2_004242EC push 00424318h; ret	0_2_00424310
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: 0_2_00426290 push 004262BCh; ret	0_2_004262B4
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: 0_2_004242AC push 004242D8h; ret	0_2_004242D0
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: 0_2_00426300 push 0042632Ch; ret	0_2_00426324
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: 0_2_0043E320 push 0043E386h; ret	0_2_0043E37E
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: 0_2_00426338 push 00426364h; ret	0_2_0042635C
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: 0_2_004263F0 push 0042641Ch; ret	0_2_00426414
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: 0_2_00426380 push 004263ACh; ret	0_2_004263A4
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: 0_2_004263B8 push 004263E4h; ret	0_2_004263DC
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: 0_2_004105D2 push 0041064Ah; ret	0_2_00410642
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: 0_2_004105D4 push 0041064Ah; ret	0_2_00410642
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: 0_2_0041064C push 004106F4h; ret	0_2_004106EC
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: 0_2_0041A686 push 0041A733h; ret	0_2_0041A72B
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: 0_2_0041A688 push 0041A733h; ret	0_2_0041A72B
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: 0_2_0041A738 push 0041A7C8h; ret	0_2_0041A7C0
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: 0_2_004107E0 push 0041080Ch; ret	0_2_00410804
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: 0_2_004067F4 push ecx; mov dword ptr [esp], eax	0_2_004067F5
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: 0_2_0042886C push 004288AFh; ret	0_2_004288A7
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: 0_2_004288E4 push 00428910h; ret	0_2_00428908
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: 0_2_0042891C push 00428954h; ret	0_2_0042894C
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: 0_2_00412938 push ecx; mov dword ptr [esp], edx	0_2_0041293D
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: 0_2_004069D8 push 00406A04h; ret	0_2_004069FC
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: 0_2_004289B0 push 004289DCh; ret	0_2_004289D4
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: 0_2_0041AA50 push 0041AA80h; ret	0_2_0041AA78
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: 0_2_0041AA54 push 0041AA80h; ret	0_2_0041AA78
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: 0_2_00406A10 push 00406A3Ch; ret	0_2_00406A34

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\uddisrw.exe	Code function: 0_2_0045157C PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	0_2_0045157C
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: 0_2_00438518 IsIconic,GetCapture,	0_2_00438518
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: 0_2_0044E5A4 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,	0_2_0044E5A4
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: 0_2_00438DCC IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	0_2_00438DCC
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: 0_2_004396F0 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	0_2_004396F0
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: 0_2_00451C9C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,	0_2_00451C9C
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: 0_2_00451D4C IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,	0_2_00451D4C
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: 0_2_00423D64 IsIconic,GetWindowPlacement,GetWindowRect,	0_2_00423D64

Source: C:\Users\user\Desktop\uddisrw.exe

0_2_00425A1C

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\Desktop\uddisrw.exe

Code function: 0_2_0042D70C

0_2_0042D70C

Source: C:\Users\user\Desktop\uddisrw.exe

Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,

0_2_00450AEC

Source: C:\Users\user\Desktop\uddisrw.exe

API coverage: 5.9 %

Source: C:\Users\user\Desktop\uddisrw.exe

Code function: 0_2_0042D70C

0_2_0042D70C

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\uddisrw.exe

Code function: 0_2_00404F50 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,

0_2_00404F50

Source: C:\Users\user\Desktop\uddisrw.exe

Code function: 0_2_0041DF7C GetSystemInfo,

0_2_0041DF7C

Source: C:\Users\user\Desktop\uddisrw.exe

0_2_00425A1C

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\uddisrw.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	0_2_00405108
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: GetLocaleInfoA,GetACP,	0_2_0040C228
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: GetLocaleInfoA,	0_2_0040ABC0
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: GetLocaleInfoA,	0_2_0040AC0C
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: GetLocaleInfoA,	0_2_004059FE
Source: C:\Users\user\Desktop\uddisrw.exe	Code function: GetLocaleInfoA,	0_2_00405A00

Source: C:\Users\user\Desktop\uddisrw.exe

Code function: 0_2_0040965C GetLocalTime,

0_2_0040965C

Source: C:\Users\user\Desktop\uddisrw.exe

Code function: 0_2_0043E388 GetVersion,

0_2_0043E388

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	11 Input Capture	1 System Time Discovery	Remote Services	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	21 Obfuscated Files or Information	LSASS Memory	12 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Software Packing	Security Account Manager	11 Application Window Discovery	SMB/Windows Admin Shares	3 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	15 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
uddisrw.exe	75%	ReversingLabs	Win32.Trojan.RDPAdminRestore
uddisrw.exe	63%	Virustotal		Browse
uddisrw.exe	100%	Joe Sandbox ML

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1428519
Start date and time:	2024-04-19 05:20:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	uddisrw.exe
Detection:	MAL
Classification:	mal60.rans.evad.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 87% Number of executed functions: 29 Number of non-executed functions: 124
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.607167615324382
TrID:	Win32 Executable (generic) a (10002005/4) 99.37% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02%
File name:	uddisrw.exe
File size:	188'416 bytes
MD5:	15b03679ef8ddd85d6af560205265ac9
SHA1:	10edae785656a023cc73b8de403bbf969d4d1c3b
SHA256:	9be8ed92ccdf8f8c499cfe6ba1d6981ec38a076d8de2a1f25a9a484a4ff1c52a
SHA512:	b6abc10e6354ee97b86e273721ac496aedf00c7eb6939a4f05fcebf0f8cac2b6d395b051ac195ee339ed21bd1e7c386b01fd5cb2caeb37b8eb987e37c11271c4
SSDEEP:	3072:5b4n6sCXsSn2FUyrrE9CWoEyNzEubORHOhYHg+JBHEADZ4G0XKjITBI:9GIG0VyNovHHGASGU
TLSH:	D004D012B3EA4542F5FA5B74587B07A40A76FC52B8B6CE0E5150BD4F2C30A40AEB2777
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	8d8db280a28080a0

Static PE Info

General

Entrypoint:	0x46e5e0
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	c70d1b73499e57495a114d2449dd6bf7

Entrypoint Preview

Instruction
pushad
mov esi, 00449000h
lea edi, dword ptr [esi-00048000h]
mov dword ptr [edi+0005409Ch], E486D0DCh
push edi
or ebp, FFFFFFFFh
jmp 00007F288DA13720h
nop
nop
nop
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007F288DA13719h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F288DA136FFh
mov eax, 00000001h
add ebx, ebx
jne 00007F288DA13719h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007F288DA1371Dh
jne 00007F288DA1373Ah
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F288DA13731h
dec eax
add ebx, ebx
jne 00007F288DA13719h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007F288DA136E6h
add ebx, ebx
jne 00007F288DA13719h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007F288DA13764h
xor ecx, ecx
sub eax, 03h
jc 00007F288DA13723h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007F288DA13787h
sar eax, 1
mov ebp, eax
jmp 00007F288DA1371Dh
add ebx, ebx
jne 00007F288DA13719h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F288DA136DEh
inc ecx
add ebx, ebx
jne 00007F288DA13719h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F288DA136D0h
add ebx, ebx
jne 00007F288DA13719h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007F288DA13701h
jne 00007F288DA1371Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F288DA136F6h
add ecx, 02h
cmp ebp, 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x76fc0	0x254	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6f000	0x7fc0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x6e798	0x18	UPX1
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x48000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0x49000	0x26000	0x25800	ae0ce72c135a8980724195d15068a33e	False	0.9916666666666667	data	7.921188737893131	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6f000	0x9000	0x8400	f064885f40ad42f0f51177e0d97124ee	False	0.3166133996212121	data	4.6643193231062625	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x6fadc	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"			0.38636363636363635
RT_CURSOR	0x6fc14	0x134	data			0.4642857142857143
RT_CURSOR	0x6fd4c	0x134	data			0.4805194805194805
RT_CURSOR	0x6fe84	0x134	data			0.38311688311688313
RT_CURSOR	0x6ffbc	0x134	data			0.36038961038961037
RT_CURSOR	0x700f4	0x134	data			0.4090909090909091
RT_CURSOR	0x7022c	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"			0.4967532467532468
RT_BITMAP	0x70364	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.43103448275862066
RT_BITMAP	0x70538	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380			0.46487603305785125
RT_BITMAP	0x70720	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.43103448275862066
RT_BITMAP	0x708f4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39870689655172414
RT_BITMAP	0x70ac8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.4245689655172414
RT_BITMAP	0x70c9c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5021551724137931
RT_BITMAP	0x70e70	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5064655172413793
RT_BITMAP	0x71044	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39655172413793105
RT_BITMAP	0x71218	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5344827586206896
RT_BITMAP	0x713ec	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39655172413793105
RT_BITMAP	0x715c0	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128			0.4870689655172414
RT_ICON	0x716ac	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	Russian	Russia	0.1586021505376344
RT_ICON	0x71998	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	Russian	Russia	0.3310810810810811
RT_DIALOG	0x71ac4	0x52	data			0.7682926829268293
RT_STRING	0x71b1c	0x1d4	AmigaOS bitmap font "n", fc_YSize 27392, 18688 elements, 2nd "S", 3rd			0.43162393162393164
RT_STRING	0x71cf4	0x1c8	data			0.4298245614035088
RT_STRING	0x71ec0	0xe8	data			0.603448275862069
RT_STRING	0x71fac	0x31c	data			0.43844221105527637
RT_STRING	0x722cc	0xd4	data			0.6037735849056604
RT_STRING	0x723a4	0x110	data			0.5882352941176471
RT_STRING	0x724b8	0x24c	data			0.4846938775510204
RT_STRING	0x72708	0x3f8	data			0.37401574803149606
RT_STRING	0x72b04	0x384	data			0.39444444444444443
RT_STRING	0x72e8c	0x440	data			0.34650735294117646
RT_STRING	0x732d0	0x160	data			0.48011363636363635
RT_STRING	0x73434	0xec	data			0.538135593220339
RT_STRING	0x73524	0x20c	data			0.5076335877862596
RT_STRING	0x73734	0x3d0	data			0.3176229508196721
RT_STRING	0x73b08	0x374	data			0.39705882352941174
RT_STRING	0x73e80	0x2c4	data			0.4166666666666667
RT_RCDATA	0x74148	0x10	data			1.5
RT_RCDATA	0x7415c	0x264	data			0.7450980392156863
RT_RCDATA	0x743c4	0x2b2b	Delphi compiled form 'TForm1'			0.3548095195004977
RT_GROUP_CURSOR	0x76ef4	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.25
RT_GROUP_CURSOR	0x76f0c	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.25
RT_GROUP_CURSOR	0x76f24	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x76f3c	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x76f54	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x76f6c	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x76f84	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_ICON	0x76f9c	0x22	data	Russian	Russia	1.0

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
advapi32.dll	RegCloseKey
comctl32.dll	ImageList_Add
gdi32.dll	SaveDC
ole32.dll	CoTaskMemFree
oleaut32.dll	VariantCopy
shell32.dll	ShellExecuteA
user32.dll	GetDC
version.dll	VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia

Target ID:	0
Start time:	05:20:58
Start date:	19/04/2024
Path:	C:\Users\user\Desktop\uddisrw.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\uddisrw.exe"
Imagebase:	0x400000
File size:	188'416 bytes
MD5 hash:	15B03679EF8DDD85D6AF560205265AC9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	17.6%
Total number of Nodes:	716
Total number of Limit Nodes:	42

Executed Functions

Function 00405108 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 184
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 00405124
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405142
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405160
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 0040517E
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,0040520D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 004051C7
RegQueryValueExA.ADVAPI32(?,00405374,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,0040520D,?,80000001), ref: 004051E5
RegCloseKey.ADVAPI32(?,00405214,00000000,00000000,00000005,00000000,0040520D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405207
lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00405224
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405231
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00405237
lstrlen.KERNEL32(00000000), ref: 00405262
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 004052A9
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 004052B9
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 004052E1
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 004052F1
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 00405317
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 00405327

Strings

Software\Borland\Delphi\Locales, xrefs: 00405174
., xrefs: 00405274
Software\Borland\Locales, xrefs: 00405138, 00405156

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: .$Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-3917250287
Opcode ID: a96ba6f3d57858a31642be91c2c1660e2566413ffa2324dc1f5ed153a5c36293
Instruction ID: f39e2658e630fc983f2e356cc4e51d520bdebfd9d9cba258cf95575af5e6b52e
Opcode Fuzzy Hash: a96ba6f3d57858a31642be91c2c1660e2566413ffa2324dc1f5ed153a5c36293
Instruction Fuzzy Hash: 28513675A4065C7AEB21D6A49C46FEF77ACDB04744F4001FABA04F61C2D6BC9A448FA4

Uniqueness

Uniqueness Score: -1.00%

Function 0045157C Relevance: 28.4, APIs: 13, Strings: 3, Instructions: 401
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

RegisterAutomation, xrefs: 00451980
<{E, xrefs: 00451BCF
vcltest3.dll, xrefs: 0045195F

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID:
String ID: <{E$RegisterAutomation$vcltest3.dll
API String ID: 0-1603752472
Opcode ID: 347ced46e12611a09298e37c1193e6f9c6ead222187cce7752a62d8540588f59
Instruction ID: b88bb157845385af098c6dfddcc3ac8cf4832e5f2524dcb4476ef96b31299d50
Opcode Fuzzy Hash: 347ced46e12611a09298e37c1193e6f9c6ead222187cce7752a62d8540588f59
Instruction Fuzzy Hash: 35E16E34A00204EFD711EB69C585B9EB7B1AF08312F1885A6EC559B363C739EE49DB0D

Uniqueness

Uniqueness Score: -1.00%

Function 00436DF4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCapture.USER32 ref: 00436F18

Strings

, xrefs: 00436E6A

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Capture
String ID:
API String ID: 1145282425-3916222277
Opcode ID: 07c41cdc35437ce162e86322c0d51968cb14c4815cb58b7b6ffbb32da317c318
Instruction ID: 554812eb1dae3392a82452ce206b10fbd2ba2e02b10e8cfea73f80493650c722
Opcode Fuzzy Hash: 07c41cdc35437ce162e86322c0d51968cb14c4815cb58b7b6ffbb32da317c318
Instruction Fuzzy Hash: 2531927130020267C6209A3DE98AB1B62969B4C318F12E97FF95AC7796DA3CDC09874D

Uniqueness

Uniqueness Score: -1.00%

Function 0043E388 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(00000000,0043E40E), ref: 0043E3A2

Part of subcall function 0043E154: GetCurrentProcessId.KERNEL32(?,00000000,0043E2CC), ref: 0043E175
Part of subcall function 0043E154: GlobalAddAtomA.KERNEL32(00000000), ref: 0043E1A8
Part of subcall function 0043E154: GetCurrentThreadId.KERNEL32 ref: 0043E1C3
Part of subcall function 0043E154: GlobalAddAtomA.KERNEL32(00000000), ref: 0043E1F9
Part of subcall function 0043E154: RegisterClipboardFormatA.USER32(00000000), ref: 0043E20F
Part of subcall function 0043E154: GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,0043E2CC), ref: 0043E293
Part of subcall function 0043E154: GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 0043E2A4

Strings

pB, xrefs: 0043E3BC, 0043E3C6, 0043E3D0, 0043E3E0, 0043E3F0
dC, xrefs: 0043E3E6

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: AtomCurrentGlobal$AddressClipboardFormatHandleModuleProcProcessRegisterThreadVersion
String ID: dC$pB
API String ID: 3775504709-249962129
Opcode ID: 19d89e689092043ce1489251b45bcd79277814a2984b4c0b6d5fe934b3eff3aa
Instruction ID: 4e3c793b71e5f5dd87916ac53aa81f21ee996455f42a11da73aec5289c8e53e5
Opcode Fuzzy Hash: 19d89e689092043ce1489251b45bcd79277814a2984b4c0b6d5fe934b3eff3aa
Instruction Fuzzy Hash: E1F087752062409BDA21AF67ED4292877E5E78E7093905437E800876B2CA3DAC82CA1E

Uniqueness

Uniqueness Score: -1.00%

Function 00433E78 Relevance: 1.6, APIs: 1, Instructions: 129COMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00433FAD

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: KeyboardState
String ID:
API String ID: 1724228437-0
Opcode ID: 5b50e5dddf23abd1af27664baab8fe48e233c7832484fa6403225e376df905c6
Instruction ID: dd2d9c4184fe1fe8c051bfea4c191e6a93290c365499a4c21227d04fdb2ddd14
Opcode Fuzzy Hash: 5b50e5dddf23abd1af27664baab8fe48e233c7832484fa6403225e376df905c6
Instruction Fuzzy Hash: 3B41D335A002458BCB24CF28C5897AAB7B0FF0D706F9451ABE406D7391C778DE81CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00413670 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,00000000,0000000A), ref: 00413692

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: FindResource
String ID:
API String ID: 1635176832-0
Opcode ID: af64b7274bdfc717c57d1347c2e11009f3a843c81ef647ff9d3472dfa5c6db4a
Instruction ID: 58c8ebf466a5e2a4c2c8ed80f9096650ecd981e0c89ab2eab555b394c5652303
Opcode Fuzzy Hash: af64b7274bdfc717c57d1347c2e11009f3a843c81ef647ff9d3472dfa5c6db4a
Instruction Fuzzy Hash: 6A014231304700BFE310DF6AEC82DABB7EDEB89358751407AF90093381DA3A9D018268

Uniqueness

Uniqueness Score: -1.00%

Function 004514F4 Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 0045151E

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: b32ebc1d6237c860dae1a55d69654799d2a833a100e58c7b0d16655b954f0a80
Instruction ID: bd16abde2db3fb653f2c583f866146c42fe2942542061f9507577dc58bb8ac38
Opcode Fuzzy Hash: b32ebc1d6237c860dae1a55d69654799d2a833a100e58c7b0d16655b954f0a80
Instruction Fuzzy Hash: 4EF0C579205608AFCB40DF9DC588D4AFBE8BB4C360B058195BD88CB322C234FD808F90

Uniqueness

Uniqueness Score: -1.00%

Function 0043E154 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 103
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32(?,00000000,0043E2CC), ref: 0043E175
GlobalAddAtomA.KERNEL32(00000000), ref: 0043E1A8
GetCurrentThreadId.KERNEL32 ref: 0043E1C3
GlobalAddAtomA.KERNEL32(00000000), ref: 0043E1F9
RegisterClipboardFormatA.USER32(00000000), ref: 0043E20F

Part of subcall function 00413CD4: RtlInitializeCriticalSection.NTDLL(00411810), ref: 00413CF3

Part of subcall function 0043DD58: SetErrorMode.KERNEL32(00008000), ref: 0043DD71
Part of subcall function 0043DD58: GetModuleHandleA.KERNEL32(USER32,00000000,0043DEBE,?,00008000), ref: 0043DD95
Part of subcall function 0043DD58: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 0043DDA2
Part of subcall function 0043DD58: LoadLibraryA.KERNEL32(imm32.dll,00000000,0043DEBE,?,00008000), ref: 0043DDBE
Part of subcall function 0043DD58: GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 0043DDE0
Part of subcall function 0043DD58: GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 0043DDF5
Part of subcall function 0043DD58: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 0043DE0A
Part of subcall function 0043DD58: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 0043DE1F
Part of subcall function 0043DD58: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 0043DE34
Part of subcall function 0043DD58: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 0043DE49
Part of subcall function 0043DD58: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 0043DE5E
Part of subcall function 0043DD58: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 0043DE73
Part of subcall function 0043DD58: GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 0043DE88
Part of subcall function 0043DD58: GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 0043DE9D
Part of subcall function 0043DD58: SetErrorMode.KERNEL32(?,0043DEC5,00008000), ref: 0043DEB8

Part of subcall function 0044FC10: GetKeyboardLayout.USER32(00000000), ref: 0044FC55

Part of subcall function 00450CF4: LoadIconA.USER32(00400000,MAINICON), ref: 00450DD9
Part of subcall function 00450CF4: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,0043E264,00000000,00000000,?,?,00000000,0043E2CC), ref: 00450E0B
Part of subcall function 00450CF4: OemToCharA.USER32(?,?), ref: 00450E1E
Part of subcall function 00450CF4: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,0043E264,00000000,00000000,?,?,00000000,0043E2CC), ref: 00450E5E

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,0043E2CC), ref: 0043E293
GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 0043E2A4

Strings

AnimateWindow, xrefs: 0043E29E
Delphi%.8X, xrefs: 0043E186
{E, xrefs: 0043E24E
USER32, xrefs: 0043E28E
ControlOfs%.8X%.8X, xrefs: 0043E1D7

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: AddressProc$Module$AtomCharCurrentErrorGlobalHandleLoadMode$ClipboardCriticalFileFormatIconInitializeKeyboardLayoutLibraryLowerNameProcessRegisterSectionThread
String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32${E
API String ID: 4060921093-4086590436
Opcode ID: 6c3ece6ce0b5074ceffad0ee257d3876fa7edf604c8ffbf1a10c5e346894de3b
Instruction ID: c7dd393140008b957a32242479e46f18357502d5fb7d4021e294ecd5359a9ed4
Opcode Fuzzy Hash: 6c3ece6ce0b5074ceffad0ee257d3876fa7edf604c8ffbf1a10c5e346894de3b
Instruction Fuzzy Hash: 684153706043059BC700EFB6EC41A9E77A9EB49309B50557BF504E7392DB3CA9048F9C

Uniqueness

Uniqueness Score: -1.00%

Function 00450FFC Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 132
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041A4F0: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0041A50E

GetClassInfoA.USER32(00400000,00450CE4,?), ref: 0045105B
RegisterClassA.USER32(00455D90), ref: 00451073

Part of subcall function 004059A8: LoadStringA.USER32(00000000,00010000,?,00000400), ref: 004059D9

SetWindowLongA.USER32(0000000E,000000FC,10940000), ref: 0045110F
SendMessageA.USER32(0000000E,00000080,00000001,00000000), ref: 00451131
SetClassLongA.USER32(0000000E,000000F2,00000000), ref: 00451144
GetSystemMenu.USER32(0000000E,00000000,0000000E,000000FC,10940000,004490E4), ref: 0045114F
DeleteMenu.USER32(00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,004490E4), ref: 0045115E
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,004490E4), ref: 0045116B
DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,004490E4), ref: 00451182

Strings

HpE, xrefs: 00451025
@{E, xrefs: 00451114, 00451170

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Menu$ClassDelete$Long$AllocInfoLoadMessageRegisterSendStringSystemVirtualWindow
String ID: @{E$HpE
API String ID: 2103932818-1354868932
Opcode ID: 4abbe94da188854a3975917ea57042f9d34f2a31a5084c9916c742c163426a69
Instruction ID: 6a0a22d6e1fa7804b16bdb6940df3865478dc4194053cda8d262482591844620
Opcode Fuzzy Hash: 4abbe94da188854a3975917ea57042f9d34f2a31a5084c9916c742c163426a69
Instruction Fuzzy Hash: CC418D716007406FE710EB69DC92F6A37A8AB08705F54457AFE00EB2E3D679AC448B2C

Uniqueness

Uniqueness Score: -1.00%

Function 00436398 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 134
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassInfoA.USER32(?,?,?), ref: 0043645C
UnregisterClassA.USER32(?,?), ref: 00436484
RegisterClassA.USER32(?), ref: 0043649A
GetWindowLongA.USER32(00000000,000000F0), ref: 004364D6
GetWindowLongA.USER32(00000000,000000F4), ref: 004364EB
SetWindowLongA.USER32(00000000,000000F4,00000000), ref: 004364FE

Strings

@, xrefs: 004363D1

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: ClassLongWindow$InfoRegisterUnregister
String ID: @
API String ID: 717780171-2766056989
Opcode ID: 9d41f88d78ae07b292a5db163ba29e7f9bde713654d9c0a1859c5e72553215cc
Instruction ID: 4296d43c3148fcb51ebbad4fe7a53b0e5fccd305e52e79590bc99f5e139ffeb6
Opcode Fuzzy Hash: 9d41f88d78ae07b292a5db163ba29e7f9bde713654d9c0a1859c5e72553215cc
Instruction Fuzzy Hash: 46519470A00755ABDB20DF69CC41B9A77E8AB08308F51867EF845E7392DB38AD45CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00450CF4 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 125
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadIconA.USER32(00400000,MAINICON), ref: 00450DD9
GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,0043E264,00000000,00000000,?,?,00000000,0043E2CC), ref: 00450E0B
OemToCharA.USER32(?,?), ref: 00450E1E
CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,0043E264,00000000,00000000,?,?,00000000,0043E2CC), ref: 00450E5E

Strings

,pE, xrefs: 00450DD1, 00450E03
4pE, xrefs: 00450E79
MAINICON, xrefs: 00450DCC

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Char$FileIconLoadLowerModuleName
String ID: ,pE$4pE$MAINICON
API String ID: 3935243913-1334955646
Opcode ID: 8c1f4943065310d99cae21c39aaea1722175e661cd09995e554d317816210388
Instruction ID: 193c8e7524abc82f34fd93deeb3206cf4df592068f72f6e6ac474e9293ca7284
Opcode Fuzzy Hash: 8c1f4943065310d99cae21c39aaea1722175e661cd09995e554d317816210388
Instruction Fuzzy Hash: 57516E706042449FDB10DF29C8C5B853BE4AB15309F4484BAEC48DF397DBBAD988CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004503EC Relevance: 10.6, APIs: 7, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 00450440
CreateFontIndirectA.GDI32(?), ref: 0045044D
GetStockObject.GDI32(0000000D), ref: 00450463

Part of subcall function 0041CA9C: MulDiv.KERNEL32(00000000,?,00000048), ref: 0041CAA9

SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 0045048C
CreateFontIndirectA.GDI32(?), ref: 0045049C
CreateFontIndirectA.GDI32(?), ref: 004504B5
GetStockObject.GDI32(0000000D), ref: 004504DB

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: CreateFontIndirect$InfoObjectParametersStockSystem
String ID:
API String ID: 2891467149-0
Opcode ID: ad41d8092ca48c4981d37cf6ca9ba28f30a9f4910c0603dbb32acb65ca7139c3
Instruction ID: a628e6160f79baa54a51fc7ba6408d02271e89fe82e949b845d254c86157f910
Opcode Fuzzy Hash: ad41d8092ca48c4981d37cf6ca9ba28f30a9f4910c0603dbb32acb65ca7139c3
Instruction Fuzzy Hash: BC319430644344AFD750EB69DC82BDA33E4AB05309F448077B948EB3D7DA78A849CB2D

Uniqueness

Uniqueness Score: -1.00%

Function 004019FC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlInitializeCriticalSection.NTDLL(004575C8), ref: 00401A12
RtlEnterCriticalSection.NTDLL(004575C8), ref: 00401A25
LocalAlloc.KERNEL32(00000000,00000FF8,00000000,00401AB2), ref: 00401A4F
RtlLeaveCriticalSection.NTDLL(004575C8), ref: 00401AAC

Strings

$fT, xrefs: 00401A2A

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID: $fT
API String ID: 730355536-2678353634
Opcode ID: 688a74191adbd4945856128e2e41dd901a7c4e7e6ba2938a945e01d5e641732d
Instruction ID: b230f1932cda428b8260cbae10276f21d1a3b3272c4d895e69353b5cd3ab0692
Opcode Fuzzy Hash: 688a74191adbd4945856128e2e41dd901a7c4e7e6ba2938a945e01d5e641732d
Instruction Fuzzy Hash: 4B01D2B034C7806EE319AB6DB806B193AC5E74971AF40847BF901A6AF3D77C98448B1D

Uniqueness

Uniqueness Score: -1.00%

Function 0044B134 Relevance: 7.7, APIs: 5, Instructions: 171
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MulDiv.KERNEL32(00000000,?,00000000), ref: 0044B1F3
MulDiv.KERNEL32(?,00000000,00000000), ref: 0044B26F
MulDiv.KERNEL32(?,00000000,00000000), ref: 0044B29E
MulDiv.KERNEL32(?,00000000,00000000), ref: 0044B2CD
MulDiv.KERNEL32(?,00000000,00000000), ref: 0044B2F0

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ff56948b75102b2e80e7556844d65bd8fdcdb1231d0562fde3b5e5c82b6e0c7
Instruction ID: 33cc6e31086da4e56aed25d9d1255d91e9a888dda6e866561224b6b03eea3de1
Opcode Fuzzy Hash: 3ff56948b75102b2e80e7556844d65bd8fdcdb1231d0562fde3b5e5c82b6e0c7
Instruction Fuzzy Hash: 1F71C434A04204EFDB44DBA9C589AAEB7F5FF48304F2541F6E808DB362D779AE419B44

Uniqueness

Uniqueness Score: -1.00%

Function 0044C68C Relevance: 6.1, APIs: 4, Instructions: 148
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetMenu.USER32(00000000), ref: 0044C7B0
SetMenu.USER32(00000000,00000000), ref: 0044C7CD
SetMenu.USER32(00000000,00000000), ref: 0044C802
SetMenu.USER32(00000000,00000000), ref: 0044C81E

Part of subcall function 004059A8: LoadStringA.USER32(00000000,00010000,?,00000400), ref: 004059D9

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Menu$LoadString
String ID:
API String ID: 3688185913-0
Opcode ID: a2e5e0b89e530da24886f40fe45cdb062893a23d31f7ff79b50e9f1078e0baa3
Instruction ID: 5ca13b8030b52ac30ea9c87479a86cb73ed16ed427c8110f87ed8e9fbe7240d2
Opcode Fuzzy Hash: a2e5e0b89e530da24886f40fe45cdb062893a23d31f7ff79b50e9f1078e0baa3
Instruction Fuzzy Hash: BE51CF31A062025BEB90AF7A88C575A7794AF08308F1D557BAC04DB397CB7CDC458B9D

Uniqueness

Uniqueness Score: -1.00%

Function 00423C4C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32(?), ref: 00423CAE

Part of subcall function 00423B64: GetProcAddress.KERNEL32(75BD0000,00000000), ref: 00423BE4

KiUserCallbackDispatcher.NTDLL(?), ref: 00423C74

Strings

GetSystemMetrics, xrefs: 00423C5C

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: AddressCallbackDispatcherMetricsProcSystemUser
String ID: GetSystemMetrics
API String ID: 54681038-96882338
Opcode ID: 051c793e55aa9cb20c5bdfec64bbba10a9f07d0f0052bcdc44b092a2488ce68c
Instruction ID: c93a458202d15a70f1552a38c32cf454053aac7a36a6548499e2b65510db751f
Opcode Fuzzy Hash: 051c793e55aa9cb20c5bdfec64bbba10a9f07d0f0052bcdc44b092a2488ce68c
Instruction Fuzzy Hash: F3F0F6327187306BC7101F3ABC882223966D786337FE08B33E522662D6C23CCA80925C

Uniqueness

Uniqueness Score: -1.00%

Function 00401514 Relevance: 4.5, APIs: 2, Strings: 1, Instructions: 37
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,0040181D), ref: 00401543
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,0040181D), ref: 0040156A

Strings

$fT, xrefs: 00401552

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Virtual$AllocFree
String ID: $fT
API String ID: 2087232378-2678353634
Opcode ID: 55ad27b4d9be78aaded14158e98809db540f20d495c412bcff766984091452c0
Instruction ID: ecd54b832418f8b547674ed0810c5eac96f77702ef0ad0a1f87835ef73e5f5c2
Opcode Fuzzy Hash: 55ad27b4d9be78aaded14158e98809db540f20d495c412bcff766984091452c0
Instruction Fuzzy Hash: C8F08272F0062027EB605AAA5C81B535A849B857A0F1540B6FE09FF3E9D6B58C0142AD

Uniqueness

Uniqueness Score: -1.00%

Function 004020E8 Relevance: 3.1, APIs: 2, Instructions: 124COMMON

Download Yara Rule

APIs

Part of subcall function 004019FC: RtlInitializeCriticalSection.NTDLL(004575C8), ref: 00401A12
Part of subcall function 004019FC: RtlEnterCriticalSection.NTDLL(004575C8), ref: 00401A25
Part of subcall function 004019FC: LocalAlloc.KERNEL32(00000000,00000FF8,00000000,00401AB2), ref: 00401A4F
Part of subcall function 004019FC: RtlLeaveCriticalSection.NTDLL(004575C8), ref: 00401AAC

RtlEnterCriticalSection.NTDLL(004575C8), ref: 00402133
RtlLeaveCriticalSection.NTDLL(004575C8), ref: 0040225E

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: CriticalSection$EnterLeave$AllocInitializeLocal
String ID:
API String ID: 2227675388-0
Opcode ID: 512bae4e56b6d948be3375ffe5907b21c3443cf355e0a3ae2a46fd843fb0ae5c
Instruction ID: 6e3522476744b8091debb4a1f8ccbd30798f8b1ed913e5f96cfb48642d89c3db
Opcode Fuzzy Hash: 512bae4e56b6d948be3375ffe5907b21c3443cf355e0a3ae2a46fd843fb0ae5c
Instruction Fuzzy Hash: 084103B2A08B059FD714CF69ED8922977E0FB45329B2541BFD405E77E2E2789901CB0C

Uniqueness

Uniqueness Score: -1.00%

Function 0040173C Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,?,00004000,?,?,?,?,?,004019A3), ref: 00401796

Strings

$fT, xrefs: 0040176B, 004017AB

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: FreeVirtual
String ID: $fT
API String ID: 1263568516-2678353634
Opcode ID: 35ff8af073e1aa1b0eda225f0ca734fe8a36c63184a5147fd2c964975d1f05aa
Instruction ID: 5347538302289b39a87cc1cbf9147b4efb0275ef4e1199c83e105687328eea09
Opcode Fuzzy Hash: 35ff8af073e1aa1b0eda225f0ca734fe8a36c63184a5147fd2c964975d1f05aa
Instruction Fuzzy Hash: 9601FC7A6483045FC3109E19ECC0E2677E8E7C4324F15057EDE8467791D23A7C0187D8

Uniqueness

Uniqueness Score: -1.00%

Function 0044FFCC Relevance: 3.0, APIs: 2, Instructions: 37COMMON

Download Yara Rule

APIs

LoadCursorA.USER32(00000000,00007F00), ref: 0044FFD9
LoadCursorA.USER32(00000000,00000000), ref: 00450008

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: CursorLoad
String ID:
API String ID: 3238433803-0
Opcode ID: c90d29dfdef8e3a9b86e636cd5345329ba546c4c78376db4b6e43d579b86f580
Instruction ID: 89c2db2620ae318e77c9e771658941828715bcb9550915bfc688f32212b20cb9
Opcode Fuzzy Hash: c90d29dfdef8e3a9b86e636cd5345329ba546c4c78376db4b6e43d579b86f580
Instruction Fuzzy Hash: F8F0825260460517A660153E6CD1E7A72549F87735B71033BFE3AD72D2C6396C094269

Uniqueness

Uniqueness Score: -1.00%

Function 004067A8 Relevance: 3.0, APIs: 2, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32 ref: 004067AA
GlobalFix.KERNEL32(00000000), ref: 004067B0

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Global$Alloc
String ID:
API String ID: 2558781224-0
Opcode ID: d0913a57199ed994952fa2cb2aa43fc8775aa1ebc4189e77b53c8f1b771751b3
Instruction ID: 2b8c684d91631cc22b0dedc1caa53351a7ec1879717826d0b172dfe36e651fef
Opcode Fuzzy Hash: d0913a57199ed994952fa2cb2aa43fc8775aa1ebc4189e77b53c8f1b771751b3
Instruction Fuzzy Hash: 7E9002C4C44A4624DC0032B20C0EC2B011CD8D07893D0486E3204B30C2883C8408087C

Uniqueness

Uniqueness Score: -1.00%

Function 0044FC10 Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

GetKeyboardLayout.USER32(00000000), ref: 0044FC55

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: KeyboardLayout
String ID:
API String ID: 194098044-0
Opcode ID: ba0b02a276916dbdd5c152d5463b2df572eca4c2c341af2344cd164962cde73e
Instruction ID: 737a5da957d1acb7e065ac84cb52e1c5cfec85c016efc306f8133949f664d230
Opcode Fuzzy Hash: ba0b02a276916dbdd5c152d5463b2df572eca4c2c341af2344cd164962cde73e
Instruction Fuzzy Hash: 0131E8706012409FD780EF2AD8C6B897BE4FB05319F44947AF908DF3A7D77A98498B58

Uniqueness

Uniqueness Score: -1.00%

Function 0040682E Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040686F

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 28153b03f0b743c6ac317ed098dba2bcb2724b2b2579fcfeeb562e3b3203a486
Instruction ID: 9fd04c6d1ea8a1780bd450825aeba36e2f4b0b62bb765e54a42d2b59d4750e2c
Opcode Fuzzy Hash: 28153b03f0b743c6ac317ed098dba2bcb2724b2b2579fcfeeb562e3b3203a486
Instruction Fuzzy Hash: 94F07FB2700118BF9B80DE9DDD85E9B77ECEB4D2A4B05412AFA18E3241D674ED108BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00406830 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040686F

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: d374a84ff4e1095332f22a99f92893de7b78e9ea6f6785a7d78b78e664dcd412
Instruction ID: 24c2384f2444b5c54ef6e7bda58e69125ec0c6dd7685a054b927d8c168e1b2c3
Opcode Fuzzy Hash: d374a84ff4e1095332f22a99f92893de7b78e9ea6f6785a7d78b78e664dcd412
Instruction Fuzzy Hash: FEF07FB2700118AF8B80DE9DDD85E9B77ECEB4D2A4B05412AFA18E3241D674ED108BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00406888 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 004068C5

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 2c052e2bd1e4ce88e616795498bdfba176ef8adfd9fde8c5d18966ffe642fe8f
Instruction ID: f278d5f4e63813ecd907300d4262c72ee52343325b9a7d8943214d9be143a385
Opcode Fuzzy Hash: 2c052e2bd1e4ce88e616795498bdfba176ef8adfd9fde8c5d18966ffe642fe8f
Instruction Fuzzy Hash: B5F097B2704118BFDB80DE9DDD85E9B77ECEB4D264B014129BA1CE7241D574ED1087A4

Uniqueness

Uniqueness Score: -1.00%

Function 00432A90 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?), ref: 00432ACB

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 3e450580647ac04c52fe3c9217b9489fe8f4b0b89d3e34e1a1c747df32f352d3
Instruction ID: 2b489bd349fd00ef9accd65a6c2d7a08998cef0b38985eff922cf8e7109b24d4
Opcode Fuzzy Hash: 3e450580647ac04c52fe3c9217b9489fe8f4b0b89d3e34e1a1c747df32f352d3
Instruction Fuzzy Hash: CDF0D4362042019FC704DF5CC8C498ABBE5FF89255F0446A8FA89CB356DA32E814CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00404ECC Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00404EEA

Part of subcall function 00405108: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 00405124
Part of subcall function 00405108: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405142
Part of subcall function 00405108: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405160
Part of subcall function 00405108: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 0040517E
Part of subcall function 00405108: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,0040520D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 004051C7
Part of subcall function 00405108: RegQueryValueExA.ADVAPI32(?,00405374,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,0040520D,?,80000001), ref: 004051E5
Part of subcall function 00405108: RegCloseKey.ADVAPI32(?,00405214,00000000,00000000,00000005,00000000,0040520D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405207

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: 2858df2f5e5b77bb82a75d1197f3d6663a494ab9f4d08f3414ad2a21b15d5c57
Instruction ID: dba90c1b99b310cad43317f1c0836f1190acbd56573604c4e15555bb5ae98e0e
Opcode Fuzzy Hash: 2858df2f5e5b77bb82a75d1197f3d6663a494ab9f4d08f3414ad2a21b15d5c57
Instruction Fuzzy Hash: 12E0EDB1A003159BCB10EE58C8C1A5737D8AB48758F0445A6FE58EF386D3B5ED608BD9

Uniqueness

Uniqueness Score: -1.00%

Function 00407BC0 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

CompareStringA.KERNEL32(00000400,00000001,00000000,00000000,00000000,00000000,?,?,00407C07,?,?,00407F91), ref: 00407BED

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: CompareString
String ID:
API String ID: 1825529933-0
Opcode ID: dad0a5d31053c25a3cf0bd7ddc20ff34365a25b4b458eed28a27a79f89e83d58
Instruction ID: ccae3585221b49fd4c4947cfdd0b9e4901731bfddc0e91782e881af572125946
Opcode Fuzzy Hash: dad0a5d31053c25a3cf0bd7ddc20ff34365a25b4b458eed28a27a79f89e83d58
Instruction Fuzzy Hash: 93D09EE13006202AD254B6BE0D86F5B068C4B89659B00223AB708FA2C3D5BC8D4106A9

Uniqueness

Uniqueness Score: -1.00%

Function 0041A4F0 Relevance: 1.3, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0041A50E

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a574a89de168bff3fd1518c50328dde15f8b69414dd3669ae5aebb63fbe92bf8
Instruction ID: 812526bd8acb628dcf6a9e70366d764634fdf92a5a301b47736cea111e049d81
Opcode Fuzzy Hash: a574a89de168bff3fd1518c50328dde15f8b69414dd3669ae5aebb63fbe92bf8
Instruction Fuzzy Hash: 35115E342443059BD710EF19C880B86F7E5EF48390F10C53AE9599B386D3B8E954CBA9

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00425A1C Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 266libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(uxtheme.dll,00000000,00425DCF), ref: 00425A52
GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 00425A6A
GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 00425A7C
GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 00425A8E
GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 00425AA0
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 00425AB2
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 00425AC4
GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 00425AD6
GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 00425AE8
GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 00425AFA
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 00425B0C
GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 00425B1E
GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 00425B30
GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 00425B42
GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 00425B54
GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 00425B66
GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 00425B78
GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 00425B8A
GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 00425B9C
GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 00425BAE
GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 00425BC0
GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 00425BD2
GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 00425BE4
GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 00425BF6
GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 00425C08
GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 00425C1A
GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 00425C2C
GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 00425C3E
GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00425C50
GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 00425C62
GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 00425C74
GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 00425C86
GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 00425C98
GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 00425CAA
GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 00425CBC
GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 00425CCE
GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 00425CE0
GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 00425CF2
GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 00425D04
GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 00425D16
GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 00425D28
GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 00425D3A
GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 00425D4C
GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 00425D5E
GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 00425D70
GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 00425D82
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 00425D94
GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 00425DA6

Strings

IsThemeDialogTextureEnabled, xrefs: 00425D32
CloseThemeData, xrefs: 00425A74
GetCurrentThemeName, xrefs: 00425D68
GetThemeIntList, xrefs: 00425C24
GetThemeDocumentationProperty, xrefs: 00425D7A
GetThemeBackgroundContentRect, xrefs: 00425AAA, 00425ABC
SetWindowTheme, xrefs: 00425C48
OpenThemeData, xrefs: 00425A62
GetWindowTheme, xrefs: 00425D0E
GetThemeSysColor, xrefs: 00425C6C
DrawThemeText, xrefs: 00425A98
EnableThemeDialogTexture, xrefs: 00425D20
DrawThemeIcon, xrefs: 00425B3A
GetThemePosition, xrefs: 00425BDC
DrawThemeBackground, xrefs: 00425A86
GetThemeFont, xrefs: 00425BEE
GetThemeTextExtent, xrefs: 00425AE0
IsAppThemed, xrefs: 00425CFC
SetThemeAppProperties, xrefs: 00425D56
DrawThemeEdge, xrefs: 00425B28
IsThemeBackgroundPartiallyTransparent, xrefs: 00425B5E
GetThemeSysInt, xrefs: 00425CD8
EnableTheming, xrefs: 00425D9E
GetThemeSysSize, xrefs: 00425CA2
GetThemeSysString, xrefs: 00425CC6
GetThemeAppProperties, xrefs: 00425D44
DrawThemeParentBackground, xrefs: 00425D8C
GetThemeBackgroundRegion, xrefs: 00425B04
GetThemeSysColorBrush, xrefs: 00425C7E
GetThemeRect, xrefs: 00425C00
GetThemeSysFont, xrefs: 00425CB4
GetThemeEnumValue, xrefs: 00425BCA
GetThemeInt, xrefs: 00425BB8
uxtheme.dll, xrefs: 00425A4D
IsThemePartDefined, xrefs: 00425B4C
GetThemePropertyOrigin, xrefs: 00425C36
GetThemeMargins, xrefs: 00425C12
GetThemePartSize, xrefs: 00425ACE
GetThemeColor, xrefs: 00425B70
GetThemeFilename, xrefs: 00425C5A
HitTestThemeBackground, xrefs: 00425B16
GetThemeString, xrefs: 00425B94
IsThemeActive, xrefs: 00425CEA
GetThemeBool, xrefs: 00425BA6
GetThemeMetric, xrefs: 00425B82
GetThemeSysBool, xrefs: 00425C90
GetThemeTextMetrics, xrefs: 00425AF2

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
API String ID: 2238633743-2910565190
Opcode ID: 22f4c76e0803b4d923048600b928fa4cd91449509120d1191a2d7553c661315c
Instruction ID: bd5090f81b60532549820495f2fa86bf30e49feafedaef8f993c8a2ddfcf9ebf
Opcode Fuzzy Hash: 22f4c76e0803b4d923048600b928fa4cd91449509120d1191a2d7553c661315c
Instruction Fuzzy Hash: DDA101B0615B21AFDB00EB65FC86E2A3BA8EB06745395157AF500EF296D67CD8008F1D

Uniqueness

Uniqueness Score: -1.00%

Function 0044E5A4 Relevance: 23.2, APIs: 12, Strings: 1, Instructions: 407windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000223,00000000,00000000), ref: 0044E925

Part of subcall function 004059A8: LoadStringA.USER32(00000000,00010000,?,00000400), ref: 004059D9

Strings

8}D, xrefs: 0044E787

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: LoadMessageSendString
String ID: 8}D
API String ID: 1946433856-1041886984
Opcode ID: ff3644b480524692cee3e5686968b9ee7a25bc1eb3f7c7b6973aa6c2aad53d3c
Instruction ID: 6bccd7b398b97fb16638bdf0b6ad2e10a9cdb7fcab2b6cb6b4f2bdd645e9c0fc
Opcode Fuzzy Hash: ff3644b480524692cee3e5686968b9ee7a25bc1eb3f7c7b6973aa6c2aad53d3c
Instruction Fuzzy Hash: 06F13F35A04244EFEB00DBAAD985F9D77F5BB08304F6541B6E500AB3A2D779EE01DB48

Uniqueness

Uniqueness Score: -1.00%

Function 00404F50 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 136stringlibraryfileCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00404F6D
GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 00404F7E
lstrcpyn.KERNEL32(?,?,?), ref: 00404FAE
lstrcpyn.KERNEL32(?,?,?,kernel32.dll), ref: 00405012
lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll), ref: 00405047
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 0040505A
FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00405067
lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00405073
lstrcpyn.KERNEL32(0000005D,?,00000104), ref: 004050A7
lstrlen.KERNEL32(?,0000005D,?,00000104), ref: 004050B3
lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104), ref: 004050D5

Strings

GetLongPathNameA, xrefs: 00404F78
\, xrefs: 00405085

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameA$\
API String ID: 3245196872-4249726303
Opcode ID: 59f0c618696c4269c427f5e7a8cc709a4342357792f0c769baedbcdeb0766d29
Instruction ID: 92747c62fd01fc1dee8a3665c625e053df72a10481a45a63a7d15ceb378c8f26
Opcode Fuzzy Hash: 59f0c618696c4269c427f5e7a8cc709a4342357792f0c769baedbcdeb0766d29
Instruction Fuzzy Hash: FC418772A00559ABDB10EAE8CD85ADFB7ECDF44304F1401FBA548F7291D638DE458B98

Uniqueness

Uniqueness Score: -1.00%

Function 004396F0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 004396FF
GetWindowPlacement.USER32(?,0000002C), ref: 0043971C
GetWindowRect.USER32(?), ref: 00439735
GetWindowLongA.USER32(?,000000F0), ref: 00439743
GetWindowLongA.USER32(?,000000F8), ref: 00439758
ScreenToClient.USER32(00000000), ref: 00439765
ScreenToClient.USER32(00000000,?), ref: 00439770

Strings

,, xrefs: 00439708

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Window$ClientLongScreen$IconicPlacementRect
String ID: ,
API String ID: 2266315723-3772416878
Opcode ID: a79e1b92fdb795bea0bf22f2d23b1397af8b13a7ac990aec67006bd1b8867246
Instruction ID: 86cb3c204941eeb861939deb0675454b10eb0414b3297a3d6a62749057409133
Opcode Fuzzy Hash: a79e1b92fdb795bea0bf22f2d23b1397af8b13a7ac990aec67006bd1b8867246
Instruction Fuzzy Hash: 4C117C71500210AFCB01EF6DC885A9B77E8AF4D314F144A3EFD58DB286E779E9008B66

Uniqueness

Uniqueness Score: -1.00%

Function 00446820 Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 405nativeCOMMON

Download Yara Rule

APIs

SaveDC.GDI32(?), ref: 00446AEF
RestoreDC.GDI32(?,?), ref: 00446B63
SaveDC.GDI32(?), ref: 00446C14
RestoreDC.GDI32(?,?), ref: 00446C81
NtdllDefWindowProc_A.NTDLL(?,?,?,?,00000000,00446D53), ref: 00446D35

Strings

{E, xrefs: 00446A24, 00446A3B, 00446A46, 00446B13, 00446C35

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: RestoreSave$NtdllProc_Window
String ID: {E
API String ID: 2725519021-776765886
Opcode ID: 68c8f161b04f0de4c7fe0c095ca5562bff61f9fee91437f879a0e0ad49bf257c
Instruction ID: e466d979a7d1fa6bfd9315b7080516fee60c29f69038ac50f7fedb3c40e818d4
Opcode Fuzzy Hash: 68c8f161b04f0de4c7fe0c095ca5562bff61f9fee91437f879a0e0ad49bf257c
Instruction Fuzzy Hash: BDE18F74B006099FEB10DF69C58199EF7F5FF4A304B26866AE401A7326C738ED41CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00451D4C Relevance: 9.1, APIs: 6, Instructions: 86windownativeCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00451D54
SetActiveWindow.USER32(?,?,?,?,00451775,00000000,00451C36), ref: 00451D65
IsWindowEnabled.USER32(00000000), ref: 00451D88
NtdllDefWindowProc_A.NTDLL(?,00000112,0000F120,00000000,00000000,?,?,?,?,00451775,00000000,00451C36), ref: 00451DA1
SetWindowPos.USER32(?,00000000,00000000,?,?,00451775,00000000,00451C36), ref: 00451DE7
SetFocus.USER32(00000000,?,00000000,00000000,?,?,00451775,00000000,00451C36), ref: 00451E2C

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Window$ActiveEnabledFocusIconicNtdllProc_
String ID:
API String ID: 3996302123-0
Opcode ID: b9db25fbcfe5300affea559f64e2e6d7d849f0539d2258f8b0f69e812f03ed1d
Instruction ID: 3c75bb5076b89d6e308809c7ad46d997d52c73d04d09560fb9662a92cf67a0d9
Opcode Fuzzy Hash: b9db25fbcfe5300affea559f64e2e6d7d849f0539d2258f8b0f69e812f03ed1d
Instruction Fuzzy Hash: EA31FF717102009BEB11EB69CD86F6637A86F04706F0804AABD00DF2E7D67DEC588718

Uniqueness

Uniqueness Score: -1.00%

Function 00426ACC Relevance: 9.1, APIs: 6, Instructions: 82clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 00426AF0
GlobalAlloc.KERNEL32(00002002,00000001,00000000,00426BC6,?,00000000,00426BFA), ref: 00426B1A
GlobalFix.KERNEL32(?), ref: 00426B34
EmptyClipboard.USER32 ref: 00426B63
SetClipboardData.USER32(00000001,?), ref: 00426B6E
GlobalUnWire.KERNEL32(?), ref: 00426B84

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: ClipboardGlobal$AllocDataEmptyOpenWire
String ID:
API String ID: 461592451-0
Opcode ID: 56eb834722fa277e390ee1ae3830b0ef071fa61167701e9cee93adb7d6202445
Instruction ID: 6a28fab9fe25a4926a6e2012038929a8959de73aca813dd87fca4eaaf7de0d6a
Opcode Fuzzy Hash: 56eb834722fa277e390ee1ae3830b0ef071fa61167701e9cee93adb7d6202445
Instruction Fuzzy Hash: D921B770300614BFD711EFA5DC52D5DBBACEB49704BA2047AF804E36D1DA79AD10D928

Uniqueness

Uniqueness Score: -1.00%

Function 00438DCC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00438E0B
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00438E29
GetWindowPlacement.USER32(?,0000002C), ref: 00438E5F
SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00438E83

Strings

,, xrefs: 00438E4D

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Window$Placement$Iconic
String ID: ,
API String ID: 568898626-3772416878
Opcode ID: da6a912853dbb6eea017058d9f386d69dbb688778675e16be8ecb0c20593248d
Instruction ID: c299f115a983d2a627696a77f13b88b722c7d81b64ca34f3b33357dbd7a9beb9
Opcode Fuzzy Hash: da6a912853dbb6eea017058d9f386d69dbb688778675e16be8ecb0c20593248d
Instruction Fuzzy Hash: 30213231A00208ABCF14DEADC88199EB7A9AF0D314F04546BFD14EF346DA79DD058B64

Uniqueness

Uniqueness Score: -1.00%

Function 00423D64 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

MonitorFromWindow, xrefs: 00423D7B
d=B, xrefs: 00423D80, 00423D8D, 00423D94

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: AddressProc
String ID: MonitorFromWindow$d=B
API String ID: 190572456-863645062
Opcode ID: dd4f021b0dd2ed2846414bb0fa4cb8b98f43f6541947596d7003f92a5887b4de
Instruction ID: e045f92e4d54634dea15c85c2fb73423f12b0f174c6375320a7d667797c6d762
Opcode Fuzzy Hash: dd4f021b0dd2ed2846414bb0fa4cb8b98f43f6541947596d7003f92a5887b4de
Instruction Fuzzy Hash: 69014F627282286A9700EE55BC45AEF737CAE05316F844437F911A7242D73CEB0187AD

Uniqueness

Uniqueness Score: -1.00%

Function 0044B9EC Relevance: 7.8, APIs: 5, Instructions: 284windowCOMMON

Download Yara Rule

APIs

SetFocus.USER32(00000000), ref: 0044BAAA
SaveDC.GDI32(?), ref: 0044BBD1
RestoreDC.GDI32(?,?), ref: 0044BC42
SaveDC.GDI32(?), ref: 0044BCE5
RestoreDC.GDI32(?,?), ref: 0044BD49

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: RestoreSave$Focus
String ID:
API String ID: 1675357626-0
Opcode ID: 130285ac1c2c9da531094fb71f965a37a395f50d3dca739c0bd7ff73dd710d24
Instruction ID: 28dde32ecda87b18c9c131661b1d687da8cafead35aecd91ace7fb2b432a567a
Opcode Fuzzy Hash: 130285ac1c2c9da531094fb71f965a37a395f50d3dca739c0bd7ff73dd710d24
Instruction Fuzzy Hash: 82B19535A00504EFDB14DF69C986AAEB7F5EB49304F6540A6F400AB761C738EE41CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00451C9C Relevance: 7.6, APIs: 5, Instructions: 59nativewindowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00451CA4
SetActiveWindow.USER32(?,?,?,?,00451768,00000000,00451C36), ref: 00451CBC
IsWindowEnabled.USER32(00000000), ref: 00451CDF
SetWindowPos.USER32(?,00000000,?,?,?,00000000,00000040,00000000,?,?,?,?,00451768,00000000,00451C36), ref: 00451D08
NtdllDefWindowProc_A.NTDLL(?,00000112,0000F020,00000000,?,00000000,?,?,?,00000000,00000040,00000000,?,?,?,?), ref: 00451D1D

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Window$ActiveEnabledIconicNtdllProc_
String ID:
API String ID: 1720852555-0
Opcode ID: 6f7088e5e4b187c2aeb4670173d2ee360a9bc5c07015ffe667a4e43799c635b3
Instruction ID: d88d7f204a03cefd04b539be1aa1a9598ab832427648ac9e4d8c0313e5e399c9
Opcode Fuzzy Hash: 6f7088e5e4b187c2aeb4670173d2ee360a9bc5c07015ffe667a4e43799c635b3
Instruction Fuzzy Hash: 76111271600204ABDB54EF6AC9C6F9A37ECAF08305F0404AABE05DF297D679EC48C718

Uniqueness

Uniqueness Score: -1.00%

Function 0042D70C Relevance: 6.0, APIs: 4, Instructions: 46sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0042D16C: WinHelpA.USER32(00000000,0042D184,00000002,00000000), ref: 0042D17B

GetTickCount.KERNEL32 ref: 0042D72A
Sleep.KERNEL32(00000000,00000000,0042D789,?,?,00000000,00000000,?,0042D702), ref: 0042D733
GetTickCount.KERNEL32 ref: 0042D738
WinHelpA.USER32(00000000,?,?,00000000), ref: 0042D76E

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: CountHelpTick$Sleep
String ID:
API String ID: 2438605093-0
Opcode ID: 3b37bb46d71cad630b3a2424da26e5f252bc33779961b1e9248b4b7629c2e77e
Instruction ID: d9ee8ac0399ff3a52a28c59ee35b7e8a24d770c9992848953fe4256612c820dd
Opcode Fuzzy Hash: 3b37bb46d71cad630b3a2424da26e5f252bc33779961b1e9248b4b7629c2e77e
Instruction Fuzzy Hash: E101A230B10614AFE311EBA6DC52B5EB7ACDB88B08FA14577F400E31C1DA7C9E008569

Uniqueness

Uniqueness Score: -1.00%

Function 00420564 Relevance: 4.6, APIs: 3, Instructions: 51fileclipboardCOMMON

Download Yara Rule

APIs

GetClipboardData.USER32(0000000E), ref: 00420571
CopyEnhMetaFileA.GDI32(00000000,00000000), ref: 00420593
GetEnhMetaFileHeader.GDI32(?,00000064,?,00000000,00000000), ref: 004205A5

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: FileMeta$ClipboardCopyDataHeader
String ID:
API String ID: 1752724394-0
Opcode ID: 38bc527a9afa950ba7342874b894af69953dddefd4bd7d1afe6ddc248af366bb
Instruction ID: 97ff353573cbd70a5e31d6c3412dfaeaeed32466db538e646bc829a6cc00a440
Opcode Fuzzy Hash: 38bc527a9afa950ba7342874b894af69953dddefd4bd7d1afe6ddc248af366bb
Instruction Fuzzy Hash: BE117C716003058FC710DF6AD881A9ABBF8AF05310F11467AE909DB252DA74EC45CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00450AEC Relevance: 4.5, APIs: 3, Instructions: 33synchronizationthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00450AF8
GetCursorPos.USER32(?), ref: 00450B15
WaitForSingleObject.KERNEL32(00000000,00000064), ref: 00450B35

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: CurrentCursorObjectSingleThreadWait
String ID:
API String ID: 1359611202-0
Opcode ID: 8c371bf6a7f93da941bc330bb5314dd272f77a13d417afbdff54108d71461653
Instruction ID: 4704e93e10c23aef9cd25801f58607d5338663f957a23ea090da395bb144b516
Opcode Fuzzy Hash: 8c371bf6a7f93da941bc330bb5314dd272f77a13d417afbdff54108d71461653
Instruction Fuzzy Hash: 37F054755083099BDB10E795E8C6B5A33E8AB0431AF400077E9109A2E7D779F844CA5D

Uniqueness

Uniqueness Score: -1.00%

Function 00438518 Relevance: 3.1, APIs: 2, Instructions: 63windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00438550
GetCapture.USER32 ref: 00438559

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: CaptureIconic
String ID:
API String ID: 2277910766-0
Opcode ID: f8b3c68e170c2c5d9bda2f58435973382db4f3b102135243bde18463dfbdfb54
Instruction ID: 6ea9a3f3c9a7b6ba64e32fcc5f3db20d284757a2c46f4d3fdd111917239fcea8
Opcode Fuzzy Hash: f8b3c68e170c2c5d9bda2f58435973382db4f3b102135243bde18463dfbdfb54
Instruction Fuzzy Hash: 65115B32600315ABDB20DB59C98596AB3E8AF0C314F25947AF904DB352DA3CED009758

Uniqueness

Uniqueness Score: -1.00%

Function 0041D9EC Relevance: 3.0, APIs: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,0041DA88), ref: 0041DA0C
FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,0041DA88), ref: 0041DA32

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 0e7ddfbd2e774316c660b2e5fae89f7748a898ca603d5bb878d391fc30fcd8f3
Instruction ID: e2a572dc6e5f3737ebf86aa1512cf6dbfa50fa412a15462da1caf4fa50521bb7
Opcode Fuzzy Hash: 0e7ddfbd2e774316c660b2e5fae89f7748a898ca603d5bb878d391fc30fcd8f3
Instruction Fuzzy Hash: 1501FCB16482049FD711EB61CC92BE6739CDB18744F9000BABF44A21C1DAF85EC0895D

Uniqueness

Uniqueness Score: -1.00%

Function 0040C228 Relevance: 3.0, APIs: 2, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,0040C28C), ref: 0040C24E
GetACP.KERNEL32(?,?,00001004,?,00000007,00000000,0040C28C), ref: 0040C267

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: b130faf204895f6577c542847f2b823a459e5ce6c8f6d67680ac47c8238b8038
Instruction ID: baea47419d8d6b2b6ec4e726650ddd6d998e4fb2af1a913181e5ba9b87afc6d3
Opcode Fuzzy Hash: b130faf204895f6577c542847f2b823a459e5ce6c8f6d67680ac47c8238b8038
Instruction Fuzzy Hash: 29F0FC31E08604BBD700DFF2C84195E73AED7C8714F50C57AB110B35C1DA7C66004798

Uniqueness

Uniqueness Score: -1.00%

Function 004082EA Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 0040830D

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: 4907c8d48cac47c9d1f08667f175fda6f9e26b4eb06ac176dee4e5eb58c487ac
Instruction ID: ae347befabab82848eeea2d61a5ae71d134ef5356aed14867f9b96b20c4be1cd
Opcode Fuzzy Hash: 4907c8d48cac47c9d1f08667f175fda6f9e26b4eb06ac176dee4e5eb58c487ac
Instruction Fuzzy Hash: 3711D2B5E01209AFDB04CF99C981DAFF7F9EFC8304F14C569A505E7255E6319E018BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0042842C Relevance: 1.5, APIs: 1, Instructions: 41nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 00428491

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 8d264edcb8ab9c59ad88502bd1c06888897a1e58a92bce3253fbc1ff7fe1719c
Instruction ID: 0fc1e9391b849d956db2c6971a767104bf7e63e70a7d6d12a16cba2453373a6a
Opcode Fuzzy Hash: 8d264edcb8ab9c59ad88502bd1c06888897a1e58a92bce3253fbc1ff7fe1719c
Instruction Fuzzy Hash: E0F0F676705214AFD700DF9EE881C5ABBECEB0932035140BBF904D7641E634AD009B74

Uniqueness

Uniqueness Score: -1.00%

Function 004059FE Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00405A66), ref: 00405A26

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 4e7894aac9dd5075328a3359a2912b60d4a0cbd47ecb3bbd0d6b48176307be24
Instruction ID: 59e4a080a0b4ccf7934c9565367c65c5731ee18c76f22e35014114b7af20c7a9
Opcode Fuzzy Hash: 4e7894aac9dd5075328a3359a2912b60d4a0cbd47ecb3bbd0d6b48176307be24
Instruction Fuzzy Hash: E0F0A930A04609AFE714EEA1CC81AAEB375F784714F50857AB110B35C0E6782A048A88

Uniqueness

Uniqueness Score: -1.00%

Function 00405A00 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00405A66), ref: 00405A26

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 170b9b7a9b272e120eaeb09cf774b40d1547a56a0bb31e8cd8cba46e533cf7bc
Instruction ID: 07f00156ddb7686dcf6c8f79403a71c33cf36be57d5827d29dfe16b025e2361e
Opcode Fuzzy Hash: 170b9b7a9b272e120eaeb09cf774b40d1547a56a0bb31e8cd8cba46e533cf7bc
Instruction Fuzzy Hash: 38F06830A04609AFE715EEA1CC86AEFB37AF7C4714F50857AA110775D0E7B82744CA99

Uniqueness

Uniqueness Score: -1.00%

Function 0041DF7C Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 0041DF8C

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 6b8e052c6bede3cb08bcb3cf97360bd64ed1316616d990e2155c5adb0822f991
Instruction ID: 3ec2cba4a878046c1c9776304eb5b71f2b40e26c4ae6c7f8e98e8c3f4b196121
Opcode Fuzzy Hash: 6b8e052c6bede3cb08bcb3cf97360bd64ed1316616d990e2155c5adb0822f991
Instruction Fuzzy Hash: F6F096B1D051099FCB10DF98C488CDDFBB4FB56305751429AD409D7382EB38A696CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0040ABC0 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040ABDE

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: fdc320ea28f9f75c62efff8e2d9cd8f713ef10177de8fcbeeb0c5faebbe2dcda
Instruction ID: 8a38aaf31e287f4e02cc8341b73ec8b44d73ebb2d4739023af4de17ed3051a6e
Opcode Fuzzy Hash: fdc320ea28f9f75c62efff8e2d9cd8f713ef10177de8fcbeeb0c5faebbe2dcda
Instruction Fuzzy Hash: 08E0927170421417D710AA599C86AE7725D9758310F40427FBA45E73C2EEB8AE9046EE

Uniqueness

Uniqueness Score: -1.00%

Function 0040AC0C Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040C53A,00000000,0040C753,?,?,00000000,00000000), ref: 0040AC1F

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 656a2a71fe8a9a347b97d171e82230d5793d39cb43fb22f67fa0352798af2eea
Instruction ID: b581d9f878e9bef064658ced9945c2b6e005c2316ac77ad6fa721ce3983ac154
Opcode Fuzzy Hash: 656a2a71fe8a9a347b97d171e82230d5793d39cb43fb22f67fa0352798af2eea
Instruction Fuzzy Hash: EED05E7630D2502AF210615A6D85DBB4AACCAC97A4F11443EB689D6242E2248C16A3B6

Uniqueness

Uniqueness Score: -1.00%

Function 0040965C Relevance: 1.5, APIs: 1, Instructions: 22timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00409664

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: 0a00292afb7379954fea3f68ccac95558c17b35c2e697fc130e1df29d578561f
Instruction ID: 809a77b0509ff9e97abdbe3471728ccd2ed67c682f4af258cc35362fa1d29df0
Opcode Fuzzy Hash: 0a00292afb7379954fea3f68ccac95558c17b35c2e697fc130e1df29d578561f
Instruction Fuzzy Hash: 6FE0A568408602A1C200FF55C4414AFF7A5EE99B40F408C5DF8E452392EA358999C76B

Uniqueness

Uniqueness Score: -1.00%

Function 0043DD58 Relevance: 50.8, APIs: 15, Strings: 14, Instructions: 95libraryloaderCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008000), ref: 0043DD71
GetModuleHandleA.KERNEL32(USER32,00000000,0043DEBE,?,00008000), ref: 0043DD95
GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 0043DDA2
LoadLibraryA.KERNEL32(imm32.dll,00000000,0043DEBE,?,00008000), ref: 0043DDBE
GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 0043DDE0
GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 0043DDF5
GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 0043DE0A
GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 0043DE1F
GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 0043DE34
GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 0043DE49
GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 0043DE5E
GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 0043DE73
GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 0043DE88
GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 0043DE9D
SetErrorMode.KERNEL32(?,0043DEC5,00008000), ref: 0043DEB8

Strings

WINNLSEnableIME, xrefs: 0043DD9C
ImmReleaseContext, xrefs: 0043DDEA
ImmIsIME, xrefs: 0043DE7D
USER32, xrefs: 0043DD90
ImmGetContext, xrefs: 0043DDD5
ImmSetCompositionWindow, xrefs: 0043DE3E
ImmSetCompositionFontA, xrefs: 0043DE53
ImmGetConversionStatus, xrefs: 0043DDFF
ImmNotifyIME, xrefs: 0043DE92
imm32.dll, xrefs: 0043DDB9
ImmSetConversionStatus, xrefs: 0043DE14
@wE, xrefs: 0043DD5D
ImmGetCompositionStringA, xrefs: 0043DE68
ImmSetOpenStatus, xrefs: 0043DE29

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: AddressProc$ErrorMode$HandleLibraryLoadModule
String ID: @wE$ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$imm32.dll
API String ID: 3397921170-890834701
Opcode ID: ead52cc09ac20e8a380d26f92b28419de46a6bff040be02b2cf283c5b78764df
Instruction ID: 3c0394bd07d305ea2d188a8f5ebb8bb4e7f9742114a58d902b58ba48a7cd74b5
Opcode Fuzzy Hash: ead52cc09ac20e8a380d26f92b28419de46a6bff040be02b2cf283c5b78764df
Instruction Fuzzy Hash: 8731E2B1954B01AFD700EBB5BC5AA2B3AA8E709759F54643BF504AB1D3D67CE8008F1C

Uniqueness

Uniqueness Score: -1.00%

Function 0040D968 Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 0040D971

Part of subcall function 0040D93C: GetProcAddress.KERNEL32(00000000), ref: 0040D955

Strings

VarNeg, xrefs: 0040D995
VarI4FromStr, xrefs: 0040DA9D
VarDateFromStr, xrefs: 0040DADF
VarMod, xrefs: 0040DA2F
VarAnd, xrefs: 0040DA45
VarR4FromStr, xrefs: 0040DAB3
VarBstrFromBool, xrefs: 0040DB4D
VarBstrFromCy, xrefs: 0040DB21
VarSub, xrefs: 0040D9D7
VarR8FromStr, xrefs: 0040DAC9
VariantChangeTypeEx, xrefs: 0040D97F
VarAdd, xrefs: 0040D9C1
oleaut32.dll, xrefs: 0040D96C
VarBoolFromStr, xrefs: 0040DB0B
VarDiv, xrefs: 0040DA03
VarOr, xrefs: 0040DA5B
VarMul, xrefs: 0040D9ED
VarCmp, xrefs: 0040DA87
VarBstrFromDate, xrefs: 0040DB37
VarXor, xrefs: 0040DA71
VarCyFromStr, xrefs: 0040DAF5
VarIdiv, xrefs: 0040DA19
VarNot, xrefs: 0040D9AB

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
API String ID: 1646373207-1918263038
Opcode ID: b82e32c28f640bf2d64024a4eaf3dc84201cb1ebf4e1472b3d107dd72980b475
Instruction ID: c51dace41a67f0ce80140b97d9f650fa39da1d801abef46ec8eb81cf9ce0b25d
Opcode Fuzzy Hash: b82e32c28f640bf2d64024a4eaf3dc84201cb1ebf4e1472b3d107dd72980b475
Instruction Fuzzy Hash: 84414DA5D087056BD3046BEAB8014277AD9D6487193A1D03BB404BB7E6DB3CF849CA2D

Uniqueness

Uniqueness Score: -1.00%

Function 00426EA8 Relevance: 28.5, APIs: 11, Strings: 5, Instructions: 454windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004269D0: SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 00426A0D
Part of subcall function 004269D0: CreateFontIndirectA.GDI32(?), ref: 00426A1A

Part of subcall function 00426804: GetTextExtentPointA.GDI32(00000000,00000034,00000034,?), ref: 0042683F

MulDiv.KERNEL32(00000008,?,00000004), ref: 00426F55
MulDiv.KERNEL32(00000008,?,00000008), ref: 00426F65
MulDiv.KERNEL32(0000000A,?,00000004), ref: 00426F72
MulDiv.KERNEL32(0000000A,?,00000008), ref: 00426F7F
MulDiv.KERNEL32(00000032,?,00000004), ref: 00426F8C
DrawTextA.USER32(00000000,00000000,000000FF,?,00000000), ref: 00426FFF
MulDiv.KERNEL32(0000000E,?,00000008), ref: 00427032
MulDiv.KERNEL32(00000004,?,00000004), ref: 00427042
SetRect.USER32(?,00000000,00000000,00000000,00000000), ref: 00427068
DrawTextA.USER32(00000000,00000000,00000001,?,00000000), ref: 004270A0
LoadIconA.USER32(00000000), ref: 004271FC

Part of subcall function 00451E88: GetWindowTextA.USER32(?,?,00000100), ref: 00451EAB

Strings

{E, xrefs: 0042704C, 00427132, 0042715E
Image, xrefs: 004271E1
, xrefs: 004270CC
Message, xrefs: 00427245
PWE, xrefs: 0042734C, 00426FDE

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Text$Draw$CreateExtentFontIconIndirectInfoLoadParametersPointRectSystemWindow
String ID: $Image$Message$PWE${E
API String ID: 4220236395-4227156669
Opcode ID: 16386283bd2f1e2f92c484253766b58a99c2f8515468f076a7cdb2bb22c4234c
Instruction ID: 4bad27db37094b2377632972f8109ebf4dee37b00dda34076c131864de6f10ef
Opcode Fuzzy Hash: 16386283bd2f1e2f92c484253766b58a99c2f8515468f076a7cdb2bb22c4234c
Instruction Fuzzy Hash: 44023D74E002189FDB00EFA9D885A9EB7F5FF49308F54816AE904EB352C778AD45CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0045406C Relevance: 26.3, APIs: 6, Strings: 9, Instructions: 73processCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(00457C00,000000FF,00000000,00454161,?,?,00000000,00000000), ref: 004540BF
ShellExecuteA.SHELL32(00000000,open,bin/reset/cl_ev_log.vbs,00000000,00000000,00000001), ref: 004540DC
WinExec.KERNEL32(wevtutil clear-log Application,00000000), ref: 004540E8
WinExec.KERNEL32(wevtutil clear-log Security,00000000), ref: 004540F4
WinExec.KERNEL32(wevtutil clear-log Setup,00000000), ref: 00454100
WinExec.KERNEL32(wevtutil clear-log System,00000000), ref: 0045410C

Part of subcall function 004524EC: GetActiveWindow.USER32 ref: 004524FF
Part of subcall function 004524EC: GetWindowRect.USER32(?,?), ref: 00452559
Part of subcall function 004524EC: SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,?), ref: 00452591
Part of subcall function 004524EC: MessageBoxA.USER32(?,?,?,?), ref: 004525D2

Strings

RDP Admin Restore, xrefs: 00454113, 0045412D
bin/reset/cl_ev_log.vbs, xrefs: 004540CA
wevtutil clear-log Security, xrefs: 004540EF
open, xrefs: 004540CF
wevtutil clear-log System, xrefs: 00454107
Bad Password! If you want to buy "RPD Admin Restore" write to official developer! E-mail: sllrdp@yahoo.com, xrefs: 00454132
wevtutil clear-log Setup, xrefs: 004540FB
wevtutil clear-log Application, xrefs: 004540E3
Event logs cleared!, xrefs: 00454118

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Exec$Window$ActiveDirectoryExecuteMessageRectShellWindows
String ID: Bad Password! If you want to buy "RPD Admin Restore" write to official developer! E-mail: sllrdp@yahoo.com$Event logs cleared!$RDP Admin Restore$bin/reset/cl_ev_log.vbs$open$wevtutil clear-log Application$wevtutil clear-log Security$wevtutil clear-log Setup$wevtutil clear-log System
API String ID: 2810476808-3379520493
Opcode ID: 4e3d62e041db6ef29d5643350b7e0520f0f582ca870a864ee9c014b17f5b8c63
Instruction ID: e643672b57c938a69b7163dc0899881a26ec3fee7f1cbd1c04083b942c6722f0
Opcode Fuzzy Hash: 4e3d62e041db6ef29d5643350b7e0520f0f582ca870a864ee9c014b17f5b8c63
Instruction Fuzzy Hash: EB21843438470076D710E7A1DC47F5D3694DB99B0AF618477B900BF6C3CABCA988851C

Uniqueness

Uniqueness Score: -1.00%

Function 0041DC38 Relevance: 24.2, APIs: 16, Instructions: 248windowCOMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,?), ref: 0041DC90
MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,0041DD0B,?,?), ref: 0041DCDF
SelectObject.GDI32(?,?), ref: 0041DCF9
DeleteObject.GDI32(?), ref: 0041DD05
SelectObject.GDI32(?,?), ref: 0041DD4F
StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 0041DDCE
StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 0041DDF0
SetTextColor.GDI32(?,00000000), ref: 0041DDF8
SetBkColor.GDI32(?,00FFFFFF), ref: 0041DE06
StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 0041DE32
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 0041DE57
SetTextColor.GDI32(?,?), ref: 0041DE61
SetBkColor.GDI32(?,?), ref: 0041DE6B
SelectObject.GDI32(?,00000000), ref: 0041DE7E
DeleteObject.GDI32(?), ref: 0041DE87
DeleteDC.GDI32(?), ref: 0041DEB2

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Object$ColorSelectStretch$Delete$Text$Mask
String ID:
API String ID: 326492243-0
Opcode ID: 80bfbcc1b7410ce4b15a6938d5177bd53c135f4a2953d7d383517b1cd2c5af8c
Instruction ID: 6ecaa9e48ec0e5a52f4bd97a0b46cd54fc0edc45eba9e57bcd0a50f4264b02c5
Opcode Fuzzy Hash: 80bfbcc1b7410ce4b15a6938d5177bd53c135f4a2953d7d383517b1cd2c5af8c
Instruction Fuzzy Hash: BB8194B1A00209AFDB50EEA9CC81FAF77ECAB0D714F110569F618E7281C679ED508B65

Uniqueness

Uniqueness Score: -1.00%

Function 004068E0 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 61registryclipboardwindowCOMMON

Download Yara Rule

APIs

FindWindowA.USER32(MouseZ,Magellan MSWHEEL), ref: 004068F8
RegisterClipboardFormatA.USER32(MSWHEEL_ROLLMSG), ref: 00406904
RegisterClipboardFormatA.USER32(MSH_WHEELSUPPORT_MSG), ref: 00406913
RegisterClipboardFormatA.USER32(MSH_SCROLL_LINES_MSG), ref: 0040691F
SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00406937
SendMessageA.USER32(00000000,?,00000000,00000000), ref: 0040695B

Strings

MSWHEEL_ROLLMSG, xrefs: 004068FF
MSH_SCROLL_LINES_MSG, xrefs: 0040691A
MouseZ, xrefs: 004068F3
MSH_WHEELSUPPORT_MSG, xrefs: 0040690E
Magellan MSWHEEL, xrefs: 004068EE

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: ClipboardFormatRegister$MessageSend$FindWindow
String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
API String ID: 1416857345-3736581797
Opcode ID: f316442aa48e1397d0e7d3288d8daaa475903184c982927fc3bf3143f7dbc2d2
Instruction ID: 0cb6d9865656eb2df6f1f7c997331099a50e3287529ef4739601f8d4298a2375
Opcode Fuzzy Hash: f316442aa48e1397d0e7d3288d8daaa475903184c982927fc3bf3143f7dbc2d2
Instruction Fuzzy Hash: 47115EB0200301AFE7109F69C841F6BB7A8EF44714F22443AB842AB6C0D6B95D618BA8

Uniqueness

Uniqueness Score: -1.00%

Function 0045448C Relevance: 19.3, APIs: 4, Strings: 7, Instructions: 59processCOMMON

Download Yara Rule

APIs

WinExec.KERNEL32(vssadmin delete shadows /for=c: /all,00000000), ref: 004544D9
WinExec.KERNEL32(vssadmin delete shadows /for=d: /all,00000000), ref: 004544E5
WinExec.KERNEL32(vssadmin delete shadows /for=e: /all,00000000), ref: 004544F1
WinExec.KERNEL32(vssadmin delete shadows /for=f: /all,00000000), ref: 004544FD

Part of subcall function 004524EC: GetActiveWindow.USER32 ref: 004524FF
Part of subcall function 004524EC: GetWindowRect.USER32(?,?), ref: 00452559
Part of subcall function 004524EC: SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,?), ref: 00452591
Part of subcall function 004524EC: MessageBoxA.USER32(?,?,?,?), ref: 004525D2

Strings

RDP Admin Restore, xrefs: 00454504, 0045451E
Bad Password! If you want to buy "RPD Admin Restore" write to official developer! E-mail: sllrdp@yahoo.com, xrefs: 00454523
vssadmin delete shadows /for=d: /all, xrefs: 004544E0
vssadmin delete shadows /for=f: /all, xrefs: 004544F8
vssadmin delete shadows /for=e: /all, xrefs: 004544EC
vssadmin delete shadows /for=c: /all, xrefs: 004544D4
System Restore Points cleared!, xrefs: 00454509

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Exec$Window$ActiveMessageRect
String ID: Bad Password! If you want to buy "RPD Admin Restore" write to official developer! E-mail: sllrdp@yahoo.com$RDP Admin Restore$System Restore Points cleared!$vssadmin delete shadows /for=c: /all$vssadmin delete shadows /for=d: /all$vssadmin delete shadows /for=e: /all$vssadmin delete shadows /for=f: /all
API String ID: 2349831513-943649847
Opcode ID: c40f8cb566c54b36797eb2a3c41f3be0dfece1beb89f9ba2562258e1bc85b312
Instruction ID: 76b89012cad719edd9d44c9814af8d10bfacbb30f3102c8f75673a0c72d5e72a
Opcode Fuzzy Hash: c40f8cb566c54b36797eb2a3c41f3be0dfece1beb89f9ba2562258e1bc85b312
Instruction Fuzzy Hash: 91118634380304BBD710EB55DC52F5977A4DB85B0AF618077BA016F2D3DA7CAA4D864D

Uniqueness

Uniqueness Score: -1.00%

Function 00424110 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 00424149
GetSystemMetrics.USER32(00000000), ref: 0042416E
GetSystemMetrics.USER32(00000001), ref: 00424179
GetClipBox.GDI32(?,?), ref: 0042418B
GetDCOrgEx.GDI32(?,?), ref: 00424198
OffsetRect.USER32(?,?,?), ref: 004241B1
IntersectRect.USER32(?,?,?), ref: 004241C2
IntersectRect.USER32(?,?,?), ref: 004241D8

Part of subcall function 00423B64: GetProcAddress.KERNEL32(75BD0000,00000000), ref: 00423BE4

Strings

EnumDisplayMonitors, xrefs: 00424128

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Rect$IntersectMetricsSystem$AddressClipDisplayEnumMonitorsOffsetProc
String ID: EnumDisplayMonitors
API String ID: 362875416-2491903729
Opcode ID: e148aa5210d83d308e65a9c77509402ce6ba8f886d161cb7430358443943099d
Instruction ID: f134eb326fd37c1a8e3e34a301d86646f323bf33116a2f2cf18adc8f1ef52cee
Opcode Fuzzy Hash: e148aa5210d83d308e65a9c77509402ce6ba8f886d161cb7430358443943099d
Instruction Fuzzy Hash: 27315EB1A00219AADB00DFE5EC44AFF77BCEB49341F41417AF915E3241E638DA508BB9

Uniqueness

Uniqueness Score: -1.00%

Function 00454870 Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 106processfileCOMMON

Download Yara Rule

APIs

WinExec.KERNEL32(wbadmin delete systemstatebackup -keepVersions:0,00000000), ref: 004548FC

Part of subcall function 00453BCC: SHGetSpecialFolderLocation.SHELL32(00000000,?,?,00000000,00453C80,?,00000000,00453CA2,?,?,?,00000000,00000000,00000000), ref: 00453C0A
Part of subcall function 00453BCC: SHGetPathFromIDList.SHELL32(?,00000000), ref: 00453C2B

GetWindowsDirectoryA.KERNEL32(?,00000104,wbadmin delete systemstatebackup -keepVersions:0,00000000,00000000,00454A23), ref: 0045491A
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0045499E

Part of subcall function 004524EC: GetActiveWindow.USER32 ref: 004524FF
Part of subcall function 004524EC: GetWindowRect.USER32(?,?), ref: 00452559
Part of subcall function 004524EC: SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,?), ref: 00452591
Part of subcall function 004524EC: MessageBoxA.USER32(?,?,?,?), ref: 004525D2

Part of subcall function 004524EC: SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,00452648), ref: 00452622
Part of subcall function 004524EC: SetActiveWindow.USER32(?,00452648), ref: 00452633

Strings

[Windows Server 2008] System Restore Points cleared!, xrefs: 004549AA
Clear Restore Points.bat, xrefs: 00454966
RDP Admin Restore, xrefs: 004549A5, 004549BD, 004549D7
[Windows Vista / Windows 7] Execute "Clear Restore Points.bat" from your Desktop!, xrefs: 004549C2
wbadmin delete systemstatebackup -keepVersions:0, xrefs: 004548F7
Bad Password! If you want to buy "RPD Admin Restore" write to official developer! E-mail: sllrdp@yahoo.com, xrefs: 004549DC
bin\reset\del_sys_rest.bat, xrefs: 00454985

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Window$Active$CopyDirectoryExecFileFolderFromListLocationMessagePathRectSpecialWindows
String ID: Bad Password! If you want to buy "RPD Admin Restore" write to official developer! E-mail: sllrdp@yahoo.com$Clear Restore Points.bat$RDP Admin Restore$[Windows Server 2008] System Restore Points cleared!$[Windows Vista / Windows 7] Execute "Clear Restore Points.bat" from your Desktop!$bin\reset\del_sys_rest.bat$wbadmin delete systemstatebackup -keepVersions:0
API String ID: 4229488978-2116179880
Opcode ID: 9e27526e67c77316096611c689706fb9831d7d21e65b58ecda99516510624667
Instruction ID: c1560f67667fcca884b710c43bd2f25be0a7f16ccbd5394f72e811811d3d109d
Opcode Fuzzy Hash: 9e27526e67c77316096611c689706fb9831d7d21e65b58ecda99516510624667
Instruction Fuzzy Hash: F5419670A402089BD754EB55DC42BCE73B5EB88305F0041FBB904AB382CA789F858F4C

Uniqueness

Uniqueness Score: -1.00%

Function 0043A1D4 Relevance: 16.7, APIs: 11, Instructions: 224COMMON

Download Yara Rule

APIs

GetClientRect.USER32(00000000,?), ref: 0043A22B
GetWindowRect.USER32(00000000,?), ref: 0043A23D
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0043A253
OffsetRect.USER32(?,?,?), ref: 0043A268
ExcludeClipRect.GDI32(?,?,?,?,?,?,?,?,00000000,00000000,?,00000002,00000000,?,00000000,0043A43A), ref: 0043A281
InflateRect.USER32(?,00000000,00000000), ref: 0043A29F
GetWindowLongA.USER32(00000000,000000F0), ref: 0043A2F5
DrawEdge.USER32(?,?,00000000,00000008), ref: 0043A3C1
IntersectClipRect.GDI32(?,?,?,?,?), ref: 0043A3DA
OffsetRect.USER32(?,?,?), ref: 0043A3F9
FillRect.USER32(?,?,00000000), ref: 0043A415

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Rect$Window$ClipOffset$ClientDrawEdgeExcludeFillInflateIntersectLongPoints
String ID:
API String ID: 1573515177-0
Opcode ID: 54826c443f72ea8bbef09743bc7b90c906e0d2177bdbb5413b56371ebf561e3e
Instruction ID: e200f8c1b69cfc0785ba44f4f9ef66d306ebaf7aec32b4c247beff20b7ce5f8d
Opcode Fuzzy Hash: 54826c443f72ea8bbef09743bc7b90c906e0d2177bdbb5413b56371ebf561e3e
Instruction Fuzzy Hash: 8A91FA71E04648AFDB01DBA9C885FEEB7F9AF09304F1540A5F954E7292C779AE10CB24

Uniqueness

Uniqueness Score: -1.00%

Function 00421270 Relevance: 16.7, APIs: 11, Instructions: 194windowCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,00000054,?), ref: 00421293
SelectObject.GDI32(?,00000000), ref: 00421307
PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 00421329
SelectObject.GDI32(?), ref: 0042137F
SetBkColor.GDI32(?), ref: 004213BA
SetBkColor.GDI32(?,00000000), ref: 004213E8
SelectObject.GDI32(?,00000000), ref: 004213FB
DeleteObject.GDI32 ref: 00421407
DeleteDC.GDI32(?), ref: 0042141D
SelectObject.GDI32(?,00000000), ref: 00421438
DeleteDC.GDI32(00000000), ref: 00421454

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Object$Select$Delete$Color
String ID:
API String ID: 1817384775-0
Opcode ID: 6e4ad2ed427ff5c7ecdb7de93b688aa7a573b109bb5ac3d9bcf0e4092acecdb9
Instruction ID: fd1de590d11a8c113539ad9edf9763831ff515767437cd21f901c75386431d27
Opcode Fuzzy Hash: 6e4ad2ed427ff5c7ecdb7de93b688aa7a573b109bb5ac3d9bcf0e4092acecdb9
Instruction Fuzzy Hash: 1C514D71F00214ABDB10EBE9DC45FAFB7BCAB08704F51446AF605FB292D6789950CB68

Uniqueness

Uniqueness Score: -1.00%

Function 004546A0 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(00457C00,000000FF,00000000,00454782,?,?,00000000,00000000), ref: 004546F3
ShellExecuteA.SHELL32(00000000,open,bin/reset/del_sys_rest.vbs,00000000,00000000,00000001), ref: 00454710
ShellExecuteA.SHELL32(00000000,open,bin/reset/del_sys_rest2.vbs,00000000,00000000,00000001), ref: 0045472D

Part of subcall function 004524EC: GetActiveWindow.USER32 ref: 004524FF
Part of subcall function 004524EC: GetWindowRect.USER32(?,?), ref: 00452559
Part of subcall function 004524EC: SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,?), ref: 00452591
Part of subcall function 004524EC: MessageBoxA.USER32(?,?,?,?), ref: 004525D2

Strings

Bad Password! If you want to buy "RPD Admin Restore" write to official developer! E-mail: sllrdp@yahoo.com, xrefs: 00454753
open, xrefs: 00454703, 00454720
System Restore Points cleared!, xrefs: 00454739
RDP Admin Restore, xrefs: 00454734, 0045474E
bin/reset/del_sys_rest2.vbs, xrefs: 0045471B
bin/reset/del_sys_rest.vbs, xrefs: 004546FE

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Window$ExecuteShell$ActiveDirectoryMessageRectWindows
String ID: Bad Password! If you want to buy "RPD Admin Restore" write to official developer! E-mail: sllrdp@yahoo.com$RDP Admin Restore$System Restore Points cleared!$bin/reset/del_sys_rest.vbs$bin/reset/del_sys_rest2.vbs$open
API String ID: 3947522788-3178753808
Opcode ID: a3a817e5f308bcf0b0c5dda2d7190bafecf6ac3fa2098a2f0214a1ebdd0f661a
Instruction ID: bfd5c4811938aeca417bb9740aec2fa9140fc7553a3349661bb309c8614c61b7
Opcode Fuzzy Hash: a3a817e5f308bcf0b0c5dda2d7190bafecf6ac3fa2098a2f0214a1ebdd0f661a
Instruction Fuzzy Hash: 98219034780300BBD710EB61DC83F5972A8978AB0AF614177B900AF2C3CBBCA948861C

Uniqueness

Uniqueness Score: -1.00%

Function 0040B2B4 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 56filewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0040B12C: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040B149
Part of subcall function 0040B12C: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040B16D
Part of subcall function 0040B12C: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040B188
Part of subcall function 0040B12C: LoadStringA.USER32(00000000,0000FFEA,?,00000100), ref: 0040B21E

CharToOemA.USER32(?,?), ref: 0040B2EB
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 0040B308
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040B30E
GetStdHandle.KERNEL32(000000F4,0040B378,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040B323
WriteFile.KERNEL32(00000000,000000F4,0040B378,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040B329
LoadStringA.USER32(00000000,0000FFEB,?,00000040), ref: 0040B34B
MessageBoxA.USER32(00000000,?,?,00002010), ref: 0040B361

Strings

HpE, xrefs: 0040B2C8
k@, xrefs: 0040B337

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
String ID: k@$HpE
API String ID: 185507032-272722378
Opcode ID: 6b4e80015a87073a770a1d94cc6ddb8ecc2dde4a4c8a9caf8b3638b51126786e
Instruction ID: bb2448d251cef649c289dc31d0f63b9f3d52a60cf7425af0d3ff7c61de9185c2
Opcode Fuzzy Hash: 6b4e80015a87073a770a1d94cc6ddb8ecc2dde4a4c8a9caf8b3638b51126786e
Instruction Fuzzy Hash: E8119EB21183007ED200E7A5CC86F9B77ACAB40704F80053AB745E60E2DA78E904876E

Uniqueness

Uniqueness Score: -1.00%

Function 004371EC Relevance: 15.2, APIs: 10, Instructions: 177windowCOMMON

Download Yara Rule

APIs

RectVisible.GDI32(?,?), ref: 004372A5
SaveDC.GDI32(?), ref: 004372BB
IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 004372DE
RestoreDC.GDI32(?,?), ref: 004372F9
CreateSolidBrush.GDI32(00000000), ref: 0043737A
FrameRect.USER32(?,?,?), ref: 004373AD
DeleteObject.GDI32(?), ref: 004373B7
CreateSolidBrush.GDI32(00000000), ref: 004373C7
FrameRect.USER32(?,?,00000000), ref: 004373FA
DeleteObject.GDI32(00000000), ref: 00437404

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
String ID:
API String ID: 375863564-0
Opcode ID: 188ec844819f1839dca67db3c63056a8a11a2de2247bd05f7a852052a94c2e91
Instruction ID: f1b7c919c40b3a2f1d2d9fe28c57e24a1ecde5085e168e389b4f09467b312a64
Opcode Fuzzy Hash: 188ec844819f1839dca67db3c63056a8a11a2de2247bd05f7a852052a94c2e91
Instruction Fuzzy Hash: 3E5170B12082059BDB24EF69C8C4B5B7BD8AF49304F04549EFD89CB387D639E844C758

Uniqueness

Uniqueness Score: -1.00%

Function 0042969C Relevance: 15.1, APIs: 10, Instructions: 142COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 004296B7
GetWindowRect.USER32(00000000,?), ref: 004296D2
OffsetRect.USER32(?,?,?), ref: 004296E7
GetWindowLongA.USER32(00000000,000000F0), ref: 00429726
GetSystemMetrics.USER32(00000002), ref: 0042973B
GetSystemMetrics.USER32(00000003), ref: 00429744
InflateRect.USER32(?,000000FE,000000FE), ref: 00429753
GetSysColorBrush.USER32(0000000F), ref: 00429780
FillRect.USER32(?,?,00000000), ref: 0042978E
ExcludeClipRect.GDI32(?,?,?,?,?,00000000,004297F7,?,00000000,?,?,?,00000000,?,00000000,000000EC), ref: 004297B3

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Rect$Window$LongMetricsSystem$BrushClipColorExcludeFillInflateOffset
String ID:
API String ID: 239630386-0
Opcode ID: dd572b06ce6a9f1711ab6a73a3964b784ffdebf45be05d8fe4be52217e9dbe02
Instruction ID: 3162c11f20d75f6f6db625e5813a0a8015ffed40dc51e8e9557ea00dbddcd5de
Opcode Fuzzy Hash: dd572b06ce6a9f1711ab6a73a3964b784ffdebf45be05d8fe4be52217e9dbe02
Instruction Fuzzy Hash: A0414271A00119ABDB00EFA9DD82EDFB7BDEF49314F500566F905F7281DA78AE018768

Uniqueness

Uniqueness Score: -1.00%

Function 0044DB68 Relevance: 15.1, APIs: 10, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 0044DBB3
DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 0044DBD1
DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0044DBDE
DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0044DBEB
DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0044DBF8
DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 0044DC05
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 0044DC12
DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 0044DC1F
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 0044DC3D
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 0044DC59

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Menu$Delete$EnableItem$System
String ID:
API String ID: 3985193851-0
Opcode ID: 857ede4785eb586bb4da2094b121b9ce82dfb63515eda980b3039d4b124bb0cd
Instruction ID: 318aefb341a55fe53f3c3406a87999ac208ab219f0a119b387e4ee8a82761a1e
Opcode Fuzzy Hash: 857ede4785eb586bb4da2094b121b9ce82dfb63515eda980b3039d4b124bb0cd
Instruction Fuzzy Hash: E5214F70780305BAE320AB24CDCEF59BBD95B04B19F0540B9B6097F2D3C6FDA990965C

Uniqueness

Uniqueness Score: -1.00%

Function 0043A9F4 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 156COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,000000FF,?,?,?,?,00000010,00000000,0043ABCD), ref: 0043AAD9
GetTickCount.KERNEL32 ref: 0043AADE
SystemParametersInfoA.USER32(00001016,00000000,?,00000000), ref: 0043AB19
SystemParametersInfoA.USER32(00001018,00000000,00000000,00000000), ref: 0043AB31
AnimateWindow.USER32(00000000,00000064,00000001), ref: 0043AB77
ShowWindow.USER32(00000000,00000004,00000000,000000FF,?,?,?,?,00000010,00000000,0043ABCD), ref: 0043AB9A

Part of subcall function 0043DC48: GetCursorPos.USER32(?), ref: 0043DC4C

GetTickCount.KERNEL32 ref: 0043ABB4

Strings

{E, xrefs: 0043AA0B

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Window$CountInfoParametersSystemTick$AnimateCursorShow
String ID: {E
API String ID: 3024527889-776765886
Opcode ID: 4fe03de71e497a7c8ca6216ab142ad7a6d114a98204c32252e005005192b0a78
Instruction ID: dbb8ebc3a79dc56fd023673be05ef07d8d74f8cfda69ca1242e829bef8b525b9
Opcode Fuzzy Hash: 4fe03de71e497a7c8ca6216ab142ad7a6d114a98204c32252e005005192b0a78
Instruction Fuzzy Hash: 26513D34A00209DFEB10DF99C986E9EB3F5AF08304F605566F640E7296D779AE40CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00432820 Relevance: 13.6, APIs: 9, Instructions: 150COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,?,?), ref: 00432859
MulDiv.KERNEL32(?,?,?), ref: 00432873
MulDiv.KERNEL32(?,?,?), ref: 004328A1
MulDiv.KERNEL32(?,?,?), ref: 004328B7
MulDiv.KERNEL32(?,?,?), ref: 004328EF
MulDiv.KERNEL32(?,?,?), ref: 00432907
MulDiv.KERNEL32(?,?,0000001F), ref: 00432951
MulDiv.KERNEL32(?,?,0000001F), ref: 0043297A
MulDiv.KERNEL32(00000000,?,0000001F), ref: 004329A0

Part of subcall function 0041CA9C: MulDiv.KERNEL32(00000000,?,00000048), ref: 0041CAA9

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c5e69e532f2e07cb6d886cd83b8ef4f40cac6cbecc40e4ccdd7a65bec582168
Instruction ID: f0fd280cefe1609448eaaefd454efffafb907274aa9c324a4bd8e59a5c194d0e
Opcode Fuzzy Hash: 4c5e69e532f2e07cb6d886cd83b8ef4f40cac6cbecc40e4ccdd7a65bec582168
Instruction Fuzzy Hash: 8E5150B0604751AFC320EB69CA45B6BBBFCAF49304F045C2EB9D5C7352C679E8458B29

Uniqueness

Uniqueness Score: -1.00%

Function 00421F8C Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 351COMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,00000000), ref: 0042227A
GetLastError.KERNEL32(?,?,00000004,00000000,?,00000000,00000000,00422333,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 004222E8
SelectObject.GDI32(?,?), ref: 00422327
DeleteObject.GDI32(00000000), ref: 0042232D

Strings

BM, xrefs: 004220B0
(, xrefs: 00422145

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Object$Select$DeleteErrorLast
String ID: ($BM
API String ID: 1836871137-2980357723
Opcode ID: 04ebc68d6699112633888544662c9a462209f96f807f1260892732bd397b10f7
Instruction ID: db2386229a475589866876d62050c28099ec3528d6e503763828d2fe6fa40b0d
Opcode Fuzzy Hash: 04ebc68d6699112633888544662c9a462209f96f807f1260892732bd397b10f7
Instruction Fuzzy Hash: 67D16170A00218AFDF04DFA9D985BAEBBB5FF49304F40446AF904EB395D7789840CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040C488 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000000,0040C753,?,?,00000000,00000000), ref: 0040C4BE

Part of subcall function 0040ABC0: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040ABDE

Strings

m/d/yy, xrefs: 0040C58D
mmmm d, yyyy, xrefs: 0040C5BA
AMPM, xrefs: 0040C6D2
:mm, xrefs: 0040C6F1
AMPM , xrefs: 0040C6E1
:mm:ss, xrefs: 0040C70E

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Locale$InfoThread
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 4232894706-2493093252
Opcode ID: 2a22105aa6e2776fa71f81704e31afcd89186a1d81a0e4baf2d25428db8d3324
Instruction ID: 4b79ce0a30f2bc440bb24c65e156b4dc74505418b3a4bd76f24e32f1ce4d3ef0
Opcode Fuzzy Hash: 2a22105aa6e2776fa71f81704e31afcd89186a1d81a0e4baf2d25428db8d3324
Instruction Fuzzy Hash: 30614F347142099BD700FBA9D891A9E77AA9B88304F50953BB100BB3C6CB3DED059B59

Uniqueness

Uniqueness Score: -1.00%

Function 0040EAE8 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040EB81
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040EB9D
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0040EBD6
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040EC53
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0040EC6C
VariantCopy.OLEAUT32(?), ref: 0040ECA1

Strings

, xrefs: 0040EB02

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-3916222277
Opcode ID: e097b3cb944edf1d61b756a614b49b7133427e9fd4d59051032893853cdbf4c2
Instruction ID: eb195dc6667f6abb3566a693631532629aaf4efcc67e1a21f18182354eb04d37
Opcode Fuzzy Hash: e097b3cb944edf1d61b756a614b49b7133427e9fd4d59051032893853cdbf4c2
Instruction Fuzzy Hash: 42512D759006199BCB22DB5AC881BD9B3BCAF4C304F0045EAF509F7242D639AF948F69

Uniqueness

Uniqueness Score: -1.00%

Function 004524EC Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 132windowCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 004524FF
GetWindowRect.USER32(?,?), ref: 00452559
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,?), ref: 00452591
MessageBoxA.USER32(?,?,?,?), ref: 004525D2
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,00452648), ref: 00452622
SetActiveWindow.USER32(?,00452648), ref: 00452633

Strings

(, xrefs: 00452536

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Window$Active$MessageRect
String ID: (
API String ID: 3147912190-3887548279
Opcode ID: 47d486c30f2b8ff16540ad982366f7e6148b7a0c01582ca0c5af630856615258
Instruction ID: c78b8b9a0a1657b64d5cad885165de1530d4f2b9d7957e0d2a555d423ca10d53
Opcode Fuzzy Hash: 47d486c30f2b8ff16540ad982366f7e6148b7a0c01582ca0c5af630856615258
Instruction Fuzzy Hash: AC413C75E00208AFDB04DBA9CD96FAEB7F9EB49305F14446AF901E7392D674AD008B54

Uniqueness

Uniqueness Score: -1.00%

Function 0041FE68 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 122fileCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,000009EC,00000000), ref: 0041FF0A
MulDiv.KERNEL32(?,000009EC,00000000), ref: 0041FF27
SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 0041FF53
GetEnhMetaFileHeader.GDI32(00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 0041FF73
DeleteEnhMetaFile.GDI32(00000016), ref: 0041FF94
SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC), ref: 0041FFA7

Strings

`, xrefs: 0041FEEF

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: FileMeta$Bits$DeleteHeader
String ID: `
API String ID: 1990453761-2679148245
Opcode ID: a2a3d0aaf4859e9b17caa47c6a3bf4fdb9641faef6f86bafd949e8266d41b928
Instruction ID: 5fd62f6ef73f8f00fe9145718f3398c2ff119db9b1dd46570dfaa351c284069e
Opcode Fuzzy Hash: a2a3d0aaf4859e9b17caa47c6a3bf4fdb9641faef6f86bafd949e8266d41b928
Instruction Fuzzy Hash: 1B410EB5D00208AFDB00DFA5C485AEEB7F9EF48710F10846AF904E7241D7799D45CB68

Uniqueness

Uniqueness Score: -1.00%

Function 004192C0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004192CB
GetCurrentThreadId.KERNEL32 ref: 004192DA

Part of subcall function 00419298: ResetEvent.KERNEL32(000001C8,00419315), ref: 0041929E

RtlEnterCriticalSection.NTDLL(00457868), ref: 0041931F
InterlockedExchange.KERNEL32(004553E8,?), ref: 0041933B
RtlLeaveCriticalSection.NTDLL(00457868), ref: 00419394
RtlEnterCriticalSection.NTDLL(00457868), ref: 004193F3

Strings

0pE, xrefs: 004192D0

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: CriticalSection$CurrentEnterThread$EventExchangeInterlockedLeaveReset
String ID: 0pE
API String ID: 2189153385-4070830187
Opcode ID: 24f99b26aed5fb6cda52047c8d281c2c45e257d240362127c655606001ec30e0
Instruction ID: f47ebbe8574f06b454dd58c2a075ee2126a28584cda1feb7fc91c45abda870a0
Opcode Fuzzy Hash: 24f99b26aed5fb6cda52047c8d281c2c45e257d240362127c655606001ec30e0
Instruction Fuzzy Hash: 0631F930A04708AFD701DF65D862AAEB7F8EB49704F6584B7F810D3692D73C9D41CA69

Uniqueness

Uniqueness Score: -1.00%

Function 0042403C Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 68stringCOMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00424094
GetSystemMetrics.USER32(00000000), ref: 004240A9
GetSystemMetrics.USER32(00000001), ref: 004240B4
lstrcpy.KERNEL32(?,DISPLAY), ref: 004240DE

Part of subcall function 00423B64: GetProcAddress.KERNEL32(75BD0000,00000000), ref: 00423BE4

Strings

<@B, xrefs: 00424059, 00424066, 0042406D
GetMonitorInfoW, xrefs: 00424054
DISPLAY, xrefs: 004240D5

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: System$Metrics$AddressInfoParametersProclstrcpy
String ID: <@B$DISPLAY$GetMonitorInfoW
API String ID: 2545840971-4104206284
Opcode ID: 3f895af619b30e13130e0cdc8f0a2a2bc577794c23255151521575782870c592
Instruction ID: 85b6e27fae4a6a28760b1a05f16f2310ab3ec7201f05fdc20dd3408ffdff8636
Opcode Fuzzy Hash: 3f895af619b30e13130e0cdc8f0a2a2bc577794c23255151521575782870c592
Instruction Fuzzy Hash: 281136717053205FD720CF64AC047ABB7E8EB45311F40893FEE1597281D7B5AA90C7A8

Uniqueness

Uniqueness Score: -1.00%

Function 00423E94 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68stringCOMMON

Download Yara Rule

APIs

GetMonitorInfoA.USER32(?,?), ref: 00423EC5
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00423EEC
GetSystemMetrics.USER32(00000000), ref: 00423F01
GetSystemMetrics.USER32(00000001), ref: 00423F0C
lstrcpy.KERNEL32(?,DISPLAY), ref: 00423F36

Part of subcall function 00423B64: GetProcAddress.KERNEL32(75BD0000,00000000), ref: 00423BE4

Strings

DISPLAY, xrefs: 00423F2D
GetMonitorInfo, xrefs: 00423EAC

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: System$InfoMetrics$AddressMonitorParametersProclstrcpy
String ID: DISPLAY$GetMonitorInfo
API String ID: 1539801207-1633989206
Opcode ID: fe1a97b85135e1dc889cde56dfdffca43858571e180c0134b544ea247fbf4660
Instruction ID: 3d4906fac2e28319e77036b7699f1fe43c6c878890191fbc21946bcf31dbf4d4
Opcode Fuzzy Hash: fe1a97b85135e1dc889cde56dfdffca43858571e180c0134b544ea247fbf4660
Instruction Fuzzy Hash: 1A112172B113649FE3209F24BC44BA7B7F8EB05712F41443FF85597281C378A9408BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00423F68 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 68stringCOMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00423FC0
GetSystemMetrics.USER32(00000000), ref: 00423FD5
GetSystemMetrics.USER32(00000001), ref: 00423FE0
lstrcpy.KERNEL32(?,DISPLAY), ref: 0042400A

Part of subcall function 00423B64: GetProcAddress.KERNEL32(75BD0000,00000000), ref: 00423BE4

Strings

h?B, xrefs: 00423F85, 00423F92, 00423F99
GetMonitorInfoA, xrefs: 00423F80
DISPLAY, xrefs: 00424001

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: System$Metrics$AddressInfoParametersProclstrcpy
String ID: DISPLAY$GetMonitorInfoA$h?B
API String ID: 2545840971-960080885
Opcode ID: 2e60abdc80bcbeb838f7c912902b5d9f7c71767d6da0460b0bd41ba0bc634e03
Instruction ID: 82b1db52922ee95fca7250ba542f93181c3cec3f8cdd39d6bc826861ec7d018a
Opcode Fuzzy Hash: 2e60abdc80bcbeb838f7c912902b5d9f7c71767d6da0460b0bd41ba0bc634e03
Instruction Fuzzy Hash: E211E4717013249FD720DF25AC44BA7B7E8EB49311F40443FEE099B281D674A880CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401AC0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(004575C8), ref: 00401AED
LocalFree.KERNEL32(00544FF0,00000000,00401B96), ref: 00401AFF
VirtualFree.KERNEL32(?,00000000,00008000,00544FF0,00000000,00401B96), ref: 00401B1E
LocalFree.KERNEL32(00545FF0,?,00000000,00008000,00544FF0,00000000,00401B96), ref: 00401B5D
RtlLeaveCriticalSection.NTDLL(004575C8), ref: 00401B86
RtlDeleteCriticalSection.NTDLL(004575C8), ref: 00401B90

Strings

$fT, xrefs: 00401B0B, 00401B25, 00401B2D

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID: $fT
API String ID: 3782394904-2678353634
Opcode ID: d687a1042bb5589a19c8275a1315c79636e40e1ff3b915422276dff362cd546d
Instruction ID: a2b8fae74a7601290724da3be73f4de4e5c79cc36bdac2d19bb199357ab56970
Opcode Fuzzy Hash: d687a1042bb5589a19c8275a1315c79636e40e1ff3b915422276dff362cd546d
Instruction Fuzzy Hash: 22118E706087486AE715AB69BC45B1A3BE8A745715F9040BBF804A6AF3F77CE844871C

Uniqueness

Uniqueness Score: -1.00%

Function 00403CD0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38filewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D9E,?,?,?,?,?,?,?,00403E3E,004027CB), ref: 00403D09
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D9E,?,?,?,?,?,?,?,00403E3E), ref: 00403D0F
GetStdHandle.KERNEL32(000000F5,00403D58,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D9E), ref: 00403D24
WriteFile.KERNEL32(00000000,000000F5,00403D58,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,00403D9E), ref: 00403D2A
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D48

Strings

Error, xrefs: 00403D3C
Runtime error at 00000000, xrefs: 00403D02, 00403D41

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000
API String ID: 1570097196-2970929446
Opcode ID: 8cddfe5b814e4c6bfe7b809da2effd6c90d921feeab10e1aef6de1231959619c
Instruction ID: 3c0037c8f9f06badeb06386af506387736f5f72454abbfe5cc63cecaca823efe
Opcode Fuzzy Hash: 8cddfe5b814e4c6bfe7b809da2effd6c90d921feeab10e1aef6de1231959619c
Instruction Fuzzy Hash: EEF096616C938078EA20B7946C17F6E264C5744F27F244ABFB614B80E387BC89C4D66D

Uniqueness

Uniqueness Score: -1.00%

Function 00421774 Relevance: 12.2, APIs: 8, Instructions: 217windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00421D04: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,0042093B,00000000,004209C7), ref: 00421D9D

GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 00421819
SetStretchBltMode.GDI32(?,00000004), ref: 00421827
SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 0042183F
SetStretchBltMode.GDI32(00000000,00000003), ref: 0042185C
SelectObject.GDI32(?,?), ref: 004218D1
SelectObject.GDI32(?,00000000), ref: 00421930
DeleteDC.GDI32(00000000), ref: 0042193F

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: BrushModeObjectSelectStretch$CreateDeleteHalftonePalette
String ID:
API String ID: 2197772979-0
Opcode ID: b310130bea0fc90bd593b8538faf18fd4db419661ce05483e878f22b327837d5
Instruction ID: ff95ec8975555167c15d770c9bb0aa272268bd28cc4777121a81b5f7a5d60943
Opcode Fuzzy Hash: b310130bea0fc90bd593b8538faf18fd4db419661ce05483e878f22b327837d5
Instruction Fuzzy Hash: 38715DB5B00205AFDB50EFA9C985F9AB7F8AF08304F51456AF508E7392D638ED40CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0044EE8C Relevance: 12.1, APIs: 8, Instructions: 144windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 0044EEFD
GetCapture.USER32 ref: 0044EF0C
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 0044EF12
ReleaseCapture.USER32 ref: 0044EF17
GetActiveWindow.USER32 ref: 0044EF3E
SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 0044EFD4
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 0044F041
GetActiveWindow.USER32 ref: 0044F050

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: CaptureMessageSend$ActiveWindow$Release
String ID:
API String ID: 862346643-0
Opcode ID: 7349f2ee1fde79b81b89f41f8dc902fd5878b36bae0c06892f1a879cc491673c
Instruction ID: b6ca87acf413b6ad07b14532af5c2bdb4d8811002945c753866550132c649da0
Opcode Fuzzy Hash: 7349f2ee1fde79b81b89f41f8dc902fd5878b36bae0c06892f1a879cc491673c
Instruction Fuzzy Hash: 26512D74A04244EFE710EF66D946B5A77F5EB48704F6540BAF804AB3A2D779AD00CB18

Uniqueness

Uniqueness Score: -1.00%

Function 0041DAA4 Relevance: 12.1, APIs: 8, Instructions: 131windowCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,00000018,?), ref: 0041DAE5
SelectObject.GDI32(?,?), ref: 0041DB76
SelectObject.GDI32(?,00000000), ref: 0041DB85
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 0041DBB1
SelectObject.GDI32(?,00000000), ref: 0041DBBF
SelectObject.GDI32(?,00000000), ref: 0041DBCD
DeleteDC.GDI32(?), ref: 0041DBE3
DeleteDC.GDI32(?), ref: 0041DBEC

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Object$Select$Delete$Stretch
String ID:
API String ID: 3399755780-0
Opcode ID: 88fccc4a4e4401c4ebd0333dcfee4e3e0c2dee9169e125c52cb9cad83764bd9f
Instruction ID: 42e2982d0c07ac33cc1702a0dd27c7263410dd2fa205875626944bac87ef29c3
Opcode Fuzzy Hash: 88fccc4a4e4401c4ebd0333dcfee4e3e0c2dee9169e125c52cb9cad83764bd9f
Instruction Fuzzy Hash: 924101B1E44209AFDB10DBE9CC42FAFB7BCEB08704F124426F606F7281D679A9508764

Uniqueness

Uniqueness Score: -1.00%

Function 0043741C Relevance: 12.1, APIs: 8, Instructions: 123COMMON

Download Yara Rule

APIs

SaveDC.GDI32 ref: 00437432

Part of subcall function 00431540: GetWindowOrgEx.GDI32(?), ref: 0043154E
Part of subcall function 00431540: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 00431564

IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00437453
GetWindowLongA.USER32(00000000,000000EC), ref: 00437469
GetWindowLongA.USER32(00000000,000000F0), ref: 0043748B
SetRect.USER32(?,00000000,00000000,?,?), ref: 004374B7
DrawEdge.USER32(?,?,?,00000000), ref: 004374C6
IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 004374EB
RestoreDC.GDI32(?,?), ref: 0043755C

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Window$Rect$ClipIntersectLong$DrawEdgeRestoreSave
String ID:
API String ID: 2976466617-0
Opcode ID: f32056339b0e1c640e7c5039370f2d44db3778bc1e8333b48252d8c381be545f
Instruction ID: 713033029dacc1d78700b31d9ee16028be0ebefc679cb614dc46180a946b9f15
Opcode Fuzzy Hash: f32056339b0e1c640e7c5039370f2d44db3778bc1e8333b48252d8c381be545f
Instruction Fuzzy Hash: 07416471B041146BDB10EF99CC81FAF77A9AF48314F10516AFA05EB392D678DD018798

Uniqueness

Uniqueness Score: -1.00%

Function 00442740 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 187windowCOMMON

Download Yara Rule

APIs

InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 004428EC
GetVersion.KERNEL32(00000000,0044299B), ref: 004427DC

Part of subcall function 00442C50: CreatePopupMenu.USER32 ref: 00442C6B

Strings

,, xrefs: 004427F0
?, xrefs: 004427F7

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Menu$CreateInsertItemPopupVersion
String ID: ,$?
API String ID: 133695497-2308483597
Opcode ID: 0714b415deceada31faf78fc51aaf16f8d3627f386dbe3a6e41ea405b20bf1cd
Instruction ID: 1b7fdc2b096c9fb67c38d85349ea91abe738cd6c9633c7d2a7b0fd753e4872e7
Opcode Fuzzy Hash: 0714b415deceada31faf78fc51aaf16f8d3627f386dbe3a6e41ea405b20bf1cd
Instruction Fuzzy Hash: 80612030A003449BEB11EF6ACD816AE7BE5BF49300F8445BAF840E7396E778D845CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004500AC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 125registryCOMMON

Download Yara Rule

APIs

GetKeyboardLayoutList.USER32(00000040,?,00000000,00450257,?,020F12E8,?,004502B9,00000000,?,004351AF), ref: 00450102
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,00020019,?,00000040,?,00000000,00450257,?,020F12E8,?,004502B9,00000000,?,004351AF), ref: 0045016A
RegQueryValueExA.ADVAPI32(?,layout text,00000000,00000000,?,?,00000000,00450213,?,80000002,00000000,00000000,00020019,?,00000040,?), ref: 004501A4
RegCloseKey.ADVAPI32(?,0045021A,00000000,?,?,00000000,00450213,?,80000002,00000000,00000000,00020019,?,00000040,?,00000000), ref: 0045020D

Strings

System\CurrentControlSet\Control\Keyboard Layouts\%.8x, xrefs: 00450154
layout text, xrefs: 0045019B

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: CloseKeyboardLayoutListOpenQueryValue
String ID: System\CurrentControlSet\Control\Keyboard Layouts\%.8x$layout text
API String ID: 1703357764-2652665750
Opcode ID: 28b526f8ab4202f5437280ef027efee10a78b3975ee8f338ec9cea4e33ee96bb
Instruction ID: 69fca651711efc1f59fa06064c3af1e9cc0b741d16560d07d2c151e71b18603d
Opcode Fuzzy Hash: 28b526f8ab4202f5437280ef027efee10a78b3975ee8f338ec9cea4e33ee96bb
Instruction Fuzzy Hash: BC416978A046099FDB10DF95C985B9EB7F8EB48305F5040E6E904E7392D778AE04CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004336B4 Relevance: 10.6, APIs: 7, Instructions: 122windowCOMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 004336EB
SelectObject.GDI32(?,00000000), ref: 00433721
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 00433747
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 00433769
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 00433788
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 004337A2
SelectObject.GDI32(?,?), ref: 004337AF

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: ObjectSelect$DesktopWindow
String ID:
API String ID: 2666862715-0
Opcode ID: f786a857da8f479830cb9f5fe9ea4d51fa701163b64f14dc77fbbb6e96b5aacb
Instruction ID: c18c82f711aa2c11210e670bea90b027893c0057e945c1f42dd73251a943b1c6
Opcode Fuzzy Hash: f786a857da8f479830cb9f5fe9ea4d51fa701163b64f14dc77fbbb6e96b5aacb
Instruction Fuzzy Hash: AB312DB6A00219BFDB40DEEDCC85DAFBBBCEF09704B414569B504F7281C679AD048B64

Uniqueness

Uniqueness Score: -1.00%

Function 00454298 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 75COMMON

Download Yara Rule

APIs

Part of subcall function 00451E88: GetWindowTextA.USER32(?,?,00000100), ref: 00451EAB

GetTickCount.KERNEL32 ref: 004542CC

Part of subcall function 0040965C: GetLocalTime.KERNEL32(?), ref: 00409664

Part of subcall function 00451ED4: SetWindowTextA.USER32(?,00000000), ref: 00451F21

Strings

RDP Admin Restore, xrefs: 00454302
"Windows started on "dddd, d mmmm, yyyy, "at" hh:nn:ss AM/PM, xrefs: 00454315
Uptime: , xrefs: 00454327
days,, xrefs: 00454341
h "hours," n "minutes," s "seconds", xrefs: 0045434F

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: TextWindow$CountLocalTickTime
String ID: days,$ h "hours," n "minutes," s "seconds"$"Windows started on "dddd, d mmmm, yyyy, "at" hh:nn:ss AM/PM$RDP Admin Restore$Uptime:
API String ID: 1223478798-4145212424
Opcode ID: 3e2bcd335c642750c67e70741a147f9949c60f6ee505a5f3ccb5b14e3d95b04b
Instruction ID: 248153d36d15b584174674eca7047f2696d25306f2b452e597def70220bcab9e
Opcode Fuzzy Hash: 3e2bcd335c642750c67e70741a147f9949c60f6ee505a5f3ccb5b14e3d95b04b
Instruction Fuzzy Hash: 6221BD30A00309AFCF00EF91D8429DEBBB5FF88709F50446AF800B62A2C7395964DB69

Uniqueness

Uniqueness Score: -1.00%

Function 0045035C Relevance: 10.6, APIs: 7, Instructions: 57threadwindowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 00450377
WindowFromPoint.USER32(?,?), ref: 00450384
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00450392
GetCurrentThreadId.KERNEL32 ref: 00450399
SendMessageA.USER32(00000000,00000084,00000000,00000000), ref: 004503B2
SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 004503C9
SetCursor.USER32(00000000), ref: 004503DB

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
String ID:
API String ID: 1770779139-0
Opcode ID: 3619f4bbe49fd4f845677722e6f93317df3ee6c307d023c7f5abb0abf3bd53be
Instruction ID: 51f00424ca2c0897c08ea7d86530c20efe3c9efc25d5adc6e5c55696d2a05744
Opcode Fuzzy Hash: 3619f4bbe49fd4f845677722e6f93317df3ee6c307d023c7f5abb0abf3bd53be
Instruction Fuzzy Hash: 9801DF262013003BD6203A361C86F7F2568CB81B5AF51053FBD06BB2C3EA7E9C1592BD

Uniqueness

Uniqueness Score: -1.00%

Function 0044BEB0 Relevance: 9.2, APIs: 6, Instructions: 150COMMON

Download Yara Rule

APIs

FillRect.USER32(?,?), ref: 0044BF29
GetClientRect.USER32(00000000,?), ref: 0044BF54
FillRect.USER32(?,?,00000000), ref: 0044BF73

Part of subcall function 0044BE24: CallWindowProcA.USER32(?,?,?,?,?), ref: 0044BE5E

BeginPaint.USER32(?,?), ref: 0044BFEB
GetWindowRect.USER32(?,?), ref: 0044C018
EndPaint.USER32(?,?,0044C08C), ref: 0044C078

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Rect$FillPaintWindow$BeginCallClientProc
String ID:
API String ID: 901200654-0
Opcode ID: 6d6fd959c51a2c6519b49bc8cb121a686568313aac4915b393d99989b15f6060
Instruction ID: a77825f4bebf325d8837fe48c0a9f01247ada9d930b319b46d7a0813df43a50a
Opcode Fuzzy Hash: 6d6fd959c51a2c6519b49bc8cb121a686568313aac4915b393d99989b15f6060
Instruction Fuzzy Hash: 4951F930900108EFDB50DBE9C989A9EB7F8EB49314F1581A6E508EB352C738EE45CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00437570 Relevance: 9.1, APIs: 6, Instructions: 133COMMON

Download Yara Rule

APIs

SelectObject.GDI32(00000000,?), ref: 00437601
BeginPaint.USER32(00000000,?,00000000,004376C2,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 00437623
EndPaint.USER32(00000000,?,00000000,00000000,00000000,?,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 00437690
SelectObject.GDI32(00000000,?), ref: 004376AA
DeleteDC.GDI32(00000000), ref: 004376B3
DeleteObject.GDI32(?), ref: 004376BC

Part of subcall function 00437094: BeginPaint.USER32(00000000,?), ref: 004370BA
Part of subcall function 00437094: EndPaint.USER32(00000000,?,004371BB), ref: 004371AE

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Paint$Object$BeginDeleteSelect
String ID:
API String ID: 1227948915-0
Opcode ID: 5153a285081d699170f1bed451637ec3ae07b5a207a543d86c83ce1c7f6d680b
Instruction ID: 5ee0010d2563e0273e015c08181a35bfdcaaf2fa8081ab52920779d5e56e3496
Opcode Fuzzy Hash: 5153a285081d699170f1bed451637ec3ae07b5a207a543d86c83ce1c7f6d680b
Instruction Fuzzy Hash: F9414F71B04204AFC710EBA9CC86F9EB7F8AB4C304F10447AF906EB291DA79DD058B54

Uniqueness

Uniqueness Score: -1.00%

Function 0042F9F8 Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowLongA.USER32(?,000000FC,?), ref: 0042FA20
GetWindowLongA.USER32(?,000000F0), ref: 0042FA2B
GetWindowLongA.USER32(?,000000F4), ref: 0042FA3D
SetWindowLongA.USER32(?,000000F4,?), ref: 0042FA50
SetPropA.USER32(?,00000000,00000000), ref: 0042FA67
SetPropA.USER32(?,00000000,00000000), ref: 0042FA7E

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: LongWindow$Prop
String ID:
API String ID: 3887896539-0
Opcode ID: a941c5b60c362f6c4be1762bfcc6f3123e8300ce076865673a55bd8d90d4aac1
Instruction ID: 11647139e794d98a95748cfd39ddfe1def9ddcb375a1d7fb6c6698d14ed6be96
Opcode Fuzzy Hash: a941c5b60c362f6c4be1762bfcc6f3123e8300ce076865673a55bd8d90d4aac1
Instruction Fuzzy Hash: 34110D75504208BFCB00DF99DC84EAA37A8BB08365F144635F919DB2A2D735EA50DB68

Uniqueness

Uniqueness Score: -1.00%

Function 0041D868 Relevance: 9.0, APIs: 6, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 0041CFFC: CreateBrushIndirect.GDI32(?), ref: 0041D0A6

UnrealizeObject.GDI32(00000000), ref: 0041D874
SelectObject.GDI32(?,00000000), ref: 0041D886
SetBkColor.GDI32(?,00000000), ref: 0041D8A9
SetBkMode.GDI32(?,00000002), ref: 0041D8B4
SetBkColor.GDI32(?,00000000), ref: 0041D8CF
SetBkMode.GDI32(?,00000001), ref: 0041D8DA

Part of subcall function 0041C33C: GetSysColor.USER32(?), ref: 0041C346

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
String ID:
API String ID: 3527656728-0
Opcode ID: e8f072ecde125f76ea8caef5a2bc52dc88cdb36245a126bcec2d07e1d9e5ddca
Instruction ID: d22a2bb22f29350ec6586fe9e90c27ba5bc9873044935b3c4b7315c373256def
Opcode Fuzzy Hash: e8f072ecde125f76ea8caef5a2bc52dc88cdb36245a126bcec2d07e1d9e5ddca
Instruction Fuzzy Hash: 93F0CDB16401009BDA00FFAADDC6E4B3B9C9F0830970040AAB905EF287CA7CE8615739

Uniqueness

Uniqueness Score: -1.00%

Function 00405AC9 Relevance: 9.0, APIs: 6, Instructions: 41threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00402F44: GetKeyboardType.USER32(00000000), ref: 00402F49
Part of subcall function 00402F44: GetKeyboardType.USER32(00000001), ref: 00402F55

GetCommandLineA.KERNEL32 ref: 00405B2F
GetVersion.KERNEL32 ref: 00405B43
GetVersion.KERNEL32 ref: 00405B54
GetCurrentThreadId.KERNEL32 ref: 00405B90

Part of subcall function 00402F74: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402F96
Part of subcall function 00402F74: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00402FE5,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FC9
Part of subcall function 00402F74: RegCloseKey.ADVAPI32(?,00402FEC,00000000,?,00000004,00000000,00402FE5,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FDF

GetThreadLocale.KERNEL32 ref: 00405B70

Part of subcall function 00405A00: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00405A66), ref: 00405A26

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: KeyboardLocaleThreadTypeVersion$CloseCommandCurrentInfoLineOpenQueryValue
String ID:
API String ID: 3734044017-0
Opcode ID: 182c47c6635438d3bd51823ec064eda802c9569e1df5ffcbb88f0d824f82f8cc
Instruction ID: 1cd44a7518bbc24a9db302624f405e445d8d6538355202b659b039828fecc3eb
Opcode Fuzzy Hash: 182c47c6635438d3bd51823ec064eda802c9569e1df5ffcbb88f0d824f82f8cc
Instruction Fuzzy Hash: 2401C0A440874599E710BFB2BC0A35A3AB0AB0134AF5040BFE400B62F3E73C91449FAE

Uniqueness

Uniqueness Score: -1.00%

Function 0043D798 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 287COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 0043D9D8
SetCursor.USER32(00000000,?,00000000,0043DB70), ref: 0043DA6A

Strings

8}D, xrefs: 0043D99E
{E, xrefs: 0043DA5D

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Cursor
String ID: 8}D${E
API String ID: 3268636600-2158138060
Opcode ID: e4233da1c8f60a74aca8865c079ebf9c3c5ebc7db4ee7924cdab32f126f3f54b
Instruction ID: c8850904b4a6a0e48fa97016291804e536ef60362ca76e45bbf6604309cf21be
Opcode Fuzzy Hash: e4233da1c8f60a74aca8865c079ebf9c3c5ebc7db4ee7924cdab32f126f3f54b
Instruction Fuzzy Hash: 80C12831E00609CBCB10DFA9D98599EF7F1BF48304F2595AAE811AB255DB38FE41CB48

Uniqueness

Uniqueness Score: -1.00%

Function 00430B14 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 204COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00430B88
GetDesktopWindow.USER32 ref: 00430CAD
SetCursor.USER32(00000000), ref: 00430D02

Part of subcall function 0043AFB8: ShowCursor.USER32(000000FF,00000000,?,00430CDD), ref: 0043AFEF

SetCursor.USER32(00000000), ref: 00430CED

Strings

{E, xrefs: 00430CE0, 00430CF5

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Cursor$DesktopWindow$Show
String ID: {E
API String ID: 110329033-776765886
Opcode ID: 5036b034ddc76329156a08097d90d14b5bceeb956c790d2b9da71b21a4d1a403
Instruction ID: 2ed0da0086b02ed93d2aeadec3a4c765b71e8b23af19b84055746b9266284bd1
Opcode Fuzzy Hash: 5036b034ddc76329156a08097d90d14b5bceeb956c790d2b9da71b21a4d1a403
Instruction Fuzzy Hash: 3A916D346093418FD704DF69E894A56B7E6BB48309F14D67AE8448B3A3D738FC45CB49

Uniqueness

Uniqueness Score: -1.00%

Function 00430754 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 0043077B
IsWindowVisible.USER32(00000000), ref: 004307F9

Part of subcall function 00430710: IsChild.USER32(00000000,00000000), ref: 00430740

PtInRect.USER32(?,?,?), ref: 00430854

Strings

*C, xrefs: 00430891
*C, xrefs: 004308A3

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: ChildRectStateVisibleWindow
String ID: *C$*C
API String ID: 2086824273-1205451692
Opcode ID: c1487effff5de6ef65eed8443085cc5e446a1a83fef5c574e46c4b0ad7e871ff
Instruction ID: 423fa200bf08109c8dbdcd22230082c6c8e9eee69892bd83a2a93c0e14f11c31
Opcode Fuzzy Hash: c1487effff5de6ef65eed8443085cc5e446a1a83fef5c574e46c4b0ad7e871ff
Instruction Fuzzy Hash: 5F419F30A0020A9FDB04EF99D891AEFB7B5EF08315F155676E500A7392C738AD41CBD9

Uniqueness

Uniqueness Score: -1.00%

Function 0040B790 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 107COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040B94B), ref: 0040B7FB
GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0040B94B), ref: 0040B81D

Part of subcall function 004059A8: LoadStringA.USER32(00000000,00010000,?,00000400), ref: 004059D9

Strings

Hk@, xrefs: 0040B7E4
@k@, xrefs: 0040B7D5
k@, xrefs: 0040B8A0

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: FileLoadModuleNameQueryStringVirtual
String ID: @k@$Hk@$k@
API String ID: 902310565-2583435964
Opcode ID: 9e3c44bb3c3c4172c56d9baf35feaf8e9538a1f18f64abf41aadebd31a16759a
Instruction ID: 1750e83cb31a5f49cd91596b3b5ed3704ac0f94e9066e0d42fbe53bd43043e20
Opcode Fuzzy Hash: 9e3c44bb3c3c4172c56d9baf35feaf8e9538a1f18f64abf41aadebd31a16759a
Instruction Fuzzy Hash: 8441E770900658DFDB61DF64CC81BDAB7B8EB49305F5040EAE508AB391D778AE84CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0042041C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,?,000009EC), ref: 0042046E
MulDiv.KERNEL32(?,?,000009EC), ref: 00420485
GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?,00000000,00420557,?,00000000,?,?,000009EC,?,?,000009EC), ref: 004204C0
GetWinMetaFileBits.GDI32(?,?,?,00000008,?,00000000,00420537,?,?,00000000,00000000,00000008,?,00000000,00420557), ref: 004204F3

Strings

`, xrefs: 00420454

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: BitsFileMeta
String ID: `
API String ID: 858000408-2679148245
Opcode ID: eb31e49c0132f188e72fce5420c31cf0d650a354ca3d8765f98a47176691f4e1
Instruction ID: d1f1dc225d96761a7e07da76bb0f3940da6c33bf51489f83b789e6018a568944
Opcode Fuzzy Hash: eb31e49c0132f188e72fce5420c31cf0d650a354ca3d8765f98a47176691f4e1
Instruction Fuzzy Hash: 0C315875A00208ABDB00DFD5D881AFEB7F8EF08714F514466F904FB282D6789E40DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00440BA4 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 80libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(comctl32.dll), ref: 00440BD8
GetProcAddress.KERNEL32(00000000,ImageList_WriteEx), ref: 00440BE9

Strings

comctl32.dll, xrefs: 00440BD3
ImageList_WriteEx, xrefs: 00440BE3
comctl32.dll, xrefs: 00440BB8

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: ImageList_WriteEx$comctl32.dll$comctl32.dll
API String ID: 1646373207-3125200627
Opcode ID: 09678f9343b06abf08508fee3447bff0a95a45bc3f91c1fbb6427fd460f65397
Instruction ID: 87988ad361dc96410b918e49b58f97fa8ec7d9d8a0905b6934ff17ed4f64c80a
Opcode Fuzzy Hash: 09678f9343b06abf08508fee3447bff0a95a45bc3f91c1fbb6427fd460f65397
Instruction Fuzzy Hash: 17219031604701DBE714AF35AD95B2A3AACEB45749B50417AFA04E72A2DA7CED10872C

Uniqueness

Uniqueness Score: -1.00%

Function 004192BE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004192CB
GetCurrentThreadId.KERNEL32 ref: 004192DA
RtlEnterCriticalSection.NTDLL(00457868), ref: 0041931F
InterlockedExchange.KERNEL32(004553E8,?), ref: 0041933B

Strings

0pE, xrefs: 004192D0

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: CurrentThread$CriticalEnterExchangeInterlockedSection
String ID: 0pE
API String ID: 2380408948-4070830187
Opcode ID: 20a45da9d323f001b65ec0d886a15f586ac5a8f1d4d900f55b23bf1306a076b7
Instruction ID: 6c3067d1ff0e785511c39e3c35fa28d3dbe6915327d64716a6bf89d7d94444fc
Opcode Fuzzy Hash: 20a45da9d323f001b65ec0d886a15f586ac5a8f1d4d900f55b23bf1306a076b7
Instruction Fuzzy Hash: C8219530A04708AFD700DB65C866BAFB7F8EB09704F558476F810A32A2D77C9E85CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00445F30 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 58windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 00445F7E
SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 00445FD0
DrawMenuBar.USER32(00000000), ref: 00445FDD

Strings

P, xrefs: 00445F70
@wE, xrefs: 00445F37

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: @wE$P
API String ID: 3227129158-2230044680
Opcode ID: cd408e7d32d1b55614ca48af7e913c6d73e7eccd917e963b9385095b68ac7024
Instruction ID: 56c2b4eb451c91bf0dc9e66df738c6e09bccd7601095876377227ae6f906b0e3
Opcode Fuzzy Hash: cd408e7d32d1b55614ca48af7e913c6d73e7eccd917e963b9385095b68ac7024
Instruction Fuzzy Hash: 77119D302056006BE7109F28CC81B4E7AD8AB85314F24866AF494CB3D6D679C888C78A

Uniqueness

Uniqueness Score: -1.00%

Function 00453CB0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 52COMMON

Download Yara Rule

APIs

ShellExecuteA.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000001), ref: 00453D11

Strings

Bad Password! If you want to buy "RPD Admin Restore" write to official developer! E-mail: sllrdp@yahoo.com, xrefs: 00453D1F
cmd.exe, xrefs: 00453CFF
open, xrefs: 00453D04
RDP Admin Restore, xrefs: 00453D1A

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: ExecuteShell
String ID: Bad Password! If you want to buy "RPD Admin Restore" write to official developer! E-mail: sllrdp@yahoo.com$RDP Admin Restore$cmd.exe$open
API String ID: 587946157-933121242
Opcode ID: 98ea000fdd276799e0274148750296b20fcd98a6c107847516bd1f26e1df8566
Instruction ID: 4db17eff587d3421142c3f81c85f98a03ffe13709aeb4c4fc4ac0424dada730b
Opcode Fuzzy Hash: 98ea000fdd276799e0274148750296b20fcd98a6c107847516bd1f26e1df8566
Instruction Fuzzy Hash: 7D015B30740304BBD710EE65DC52F9A77B8DB48B46F614577B901A7292CABCEE08865C

Uniqueness

Uniqueness Score: -1.00%

Function 00453DEC Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 52COMMON

Download Yara Rule

APIs

ShellExecuteA.SHELL32(00000000,open,taskmgr.exe,00000000,00000000,00000001), ref: 00453E4D

Strings

RDP Admin Restore, xrefs: 00453E56
Bad Password! If you want to buy "RPD Admin Restore" write to official developer! E-mail: sllrdp@yahoo.com, xrefs: 00453E5B
open, xrefs: 00453E40
taskmgr.exe, xrefs: 00453E3B

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: ExecuteShell
String ID: Bad Password! If you want to buy "RPD Admin Restore" write to official developer! E-mail: sllrdp@yahoo.com$RDP Admin Restore$open$taskmgr.exe
API String ID: 587946157-2043593862
Opcode ID: d4f5cda00bce105efb1beb87bc7dc81ccd1130b8fe901381ac0e43abeae6f254
Instruction ID: 6e42046e11c2595e5ae1113d5c3678ec9e52c4cc2be42100e83ab1bdc43e5fc7
Opcode Fuzzy Hash: d4f5cda00bce105efb1beb87bc7dc81ccd1130b8fe901381ac0e43abeae6f254
Instruction Fuzzy Hash: 76015E31740304ABD710EE61DC53F5A77E8D748B47F614576B900A7292CAB8EE08864C

Uniqueness

Uniqueness Score: -1.00%

Function 00453F2C Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 52COMMON

Download Yara Rule

APIs

ShellExecuteA.SHELL32(00000000,open,lusrmgr.msc,00000000,00000000,00000001), ref: 00453F8D

Strings

lusrmgr.msc, xrefs: 00453F7B
open, xrefs: 00453F80
Bad Password! If you want to buy "RPD Admin Restore" write to official developer! E-mail: sllrdp@yahoo.com, xrefs: 00453F9B
RDP Admin Restore, xrefs: 00453F96

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: ExecuteShell
String ID: Bad Password! If you want to buy "RPD Admin Restore" write to official developer! E-mail: sllrdp@yahoo.com$RDP Admin Restore$lusrmgr.msc$open
API String ID: 587946157-2325833819
Opcode ID: 6ee5fd389fd7803c3736113ecbed8e4349dda0d017ef510150492d32b55778f5
Instruction ID: 12ebc486f294e42bb6c50b0e9269d527caf9eb6e3cc0e33b05ab867baf255090
Opcode Fuzzy Hash: 6ee5fd389fd7803c3736113ecbed8e4349dda0d017ef510150492d32b55778f5
Instruction Fuzzy Hash: 7D015E32B44304BBD710EE61DC52F5A77A8E748B4AF614577F900A72D2DABCEA04865C

Uniqueness

Uniqueness Score: -1.00%

Function 00402F74 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402F96
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00402FE5,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FC9
RegCloseKey.ADVAPI32(?,00402FEC,00000000,?,00000004,00000000,00402FE5,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402FDF

Strings

FPUMaskValue, xrefs: 00402FC0
SOFTWARE\Borland\Delphi\RTL, xrefs: 00402F8C

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3677997916-4173385793
Opcode ID: 20564dede97b4254f3f2801c7953b15dfdb44dc3439c9a0b6e15dd72165f089b
Instruction ID: 08033cc5f34645b339690b0924f746be98f0c3d12c8297cdba6718cf65266f08
Opcode Fuzzy Hash: 20564dede97b4254f3f2801c7953b15dfdb44dc3439c9a0b6e15dd72165f089b
Instruction Fuzzy Hash: E6019279A00309BADB11DB90DC52FBE77BCEB08B01F5001B6B900F65D1E6789A10D75C

Uniqueness

Uniqueness Score: -1.00%

Function 00442CE0 Relevance: 7.7, APIs: 5, Instructions: 162COMMON

Download Yara Rule

APIs

DrawEdge.USER32(00000000,?,00000006,00000002), ref: 00442DAF
OffsetRect.USER32(?,00000001,00000001), ref: 00442E00
DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 00442E35
OffsetRect.USER32(?,000000FF,000000FF), ref: 00442E42
DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 00442EA9

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Draw$OffsetRectText$Edge
String ID:
API String ID: 3610532707-0
Opcode ID: cc20478ed3c651e2fab5e437044963fdcc09f3383fc53349638dbcb130a17623
Instruction ID: e909588104d126fefd4cfcc0db25118ba83d24f84fa8747c0b9b48ddaa4bfe02
Opcode Fuzzy Hash: cc20478ed3c651e2fab5e437044963fdcc09f3383fc53349638dbcb130a17623
Instruction Fuzzy Hash: 1A51A2B0E00604AFEB10EBA9C981B9F77A5AF45314F648167F910A7396C7BCDD40875C

Uniqueness

Uniqueness Score: -1.00%

Function 0042B554 Relevance: 7.6, APIs: 5, Instructions: 110COMMON

Download Yara Rule

APIs

OffsetRect.USER32(?,00000001,00000001), ref: 0042B5EE
DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 0042B626
OffsetRect.USER32(?,000000FF,000000FF), ref: 0042B630
DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 0042B668
DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 0042B68F

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: DrawText$OffsetRect
String ID:
API String ID: 1886049697-0
Opcode ID: 62ea00ac947afae7d4b5afa9c771e1063f09dd33cfbb504f1fccafdef2a04ffd
Instruction ID: f5f004cfdde6f6e0baa86955137b68a9834e10f28b0423c79b533fcd1dedbf93
Opcode Fuzzy Hash: 62ea00ac947afae7d4b5afa9c771e1063f09dd33cfbb504f1fccafdef2a04ffd
Instruction Fuzzy Hash: 43318270600114AFDB15FB69CC85B8B7BA9EF49314F5501BAB808EB296CB799D4087A8

Uniqueness

Uniqueness Score: -1.00%

Function 00437094 Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

BeginPaint.USER32(00000000,?), ref: 004370BA
SaveDC.GDI32(?), ref: 004370EE
ExcludeClipRect.GDI32(?,?,?,?,?,?), ref: 00437150
RestoreDC.GDI32(?,?), ref: 0043717A
EndPaint.USER32(00000000,?,004371BB), ref: 004371AE

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Paint$BeginClipExcludeRectRestoreSave
String ID:
API String ID: 3808407030-0
Opcode ID: 0416a2f0bf98edf925749da828e1b04f8f963ff3682d75bca4bd3a59bf172f9a
Instruction ID: a1a8aaae436b6a845ac31da97be01534733138528a9352a2b7d8427b56bd8c0d
Opcode Fuzzy Hash: 0416a2f0bf98edf925749da828e1b04f8f963ff3682d75bca4bd3a59bf172f9a
Instruction Fuzzy Hash: 4C4182B1A042049FCB24DF99C885F9EB7F9EF4C304F1590AAE9449B362D7399D44CB18

Uniqueness

Uniqueness Score: -1.00%

Function 00442B20 Relevance: 7.6, APIs: 5, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69c778ba4f1800a2a6a12381bf609e66e495d784d739c13becbe2ff6d526c13b
Instruction ID: 369c368e7f73a5f5abfd835cae3ea3aaad058148dd59f4bd10f4966f2147a881
Opcode Fuzzy Hash: 69c778ba4f1800a2a6a12381bf609e66e495d784d739c13becbe2ff6d526c13b
Instruction Fuzzy Hash: 391175616057995AFA50AE7B8F06B5B2788DF41748F84042FBD41EB343CABCEC46825C

Uniqueness

Uniqueness Score: -1.00%

Function 00451FD8 Relevance: 7.6, APIs: 5, Instructions: 73windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 00451FFB
SendMessageA.USER32(00000000,-0000BBEE,020F16DC,?), ref: 0045204F
GetWindowLongA.USER32(00000000,000000FA), ref: 0045205F
SendMessageA.USER32(00000000,-0000BBEE,020F16DC,?), ref: 0045207E

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: MessageSend$CaptureLongWindow
String ID:
API String ID: 1158686931-0
Opcode ID: 2630f96726cb244c48aa72069459a317769050622a64d6ca18e1417105932ed6
Instruction ID: 1ba5f68cb27503eb419cdf83ad837b6ca15a3af0790e434d1e732bcc968c8227
Opcode Fuzzy Hash: 2630f96726cb244c48aa72069459a317769050622a64d6ca18e1417105932ed6
Instruction Fuzzy Hash: 0811667120520A5FD630B659CA80E6773DC9B16755B11043FFE5AD3383D6A9EC04C36C

Uniqueness

Uniqueness Score: -1.00%

Function 0040AE48 Relevance: 7.6, APIs: 5, Instructions: 50threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,0040AEDF,?,?,00000000), ref: 0040AE60

Part of subcall function 0040ABC0: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040ABDE

GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040AEDF,?,?,00000000), ref: 0040AE90
EnumCalendarInfoA.KERNEL32(Function_0000AD94,00000000,00000000,00000004), ref: 0040AE9B
GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040AEDF,?,?,00000000), ref: 0040AEB9
EnumCalendarInfoA.KERNEL32(Function_0000ADD0,00000000,00000000,00000003), ref: 0040AEC4

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Locale$InfoThread$CalendarEnum
String ID:
API String ID: 4102113445-0
Opcode ID: 5b08fbe3fcfe4489b245582bd9dd472a98239f52eb3caad738fe6c76193d088e
Instruction ID: 82b5099d8f30e70ed2ccec9d0cd361a0d2ee61b8163339243b91a3854cdcb59c
Opcode Fuzzy Hash: 5b08fbe3fcfe4489b245582bd9dd472a98239f52eb3caad738fe6c76193d088e
Instruction Fuzzy Hash: 1B01F271248B087AE701A765DC12F5F325CDB5AB28F600576F400B6AC1D67CAE1086EE

Uniqueness

Uniqueness Score: -1.00%

Function 00450C00 Relevance: 7.5, APIs: 5, Instructions: 25synchronizationthreadCOMMON

Download Yara Rule

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 00450C0F
SetEvent.KERNEL32(00000000,0045300E), ref: 00450C2A
GetCurrentThreadId.KERNEL32 ref: 00450C2F
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0045300E), ref: 00450C44
CloseHandle.KERNEL32(00000000,00000000,0045300E), ref: 00450C4F

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: CloseCurrentEventHandleHookObjectSingleThreadUnhookWaitWindows
String ID:
API String ID: 2429646606-0
Opcode ID: 256b04b3201bdd8e82b2542074506909d7baf6534546d015680858a648e91365
Instruction ID: 54ecc7cab79b3cf8be8b58b6ce8b5fc495c5604d89e00f53f89fb7f74f7ff2bd
Opcode Fuzzy Hash: 256b04b3201bdd8e82b2542074506909d7baf6534546d015680858a648e91365
Instruction Fuzzy Hash: 42F015759083129AC718EBB9FC89A0632A8A70470FB11057AF425D72E3C638F480CB1D

Uniqueness

Uniqueness Score: -1.00%

Function 0040AEF8 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,0040B0C2,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040AF27

Part of subcall function 0040ABC0: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040ABDE

Strings

yyyy, xrefs: 0040B019
ggg, xrefs: 0040B00C
eeee, xrefs: 0040B032

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Locale$InfoThread
String ID: eeee$ggg$yyyy
API String ID: 4232894706-1253427255
Opcode ID: be119ef64c390b22c9107aa0d4a3611acc39163741e9c14b2ce3be6acbf228cb
Instruction ID: 3b1c1903871a270816e107e0e5b1780e5a0e97539e3e96dd8992b316af2ac79a
Opcode Fuzzy Hash: be119ef64c390b22c9107aa0d4a3611acc39163741e9c14b2ce3be6acbf228cb
Instruction Fuzzy Hash: 6F4128703002024BC711AB7588826BFB796DB95308B50453BE661FB3D2E73D9D0286AE

Uniqueness

Uniqueness Score: -1.00%

Function 00452A98 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 81threadwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00452A20: GetCursorPos.USER32 ref: 00452A29

GetCurrentThreadId.KERNEL32 ref: 00452B64
WaitMessage.USER32(00000000,00452BA8,?,?,?,020F16DC), ref: 00452B88

Strings

!E, xrefs: 00452ABA, 00452AC4, 00452B15, 00452B3D, 00452B25, 00452B28, 00452AD0, 00452AD9
0pE, xrefs: 00452B69

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: CurrentCursorMessageThreadWait
String ID: 0pE$!E
API String ID: 535285469-1180474223
Opcode ID: 01ce03b05b8d2b55314e7241e12ab7e0a5e4398c9032d6dd741d0bf7a1be9d97
Instruction ID: 7badf717a46e212a760f9e7bdc20b82b0d8576be2bce572cf04e8f812481cd70
Opcode Fuzzy Hash: 01ce03b05b8d2b55314e7241e12ab7e0a5e4398c9032d6dd741d0bf7a1be9d97
Instruction Fuzzy Hash: F631D330A04244AFDB11DF64C986A9EB7F1EB06305F5144BBEC0097393D7B86E48DB58

Uniqueness

Uniqueness Score: -1.00%

Function 004235A0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(3C080DD9), ref: 00423618
RtlDeleteCriticalSection.NTDLL(004578A8), ref: 00423622
RtlDeleteCriticalSection.NTDLL(004578C0), ref: 0042362C

Strings

D&A, xrefs: 0042363B, 00423650

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Delete$CriticalSection$Object
String ID: D&A
API String ID: 378701848-1255607852
Opcode ID: 2024b5616315cb791f91c85a44a629acf57050446162219a5cddd4dd77d2db91
Instruction ID: 542ef08e023030a3228a7b52d047d3429b967515c7b6dff4f6e0ba75dff701e5
Opcode Fuzzy Hash: 2024b5616315cb791f91c85a44a629acf57050446162219a5cddd4dd77d2db91
Instruction Fuzzy Hash: F201F7702096849FD205FF2AFC57A1937A8E74134A790843AB500AB6B7CA3DED01EB5C

Uniqueness

Uniqueness Score: -1.00%

Function 0041064C Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(00457824), ref: 004106DA

Strings

|@, xrefs: 0041067F
|@, xrefs: 0041068F
T@, xrefs: 00410675

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: T@$|@$|@
API String ID: 32694325-2678655271
Opcode ID: 8e537de69d9d1ff10ccd7f2c823bf28e783eed1af36ccb29ae709522def74557
Instruction ID: 8e7094830db6b5242115e9049d1c9e89a3479ff221c11d58e4d885613a453ad3
Opcode Fuzzy Hash: 8e537de69d9d1ff10ccd7f2c823bf28e783eed1af36ccb29ae709522def74557
Instruction Fuzzy Hash: A2011A742047018FC341EF2AE8115157BE4E78A701361C876E808EB7A2E378D895CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 0043E0CC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GlobalDeleteAtom.KERNEL32(1258C0CD), ref: 0043E118
GlobalDeleteAtom.KERNEL32(C0CDC0CC), ref: 0043E12E
FreeLibrary.KERNEL32(00000000,C0CDC0CC,1258C0CD,0043E348,00000000,0043E37F), ref: 0043E14C

Strings

{E, xrefs: 0043E0E1, 0043E0ED

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: AtomDeleteGlobal$FreeLibrary
String ID: {E
API String ID: 4091199252-776765886
Opcode ID: a2eeb70a10809560e8fe23cc07a8f4f1f0364087d6ca81b7854c4b1bbf424a23
Instruction ID: 0e73d0c928255c837511febe78bcd6b2d0bfbb208347ad481361667f6a3e7989
Opcode Fuzzy Hash: a2eeb70a10809560e8fe23cc07a8f4f1f0364087d6ca81b7854c4b1bbf424a23
Instruction Fuzzy Hash: F201B6746057008FD740EFAAEC4651977E9AF4870A7918176B504DB2F7DA38E9408F5C

Uniqueness

Uniqueness Score: -1.00%

Function 0040CA24 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0040D48D,00000000,0040D4A0), ref: 0040CA2A
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0040CA3B

Strings

kernel32.dll, xrefs: 0040CA25
GetDiskFreeSpaceExA, xrefs: 0040CA35

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: a36407c4afa467878f9837d803831bd6a3747f673a8249b1ec100b4b5cf80e4e
Instruction ID: ba856fa049a497c22240c92f9962b2f2e1d752346def3688dfda96e8c96e168e
Opcode Fuzzy Hash: a36407c4afa467878f9837d803831bd6a3747f673a8249b1ec100b4b5cf80e4e
Instruction Fuzzy Hash: 64D09E70B50F09DADB00EBB558E57272998A704719F95623BB541752D2DB7C98004F5C

Uniqueness

Uniqueness Score: -1.00%

Function 0043FE10 Relevance: 6.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(00000000,00FFFFFF), ref: 0043FF5D
SetBkColor.GDI32(00000000,00000000), ref: 0043FF65

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Color$Text
String ID:
API String ID: 657580467-0
Opcode ID: b0d9bd7e349f2b0b52ae903cfd8e9dfeb0805c3b06272b2b0bd7b1ac161d45b3
Instruction ID: 94fb5f61ba5f7d7ef73cf1728f9c317b546c68bfd5eb6cba61cb843274d0a934
Opcode Fuzzy Hash: b0d9bd7e349f2b0b52ae903cfd8e9dfeb0805c3b06272b2b0bd7b1ac161d45b3
Instruction Fuzzy Hash: CE5116B1740214AFCB44FF69DD82F9E37ACAF08314F50106AF904EB296CA78EC458769

Uniqueness

Uniqueness Score: -1.00%

Function 00430578 Relevance: 6.1, APIs: 4, Instructions: 139threadCOMMON

Download Yara Rule

APIs

Part of subcall function 004309C8: WindowFromPoint.USER32(004307A2,00457B80,00000000,00430592,?,-0000000C,?), ref: 004309CE
Part of subcall function 004309C8: GetParent.USER32(00000000), ref: 004309E5

GetWindow.USER32(00000000,00000004), ref: 0043059A
GetCurrentThreadId.KERNEL32 ref: 0043066E
GetWindowRect.USER32(00000000,?), ref: 0043068B
IntersectRect.USER32(?,?,?), ref: 004306F9

Part of subcall function 0042FAE4: GetWindowThreadProcessId.USER32(?), ref: 0042FAF1
Part of subcall function 0042FAE4: GetCurrentProcessId.KERNEL32(?,?,?,00000000,00000000,004305B4,?,-0000000C,?), ref: 0042FAFA
Part of subcall function 0042FAE4: GlobalFindAtomA.KERNEL32(00000000), ref: 0042FB0F
Part of subcall function 0042FAE4: GetPropA.USER32(?,00000000), ref: 0042FB26

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Window$CurrentProcessRectThread$AtomFindFromGlobalIntersectParentPointProp
String ID:
API String ID: 2049660638-0
Opcode ID: 6737b9fcaafe852281c441256b5b228c8030723bc4ddee748f1c6d86925a5437
Instruction ID: cfcd19ab2531f9446a8c0dbc09ec040cd6b42b1155571b65bc0e2e42532f87db
Opcode Fuzzy Hash: 6737b9fcaafe852281c441256b5b228c8030723bc4ddee748f1c6d86925a5437
Instruction Fuzzy Hash: 35515E71A00205AFCB10DFA9C891B9FB7E4AF08354F54526AF815EB391D738ED01CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040E848 Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040E8F7
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040E913
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040E98A
VariantClear.OLEAUT32(?), ref: 0040E9B3

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: ArraySafe$Bound$ClearIndexVariant
String ID:
API String ID: 920484758-0
Opcode ID: 222dfd55f4586741cf6c642e18797c671bdcc356e7018be82b80e885789c82a2
Instruction ID: 880a77d076ff2559a85a570a5d041e0afd299646354701697571ec35871a1da1
Opcode Fuzzy Hash: 222dfd55f4586741cf6c642e18797c671bdcc356e7018be82b80e885789c82a2
Instruction Fuzzy Hash: F94150B5A012198FCB61DB5ACC80BD9B3BCAF48304F0045EAE548F7352D638AF948F64

Uniqueness

Uniqueness Score: -1.00%

Function 0040B12C Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040B149
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040B16D
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040B188
LoadStringA.USER32(00000000,0000FFEA,?,00000100), ref: 0040B21E

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: d7f6da49ea1d3231d6e89fa0807acdd67146fa2f2165762611005d3cc3a6622d
Instruction ID: 30c9221d8446111a9a9825c18773efa2fa6e26a43059d9a116e71a77dbb3d2b0
Opcode Fuzzy Hash: d7f6da49ea1d3231d6e89fa0807acdd67146fa2f2165762611005d3cc3a6622d
Instruction Fuzzy Hash: CC412171A006589BDB21DB69CD85BDEB7BCAB48344F0040FAA548F7292D7789F84CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040B12A Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040B149
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040B16D
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040B188
LoadStringA.USER32(00000000,0000FFEA,?,00000100), ref: 0040B21E

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 9e3d1a47619e2ec7cb4295f0929dc9289b3b1a04dfe5a1409d5b3de425416d03
Instruction ID: 0c14c5ec99d75990a6b7b24754675218d58f26a8142b32abc838881af5cd044c
Opcode Fuzzy Hash: 9e3d1a47619e2ec7cb4295f0929dc9289b3b1a04dfe5a1409d5b3de425416d03
Instruction Fuzzy Hash: FC413271A006589BDB21DB69CD85B9AB7BC9B48344F0040FAA548F7292D7789F84CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040C314 Relevance: 6.1, APIs: 4, Instructions: 95threadCOMMON

Download Yara Rule

APIs

GetStringTypeA.KERNEL32(00000C00,00000002,?,00000080,?), ref: 0040C408
GetThreadLocale.KERNEL32 ref: 0040C33E

Part of subcall function 0040C29C: GetCPInfo.KERNEL32(00000000,?), ref: 0040C2B5

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: InfoLocaleStringThreadType
String ID:
API String ID: 1505017576-0
Opcode ID: 676da243ebb743117c385c04bab188b8470d7683f746a1d6a1965e6baa2cd61e
Instruction ID: 0cc87e9551880bd0ecaf8a327d9d3b20b1b9b383c6bf3dcd0e603f559dc037ac
Opcode Fuzzy Hash: 676da243ebb743117c385c04bab188b8470d7683f746a1d6a1965e6baa2cd61e
Instruction Fuzzy Hash: 39316920588364CAE3209765BC9137B3796F745306F4481BBEA84AB3D3D73C9849C76E

Uniqueness

Uniqueness Score: -1.00%

Function 00446588 Relevance: 6.1, APIs: 4, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetMenuState.USER32(?,?,?), ref: 004465AB
GetSubMenu.USER32(?,?), ref: 004465B6
GetMenuItemID.USER32(?,?), ref: 004465CF
GetMenuStringA.USER32(?,?,?,?,?), ref: 00446622

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Menu$ItemStateString
String ID:
API String ID: 306270399-0
Opcode ID: 836dfd5875b5573cfc87d58e5bb473d48d47bba99fcbeeefc0c20d6a50ffb795
Instruction ID: 753bc62a6ad3079b19147cd124159895c4ed650a91c4d1c50795149b12c45449
Opcode Fuzzy Hash: 836dfd5875b5573cfc87d58e5bb473d48d47bba99fcbeeefc0c20d6a50ffb795
Instruction Fuzzy Hash: CC114271601214AFDB00EF6DDC85DAF77E8AF4A354B11442AF805D7382D638DD1197A9

Uniqueness

Uniqueness Score: -1.00%

Function 00420AA0 Relevance: 6.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 0041E228: GetObjectA.GDI32(?,00000004), ref: 0041E23F

SelectObject.GDI32(?), ref: 00420AF7
SetDIBColorTable.GDI32(?,00000000,00000000,?,00000000,00420B4F,?,?,?,?,00000000), ref: 00420B1B
SelectObject.GDI32(?,?), ref: 00420B35
DeleteDC.GDI32(?), ref: 00420B3E

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Object$Select$ColorDeleteTable
String ID:
API String ID: 3648526112-0
Opcode ID: ad0e0ae128628bdbe5014755591f98cb6bdaa2ed0cad7916b83a514bd13457e1
Instruction ID: 73907e891476ba9e825d5c8bbccffa07fab05bc264061c4f2b787f57b6362eaa
Opcode Fuzzy Hash: ad0e0ae128628bdbe5014755591f98cb6bdaa2ed0cad7916b83a514bd13457e1
Instruction Fuzzy Hash: 48117571E002196BDB10EBE99C51AAFB7ECEB08304F4144AAF904E7282D679DD508758

Uniqueness

Uniqueness Score: -1.00%

Function 0044F5D0 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 0044F604
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 0044F636
SetLayeredWindowAttributes.USER32(00000000,?,?,00000000,00000000,000000EC,?,?,0044D1C4), ref: 0044F670
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 0044F689

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 52e3854140e2837061844a6ce7dc2d16fc477158ccc1f5fcebdd3a6b05c047de
Instruction ID: e9ce1ccac30035fe773f9f8851220d7c4d3452886b8f295b7af576382be4f076
Opcode Fuzzy Hash: 52e3854140e2837061844a6ce7dc2d16fc477158ccc1f5fcebdd3a6b05c047de
Instruction Fuzzy Hash: DC11EB61E0438026DB10AF798CC9B9B29480F09355F15197ABC45EB2E3C9BCCC59C75C

Uniqueness

Uniqueness Score: -1.00%

Function 0041A5AC Relevance: 6.1, APIs: 4, Instructions: 59registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(00400000,0041A59C,?), ref: 0041A5CD
UnregisterClassA.USER32(0041A59C,00400000), ref: 0041A5F6
RegisterClassA.USER32(004553F0), ref: 0041A600
SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041A64B

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Class$InfoLongRegisterUnregisterWindow
String ID:
API String ID: 4025006896-0
Opcode ID: 7f0ff4a924000919642125befcd8f469bbfbb684d3de711ef14fb37e57240d88
Instruction ID: bb8a1fc929a91507ee41707495bd5fcf2ad37253950fc3ac8bec49f0593c0c4a
Opcode Fuzzy Hash: 7f0ff4a924000919642125befcd8f469bbfbb684d3de711ef14fb37e57240d88
Instruction Fuzzy Hash: A301A171204600ABC700EB6CDD81FAA339CA719316F108136F905EB3D3D639E9A0C7AD

Uniqueness

Uniqueness Score: -1.00%

Function 0045127C Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

EnumWindows.USER32(Function_0005120C), ref: 004512B1
GetWindow.USER32(?,00000003), ref: 004512C9
GetWindowLongA.USER32(00000000,000000EC), ref: 004512D6
SetWindowPos.USER32(00000000,000000EC,00000000,00000000,00000000,00000000,00000213,00000000,000000EC,?,00000003,Function_0005120C), ref: 00451315

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Window$EnumLongWindows
String ID:
API String ID: 4191631535-0
Opcode ID: 22d8c666ead98a0d51e55fb1dc76b308a3fde8fcfb4ee5a61e6550ef28d4e66b
Instruction ID: d6b79fe083d60ad9125728ad65d40da08eb81705d09a9ede4042ecbea9e01393
Opcode Fuzzy Hash: 22d8c666ead98a0d51e55fb1dc76b308a3fde8fcfb4ee5a61e6550ef28d4e66b
Instruction Fuzzy Hash: EF115E30604210AFE710AA28CC85F9A73D4AB05769F5502BAFD69AB2E3C3789C45C799

Uniqueness

Uniqueness Score: -1.00%

Function 0041E184 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

SelectObject.GDI32(00000000,00000000), ref: 0041E1A6
GetDIBColorTable.GDI32(00000000,00000000,00000100,?,00000000,00000000,00000000,00000000,?,?,00421D4F,?,?,?,?,0042093B), ref: 0041E1BA
SelectObject.GDI32(00000000,00000000), ref: 0041E1C6
DeleteDC.GDI32(00000000), ref: 0041E1CC

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: ObjectSelect$ColorDeleteTable
String ID:
API String ID: 3862836420-0
Opcode ID: 4605046732850572e91ee3d3202d429c5bfb52793a290e3981da7e5d20f1214f
Instruction ID: 97a1f943ff323abb1912245a52e08ff68d8efb37055bad91de39ab70e77c2a5d
Opcode Fuzzy Hash: 4605046732850572e91ee3d3202d429c5bfb52793a290e3981da7e5d20f1214f
Instruction Fuzzy Hash: ED01847520431062E610A76B8C47B9B71AC9FC0758F05C92FF985AB2C2E67DC994836A

Uniqueness

Uniqueness Score: -1.00%

Function 00416058 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,?), ref: 0041606F
LoadResource.KERNEL32(?,004160FC,?,?,?,00411F2C,?,00000001,00000000,?,00415FC8,?), ref: 00416089
SizeofResource.KERNEL32(?,004160FC,?,004160FC,?,?,?,00411F2C,?,00000001,00000000,?,00415FC8,?), ref: 004160A3
LockResource.KERNEL32(00415DC0,00000000,?,004160FC,?,004160FC,?,?,?,00411F2C,?,00000001,00000000,?,00415FC8,?), ref: 004160AD

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: c965b22852f6ec80c96105a9b843c4a68cb3de35a57f497f17dba6acfaef6299
Instruction ID: 2e58c947a1d9cea2e1134bd376d0f1acf0f1bd1b22b0b35eb6180cb75cf8f231
Opcode Fuzzy Hash: c965b22852f6ec80c96105a9b843c4a68cb3de35a57f497f17dba6acfaef6299
Instruction Fuzzy Hash: 29F06DB2605604AF9704EE6DA881EAB77DCDE88264311012FF90CD7346DA38DD5147B8

Uniqueness

Uniqueness Score: -1.00%

Function 00401578 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,00100000,00002000,00000004,004575F8,?,?,?,004018E4), ref: 00401596
VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,00100000,00002000,00000004,004575F8,?,?,?,004018E4), ref: 004015BB
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00100000,00002000,00000004,004575F8,?,?,?,004018E4), ref: 004015E1

Strings

$fT, xrefs: 004015C9

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Virtual$Alloc$Free
String ID: $fT
API String ID: 3668210933-2678353634
Opcode ID: d8bbf83d9e84a155370780825e2536c196101ce0e12870bd00f10d62a760bd39
Instruction ID: 9f01dd48c3aec626b257d7619b36ba77bbef45783528102b9bb09263bc853b7d
Opcode Fuzzy Hash: d8bbf83d9e84a155370780825e2536c196101ce0e12870bd00f10d62a760bd39
Instruction Fuzzy Hash: 12F068B17403206BE7315AA94C85F533AD4DB85755F1440B5BE09FF3DAD679A80087AC

Uniqueness

Uniqueness Score: -1.00%

Function 00430968 Relevance: 6.0, APIs: 4, Instructions: 37threadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 00430975
GetCurrentProcessId.KERNEL32(?,-0000000C,00000000,004309E0,004307A2,00457B80,00000000,00430592,?,-0000000C,?), ref: 0043097E
GlobalFindAtomA.KERNEL32(00000000), ref: 00430993
GetPropA.USER32(00000000,00000000), ref: 004309AA

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Process$AtomCurrentFindGlobalPropThreadWindow
String ID:
API String ID: 2582817389-0
Opcode ID: 262fe56b8b3d1ec7547b8fda1a8aeaf1283fa0c05e10842a2b4da085fdd54173
Instruction ID: 18ab0d8e6a811196effcf3cdeeb79c0cd703e253cfa669e1bd7b8aabc6945012
Opcode Fuzzy Hash: 262fe56b8b3d1ec7547b8fda1a8aeaf1283fa0c05e10842a2b4da085fdd54173
Instruction Fuzzy Hash: 7CF0A7E170772257A610F7766C5166F518D9D04759B40523BFE40D5293D62CDC4141BD

Uniqueness

Uniqueness Score: -1.00%

Function 0042FAE4 Relevance: 6.0, APIs: 4, Instructions: 35threadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(?), ref: 0042FAF1
GetCurrentProcessId.KERNEL32(?,?,?,00000000,00000000,004305B4,?,-0000000C,?), ref: 0042FAFA
GlobalFindAtomA.KERNEL32(00000000), ref: 0042FB0F
GetPropA.USER32(?,00000000), ref: 0042FB26

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Process$AtomCurrentFindGlobalPropThreadWindow
String ID:
API String ID: 2582817389-0
Opcode ID: 2bfc4d6cc9e8e01adc0abaf716b4368d66cec178448b7a893f586e462c687dcd
Instruction ID: d4e42c3b55b898ce814979c817f9e6793363eb62aa755c5b76658f8e790d3406
Opcode Fuzzy Hash: 2bfc4d6cc9e8e01adc0abaf716b4368d66cec178448b7a893f586e462c687dcd
Instruction Fuzzy Hash: B3F0A79334433166C92077B6FC91C2B56AC8A007A93C0153BF901E7242D53CEC0643BD

Uniqueness

Uniqueness Score: -1.00%

Function 00450B8C Relevance: 6.0, APIs: 4, Instructions: 34threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00450BA4
SetWindowsHookExA.USER32(00000003,00450B48,00000000,00000000), ref: 00450BB4
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00450BCF
CreateThread.KERNEL32(00000000,000003E8,00450AEC,00000000,00000000), ref: 00450BF3

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: CreateThread$CurrentEventHookWindows
String ID:
API String ID: 1195359707-0
Opcode ID: 8bf0b65abc09d898258917fcd214628db6abe2c8427761cf14d2130e4a5058dc
Instruction ID: 35dcb6909e74e7012915a396645faa56145bc40d45f97d41ce2dac9538df18a5
Opcode Fuzzy Hash: 8bf0b65abc09d898258917fcd214628db6abe2c8427761cf14d2130e4a5058dc
Instruction Fuzzy Hash: A1F0DA74A88705BEF710ABA1EC46F1736959310F1FF10007AF6146A1E3C7B8F5848A9D

Uniqueness

Uniqueness Score: -1.00%

Function 004067B8 Relevance: 6.0, APIs: 4, Instructions: 11memoryCOMMON

Download Yara Rule

APIs

GlobalHandle.KERNEL32 ref: 004067BB
GlobalUnWire.KERNEL32(00000000), ref: 004067C2
GlobalReAlloc.KERNEL32(00000000,00000000), ref: 004067C7
GlobalFix.KERNEL32(00000000), ref: 004067CD

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Global$AllocHandleWire
String ID:
API String ID: 2210401237-0
Opcode ID: 1d5ada0bccfe12d83d0a306ece47396a9e73e475e1776d9b20b1924602c76c9a
Instruction ID: 614874d605ef86ce66d558347c88263ca636e111e7e5bb6d955f38a734330a37
Opcode Fuzzy Hash: 1d5ada0bccfe12d83d0a306ece47396a9e73e475e1776d9b20b1924602c76c9a
Instruction Fuzzy Hash: 88B009D8A58E063CEC1433B24C0FD3F001CD8A078D3C04A6EB840B20CADC7CA844087E

Uniqueness

Uniqueness Score: -1.00%

Function 0041C810 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 123COMMON

Download Yara Rule

APIs

Part of subcall function 0041BB54: RtlEnterCriticalSection.NTDLL(?), ref: 0041BB58

CreateFontIndirectA.GDI32(?), ref: 0041C94E

Strings

MS Sans Serif, xrefs: 0041C8ED
Default, xrefs: 0041C8DC

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: CreateCriticalEnterFontIndirectSection
String ID: MS Sans Serif$Default
API String ID: 2931345757-2137701257
Opcode ID: e0a637e225fab96e3e5d2d20a69948054123e0f3fcd0a9e337b8de41854cf3a6
Instruction ID: b366d8d1a10450c429f3dc26a0e3bd8e8be57d460975a9dd1f8dad64175bfe2a
Opcode Fuzzy Hash: e0a637e225fab96e3e5d2d20a69948054123e0f3fcd0a9e337b8de41854cf3a6
Instruction Fuzzy Hash: 82515C70A54248DFDB01DFA8C981BCDBBF6EF49304F6580AAD804A7352D7389E45CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00445E0C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 00445E30
GetKeyState.USER32(00000011), ref: 00445E42

Strings

, xrefs: 00445E52

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-3916222277
Opcode ID: cb28de85b167ef5ed10375796280a4da1b9bccd9f64bdf296107dec95f9c52c2
Instruction ID: 71bd300f61262a01d1485a46d4b8b4a299210da14eb67372017ec5ed0c33d7f0
Opcode Fuzzy Hash: cb28de85b167ef5ed10375796280a4da1b9bccd9f64bdf296107dec95f9c52c2
Instruction Fuzzy Hash: B931EA75A08708AFEF01DF95E85179DB7F5EB45304FA180BAE80067293E77C5B00C619

Uniqueness

Uniqueness Score: -1.00%

Function 0042D020 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

WinHelpA.USER32(00000000), ref: 0042D0F0

Strings

IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")"), xrefs: 0042D088
dvE, xrefs: 0042D049

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Help
String ID: IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")$dvE
API String ID: 2830496658-932126354
Opcode ID: 23a5b1772225cbd62cc986f2442db9ae00aeab48bca356d6327fef6111aa4b21
Instruction ID: 5fe52377de73e2b7975fdf016599325295d930a8f9eded402df8d4cbc1259920
Opcode Fuzzy Hash: 23a5b1772225cbd62cc986f2442db9ae00aeab48bca356d6327fef6111aa4b21
Instruction Fuzzy Hash: B4312370F002149BDB14EF65E89269EBBB5AF48308F90457AA804A7392DB789E058799

Uniqueness

Uniqueness Score: -1.00%

Function 0040997C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,00409A5A), ref: 00409A02
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,00409A5A), ref: 00409A08

Strings

yyyy, xrefs: 004099DD

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: DateFormatLocaleThread
String ID: yyyy
API String ID: 3303714858-3145165042
Opcode ID: 24c1c31382e0670fdba265928a592db7cc6005e0e2be0905db63e57e58e6e803
Instruction ID: 970415b2cf946be1311ddc9c9adf97f9c57793b96109e9c4a0289375bf74726f
Opcode Fuzzy Hash: 24c1c31382e0670fdba265928a592db7cc6005e0e2be0905db63e57e58e6e803
Instruction Fuzzy Hash: C0213075704248ABDB01EBA5C942AAEB7E8EF48700F50407BF905F77D2D6789E00CA69

Uniqueness

Uniqueness Score: -1.00%

Function 00403D54 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00400000,?,?,?,?,?,?,?,00403E3E,004027CB,004039E8), ref: 00403DE1
ExitProcess.KERNEL32(00000000,?,?,?,?,?,?,?,00403E3E,004027CB,004039E8), ref: 00403E16

Strings

|y@, xrefs: 00403D6A

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: ExitFreeLibraryProcess
String ID: |y@
API String ID: 1404682716-713804553
Opcode ID: 2ef35c5b2530d2187c16c2a7955a711ac557cd635653e8c4dce7ad89e6481c83
Instruction ID: a271b0d60cc5806993aa8b97552a5722b7aed7bc15c44349e6ec802f861d87b4
Opcode Fuzzy Hash: 2ef35c5b2530d2187c16c2a7955a711ac557cd635653e8c4dce7ad89e6481c83
Instruction Fuzzy Hash: 99218D709046418FEB20AF65C4843967FD9AF0A316F2444BBE844AB2D6D77CDD80CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00403D5C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00400000,?,?,?,?,?,?,?,00403E3E,004027CB,004039E8), ref: 00403DE1
ExitProcess.KERNEL32(00000000,?,?,?,?,?,?,?,00403E3E,004027CB,004039E8), ref: 00403E16

Strings

|y@, xrefs: 00403D6A

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: ExitFreeLibraryProcess
String ID: |y@
API String ID: 1404682716-713804553
Opcode ID: b3f4ea2471de539f29a0b8bfc9a3e252a6ccb5160bceb1c01eaefefbea0df077
Instruction ID: a528c5556b1788d0ea9e93cc2f5b507bfb7013af1529314a162c342046c4b315
Opcode Fuzzy Hash: b3f4ea2471de539f29a0b8bfc9a3e252a6ccb5160bceb1c01eaefefbea0df077
Instruction Fuzzy Hash: B9218C709046418BEB20AF25C484797BED9AF09316F2441BBE844AB2D6D77CDEC0CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00437B64 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 00407BC0: CompareStringA.KERNEL32(00000400,00000001,00000000,00000000,00000000,00000000,?,?,00407C07,?,?,00407F91), ref: 00407BED

Part of subcall function 004500AC: GetKeyboardLayoutList.USER32(00000040,?,00000000,00450257,?,020F12E8,?,004502B9,00000000,?,004351AF), ref: 00450102
Part of subcall function 004500AC: RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,00020019,?,00000040,?,00000000,00450257,?,020F12E8,?,004502B9,00000000,?,004351AF), ref: 0045016A
Part of subcall function 004500AC: RegQueryValueExA.ADVAPI32(?,layout text,00000000,00000000,?,?,00000000,00450213,?,80000002,00000000,00000000,00020019,?,00000040,?), ref: 004501A4

ActivateKeyboardLayout.USER32(?,00000001), ref: 00437C16

Part of subcall function 004500AC: RegCloseKey.ADVAPI32(?,0045021A,00000000,?,?,00000000,00450213,?,80000002,00000000,00000000,00020019,?,00000040,?,00000000), ref: 0045020D

Strings

@wE, xrefs: 00437B7C
{E, xrefs: 00437B9B, 00437BB9, 00437BCE, 00437BE1, 00437BFE

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: KeyboardLayout$ActivateCloseCompareListOpenQueryStringValue
String ID: @wE${E
API String ID: 3260357897-4235125885
Opcode ID: a2232453bd3e3d23d669929634f8a2e493a8d4db20d5645663605b18ecf4cccd
Instruction ID: d0b0ab8b2520c768015089189bc8c05371e5149aa85b4d40907e6ff9d880cb3a
Opcode Fuzzy Hash: a2232453bd3e3d23d669929634f8a2e493a8d4db20d5645663605b18ecf4cccd
Instruction Fuzzy Hash: 16217A342046009FD721EF25C881A9537E5AF49705F6550B5F8008F3A3CF78ED44CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040ECBC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantCopy.OLEAUT32(?), ref: 0040ECDD

Part of subcall function 0040E9C4: VariantClear.OLEAUT32(?), ref: 0040E9D3

Strings

|@, xrefs: 0040ED19

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Variant$ClearCopy
String ID: |@
API String ID: 274517740-2645132277
Opcode ID: ee0b3bbfee92b5c78544bd5c09e0c3681fe08e6ced7c72197cb8bc8b71ae11a7
Instruction ID: 577eaa6948231cbe1d02c0c8bc319235ffba4feb49b9c92a9690ab99a0772217
Opcode Fuzzy Hash: ee0b3bbfee92b5c78544bd5c09e0c3681fe08e6ced7c72197cb8bc8b71ae11a7
Instruction Fuzzy Hash: 0A11A02070420186DB24AF2BD8C56672795EF857507148C7BF44AAB3E6DA3DDC51C2AA

Uniqueness

Uniqueness Score: -1.00%

Function 00432FC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

IntersectRect.USER32(?,?,?), ref: 00433020
EqualRect.USER32(?,?), ref: 00433030

Strings

@, xrefs: 00433001

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: Rect$EqualIntersect
String ID: @
API String ID: 3291753422-2766056989
Opcode ID: 729288b463f4e3b769507f09916038e772bac31ee99353aaf19d800dd7503a86
Instruction ID: 606af6fbf3886211de614473dd293fb17bcf842164c53f0bf48e15f15d337e58
Opcode Fuzzy Hash: 729288b463f4e3b769507f09916038e772bac31ee99353aaf19d800dd7503a86
Instruction Fuzzy Hash: A6119E316042886BC701DE6DC885BDF7BE89F49368F040296FD44EB382D779EE058794

Uniqueness

Uniqueness Score: -1.00%

Function 00437C50 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00407BC0: CompareStringA.KERNEL32(00000400,00000001,00000000,00000000,00000000,00000000,?,?,00407C07,?,?,00407F91), ref: 00407BED

ActivateKeyboardLayout.USER32(?,00000001), ref: 00437CA8

Strings

@wE, xrefs: 00437C66
{E, xrefs: 00437C7D, 00437C9D

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: ActivateCompareKeyboardLayoutString
String ID: @wE${E
API String ID: 1445940216-4235125885
Opcode ID: dd124f88dd014514b8e250a40a62fc3e1a48ebf6576625a0884fab2d1d55d154
Instruction ID: 6e10fe0cbf54b71ff632e0b7573bdc4083a1265331ffff9a6275874b74f49192
Opcode Fuzzy Hash: dd124f88dd014514b8e250a40a62fc3e1a48ebf6576625a0884fab2d1d55d154
Instruction Fuzzy Hash: 1301B570608300AFD721EB25C981B9537E4EB0D304F91A4B6F8009B393CB78ED04DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040E9C4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0040E9D3

Strings

|@, xrefs: 0040E9FE

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: ClearVariant
String ID: |@
API String ID: 1473721057-2645132277
Opcode ID: 56c5534a345511e4538614bbc9232e06ae6dd49f82dc3da54e984e641605cc4f
Instruction ID: fb6e44f11d6894204172b89b1d28fbb751f34b4bbf1e0df4e7a861869115469e
Opcode Fuzzy Hash: 56c5534a345511e4538614bbc9232e06ae6dd49f82dc3da54e984e641605cc4f
Instruction Fuzzy Hash: A1F0AF60704220CBC6207B7BD9851A52294AF497087205C7BF086BB2C6CA3D8C668A6F

Uniqueness

Uniqueness Score: -1.00%

Function 00423DFC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 00423E4A
GetSystemMetrics.USER32(00000001), ref: 00423E5C

Part of subcall function 00423B64: GetProcAddress.KERNEL32(75BD0000,00000000), ref: 00423BE4

Strings

MonitorFromPoint, xrefs: 00423E0E

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: MetricsSystem$AddressProc
String ID: MonitorFromPoint
API String ID: 1792783759-1072306578
Opcode ID: 398fb8932d80f66837e628e84cff3840c3b125091bf99529c4f9f122ca02df83
Instruction ID: 070afe3cae5d64cb81b129369353c8cfd45e4d63a2aa5a3c671e3106731092a9
Opcode Fuzzy Hash: 398fb8932d80f66837e628e84cff3840c3b125091bf99529c4f9f122ca02df83
Instruction Fuzzy Hash: 56018F71305328ABEB105F59FC44B5ABBA5E740756F81403AE9148B262C27CEE458BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00423CD4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 00423D25
GetSystemMetrics.USER32(00000001), ref: 00423D31

Part of subcall function 00423B64: GetProcAddress.KERNEL32(75BD0000,00000000), ref: 00423BE4

Strings

MonitorFromRect, xrefs: 00423CE9

Memory Dump Source

Source File: 00000000.00000002.2925737417.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2925725130.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925737417.000000000046C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2925801325.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_uddisrw.jbxd

Similarity

API ID: MetricsSystem$AddressProc
String ID: MonitorFromRect
API String ID: 1792783759-4033241945
Opcode ID: 8a9e22db04685f91e7ea5fd45224c15a2140518ec10800d3dedb195b0ccf388d
Instruction ID: 303870b88fc3daf28c0398546fce0e97ce6cb8c6e718b8a48d7cf4ffa0f48675
Opcode Fuzzy Hash: 8a9e22db04685f91e7ea5fd45224c15a2140518ec10800d3dedb195b0ccf388d
Instruction Fuzzy Hash: 2A017C313142249BDB109F48F885B16BB74E740753F848062EA049B203C27CED818BB8

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report uddisrw.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: uddisrw.exePID: 5568, Parent PID: 2580

General

Chronological Activities

Disassembly

Analysis Process: uddisrw.exePID: 5568, Parent PID: 2580COMMON

Execution Graph

Graph

Executed Functions

Function 00405108 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 184registrystringlibraryCOMMON

Control-flow Graph

Windows Analysis Report
uddisrw.exe

Function 00405108 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 184
registrystringlibraryCOMMON

Function 0045157C Relevance: 28.4, APIs: 13, Strings: 3, Instructions: 401
COMMON

Function 00436DF4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111
COMMON

Function 0043E388 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34
COMMON

Function 0043E154 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 103
registrylibraryloaderCOMMON

Function 00450FFC Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 132
windowregistryCOMMON

Function 00436398 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 134
registryCOMMON

Function 00450CF4 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 125
windowCOMMON

Function 004503EC Relevance: 10.6, APIs: 7, Instructions: 89
COMMON

Function 004019FC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48
memoryCOMMON

Function 0044B134 Relevance: 7.7, APIs: 5, Instructions: 171
COMMON

Function 0044C68C Relevance: 6.1, APIs: 4, Instructions: 148
windowCOMMON

Function 00423C4C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39
COMMON

Function 00401514 Relevance: 4.5, APIs: 2, Strings: 1, Instructions: 37
memoryCOMMON