Edit tour

Windows Analysis Report
Wt3pGldAnr.exe

Overview

General Information

Sample name:	Wt3pGldAnr.exe renamed because original name is a hash value
Original sample name:	0707cfd47743293d37378ee4465baf5c.exe
Analysis ID:	1428524
MD5:	0707cfd47743293d37378ee4465baf5c
SHA1:	3ec3e1da7ca748292eb3d0990a763d58e04ebb09
SHA256:	fb65c9da76587966b0fd53c34119aedd57e771899531146943b79bbb2cc129c3
Tags:	32exe
Infos:

Detection

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Found evasive API chain (may stop execution after checking mutex)

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates COM task schedule object (often to register a task for autostart)

Creates a DirectInput object (often for capturing keystrokes)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Enables driver privileges

Enables security privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found decision node followed by non-executed suspicious APIs

Found evasive API chain (may stop execution after accessing registry keys)

Found evasive API chain (may stop execution after checking a module file name)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Installs a global mouse hook

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

Potential key logger detected (key state polling based)

Sample file is different than original file name gathered from version info

Stores large binary data to the registry

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Wt3pGldAnr.exe (PID: 5332 cmdline: "C:\Users\user\Desktop\Wt3pGldAnr.exe" MD5: 0707CFD47743293D37378EE4465BAF5C)

StartMenuExperienceHos.exe (PID: 6636 cmdline: "C:\ProgramData\StartMenuExperienceHos.exe" MD5: 0707CFD47743293D37378EE4465BAF5C)

Wt3pGldAnr.exe (PID: 6880 cmdline: C:\Users\user\Desktop\Wt3pGldAnr.exe MD5: 0707CFD47743293D37378EE4465BAF5C)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\StartMenuExperienceHos.exe	ReversingLabs: Detection: 15%
Source: C:\ProgramData\StartMenuExperienceHos.exe	Virustotal: Detection: 23%			Perma Link

Multi AV Scanner detection for submitted file

Source: Wt3pGldAnr.exe	ReversingLabs: Detection: 15%
Source: Wt3pGldAnr.exe	Virustotal: Detection: 23%			Perma Link

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe

Unpacked PE file: 0.2.Wt3pGldAnr.exe.3480000.4.unpack

Source: Wt3pGldAnr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Wt3pGldAnr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_00DDA6C3 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	0_2_00DDA6C3
Source: C:\ProgramData\StartMenuExperienceHos.exe	Code function: 1_2_0061A6C3 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	1_2_0061A6C3
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 3_2_00DDA6C3 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	3_2_00DDA6C3

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe

Code function: 0_2_0348B0A5 GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,__wcsnicmp,lstrcpyW,lstrcatW,lstrcpyW,

0_2_0348B0A5

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 156.255.0.191:1386

Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191
Source: unknown	TCP traffic detected without corresponding DNS query: 156.255.0.191

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe

Code function: 0_2_00DA2B1A select,recv,

0_2_00DA2B1A

Source: Wt3pGldAnr.exe	String found in binary or memory: https://zh-hans.ipshu.com/my_info
Source: Wt3pGldAnr.exe, 00000000.00000002.1788227901.00000000032E0000.00000040.00001000.00020000.00000000.sdmp, Wt3pGldAnr.exe, 00000000.00000002.1787973230.0000000002E00000.00000004.00001000.00020000.00000000.sdmp, Wt3pGldAnr.exe, 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Wt3pGldAnr.exe, 00000000.00000002.1788120725.00000000031C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://zh-hans.ipshu.com/my_infoInternetOpenUrl

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture and log keystrokes

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: [esc]	0_2_0349CB0D
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: [esc]	0_2_0349CB0D
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: [esc]	0_2_0349CB0D
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: [esc]	0_2_0349CB0D
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: [esc]	0_2_0349CD43

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe

Code function: 0_2_00E1250F __EH_prolog3_catch_GS,CreateCompatibleDC,CreateCompatibleBitmap,FillRect,OpenClipboard,EmptyClipboard,CloseClipboard,SetClipboardData,CloseClipboard,

0_2_00E1250F

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe

Code function: 0_2_0349CB0D _memset,Sleep,GetTickCount,GetTickCount,InterlockedExchange,OpenClipboard,GetClipboardData,GlobalSize,GlobalLock,_memmove,wsprintfW,_memset,GlobalUnlock,CloseClipboard,GetKeyState,wsprintfW,lstrlenW,wsprintfW,lstrlenW,wsprintfW,wsprintfW,lstrlenW,wsprintfW,wsprintfW,wsprintfW,lstrlenW,

0_2_0349CB0D

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe

Code function: 0_2_00E222CB IsWindow,IsWindowVisible,GetWindowRect,PtInRect,GetAsyncKeyState,ScreenToClient,IsWindow,IsWindow,IsWindow,GetWindowRect,PtInRect,SendMessageW,PtInRect,SendMessageW,ScreenToClient,PtInRect,GetParent,SendMessageW,GetFocus,WindowFromPoint,SendMessageW,GetSystemMenu,IsMenu,EnableMenuItem,EnableMenuItem,EnableMenuItem,IsZoomed,IsIconic,EnableMenuItem,TrackPopupMenu,SendMessageW,

0_2_00E222CB

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe

Code function: 0_2_0349C71F SHGetFolderPathW,lstrcatW,CreateMutexW,WaitForSingleObject,CreateFileW,GetFileSize,CloseHandle,DeleteFileW,ReleaseMutex,DirectInput8Create,GetTickCount,GetKeyState,

0_2_0349C71F

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe

Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll

Jump to behavior

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_00DDC51E SendMessageW,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageW,	0_2_00DDC51E
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_00DE688A IsWindow,SendMessageW,GetCapture,GetKeyState,GetKeyState,GetKeyState,ImmGetContext,ImmGetOpenStatus,ImmReleaseContext,GetFocus,IsWindow,IsWindow,IsWindow,ClientToScreen,IsWindow,ClientToScreen,	0_2_00DE688A
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_00E50863 GetWindowRect,GetKeyState,GetKeyState,GetKeyState,KillTimer,GetFocus,SetTimer,	0_2_00E50863
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_00E209E6 GetKeyState,GetKeyState,GetKeyState,GetKeyState,	0_2_00E209E6
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_00DE49CC IsWindow,SendMessageW,GetCapture,GetKeyState,GetKeyState,GetKeyState,ImmGetContext,ImmGetOpenStatus,ImmReleaseContext,GetFocus,IsWindow,IsWindow,IsWindow,ClientToScreen,IsWindow,ClientToScreen,	0_2_00DE49CC
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_00DB297D GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW,	0_2_00DB297D
Source: C:\ProgramData\StartMenuExperienceHos.exe	Code function: 1_2_0061C51E SendMessageW,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageW,	1_2_0061C51E
Source: C:\ProgramData\StartMenuExperienceHos.exe	Code function: 1_2_00690863 GetWindowRect,GetKeyState,GetKeyState,GetKeyState,KillTimer,GetFocus,SetTimer,	1_2_00690863
Source: C:\ProgramData\StartMenuExperienceHos.exe	Code function: 1_2_0062688A IsWindow,SendMessageW,GetCapture,GetKeyState,GetKeyState,GetKeyState,ImmGetContext,ImmGetOpenStatus,ImmReleaseContext,GetFocus,IsWindow,IsWindow,IsWindow,ClientToScreen,IsWindow,ClientToScreen,	1_2_0062688A
Source: C:\ProgramData\StartMenuExperienceHos.exe	Code function: 1_2_005F297D GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW,	1_2_005F297D
Source: C:\ProgramData\StartMenuExperienceHos.exe	Code function: 1_2_006609E6 GetKeyState,GetKeyState,GetKeyState,GetKeyState,	1_2_006609E6
Source: C:\ProgramData\StartMenuExperienceHos.exe	Code function: 1_2_006249CC IsWindow,SendMessageW,GetCapture,GetKeyState,GetKeyState,GetKeyState,ImmGetContext,ImmGetOpenStatus,ImmReleaseContext,GetFocus,IsWindow,IsWindow,IsWindow,ClientToScreen,IsWindow,ClientToScreen,	1_2_006249CC
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 3_2_00DDC51E SendMessageW,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageW,	3_2_00DDC51E
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 3_2_00DE688A IsWindow,SendMessageW,GetCapture,GetKeyState,GetKeyState,GetKeyState,ImmGetContext,ImmGetOpenStatus,ImmReleaseContext,GetFocus,IsWindow,IsWindow,IsWindow,ClientToScreen,IsWindow,ClientToScreen,	3_2_00DE688A
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 3_2_00E50863 GetWindowRect,GetKeyState,GetKeyState,GetKeyState,KillTimer,GetFocus,SetTimer,	3_2_00E50863
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 3_2_00E209E6 GetKeyState,GetKeyState,GetKeyState,GetKeyState,	3_2_00E209E6
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 3_2_00DE49CC IsWindow,SendMessageW,GetCapture,GetKeyState,GetKeyState,GetKeyState,ImmGetContext,ImmGetOpenStatus,ImmReleaseContext,GetFocus,IsWindow,IsWindow,IsWindow,ClientToScreen,IsWindow,ClientToScreen,	3_2_00DE49CC
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 3_2_00DB297D GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW,	3_2_00DB297D

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe

Code function: 0_2_0349156A ExitWindowsEx,

0_2_0349156A

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_00E3E67D	0_2_00E3E67D
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_00DEC708	0_2_00DEC708
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_00EA6F6B	0_2_00EA6F6B
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_00DC91C5	0_2_00DC91C5
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_00EA98A3	0_2_00EA98A3
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_034A0360	0_2_034A0360
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_034B21F5	0_2_034B21F5
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_034B643A	0_2_034B643A
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_034B6B16	0_2_034B6B16
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_034B0932	0_2_034B0932
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_034B0DC7	0_2_034B0DC7
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_034B1165	0_2_034B1165
Source: C:\ProgramData\StartMenuExperienceHos.exe	Code function: 1_2_0067E67D	1_2_0067E67D
Source: C:\ProgramData\StartMenuExperienceHos.exe	Code function: 1_2_0062C708	1_2_0062C708
Source: C:\ProgramData\StartMenuExperienceHos.exe	Code function: 1_2_006E6F6B	1_2_006E6F6B
Source: C:\ProgramData\StartMenuExperienceHos.exe	Code function: 1_2_006091C5	1_2_006091C5
Source: C:\ProgramData\StartMenuExperienceHos.exe	Code function: 1_2_006E98A3	1_2_006E98A3
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 3_2_00E3E67D	3_2_00E3E67D
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 3_2_00DEC708	3_2_00DEC708
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 3_2_00EA6F6B	3_2_00EA6F6B
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 3_2_00DC91C5	3_2_00DC91C5
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 3_2_00EA98A3	3_2_00EA98A3

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe

Process token adjusted: Load Driver

Jump to behavior

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe

Process token adjusted: Security

Jump to behavior

Source: C:\ProgramData\StartMenuExperienceHos.exe	Code function: String function: 005E6349 appears 41 times
Source: C:\ProgramData\StartMenuExperienceHos.exe	Code function: String function: 006E5EB4 appears 112 times
Source: C:\ProgramData\StartMenuExperienceHos.exe	Code function: String function: 006E5E7E appears 48 times
Source: C:\ProgramData\StartMenuExperienceHos.exe	Code function: String function: 006E5E4B appears 388 times
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: String function: 00DAEC08 appears 42 times
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: String function: 0349A1C8 appears 34 times
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: String function: 00DA6304 appears 34 times
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: String function: 034A8AC0 appears 32 times
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: String function: 00EA63B0 appears 62 times
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: String function: 00DA6349 appears 82 times
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: String function: 00EA5E7E appears 96 times
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: String function: 00EA5E4B appears 784 times
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: String function: 0349B72C appears 35 times
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: String function: 00DA4EB5 appears 56 times
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: String function: 00EA5EB4 appears 235 times

Source: Wt3pGldAnr.exe, 00000000.00000000.1662960524.0000000001093000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMiniCADSee_X64.exe0 vs Wt3pGldAnr.exe
Source: Wt3pGldAnr.exe, 00000000.00000003.1757233623.00000000043CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMiniCADSee_X64.exe0 vs Wt3pGldAnr.exe
Source: Wt3pGldAnr.exe, 00000003.00000000.1774367678.0000000001093000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMiniCADSee_X64.exe0 vs Wt3pGldAnr.exe
Source: Wt3pGldAnr.exe	Binary or memory string: OriginalFilenameMiniCADSee_X64.exe0 vs Wt3pGldAnr.exe

Source: Wt3pGldAnr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal80.spyw.evad.winEXE@4/2@0/1

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_0349A244 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetTokenInformation,ImpersonateLoggedOnUser,CloseHandle,CloseHandle,CloseHandle,CloseHandle,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLengthSid,SetTokenInformation,TerminateProcess,AdjustTokenPrivileges,CloseHandle,CloseHandle,CloseHandle,	0_2_0349A244
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_0349A701 AdjustTokenPrivileges,	0_2_0349A701
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_0349B72C OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_0349B72C
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_0349B671 LookupPrivilegeValueW,GetLastError,_wprintf,AdjustTokenPrivileges,GetLastError,_wprintf,GetLastError,_wprintf,	0_2_0349B671
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_0348A3FD GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,OpenProcess,	0_2_0348A3FD
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_0349A1C8 LookupPrivilegeValueW,AdjustTokenPrivileges,	0_2_0349A1C8
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_0348A520 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,	0_2_0348A520
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_0348AA41 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,	0_2_0348AA41

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe

Code function: 0_2_0349A036 CreateToolhelp32Snapshot,Process32FirstW,__wcsicoll,Process32NextW,FindCloseChangeNotification,

0_2_0349A036

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe

Code function: 0_2_00DBA66C CoInitialize,CoCreateInstance,

0_2_00DBA66C

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe

Code function: 0_2_00DAA4D3 FindResourceW,LoadResource,LockResource,FreeResource,

0_2_00DAA4D3

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe

Mutant created: \Sessions\1\BaseNamedObjects\MyUniqueMutexName

Source: Wt3pGldAnr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Wt3pGldAnr.exe	ReversingLabs: Detection: 15%
Source: Wt3pGldAnr.exe	Virustotal: Detection: 23%

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe

File read: C:\Users\user\Desktop\Wt3pGldAnr.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Wt3pGldAnr.exe "C:\Users\user\Desktop\Wt3pGldAnr.exe"
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Process created: C:\ProgramData\StartMenuExperienceHos.exe "C:\ProgramData\StartMenuExperienceHos.exe"
Source: unknown	Process created: C:\Users\user\Desktop\Wt3pGldAnr.exe C:\Users\user\Desktop\Wt3pGldAnr.exe
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Process created: C:\ProgramData\StartMenuExperienceHos.exe "C:\ProgramData\StartMenuExperienceHos.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Section loaded: dinput8.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\ProgramData\StartMenuExperienceHos.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\StartMenuExperienceHos.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\ProgramData\StartMenuExperienceHos.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\ProgramData\StartMenuExperienceHos.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\StartMenuExperienceHos.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\ProgramData\StartMenuExperienceHos.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\StartMenuExperienceHos.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Section loaded: dwmapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32

Jump to behavior

Source: Wt3pGldAnr.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Wt3pGldAnr.exe

Static file information: File size 3218944 > 1048576

Source: Wt3pGldAnr.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x128a00
Source: Wt3pGldAnr.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x173a00

Source: Wt3pGldAnr.exe

Static PE information: More than 200 imports for USER32.dll

Source: Wt3pGldAnr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: Wt3pGldAnr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Wt3pGldAnr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Wt3pGldAnr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Wt3pGldAnr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Wt3pGldAnr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe

Unpacked PE file: 0.2.Wt3pGldAnr.exe.3480000.4.unpack

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe

Code function: 0_2_00DA10BE __floor_pentium4,LoadLibraryW,GetProcAddress,VirtualAlloc,_memmove,VirtualFree,

0_2_00DA10BE

Source: Wt3pGldAnr.exe	Static PE information: real checksum: 0x314ee0 should be: 0x31a429
Source: StartMenuExperienceHos.exe.0.dr	Static PE information: real checksum: 0x314ee0 should be: 0x31a429

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_00EA63F5 push ecx; ret	0_2_00EA6408
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_00EA5F23 push ecx; ret	0_2_00EA5F36
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_034A8B05 push ecx; ret	0_2_034A8B18
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_034A2AF4 push ecx; ret	0_2_034A2B07
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_034BA854 push ebp; retf	0_2_034BA858
Source: C:\ProgramData\StartMenuExperienceHos.exe	Code function: 1_2_006E63F5 push ecx; ret	1_2_006E6408
Source: C:\ProgramData\StartMenuExperienceHos.exe	Code function: 1_2_006E5F23 push ecx; ret	1_2_006E5F36
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 3_2_00EA63F5 push ecx; ret	3_2_00EA6408
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 3_2_00EA5F23 push ecx; ret	3_2_00EA5F36

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe

File created: C:\ProgramData\StartMenuExperienceHos.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe

File created: C:\ProgramData\StartMenuExperienceHos.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_00DE2018 IsIconic,	0_2_00DE2018
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_00E222CB IsWindow,IsWindowVisible,GetWindowRect,PtInRect,GetAsyncKeyState,ScreenToClient,IsWindow,IsWindow,IsWindow,GetWindowRect,PtInRect,SendMessageW,PtInRect,SendMessageW,ScreenToClient,PtInRect,GetParent,SendMessageW,GetFocus,WindowFromPoint,SendMessageW,GetSystemMenu,IsMenu,EnableMenuItem,EnableMenuItem,EnableMenuItem,IsZoomed,IsIconic,EnableMenuItem,TrackPopupMenu,SendMessageW,	0_2_00E222CB
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_00DCCC9C SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,SendMessageW,UpdateWindow,SendMessageW,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow,	0_2_00DCCC9C
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_00DDCD1F IsWindowVisible,IsIconic,	0_2_00DDCD1F
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_00E22E90 IsIconic,PostMessageW,	0_2_00E22E90
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_00E20FB1 IsWindow,GetFocus,IsChild,SendMessageW,IsChild,SendMessageW,IsIconic,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,IsWindowVisible,	0_2_00E20FB1
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_00DA5516 IsIconic,SendMessageW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,GetWindowRect,ScreenToClient,ScreenToClient,ScreenToClient,GetDC,SelectObject,	0_2_00DA5516
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_00E21A40 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	0_2_00E21A40
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_00E21A40 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	0_2_00E21A40
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_00E21A40 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	0_2_00E21A40
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_00DF7DE2 GetClientRect,IsRectEmpty,IsIconic,BeginDeferWindowPos,GetClientRect,IsRectEmpty,IsRectEmpty,EqualRect,GetWindowRect,GetParent,EndDeferWindowPos,	0_2_00DF7DE2
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_00E21D40 IsWindowVisible,ScreenToClient,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetSystemMetrics,PtInRect,GetSystemMetrics,PtInRect,GetSystemMetrics,PtInRect,	0_2_00E21D40
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_00DE1F74 SetForegroundWindow,IsIconic,	0_2_00DE1F74
Source: C:\ProgramData\StartMenuExperienceHos.exe	Code function: 1_2_00622018 IsIconic,	1_2_00622018
Source: C:\ProgramData\StartMenuExperienceHos.exe	Code function: 1_2_006622CB IsWindow,IsWindowVisible,GetWindowRect,PtInRect,GetAsyncKeyState,ScreenToClient,IsWindow,IsWindow,IsWindow,GetWindowRect,PtInRect,SendMessageW,PtInRect,SendMessageW,ScreenToClient,PtInRect,GetParent,SendMessageW,GetFocus,WindowFromPoint,SendMessageW,GetSystemMenu,IsMenu,EnableMenuItem,EnableMenuItem,EnableMenuItem,IsZoomed,IsIconic,EnableMenuItem,TrackPopupMenu,SendMessageW,	1_2_006622CB
Source: C:\ProgramData\StartMenuExperienceHos.exe	Code function: 1_2_0060CC9C SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,SendMessageW,UpdateWindow,SendMessageW,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow,	1_2_0060CC9C
Source: C:\ProgramData\StartMenuExperienceHos.exe	Code function: 1_2_0061CD1F IsWindowVisible,IsIconic,	1_2_0061CD1F
Source: C:\ProgramData\StartMenuExperienceHos.exe	Code function: 1_2_00662E90 IsIconic,PostMessageW,	1_2_00662E90
Source: C:\ProgramData\StartMenuExperienceHos.exe	Code function: 1_2_00660FB1 IsWindow,GetFocus,IsChild,SendMessageW,IsChild,SendMessageW,IsIconic,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,IsWindowVisible,	1_2_00660FB1
Source: C:\ProgramData\StartMenuExperienceHos.exe	Code function: 1_2_005E5516 IsIconic,SendMessageW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,GetWindowRect,ScreenToClient,ScreenToClient,ScreenToClient,GetDC,SelectObject,	1_2_005E5516
Source: C:\ProgramData\StartMenuExperienceHos.exe	Code function: 1_2_00661A40 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	1_2_00661A40
Source: C:\ProgramData\StartMenuExperienceHos.exe	Code function: 1_2_00661A40 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	1_2_00661A40
Source: C:\ProgramData\StartMenuExperienceHos.exe	Code function: 1_2_00661A40 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	1_2_00661A40
Source: C:\ProgramData\StartMenuExperienceHos.exe	Code function: 1_2_00661D40 IsWindowVisible,ScreenToClient,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetSystemMetrics,PtInRect,GetSystemMetrics,PtInRect,GetSystemMetrics,PtInRect,	1_2_00661D40
Source: C:\ProgramData\StartMenuExperienceHos.exe	Code function: 1_2_00637DE2 GetClientRect,IsRectEmpty,IsIconic,BeginDeferWindowPos,GetClientRect,IsRectEmpty,IsRectEmpty,EqualRect,GetWindowRect,GetParent,EndDeferWindowPos,	1_2_00637DE2
Source: C:\ProgramData\StartMenuExperienceHos.exe	Code function: 1_2_00621F74 SetForegroundWindow,IsIconic,	1_2_00621F74
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 3_2_00DE2018 IsIconic,	3_2_00DE2018
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 3_2_00E222CB IsWindow,IsWindowVisible,GetWindowRect,PtInRect,GetAsyncKeyState,ScreenToClient,IsWindow,IsWindow,IsWindow,GetWindowRect,PtInRect,SendMessageW,PtInRect,SendMessageW,ScreenToClient,PtInRect,GetParent,SendMessageW,GetFocus,WindowFromPoint,SendMessageW,GetSystemMenu,IsMenu,EnableMenuItem,EnableMenuItem,EnableMenuItem,IsZoomed,IsIconic,EnableMenuItem,TrackPopupMenu,SendMessageW,	3_2_00E222CB
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 3_2_00DCCC9C SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,SendMessageW,UpdateWindow,SendMessageW,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow,	3_2_00DCCC9C
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 3_2_00DDCD1F IsWindowVisible,IsIconic,	3_2_00DDCD1F
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 3_2_00E22E90 IsIconic,PostMessageW,	3_2_00E22E90
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 3_2_00E20FB1 IsWindow,GetFocus,IsChild,SendMessageW,IsChild,SendMessageW,IsIconic,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,IsWindowVisible,	3_2_00E20FB1
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 3_2_00DA5516 IsIconic,SendMessageW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,GetWindowRect,ScreenToClient,ScreenToClient,ScreenToClient,GetDC,SelectObject,	3_2_00DA5516
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 3_2_00E21A40 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	3_2_00E21A40
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 3_2_00E21A40 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	3_2_00E21A40
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 3_2_00E21A40 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	3_2_00E21A40
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 3_2_00DF7DE2 GetClientRect,IsRectEmpty,IsIconic,BeginDeferWindowPos,GetClientRect,IsRectEmpty,IsRectEmpty,EqualRect,GetWindowRect,GetParent,EndDeferWindowPos,	3_2_00DF7DE2
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 3_2_00E21D40 IsWindowVisible,ScreenToClient,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetSystemMetrics,PtInRect,GetSystemMetrics,PtInRect,GetSystemMetrics,PtInRect,	3_2_00E21D40
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 3_2_00DE1F74 SetForegroundWindow,IsIconic,	3_2_00DE1F74

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe

Code function: 0_2_00DBB770 __EH_prolog3_GS,GetDeviceCaps,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,_memset,GetTextCharsetInfo,lstrcpyW,lstrcpyW,EnumFontFamiliesW,EnumFontFamiliesW,lstrcpyW,EnumFontFamiliesW,lstrcpyW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,GetSystemMetrics,lstrcpyW,CreateFontIndirectW,GetStockObject,GetStockObject,GetObjectW,GetObjectW,lstrcpyW,CreateFontIndirectW,CreateFontIndirectW,GetStockObject,GetObjectW,CreateFontIndirectW,CreateFontIndirectW,__EH_prolog3_GS,GetVersionExW,GetSystemMetrics,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00DBB770

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe

Key value created or modified: HKEY_CURRENT_USER\Console\0 d33f351a4aeea5e608853d1a56661059

Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

graph_0-78745

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_0-78000

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep			graph_0-78388
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Evasive API call chain: RegQueryValue,DecisionNodes,Sleep			graph_0-78246

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\ProgramData\StartMenuExperienceHos.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-78546

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	API coverage: 5.4 %
Source: C:\ProgramData\StartMenuExperienceHos.exe	API coverage: 2.9 %
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	API coverage: 2.8 %

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe TID: 2316	Thread sleep count: 106 > 30			Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe TID: 5448	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_00DDA6C3 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	0_2_00DDA6C3
Source: C:\ProgramData\StartMenuExperienceHos.exe	Code function: 1_2_0061A6C3 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	1_2_0061A6C3
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 3_2_00DDA6C3 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	3_2_00DDA6C3

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe

Code function: 0_2_0348B0A5 GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,__wcsnicmp,lstrcpyW,lstrcatW,lstrcpyW,

0_2_0348B0A5

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe

Code function: 0_2_00EA9C8B VirtualQuery,GetSystemInfo,GetModuleHandleW,GetProcAddress,VirtualAlloc,VirtualProtect,

0_2_00EA9C8B

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe

Thread delayed: delay time: 30000

Jump to behavior

Source: StartMenuExperienceHos.exe, 00000001.00000003.1759281721.0000000001337000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll_=b
Source: Wt3pGldAnr.exe, 00000000.00000002.1787519096.00000000011B0000.00000004.00000020.00020000.00000000.sdmp, Wt3pGldAnr.exe, 00000003.00000003.1775405931.000000000145C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	API call chain: ExitProcess graph end node			graph_0-78936
Source: C:\ProgramData\StartMenuExperienceHos.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe

Code function: 0_2_00EA47AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00EA47AC

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe

Code function: 0_2_03495A55 CreateWindowExW,GetLastError,OutputDebugStringW,OutputDebugStringW,

0_2_03495A55

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe

Code function: 0_2_00EA9C8B VirtualProtect ?,-00000001,00000104,?

0_2_00EA9C8B

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe

Code function: 0_2_00DA10BE __floor_pentium4,LoadLibraryW,GetProcAddress,VirtualAlloc,_memmove,VirtualFree,

0_2_00DA10BE

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe

Code function: 0_2_03494CEC _free,_free,GetProcessHeap,HeapFree,

0_2_03494CEC

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_00EA47AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00EA47AC
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_00EABBA1 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00EABBA1
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_0349B9E1 GetCurrentProcess,OpenProcessToken,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,SetConsoleCtrlHandler,CreateThread,Sleep,CloseHandle,SetUnhandledExceptionFilter,CloseHandle,Sleep,Sleep,Sleep,RegOpenKeyExW,RegQueryValueExW,Sleep,WaitForSingleObject,CloseHandle,Sleep,WaitForSingleObject,CloseHandle,Sleep,	0_2_0349B9E1
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_034A66AE _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_034A66AE
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 0_2_0349F3F0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0349F3F0
Source: C:\ProgramData\StartMenuExperienceHos.exe	Code function: 1_2_006E47AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_006E47AC
Source: C:\ProgramData\StartMenuExperienceHos.exe	Code function: 1_2_006EBBA1 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_006EBBA1
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 3_2_00EA47AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00EA47AC
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: 3_2_00EABBA1 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00EABBA1

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe

Code function: 0_2_0348A5F4 _memset,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,ResumeThread,

0_2_0348A5F4

Contains functionality to inject threads in other processes

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe

0_2_0348A5F4

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: _memset,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\SysWOW64\svchost.exe		0_2_0348A5F4
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: _memset,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\System32\svchost.exe		0_2_0348A5F4

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: GetLocaleInfoW,__snwprintf_s,LoadLibraryW,	0_2_00DA7502
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: __EH_prolog3_GS,GetNumberFormatW,GetLocaleInfoW,lstrlenW,	0_2_00DFDD6C
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	0_2_034B030B
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	0_2_034B03B2
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_034B0216
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: _memset,_memset,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,GetSystemInfo,wsprintfW,lstrlenW,lstrlenW,wsprintfW,GetCurrentProcessId,GetTickCount,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW,	0_2_03488189
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	0_2_034B0741
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_034B0705
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_034B069E
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	0_2_034B05DE
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	0_2_034B040D
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	0_2_034B524D
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: GetLocaleInfoA,	0_2_034A5648
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_034B3515
Source: C:\ProgramData\StartMenuExperienceHos.exe	Code function: GetLocaleInfoW,__snwprintf_s,LoadLibraryW,	1_2_005E7502
Source: C:\ProgramData\StartMenuExperienceHos.exe	Code function: __EH_prolog3_GS,GetNumberFormatW,GetLocaleInfoW,lstrlenW,	1_2_0063DD6C
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: GetLocaleInfoW,__snwprintf_s,LoadLibraryW,	3_2_00DA7502
Source: C:\Users\user\Desktop\Wt3pGldAnr.exe	Code function: __EH_prolog3_GS,GetNumberFormatW,GetLocaleInfoW,lstrlenW,	3_2_00DFDD6C

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe

Code function: 0_2_00EAEFF7 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00EAEFF7

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe

Code function: 0_2_034AA394 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

0_2_034AA394

Source: C:\Users\user\Desktop\Wt3pGldAnr.exe

0_2_00DBB770

Source: Wt3pGldAnr.exe	Binary or memory string: acs.exe
Source: Wt3pGldAnr.exe, 00000000.00000002.1788227901.00000000032E0000.00000040.00001000.00020000.00000000.sdmp, Wt3pGldAnr.exe, 00000000.00000002.1787973230.0000000002E00000.00000004.00001000.00020000.00000000.sdmp, Wt3pGldAnr.exe, 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Wt3pGldAnr.exe, 00000000.00000002.1788120725.00000000031C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: q\KSafeTray.exe
Source: Wt3pGldAnr.exe	Binary or memory string: kxetray.exe
Source: Wt3pGldAnr.exe	Binary or memory string: avcenter.exe
Source: Wt3pGldAnr.exe	Binary or memory string: vsserv.exe
Source: Wt3pGldAnr.exe	Binary or memory string: KSafeTray.exe
Source: Wt3pGldAnr.exe	Binary or memory string: avp.exe
Source: Wt3pGldAnr.exe	Binary or memory string: cfp.exe
Source: Wt3pGldAnr.exe	Binary or memory string: 360Safe.exe
Source: Wt3pGldAnr.exe	Binary or memory string: 360tray.exe
Source: Wt3pGldAnr.exe	Binary or memory string: rtvscan.exe
Source: Wt3pGldAnr.exe	Binary or memory string: TMBMSRV.exe
Source: Wt3pGldAnr.exe	Binary or memory string: ashDisp.exe
Source: Wt3pGldAnr.exe	Binary or memory string: 360Tray.exe
Source: Wt3pGldAnr.exe	Binary or memory string: avgwdsvc.exe
Source: Wt3pGldAnr.exe	Binary or memory string: AYAgent.aye
Source: Wt3pGldAnr.exe	Binary or memory string: QUHLPSVC.EXE
Source: Wt3pGldAnr.exe	Binary or memory string: RavMonD.exe
Source: Wt3pGldAnr.exe	Binary or memory string: Mcshield.exe
Source: Wt3pGldAnr.exe	Binary or memory string: K7TSecurity.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	13 Native API	1 LSASS Driver	1 LSASS Driver	1 Disable or Modify Tools	141 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	141 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Scheduled Task/Job	1 Access Token Manipulation	2 Obfuscated Files or Information	Security Account Manager	14 System Information Discovery	SMB/Windows Admin Shares	2 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	211 Process Injection	1 Software Packing	NTDS	141 Security Software Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Scheduled Task/Job	1 DLL Side-Loading	LSA Secrets	11 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Modify Registry	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	211 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Wt3pGldAnr.exe	16%	ReversingLabs	Win32.Trojan.Generic
Wt3pGldAnr.exe	24%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\StartMenuExperienceHos.exe	16%	ReversingLabs	Win32.Trojan.Generic
C:\ProgramData\StartMenuExperienceHos.exe	24%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
https://zh-hans.ipshu.com/my_info	0%	Virustotal		Browse
https://zh-hans.ipshu.com/my_infoInternetOpenUrl	0%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
https://zh-hans.ipshu.com/my_infoInternetOpenUrl	Wt3pGldAnr.exe, 00000000.00000002.1788227901.00000000032E0000.00000040.00001000.00020000.00000000.sdmp, Wt3pGldAnr.exe, 00000000.00000002.1787973230.0000000002E00000.00000004.00001000.00020000.00000000.sdmp, Wt3pGldAnr.exe, 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Wt3pGldAnr.exe, 00000000.00000002.1788120725.00000000031C0000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://zh-hans.ipshu.com/my_info	Wt3pGldAnr.exe	false	0%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
156.255.0.191	unknown	Seychelles		134548	DXTL-HKDXTLTseungKwanOServiceHK	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1428524
Start date and time:	2024-04-19 05:58:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Wt3pGldAnr.exe renamed because original name is a hash value
Original Sample Name:	0707cfd47743293d37378ee4465baf5c.exe
Detection:	MAL
Classification:	mal80.spyw.evad.winEXE@4/2@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 86% Number of executed functions: 48 Number of non-executed functions: 356
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
04:59:11	Task Scheduler	Run new task: Wt3pGldAnr path: C:\Users\user\Desktop\Wt3pGldAnr.exe
05:59:09	API Interceptor	1x Sleep call for process: Wt3pGldAnr.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DXTL-HKDXTLTseungKwanOServiceHK	SecuriteInfo.com.FileRepMalware.20155.16240.elf	Get hash	malicious	Gafgyt, Mirai	Browse	156.239.92.108
	kl7nWo7u71.elf	Get hash	malicious	Gafgyt, Mirai	Browse	156.235.229.60
	OPs5j7Yjb8.elf	Get hash	malicious	Gafgyt, Mirai	Browse	156.235.142.141
	hYN45tzxwl.elf	Get hash	malicious	Mirai	Browse	154.93.171.8
	Ns1xkTsDQO.elf	Get hash	malicious	Mirai	Browse	154.221.154.74
	jklarm.elf	Get hash	malicious	Mirai	Browse	154.85.232.143
	5lrOsR7kdX.elf	Get hash	malicious	Mirai	Browse	154.214.177.58
	g6W1NW8Q8t.elf	Get hash	malicious	Unknown	Browse	154.214.141.80
	g5FxNXoqH7.elf	Get hash	malicious	Mirai	Browse	156.232.148.225
	UtN6hwRjZv.elf	Get hash	malicious	Mirai	Browse	156.245.160.232

Process:	C:\Users\user\Desktop\Wt3pGldAnr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3218944
Entropy (8bit):	7.319162531570145
Encrypted:	false
SSDEEP:	98304:zIYSSR0z8vvZpdmI6RSTSGcNoIv0kGX4g7O9P9LfetG25NJn:zIdy0ohgBGImO9P9LfeHJ
MD5:	0707CFD47743293D37378EE4465BAF5C
SHA1:	3EC3E1DA7CA748292EB3D0990A763D58E04EBB09
SHA-256:	FB65C9DA76587966B0FD53C34119AEDD57E771899531146943B79BBB2CC129C3
SHA-512:	B989B282D247B5F64B98D658524CC2AE9EC44B105B31B8654C6868C4A545FB6A59310CA6C3BB9613D4B02E64D6BDB5E322C0498BA8572EB58ADABE08D25F25C0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 16% Antivirus: Virustotal, Detection: 24%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u..41.bg1.bg1.bg^..g..bg^..g..bg^..gI.bg8..g>.bg8..g..bg1.cg-.bg^..g?.bg^..g0.bg^..g0.bgRich1.bg........................PE..L....y f.....................(.......Z............@...........................1......N1...@.....................................\|........8...................P/.....................................pM..@............................................text............................... ..`.rdata...U.......V..................@..@.data...@........l..................@....rsrc....8.......:...P..............@..@.reloc..n....P/.....................@..B................................................................................................................................................................................................................................................................................................................

C:\ProgramData\StartMenuExperienceHos.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Wt3pGldAnr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.319162531570145
TrID:	Win32 Executable (generic) a (10002005/4) 98.81% Windows ActiveX control (116523/4) 1.15% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Wt3pGldAnr.exe
File size:	3'218'944 bytes
MD5:	0707cfd47743293d37378ee4465baf5c
SHA1:	3ec3e1da7ca748292eb3d0990a763d58e04ebb09
SHA256:	fb65c9da76587966b0fd53c34119aedd57e771899531146943b79bbb2cc129c3
SHA512:	b989b282d247b5f64b98d658524cc2ae9ec44b105b31b8654c6868c4a545fb6a59310ca6c3bb9613d4b02e64d6bdb5e322c0498ba8572eb58adabe08d25f25c0
SSDEEP:	98304:zIYSSR0z8vvZpdmI6RSTSGcNoIv0kGX4g7O9P9LfetG25NJn:zIdy0ohgBGImO9P9LfeHJ
TLSH:	B6E5D0313691D47BE53B36309259A3B9B2BEB9308E35024726A15F3D3E754938D2827F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u..41.bg1.bg1.bg^..g..bg^..g..bg^..gI.bg8..g>.bg8..g..bg1.cg-.bg^..g?.bg^..g0.bg^..g0.bgRich1.bg........................PE..L..

File Icon


Icon Hash:	6b49e0c4612d0f55

Static PE Info

General

Entrypoint:	0x505a11
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x662079F4 [Thu Apr 18 01:40:04 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	c7cd9a28c59d689112a5f72c9ae31817

Entrypoint Preview

Instruction
call 00007F73D090A506h
jmp 00007F73D0900DAEh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 20h
mov eax, dword ptr [ebp+08h]
push esi
push edi
push 00000008h
pop ecx
mov esi, 00550270h
lea edi, dword ptr [ebp-20h]
rep movsd
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
mov dword ptr [ebp-04h], eax
pop esi
test eax, eax
je 00007F73D0900F2Eh
test byte ptr [eax], 00000008h
je 00007F73D0900F29h
mov dword ptr [ebp-0Ch], 01994000h
lea eax, dword ptr [ebp-0Ch]
push eax
push dword ptr [ebp-10h]
push dword ptr [ebp-1Ch]
push dword ptr [ebp-20h]
call dword ptr [0052A314h]
leave
retn 0008h
mov edi, edi
push ebp
mov ebp, esp
push ecx
push ebx
mov eax, dword ptr [ebp+0Ch]
add eax, 0Ch
mov dword ptr [ebp-04h], eax
mov ebx, dword ptr fs:[00000000h]
mov eax, dword ptr [ebx]
mov dword ptr fs:[00000000h], eax
mov eax, dword ptr [ebp+08h]
mov ebx, dword ptr [ebp+0Ch]
mov ebp, dword ptr [ebp-04h]
mov esp, dword ptr [ebx-04h]
jmp eax
pop ebx
leave
retn 0008h
pop eax
pop ecx
xchg dword ptr [esp], eax
jmp eax
mov edi, edi
push ebp
mov ebp, esp
push ecx
push ecx
push ebx
push esi
push edi
mov esi, dword ptr fs:[00000000h]
mov dword ptr [ebp-04h], esi
mov dword ptr [ebp-08h], 00505ACBh
push 00000000h
push dword ptr [ebp+0Ch]
push dword ptr [ebp-08h]
push dword ptr [ebp+08h]
call 00007F73D0917488h
mov eax, dword ptr [ebp+0Ch]
mov eax, dword ptr [eax+04h]
and eax, FFFFFFFDh
mov ecx, dword ptr [ebp+0Ch]
mov dword ptr [ecx+00h], eax

Rich Headers

Programming Language:

[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[C++] VS2010 build 30319
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[RES] VS2010 build 30319
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x16c0bc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x181000	0x173817	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2f5000	0x1ac8c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x154d70	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x12a000	0x9e8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x12881f	0x128a00	08126d7c27e1de4a907093ca817d1234	False	0.565460552307206	data	6.5329102207493825	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x12a000	0x455dc	0x45600	4ccda5c669343a32a9a888ef12edd8fa	False	0.2671699042792793	data	5.002277513445981	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x170000	0x10340	0x6c00	c950ad1efa5e8e9145d257df16dc1f6e	False	0.25983796296296297	data	4.538856989422253	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x181000	0x173817	0x173a00	ea3ee13a03cd81d884876d55980cb98b	False	0.9375617536999664	data	7.904870488456657	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2f5000	0x2936e	0x29400	d5402f4b94d2ead2df238cc6f25d8e68	False	0.27293442234848486	data	5.0526509296469	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x181558	0x14e059	PNG image data, 2338 x 1314, 8-bit colormap, non-interlaced			1.0002803802490234
RT_ICON	0x2cf5b4	0x5072	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9811110032048169
RT_ICON	0x2d4628	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 9600	English	United States	0.2892316337395008
RT_ICON	0x2e4e50	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 9600	English	United States	0.38946395563770797
RT_ICON	0x2ea2d8	0x39e0	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.3254589632829374
RT_ICON	0x2edcb8	0x3004	Device independent bitmap graphic, 32 x 64 x 32, image size 9600	English	United States	0.2245362837617963
RT_ICON	0x2f0cbc	0x25a8	Device independent bitmap graphic, 16 x 32 x 32, image size 9600	English	United States	0.10487551867219917
RT_DIALOG	0x2f3264	0xb4	data	English	United States	0.6111111111111112
RT_DIALOG	0x2f3318	0x120	data	English	United States	0.5138888888888888
RT_DIALOG	0x2f3438	0x1ee	data	English	United States	0.3866396761133603
RT_DIALOG	0x2f3628	0xf8	data	English	United States	0.6290322580645161
RT_DIALOG	0x2f3720	0xda	data	English	United States	0.6376146788990825
RT_DIALOG	0x2f37fc	0xa0	data	English	United States	0.6
RT_DIALOG	0x2f389c	0x10c	data	English	United States	0.5111940298507462
RT_DIALOG	0x2f39a8	0x1ee	data	English	United States	0.3866396761133603
RT_DIALOG	0x2f3b98	0xe4	data	English	United States	0.6359649122807017
RT_DIALOG	0x2f3c7c	0xda	data	English	United States	0.6376146788990825
RT_DIALOG	0x2f3d58	0xa4	data	English	United States	0.6158536585365854
RT_DIALOG	0x2f3dfc	0x110	data	English	United States	0.5183823529411765
RT_DIALOG	0x2f3f0c	0x1f2	data	English	United States	0.39759036144578314
RT_DIALOG	0x2f4100	0xe8	data	English	United States	0.6508620689655172
RT_DIALOG	0x2f41e8	0xde	data	English	United States	0.6486486486486487
RT_GROUP_ICON	0x2f42c8	0x84	data	English	United States	0.6893939393939394
RT_VERSION	0x2f434c	0x2b4	data	Chinese	China	0.546242774566474
RT_MANIFEST	0x2f4600	0x217	XML 1.0 document, ASCII text, with CRLF line terminators	Chinese	China	0.5570093457943925

Imports

DLL	Import
KERNEL32.dll	GlobalFree, FreeLibrary, lstrcmpW, MultiByteToWideChar, DeactivateActCtx, ActivateActCtx, GetLocaleInfoW, GlobalUnlock, ConvertDefaultLocale, GetUserDefaultUILanguage, GetCurrentThread, GlobalDeleteAtom, lstrcmpA, FreeResource, lstrcpyW, GetPrivateProfileIntW, WritePrivateProfileStringW, GetPrivateProfileStringW, GetCurrentProcessId, SetThreadPriority, ResumeThread, GlobalAddAtomW, ReleaseActCtx, CompareStringW, GetVersionExW, GlobalFindAtomW, LocalAlloc, TlsGetValue, GlobalReAlloc, GlobalHandle, InitializeCriticalSection, TlsAlloc, TlsSetValue, LocalReAlloc, TlsFree, GetCurrentDirectoryW, GlobalFlags, DeleteFileW, GlobalGetAtomNameW, lstrlenA, GetThreadLocale, FileTimeToSystemTime, lstrcmpiW, CreateFileW, ReadFile, WriteFile, SetFilePointer, FlushFileBuffers, LockFile, UnlockFile, SetEndOfFile, GetFileSize, DuplicateHandle, GetCurrentProcess, FindClose, FindFirstFileW, GetVolumeInformationW, GetFullPathNameW, CopyFileW, GetFileAttributesExW, FileTimeToLocalFileTime, GetFileAttributesW, GetFileSizeEx, GetFileTime, GetTempFileNameW, GetTempPathW, GetWindowsDirectoryW, GetNumberFormatW, GetProfileIntW, SearchPathW, VirtualProtect, FindResourceExW, DecodePointer, EncodePointer, ExitThread, HeapSetInformation, GetStartupInfoW, RaiseException, RtlUnwind, ExitProcess, HeapReAlloc, HeapQueryInformation, HeapSize, GetSystemTimeAsFileTime, GetSystemInfo, VirtualQuery, SetStdHandle, GetFileType, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, IsProcessorFeaturePresent, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, QueryPerformanceCounter, GetStringTypeW, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, GetTimeZoneInformation, LCMapStringW, GetConsoleCP, GetConsoleMode, WriteConsoleW, SetEnvironmentVariableA, LocalFree, MulDiv, GlobalSize, GlobalAlloc, GlobalLock, GetExitCodeProcess, OpenProcess, WriteProcessMemory, VirtualAlloc, FindResourceW, LoadResource, LockResource, SizeofResource, GetModuleHandleW, GetCommandLineA, CreateThread, GetConsoleWindow, CreateMutexW, GetTickCount, GetModuleFileNameW, TryEnterCriticalSection, SetWaitableTimer, CreateWaitableTimerW, lstrlenW, WideCharToMultiByte, ResetEvent, CancelIo, InterlockedExchange, CreateEventW, SetLastError, SwitchToThread, GetCurrentThreadId, GetLastError, FormatMessageW, SetEvent, Sleep, WaitForSingleObject, CloseHandle, CreateEventA, InterlockedDecrement, InterlockedIncrement, InterlockedCompareExchange, HeapDestroy, HeapCreate, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, HeapFree, HeapAlloc, LoadLibraryW, GetProcAddress, GetSystemDefaultUILanguage, VirtualFree
USER32.dll	SetTimer, KillTimer, SetRectEmpty, EnumDisplayMonitors, SetLayeredWindowAttributes, CharNextW, OffsetRect, CopyAcceleratorTableW, IsRectEmpty, SetRect, IntersectRect, InvalidateRgn, GetNextDlgGroupItem, MessageBeep, LoadMenuW, SetWindowRgn, RedrawWindow, NotifyWinEvent, GetAsyncKeyState, IsZoomed, CharUpperW, UnionRect, EnableScrollBar, UpdateLayeredWindow, MonitorFromPoint, IsMenu, CreatePopupMenu, SetMenuDefaultItem, GetMenuDefaultItem, DestroyIcon, TranslateAcceleratorW, BringWindowToTop, InsertMenuItemW, LoadAcceleratorsW, LoadImageW, ReuseDDElParam, UnpackDDElParam, SetParent, DestroyAcceleratorTable, SetClassLongW, DrawIconEx, DrawEdge, DrawFrameControl, DrawFocusRect, ToUnicodeEx, MapVirtualKeyW, GetKeyboardLayout, GetKeyboardState, CreateAcceleratorTableW, SetCursorPos, LockWindowUpdate, RegisterClipboardFormatW, InvertRect, HideCaret, GetIconInfo, CopyImage, OpenClipboard, SetClipboardData, CloseClipboard, EmptyClipboard, FrameRect, CopyIcon, CharUpperBuffW, PostThreadMessageW, GetKeyNameTextW, DefFrameProcW, DefMDIChildProcW, DrawMenuBar, TranslateMDISysAccel, CreateMenu, IsClipboardFormatAvailable, GetUpdateRect, GetDoubleClickTime, IsCharLowerW, MapVirtualKeyExW, SubtractRect, DestroyCursor, GetWindowRgn, WinHelpW, IsChild, GetCapture, GetClassLongW, SetPropW, GetPropW, RemovePropW, SetFocus, GetWindowTextW, GetForegroundWindow, BeginDeferWindowPos, EndDeferWindowPos, GetTopWindow, GetMessageTime, GetMessagePos, MonitorFromWindow, GetMonitorInfoW, MapWindowPoints, ScrollWindow, TrackPopupMenu, SetMenu, RealChildWindowFromPoint, GetScrollRange, SetScrollPos, GetScrollPos, SetForegroundWindow, ShowScrollBar, CreateWindowExW, GetClassInfoExW, GetClassInfoW, RegisterClassW, AdjustWindowRectEx, EqualRect, DeferWindowPos, GetScrollInfo, SetScrollInfo, SetWindowPlacement, GetWindowPlacement, GetDlgCtrlID, DefWindowProcW, CallWindowProcW, GetMenu, SetWindowLongW, SystemParametersInfoW, DestroyMenu, GetMenuItemInfoW, InflateRect, CopyRect, GetClassNameW, InvalidateRect, UpdateWindow, DrawStateW, ShowOwnedPopups, SetCursor, GetMessageW, IsWindowVisible, GetKeyState, ValidateRect, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, LoadBitmapW, ModifyMenuW, EnableMenuItem, CheckMenuItem, SetWindowsHookExW, UnhookWindowsHookEx, GetCursorPos, CallNextHookEx, GetFocus, PtInRect, GetSysColor, EndPaint, BeginPaint, GetWindowDC, ReleaseDC, ClientToScreen, GrayStringW, DrawTextExW, DrawTextW, TabbedTextOutW, FillRect, GetWindowThreadProcessId, GetLastActivePopup, MessageBoxW, GetDesktopWindow, GetActiveWindow, SetActiveWindow, CreateDialogIndirectParamW, DestroyWindow, IsWindow, GetWindowLongW, GetDlgItem, IsWindowEnabled, GetNextDlgTabItem, EndDialog, RegisterWindowMessageW, GetWindow, SetWindowContextHelpId, GetParent, MapDialogRect, SetWindowPos, PostQuitMessage, PostMessageW, GetMenuState, GetMenuStringW, GetMenuItemID, InsertMenuW, GetMenuItemCount, GetSubMenu, RemoveMenu, PeekMessageW, TranslateMessage, DispatchMessageW, MsgWaitForMultipleObjects, ShowWindow, PostThreadMessageA, GetInputState, LoadIconW, GetSystemMenu, AppendMenuW, SendMessageW, IsIconic, GetSystemMetrics, GetClientRect, DrawIcon, GetWindowRect, ScreenToClient, GetDC, EnableWindow, DeleteMenu, WaitMessage, ReleaseCapture, WindowFromPoint, SetCapture, GetSysColorBrush, LoadCursorW, MoveWindow, SetWindowTextW, IsDialogMessageW, CheckDlgButton, SendDlgItemMessageW, SetScrollRange, SendDlgItemMessageA, GetWindowTextLengthW
GDI32.dll	GetTextMetricsW, EnumFontFamiliesW, GetTextCharsetInfo, GetBkColor, GetTextColor, GetRgnBox, SetRectRgn, CombineRgn, GetMapMode, PatBlt, DPtoLP, CreateRoundRectRgn, CreateDIBSection, CreatePolygonRgn, CreateEllipticRgn, Polyline, Ellipse, Polygon, CreatePalette, GetPaletteEntries, GetNearestPaletteIndex, RealizePalette, CopyMetaFileW, CreateDCW, SaveDC, RestoreDC, SetBkColor, SetBkMode, SetPolyFillMode, SetROP2, SetTextColor, CreateRectRgnIndirect, SetMapMode, GetClipBox, ExcludeClipRect, IntersectClipRect, LineTo, MoveToEx, SetTextAlign, SelectObject, CreateCompatibleBitmap, CreateDIBitmap, GetTextExtentPoint32W, CreateFontIndirectW, CreateHatchBrush, CreateSolidBrush, CreatePen, GetObjectType, SelectPalette, GetStockObject, CreateCompatibleDC, CreateBitmap, CreatePatternBrush, GetLayout, SetLayout, DeleteObject, SelectClipRgn, CreateRectRgn, GetObjectW, GetViewportExtEx, GetWindowExtEx, BitBlt, GetPixel, PtVisible, RectVisible, TextOutW, ExtTextOutW, Escape, SetViewportOrgEx, DeleteDC, ExtSelectClipRgn, ScaleWindowExtEx, SetWindowExtEx, GetDeviceCaps, SetPixelV, GetTextFaceW, GetBoundsRect, FrameRgn, FillRgn, PtInRegion, GetViewportOrgEx, GetWindowOrgEx, LPtoDP, SetPaletteEntries, ExtFloodFill, EnumFontFamiliesExW, Rectangle, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowOrgEx, GetSystemPaletteEntries, OffsetRgn, SetDIBColorTable, StretchBlt, SetPixel, OffsetWindowOrgEx
ADVAPI32.dll	RegOpenKeyExW, RegCreateKeyExW, RegDeleteKeyW, RegEnumKeyW, RegQueryValueW, RegEnumValueW, RegEnumKeyExW, RegDeleteValueW, RegSetValueExW, RegCloseKey, RegQueryValueExW, RegCreateKeyW
MSIMG32.dll	AlphaBlend, TransparentBlt
COMCTL32.dll	ImageList_GetIconSize, InitCommonControlsEx
SHLWAPI.dll	PathIsUNCW, PathStripToRootW, PathFindFileNameW, PathFindExtensionW, PathRemoveFileSpecW
oledlg.dll	OleUIBusyW
WS2_32.dll	WSASetLastError, WSAEnumNetworkEvents, shutdown, WSACloseEvent, WSAResetEvent, WSAEventSelect, WSAWaitForMultipleEvents, WSAGetLastError, WSAStartup, WSACleanup, setsockopt, closesocket, socket, gethostbyname, htons, connect, WSAIoctl, select, recv, send, WSACreateEvent
gdiplus.dll	GdipGetImageGraphicsContext, GdipBitmapUnlockBits, GdipBitmapLockBits, GdipCreateBitmapFromScan0, GdipCreateBitmapFromStream, GdipGetImagePalette, GdipGetImagePaletteSize, GdipGetImagePixelFormat, GdipGetImageHeight, GdipGetImageWidth, GdipCloneImage, GdipDrawImageRectI, GdipSetInterpolationMode, GdipCreateFromHDC, GdiplusShutdown, GdiplusStartup, GdipCreateBitmapFromHBITMAP, GdipDisposeImage, GdipDeleteGraphics, GdipAlloc, GdipFree, GdipDrawImageI
WINMM.dll	PlaySoundW, timeGetTime
OLEACC.dll	LresultFromObject, AccessibleObjectFromWindow, CreateStdAccessibleObject
IMM32.dll	ImmReleaseContext, ImmGetContext, ImmGetOpenStatus
WINSPOOL.DRV	DocumentPropertiesW, OpenPrinterW, ClosePrinter
COMDLG32.dll	GetFileTitleW
SHELL32.dll	SHGetDesktopFolder, SHGetMalloc, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, DragFinish, DragQueryFileW, ShellExecuteW, SHAppBarMessage, SHGetSpecialFolderLocation
ole32.dll	OleTranslateAccelerator, IsAccelerator, OleLockRunning, CoRevokeClassObject, CoRegisterMessageFilter, OleGetClipboard, RegisterDragDrop, CoLockObjectExternal, RevokeDragDrop, CLSIDFromProgID, OleDestroyMenuDescriptor, CoCreateGuid, OleDuplicateData, CoTaskMemAlloc, ReleaseStgMedium, OleCreateMenuDescriptor, CoTaskMemFree, CoInitializeEx, DoDragDrop, OleFlushClipboard, OleIsCurrentClipboard, CreateStreamOnHGlobal, OleInitialize, CoFreeUnusedLibraries, OleUninitialize, CreateILockBytesOnHGlobal, StgCreateDocfileOnILockBytes, StgOpenStorageOnILockBytes, CoGetClassObject, CoInitialize, CoCreateInstance, CoUninitialize, CLSIDFromString
OLEAUT32.dll	SysAllocStringLen, VariantClear, VariantChangeType, VariantInit, SysStringLen, VariantCopy, SysAllocString, SafeArrayDestroy, VariantTimeToSystemTime, SystemTimeToVariantTime, VarBstrFromDate, OleCreateFontIndirect, SysFreeString

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Chinese	China

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 19, 2024 05:59:07.864543915 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:08.161119938 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:08.161276102 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:08.162348032 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:08.458818913 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:08.459402084 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:08.755805969 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:08.759234905 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:08.759254932 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:08.759273052 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:08.759289980 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:08.759305954 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:08.759324074 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:08.759340048 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:08.759355068 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:08.759370089 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:08.759386063 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:08.759402037 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:08.759417057 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:08.759450912 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:08.759450912 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:08.759450912 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:08.759450912 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:08.759546041 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.056036949 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.056070089 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.056086063 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.056113005 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.056129932 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.056139946 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.056148052 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.056165934 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.056173086 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.056184053 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.056195021 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.056200027 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.056216955 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.056231022 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.056231022 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.056247950 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.056267023 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.056267977 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.056283951 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.056284904 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.056303024 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.056318045 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.056333065 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.056334019 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.056351900 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.056351900 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.056368113 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.056384087 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.056400061 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.056418896 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.353076935 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.353143930 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.353168011 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.353188038 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.353245974 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.353266954 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.353302956 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.353341103 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.353362083 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.353384018 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.353403091 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.353421926 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.353441000 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.353460073 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.353480101 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.353498936 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.353535891 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.353570938 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.353605986 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.353641033 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.353651047 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.353651047 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.353651047 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.353676081 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.353712082 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.353722095 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.353748083 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.353786945 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.353794098 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.353827000 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.353863001 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.353898048 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.353931904 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.353965998 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.354000092 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.354036093 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.354072094 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.354105949 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.354141951 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.354176998 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.354188919 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.354190111 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.354190111 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.354212046 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.354247093 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.354274035 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.354283094 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.354319096 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.354343891 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.395570993 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.650638103 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.650667906 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.650685072 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.650701046 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.650722027 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.650738001 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.650755882 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.650774002 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.650790930 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.650809050 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.650825977 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.650841951 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.650857925 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.650875092 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.650876999 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.650876999 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.650876999 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.650876999 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.650890112 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.650911093 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.650935888 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.650954008 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.650960922 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.650960922 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.650960922 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.650969982 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.650988102 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.650994062 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.651005983 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651022911 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651037931 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651057959 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651067972 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.651067972 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.651098013 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651115894 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651134968 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651149988 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651148081 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.651168108 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651181936 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.651186943 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651202917 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.651205063 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651228905 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.651232958 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651248932 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651264906 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651283026 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651299000 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.651305914 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651324987 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651343107 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651345015 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.651360035 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651365995 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.651377916 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651397943 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651424885 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.651432991 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651447058 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.651452065 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651468992 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651487112 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651501894 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651508093 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.651519060 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651535034 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651546955 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.651560068 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651566982 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.651577950 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651591063 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.651596069 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651613951 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651631117 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651635885 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.651648045 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651664972 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651675940 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.651684046 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651696920 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.651704073 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651721001 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651736975 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651750088 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.651751995 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651768923 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651770115 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.651784897 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651801109 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651808977 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.651818991 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651829004 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.651837111 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651853085 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651870012 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651885033 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651885986 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.651901960 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651918888 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651930094 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.651935101 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651951075 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.651952982 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651971102 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.651973009 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.651992083 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.652007103 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.652049065 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.691909075 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.691927910 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.692133904 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.948379993 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.948430061 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.948467016 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.948502064 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.948538065 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.948575974 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.948626995 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.948652983 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.948652983 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.948652983 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.948666096 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.948703051 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.948720932 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.948739052 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.948774099 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.948808908 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.948843002 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.948893070 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.948926926 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.948961973 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.948998928 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.949018002 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.949018002 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.949018955 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.949018955 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.949038982 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.949074984 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.949110985 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.949146032 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.949181080 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.949214935 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.949249029 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.949284077 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.949316978 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.949316978 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.949316978 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.949316978 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.949340105 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.949374914 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.949409962 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.949445009 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.949455023 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.949469090 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.949491024 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.949527025 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.949562073 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.949580908 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.949598074 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.949614048 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.949635983 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.949671984 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.949709892 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.949726105 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.949745893 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.949767113 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.949781895 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.949819088 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.949855089 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.949881077 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.949891090 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.949913025 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.949925900 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.949960947 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.949995995 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.950012922 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.950031042 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.950056076 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.950066090 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.950100899 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.950135946 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.950156927 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.950170994 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.950200081 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.950206041 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.950242043 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.950277090 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.950311899 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.950310946 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.950345039 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.950349092 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.950383902 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.950402975 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.950422049 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.950457096 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.950491905 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.950510025 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.950527906 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.950547934 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.950563908 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.950599909 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.950634956 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.950655937 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.950669050 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.950685978 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.950706005 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.950742006 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.950778008 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.950794935 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.950814009 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.950830936 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.950850964 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.950886965 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.950922966 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.950942039 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.950958967 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.950977087 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.950994015 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.951029062 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.951066017 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.951081991 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.951102018 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.951122046 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.951137066 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.951172113 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.951206923 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.951229095 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.951241970 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.951260090 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.951277018 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.951312065 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.951345921 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.951365948 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.951383114 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.951419115 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.951423883 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.951463938 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.951483011 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.951499939 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.951535940 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.951571941 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.951589108 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.951607943 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.951631069 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.951642990 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.951678991 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.951713085 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.951731920 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.951747894 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.951771975 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.951785088 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.951822042 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.951855898 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.951881886 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.951890945 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.951901913 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.951926947 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.951961994 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.951996088 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.952017069 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.952032089 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.952054977 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.952066898 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.952121019 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.952157974 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.952172041 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.952193975 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.952212095 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.952229977 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.952264071 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.952299118 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.952320099 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.952334881 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.952358961 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.952369928 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.952405930 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.952441931 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.952461004 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.952478886 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.952496052 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:09.952516079 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.952550888 CEST	1386	49730	156.255.0.191	192.168.2.4
Apr 19, 2024 05:59:09.952615976 CEST	49730	1386	192.168.2.4	156.255.0.191
Apr 19, 2024 05:59:13.150151968 CEST	49730	1386	192.168.2.4	156.255.0.191

Target ID:	0
Start time:	05:59:00
Start date:	19/04/2024
Path:	C:\Users\user\Desktop\Wt3pGldAnr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Wt3pGldAnr.exe"
Imagebase:	0xda0000
File size:	3'218'944 bytes
MD5 hash:	0707CFD47743293D37378EE4465BAF5C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	05:59:09
Start date:	19/04/2024
Path:	C:\ProgramData\StartMenuExperienceHos.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\StartMenuExperienceHos.exe"
Imagebase:	0x5e0000
File size:	3'218'944 bytes
MD5 hash:	0707CFD47743293D37378EE4465BAF5C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 16%, ReversingLabs Detection: 24%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:59:11
Start date:	19/04/2024
Path:	C:\Users\user\Desktop\Wt3pGldAnr.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Wt3pGldAnr.exe
Imagebase:	0xda0000
File size:	3'218'944 bytes
MD5 hash:	0707CFD47743293D37378EE4465BAF5C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.2%
Dynamic/Decrypted Code Coverage:	34.9%
Signature Coverage:	23.5%
Total number of Nodes:	1041
Total number of Limit Nodes:	24

Executed Functions

Function 0349B9E1 Relevance: 177.3, APIs: 55, Strings: 46, Instructions: 560
sleepregistrythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(000F01FF,?,C463F85C), ref: 0349BA15
OpenProcessToken.ADVAPI32(00000000), ref: 0349BA1C

Part of subcall function 0349B671: LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 0349B68A
Part of subcall function 0349B671: GetLastError.KERNEL32(?,?,?,0349BA34,?,SeDebugPrivilege,00000001), ref: 0349B694
Part of subcall function 0349B671: _wprintf.LIBCMT ref: 0349B6A0

GetCurrentProcess.KERNEL32(SeCreateTokenPrivilege), ref: 0349BA3C

Part of subcall function 0349B72C: OpenProcessToken.ADVAPI32(0349BA48,00000020,00000000), ref: 0349B768

GetCurrentProcess.KERNEL32(SeAssignPrimaryTokenPrivilege), ref: 0349BA4F

Part of subcall function 0349B72C: LookupPrivilegeValueW.ADVAPI32(00000000,?,00000000), ref: 0349B78E

GetCurrentProcess.KERNEL32(SeLockMemoryPrivilege), ref: 0349BA62

Part of subcall function 0349B72C: AdjustTokenPrivileges.KERNELBASE(00000000,00000000,00000001,00000000,00000000,00000000), ref: 0349B7D1

GetCurrentProcess.KERNEL32(SeIncreaseQuotaPrivilege), ref: 0349BA75
GetCurrentProcess.KERNEL32(SeUnsolicitedInputPrivilege), ref: 0349BA88
GetCurrentProcess.KERNEL32(SeMachineAccountPrivilege), ref: 0349BA9B
GetCurrentProcess.KERNEL32(SeTcbPrivilege), ref: 0349BAAE
GetCurrentProcess.KERNEL32(SeSecurityPrivilege), ref: 0349BAC1
GetCurrentProcess.KERNEL32(SeTakeOwnershipPrivilege), ref: 0349BAD4
GetCurrentProcess.KERNEL32(SeLoadDriverPrivilege), ref: 0349BAE7
GetCurrentProcess.KERNEL32(SeSystemProfilePrivilege), ref: 0349BAFA
GetCurrentProcess.KERNEL32(SeSystemtimePrivilege), ref: 0349BB0D
GetCurrentProcess.KERNEL32(SeProfileSingleProcessPrivilege), ref: 0349BB20
GetCurrentProcess.KERNEL32(SeIncreaseBasePriorityPrivilege), ref: 0349BB33
GetCurrentProcess.KERNEL32(SeCreatePagefilePrivilege), ref: 0349BB46
GetCurrentProcess.KERNEL32(SeCreatePermanentPrivilege), ref: 0349BB59
GetCurrentProcess.KERNEL32(SeBackupPrivilege), ref: 0349BB6C
GetCurrentProcess.KERNEL32(SeRestorePrivilege), ref: 0349BB7F
GetCurrentProcess.KERNEL32(SeShutdownPrivilege), ref: 0349BB92
GetCurrentProcess.KERNEL32(SeDebugPrivilege), ref: 0349BBA5
GetCurrentProcess.KERNEL32(SeAuditPrivilege), ref: 0349BBB8
GetCurrentProcess.KERNEL32(SeSystemEnvironmentPrivilege), ref: 0349BBCB
GetCurrentProcess.KERNEL32(SeChangeNotifyPrivilege), ref: 0349BBDE
GetCurrentProcess.KERNEL32(SeRemoteShutdownPrivilege), ref: 0349BBF1
GetCurrentProcess.KERNEL32(SeUndockPrivilege), ref: 0349BC04
GetCurrentProcess.KERNEL32(SeSyncAgentPrivilege), ref: 0349BC17
GetCurrentProcess.KERNEL32(SeEnableDelegationPrivilege), ref: 0349BC2A
GetCurrentProcess.KERNEL32(SeManageVolumePrivilege), ref: 0349BC3D
GetCurrentProcess.KERNEL32(SeImpersonatePrivilege), ref: 0349BC50
GetCurrentProcess.KERNEL32(SeCreateGlobalPrivilege), ref: 0349BC63
GetCurrentProcess.KERNEL32(SeTrustedCredManAccessPrivilege), ref: 0349BC76
GetCurrentProcess.KERNEL32(SeRelabelPrivilege), ref: 0349BC89
GetCurrentProcess.KERNEL32(SeIncreaseWorkingSetPrivilege), ref: 0349BC9C
GetCurrentProcess.KERNEL32(SeTimeZonePrivilege), ref: 0349BCAF
GetCurrentProcess.KERNEL32(SeCreateSymbolicLinkPrivilege), ref: 0349BCC2

Part of subcall function 0349B81E: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0349B849
Part of subcall function 0349B81E: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0349B85D
Part of subcall function 0349B81E: SetFileAttributesW.KERNEL32(?,00000007), ref: 0349B87A
Part of subcall function 0349B81E: CreateThread.KERNEL32(00000000,00000000,Function_0001B302,00000000,00000000,00000000), ref: 0349B895
Part of subcall function 0349B81E: SetConsoleCtrlHandler.KERNEL32(0349B4FA,00000001), ref: 0349B8A8
Part of subcall function 0349B81E: CreateThread.KERNEL32(00000000,00000000,Function_0001B5D2,00000000,00000000,00000000), ref: 0349B8BD

SetConsoleCtrlHandler.KERNEL32(0349B4FA,00000001), ref: 0349BCDC
CreateThread.KERNEL32(00000000,00000000,Function_0001B5D2,00000000,00000000,00000000), ref: 0349BCF1

Part of subcall function 034A0A54: __fassign.LIBCMT ref: 034A0A4A

Sleep.KERNEL32(00000000), ref: 0349BD0C
CloseHandle.KERNEL32(00000000), ref: 0349BD51
SetUnhandledExceptionFilter.KERNEL32(0348A35F), ref: 0349BD77
CloseHandle.KERNEL32(00000000), ref: 0349BD95

Part of subcall function 0349FB22: _malloc.LIBCMT ref: 0349FB3C

Sleep.KERNEL32(00004E20), ref: 0349BF77
Sleep.KERNEL32(00000BB8), ref: 0349BFAC
Sleep.KERNEL32(00000FA0,034CF400,00000000), ref: 0349BFFE
RegOpenKeyExW.ADVAPI32(80000001,Console,00000000,00020019,?), ref: 0349C041
RegQueryValueExW.ADVAPI32(?,IpDatespecial,00000000,00000003,00000000,00000000), ref: 0349C068

Strings

SeTcbPrivilege, xrefs: 0349BAA9
SeDebugPrivilege, xrefs: 0349BA27
SeTrustedCredManAccessPrivilege, xrefs: 0349BC71
156.255.0.191, xrefs: 0349BE9B
SeDebugPrivilege, xrefs: 0349BBA0
SeCreatePagefilePrivilege, xrefs: 0349BB41
SeProfileSingleProcessPrivilege, xrefs: 0349BB1B
SeIncreaseQuotaPrivilege, xrefs: 0349BA70
SeSecurityPrivilege, xrefs: 0349BABC
by3, xrefs: 0349BEEF
SeMachineAccountPrivilege, xrefs: 0349BA96
1386, xrefs: 0349BEAC
SeRelabelPrivilege, xrefs: 0349BC84
156.255.0.191, xrefs: 0349BE51
1386, xrefs: 0349BE62
SeSystemtimePrivilege, xrefs: 0349BB08
SeCreatePermanentPrivilege, xrefs: 0349BB54
SeIncreaseWorkingSetPrivilege, xrefs: 0349BC97
Console, xrefs: 0349C037
SeChangeNotifyPrivilege, xrefs: 0349BBD9
SeIncreaseBasePriorityPrivilege, xrefs: 0349BB2E
SeImpersonatePrivilege, xrefs: 0349BC4B
SeSystemEnvironmentPrivilege, xrefs: 0349BBC6
SeShutdownPrivilege, xrefs: 0349BB8D
SeSystemProfilePrivilege, xrefs: 0349BAF5
SeCreateSymbolicLinkPrivilege, xrefs: 0349BCBD
SeRestorePrivilege, xrefs: 0349BB7A
qh-2, xrefs: 0349BE90
SeLockMemoryPrivilege, xrefs: 0349BA5D
SeEnableDelegationPrivilege, xrefs: 0349BC25
qh-1, xrefs: 0349BE46
SeCreateGlobalPrivilege, xrefs: 0349BC5E
SeAuditPrivilege, xrefs: 0349BBB3
SeTimeZonePrivilege, xrefs: 0349BCAA
SeLoadDriverPrivilege, xrefs: 0349BAE2
SeAssignPrimaryTokenPrivilege, xrefs: 0349BA4A
IpDatespecial, xrefs: 0349C05D
SeBackupPrivilege, xrefs: 0349BB67
SeUnsolicitedInputPrivilege, xrefs: 0349BA83
156.255.0.191, xrefs: 0349BEFA
SeUndockPrivilege, xrefs: 0349BBFF
SeManageVolumePrivilege, xrefs: 0349BC38
SeCreateTokenPrivilege, xrefs: 0349BA37
SeRemoteShutdownPrivilege, xrefs: 0349BBEC
SeSyncAgentPrivilege, xrefs: 0349BC12
SeTakeOwnershipPrivilege, xrefs: 0349BACF

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: Process$Current$Sleep$CreateFileOpenThreadTokenValue$CloseConsoleCtrlHandleHandlerLookupModuleNamePrivilege$AdjustAttributesErrorExceptionFilterLastPrivilegesQueryUnhandled__fassign_malloc_wprintf
String ID: 1386$1386$156.255.0.191$156.255.0.191$156.255.0.191$Console$IpDatespecial$SeAssignPrimaryTokenPrivilege$SeAuditPrivilege$SeBackupPrivilege$SeChangeNotifyPrivilege$SeCreateGlobalPrivilege$SeCreatePagefilePrivilege$SeCreatePermanentPrivilege$SeCreateSymbolicLinkPrivilege$SeCreateTokenPrivilege$SeDebugPrivilege$SeDebugPrivilege$SeEnableDelegationPrivilege$SeImpersonatePrivilege$SeIncreaseBasePriorityPrivilege$SeIncreaseQuotaPrivilege$SeIncreaseWorkingSetPrivilege$SeLoadDriverPrivilege$SeLockMemoryPrivilege$SeMachineAccountPrivilege$SeManageVolumePrivilege$SeProfileSingleProcessPrivilege$SeRelabelPrivilege$SeRemoteShutdownPrivilege$SeRestorePrivilege$SeSecurityPrivilege$SeShutdownPrivilege$SeSyncAgentPrivilege$SeSystemEnvironmentPrivilege$SeSystemProfilePrivilege$SeSystemtimePrivilege$SeTakeOwnershipPrivilege$SeTcbPrivilege$SeTimeZonePrivilege$SeTrustedCredManAccessPrivilege$SeUndockPrivilege$SeUnsolicitedInputPrivilege$by3$qh-1$qh-2
API String ID: 2426362086-2869883660
Opcode ID: 4f1475bd8c1e79bc182f5050c3badb4efb0722bb4ccf79a60f2326f0bf57f105
Instruction ID: ab401c57c524ed739f5e219a80776236eb84fa8c016b0c60972c9728d54b8b03
Opcode Fuzzy Hash: 4f1475bd8c1e79bc182f5050c3badb4efb0722bb4ccf79a60f2326f0bf57f105
Instruction Fuzzy Hash: 0D128235944300AFFB14FBB4FD4ABAD3BB6EB44611F20014BE115AE194EE795984CB29

Uniqueness

Uniqueness Score: -1.00%

Function 00DBB770 Relevance: 103.8, APIs: 48, Strings: 11, Instructions: 557
libraryloaderstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 00DBB77A

Part of subcall function 00DABAC4: __EH_prolog3.LIBCMT ref: 00DABACB
Part of subcall function 00DABAC4: GetWindowDC.USER32(00000000,00000004), ref: 00DABAF7

GetDeviceCaps.GDI32(?,00000058), ref: 00DBB7A0
DeleteObject.GDI32(00000000), ref: 00DBB801
DeleteObject.GDI32(00000000), ref: 00DBB81E
DeleteObject.GDI32(00000000), ref: 00DBB83B
DeleteObject.GDI32(00000000), ref: 00DBB852
DeleteObject.GDI32(00000000), ref: 00DBB86F
DeleteObject.GDI32(00000000), ref: 00DBB886
DeleteObject.GDI32(00000000), ref: 00DBB89D
DeleteObject.GDI32(00000000), ref: 00DBB8B4
DeleteObject.GDI32(00000000), ref: 00DBB8D1
DeleteObject.GDI32(00000000), ref: 00DBB8E8
_memset.LIBCMT ref: 00DBB8FF
GetTextCharsetInfo.GDI32(?,00000000,00000000), ref: 00DBB90F
lstrcpyW.KERNEL32(?,?), ref: 00DBB95E
EnumFontFamiliesW.GDI32(?,00000000,Function_0001B727), ref: 00DBB985
lstrcpyW.KERNEL32(?), ref: 00DBB995
EnumFontFamiliesW.GDI32(?,00000000,Function_0001B727), ref: 00DBB9B0
lstrcpyW.KERNEL32(?), ref: 00DBB9C8
CreateFontIndirectW.GDI32(?), ref: 00DBB9D4
CreateFontIndirectW.GDI32(?), ref: 00DBBA24
CreateFontIndirectW.GDI32(?), ref: 00DBBA5F
CreateFontIndirectW.GDI32(?), ref: 00DBBA87
CreateFontIndirectW.GDI32(?), ref: 00DBBAA4
GetSystemMetrics.USER32(00000048), ref: 00DBBABF
lstrcpyW.KERNEL32(?), ref: 00DBBAD3
CreateFontIndirectW.GDI32(?), ref: 00DBBAD9
GetStockObject.GDI32(00000011), ref: 00DBBB07
GetObjectW.GDI32(?,0000005C,?), ref: 00DBBB29
lstrcpyW.KERNEL32(?), ref: 00DBBB62
CreateFontIndirectW.GDI32(?), ref: 00DBBB6C
CreateFontIndirectW.GDI32(?), ref: 00DBBB8B
GetStockObject.GDI32(00000011), ref: 00DBBBA1
GetObjectW.GDI32(?,0000005C,?), ref: 00DBBBB2
CreateFontIndirectW.GDI32(?), ref: 00DBBBBC
CreateFontIndirectW.GDI32(?), ref: 00DBBBDF
__EH_prolog3_GS.LIBCMT ref: 00DBBC6A
GetVersionExW.KERNEL32(?,0000011C,00000000), ref: 00DBBDC0
GetSystemMetrics.USER32(00001000), ref: 00DBBDCB
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 00DBBE50
GetProcAddress.KERNEL32(?,DrawThemeTextEx), ref: 00DBBE63
GetProcAddress.KERNEL32(?,BufferedPaintInit), ref: 00DBBE76
GetProcAddress.KERNEL32(?,BufferedPaintUnInit), ref: 00DBBE89
GetProcAddress.KERNEL32(?,BeginBufferedPaint), ref: 00DBBE9C
GetProcAddress.KERNEL32(?,EndBufferedPaint), ref: 00DBBEAF
GetProcAddress.KERNEL32(00000000,DwmExtendFrameIntoClientArea), ref: 00DBBEF8
GetProcAddress.KERNEL32(?,DwmDefWindowProc), ref: 00DBBF0B
GetProcAddress.KERNEL32(?,DwmIsCompositionEnabled), ref: 00DBBF1E

Strings

UxTheme.dll, xrefs: 00DBBE2F
DrawThemeTextEx, xrefs: 00DBBE52
DrawThemeParentBackground, xrefs: 00DBBE4A
BeginBufferedPaint, xrefs: 00DBBE8B
EndBufferedPaint, xrefs: 00DBBE9E
DwmIsCompositionEnabled, xrefs: 00DBBF0D
BufferedPaintUnInit, xrefs: 00DBBE78
DwmExtendFrameIntoClientArea, xrefs: 00DBBEF2
dwmapi.dll, xrefs: 00DBBEDD
BufferedPaintInit, xrefs: 00DBBE65
DwmDefWindowProc, xrefs: 00DBBEFA

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Object$Font$CreateDeleteIndirect$AddressProc$lstrcpy$EnumFamiliesH_prolog3_MetricsStockSystem$CapsCharsetDeviceH_prolog3InfoTextVersionWindow_memset
String ID: BeginBufferedPaint$BufferedPaintInit$BufferedPaintUnInit$DrawThemeParentBackground$DrawThemeTextEx$DwmDefWindowProc$DwmExtendFrameIntoClientArea$DwmIsCompositionEnabled$EndBufferedPaint$UxTheme.dll$dwmapi.dll
API String ID: 3153784359-1174303547
Opcode ID: fc6a6350b817e2f43746d202389a7e7c9f70971ee5f6cca7496dec866eddfd87
Instruction ID: aaf0f3508428c03abef9f7e04e405c4db43b5c56bf7c6b6f48b413a1b51aa447
Opcode Fuzzy Hash: fc6a6350b817e2f43746d202389a7e7c9f70971ee5f6cca7496dec866eddfd87
Instruction Fuzzy Hash: B13234B0801718DFCB219FB5C944BDAFBF8AF59310F04486EE59AA7251DBB1A941CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0349A244 Relevance: 101.9, APIs: 22, Strings: 36, Instructions: 356
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0349A258
OpenProcessToken.ADVAPI32(00000000,000F01FF,00000012), ref: 0349A26D
GetTokenInformation.KERNELBASE(00000012,00000014(TokenIntegrityLevel),?,00000004,00000000), ref: 0349A28B
GetTokenInformation.ADVAPI32(00000012,00000012(TokenIntegrityLevel),?,00000004,00000000), ref: 0349A2AA
GetTokenInformation.ADVAPI32(00000012,00000013(TokenIntegrityLevel),?,00000004,00000000), ref: 0349A2C9
ImpersonateLoggedOnUser.ADVAPI32(?), ref: 0349A2D6
CloseHandle.KERNEL32(?), ref: 0349A2E3
CloseHandle.KERNEL32(00000012), ref: 0349A2EC

Strings

SeDebugPrivilege, xrefs: 0349A36D
SeShutdownPrivilege, xrefs: 0349A50B
SeIncreaseWorkingSetPrivilege, xrefs: 0349A607
SeImpersonatePrivilege, xrefs: 0349A5BF
SeIncreaseQuotaPrivilege, xrefs: 0349A3FD
SeEnableDelegationPrivilege, xrefs: 0349A59B
SeSystemProfilePrivilege, xrefs: 0349A47B
SeBackupPrivilege, xrefs: 0349A4E7
SeSystemtimePrivilege, xrefs: 0349A48D
SeRemoteShutdownPrivilege, xrefs: 0349A565
SeTakeOwnershipPrivilege, xrefs: 0349A457
SeRelabelPrivilege, xrefs: 0349A5F5
SeAssignPrimaryTokenPrivilege, xrefs: 0349A3D9
SeSystemEnvironmentPrivilege, xrefs: 0349A541
SeCreateGlobalPrivilege, xrefs: 0349A5D1
SeSecurityPrivilege, xrefs: 0349A445
SeChangeNotifyPrivilege, xrefs: 0349A553
SeCreatePagefilePrivilege, xrefs: 0349A4C3
, xrefs: 0349A663
SeLoadDriverPrivilege, xrefs: 0349A469
SeLockMemoryPrivilege, xrefs: 0349A3EB
SeCreatePermanentPrivilege, xrefs: 0349A4D5
SeTimeZonePrivilege, xrefs: 0349A619
SeUndockPrivilege, xrefs: 0349A577
SeUnsolicitedInputPrivilege, xrefs: 0349A40F
SeIncreaseBasePriorityPrivilege, xrefs: 0349A4B1
SeAuditPrivilege, xrefs: 0349A52F
SeSyncAgentPrivilege, xrefs: 0349A589
SeMachineAccountPrivilege, xrefs: 0349A421
SeTcbPrivilege, xrefs: 0349A433
SeManageVolumePrivilege, xrefs: 0349A5AD
SeCreateSymbolicLinkPrivilege, xrefs: 0349A62B
SeRestorePrivilege, xrefs: 0349A4F9
SeProfileSingleProcessPrivilege, xrefs: 0349A49F
SeTrustedCredManAccessPrivilege, xrefs: 0349A5E3
SeDebugPrivilege, xrefs: 0349A51D

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: Token$Information$CloseHandleProcess$CurrentImpersonateLoggedOpenUser
String ID: $SeAssignPrimaryTokenPrivilege$SeAuditPrivilege$SeBackupPrivilege$SeChangeNotifyPrivilege$SeCreateGlobalPrivilege$SeCreatePagefilePrivilege$SeCreatePermanentPrivilege$SeCreateSymbolicLinkPrivilege$SeDebugPrivilege$SeDebugPrivilege$SeEnableDelegationPrivilege$SeImpersonatePrivilege$SeIncreaseBasePriorityPrivilege$SeIncreaseQuotaPrivilege$SeIncreaseWorkingSetPrivilege$SeLoadDriverPrivilege$SeLockMemoryPrivilege$SeMachineAccountPrivilege$SeManageVolumePrivilege$SeProfileSingleProcessPrivilege$SeRelabelPrivilege$SeRemoteShutdownPrivilege$SeRestorePrivilege$SeSecurityPrivilege$SeShutdownPrivilege$SeSyncAgentPrivilege$SeSystemEnvironmentPrivilege$SeSystemProfilePrivilege$SeSystemtimePrivilege$SeTakeOwnershipPrivilege$SeTcbPrivilege$SeTimeZonePrivilege$SeTrustedCredManAccessPrivilege$SeUndockPrivilege$SeUnsolicitedInputPrivilege
API String ID: 377174142-2190090725
Opcode ID: d8ee79981957fdabb6e9663bcfd24befa1e52a6164a4958eae1a463583871ee8
Instruction ID: 0b10c306f2c7b16b35667b63c70783c49389a0a62c278298781ea3ff195a4fd4
Opcode Fuzzy Hash: d8ee79981957fdabb6e9663bcfd24befa1e52a6164a4958eae1a463583871ee8
Instruction Fuzzy Hash: 3DD1FF76E40208BFEF11EBA1EC46FDDBF75AB08700F140027F5107D1A2E7B215A59A69

Uniqueness

Uniqueness Score: -1.00%

Function 0349B671 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 0349B68A
GetLastError.KERNEL32(?,?,?,0349BA34,?,SeDebugPrivilege,00000001), ref: 0349B694
_wprintf.LIBCMT ref: 0349B6A0
AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000010,00000000,00000000), ref: 0349B6E0
GetLastError.KERNEL32 ref: 0349B6EA
_wprintf.LIBCMT ref: 0349B6F6

Strings

The token does not have the specified privilege. , xrefs: 0349B70E
AdjustTokenPrivileges error: %u, xrefs: 0349B6F1
LookupPrivilegeValue error: %u, xrefs: 0349B69B

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: ErrorLast_wprintf$AdjustLookupPrivilegePrivilegesTokenValue
String ID: AdjustTokenPrivileges error: %u$LookupPrivilegeValue error: %u$The token does not have the specified privilege.
API String ID: 4053587186-2758897887
Opcode ID: 9afce97097e33a2185e85ca8f7abeda529770b0d63552c4e040d9b5af7219f2e
Instruction ID: 4ff50ab101c67e93f26eb75d764c76e02346f2dede4ec617e6ad39225409b30e
Opcode Fuzzy Hash: 9afce97097e33a2185e85ca8f7abeda529770b0d63552c4e040d9b5af7219f2e
Instruction Fuzzy Hash: 23116331A04209AFEF04EFB4EC05BBE7BF8EB08711F10045BE516EE281E77595458B69

Uniqueness

Uniqueness Score: -1.00%

Function 00DA10BE Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 72
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__floor_pentium4.LIBCMT ref: 00DA10FA
LoadLibraryW.KERNEL32(KERNEL32.dll,?,?,?), ref: 00DA112D
GetProcAddress.KERNEL32(00000000), ref: 00DA1134
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,?,?), ref: 00DA1144
_memmove.LIBCMT ref: 00DA1157
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00DA116E

Strings

lloc, xrefs: 00DA1122
KERNEL32.dll, xrefs: 00DA110C
ualA, xrefs: 00DA111B
Virt, xrefs: 00DA1114

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Virtual$AddressAllocFreeLibraryLoadProc__floor_pentium4_memmove
String ID: KERNEL32.dll$Virt$lloc$ualA
API String ID: 3182696094-1143375017
Opcode ID: 30a8f8e3541f5dec2ce6baba8155cafd73b54bf747284944338665c55f61a6e1
Instruction ID: 3d1ab44fa80cd1627c60e4aaac1e8686a3071647ca7feea21203b6dfa9b0c311
Opcode Fuzzy Hash: 30a8f8e3541f5dec2ce6baba8155cafd73b54bf747284944338665c55f61a6e1
Instruction Fuzzy Hash: 7D2192B1A00308AFC7109FA9DD46B6FBBF8FF49700F108429F655E7281DAB0E5048B69

Uniqueness

Uniqueness Score: -1.00%

Function 03495A55 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 82COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,?,034BF0BC,00CF0000,80000000,00000000,80000000,00000000,00000000,00000000,034BF10C,00000000), ref: 03495AAC
GetLastError.KERNEL32 ref: 03495AB5
OutputDebugStringW.KERNEL32(00000000,?,?), ref: 03495B3A
OutputDebugStringW.KERNEL32(--create msg ok), ref: 03495B6B

Strings

--create msg faild: , xrefs: 03495B00
--create msg ok, xrefs: 03495B66

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: DebugOutputString$CreateErrorLastWindow
String ID: --create msg faild: $--create msg ok
API String ID: 1764726848-1093642433
Opcode ID: d09e7470da23dd27ac7e365ba4307597a7f8e5869690f0679733a6e82edf7155
Instruction ID: e18988d7a06e785915ece2e1a44d4ebcad03041e53f9ba0c2dcdddd5b38ae305
Opcode Fuzzy Hash: d09e7470da23dd27ac7e365ba4307597a7f8e5869690f0679733a6e82edf7155
Instruction Fuzzy Hash: E6312B31950258EFEF24EB64DC45B9DBBB4EB04710F20859BE51ABE1C0EB745A44CB28

Uniqueness

Uniqueness Score: -1.00%

Function 0349A036 Relevance: 7.5, APIs: 5, Instructions: 43processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0349A05B
Process32FirstW.KERNEL32(00000000,0000022C), ref: 0349A06E
__wcsicoll.LIBCMT ref: 0349A082
Process32NextW.KERNEL32(00000000,0000022C), ref: 0349A0A2
FindCloseChangeNotification.KERNEL32(00000000), ref: 0349A0AF

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32__wcsicoll
String ID:
API String ID: 3552435680-0
Opcode ID: 0c36a5bd205c575e575d218637809fd96315092535f7e8ef71c6d2af9ce1b1e8
Instruction ID: e6f98fb14b1f36b0ab5d73306c0ec8331dbcead7bd06e7e21850880de8bc5660
Opcode Fuzzy Hash: 0c36a5bd205c575e575d218637809fd96315092535f7e8ef71c6d2af9ce1b1e8
Instruction Fuzzy Hash: 0D01AD74900209EFEF10EFA5D849B9EBBF9EF04305F11409AE505AA250E7359A858F54

Uniqueness

Uniqueness Score: -1.00%

Function 0349B72C Relevance: 6.1, APIs: 4, Instructions: 85COMMON

Download Yara Rule

APIs

OpenProcessToken.ADVAPI32(0349BA48,00000020,00000000), ref: 0349B768
LookupPrivilegeValueW.ADVAPI32(00000000,?,00000000), ref: 0349B78E

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: LookupOpenPrivilegeProcessTokenValue
String ID:
API String ID: 2227196851-0
Opcode ID: 1524388dbf81f5a7ac27e9b7774b2d7ad07b7ee5a053a2c967c08897ec1dbcc4
Instruction ID: 25a7b93e3c02b84f39d0c6f2c17079d7837613d48854ab1bbf19d982d97f0dac
Opcode Fuzzy Hash: 1524388dbf81f5a7ac27e9b7774b2d7ad07b7ee5a053a2c967c08897ec1dbcc4
Instruction Fuzzy Hash: BF314F31A05208AFEF00DFA4D846BFFBBF8EF09301F144496D900FA281D7B49A499B65

Uniqueness

Uniqueness Score: -1.00%

Function 00DA2B1A Relevance: 3.1, APIs: 2, Instructions: 80networkCOMMON

Download Yara Rule

APIs

select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00DA2B81
recv.WS2_32(?,?,00040000,00000000), ref: 00DA2B9C

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: recvselect
String ID:
API String ID: 741273618-0
Opcode ID: 46124ebf2c64058d767bee791c7edc9a8c108668c212cd714d55977f0f2ce527
Instruction ID: cd18e1375057391d3e8187c4535c1cb6c9572c9be91a3df3963ac08687e767de
Opcode Fuzzy Hash: 46124ebf2c64058d767bee791c7edc9a8c108668c212cd714d55977f0f2ce527
Instruction Fuzzy Hash: EB219C32500518DFDF359FA99C84AAE7BB4EF0A724F144126E514AA0A0CA309945CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0349A701 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(0349B36C,00000000,0349AA8A,00000010,00000000,00000000,?,0349AA8A,0349B36C,?), ref: 0349A712

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: e49af65905dde4ef3ccac38e791e3741a0f0e3a042fc83fa8f7e4c0457ac8666
Instruction ID: 6b6785f545c5e17acd9ae7a2da77b1ffb16419925e21da265b7f4cd3b4527ae7
Opcode Fuzzy Hash: e49af65905dde4ef3ccac38e791e3741a0f0e3a042fc83fa8f7e4c0457ac8666
Instruction Fuzzy Hash: BFC04C3128030CB7EA212E41DC06F843B699708B51F104010B7082C0D196F375605648

Uniqueness

Uniqueness Score: -1.00%

Function 00DA28D9 Relevance: 66.7, APIs: 37, Strings: 1, Instructions: 224
sleepnetworkstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResetEvent.KERNEL32(?), ref: 00DA28F7
InterlockedExchange.KERNEL32(?,00000000), ref: 00DA2904
timeGetTime.WINMM ref: 00DA290A
socket.WS2_32(00000002,00000001,00000006), ref: 00DA2936
lstrlenW.KERNEL32(000000CA,00000000,00000000,00000000,00000000), ref: 00DA2952
WideCharToMultiByte.KERNEL32(00000000,00000000,000000CA,00000000), ref: 00DA295E
lstrlenW.KERNEL32(000000CA,00000000,?,00000000,00000000), ref: 00DA297B
WideCharToMultiByte.KERNEL32(00000000,00000000,000000CA,00000000), ref: 00DA2987
gethostbyname.WS2_32(?), ref: 00DA2998
Sleep.KERNEL32(00000001), ref: 00DA29BD
Sleep.KERNEL32(00000001), ref: 00DA29C0
Sleep.KERNEL32(00000001), ref: 00DA29C3
Sleep.KERNEL32(00000001), ref: 00DA29C6
Sleep.KERNEL32(00000001), ref: 00DA29C9
Sleep.KERNEL32(00000001), ref: 00DA29CC
Sleep.KERNEL32(00000001), ref: 00DA29CF
Sleep.KERNEL32(00000001), ref: 00DA29D2
Sleep.KERNEL32(00000001), ref: 00DA29D5
Sleep.KERNEL32(00000001), ref: 00DA29D8
Sleep.KERNEL32(00000001), ref: 00DA29DB
Sleep.KERNEL32(00000001), ref: 00DA29DE
Sleep.KERNEL32(00000001), ref: 00DA29E1
Sleep.KERNEL32(00000001), ref: 00DA29E4
Sleep.KERNEL32(00000001), ref: 00DA29E7
Sleep.KERNEL32(00000001), ref: 00DA29EA
Sleep.KERNEL32(00000001), ref: 00DA29ED
Sleep.KERNEL32(00000001), ref: 00DA29F0
Sleep.KERNEL32(00000001), ref: 00DA29F3
Sleep.KERNEL32(00000001), ref: 00DA29F6
htons.WS2_32(?), ref: 00DA29FB
connect.WS2_32(?,?,00000010), ref: 00DA2A1B

Strings

0u, xrefs: 00DA2A7B

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Sleep$ByteCharMultiWidelstrlen$EventExchangeInterlockedResetTimeconnectgethostbynamehtonssockettime
String ID: 0u
API String ID: 2683528456-3203441087
Opcode ID: dce923a19f552364adabdf4936f234c44f2f5ce0a3a8fc61f68f6cf714feb836
Instruction ID: 5c9a2cc543d1b663fdc0c9ca1ab317b687a1b819034861b71735ea32aac641c6
Opcode Fuzzy Hash: dce923a19f552364adabdf4936f234c44f2f5ce0a3a8fc61f68f6cf714feb836
Instruction Fuzzy Hash: ED713871900218BFDB11AFA6DC89DFF7FB8EF0A760F040066F904A6160C7759906DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DBB217 Relevance: 64.8, APIs: 43, Instructions: 304
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 00DBB21E
GetSysColor.USER32(00000016), ref: 00DBB22D
GetSysColor.USER32(0000000F), ref: 00DBB23A
GetSysColor.USER32(00000015), ref: 00DBB24D
GetSysColor.USER32(0000000F), ref: 00DBB255
GetDeviceCaps.GDI32(?,0000000C), ref: 00DBB27B
GetSysColor.USER32(0000000F), ref: 00DBB289
GetSysColor.USER32(00000010), ref: 00DBB293
GetSysColor.USER32(00000015), ref: 00DBB29D
GetSysColor.USER32(00000016), ref: 00DBB2A7
GetSysColor.USER32(00000014), ref: 00DBB2B1
GetSysColor.USER32(00000012), ref: 00DBB2BB
GetSysColor.USER32(00000011), ref: 00DBB2C5
GetSysColor.USER32(00000006), ref: 00DBB2CC
GetSysColor.USER32(0000000D), ref: 00DBB2D3
GetSysColor.USER32(0000000E), ref: 00DBB2DA
GetSysColor.USER32(00000005), ref: 00DBB2E1
GetSysColor.USER32(00000008), ref: 00DBB2EB
GetSysColor.USER32(00000009), ref: 00DBB2F2
GetSysColor.USER32(00000007), ref: 00DBB2F9
GetSysColor.USER32(00000002), ref: 00DBB300
GetSysColor.USER32(00000003), ref: 00DBB307
GetSysColor.USER32(0000001B), ref: 00DBB30E
GetSysColor.USER32(0000001C), ref: 00DBB318
GetSysColor.USER32(0000000A), ref: 00DBB322
GetSysColor.USER32(0000000B), ref: 00DBB32C
GetSysColor.USER32(00000013), ref: 00DBB336
GetSysColor.USER32(0000001A), ref: 00DBB350
GetSysColorBrush.USER32(00000010), ref: 00DBB36B
GetSysColorBrush.USER32(00000014), ref: 00DBB382
GetSysColorBrush.USER32(00000005), ref: 00DBB394
CreateSolidBrush.GDI32(?), ref: 00DBB3B8
CreateSolidBrush.GDI32(?), ref: 00DBB3D4
CreateSolidBrush.GDI32(?), ref: 00DBB3F0
CreateSolidBrush.GDI32(?), ref: 00DBB40C
CreateSolidBrush.GDI32(?), ref: 00DBB428
CreateSolidBrush.GDI32(?), ref: 00DBB444
CreateSolidBrush.GDI32(?), ref: 00DBB460
CreatePen.GDI32(00000000,00000001,00000000), ref: 00DBB489
CreatePen.GDI32(00000000,00000001,00000000), ref: 00DBB4AC
CreatePen.GDI32(00000000,00000001,00000000), ref: 00DBB4CF
CreateSolidBrush.GDI32(?), ref: 00DBB553
CreatePatternBrush.GDI32(00000000), ref: 00DBB594

Part of subcall function 00DABCC9: DeleteObject.GDI32(00000000), ref: 00DABCD8

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Color$BrushCreate$Solid$CapsDeleteDeviceH_prolog3ObjectPattern
String ID:
API String ID: 3754413814-0
Opcode ID: ed92ca8ac26065538389bbd5db8779d74b6df71854e79ae401560bbd34520ef9
Instruction ID: d54d0bdf5440e35905d312a478b09665b04c4983e316f4a6f002985423a639b8
Opcode Fuzzy Hash: ed92ca8ac26065538389bbd5db8779d74b6df71854e79ae401560bbd34520ef9
Instruction Fuzzy Hash: 6EB18F70900B489ED730AF71CC95FABBAE0EF81710F04492EE197965A2EF75A545DF20

Uniqueness

Uniqueness Score: -1.00%

Function 00DA5AA6 Relevance: 45.7, APIs: 21, Strings: 5, Instructions: 240
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_catch.LIBCMT ref: 00DA5AB0
RegOpenKeyExW.KERNEL32(80000001,Console\0,00000000,00020019,?,?,?,?,00000A58), ref: 00DA5AEE
RegQueryValueExW.ADVAPI32(?,d33f351a4aeea5e608853d1a56661059,00000000,?,00000000,?,?,?,?,00000A58), ref: 00DA5B15
_memset.LIBCMT ref: 00DA5B31
RegQueryValueExW.ADVAPI32(00000A44,d33f351a4aeea5e608853d1a56661059,00000000,?,eD,00000A44), ref: 00DA5B4A
VirtualAlloc.KERNEL32(00000000,00003000,00000040), ref: 00DA5B6D
_memmove.LIBCMT ref: 00DA5B89
RegCloseKey.ADVAPI32(?,?,?,?,00000A58), ref: 00DA5B94
VirtualFree.KERNEL32(032E0000,00000000,00008000,?,?,?,00000A58), ref: 00DA5BE5
_memset.LIBCMT ref: 00DA5C8A
_memset.LIBCMT ref: 00DA5CB1
_memset.LIBCMT ref: 00DA5CC3
__CxxThrowException@8.LIBCMT ref: 00DA5CF4
_memmove.LIBCMT ref: 00DA5D0A
VirtualAlloc.KERNEL32(00000000,00003000,00000040,?,?,?,00000A58), ref: 00DA5D53
_memmove.LIBCMT ref: 00DA5D6C
_memmove.LIBCMT ref: 00DA5DAD
RegCreateKeyW.ADVAPI32(80000001,Console\0,?), ref: 00DA5DC3
RegDeleteValueW.KERNEL32(?,d33f351a4aeea5e608853d1a56661059), ref: 00DA5DD6
RegSetValueExW.KERNEL32(?,d33f351a4aeea5e608853d1a56661059,00000000,00000003,?,0004FF7B), ref: 00DA5DE8
RegCloseKey.KERNEL32(?), ref: 00DA5DF1

Strings

eD, xrefs: 00DA5B3D
D, xrefs: 00DA5B17
583df43850616174219ebcaf7625cd0c, xrefs: 00DA5B9C
Console\0, xrefs: 00DA5ADA, 00DA5DB9
d33f351a4aeea5e608853d1a56661059, xrefs: 00DA5B0C, 00DA5B11, 00DA5B46, 00DA5DCD, 00DA5DD2, 00DA5DE4

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Value_memmove_memset$Virtual$AllocCloseQuery$CreateDeleteException@8FreeH_prolog3_catchOpenThrow
String ID: 583df43850616174219ebcaf7625cd0c$Console\0$D$d33f351a4aeea5e608853d1a56661059$eD
API String ID: 1924354457-2298818729
Opcode ID: dff295f506d74e23f4a9389298b8ab816f9843e13d67bb4e9341bf2521f8e7a4
Instruction ID: 1935b7145520050c6fe7f6c7efa166f6da912969e6f4c03bb23c6a23a1dc1f9c
Opcode Fuzzy Hash: dff295f506d74e23f4a9389298b8ab816f9843e13d67bb4e9341bf2521f8e7a4
Instruction Fuzzy Hash: 8E91B075A00718AFEF109F60DC45BEA7B79FF0A710F488461F908EB1A1D7759A40CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00DA461F Relevance: 28.1, APIs: 4, Strings: 12, Instructions: 97
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,Console,00000000,00020019,?), ref: 00DA4649
RegQueryValueExW.KERNEL32(?,IpDate,00000000,00000003,00000000,?), ref: 00DA4665
_memset.LIBCMT ref: 00DA4682
RegQueryValueExW.ADVAPI32(?,IpDate,00000000,00000003,|p1:156.255.0.191|o1:1386|t1:1|p2:156.255.0.191|o2:1386|t2:1|p3:156.255.0.191|o3:83|t3:1|dd:1|cl:1|fz:,0000000A), ref: 00DA469C

Strings

p2:, xrefs: 00DA46DD
|p1:156.255.0.191|o1:1386|t1:1|p2:156.255.0.191|o2:1386|t2:1|p3:156.255.0.191|o3:83|t3:1|dd:1|cl:1|fz:, xrefs: 00DA467C, 00DA4681, 00DA468E
o3:, xrefs: 00DA4728
p3:, xrefs: 00DA4716
o2:, xrefs: 00DA46EF
t2:, xrefs: 00DA4701
p1:, xrefs: 00DA46A7
t1:, xrefs: 00DA46CB
Console, xrefs: 00DA4635
IpDate, xrefs: 00DA465D, 00DA4694
o1:, xrefs: 00DA46B9
t3:, xrefs: 00DA473A

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: QueryValue$Open_memset
String ID: Console$IpDate$o1:$o2:$o3:$p1:$p2:$p3:$t1:$t2:$t3:$|p1:156.255.0.191|o1:1386|t1:1|p2:156.255.0.191|o2:1386|t2:1|p3:156.255.0.191|o3:83|t3:1|dd:1|cl:1|fz:
API String ID: 3682538864-4204340802
Opcode ID: 2f38853017c777e98d67df62c7ab11ce46fc45c4bc328db260df74debe9be5ba
Instruction ID: c14074a20305c32d1e2bd6b2274728a5c986e3352c3f15be5ecc9a8d2e9bcd20
Opcode Fuzzy Hash: 2f38853017c777e98d67df62c7ab11ce46fc45c4bc328db260df74debe9be5ba
Instruction Fuzzy Hash: E32121FA94030CBFD720AA959C46DFB77FCDBD6B05F011129BA15F2085E6B16A08C671

Uniqueness

Uniqueness Score: -1.00%

Function 00DA1194 Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 84
libraryloadermemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__floor_pentium4.LIBCMT ref: 00DA11D2
LoadLibraryW.KERNEL32(KERNEL32.dll,?), ref: 00DA1213
GetProcAddress.KERNEL32(00000000), ref: 00DA121C
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00DA122A
_memmove.LIBCMT ref: 00DA1240
LoadLibraryW.KERNEL32(KERNEL32.dll,?), ref: 00DA1266
GetProcAddress.KERNEL32(00000000), ref: 00DA1269
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00DA1275

Strings

ualF, xrefs: 00DA1258
Virt, xrefs: 00DA1251
ualA, xrefs: 00DA1201
KERNEL32.dll, xrefs: 00DA11F5, 00DA124C
Virt, xrefs: 00DA11FA
ree, xrefs: 00DA125F
lloc, xrefs: 00DA1208

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: AddressLibraryLoadProcVirtual$AllocFree__floor_pentium4_memmove
String ID: KERNEL32.dll$Virt$Virt$lloc$ree$ualA$ualF
API String ID: 616662133-3391502289
Opcode ID: 1278cdbd4755b2f3fda0287859245b02749ced784f690243b0292bf2a14be051
Instruction ID: 5b0a61f89ab3853a34dd21218df71519a042db50f5ef5a54d13137d50bf3eedf
Opcode Fuzzy Hash: 1278cdbd4755b2f3fda0287859245b02749ced784f690243b0292bf2a14be051
Instruction Fuzzy Hash: 19314DB0A00208AFDB00DFA9DD41BAEBBF4FF49704F108429E555F7291DB71A944CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00DA4A86 Relevance: 24.5, APIs: 13, Strings: 1, Instructions: 46
threadsynchronizationsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32(00000000,00000001,MyUniqueMutexName), ref: 00DA4A91
GetLastError.KERNEL32 ref: 00DA4A9C
CloseHandle.KERNEL32 ref: 00DA4AAF
GetConsoleWindow.KERNEL32(00000000), ref: 00DA4AB8
ShowWindow.USER32(00000000), ref: 00DA4ABF
GetCurrentThreadId.KERNEL32 ref: 00DA4AC8
PostThreadMessageA.USER32(00000000), ref: 00DA4ACF
GetInputState.USER32 ref: 00DA4AD5
CreateThread.KERNEL32(00000000,00000000,Function_00004978,00000000,00000000,00000000), ref: 00DA4AEA
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00DA4AF5
CloseHandle.KERNEL32(00000000), ref: 00DA4B02
Sleep.KERNEL32(0000012C), ref: 00DA4B09
CloseHandle.KERNEL32 ref: 00DA4B15

Strings

MyUniqueMutexName, xrefs: 00DA4A87

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: CloseHandleThread$CreateWindow$ConsoleCurrentErrorInputLastMessageMutexObjectPostShowSingleSleepStateWait
String ID: MyUniqueMutexName
API String ID: 3796885283-1843696251
Opcode ID: e86b609ff57e1aba76c618a763e093764f08642a6423cf76ad287cb7d6837162
Instruction ID: 09a6487f7664c61df801d2509dbc12b5218675a51809c9a0c9c7fa115f2efd58
Opcode Fuzzy Hash: e86b609ff57e1aba76c618a763e093764f08642a6423cf76ad287cb7d6837162
Instruction Fuzzy Hash: F901EC72451168AFC6142B72AC0CDDF3E69FF46365B094531F516F20A1CBA6480BDBF6

Uniqueness

Uniqueness Score: -1.00%

Function 0349A7F1 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 148
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000002,034BE6C8,00000000,00020019,?,C463F85C), ref: 0349A83D
RegQueryValueExW.KERNEL32(?,034BE73C,00000000,?,00000000,00000000), ref: 0349A861
RegQueryValueExW.ADVAPI32(?,034BE73C,00000000,00000000,?,00000000), ref: 0349A8B3
_memset.LIBCMT ref: 0349A914
RmStartSession.RSTRTMGR(?,00000000,?,?,?,?), ref: 0349A929
RmRegisterResources.RSTRTMGR(?,00000001,?,00000000,00000000,00000000,00000000,?,?,?), ref: 0349A94E
RmGetList.RSTRTMGR(?,?,00000001,?,?,?,?,?), ref: 0349A974
RmShutdown.RSTRTMGR(?,00000001,00000000,?,?,?), ref: 0349A981
RmRestart.RSTRTMGR(?,00000000,00000000,?,?,?), ref: 0349A98E
RmEndSession.RSTRTMGR(?,?,?,?), ref: 0349A997
RegCloseKey.KERNEL32(?), ref: 0349A9CF

Strings

360Safetray, xrefs: 0349A823
SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run, xrefs: 0349A81C

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: QuerySessionValue$CloseListOpenRegisterResourcesRestartShutdownStart_memset
String ID: 360Safetray$SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
API String ID: 3039299356-2034975872
Opcode ID: a89c458274bcded5cd3e8e3191ad4c7b369adadb5436547c4a5474b086dde7be
Instruction ID: 291b52bdd08060d2c6cf81cf501a8af5386bd254a810be8f3857aebd36c956ba
Opcode Fuzzy Hash: a89c458274bcded5cd3e8e3191ad4c7b369adadb5436547c4a5474b086dde7be
Instruction Fuzzy Hash: BF51D471900218AFEF11EFA4DD46BEDBBB8FB04700F10416AF605BA190EB746A49CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0349B81E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 110
threadprocessfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0349B849
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0349B85D
SetFileAttributesW.KERNEL32(?,00000007), ref: 0349B87A
CreateThread.KERNEL32(00000000,00000000,Function_0001B302,00000000,00000000,00000000), ref: 0349B895
SetConsoleCtrlHandler.KERNEL32(0349B4FA,00000001), ref: 0349B8A8
CreateThread.KERNEL32(00000000,00000000,Function_0001B5D2,00000000,00000000,00000000), ref: 0349B8BD
CopyFileW.KERNEL32(?,034BE960,00000000), ref: 0349B977
_memset.LIBCMT ref: 0349B992
CreateProcessW.KERNEL32(034BE960,00000000,00000000,00000000,00000000,00000000,00000000,C:\ProgramData,00000044,?), ref: 0349B9BF
ExitProcess.KERNEL32 ref: 0349B9CB

Strings

D, xrefs: 0349B97D
C:\ProgramData\StartMenuExperienceHos.exe, xrefs: 0349B831
C:\ProgramData, xrefs: 0349B9A8

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: File$Create$ModuleNameProcessThread$AttributesConsoleCopyCtrlExitHandler_memset
String ID: C:\ProgramData$C:\ProgramData\StartMenuExperienceHos.exe$D
API String ID: 1228958228-2896166822
Opcode ID: 7e5674fc9f5519185e8b10d86848d88388769014c292f1532058043c4bd2654f
Instruction ID: 7dc8b5517d72915f261cc92b844e583c95773eedc79e4ce69d488ff10a40b7ff
Opcode Fuzzy Hash: 7e5674fc9f5519185e8b10d86848d88388769014c292f1532058043c4bd2654f
Instruction Fuzzy Hash: 3741FFB4950218AFEF60DF54DC4AB9DB7B8EB04704F5044D6E60DBA280EBB05AC9CF18

Uniqueness

Uniqueness Score: -1.00%

Function 00DA474C Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wcsrev.LIBCMT ref: 00DA4768
_memset.LIBCMT ref: 00DA477B

Part of subcall function 00DA4508: _memset.LIBCMT ref: 00DA453D
Part of subcall function 00DA4508: Sleep.KERNEL32(00000001), ref: 00DA459C

Part of subcall function 00DA4508: _memmove.LIBCMT ref: 00DA45FC

Strings

p2:, xrefs: 00DA47B6
|p1:156.255.0.191|o1:1386|t1:1|p2:156.255.0.191|o2:1386|t2:1|p3:156.255.0.191|o3:83|t3:1|dd:1|cl:1|fz:, xrefs: 00DA475C
o3:, xrefs: 00DA47F9
p3:, xrefs: 00DA47E9
o2:, xrefs: 00DA47C6
t2:, xrefs: 00DA47D9
p1:, xrefs: 00DA4786
t1:, xrefs: 00DA47A6
o1:, xrefs: 00DA4796
t3:, xrefs: 00DA4809

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: _memset$Sleep__wcsrev_memmove
String ID: o1:$o2:$o3:$p1:$p2:$p3:$t1:$t2:$t3:$|p1:156.255.0.191|o1:1386|t1:1|p2:156.255.0.191|o2:1386|t2:1|p3:156.255.0.191|o3:83|t3:1|dd:1|cl:1|fz:
API String ID: 3399873408-411582695
Opcode ID: a02b7955bc726d2b730c707bf885a8b332a8ff100ec5c11d7a802089d1c77c3d
Instruction ID: fdfcfecdb254dccfa8d3cb964d8ce8be745fc53f38ff25b8b284b6c8f4aeac13
Opcode Fuzzy Hash: a02b7955bc726d2b730c707bf885a8b332a8ff100ec5c11d7a802089d1c77c3d
Instruction Fuzzy Hash: F10169C9BC434C3FA10872A86C83CBB552CCAE3F9A7872060B248759CBC9D56D846177

Uniqueness

Uniqueness Score: -1.00%

Function 00DA58DD Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 123
registrysleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memmove.LIBCMT ref: 00DA5966
RegOpenKeyExW.KERNEL32(80000002,SOFTWARE,00000000,00000102,?), ref: 00DA5983
RegDeleteValueW.KERNEL32(?,IpDates_info), ref: 00DA5992
RegSetValueExW.KERNEL32(?,IpDates_info,00000000,00000003,00F1D400,000012A0), ref: 00DA59A3
RegCloseKey.KERNEL32(?), ref: 00DA59AC
OpenProcess.KERNEL32(00000400,00000000,i2024), ref: 00DA59E5
GetExitCodeProcess.KERNEL32(00000000,?), ref: 00DA59F4
Sleep.KERNEL32(00000BB8), ref: 00DA5A0C

Strings

IpDates_info, xrefs: 00DA5989, 00DA598E, 00DA599F
FaCai2024, xrefs: 00DA5935
SOFTWARE, xrefs: 00DA5979

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: OpenProcessValue$CloseCodeDeleteExitSleep_memmove
String ID: FaCai2024$IpDates_info$SOFTWARE
API String ID: 2965120854-764131473
Opcode ID: 078ffa0c5e7552571a1222e344b928dc6dff610ac0ad3c2ccc1826eebaf5a506
Instruction ID: 64e69054e1243cd2a1a2609d6dbb3835d67cbde953071a0aad46f3f8eb175770
Opcode Fuzzy Hash: 078ffa0c5e7552571a1222e344b928dc6dff610ac0ad3c2ccc1826eebaf5a506
Instruction Fuzzy Hash: 8F41C131A00649EFDB109FA5EC85EBFBBB9FB46320B084124E551BB190C770A90A8B71

Uniqueness

Uniqueness Score: -1.00%

Function 03495BAC Relevance: 17.5, APIs: 6, Strings: 4, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 034959F2: LoadCursorW.USER32(00000000,00007F00), ref: 03495A29
Part of subcall function 034959F2: RegisterClassExW.USER32(00000030), ref: 03495A4B

Part of subcall function 03495A55: CreateWindowExW.USER32(00000000,?,034BF0BC,00CF0000,80000000,00000000,80000000,00000000,00000000,00000000,034BF10C,00000000), ref: 03495AAC
Part of subcall function 03495A55: GetLastError.KERNEL32 ref: 03495AB5
Part of subcall function 03495A55: OutputDebugStringW.KERNEL32(00000000,?,?), ref: 03495B3A

OutputDebugStringW.KERNEL32(doLoopMsg -- faild,?,034BF10C,?,034BF10C), ref: 03495BF8
OutputDebugStringW.KERNEL32(doLoopMsg -- ok,?,034BF10C,?,034BF10C), ref: 03495C05
GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 03495C15
TranslateMessage.USER32(00000000), ref: 03495C23
DispatchMessageW.USER32(00000000), ref: 03495C2D
OutputDebugStringW.KERNEL32(doLoopMsg -- end), ref: 03495C3A

Strings

doLoopMsg -- faild, xrefs: 03495BF3
evtmsgmonitor, xrefs: 03495BBE
doLoopMsg -- ok, xrefs: 03495C00
doLoopMsg -- end, xrefs: 03495C35

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: DebugOutputString$Message$ClassCreateCursorDispatchErrorLastLoadRegisterTranslateWindow
String ID: doLoopMsg -- end$doLoopMsg -- faild$doLoopMsg -- ok$evtmsgmonitor
API String ID: 1760072369-3193813502
Opcode ID: e03d353c8662c50689321dd4dda6090940189231f005ad0b77bdaeddd10d1803
Instruction ID: cee7fa192f646b6ab135d5d4253446650b8d8e8956b0a7dc17c07cb208cfa988
Opcode Fuzzy Hash: e03d353c8662c50689321dd4dda6090940189231f005ad0b77bdaeddd10d1803
Instruction Fuzzy Hash: 6E11FA71940208AFDF11EFA5DD09BDDBBF9BB09700F204456F905BA284E774A9088B29

Uniqueness

Uniqueness Score: -1.00%

Function 00DB673E Relevance: 16.6, APIs: 11, Instructions: 106memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00F18878,?,?,00000000,00F1885C,00F1885C,?,00DB6AA1,00000004,00DAEC17,00DA646D,00DA7D07,00000414,00DA44F4), ref: 00DB6751
GlobalAlloc.KERNEL32(00000002,00000000,?,?,00000000,00F1885C,00F1885C,?,00DB6AA1,00000004,00DAEC17,00DA646D,00DA7D07,00000414,00DA44F4), ref: 00DB67A7
GlobalHandle.KERNEL32(011829F8), ref: 00DB67B0
GlobalUnlock.KERNEL32(00000000,?,?,00000000,00F1885C,00F1885C,?,00DB6AA1,00000004,00DAEC17,00DA646D,00DA7D07,00000414,00DA44F4), ref: 00DB67BA
GlobalReAlloc.KERNEL32(?,00000000,00002002), ref: 00DB67D3
GlobalHandle.KERNEL32(011829F8), ref: 00DB67E5
GlobalLock.KERNEL32(00000000,?,?,00000000,00F1885C,00F1885C,?,00DB6AA1,00000004,00DAEC17,00DA646D,00DA7D07,00000414,00DA44F4), ref: 00DB67EC
LeaveCriticalSection.KERNEL32(00000001,?,?,00000000,00F1885C,00F1885C,?,00DB6AA1,00000004,00DAEC17,00DA646D,00DA7D07,00000414,00DA44F4), ref: 00DB67F5
GlobalLock.KERNEL32(00000000,?,?,00000000,00F1885C,00F1885C,?,00DB6AA1,00000004,00DAEC17,00DA646D,00DA7D07,00000414,00DA44F4), ref: 00DB6801
_memset.LIBCMT ref: 00DB681B
LeaveCriticalSection.KERNEL32(00000001), ref: 00DB6849

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
String ID:
API String ID: 496899490-0
Opcode ID: aa5f1de0e8dc3af9964fd10c618ccd0b8a0c41ad63455d70da8d58aa28eefb3b
Instruction ID: ec85b4b12fc06c3ac6251d538a243acea017fa5c1a089f650ca4f15c13d7ce20
Opcode Fuzzy Hash: aa5f1de0e8dc3af9964fd10c618ccd0b8a0c41ad63455d70da8d58aa28eefb3b
Instruction Fuzzy Hash: DE31A171600704AFD7209F65CC89E5ABBF9FF44308B09493DE952E3650DB75E8458B60

Uniqueness

Uniqueness Score: -1.00%

Function 00DA5075 Relevance: 15.2, APIs: 10, Instructions: 209memorytimeCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00DA507C
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,00000004,00DA49EC,00000000), ref: 00DA509C
HeapCreate.KERNEL32(00000004,00000000,00000000,00000000), ref: 00DA5129
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?), ref: 00DA51A8
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00DA51C7
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00DA51E6

Part of subcall function 00DA6451: __CxxThrowException@8.LIBCMT ref: 00DA6467
Part of subcall function 00DA6451: __EH_prolog3.LIBCMT ref: 00DA6474

InterlockedExchange.KERNEL32(?,00000000), ref: 00DA531B
timeGetTime.WINMM ref: 00DA5321
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00DA5335
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00DA533E

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Create$Event$H_prolog3$Exception@8ExchangeHeapInterlockedThrowTimetime
String ID:
API String ID: 2521172286-0
Opcode ID: efb1b8e486701fb38bb4480eace42998d8ded93ed4bdade730ad45a7636cf56d
Instruction ID: dc67dd6a3ab252aa976d2d07fd68d08dc77314a56bac7cd74540f7e2013f36b6
Opcode Fuzzy Hash: efb1b8e486701fb38bb4480eace42998d8ded93ed4bdade730ad45a7636cf56d
Instruction Fuzzy Hash: 3D91E6B0A01B46AFD718DF6AC8C469AFBE8FF09304F50462ED16D93640D774A564CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00EA513B Relevance: 12.1, APIs: 8, Instructions: 63threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 00EA5160
__calloc_crt.LIBCMT ref: 00EA516C
__getptd.LIBCMT ref: 00EA5179
__initptd.LIBCMT ref: 00EA5182
CreateThread.KERNEL32(?,?,00EA50D6,00000000,?,?), ref: 00EA51B0
GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00EA51BA
_free.LIBCMT ref: 00EA51C3
__dosmaperr.LIBCMT ref: 00EA51CE

Part of subcall function 00EA521D: __getptd_noexit.LIBCMT ref: 00EA521D

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit__initptd_free
String ID:
API String ID: 73303432-0
Opcode ID: d80f249242026802f58c6417e53a3e7e448ba3f90ba8dd102192cf93a548b5a5
Instruction ID: 4c5017069b45edcc238df20abe6af9e0af5fa9b7de0cf3124b0f754e44d2cb02
Opcode Fuzzy Hash: d80f249242026802f58c6417e53a3e7e448ba3f90ba8dd102192cf93a548b5a5
Instruction Fuzzy Hash: 4311C233605F05AFDB206FA59C41AAB37E8EF5F378B101029F915BE551DBB1B8018AA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DB6DD9 Relevance: 12.0, APIs: 8, Instructions: 39COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(0000000B), ref: 00DB6DE8
GetSystemMetrics.USER32(0000000C), ref: 00DB6DEF
GetSystemMetrics.USER32(00000002), ref: 00DB6DF6
GetSystemMetrics.USER32(00000003), ref: 00DB6E00
GetDC.USER32(00000000), ref: 00DB6E0A
GetDeviceCaps.GDI32(00000000,00000058), ref: 00DB6E1B
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00DB6E23
ReleaseDC.USER32(00000000,00000000), ref: 00DB6E2B

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$CallbackDispatcherReleaseUser
String ID:
API String ID: 1031845853-0
Opcode ID: bcf4618990bb6b0879b969733a772d58d0934b6256c4e1d2a7ac3f756c3ded64
Instruction ID: bb9d2e7b9012b2531954c0121bb0c49a6d1cbfbc4bcb9c8171ed97a6d27924c5
Opcode Fuzzy Hash: bcf4618990bb6b0879b969733a772d58d0934b6256c4e1d2a7ac3f756c3ded64
Instruction Fuzzy Hash: 27F0F9B1E40718ABE7105B729C4DF267EA8FB85761F048526E6059B280DBB698168FD0

Uniqueness

Uniqueness Score: -1.00%

Function 00E33B63 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E33B6A

Part of subcall function 00DD9F51: EnterCriticalSection.KERNEL32(00F197D0,?,?,00000000,?,00DB6667,00000010,00000008,00DAEC36,00DAEBCD,00DA646D,00DA7D07,00000414,00DA44F4), ref: 00DD9F8B
Part of subcall function 00DD9F51: InitializeCriticalSection.KERNEL32(?,?,?,00000000,?,00DB6667,00000010,00000008,00DAEC36,00DAEBCD,00DA646D,00DA7D07,00000414,00DA44F4), ref: 00DD9F9D
Part of subcall function 00DD9F51: LeaveCriticalSection.KERNEL32(00F197D0,?,?,00000000,?,00DB6667,00000010,00000008,00DAEC36,00DAEBCD,00DA646D,00DA7D07,00000414,00DA44F4), ref: 00DD9FAA
Part of subcall function 00DD9F51: EnterCriticalSection.KERNEL32(?,?,?,00000000,?,00DB6667,00000010,00000008,00DAEC36,00DAEBCD,00DA646D,00DA7D07,00000414,00DA44F4), ref: 00DD9FBA

GetProfileIntW.KERNEL32(windows,DragMinDist,00000002), ref: 00E33BC2
GetProfileIntW.KERNEL32(windows,DragDelay,000000C8), ref: 00E33BD4

Strings

DragMinDist, xrefs: 00E33BB7
windows, xrefs: 00E33BBC, 00E33BC1, 00E33BCE
DragDelay, xrefs: 00E33BC9

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: CriticalSection$EnterProfile$H_prolog3InitializeLeave
String ID: DragDelay$DragMinDist$windows
API String ID: 3965097884-2101198082
Opcode ID: c11263b745a7f46aa5485e5e8c00bd485e3d2f2f33237fa85151047ba8f9ef82
Instruction ID: 388769bf8ab15dd025e53227d60f1b1b9e505d6a0b5f007ce60409fb990373f2
Opcode Fuzzy Hash: c11263b745a7f46aa5485e5e8c00bd485e3d2f2f33237fa85151047ba8f9ef82
Instruction Fuzzy Hash: 020171B09017049FC721AF269882A0AFAE8FFD4700F55691FE145AB7A1D7F0A641CF56

Uniqueness

Uniqueness Score: -1.00%

Function 0349AA98 Relevance: 9.2, APIs: 6, Instructions: 214comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0349AAC8
CoCreateInstance.OLE32(034BA7C4,00000000,00000001,034BA5B4,00000000), ref: 0349AAE0
CoUninitialize.OLE32 ref: 0349AAEA

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID:
API String ID: 948891078-0
Opcode ID: f5890d0dd967e9c770b5e6ab685fee3263e81d18d50bd72a799d24475b179236
Instruction ID: 19b81cb189f4112178fd9fd84b44c0304604350b32eb857d3388a65d21b1914d
Opcode Fuzzy Hash: f5890d0dd967e9c770b5e6ab685fee3263e81d18d50bd72a799d24475b179236
Instruction Fuzzy Hash: 01914670900619CFEF21DF68C944BEEBBB1AF05300F14419AE819BB2A0D7756E89CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0349AD79 Relevance: 7.9, APIs: 5, Instructions: 413comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0349ADA8
CoCreateInstance.OLE32(034BA7C4,00000000,00000001,034BA5B4,00000000), ref: 0349ADC4

Part of subcall function 03499FD0: VariantInit.OLEAUT32(?), ref: 03499FDA

Part of subcall function 0349A024: VariantClear.OLEAUT32(0349AC03), ref: 0349A02E

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0349B0DD
PathRemoveExtensionW.SHLWAPI(?), ref: 0349B0FF

Part of subcall function 03499FE5: SysAllocString.OLEAUT32(0349B187), ref: 03499FF8

CoUninitialize.OLE32 ref: 0349B2E3

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: Variant$AllocClearCreateExtensionFileInitInitializeInstanceModuleNamePathRemoveStringUninitialize
String ID:
API String ID: 4284996131-0
Opcode ID: 72e5984325c2088a4c5eb056e3bfed2917aad44c5f6528dbaa3c815a29f08da1
Instruction ID: e363eea726d679c56ee738924e1b7d851554dbe92d538cc0a0a2e5f3a5140e26
Opcode Fuzzy Hash: 72e5984325c2088a4c5eb056e3bfed2917aad44c5f6528dbaa3c815a29f08da1
Instruction Fuzzy Hash: 9112DF74900619DFDB11DFA8C988BEEBBB5EF09305F10409AE909BB260D7716E88CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00DA4978 Relevance: 7.6, APIs: 5, Instructions: 84sleepCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00DA4997
Sleep.KERNEL32(00000000,00000008), ref: 00DA49AE

Part of subcall function 00DA6304: _malloc.LIBCMT ref: 00DA6322

_memset.LIBCMT ref: 00DA4A07
_memset.LIBCMT ref: 00DA4A1E
Sleep.KERNEL32(00000000), ref: 00DA4A7E

Part of subcall function 00DA27D7: WSAStartup.WS2_32(00000202,?), ref: 00DA2836
Part of subcall function 00DA27D7: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00DA2841
Part of subcall function 00DA27D7: InterlockedExchange.KERNEL32(00000018,00000000), ref: 00DA284F

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Sleep_memset$CreateEventExchangeH_prolog3InterlockedStartup_malloc
String ID:
API String ID: 2351260541-0
Opcode ID: ea2d62adcb3652940eac59644ce3b57f40586766c4ee019cba32425f3a418cf2
Instruction ID: 421ed41d2e3a518f8df70177f4903f07de965fb93fb5af959c6880463b20be21
Opcode Fuzzy Hash: ea2d62adcb3652940eac59644ce3b57f40586766c4ee019cba32425f3a418cf2
Instruction Fuzzy Hash: 62217572900248ABCB11EFB48C499DF36ECFF89300F140626B515EB141DBB49B0487B1

Uniqueness

Uniqueness Score: -1.00%

Function 0349B302 Relevance: 7.5, APIs: 5, Instructions: 42sleepthreadCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0349B323
PathFindFileNameW.SHLWAPI(?), ref: 0349B330
PathRemoveExtensionW.SHLWAPI(?), ref: 0349B33C
SetThreadExecutionState.KERNEL32(80000003), ref: 0349B34C

Part of subcall function 0349AA98: CoInitialize.OLE32(00000000), ref: 0349AAC8
Part of subcall function 0349AA98: CoCreateInstance.OLE32(034BA7C4,00000000,00000001,034BA5B4,00000000), ref: 0349AAE0
Part of subcall function 0349AA98: CoUninitialize.OLE32 ref: 0349AAEA

Sleep.KERNEL32(00007530), ref: 0349B37A

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: FileNamePath$CreateExecutionExtensionFindInitializeInstanceModuleRemoveSleepStateThreadUninitialize
String ID:
API String ID: 1648604079-0
Opcode ID: 40824597db9176a18c2b764dbed5f6a5606398cd57730be440819450a0481f3a
Instruction ID: a0a00d4d7730485aff79769812ef620e57e0edf4a8af18a1b050adc18888a168
Opcode Fuzzy Hash: 40824597db9176a18c2b764dbed5f6a5606398cd57730be440819450a0481f3a
Instruction Fuzzy Hash: 94016270950209EFEF14FBB5EC499AE7FF8EF08305F50006BA545ED190EA749A849B64

Uniqueness

Uniqueness Score: -1.00%

Function 00DA4508 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 104sleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DA453D
Sleep.KERNEL32(00000001), ref: 00DA459C
_memmove.LIBCMT ref: 00DA45FC

Strings

|p1:156.255.0.191|o1:1386|t1:1|p2:156.255.0.191|o2:1386|t2:1|p3:156.255.0.191|o3:83|t3:1|dd:1|cl:1|fz:, xrefs: 00DA4545, 00DA454F

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Sleep_memmove_memset
String ID: |p1:156.255.0.191|o1:1386|t1:1|p2:156.255.0.191|o2:1386|t2:1|p3:156.255.0.191|o3:83|t3:1|dd:1|cl:1|fz:
API String ID: 2704151744-639424737
Opcode ID: 4cea95d2d748a9453c6595b230b4ecb30d65bd299bc6e5a5de1b55716df432ff
Instruction ID: f3ab395c6b747af05267e5e2d7b0dad802a2b11c92a953ceb8bdb945b8e64dc6
Opcode Fuzzy Hash: 4cea95d2d748a9453c6595b230b4ecb30d65bd299bc6e5a5de1b55716df432ff
Instruction Fuzzy Hash: A5318176D00128EFCF21DF58D9814EEB7B4FB8A714B698065E415D7241D3F09D818BB0

Uniqueness

Uniqueness Score: -1.00%

Function 00DA48D2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58synchronizationCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00DA48D9
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00DA4922
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00DA4964

Strings

(E, xrefs: 00DA490B

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: CreateEventH_prolog3ObjectSingleWait
String ID: (E
API String ID: 3065744638-4016754956
Opcode ID: 7e8f6f09eff4454989ed3a8ca6618db151d98102b71c9b89bc2c78f28e8531f2
Instruction ID: 08ca29a8388d7c2149931449a995caf9540ed03cb4ca9b0c7a25c88f02839e92
Opcode Fuzzy Hash: 7e8f6f09eff4454989ed3a8ca6618db151d98102b71c9b89bc2c78f28e8531f2
Instruction Fuzzy Hash: 47117C74A002099FCF04DFA8C8899AEBBB5FF4C314B109519F551BB290CBB15A45CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00DA2CFB Relevance: 3.1, APIs: 2, Instructions: 58networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,00040000,00000000), ref: 00DA2D30
send.WS2_32(?,?,?,00000000), ref: 00DA2D65

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: c5fcded112c083e5a666a43a3a201ef882990bae981f1ce1296ede31523f189f
Instruction ID: 22bbe9a14fc53903a8ab0fc3afc25a606f9b0a64f84b38d01e9dd297c9fcca53
Opcode Fuzzy Hash: c5fcded112c083e5a666a43a3a201ef882990bae981f1ce1296ede31523f189f
Instruction Fuzzy Hash: 3B112B32D00619FBCF119F9EC884BDDBBB4FB05754F248065E818A6152D3749E869BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00DA2C0F Relevance: 3.0, APIs: 2, Instructions: 38sleeptimeCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000000A), ref: 00DA2C28
timeGetTime.WINMM ref: 00DA2C44

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: SleepTimetime
String ID:
API String ID: 346578373-0
Opcode ID: f7f22f4787c24e90cb29b1345a935da952815154722f370c2fd357041c668b04
Instruction ID: 4f0e0f2829160df8fc3510c224d02a9b0f3068f703da4c2be3c3a77de1d49570
Opcode Fuzzy Hash: f7f22f4787c24e90cb29b1345a935da952815154722f370c2fd357041c668b04
Instruction Fuzzy Hash: 09F0A4316002049FD7259F6ED88CB6E77F4FB56720F140529E042D71E0CB74AA86C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0349597D Relevance: 3.0, APIs: 2, Instructions: 37windowCOMMON

Download Yara Rule

APIs

PostQuitMessage.USER32(00000000), ref: 034959D6
DefWindowProcW.USER32(?,?,?,?), ref: 034959E8

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: MessagePostProcQuitWindow
String ID:
API String ID: 3873111417-0
Opcode ID: e6451535c09e90273061c1d5adef022622dac20798d9b3bd101410fb66ddb262
Instruction ID: 5fa3b1d916c08a6c109cc2f68592d87f1b9826316e3e89ca4014c76711073f5a
Opcode Fuzzy Hash: e6451535c09e90273061c1d5adef022622dac20798d9b3bd101410fb66ddb262
Instruction Fuzzy Hash: 37011A30204104DFFF16EF48D408A5A7BBABB06721F2480A7F802AF260CB35A944DF05

Uniqueness

Uniqueness Score: -1.00%

Function 0349C206 Relevance: 3.0, APIs: 2, Instructions: 25synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,0349B9E1,00000000,00000000,00000000), ref: 0349C230
WaitForSingleObject.KERNEL32(000000FF,?,?,034A1EC3,?,?,?,?,?,?,034C38B8,0000000C,034A1F6B,?), ref: 0349C243

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: CreateObjectSingleThreadWait
String ID:
API String ID: 1891408510-0
Opcode ID: d7a68cb0877394d5b0ba1ff501ac0cd3cd8678bd330c3fa15b3dea3a49e5d7bb
Instruction ID: 4b2e3322fefb6229a1c1184f4b15353d9b7fdb857ef4f663fc05f44b7b537657
Opcode Fuzzy Hash: d7a68cb0877394d5b0ba1ff501ac0cd3cd8678bd330c3fa15b3dea3a49e5d7bb
Instruction Fuzzy Hash: 6BE06D30A98304FBEB50EB549C4AF197AE8F705755F200217B911BD2D4D6B45C048A48

Uniqueness

Uniqueness Score: -1.00%

Function 00DA7416 Relevance: 3.0, APIs: 2, Instructions: 24libraryCOMMON

Download Yara Rule

APIs

ActivateActCtx.KERNEL32(?,?,00EFE768,00000010), ref: 00DA7436
LoadLibraryW.KERNEL32(?), ref: 00DA744D

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: ActivateLibraryLoad
String ID:
API String ID: 389599620-0
Opcode ID: 36b4f0a37bafcfa95cca69154649a69866379724254d4bade800f335df5de989
Instruction ID: 054ceed4ec021c3a4d6d2c79bfcd5c6b3c65266e5da9b6702b8a95d676d05f07
Opcode Fuzzy Hash: 36b4f0a37bafcfa95cca69154649a69866379724254d4bade800f335df5de989
Instruction Fuzzy Hash: B0F015B0D00219AFCF11AFA1CD09A9DBAB0FB4AB10F188125E411B62A1C7B49606DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EA5095 Relevance: 3.0, APIs: 2, Instructions: 19COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00EA50A1

Part of subcall function 00EAD75C: __getptd_noexit.LIBCMT ref: 00EAD75F
Part of subcall function 00EAD75C: __amsg_exit.LIBCMT ref: 00EAD76C

Part of subcall function 00EA5076: __getptd_noexit.LIBCMT ref: 00EA507B
Part of subcall function 00EA5076: __freeptd.LIBCMT ref: 00EA5085
Part of subcall function 00EA5076: ExitThread.KERNEL32 ref: 00EA508E

__XcptFilter.LIBCMT ref: 00EA50C2

Part of subcall function 00EADA8E: __getptd_noexit.LIBCMT ref: 00EADA94

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: __getptd_noexit$ExitFilterThreadXcpt__amsg_exit__freeptd__getptd
String ID:
API String ID: 418257734-0
Opcode ID: a57bb194492259b71bfdcd73de80f15895e687a2ea3b9b70a9b5aa0c24e071b5
Instruction ID: 29bba093a414722706ad43022f6c0fd83a622202d2bfa85aac9ec2e2e4553699
Opcode Fuzzy Hash: a57bb194492259b71bfdcd73de80f15895e687a2ea3b9b70a9b5aa0c24e071b5
Instruction Fuzzy Hash: 3CE0ECB5904604EFDB08EBA0C956E2D77B5AF4A311F205189F1027F6A2CB75A944EA21

Uniqueness

Uniqueness Score: -1.00%

Function 00DA2DDD Relevance: 1.6, APIs: 1, Instructions: 74timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00DA1038: _memmove.LIBCMT ref: 00DA1057

timeGetTime.WINMM(?,00000000,?,?,00DA2C04,?,?,00000000), ref: 00DA2E39

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Time_memmovetime
String ID:
API String ID: 1463837790-0
Opcode ID: 09e0037c97158c5d4b0d0ddd11b9524919f2dc0144431ef3e640b966490c614d
Instruction ID: aacfa786ee6d46ab00a6ba271e4216c3faba7613eede4c3a4660c9720d0a0e06
Opcode Fuzzy Hash: 09e0037c97158c5d4b0d0ddd11b9524919f2dc0144431ef3e640b966490c614d
Instruction Fuzzy Hash: B8213E79200108AFCF54EF19CC81AAA7769FF4A700F544466FD04DF216D771EA868BB4

Uniqueness

Uniqueness Score: -1.00%

Function 00DA2C6E Relevance: 1.6, APIs: 1, Instructions: 55threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00DA2EB2: GetCurrentThreadId.KERNEL32 ref: 00DA2EB3
Part of subcall function 00DA2EB2: InterlockedExchange.KERNEL32(?,00000001), ref: 00DA2EC3

Part of subcall function 00DA1038: _memmove.LIBCMT ref: 00DA1057

Part of subcall function 00DA2CFB: send.WS2_32(?,?,00040000,00000000), ref: 00DA2D30
Part of subcall function 00DA2CFB: send.WS2_32(?,?,?,00000000), ref: 00DA2D65

GetCurrentThreadId.KERNEL32 ref: 00DA2CDA

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: CurrentThreadsend$ExchangeInterlocked_memmove
String ID:
API String ID: 3842595502-0
Opcode ID: cf83a3ec159bb61890a6aef0ee9e78d34340c1e00c13f2be7ed078f99f238543
Instruction ID: b6345c94ca03ca727476f5afb4cf0f5edc42b80737be0152378f47e1e2932200
Opcode Fuzzy Hash: cf83a3ec159bb61890a6aef0ee9e78d34340c1e00c13f2be7ed078f99f238543
Instruction Fuzzy Hash: DA11A176110609BFD720EB55CC82FAAB3ACFF11720F108426F651D6491D7B1FA598BB0

Uniqueness

Uniqueness Score: -1.00%

Function 00DA1038 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00DA1057

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: b674be14080885f2d0b722ac2ca17afe3fcc4dfb24c807cd946884e02bb0f590
Instruction ID: 3eed076038e833adf4ff28b5521dffb4d487890ac3fbac9fe20ecbfc49f19e7c
Opcode Fuzzy Hash: b674be14080885f2d0b722ac2ca17afe3fcc4dfb24c807cd946884e02bb0f590
Instruction Fuzzy Hash: A601FC76B00344AFD7109E1ACCC19AA7799FF86361F18843AF95987102D672DD818770

Uniqueness

Uniqueness Score: -1.00%

Function 00DA4D0C Relevance: 1.5, APIs: 1, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

_wmemcpy_s.LIBCPMT ref: 00DA4D4E

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: _wmemcpy_s
String ID:
API String ID: 67063488-0
Opcode ID: e8dcdceb6459b607be9ae2e3c81b305b3b43716992bc74d806e34566880207b5
Instruction ID: f4b9cb2c74e54c038e32386e57c17e4c7678cde58047cfc297a805eaf206553b
Opcode Fuzzy Hash: e8dcdceb6459b607be9ae2e3c81b305b3b43716992bc74d806e34566880207b5
Instruction Fuzzy Hash: C6014FB5600604AFDB00DFA8C885CAAB7B8FF8A354B104569F41187311D7B0ED00CB70

Uniqueness

Uniqueness Score: -1.00%

Function 00DB6A4D Relevance: 1.5, APIs: 1, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00DB6A54

Part of subcall function 00DA6451: __CxxThrowException@8.LIBCMT ref: 00DA6467
Part of subcall function 00DA6451: __EH_prolog3.LIBCMT ref: 00DA6474

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw
String ID:
API String ID: 2489616738-0
Opcode ID: 7b878b094f9f78aaf9ce7e42cccb6d940d79769606940ce5775a0968c1ef96b9
Instruction ID: 601219d1d58046b94ace9d42e4d12148d1ab684fdab54db13ca4fdbf1ee1f007
Opcode Fuzzy Hash: 7b878b094f9f78aaf9ce7e42cccb6d940d79769606940ce5775a0968c1ef96b9
Instruction Fuzzy Hash: AE017174610646CBDF24AF24C8016AE36A2EB84360F18842DE5529B290EF38DD41DB30

Uniqueness

Uniqueness Score: -1.00%

Function 00DA8221 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00DA8240

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: 582c6e15e642d2f884a8cc01ff7d04cd56f85fdd331bb7307460aeecf3188ce9
Instruction ID: 2146850ed03f6edf3da1a945632fa41e5b3a494a82a8cf223c6ed189551ba058
Opcode Fuzzy Hash: 582c6e15e642d2f884a8cc01ff7d04cd56f85fdd331bb7307460aeecf3188ce9
Instruction Fuzzy Hash: B5E092735006159BC7008F49C508B56FBDCDF92370F1AC426EC08DF252CAB5E8048BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00DA6304 Relevance: 1.5, APIs: 1, Instructions: 23COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00DA6322

Part of subcall function 00EA4CBE: __FF_MSGBANNER.LIBCMT ref: 00EA4CD7
Part of subcall function 00EA4CBE: __NMSG_WRITE.LIBCMT ref: 00EA4CDE
Part of subcall function 00EA4CBE: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,00EADBE9,00F1DADC,00000001,00F1DADC,?,00EAFF61,00000018,00F0BB48,0000000C,00EAFFF1), ref: 00EA4D03

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: 35493af93f0b0a28a79b01e544558c2a566cc64343ec9563ee378b7171d3e544
Instruction ID: 9a735354cf8d63e23623aacbf11ef1868b8c61640842cd0651cf439ecca0c7be
Opcode Fuzzy Hash: 35493af93f0b0a28a79b01e544558c2a566cc64343ec9563ee378b7171d3e544
Instruction Fuzzy Hash: 82D02B36200129A75F205AA5DC0065D7B8DCF87BF071D0030F808DB150CE21CC1243E0

Uniqueness

Uniqueness Score: -1.00%

Function 00DBA507 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

Part of subcall function 00DDAEA2: GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 00DDAED5
Part of subcall function 00DDAEA2: _memset.LIBCMT ref: 00DDAEEE

SystemParametersInfoW.USER32(00000029,-000001F8,?,00000000), ref: 00DBA52B

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: AddressInfoParametersProcSystem_memset
String ID:
API String ID: 831922234-0
Opcode ID: e629abe6b6b1e43415a8dc0a48ee6d2aa4f0f1e907981dc17f4e84fca5d014da
Instruction ID: 93c8ba809550c2d8332246ef50955b473f2821be5cf33b36fa7f1e9f806c26b8
Opcode Fuzzy Hash: e629abe6b6b1e43415a8dc0a48ee6d2aa4f0f1e907981dc17f4e84fca5d014da
Instruction Fuzzy Hash: 40D0A7B35D06046FE3001B75EC0AF763609E7A0724F180631B524CA1D0EB76DC408161

Uniqueness

Uniqueness Score: -1.00%

Function 00DABCC9 Relevance: 1.5, APIs: 1, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00DABCD8

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: DeleteObject
String ID:
API String ID: 1531683806-0
Opcode ID: e182752dc696408615a156be8813a9d97ee909b885de7555eecad3e493c5c68c
Instruction ID: e9791353c6875ed3fdd022a6172546a64002693b8d8f3fbbc28ed92f81b2577f
Opcode Fuzzy Hash: e182752dc696408615a156be8813a9d97ee909b885de7555eecad3e493c5c68c
Instruction Fuzzy Hash: 15B092E0902204AEDF40A7328A08F262A949B4233AF0888A5A008A5006EF3AC0578520

Uniqueness

Uniqueness Score: -1.00%

Function 00DA5A7D Relevance: 1.3, APIs: 1, Instructions: 15sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000BB8), ref: 00DA5A99

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 3a1a82b46455e6907c663e020fc9233a76f92b92154acf32ca73ccfb8024f189
Instruction ID: 366c8364802d33c22b78f144dea2f73e387ae0f4dbc3c2a64c3173e002d68706
Opcode Fuzzy Hash: 3a1a82b46455e6907c663e020fc9233a76f92b92154acf32ca73ccfb8024f189
Instruction Fuzzy Hash: 06D0C9B1A41B00EFE2109B319C49C373BECEB16705B5009A8BC45EB656E775AC04CBA0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0348A5F4 Relevance: 79.0, APIs: 31, Strings: 14, Instructions: 250processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0348A61A
_memset.LIBCMT ref: 0348A634
_memset.LIBCMT ref: 0348A689
GetSystemDirectoryA.KERNEL32(00000000,000000FF), ref: 0348A69D

Part of subcall function 0348CC13: _vswprintf_s.LIBCMT ref: 0348CC2B

GetFileAttributesA.KERNEL32(00000000), ref: 0348A6D1
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000214,00000000,00000000,00000044,?), ref: 0348A725

Part of subcall function 0348A520: GetCurrentProcess.KERNEL32(00000028,?,?,?,?,?,?,?,0348A74B,SeDebugPrivilege), ref: 0348A536
Part of subcall function 0348A520: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,0348A74B,SeDebugPrivilege), ref: 0348A53D

OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0348A764

Strings

%s%s, xrefs: 0348A6B6
WaitForSingleObject, xrefs: 0348A7ED
ExitProcess, xrefs: 0348A7B3
SeDebugPrivilege, xrefs: 0348A741
Kernel32.dll, xrefs: 0348A7D5
Kernel32.dll, xrefs: 0348A7B8
Windows\System32\svchost.exe, xrefs: 0348A6E3
OpenProcess, xrefs: 0348A796
Kernel32.dll, xrefs: 0348A7F2
Windows\SysWOW64\svchost.exe, xrefs: 0348A6AA
Kernel32.dll, xrefs: 0348A79B
D, xrefs: 0348A66A
%s%s, xrefs: 0348A6EF
WinExec, xrefs: 0348A7D0

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: Process$_memset$Open$AttributesCreateCurrentDirectoryFileSystemToken_vswprintf_s
String ID: %s%s$%s%s$D$ExitProcess$Kernel32.dll$Kernel32.dll$Kernel32.dll$Kernel32.dll$OpenProcess$SeDebugPrivilege$WaitForSingleObject$WinExec$Windows\SysWOW64\svchost.exe$Windows\System32\svchost.exe
API String ID: 2677188878-1806659523
Opcode ID: 6038561c1c83e49bca60de413910220163f1983e96f4927d5e5784e29aface38
Instruction ID: a77d160993a3945acf3c30d98e0f7ad82e675f7deee91bd7168e22b2f158f5cb
Opcode Fuzzy Hash: 6038561c1c83e49bca60de413910220163f1983e96f4927d5e5784e29aface38
Instruction Fuzzy Hash: 0FA16B75950318BFEB61EB60DC4ABED77B8AB04701F1044D6F608BA181E7B49BC59F18

Uniqueness

Uniqueness Score: -1.00%

Function 0349CB0D Relevance: 63.3, APIs: 26, Strings: 10, Instructions: 299clipboardstringsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0349CB63
Sleep.KERNEL32(00000001), ref: 0349CB7D
GetTickCount.KERNEL32 ref: 0349CB83
GetTickCount.KERNEL32 ref: 0349CB9A
InterlockedExchange.KERNEL32(034D09D8,00000000), ref: 0349CBA6
OpenClipboard.USER32(00000000), ref: 0349CBAE
GetClipboardData.USER32(0000000D), ref: 0349CBB6
GlobalSize.KERNEL32(00000000), ref: 0349CBD5
GlobalLock.KERNEL32(00000000), ref: 0349CBEB
_memmove.LIBCMT ref: 0349CCC2
wsprintfW.USER32 ref: 0349CCDC
_memset.LIBCMT ref: 0349CD00
GlobalUnlock.KERNEL32(00000000), ref: 0349CD0E
CloseClipboard.USER32 ref: 0349CD14
GetKeyState.USER32(00000014), ref: 0349CDD6
wsprintfW.USER32 ref: 0349CE40
lstrlenW.KERNEL32(-034C994B), ref: 0349CE74
wsprintfW.USER32 ref: 0349CE9E
lstrlenW.KERNEL32(-034C9973), ref: 0349CEC1

Strings

[, xrefs: 0349CCD0
%s%s, xrefs: 0349CF83
5, xrefs: 0349CFA7
%s%s, xrefs: 0349CF58
%s%s, xrefs: 0349CFC5
%s%s, xrefs: 0349CE93
%s%s, xrefs: 0349CEE0
%s%s, xrefs: 0349CE35
[esc], xrefs: 0349CE29, 0349CEFF, 0349CF77, 0349CFB9
%s%s, xrefs: 0349CF0B

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: ClipboardGlobalwsprintf$CountTick_memsetlstrlen$CloseDataExchangeInterlockedLockOpenSizeSleepStateUnlock_memmove
String ID: [$%s%s$%s%s$%s%s$%s%s$%s%s$%s%s$%s%s$5$[esc]
API String ID: 1392134611-3236336974
Opcode ID: 82c3afe73c0f6103e126a26f844a7323bbfc1b31c5ca7c0868ef1eff31b22b07
Instruction ID: 317c8783a04efe1d3ce247e5920745b75f684f5106f3503799bcc94e8705addd
Opcode Fuzzy Hash: 82c3afe73c0f6103e126a26f844a7323bbfc1b31c5ca7c0868ef1eff31b22b07
Instruction Fuzzy Hash: 97D12635900298EFEF24DB24CC89BD9BBB4EB18341F0441D7E489AA294D7B08ED5CF18

Uniqueness

Uniqueness Score: -1.00%

Function 00E222CB Relevance: 53.0, APIs: 28, Strings: 2, Instructions: 452windowkeyboardCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00E22300
GetWindowRect.USER32(?,?), ref: 00E22323
PtInRect.USER32(?,?,?), ref: 00E22331

Part of subcall function 00E50E67: RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 00E50EDE

GetAsyncKeyState.USER32(00000012), ref: 00E22356
ScreenToClient.USER32(?,?), ref: 00E223A4
IsWindow.USER32(?), ref: 00E223EB
IsWindow.USER32(?), ref: 00E2242E
GetWindowRect.USER32(?,?), ref: 00E2244E
PtInRect.USER32(?,?,?), ref: 00E2245E
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00E22493
PtInRect.USER32(-00000054,?,?), ref: 00E224DE
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00E22503
ScreenToClient.USER32(?,?), ref: 00E2255B
PtInRect.USER32(?,?,?), ref: 00E2256B
GetParent.USER32(?), ref: 00E225F5
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00E22688
GetFocus.USER32 ref: 00E2268E
WindowFromPoint.USER32(?,?,00000000), ref: 00E226C6
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00E22710
GetSystemMenu.USER32(?,00000000,?,?,75C0A000,?), ref: 00E22799
IsMenu.USER32(?), ref: 00E227BB
EnableMenuItem.USER32(?,0000F030,00000000), ref: 00E227D8
EnableMenuItem.USER32(?,0000F120,00000000), ref: 00E227E3
IsZoomed.USER32(?), ref: 00E227F1
IsIconic.USER32(?), ref: 00E22810
EnableMenuItem.USER32(?,0000F120,00000003), ref: 00E22824
TrackPopupMenu.USER32(?,00000100,?,?,00000000,?,00000000), ref: 00E2284C
SendMessageW.USER32(?,00000112,00000000,00000000), ref: 00E22866

Strings

p, xrefs: 00E22478, 00E22602
(, xrefs: 00E2253A

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Window$MenuRect$MessageSend$EnableItem$ClientScreen$AsyncFocusFromIconicParentPointPopupRedrawStateSystemTrackVisibleZoomed
String ID: ($p
API String ID: 3398603409-2925934162
Opcode ID: 7ffb3d555dce97756be64d293bf398e6d706bcb1f78c25b857476711ac30dd07
Instruction ID: 4c0c789df1fc7060f24284463b4df8b0a5e2baef3018f5af8fb4941464a361fb
Opcode Fuzzy Hash: 7ffb3d555dce97756be64d293bf398e6d706bcb1f78c25b857476711ac30dd07
Instruction Fuzzy Hash: CDF14972A00229AFDB249FA4EC88EAD77F5FB08308B185429F605F7261DB31DD41DB61

Uniqueness

Uniqueness Score: -1.00%

Function 03488189 Relevance: 49.4, APIs: 17, Strings: 11, Instructions: 405stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0349FB22: _malloc.LIBCMT ref: 0349FB3C

_memset.LIBCMT ref: 034881DD
_memset.LIBCMT ref: 034881F9

Part of subcall function 03487F5B: InternetOpenW.WININET(MyApp,00000001,00000000,00000000,00000000), ref: 03487F9A

Part of subcall function 0348CBA4: _strcpy_s.LIBCMT ref: 0348CBAF

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,?,?,?,C463F85C), ref: 03488231
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,0349C09F,?,?,?,?,?,C463F85C), ref: 0348824D

Part of subcall function 034890BD: GetLastInputInfo.USER32(00000008), ref: 034890CE
Part of subcall function 034890BD: GetTickCount.KERNEL32 ref: 034890D4
Part of subcall function 034890BD: wsprintfW.USER32 ref: 034890FB

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,?,?,?,C463F85C), ref: 03488273
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,0349BE07,?,?,?,?,?,C463F85C), ref: 03488295

Part of subcall function 0348A21A: LoadLibraryW.KERNEL32(ntdll.dll), ref: 0348A229
Part of subcall function 0348A21A: GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 0348A244
Part of subcall function 0348A21A: swprintf.LIBCMT ref: 0348A284
Part of subcall function 0348A21A: RegOpenKeyExW.ADVAPI32(80000002,034C0B10,00000000,00020119,?), ref: 0348A2DE
Part of subcall function 0348A21A: RegQueryValueExW.ADVAPI32(?,ProductName,00000000,00000001,?,000000CA), ref: 0348A31A
Part of subcall function 0348A21A: RegCloseKey.ADVAPI32(?), ref: 0348A33F
Part of subcall function 0348A21A: FreeLibrary.KERNEL32(00000000), ref: 0348A357

GetSystemInfo.KERNEL32(?,?,?,?,?,C463F85C), ref: 034882C8
wsprintfW.USER32 ref: 034882E2

Part of subcall function 03489982: GetDriveTypeW.KERNEL32(?), ref: 034899EC
Part of subcall function 03489982: GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 03489A1A
Part of subcall function 03489982: __aulldiv.LIBCMT ref: 03489A33
Part of subcall function 03489982: __aulldiv.LIBCMT ref: 03489A41
Part of subcall function 03489982: __aulldiv.LIBCMT ref: 03489A4F
Part of subcall function 03489982: __aulldiv.LIBCMT ref: 03489A73
Part of subcall function 03489982: __aulldiv.LIBCMT ref: 03489A81
Part of subcall function 03489982: __aulldiv.LIBCMT ref: 03489A8F
Part of subcall function 03489982: _memset.LIBCMT ref: 03489AB6
Part of subcall function 03489982: _memset.LIBCMT ref: 03489AC6
Part of subcall function 03489982: GlobalMemoryStatusEx.KERNEL32(00000040), ref: 03489AD9

Part of subcall function 03489E6B: CreateDXGIFactory.DXGI(034C21A8,000000FF,C463F85C), ref: 03489EAF

Part of subcall function 03488804: GetForegroundWindow.USER32(0349B117,?,03488321), ref: 0348880C
Part of subcall function 03488804: GetWindowTextW.USER32(00000000,03488321,000000FA), ref: 03488826

lstrlenW.KERNEL32(-000008CC,00000002,?,?,?,?,?,?,?,C463F85C), ref: 03488349
lstrlenW.KERNEL32(-00000994,00000002), ref: 034883CD
wsprintfW.USER32 ref: 03488448
GetCurrentProcessId.KERNEL32(-00000AD4), ref: 03488463

Part of subcall function 03489106: _memset.LIBCMT ref: 03489130
Part of subcall function 03489106: RegOpenKeyExW.ADVAPI32(80000001,034C08D8,00000000,000F003F,?), ref: 03489159
Part of subcall function 03489106: RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 034891A0

Part of subcall function 03488DC4: _memset.LIBCMT ref: 03488DFF
Part of subcall function 03488DC4: lstrcatW.KERNEL32(034D09F0), ref: 03488E49
Part of subcall function 03488DC4: lstrcatW.KERNEL32(034D09F0,034C0848), ref: 03488E59

GetTickCount.KERNEL32 ref: 034884EB

Part of subcall function 034877B3: __time64.LIBCMT ref: 034877B9

Part of subcall function 034877A5: __localtime64.LIBCMT ref: 034877AB

wsprintfW.USER32 ref: 03488565
GetLocaleInfoW.KERNEL32(00000800,00000002,-00000F46,00000040), ref: 03488580
GetSystemDirectoryW.KERNEL32(-00001184,00000032), ref: 03488591
GetCurrentHwProfileW.ADVAPI32(?), ref: 0348859E

Part of subcall function 0348869B: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,?,?,?,C463F85C), ref: 034887A6
Part of subcall function 0348869B: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,-00000A70,?), ref: 034887CD

Strings

x86, xrefs: 0348842A
X86, xrefs: 034885B8
Network, xrefs: 034883B8
AppEvents, xrefs: 03488328
REMARK, xrefs: 034883E3
AppEvents, xrefs: 034883AC
X86 %s, xrefs: 0348843A
Network, xrefs: 03488334
x64, xrefs: 0348841E
X86, xrefs: 034885FC
GROUP, xrefs: 0348835F

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: ByteCharMultiWide__aulldiv_memset$Infowsprintf$Open$CountCurrentFreeLibraryQuerySystemTickWindowlstrcatlstrlen$AddressCloseCreateDirectoryDiskDriveFactoryForegroundGlobalInputInternetLastLoadLocaleMemoryProcProcessProfileSpaceStatusTextTypeValue__localtime64__time64_malloc_strcpy_sswprintf
String ID: AppEvents$AppEvents$GROUP$Network$Network$REMARK$X86$X86$X86 %s$x64$x86
API String ID: 125929125-2868883604
Opcode ID: 2a60134b2da484bf4b4f67728f434b1ec84edd90f36ce4b44dca64e070641e4f
Instruction ID: 5e4c8274a10537c29f718952ee7823b69cc956faacb23d735780465e2f241f21
Opcode Fuzzy Hash: 2a60134b2da484bf4b4f67728f434b1ec84edd90f36ce4b44dca64e070641e4f
Instruction Fuzzy Hash: 61E13DB1940219AFEF14EBA8DC49FAEB7B8FF04314F140516F519FE281DA7599508B28

Uniqueness

Uniqueness Score: -1.00%

Function 0348AD40 Relevance: 31.7, APIs: 13, Strings: 5, Instructions: 155processmemoryinjectionCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0348AD66
_memset.LIBCMT ref: 0348AD95
_memset.LIBCMT ref: 0348ADAF
_memset.LIBCMT ref: 0348ADD1
_memset.LIBCMT ref: 0348AE0B
GetSystemDirectoryA.KERNEL32(00000000,000000FF), ref: 0348AE1F

Part of subcall function 0348CC13: _vswprintf_s.LIBCMT ref: 0348CC2B

GetFileAttributesA.KERNEL32(00000000), ref: 0348AE53
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,00000000), ref: 0348AEA8
VirtualAllocEx.KERNEL32(00000000,00000000,?,00003000,00000040), ref: 0348AED6
WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 0348AF06

Strings

%s%s, xrefs: 0348AE71
Windows\SysWOW64\svchost.exe, xrefs: 0348AE2C
Windows\System32\svchost.exe, xrefs: 0348AE65
%s%s, xrefs: 0348AE38
D, xrefs: 0348ADD9

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: _memset$Process$AllocAttributesCreateDirectoryFileMemorySystemVirtualWrite_vswprintf_s
String ID: %s%s$%s%s$D$Windows\SysWOW64\svchost.exe$Windows\System32\svchost.exe
API String ID: 2855821649-2772855104
Opcode ID: 5939121644851f0f37f1de23180151a6369659647ade2685f4a8f7a430654713
Instruction ID: 07e6ffde156ac0e5c1a6e0c09543409192ce27d621b9b480456cee5476a9f921
Opcode Fuzzy Hash: 5939121644851f0f37f1de23180151a6369659647ade2685f4a8f7a430654713
Instruction Fuzzy Hash: 2B513DB1D50259AFEB61EF64CC49BEDB7BCAF04304F0005EAE608BA181D7B45B849F59

Uniqueness

Uniqueness Score: -1.00%

Function 00E3E67D Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 340COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E3E684

Part of subcall function 00E0E8CB: FillRect.USER32(?,?), ref: 00E0E8DF

Strings

d, xrefs: 00E3E6DC

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: FillH_prolog3Rect
String ID: d
API String ID: 1863035756-2564639436
Opcode ID: 9e1acaace5c3f7c39a5d07413e9ffd34115495e3f6647718af8dd12d34b910d9
Instruction ID: 228d5f362bade8726c2a5f00fa143f3ab724e910435b86f89c31128bcc41b9d5
Opcode Fuzzy Hash: 9e1acaace5c3f7c39a5d07413e9ffd34115495e3f6647718af8dd12d34b910d9
Instruction Fuzzy Hash: 2FC1C87190022ADFCB14DFA8CD8A9EEBFB4EF48304F10556AF951B62D1C7349916DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0349C71F Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 137synchronizationfilestringCOMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,034CF840,?,?,?,?,?,?,?,?,03488B96,?,?), ref: 0349C73C
lstrcatW.KERNEL32(034CF840,\DisplaySessionContainers.log), ref: 0349C74C
CreateMutexW.KERNEL32(00000000,00000000,034CF840,?,?,?,?,?,?,?,?,03488B96,?,?), ref: 0349C75B
WaitForSingleObject.KERNEL32(000000FF,?,?,?,?,?,?,?,?,03488B96,?,?), ref: 0349C76E
CreateFileW.KERNEL32(034CF840,40000000,00000002,00000000,00000004,00000080,00000000,?,?,?,?,?,?,?,?,03488B96), ref: 0349C78B
GetFileSize.KERNEL32(?,00000000), ref: 0349C79D
CloseHandle.KERNEL32(?), ref: 0349C7A9
DeleteFileW.KERNEL32(034CF840), ref: 0349C7BD
ReleaseMutex.KERNEL32 ref: 0349C7C9
DirectInput8Create.DINPUT8(00000000,00000800,034BDB6C,034CFCE8,00000000), ref: 0349C7E5

Strings

\DisplaySessionContainers.log, xrefs: 0349C742
<, xrefs: 0349C889

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: CreateFile$Mutex$CloseDeleteDirectFolderHandleInput8ObjectPathReleaseSingleSizeWaitlstrcat
String ID: <$\DisplaySessionContainers.log
API String ID: 3253485002-1170057892
Opcode ID: 233e7f08bb1a77a16d5a347369351c69a1ea9c5c5d8b664aabb5a394159ccc48
Instruction ID: cfc73a6e10d6deb077f17fa4311a6d7045cc547ad595f51a4436376eb29b8d52
Opcode Fuzzy Hash: 233e7f08bb1a77a16d5a347369351c69a1ea9c5c5d8b664aabb5a394159ccc48
Instruction Fuzzy Hash: DD516B34A50208EFEF40EFA5D84ABAD7BF5BB09701F108056E911BF295D7795849CF28

Uniqueness

Uniqueness Score: -1.00%

Function 00DE688A Relevance: 21.3, APIs: 14, Instructions: 280keyboardwindowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00DE696E
SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 00DE698A
GetCapture.USER32 ref: 00DE6A04
GetKeyState.USER32(00000011), ref: 00DE6A66
GetKeyState.USER32(00000010), ref: 00DE6A73
ImmGetContext.IMM32(?), ref: 00DE6A81
ImmGetOpenStatus.IMM32(00000000,?), ref: 00DE6A8E
ImmReleaseContext.IMM32(?,00000000,?), ref: 00DE6AB0
GetFocus.USER32 ref: 00DE6ADA
IsWindow.USER32(?), ref: 00DE6B1B
IsWindow.USER32(?), ref: 00DE6BA1
ClientToScreen.USER32(?,?), ref: 00DE6BB1
IsWindow.USER32(?), ref: 00DE6BD7
ClientToScreen.USER32(?,?), ref: 00DE6C06

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Window$ClientContextScreenState$CaptureFocusMessageOpenReleaseSendStatus
String ID:
API String ID: 1155058817-0
Opcode ID: 17e438a045fbfd71b3a5aeb302fc876a89ca287485bbf8ec46bedebc89042208
Instruction ID: 4b16f9ad35f1fa2a924f728757be2b37cf9bf9995f0a0e068594e2698ee34d8e
Opcode Fuzzy Hash: 17e438a045fbfd71b3a5aeb302fc876a89ca287485bbf8ec46bedebc89042208
Instruction Fuzzy Hash: 6EA17F31900646EFDF24BFA2CC94ABA77A5FF24384F18843AE596E1052DB32DC50DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00DE49CC Relevance: 21.3, APIs: 14, Instructions: 268keyboardwindowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00DE4AA5
SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 00DE4AC1
GetCapture.USER32 ref: 00DE4B41
GetKeyState.USER32(00000011), ref: 00DE4B94
GetKeyState.USER32(00000010), ref: 00DE4BA1
ImmGetContext.IMM32(?), ref: 00DE4BAF
ImmGetOpenStatus.IMM32(00000000,?), ref: 00DE4BBC
ImmReleaseContext.IMM32(00000000,00000000,?), ref: 00DE4BDE
GetFocus.USER32 ref: 00DE4C08
IsWindow.USER32(?), ref: 00DE4C49
IsWindow.USER32(?), ref: 00DE4CCF
ClientToScreen.USER32(?,?), ref: 00DE4CDF
IsWindow.USER32(?), ref: 00DE4D05
ClientToScreen.USER32(?,?), ref: 00DE4D34

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Window$ClientContextScreenState$CaptureFocusMessageOpenReleaseSendStatus
String ID:
API String ID: 1155058817-0
Opcode ID: 8099f1f28becc718e9340a3dcf54705674e638624794ffd1c79e66cb4782ebbb
Instruction ID: 9136ba28d63a64e153d2a94c6659e761c3394ef5fa251c8c60db4d28e42b251e
Opcode Fuzzy Hash: 8099f1f28becc718e9340a3dcf54705674e638624794ffd1c79e66cb4782ebbb
Instruction Fuzzy Hash: 0C91FF31900646EFDF34BFA2C894ABEB7A5FF04318F28853AE156A2061D731D990DB35

Uniqueness

Uniqueness Score: -1.00%

Function 00DCCC9C Relevance: 21.3, APIs: 14, Instructions: 262windowCOMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 00DCCD19
RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 00DCCD37
ReleaseCapture.USER32 ref: 00DCCD3D
SetCapture.USER32(?), ref: 00DCCD50
ReleaseCapture.USER32 ref: 00DCCDC5
SetCapture.USER32(?), ref: 00DCCDD8
SendMessageW.USER32(?,00000362,0000E001,00000000), ref: 00DCCEB1
UpdateWindow.USER32(?), ref: 00DCCF14
SendMessageW.USER32(?,00000111,000000FF,00000000), ref: 00DCCF5C
IsWindow.USER32(?), ref: 00DCCF67
IsIconic.USER32(?), ref: 00DCCF74
IsZoomed.USER32(?), ref: 00DCCF81
IsWindow.USER32(?), ref: 00DCCF95
UpdateWindow.USER32(?), ref: 00DCCFE1

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Window$Capture$MessageReleaseSendUpdate$EmptyIconicRectRedrawZoomed
String ID:
API String ID: 2500574155-0
Opcode ID: 30402515d65ba2ea026052ad61f20c8a8d9c2b50d90513c1abbbed309870cd4f
Instruction ID: 3dc30566e5089a874b3025d3f0078dde295ed7cfad014a0d8abb1f973800ec2a
Opcode Fuzzy Hash: 30402515d65ba2ea026052ad61f20c8a8d9c2b50d90513c1abbbed309870cd4f
Instruction Fuzzy Hash: 36A12731610205AFCF25AF64CC88FA97BB6FF44314F1851BDF91A9B2A2CB319945DB20

Uniqueness

Uniqueness Score: -1.00%

Function 0348A3FD Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000020,?), ref: 0348A413
OpenProcessToken.ADVAPI32(00000000), ref: 0348A41A
LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 0348A436
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 0348A452
CloseHandle.KERNEL32(?), ref: 0348A45B
GetModuleHandleA.KERNEL32(NtDll.dll,NtSetInformationProcess), ref: 0348A46B
GetProcAddress.KERNEL32(00000000), ref: 0348A472
GetCurrentProcessId.KERNEL32 ref: 0348A48C
OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 0348A499

Strings

NtSetInformationProcess, xrefs: 0348A461
NtDll.dll, xrefs: 0348A466
SeDebugPrivilege, xrefs: 0348A42F

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: Process$CurrentHandleOpenToken$AddressAdjustCloseLookupModulePrivilegePrivilegesProcValue
String ID: NtDll.dll$NtSetInformationProcess$SeDebugPrivilege
API String ID: 1802016953-1577477132
Opcode ID: ca2b72ef37447569e1527230448221463b49dc5d76814c75b4516d6e7a10614c
Instruction ID: 387d9503df7ddeecfa0f6cea5f889052710624670fa4a349bd6db1b8e4da19d8
Opcode Fuzzy Hash: ca2b72ef37447569e1527230448221463b49dc5d76814c75b4516d6e7a10614c
Instruction Fuzzy Hash: 2F112C71A40208BFEB00EFE4DC09FAE7BF8AB08705F100416E612FD181E7B596448B65

Uniqueness

Uniqueness Score: -1.00%

Function 00DEC708 Relevance: 20.8, APIs: 13, Instructions: 1300COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00DEC712
Polygon.GDI32(?,?,00000004), ref: 00DEC82C
CreatePolygonRgn.GDI32(?,00000008,00000002), ref: 00DECF53
InflateRect.USER32(?,000000FF,00000000), ref: 00DECFB6
GetClientRect.USER32(?,?), ref: 00DED04F
Polyline.GDI32(00000007,?,00000008), ref: 00DED0EE
CreatePolygonRgn.GDI32(?,?,00000002), ref: 00DECB5C

Part of subcall function 00DABE56: __EH_prolog3.LIBCMT ref: 00DABE5D
Part of subcall function 00DABE56: CreatePen.GDI32(?,?,?), ref: 00DABE7E

Part of subcall function 00DABD82: SelectObject.GDI32(?,00000000), ref: 00DABDA8
Part of subcall function 00DABD82: SelectObject.GDI32(?,?), ref: 00DABDBE

Part of subcall function 00DAB692: MoveToEx.GDI32(?,?,00000000,?), ref: 00DAB6BC
Part of subcall function 00DAB692: MoveToEx.GDI32(?,?,00000000,?), ref: 00DAB6CD

Part of subcall function 00DABE9F: __EH_prolog3.LIBCMT ref: 00DABEA6
Part of subcall function 00DABE9F: CreateSolidBrush.GDI32(?), ref: 00DABEC1

FillRect.USER32(0000000A,?,?), ref: 00DED677

Part of subcall function 00DAB096: MoveToEx.GDI32(?,?,?,00000000), ref: 00DAB0B3
Part of subcall function 00DAB096: LineTo.GDI32(?,?,?), ref: 00DAB0C2

CreateRectRgnIndirect.GDI32(?), ref: 00DED366
OffsetRect.USER32(?,00000001,00000000), ref: 00DED633
FillRect.USER32(0000000A,?), ref: 00DED6A1
OffsetRect.USER32(?,00000000), ref: 00DED759
CreateRectRgnIndirect.GDI32(?), ref: 00DED86C

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Rect$Create$MovePolygon$FillH_prolog3IndirectObjectOffsetSelect$BrushClientH_prolog3_InflateLinePolylineSolid
String ID:
API String ID: 3550269515-0
Opcode ID: ceccd50dbaa0178a8df866122d709d37c4772a03b89b10a44e1853cefe35133d
Instruction ID: c7f2a4fb398f9365b25edb4484c9a5ad6280b6fe9bf925f178b16ee2af0d6137
Opcode Fuzzy Hash: ceccd50dbaa0178a8df866122d709d37c4772a03b89b10a44e1853cefe35133d
Instruction Fuzzy Hash: 9FC225709002599FCF24DF68CD81BEEB7B6FF49310F1481AAE51AA7251DB319A85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0348B0A5 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 95stringCOMMON

Download Yara Rule

APIs

GetLogicalDriveStringsW.KERNEL32(000003E8,?), ref: 0348B0D7
lstrcmpiW.KERNEL32(?,A:\), ref: 0348B117
lstrcmpiW.KERNEL32(?,B:\), ref: 0348B131
QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0348B16E
lstrlenW.KERNEL32(?), ref: 0348B183
__wcsnicmp.LIBCMT ref: 0348B199
lstrcpyW.KERNEL32(00000000,?), ref: 0348B1AC
lstrcatW.KERNEL32(00000000,00000000), ref: 0348B1BF
lstrcpyW.KERNEL32(00000000,00000000), ref: 0348B1D5

Strings

A:\, xrefs: 0348B107
B:\, xrefs: 0348B121

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: lstrcmpilstrcpy$DeviceDriveLogicalQueryStrings__wcsnicmplstrcatlstrlen
String ID: A:\$B:\
API String ID: 950920757-1009255891
Opcode ID: 62ad684ea17b711430952358bdbd6eabe0c07d2b34d001b19614c3bcd979c312
Instruction ID: 08c08d588f25ce141948b2ef970acfa68ad8bc1d7f6be2e22d516f96be4e341f
Opcode Fuzzy Hash: 62ad684ea17b711430952358bdbd6eabe0c07d2b34d001b19614c3bcd979c312
Instruction Fuzzy Hash: 8941E774A10209EFDF50EFA8D944AAE77B8EF08344F144466E91AEE250E734DA45CF18

Uniqueness

Uniqueness Score: -1.00%

Function 00E20FB1 Relevance: 16.7, APIs: 11, Instructions: 220windowkeyboardCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00E20FDF
GetFocus.USER32 ref: 00E20FED
IsChild.USER32(?,?), ref: 00E21021
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00E21055
IsChild.USER32(?,?), ref: 00E21071
SendMessageW.USER32(?,00000100,?,00000000), ref: 00E210A0
IsIconic.USER32(?), ref: 00E210E1
GetAsyncKeyState.USER32(00000011), ref: 00E21167
GetAsyncKeyState.USER32(00000012), ref: 00E21179
GetAsyncKeyState.USER32(00000010), ref: 00E21186
IsWindowVisible.USER32(?), ref: 00E211E7

Part of subcall function 00E4FE91: RedrawWindow.USER32(?,00000000,00000000,00000105,00000000), ref: 00E4FEBE

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: AsyncStateWindow$ChildMessageSend$FocusIconicRedrawVisible
String ID:
API String ID: 763474574-0
Opcode ID: 70473a5881db340570670851acab5ee7ca05fbe25635d2f7af88483e055f410f
Instruction ID: bed2ac8158359c2a76aa5013b8f74abf186d441df58f76d538d3410a6c353413
Opcode Fuzzy Hash: 70473a5881db340570670851acab5ee7ca05fbe25635d2f7af88483e055f410f
Instruction Fuzzy Hash: 0571E332A00264DFDF209FA0EC84FA977B5BB18308F0950F9E546F7161DB729E45AB61

Uniqueness

Uniqueness Score: -1.00%

Function 00E1250F Relevance: 13.6, APIs: 9, Instructions: 141clipboardwindowCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00E12516

Part of subcall function 00DABAC4: __EH_prolog3.LIBCMT ref: 00DABACB
Part of subcall function 00DABAC4: GetWindowDC.USER32(00000000,00000004), ref: 00DABAF7

CreateCompatibleDC.GDI32(00000000), ref: 00E1253C
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00E12565
FillRect.USER32(?,?,00000000), ref: 00E125E2
OpenClipboard.USER32(?), ref: 00E12644
EmptyClipboard.USER32 ref: 00E12652
CloseClipboard.USER32 ref: 00E12669

Part of subcall function 00DAADC5: __EH_prolog3.LIBCMT ref: 00DAADCC

SetClipboardData.USER32(00000002,00000000), ref: 00E1267F
CloseClipboard.USER32 ref: 00E12696

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Clipboard$CloseCompatibleCreateH_prolog3$BitmapDataEmptyFillH_prolog3_catch_OpenRectWindow
String ID:
API String ID: 519079464-0
Opcode ID: 18fd439f08e9338ef74730481e892db4e74ff0c3d3d0807bf41c5b91cd8479de
Instruction ID: 25f5c702914c3edc4d5c9ebd4e014dadb2d27cb99200c98f29a8faebf7b7084f
Opcode Fuzzy Hash: 18fd439f08e9338ef74730481e892db4e74ff0c3d3d0807bf41c5b91cd8479de
Instruction Fuzzy Hash: F8517D70900248AFCB04EFA4CD859EDBBB8EF09314F14812DF516B3292DB715A498B71

Uniqueness

Uniqueness Score: -1.00%

Function 00E50863 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00E50899

Strings

y, xrefs: 00E508DA

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: RectWindow
String ID: y
API String ID: 861336768-4225443349
Opcode ID: 6bb857372b0236e0ed8ee8df1b0a8db7743c019063c912ce44fb976c7ce393da
Instruction ID: b42bef1cbed16484992ff6b4af9e0193756e8846f8c9b5eb3be2974cc3437c5d
Opcode Fuzzy Hash: 6bb857372b0236e0ed8ee8df1b0a8db7743c019063c912ce44fb976c7ce393da
Instruction Fuzzy Hash: 6931A2729002099FEF249F68C845BAE77F4EBD830AF15983AFD16B7147D67089488B91

Uniqueness

Uniqueness Score: -1.00%

Function 00DDA6C3 Relevance: 12.1, APIs: 8, Instructions: 132filestringCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00DDA6CD
GetFullPathNameW.KERNEL32(00000000,00000104,00000000,?,00000268,00DDA8A8,00000000,?,00000000,?,00DDFD9A,?,?,00000000), ref: 00DDA70B

Part of subcall function 00DA6451: __CxxThrowException@8.LIBCMT ref: 00DA6467
Part of subcall function 00DA6451: __EH_prolog3.LIBCMT ref: 00DA6474

PathIsUNCW.SHLWAPI(?,00000000,?,00000000,?,00DDFD9A,?,?,00000000), ref: 00DDA787
GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,00DDFD9A,?,?,00000000), ref: 00DDA7AE
CharUpperW.USER32(00000000), ref: 00DDA7E1
FindFirstFileW.KERNEL32(?,?), ref: 00DDA7FD
FindClose.KERNEL32(00000000), ref: 00DDA809
lstrlenW.KERNEL32(?), ref: 00DDA827

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: FindPath$CharCloseException@8FileFirstFullH_prolog3H_prolog3_InformationNameThrowUpperVolumelstrlen
String ID:
API String ID: 624941980-0
Opcode ID: d626b0e0b5c5900d9f55dcdf2cc4a0ba0638f20ce56ea08bffbcff96a63064ad
Instruction ID: 2f921ad176ee36d64926ae1e3140ad59e37f27a0450b5cd1bf6e03682ce16b4c
Opcode Fuzzy Hash: d626b0e0b5c5900d9f55dcdf2cc4a0ba0638f20ce56ea08bffbcff96a63064ad
Instruction Fuzzy Hash: 5941A371904115ABDF14AB64CC5DBBE7778EF11304F0882A9B819A2291DB359E85CE32

Uniqueness

Uniqueness Score: -1.00%

Function 00DC91C5 Relevance: 11.1, APIs: 7, Instructions: 578COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00DC91CF
GetClientRect.USER32(?,?), ref: 00DC9220

Part of subcall function 00DBAE5C: __EH_prolog3.LIBCMT ref: 00DBAE63
Part of subcall function 00DBAE5C: GetClientRect.USER32(?,?), ref: 00DBAEB6

GetClientRect.USER32(?,?), ref: 00DC92DF
SetRectEmpty.USER32(?), ref: 00DC9633
IntersectRect.USER32(?,?,?), ref: 00DC966E

Part of subcall function 00DBAFB0: __EH_prolog3_GS.LIBCMT ref: 00DBAFB7

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Rect$Client$H_prolog3_$EmptyH_prolog3Intersect
String ID:
API String ID: 1307055728-0
Opcode ID: bb9f71a87d34a15323f1d3a66fc8834afc9e2fe1704aae9e1fed6647f79c607e
Instruction ID: fdc3a6b1d471f0f89cddcb7187f54d379e33c676e4e314787286eb3c03606639
Opcode Fuzzy Hash: bb9f71a87d34a15323f1d3a66fc8834afc9e2fe1704aae9e1fed6647f79c607e
Instruction Fuzzy Hash: 31325870A0122ACFCF259F60C998FADB7B5BF49700F1941AEE449A7251DB309E85CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0348AA41 Relevance: 10.6, APIs: 7, Instructions: 51COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 0348AA57
OpenProcessToken.ADVAPI32(00000000), ref: 0348AA5E
LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 0348AA89
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 0348AA9E
GetLastError.KERNEL32 ref: 0348AAA4
CloseHandle.KERNEL32(?), ref: 0348AAB1

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 3398352648-0
Opcode ID: dba01b9ca3265cbe9fd967f96a54857b4582934f19c67d4106b4202cf6716df3
Instruction ID: 3a425c71ebc083fe4699e193114180e7a00ed3acec5481d4d2da3fcb48995049
Opcode Fuzzy Hash: dba01b9ca3265cbe9fd967f96a54857b4582934f19c67d4106b4202cf6716df3
Instruction Fuzzy Hash: CD115E31650208BFDB00FFB4CD4ABAE7BF8EB08701F544426A602ED180E67596049B50

Uniqueness

Uniqueness Score: -1.00%

Function 00DDC51E Relevance: 9.1, APIs: 6, Instructions: 116keyboardwindowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000362,0000E002,00000000), ref: 00DDC5A0
UpdateWindow.USER32(?), ref: 00DDC5B7
GetKeyState.USER32(00000079), ref: 00DDC5DC
GetKeyState.USER32(00000012), ref: 00DDC5E9
GetParent.USER32(?), ref: 00DDC69F
PostMessageW.USER32(?,0000036A,00000000,00000000), ref: 00DDC6BB

Part of subcall function 00DA6451: __CxxThrowException@8.LIBCMT ref: 00DA6467
Part of subcall function 00DA6451: __EH_prolog3.LIBCMT ref: 00DA6474

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: MessageState$Exception@8H_prolog3ParentPostSendThrowUpdateWindow
String ID:
API String ID: 2390574533-0
Opcode ID: 9ce741317e902ec0395a4145f4a53e406a43e728401786167dc8342f674493e4
Instruction ID: 2b711b8f2083680a4c254d0a11dc50c9b27b5d0c94dce9c637fbeaf98d986f39
Opcode Fuzzy Hash: 9ce741317e902ec0395a4145f4a53e406a43e728401786167dc8342f674493e4
Instruction Fuzzy Hash: A641C431210706DBEB309B30C848FAA77E1BF44744F19657AE89A572E0DB71E840DB21

Uniqueness

Uniqueness Score: -1.00%

Function 0349CD43 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 55stringclipboardsleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000001), ref: 0349CB7D
GetTickCount.KERNEL32 ref: 0349CB83
GetTickCount.KERNEL32 ref: 0349CB9A
InterlockedExchange.KERNEL32(034D09D8,00000000), ref: 0349CBA6
OpenClipboard.USER32(00000000), ref: 0349CBAE
GetClipboardData.USER32(0000000D), ref: 0349CBB6
GlobalSize.KERNEL32(00000000), ref: 0349CBD5
GlobalLock.KERNEL32(00000000), ref: 0349CBEB
_memmove.LIBCMT ref: 0349CCC2
wsprintfW.USER32 ref: 0349CCDC
_memset.LIBCMT ref: 0349CD00
GlobalUnlock.KERNEL32(00000000), ref: 0349CD0E
CloseClipboard.USER32 ref: 0349CD14
GetKeyState.USER32(00000014), ref: 0349CDD6
wsprintfW.USER32 ref: 0349CE40
lstrlenW.KERNEL32(-034C994B), ref: 0349CE74
wsprintfW.USER32 ref: 0349CE9E
lstrlenW.KERNEL32(-034C9973), ref: 0349CEC1
wsprintfW.USER32 ref: 0349CEEB
lstrlenW.KERNEL32(-034C9973), ref: 0349CF39
wsprintfW.USER32 ref: 0349CF63
wsprintfW.USER32 ref: 0349CFD0
lstrlenW.KERNEL32(?), ref: 0349CFF5

Strings

5, xrefs: 0349CE17
%s%s, xrefs: 0349CE35
[esc], xrefs: 0349CE29

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: wsprintf$lstrlen$ClipboardGlobal$CountTick$CloseDataExchangeInterlockedLockOpenSizeSleepStateUnlock_memmove_memset
String ID: %s%s$5$[esc]
API String ID: 1226511460-2835477063
Opcode ID: 649fde35aef5c5ebe7420184f907d198d92af193ff774843eae71c427f0f62e9
Instruction ID: 12609bc45662a9e075a38def27d4c9d21f40427cb4c6b8f93fa735e9cc6fae1b
Opcode Fuzzy Hash: 649fde35aef5c5ebe7420184f907d198d92af193ff774843eae71c427f0f62e9
Instruction Fuzzy Hash: 1E21FC31D00198DFEF64CA04C9887D9BBB5BB18341F1401D6E48AEE158C3B48EC2CF18

Uniqueness

Uniqueness Score: -1.00%

Function 034B0216 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00000000,00000002,?,?,034B0853,?,034A4D82,?,000000BC,?,00000001,00000000,00000000), ref: 034B0255
GetLocaleInfoW.KERNEL32(?,20001004,00000000,00000002,?,?,034B0853,?,034A4D82,?,000000BC,?,00000001,00000000,00000000), ref: 034B027E
GetACP.KERNEL32(?,?,034B0853,?,034A4D82,?,000000BC,?,00000001,00000000), ref: 034B0292

Strings

OCP, xrefs: 034B0236
ACP, xrefs: 034B0225

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: d8dfa6844032a7358bfa55ce3bcc968d943c9b50f048623e9f36b07a449141e5
Instruction ID: 37271c59983369ced5cb2f600b3434faa88a18a2e720183fb3cdbc7fd2d3be6e
Opcode Fuzzy Hash: d8dfa6844032a7358bfa55ce3bcc968d943c9b50f048623e9f36b07a449141e5
Instruction Fuzzy Hash: 69012831600706BEEF29DA759C05BDF72B86F01619F280056E440ED180E720DE45A27C

Uniqueness

Uniqueness Score: -1.00%

Function 0349F3F0 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 034A5E16
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 034A5E2B
UnhandledExceptionFilter.KERNEL32(034BB558), ref: 034A5E36
GetCurrentProcess.KERNEL32(C0000409), ref: 034A5E52
TerminateProcess.KERNEL32(00000000), ref: 034A5E59

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 90884a153a50b58cb35da0b88d81b27bef6f324fd0814f54676c2edb04d10349
Instruction ID: fab7db1a2e93408a50d69b7661c07dec6a7b794dae208054453213265e4d1248
Opcode Fuzzy Hash: 90884a153a50b58cb35da0b88d81b27bef6f324fd0814f54676c2edb04d10349
Instruction Fuzzy Hash: CD21CDB8522300DFE780FF19E5886447BE8FB08302F90546AE509AF358E7B496C18F55

Uniqueness

Uniqueness Score: -1.00%

Function 00EA47AC Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00EAAD3F
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00EAAD54
UnhandledExceptionFilter.KERNEL32(00EF0330), ref: 00EAAD5F
GetCurrentProcess.KERNEL32(C0000409), ref: 00EAAD7B
TerminateProcess.KERNEL32(00000000), ref: 00EAAD82

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: e7409284138f093b9560ed9e0a0f383eec094226affa83ee9c1988e7899b272d
Instruction ID: ec67f90e35da056fa6e02884ad904c60f1bae4eb306233140dd59b58b1f30d0d
Opcode Fuzzy Hash: e7409284138f093b9560ed9e0a0f383eec094226affa83ee9c1988e7899b272d
Instruction Fuzzy Hash: 5C21E5B598138C9FC700DF99FD44AC47BA4BB48704F02D02AE428A7261D7B55985EFC6

Uniqueness

Uniqueness Score: -1.00%

Function 03494CEC Relevance: 6.1, APIs: 4, Instructions: 77memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 03494D30
_free.LIBCMT ref: 03494D88
GetProcessHeap.KERNEL32(00000000,00000000,?,0348FFF6), ref: 03494DB8
HeapFree.KERNEL32(00000000,?,0348FFF6), ref: 03494DBF

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: Heap_free$FreeProcess
String ID:
API String ID: 1072109031-0
Opcode ID: c1fc496532359ab7c6c8054c7ac6fd8c594856e675ba5d0ccbe1dcb757830d31
Instruction ID: b8d716af1bbc2b07a823147c8aeffb6a3eafdefdf796c75a4bbdc33c35552490
Opcode Fuzzy Hash: c1fc496532359ab7c6c8054c7ac6fd8c594856e675ba5d0ccbe1dcb757830d31
Instruction Fuzzy Hash: 5A318239A00108EFDB05DF99C698F9CBBB1EF08311F268196E505AB3A1C771AE51DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00DAA4D3 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,00000000,00000005), ref: 00DAA4FE
LoadResource.KERNEL32(?,00000000), ref: 00DAA506
LockResource.KERNEL32(00000000), ref: 00DAA518
FreeResource.KERNEL32(00000000), ref: 00DAA566

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: ef5d8bb13797908d04abcaa5b03a5e707867d00d0787c5715b407bb81df46c2d
Instruction ID: a6a3f18521e1a1bdaf3bc7e128b7667083a51c8cfaf912a97e693d3df71c0e17
Opcode Fuzzy Hash: ef5d8bb13797908d04abcaa5b03a5e707867d00d0787c5715b407bb81df46c2d
Instruction Fuzzy Hash: FC110131900616EFD7218FAEC888A6AB7F4FF06315F188239E85253590E375ED04DB72

Uniqueness

Uniqueness Score: -1.00%

Function 0348A520 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?,?,?,?,?,?,?,0348A74B,SeDebugPrivilege), ref: 0348A536
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,0348A74B,SeDebugPrivilege), ref: 0348A53D
LookupPrivilegeValueW.ADVAPI32(00000000,0348A74B,?), ref: 0348A555

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: Process$CurrentLookupOpenPrivilegeTokenValue
String ID:
API String ID: 3639550587-0
Opcode ID: 5c47bba3e347179a901eeb31053df9907f8822062c4708e4b65cef74e73f6d59
Instruction ID: 757cac125502de1dddff70659d80ec37c9afc3f77047e7fe2c4e4c209f6b1e05
Opcode Fuzzy Hash: 5c47bba3e347179a901eeb31053df9907f8822062c4708e4b65cef74e73f6d59
Instruction Fuzzy Hash: 42112D70A51309AFEB91EFA4DC45BAE7BF8EB08745F040466EA12EE180E7B496448B54

Uniqueness

Uniqueness Score: -1.00%

Function 00DB297D Relevance: 6.0, APIs: 4, Instructions: 42keyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DB5A26: GetWindowLongW.USER32(?,000000F0), ref: 00DB5A31

GetKeyState.USER32(00000010), ref: 00DB29A3
GetKeyState.USER32(00000011), ref: 00DB29AC
GetKeyState.USER32(00000012), ref: 00DB29B5
SendMessageW.USER32(?,00000111,0000E146,00000000), ref: 00DB29CB

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: 41b0ce15ea492af41e8ac2958ed0aa4492496dd285d8e565fe61473e7b7ed983
Instruction ID: 60d23d809bd43d13d5e61a1113fa94a08850d5275f27f788bc958f1992b55f13
Opcode Fuzzy Hash: 41b0ce15ea492af41e8ac2958ed0aa4492496dd285d8e565fe61473e7b7ed983
Instruction Fuzzy Hash: CBF0E937BC025AE7DE2036726C02FF50855BF58BD4F0405327647BA4C9DD91D84269B0

Uniqueness

Uniqueness Score: -1.00%

Function 0349156A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 0348AA41: GetCurrentProcess.KERNEL32(00000028,?), ref: 0348AA57
Part of subcall function 0348AA41: OpenProcessToken.ADVAPI32(00000000), ref: 0348AA5E

ExitWindowsEx.USER32(00000006,00000000), ref: 0349157C

Part of subcall function 0348AA41: LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 0348AA89
Part of subcall function 0348AA41: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 0348AA9E
Part of subcall function 0348AA41: GetLastError.KERNEL32 ref: 0348AAA4
Part of subcall function 0348AA41: CloseHandle.KERNEL32(?), ref: 0348AAB1

Strings

SeShutdownPrivilege, xrefs: 03491584
SeShutdownPrivilege, xrefs: 0349156C

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: ProcessToken$AdjustCloseCurrentErrorExitHandleLastLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege$SeShutdownPrivilege
API String ID: 3672536310-2417394338
Opcode ID: 357f75decfc5385c8bae864c08f51b8e25eb7d138ff50181ac88f335716cc307
Instruction ID: 3562287fe6e9eede7e9a1d84a917c8d73a8916851e3a75658c1274c9262f016e
Opcode Fuzzy Hash: 357f75decfc5385c8bae864c08f51b8e25eb7d138ff50181ac88f335716cc307
Instruction Fuzzy Hash: E1D0C93B3D93412EF514F2517C47FDC2B94E741A21F30000FF216AC4C168D22046813D

Uniqueness

Uniqueness Score: -1.00%

Function 00E209E6 Relevance: 4.5, APIs: 3, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 00E20A11
GetKeyState.USER32(00000011), ref: 00E20A1A
GetKeyState.USER32(00000012), ref: 00E20A23

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: b455a597dcf3011ff775cec1151c74e008e1bbc9f5c789a78c1a3408121e4b5d
Instruction ID: 29e27fb6294b48c813e1a8bfa7afeac89e864db81937a9a68ed2b48d9c43ad45
Opcode Fuzzy Hash: b455a597dcf3011ff775cec1151c74e008e1bbc9f5c789a78c1a3408121e4b5d
Instruction Fuzzy Hash: 3CF0E5B16A03399EDF04A350BC00FE47A94DB047C8F806071EA84770C2CBA0ED4196A0

Uniqueness

Uniqueness Score: -1.00%

Function 00E22E90 Relevance: 3.1, APIs: 2, Instructions: 57windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00E22EE4
PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 00E22F34

Part of subcall function 00DB5A26: GetWindowLongW.USER32(?,000000F0), ref: 00DB5A31

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: IconicLongMessagePostWindow
String ID:
API String ID: 1855654840-0
Opcode ID: d672ca50e05ebcdcebb7c5a9ea147289bdc9b25aa2d545ebc71615c6c905d5bb
Instruction ID: 146ed9da6a834a5ed687babd198ee301387ca8631065426305bbed42489dc75e
Opcode Fuzzy Hash: d672ca50e05ebcdcebb7c5a9ea147289bdc9b25aa2d545ebc71615c6c905d5bb
Instruction Fuzzy Hash: 3611E173320661ABE7355A38EE45BA676B1FB54318F08173DF252F61A2C765E8409610

Uniqueness

Uniqueness Score: -1.00%

Function 0349A1C8 Relevance: 3.0, APIs: 2, Instructions: 44COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,00000001), ref: 0349A1E1
AdjustTokenPrivileges.ADVAPI32(00000001,00000000,00000001,00000010,00000000,00000000), ref: 0349A227

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: AdjustLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 3615134276-0
Opcode ID: 3992198560680043c1a4ebb4f76401151de65d23c5b96bc30384c003c43489e7
Instruction ID: c7643f2463f999402a2073642d73c3f2a7611ff74388f0161d1ed1854272e2b7
Opcode Fuzzy Hash: 3992198560680043c1a4ebb4f76401151de65d23c5b96bc30384c003c43489e7
Instruction Fuzzy Hash: BC018470A00209AFEF00DFA4CC45BAE7FF8AB08704F40042AE915FE280E7B596558B58

Uniqueness

Uniqueness Score: -1.00%

Function 00DDCD1F Relevance: 3.0, APIs: 2, Instructions: 37windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00DDCD33
IsIconic.USER32(?), ref: 00DDCD45

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: IconicVisibleWindow
String ID:
API String ID: 1797901696-0
Opcode ID: 808d7088e0e11b546cb6a6c7f537400ec2d5b46026a4f40e8e45eebd7e5bec16
Instruction ID: a98ea5ab8ab05c0a6affc77dc07f781fd1704b01b2636f95651262d4ef4b1999
Opcode Fuzzy Hash: 808d7088e0e11b546cb6a6c7f537400ec2d5b46026a4f40e8e45eebd7e5bec16
Instruction Fuzzy Hash: 1AF0E932320505578921163AAC05E1EBA6FEBD2B70F09133BF515932F09AA08C12C1B0

Uniqueness

Uniqueness Score: -1.00%

Function 00DBA66C Relevance: 3.0, APIs: 2, Instructions: 34comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00DBA69A
CoCreateInstance.OLE32(00EF3D00,00000000,00000001,00ECD114,?), ref: 00DBA6B8

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: CreateInitializeInstance
String ID:
API String ID: 3519745914-0
Opcode ID: 408704309a247347634366cca72de5ea739dffc99ddf79a7fa2a45e03b35e351
Instruction ID: ef63b39151a082e8116df5cba4f6ad72ddc55b575ea0da19b0b676af847773a2
Opcode Fuzzy Hash: 408704309a247347634366cca72de5ea739dffc99ddf79a7fa2a45e03b35e351
Instruction Fuzzy Hash: 07F0BEB2284602EFC720AE589CC8ED677A5EB80309F2D043DF102AA000DB7248878B72

Uniqueness

Uniqueness Score: -1.00%

Function 00DE2018 Relevance: 1.5, APIs: 1, Instructions: 28windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00DE2038

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Iconic
String ID:
API String ID: 110040809-0
Opcode ID: db74f32f067234c46775b88de8d21a915d71e90f16c2c2f99afb7433645a1a62
Instruction ID: 2a7eb864db48fd20fc860c08c939a28e3a600735871a540b542da57cc7cb270c
Opcode Fuzzy Hash: db74f32f067234c46775b88de8d21a915d71e90f16c2c2f99afb7433645a1a62
Instruction Fuzzy Hash: 41E0DF3339C5016B96253639FC49E3A27E9EBC8B217180229F18BD30E0EE51D8029170

Uniqueness

Uniqueness Score: -1.00%

Function 034B1165 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
Instruction ID: fdcf79c8479a50730edcf2d14d5761898b15c31167fa01a155b946bcab5b3a2c
Opcode Fuzzy Hash: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
Instruction Fuzzy Hash: 41C15273D0B5B205CB35C62D08682BFEE766E81A8131F87D6DCD03F689C626AD0595F4

Uniqueness

Uniqueness Score: -1.00%

Function 034B0DC7 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
Instruction ID: aacb077bbc7b88f0d9a48476e52a11b5e43442477af729ca253bc3d95ba4cfed
Opcode Fuzzy Hash: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
Instruction Fuzzy Hash: F9B16373D0B5B205C735C52E08682BBEE726E81A8231FC7D6DCD03F389C626AD1595E4

Uniqueness

Uniqueness Score: -1.00%

Function 034A0360 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 2f829402c3ab207cf10655af0b5e9d2ce35fef1072468b30baf732a7a9be828f
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 15115CB724598243D614CA3EC8F46BBE795FBF622572C437BD0828F798D263E1459708

Uniqueness

Uniqueness Score: -1.00%

Function 0348462C Relevance: 70.2, APIs: 37, Strings: 3, Instructions: 248stringnetworktimeCOMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32(?), ref: 03484657
InterlockedExchange.KERNEL32(?,00000000), ref: 03484666
timeGetTime.WINMM ref: 0348466C
socket.WS2_32(00000002,00000001,00000006), ref: 034846AA
lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 034846D5
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 034846E3
lstrlenW.KERNEL32(?,?,000000CA,00000000,00000000), ref: 0348470D
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 0348471B
gethostbyname.WS2_32(?), ref: 0348472D

Strings

%s, xrefs: 03484645
0u, xrefs: 03484877
CTcpSocket::Connect, xrefs: 03484640

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen$EventExchangeInterlockedResetTimegethostbynamesockettime
String ID: %s$0u$CTcpSocket::Connect
API String ID: 393477959-619272618
Opcode ID: f647f7a5ab867143878b08d505518ac6bb579dabd735370b3024d01db70b0cbf
Instruction ID: 0a49af6b578599b13ce370bf733c4a617aaaafd3b23382eecee69c0779222b2b
Opcode Fuzzy Hash: f647f7a5ab867143878b08d505518ac6bb579dabd735370b3024d01db70b0cbf
Instruction Fuzzy Hash: 1DA1F271A40208AFEB14EFE4DC4AFADBBB4BF08701F104015F615BE2D5D7B2A9548B64

Uniqueness

Uniqueness Score: -1.00%

Function 00E12705 Relevance: 51.1, APIs: 28, Strings: 1, Instructions: 323fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00E1270F
GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?,00000A90,00E12CC3,?,00000000,00000084), ref: 00E127BE
__wsplitpath_s.LIBCMT ref: 00E127EA
__wsplitpath_s.LIBCMT ref: 00E12809
__wmakepath_s.LIBCMT ref: 00E12836
_wcslen.LIBCMT ref: 00E12842
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,00000A90,00E12CC3,?,00000000,00000084), ref: 00E1287A

Strings

, xrefs: 00E12BB6

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: File__wsplitpath_s$CreateH_prolog3_ModuleName__wmakepath_s_wcslen
String ID:
API String ID: 1221639053-3916222277
Opcode ID: 202ca87374d8e063fa85c38286c72f01b87d5531ff2a3d74b5a3bbc85cb66998
Instruction ID: 01d1b7558318b4ad2fffe2cf60fb1fa76ee5de10b07043ca1d09fc75f8774876
Opcode Fuzzy Hash: 202ca87374d8e063fa85c38286c72f01b87d5531ff2a3d74b5a3bbc85cb66998
Instruction Fuzzy Hash: 05D10871A00228AEDB209F60CC85EEDB7B8FB0A314F1450A9F60AB2551DB755FD4DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00DCC213 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 457keyboardCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00DCC21A
GetParent.USER32(?), ref: 00DCC275
GetParent.USER32(?), ref: 00DCC291
UpdateWindow.USER32(?), ref: 00DCC2D9
SetCursor.USER32 ref: 00DCC2FE
GetAsyncKeyState.USER32(00000012), ref: 00DCC360
UpdateWindow.USER32(?), ref: 00DCC466
InflateRect.USER32(?,00000002,00000002), ref: 00DCC4C6
SetCapture.USER32(?), ref: 00DCC4CF
SetCursor.USER32(00000000), ref: 00DCC4E7
IsWindow.USER32(?), ref: 00DCC585
GetCursorPos.USER32(?), ref: 00DCC5C4
ScreenToClient.USER32(?,?), ref: 00DCC5D1
PtInRect.USER32(?,?,?), ref: 00DCC5ED
RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 00DCC661
GetParent.USER32(?), ref: 00DCC67C
GetParent.USER32(?), ref: 00DCC690
RedrawWindow.USER32(?,00000000,00000000,00000505,00000000), ref: 00DCC6A2
RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 00DCC6C4
GetParent.USER32(?), ref: 00DCC6CD
GetParent.USER32(?), ref: 00DCC6E8
GetParent.USER32(?), ref: 00DCC6F3
InvalidateRect.USER32(?,?,00000001), ref: 00DCC72B
RedrawWindow.USER32(?,00000000,00000000,00000505,00000000,?,00000000), ref: 00DCC863

Part of subcall function 00DC99E6: InvalidateRect.USER32(?,?,00000001), ref: 00DC9A5B
Part of subcall function 00DC99E6: InflateRect.USER32(?,?,?), ref: 00DC9AA1
Part of subcall function 00DC99E6: RedrawWindow.USER32(?,?,00000000,00000401,?,?), ref: 00DC9AB4

UpdateWindow.USER32(?), ref: 00DCC7C3
UpdateWindow.USER32(?), ref: 00DCC822
SetCapture.USER32(?,?,00000000), ref: 00DCC82D

Strings

px, xrefs: 00DCC27E

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Window$Parent$RectRedraw$Update$Cursor$CaptureInflateInvalidate$AsyncClientH_prolog3_ScreenState
String ID: px
API String ID: 991125134-3846731130
Opcode ID: 33a8cd5121e22572f5fd42a15c66447e84a2bc241d856a7f96b2a625ef6cd4ed
Instruction ID: fa88777070b626cbef8b13114c1b79b2d30615f41d33e39bb74174656a318112
Opcode Fuzzy Hash: 33a8cd5121e22572f5fd42a15c66447e84a2bc241d856a7f96b2a625ef6cd4ed
Instruction Fuzzy Hash: DE026570610205DFCF15AF64C898EAD7BB5FF48750B1852BDF90AAB2A6CB318845DF60

Uniqueness

Uniqueness Score: -1.00%

Function 03491660 Relevance: 42.1, APIs: 7, Strings: 17, Instructions: 141registrysleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0349FB22: _malloc.LIBCMT ref: 0349FB3C

_memmove.LIBCMT ref: 03491689
RegOpenKeyExW.ADVAPI32(80000001,Console,00000000,00000002,?), ref: 034916A6
RegDeleteValueW.ADVAPI32(?,IpDate), ref: 034916B7
RegSetValueExW.ADVAPI32(?,IpDate,00000000,00000003,?,?), ref: 034916E5
RegCloseKey.ADVAPI32(?), ref: 0349170C
RegCloseKey.ADVAPI32(?), ref: 03491839
Sleep.KERNEL32(000007D0), ref: 03491844

Strings

p2:, xrefs: 0349178C
156.255.0.191, xrefs: 03491787
o2:, xrefs: 034917A9
t3:, xrefs: 0349181D
IpDate, xrefs: 034916DA
Console, xrefs: 0349169C
o3:, xrefs: 03491800
1386, xrefs: 034917A4
o1:, xrefs: 03491752
1386, xrefs: 0349174D
156.255.0.191, xrefs: 03491730
p3:, xrefs: 034917E3
156.255.0.191, xrefs: 034917DE
p1:, xrefs: 03491735
IpDate, xrefs: 034916AC
t2:, xrefs: 034917C6
t1:, xrefs: 0349176F

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: CloseValue$DeleteOpenSleep_malloc_memmove
String ID: 1386$1386$156.255.0.191$156.255.0.191$156.255.0.191$Console$IpDate$IpDate$o1:$o2:$o3:$p1:$p2:$p3:$t1:$t2:$t3:
API String ID: 1253400751-1367307306
Opcode ID: 868718e845f89a1e9d63d3c54739b2bd0a991e6f8195d4be3c7b6a344adb0d55
Instruction ID: de406ae8205714f435894e67c672a5c9d7098e10a3fd5396536456947cdb9c70
Opcode Fuzzy Hash: 868718e845f89a1e9d63d3c54739b2bd0a991e6f8195d4be3c7b6a344adb0d55
Instruction Fuzzy Hash: 2741AEB5F903447FEB11FB148C42FAD3674EB10B05F100097B96DBE182EAB16E658E69

Uniqueness

Uniqueness Score: -1.00%

Function 00DFC289 Relevance: 42.0, APIs: 12, Strings: 12, Instructions: 45registryclipboardCOMMON

Download Yara Rule

APIs

RegisterClipboardFormatW.USER32(Native), ref: 00DFC29A
RegisterClipboardFormatW.USER32(OwnerLink), ref: 00DFC2A3
RegisterClipboardFormatW.USER32(ObjectLink), ref: 00DFC2AD
RegisterClipboardFormatW.USER32(Embedded Object), ref: 00DFC2B7
RegisterClipboardFormatW.USER32(Embed Source), ref: 00DFC2C1
RegisterClipboardFormatW.USER32(Link Source), ref: 00DFC2CB
RegisterClipboardFormatW.USER32(Object Descriptor), ref: 00DFC2D5
RegisterClipboardFormatW.USER32(Link Source Descriptor), ref: 00DFC2DF
RegisterClipboardFormatW.USER32(FileName), ref: 00DFC2E9
RegisterClipboardFormatW.USER32(FileNameW), ref: 00DFC2F3
RegisterClipboardFormatW.USER32(Rich Text Format), ref: 00DFC2FD
RegisterClipboardFormatW.USER32(RichEdit Text and Objects), ref: 00DFC307

Strings

Object Descriptor, xrefs: 00DFC2CD
FileNameW, xrefs: 00DFC2EB
Embedded Object, xrefs: 00DFC2AF
Embed Source, xrefs: 00DFC2B9
OwnerLink, xrefs: 00DFC29C
Link Source, xrefs: 00DFC2C3
Native, xrefs: 00DFC293
ObjectLink, xrefs: 00DFC2A5
Link Source Descriptor, xrefs: 00DFC2D7
FileName, xrefs: 00DFC2E1
Rich Text Format, xrefs: 00DFC2F5
RichEdit Text and Objects, xrefs: 00DFC2FF

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: ClipboardFormatRegister
String ID: Embed Source$Embedded Object$FileName$FileNameW$Link Source$Link Source Descriptor$Native$Object Descriptor$ObjectLink$OwnerLink$Rich Text Format$RichEdit Text and Objects
API String ID: 1228543026-2889995556
Opcode ID: a9fcf7d1e02226d8a77e3db6035ce4eab475412ac7f51fdb2511c39199503748
Instruction ID: 356117379ac3de8a28702ee360810d9259532e1f160cd8a508e29fa6c0426489
Opcode Fuzzy Hash: a9fcf7d1e02226d8a77e3db6035ce4eab475412ac7f51fdb2511c39199503748
Instruction Fuzzy Hash: 9401C770E4176A7ACB109FB79C0D80ABEA0FE457603005A37A01CA7B50EBB4D652CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 00DD4238 Relevance: 40.8, APIs: 27, Instructions: 344COMMON

Download Yara Rule

APIs

Part of subcall function 00DB5A40: GetWindowLongW.USER32(?,000000EC), ref: 00DB5A4B

GetClientRect.USER32(?,?), ref: 00DD42AA
CopyRect.USER32(?,?), ref: 00DD42DC

Part of subcall function 00DAB6D8: ScreenToClient.USER32(?,?), ref: 00DAB6E9
Part of subcall function 00DAB6D8: ScreenToClient.USER32(?,?), ref: 00DAB6F6

IntersectRect.USER32(?,?,?), ref: 00DD432B
SetRectEmpty.USER32(?), ref: 00DD4339
IntersectRect.USER32(?,?,?), ref: 00DD436B
SetRectEmpty.USER32(?), ref: 00DD4379
IsRectEmpty.USER32(?), ref: 00DD4389
IsRectEmpty.USER32(?), ref: 00DD4393
GetWindowRect.USER32(?,?), ref: 00DD43BE
GetWindowRect.USER32(?,?), ref: 00DD43E1
UnionRect.USER32(?,?,?), ref: 00DD43FE
EqualRect.USER32(?,?), ref: 00DD440C
GetWindowRect.USER32(?,?), ref: 00DD4497
IsRectEmpty.USER32(?), ref: 00DD4501
MapWindowPoints.USER32(?,?,?,00000002), ref: 00DD451E
RedrawWindow.USER32(?,?,00000000,00000185), ref: 00DD4532
IsRectEmpty.USER32(?), ref: 00DD454C
EqualRect.USER32(?,?), ref: 00DD455A
MapWindowPoints.USER32(?,?,?,00000002), ref: 00DD4577
RedrawWindow.USER32(?,?,00000000,00000185), ref: 00DD458B
UpdateWindow.USER32(?), ref: 00DD45A0
IsRectEmpty.USER32(?), ref: 00DD45E4
InvalidateRect.USER32(?,?,00000001), ref: 00DD45F9
IsRectEmpty.USER32(?), ref: 00DD45FF
EqualRect.USER32(?,?), ref: 00DD4611
InvalidateRect.USER32(?,?,00000001), ref: 00DD4624
UpdateWindow.USER32(?), ref: 00DD4629

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Rect$Window$Empty$ClientEqual$IntersectInvalidatePointsRedrawScreenUpdate$CopyLongUnion
String ID:
API String ID: 4119827998-0
Opcode ID: afd40c25b71b13703cb81b7e066f97f20aa1bca2cfa42335a5e2de7dbe0dcf77
Instruction ID: 6697e804967040a91e444ac84f6664e55b817fa645483ac6adde9a6f2c4692da
Opcode Fuzzy Hash: afd40c25b71b13703cb81b7e066f97f20aa1bca2cfa42335a5e2de7dbe0dcf77
Instruction Fuzzy Hash: 76D1167290021D9FCF10DFA4C984AEEB7B9FF09304F1441AAE909E7255DB71AA49CF61

Uniqueness

Uniqueness Score: -1.00%

Function 034A87D6 Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,034A1D1C,034C3898,00000008,034A1EB0,?,?,?,034C38B8,0000000C,034A1F6B,?), ref: 034A87DE
__mtterm.LIBCMT ref: 034A87EA

Part of subcall function 034A84B5: DecodePointer.KERNEL32(00000007,034A1DDF,034A1DC5,034C3898,00000008,034A1EB0,?,?,?,034C38B8,0000000C,034A1F6B,?), ref: 034A84C6
Part of subcall function 034A84B5: TlsFree.KERNEL32(0000001C,034A1DDF,034A1DC5,034C3898,00000008,034A1EB0,?,?,?,034C38B8,0000000C,034A1F6B,?), ref: 034A84E0
Part of subcall function 034A84B5: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,034A1DDF,034A1DC5,034C3898,00000008,034A1EB0,?,?,?,034C38B8,0000000C,034A1F6B,?), ref: 034ABC65
Part of subcall function 034A84B5: _free.LIBCMT ref: 034ABC68
Part of subcall function 034A84B5: DeleteCriticalSection.KERNEL32(0000001C,?,?,034A1DDF,034A1DC5,034C3898,00000008,034A1EB0,?,?,?,034C38B8,0000000C,034A1F6B,?), ref: 034ABC8F

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 034A8800
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 034A880D
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 034A881A
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 034A8827
TlsAlloc.KERNEL32(?,?,034A1D1C,034C3898,00000008,034A1EB0,?,?,?,034C38B8,0000000C,034A1F6B,?), ref: 034A8877
TlsSetValue.KERNEL32(00000000,?,?,034A1D1C,034C3898,00000008,034A1EB0,?,?,?,034C38B8,0000000C,034A1F6B,?), ref: 034A8892
__init_pointers.LIBCMT ref: 034A889C
EncodePointer.KERNEL32(?,?,034A1D1C,034C3898,00000008,034A1EB0,?,?,?,034C38B8,0000000C,034A1F6B,?), ref: 034A88AD
EncodePointer.KERNEL32(?,?,034A1D1C,034C3898,00000008,034A1EB0,?,?,?,034C38B8,0000000C,034A1F6B,?), ref: 034A88BA
EncodePointer.KERNEL32(?,?,034A1D1C,034C3898,00000008,034A1EB0,?,?,?,034C38B8,0000000C,034A1F6B,?), ref: 034A88C7
EncodePointer.KERNEL32(?,?,034A1D1C,034C3898,00000008,034A1EB0,?,?,?,034C38B8,0000000C,034A1F6B,?), ref: 034A88D4
DecodePointer.KERNEL32(Function_00028639,?,?,034A1D1C,034C3898,00000008,034A1EB0,?,?,?,034C38B8,0000000C,034A1F6B,?), ref: 034A88F5
__calloc_crt.LIBCMT ref: 034A890A
DecodePointer.KERNEL32(00000000,?,?,034A1D1C,034C3898,00000008,034A1EB0,?,?,?,034C38B8,0000000C,034A1F6B,?), ref: 034A8924
GetCurrentThreadId.KERNEL32 ref: 034A8936

Strings

FlsGetValue, xrefs: 034A8802
FlsAlloc, xrefs: 034A87FA
FlsFree, xrefs: 034A881C
FlsSetValue, xrefs: 034A880F
KERNEL32.DLL, xrefs: 034A87D9

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3698121176-3819984048
Opcode ID: 29e17cde9361e670a4bff5a802be1bc5f11fde1bcef0626308c4f7b718d301d3
Instruction ID: ba9ba26dc1a6df025f28f20499d66b01ee13f0da6cb0633566f1535e61ce906a
Opcode Fuzzy Hash: 29e17cde9361e670a4bff5a802be1bc5f11fde1bcef0626308c4f7b718d301d3
Instruction Fuzzy Hash: 3B31C2318107059FCB60FF7AAC0861A7FE6EB55B20B14451BD450EE398EB7C9449CF69

Uniqueness

Uniqueness Score: -1.00%

Function 034896E4 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 160memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 03489711
wsprintfW.USER32 ref: 0348972B

Part of subcall function 034895B9: GetCurrentProcessId.KERNEL32(C463F85C,?,00000000,034B88FE,000000FF,?,0348973F,?), ref: 034895DE
Part of subcall function 034895B9: OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,034B88FE,000000FF,?,0348973F,?), ref: 034895EC

_memset.LIBCMT ref: 03489752
GetVersionExW.KERNEL32(0000011C), ref: 0348976B
GetCurrentProcess.KERNEL32(00000008,00000000), ref: 034897A3
OpenProcessToken.ADVAPI32(00000000), ref: 034897AA
GetTokenInformation.ADVAPI32(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000), ref: 034897D2
GetLastError.KERNEL32 ref: 034897DC
LocalAlloc.KERNEL32(00000040,00000000), ref: 034897EF
GetTokenInformation.ADVAPI32(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000), ref: 0348981F
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 03489831
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 03489844
LocalFree.KERNEL32(00000000), ref: 03489855
CloseHandle.KERNEL32(00000000), ref: 03489861
wsprintfW.USER32 ref: 034898C6
wsprintfW.USER32 ref: 034898E5
wsprintfW.USER32 ref: 03489904
wsprintfW.USER32 ref: 03489923
wsprintfW.USER32 ref: 03489942

Strings

NO/, xrefs: 034898B8
None/%s, xrefs: 03489934
-N/, xrefs: 034898D7

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: wsprintf$Process$CurrentToken$AuthorityInformationLocalOpen$AllocCloseCountErrorFreeHandleLastVersion_memset
String ID: -N/$NO/$None/%s
API String ID: 1531066235-3095023699
Opcode ID: 5eb0f4d5dbbca9baf1c79634c00dbdeaa377cb63f3391d8ee223494316db7114
Instruction ID: 8be8d558f59d303f076802c12b81f98771c31bc19d223775d74d21ed158cb926
Opcode Fuzzy Hash: 5eb0f4d5dbbca9baf1c79634c00dbdeaa377cb63f3391d8ee223494316db7114
Instruction Fuzzy Hash: 07612730910218EFEF61EF65DC49BEDBBB4EF09305F044496E609AA2A0D7349B94CF49

Uniqueness

Uniqueness Score: -1.00%

Function 03490A6D Relevance: 33.4, APIs: 10, Strings: 9, Instructions: 133registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,Console,00000000,00020019,?), ref: 03490ABB
RegQueryValueExW.ADVAPI32(?,IpDatespecial,00000000,00000003,00000000,00000000), ref: 03490AD9
RegOpenKeyExW.ADVAPI32(80000001,Console,00000000,00000002,?), ref: 03491967
RegDeleteValueW.ADVAPI32(?,IpDatespecial), ref: 03491978
RegCloseKey.ADVAPI32(?), ref: 03491984

Strings

IpDatespecial, xrefs: 0349196D
error%c, xrefs: 034919BC
IpDatespecial, xrefs: 03491921
Console, xrefs: 034918E0
Console, xrefs: 03490AB1
IpDatespecial, xrefs: 03490AD1
e, xrefs: 03490B26
Console, xrefs: 0349195D
IpDatespecial, xrefs: 034918F0

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: OpenValue$CloseDeleteQuery
String ID: error%c$Console$Console$Console$IpDatespecial$IpDatespecial$IpDatespecial$IpDatespecial$e
API String ID: 458408797-217147615
Opcode ID: 8b73cfc3ebc7e63a6f2db9614ef7ddd22f74bd1cd7bf5b189e821888365bd6a9
Instruction ID: 07db8e2793e05b0d8c6a69fff3b338492b16ae5cf31e6a5bcc33eb7167e0d79d
Opcode Fuzzy Hash: 8b73cfc3ebc7e63a6f2db9614ef7ddd22f74bd1cd7bf5b189e821888365bd6a9
Instruction Fuzzy Hash: 11512770A41218EFEF20DF44DC59BEEBBB8AB04705F5400A7E60ABE291D7715A84CF19

Uniqueness

Uniqueness Score: -1.00%

Function 0348AB70 Relevance: 33.4, APIs: 13, Strings: 6, Instructions: 122libraryloaderfileCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wininet.dll), ref: 0348ABA9
GetProcAddress.KERNEL32(?,InternetOpenW), ref: 0348ABBA
FreeLibrary.KERNEL32(00000000), ref: 0348ABEB
GetProcAddress.KERNEL32(?,InternetOpenUrlW), ref: 0348AC00
FreeLibrary.KERNEL32(00000000), ref: 0348AC32
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0348AC51
_memset.LIBCMT ref: 0348AC72
GetProcAddress.KERNEL32(?,InternetReadFile), ref: 0348AC82
WriteFile.KERNEL32(000000FF,?,00000000,00000000,00000000), ref: 0348ACDE
CloseHandle.KERNEL32(000000FF), ref: 0348ACF4
Sleep.KERNEL32(00000001), ref: 0348ACFC
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 0348AD0A
FreeLibrary.KERNEL32(00000000), ref: 0348AD2B

Strings

InternetReadFile, xrefs: 0348AC7A
InternetOpenUrlW, xrefs: 0348ABF8
MSIE 6.0, xrefs: 0348ABCB
wininet.dll, xrefs: 0348ABA4
InternetCloseHandle, xrefs: 0348AD02
InternetOpenW, xrefs: 0348ABB2

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: AddressLibraryProc$Free$File$CloseCreateHandleLoadSleepWrite_memset
String ID: InternetCloseHandle$InternetOpenUrlW$InternetOpenW$InternetReadFile$MSIE 6.0$wininet.dll
API String ID: 2728150189-1099148085
Opcode ID: 9a49b65d46a22f436843a93aaf32fc8f9d863d06abdb4b9573c1e65dffd80146
Instruction ID: a5fa0d1358252d80b7f133580899e87862b1a46b8963d6c33dfa331808201505
Opcode Fuzzy Hash: 9a49b65d46a22f436843a93aaf32fc8f9d863d06abdb4b9573c1e65dffd80146
Instruction Fuzzy Hash: 62512B70911209EFDF20EF94CD09BEDBBF1BB04706F208096E551B9190DBB55A84CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00E74E0E Relevance: 31.9, APIs: 16, Strings: 2, Instructions: 368COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00E74E15
GetCursorPos.USER32(?), ref: 00E74EC7
IsRectEmpty.USER32(?), ref: 00E74EFB
IsRectEmpty.USER32(?), ref: 00E74F21
IsRectEmpty.USER32(?), ref: 00E74F3D
GetWindowRect.USER32(?,?), ref: 00E74F63
SetRectEmpty.USER32(?), ref: 00E7501A

Part of subcall function 00DA6304: _malloc.LIBCMT ref: 00DA6322

GetWindowRect.USER32(?,?), ref: 00E74F97
PtInRect.USER32(?,?,?), ref: 00E74FD7
OffsetRect.USER32(?,?,00000000), ref: 00E74FEF

Part of subcall function 00E53AB8: __EH_prolog3.LIBCMT ref: 00E53ABF
Part of subcall function 00E53AB8: SetRectEmpty.USER32(?), ref: 00E53BC6
Part of subcall function 00E53AB8: SetRectEmpty.USER32(?), ref: 00E53BCF

OffsetRect.USER32(?,?,?), ref: 00E75179
IsRectEmpty.USER32(?), ref: 00E7519E
IsRectEmpty.USER32(?), ref: 00E751C3
PtInRect.USER32(?,?,?), ref: 00E751D3
OffsetRect.USER32(?,?,?), ref: 00E751FC
IsRectEmpty.USER32(?), ref: 00E75213

Strings

px, xrefs: 00E74F71, 00E74F76, 00E74F83, 00E7509C, 00E750A1, 00E750AE
X', xrefs: 00E74F4E, 00E75084

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Rect$Empty$Offset$Window$CursorH_prolog3H_prolog3__malloc
String ID: X'$px
API String ID: 1330315114-282588210
Opcode ID: 0498ace85f814a65aaf998bc6d7a44e4f5f4812be309774c80d04990a7aa9826
Instruction ID: 9683f0c218ba613484ab0d8386e56382935f83f4fbaf344a18e8f787694f3aa2
Opcode Fuzzy Hash: 0498ace85f814a65aaf998bc6d7a44e4f5f4812be309774c80d04990a7aa9826
Instruction Fuzzy Hash: 18E16B72A00618DFCF15DFA4C884AAEBBF9FF08704F149169E909BB259DB71D941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03492601 Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 205stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0349262F

Part of subcall function 0348E3C2: _wcsrchr.LIBCMT ref: 0348E3CB

_memset.LIBCMT ref: 03492670
lstrlenW.KERNEL32(00000000), ref: 03492691

Strings

D, xrefs: 034928A1
WinSta0\Default, xrefs: 034928B1
%s\shell\open\command, xrefs: 03492777
"%1, xrefs: 03492810

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: _memset$_wcsrchrlstrlen
String ID: "%1$%s\shell\open\command$D$WinSta0\Default
API String ID: 348185879-33419044
Opcode ID: fae003af461334035f96ebeea6610cddf1d6c6ba364e2d1edd995a739dacf4de
Instruction ID: ab9d5405c6705bb0f67223ba64ad42c320ca40bd4447abe2e489245c20fc931e
Opcode Fuzzy Hash: fae003af461334035f96ebeea6610cddf1d6c6ba364e2d1edd995a739dacf4de
Instruction Fuzzy Hash: 0B81107194431CAEEF60DB65DC45BD977B8AB04700F0088E7A608EA190EAB55AC5CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00E001B5 Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 184windowstringCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00E001BF
SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00E001F3
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 00E00204
SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00E002EF
SendMessageW.USER32(?,00001102,00000002,00000000), ref: 00E00305
SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00E0031A
SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000208), ref: 00E00356
SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000208), ref: 00E00379
lstrcmpW.KERNEL32(?,?), ref: 00E00391

Strings

8H, xrefs: 00E00268

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: MessageSend$FileInfo$H_prolog3_lstrcmp
String ID: 8H
API String ID: 597947708-2111872595
Opcode ID: 3cae1be75f1fa1354143ba23df0095a584d616bc0bfd4a5e02f0847597430ec8
Instruction ID: c4ca5ffc7bef331f226e8803fada82b74fd37b71e0f96ccced2fbe0a34e84225
Opcode Fuzzy Hash: 3cae1be75f1fa1354143ba23df0095a584d616bc0bfd4a5e02f0847597430ec8
Instruction Fuzzy Hash: 70812171A00A18AFEF258B20CC45F9ABBB5FB08346F0051E9E608B61E1EB715ED4DF10

Uniqueness

Uniqueness Score: -1.00%

Function 00DB41F7 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 150COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00DB4201

Part of subcall function 00DB6A4D: __EH_prolog3.LIBCMT ref: 00DB6A54

CallNextHookEx.USER32(?,?,?,?), ref: 00DB4241

Part of subcall function 00DA6451: __CxxThrowException@8.LIBCMT ref: 00DA6467
Part of subcall function 00DA6451: __EH_prolog3.LIBCMT ref: 00DA6474

_memset.LIBCMT ref: 00DB429A

Part of subcall function 00DB0F2D: ActivateActCtx.KERNEL32(?,?,00EFEF60,00000010), ref: 00DB0F4D

GetClassLongW.USER32(?,000000E0), ref: 00DB42CE
SetWindowLongW.USER32(?,000000FC,Function_00012DFA), ref: 00DB4323
GetClassNameW.USER32(?,?,00000100), ref: 00DB435A
GetWindowLongW.USER32(?,000000FC), ref: 00DB4380
GetPropW.USER32(?,AfxOldWndProc423), ref: 00DB4397
SetPropW.USER32(?,AfxOldWndProc423,?), ref: 00DB43A9
GetPropW.USER32(?,AfxOldWndProc423), ref: 00DB43B1
GlobalAddAtomW.KERNEL32(AfxOldWndProc423), ref: 00DB43C0
SetWindowLongW.USER32(?,000000FC,Function_00014090), ref: 00DB43CE
CallNextHookEx.USER32(?,00000003,?,?), ref: 00DB43E0
UnhookWindowsHookEx.USER32(?), ref: 00DB43F4

Strings

AfxOldWndProc423, xrefs: 00DB4390, 00DB4395, 00DB43A7, 00DB43AF, 00DB43BF
#32768, xrefs: 00DB42AC, 00DB42B1, 00DB4370

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Long$HookPropWindow$CallClassH_prolog3Next$ActivateAtomException@8GlobalH_prolog3_NameThrowUnhookWindows_memset
String ID: #32768$AfxOldWndProc423
API String ID: 1343327722-2141921550
Opcode ID: fc12e8fd2d03b622986001613fae658f462fffd2ae0b450f2c02a1834d06edbf
Instruction ID: d1f5bedfa2cebef2db531d4c8c108a5f8491b9c8fd71b00cf87718de89d21665
Opcode Fuzzy Hash: fc12e8fd2d03b622986001613fae658f462fffd2ae0b450f2c02a1834d06edbf
Instruction Fuzzy Hash: CA51A03154022AEFCB21EB21DC4DFDA7BB8EF15324F0841A5F40AA6291DB358E55CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DBA7ED Relevance: 28.1, APIs: 7, Strings: 9, Instructions: 72libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00DA7416: ActivateActCtx.KERNEL32(?,?,00EFE768,00000010), ref: 00DA7436

GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 00DBA817
GetProcAddress.KERNEL32(?,DrawThemeTextEx), ref: 00DBA82A
GetProcAddress.KERNEL32(?,BeginBufferedPaint), ref: 00DBA83D
GetProcAddress.KERNEL32(?,EndBufferedPaint), ref: 00DBA850
GetProcAddress.KERNEL32(00000000,DwmExtendFrameIntoClientArea), ref: 00DBA89A
GetProcAddress.KERNEL32(?,DwmDefWindowProc), ref: 00DBA8AD
GetProcAddress.KERNEL32(?,DwmIsCompositionEnabled), ref: 00DBA8C0

Strings

UxTheme.dll, xrefs: 00DBA7F2
DrawThemeTextEx, xrefs: 00DBA819
DrawThemeParentBackground, xrefs: 00DBA811
BeginBufferedPaint, xrefs: 00DBA82C
EndBufferedPaint, xrefs: 00DBA83F
DwmIsCompositionEnabled, xrefs: 00DBA8AF
DwmExtendFrameIntoClientArea, xrefs: 00DBA894
dwmapi.dll, xrefs: 00DBA87A
DwmDefWindowProc, xrefs: 00DBA89C

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: AddressProc$Activate
String ID: BeginBufferedPaint$DrawThemeParentBackground$DrawThemeTextEx$DwmDefWindowProc$DwmExtendFrameIntoClientArea$DwmIsCompositionEnabled$EndBufferedPaint$UxTheme.dll$dwmapi.dll
API String ID: 2388279185-3875329446
Opcode ID: 9bf2df45c1283fd066e2a49a4357ceba2ab8c058fd5d55139d58483b8df6fc65
Instruction ID: 77c76b3f193731cebe6ed5e99a9f90e7c7576c97ccc18430d22aa93e52efb2de
Opcode Fuzzy Hash: 9bf2df45c1283fd066e2a49a4357ceba2ab8c058fd5d55139d58483b8df6fc65
Instruction Fuzzy Hash: 522180B0945746AFC7317F758D88EDBFAE4EF49304F054C3EE5BAA3211DA7664028A60

Uniqueness

Uniqueness Score: -1.00%

Function 00E00A38 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 230windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00E00A3F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00E00A8A
ClientToScreen.USER32(?,?), ref: 00E00ABF
_memset.LIBCMT ref: 00E00AFF
SendMessageW.USER32 ref: 00E00B1E
SHGetDesktopFolder.SHELL32(?), ref: 00E00B46
GetParent.USER32(?), ref: 00E00B6E
CreatePopupMenu.USER32 ref: 00E00BB0

Strings

$, xrefs: 00E00C58

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: MessageSend$ClientCreateDesktopFolderH_prolog3_MenuParentPopupScreen_memset
String ID: $
API String ID: 937397865-3993045852
Opcode ID: 46a6d982b8b0b6ec4e7528fdecb8a25baeefd1a1f12a208b3a9f4f3dd9401947
Instruction ID: 907f414b57f7e4ba11fb6dcb2af78559781739ca0702a60f6af12bd96b0285e8
Opcode Fuzzy Hash: 46a6d982b8b0b6ec4e7528fdecb8a25baeefd1a1f12a208b3a9f4f3dd9401947
Instruction Fuzzy Hash: 7F911671A01218AFDB11DFA4C888EADBBB9FF08B14F145129F516F7291C7729981CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 03488DC4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 203stringregistryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 03488DFF
lstrcatW.KERNEL32(034D09F0), ref: 03488E49
lstrcatW.KERNEL32(034D09F0,034C0848), ref: 03488E59
_memset.LIBCMT ref: 03488F57
wsprintfW.USER32 ref: 03488FA0
RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,00000000), ref: 03488FC4
_memset.LIBCMT ref: 03488FDC
RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000001,?,00000104), ref: 03489014
lstrcatW.KERNEL32(034D09F0,?), ref: 0348902A
lstrcatW.KERNEL32(034D09F0,034C084C), ref: 0348903A
RegCloseKey.ADVAPI32(00000000), ref: 03489043
lstrlenW.KERNEL32(034D09F0,034BA864,00000000,00000017,?,?,C463F85C), ref: 0348905F
lstrcatW.KERNEL32(034D09F0,034C08C4), ref: 03489073

Part of subcall function 03488C57: _memset.LIBCMT ref: 03488C86
Part of subcall function 03488C57: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 03488C92

Strings

I, xrefs: 03488ECB
CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}, xrefs: 03488F94

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: lstrcat$_memset$CloseCreateOpenQuerySnapshotToolhelp32Valuelstrlenwsprintf
String ID: CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}$I
API String ID: 875560241-999602845
Opcode ID: 2297b8d2765091ef06dd162b44657303bf6a818d5a77b8a2c5f4ca9948df8a7f
Instruction ID: 2bb1fea124607f448d111b670d8235817f1124e0b0e93c9553a57d9cef3b7c6d
Opcode Fuzzy Hash: 2297b8d2765091ef06dd162b44657303bf6a818d5a77b8a2c5f4ca9948df8a7f
Instruction Fuzzy Hash: CF819D70950358EFDB50EBA8DC45BEEBBB8AF09704F10009AF211FE181E7749A44CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0348882E Relevance: 26.4, APIs: 2, Strings: 13, Instructions: 187windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(00000000), ref: 03488845

Strings

Process, xrefs: 034889FA
Malwarebytes, xrefs: 034888B5
Wireshark, xrefs: 0348893F
Sniff, xrefs: 034889D4
TCPEye, xrefs: 034888CC
ApateDNS, xrefs: 0348889E
Fiddler, xrefs: 0348899B
TaskExplorer, xrefs: 034888E3
Capsa, xrefs: 034889C1
CurrPorts, xrefs: 034888FA
Metascan, xrefs: 03488928
Capsa, xrefs: 034889E7
Port, xrefs: 03488911

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: VisibleWindow
String ID: ApateDNS$Capsa$Capsa$CurrPorts$Fiddler$Malwarebytes$Metascan$Port$Process$Sniff$TCPEye$TaskExplorer$Wireshark
API String ID: 1208467747-2830603652
Opcode ID: 335e1e7e1efcd33d54e3f5363383652247d4847ad8667aa176de187384d69a34
Instruction ID: b9f053f689a9131128636b452400a8d1a70aadc6a39cabaf026bc9317e31e7da
Opcode Fuzzy Hash: 335e1e7e1efcd33d54e3f5363383652247d4847ad8667aa176de187384d69a34
Instruction Fuzzy Hash: FB513E39614306AEEF24FB6AEC51BDE7FB4EB01265F71006FE414AC1A1EB71A581960C

Uniqueness

Uniqueness Score: -1.00%

Function 00DAC162 Relevance: 24.2, APIs: 16, Instructions: 245windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00DAC169
CreateCompatibleDC.GDI32(00000000), ref: 00DAC1C4
CreateCompatibleDC.GDI32(00000000), ref: 00DAC1D8
CreateCompatibleDC.GDI32(00000000), ref: 00DAC1EC
GetObjectW.GDI32(00000004,00000018,?), ref: 00DAC208
CreateBitmap.GDI32(?,?,?,?,00000000), ref: 00DAC235
CreateBitmap.GDI32(00000008,00000008,00000001,00000001,00ECBDCC), ref: 00DAC255
CreatePatternBrush.GDI32(?), ref: 00DAC263

Part of subcall function 00DABCC9: DeleteObject.GDI32(00000000), ref: 00DABCD8

CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00DAC285

Part of subcall function 00DABD26: SelectObject.GDI32(?,?), ref: 00DABD31

GetPixel.GDI32(?,00000000,00000000), ref: 00DAC2C5

Part of subcall function 00DAAEC4: SetBkColor.GDI32(?,?), ref: 00DAAEE2
Part of subcall function 00DAAEC4: SetBkColor.GDI32(?,?), ref: 00DAAEEF

BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00DAC2F1
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00EE0086), ref: 00DAC315
FillRect.USER32(?,?,?), ref: 00DAC379
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 00DAC3A9
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,008800C6), ref: 00DAC3C0
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 00DAC3D3

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Create$BitmapCompatibleObject$Color$BrushDeleteFillH_prolog3_PatternPixelRectSelect
String ID:
API String ID: 1818846147-0
Opcode ID: 5c86ce289089ce7b05ccf3c3f945f1c11599ced49069d95db2397a3a1ab5a671
Instruction ID: 28482894b62af2081e9de9e6dae79e9decabf9192dedf86f61165b212d104ce6
Opcode Fuzzy Hash: 5c86ce289089ce7b05ccf3c3f945f1c11599ced49069d95db2397a3a1ab5a671
Instruction Fuzzy Hash: AB91ECB1C0020CAEDF11AFA5DD819EEBFB9EF09314F14802AF505B6162DB725E56DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00DC6F56 Relevance: 24.2, APIs: 16, Instructions: 245windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00DC6F5D
CreateRectRgnIndirect.GDI32(?), ref: 00DC6F9A
CopyRect.USER32(?,?), ref: 00DC6FB0
InflateRect.USER32(?,?,?), ref: 00DC6FC6
IntersectRect.USER32(?,?,?), ref: 00DC6FD4
CreateRectRgnIndirect.GDI32(?), ref: 00DC6FDE
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00DC6FF3

Part of subcall function 00DC6C69: CombineRgn.GDI32(?,?,?,?), ref: 00DC6C8E

CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00DC705B
SetRectRgn.GDI32(?,?,00000004,?,?), ref: 00DC7078
CopyRect.USER32(?,?), ref: 00DC7083
InflateRect.USER32(?,?,?), ref: 00DC7099
IntersectRect.USER32(?,?,?), ref: 00DC70A5
SetRectRgn.GDI32(?,?,?,?,?), ref: 00DC70BA
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00DC70E6

Part of subcall function 00DC6DB8: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,?), ref: 00DC6E01
Part of subcall function 00DC6DB8: CreatePatternBrush.GDI32(00000000), ref: 00DC6E0E
Part of subcall function 00DC6DB8: DeleteObject.GDI32(00000000), ref: 00DC6E1A

Part of subcall function 00DABD82: SelectObject.GDI32(?,00000000), ref: 00DABDA8
Part of subcall function 00DABD82: SelectObject.GDI32(?,?), ref: 00DABDBE

PatBlt.GDI32(00000004,?,?,?,?,005A0049), ref: 00DC7157
PatBlt.GDI32(00000004,?,?,?,?,005A0049), ref: 00DC71AC

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Rect$Create$Object$CopyIndirectInflateIntersectSelect$BitmapBrushCombineDeleteH_prolog3_Pattern
String ID:
API String ID: 3107162742-0
Opcode ID: c620a9c4ac1ec166dbc277be50ab9fe9fc5fb7784d65eadb584bb49ea9b99307
Instruction ID: c4936b341653d6794c7a9e8d7465c5b4ea2bd9730d0f79bce37cfa312af19009
Opcode Fuzzy Hash: c620a9c4ac1ec166dbc277be50ab9fe9fc5fb7784d65eadb584bb49ea9b99307
Instruction Fuzzy Hash: 24A1F2B2900119AFCF05DFE4C995EEEBBB9FF48310F18412AF502A7251DB359A06CB61

Uniqueness

Uniqueness Score: -1.00%

Function 034A53B0 Relevance: 24.1, APIs: 16, Instructions: 95COMMONLIBRARYCODE

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 034A53C9

Part of subcall function 034A587C: Sleep.KERNEL32(00000000), ref: 034A58A4

__calloc_crt.LIBCMT ref: 034A53ED
_free.LIBCMT ref: 034A53FB
__calloc_crt.LIBCMT ref: 034A5409
_free.LIBCMT ref: 034A5419
_free.LIBCMT ref: 034A541F
__copytlocinfo_nolock.LIBCMT ref: 034A542E
__setlocale_nolock.LIBCMT ref: 034A543B
___removelocaleref.LIBCMT ref: 034A5447
___freetlocinfo.LIBCMT ref: 034A544E
_free.LIBCMT ref: 034A5454
__setmbcp_nolock.LIBCMT ref: 034A5466
_free.LIBCMT ref: 034A5474
___removelocaleref.LIBCMT ref: 034A547B
___freetlocinfo.LIBCMT ref: 034A5482
_free.LIBCMT ref: 034A5488

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref$Sleep__copytlocinfo_nolock__setlocale_nolock__setmbcp_nolock
String ID:
API String ID: 888903860-0
Opcode ID: 43098ad2ae2cd6000f5e6116cc7fdcf6ac0371dacfa00957d5322dbd4ef9ba71
Instruction ID: a978cd18f2fbac2654c1fc90c33673ea72440cc734566c600b69f9d6e0b7b851
Opcode Fuzzy Hash: 43098ad2ae2cd6000f5e6116cc7fdcf6ac0371dacfa00957d5322dbd4ef9ba71
Instruction Fuzzy Hash: 9021B639104B04EFEB31EB2FD901A1E7BD4DFA2751B24849FE8C99E260DB719814865C

Uniqueness

Uniqueness Score: -1.00%

Function 03492909 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 191registryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 03492960
_memset.LIBCMT ref: 03492976
_memset.LIBCMT ref: 0349298C
RegOpenKeyExW.ADVAPI32(00000208,00000000,00000000,00020019,0349274F,?,?,?,?,?,?,?), ref: 034929A9

Strings

%08X, xrefs: 03492B74

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: _memset$Open
String ID: %08X
API String ID: 1312665934-3773563069
Opcode ID: 5731e7aac112308b33412d6c5c063100b8f215b194a485a1397178d3c70713e8
Instruction ID: d432b4320bbf0783d38d55f883a6d9cf1b4e93532cb4772cac2f31863e105234
Opcode Fuzzy Hash: 5731e7aac112308b33412d6c5c063100b8f215b194a485a1397178d3c70713e8
Instruction Fuzzy Hash: 13714AB190021DAFEF20DF50CD49BEEBBB8FB04704F0405ABE619AA190D7759A55CF68

Uniqueness

Uniqueness Score: -1.00%

Function 03490872 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 148registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,034BF658,00000000,00020019,?,C463F85C), ref: 034908BE
RegQueryValueExW.ADVAPI32(?,034BF5B4,00000000,?,00000000,00000000), ref: 034908E2
RegQueryValueExW.ADVAPI32(?,034BF5B4,00000000,00000000,?,00000000), ref: 03490934
_memset.LIBCMT ref: 03490995
RmStartSession.RSTRTMGR(?,00000000,?,?,?,?), ref: 034909AA
RmRegisterResources.RSTRTMGR(?,00000001,?,00000000,00000000,00000000,00000000,?,?,?), ref: 034909CF
RmGetList.RSTRTMGR(?,?,00000001,?,?,?,?,?), ref: 034909F5
RmShutdown.RSTRTMGR(?,00000001,00000000,?,?,?), ref: 03490A02
RmRestart.RSTRTMGR(?,00000000,00000000,?,?,?), ref: 03490A0F
RmEndSession.RSTRTMGR(?,?,?,?), ref: 03490A18
RegCloseKey.ADVAPI32(?), ref: 03490A50

Strings

SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run, xrefs: 0349089D
QQPCTray, xrefs: 034908A4

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: QuerySessionValue$CloseListOpenRegisterResourcesRestartShutdownStart_memset
String ID: QQPCTray$SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
API String ID: 3039299356-1898961332
Opcode ID: d9190e9e19ac5f6c59b5556aa05cee8ed4c153dd63bfb6a403ab7b631ba44859
Instruction ID: c38d15eab77379d4422627f161a8a2ed1529648df33ca9acad66fc344571752f
Opcode Fuzzy Hash: d9190e9e19ac5f6c59b5556aa05cee8ed4c153dd63bfb6a403ab7b631ba44859
Instruction Fuzzy Hash: 4451E671900218AFEF11EFA4DD46BEDBBB8FB04700F10406AF605BA190EB746A49CB54

Uniqueness

Uniqueness Score: -1.00%

Function 03490677 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 148registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,034BF5C8,00000000,00020019,?,C463F85C), ref: 034906C3
RegQueryValueExW.ADVAPI32(?,034BF59C,00000000,?,00000000,00000000), ref: 034906E7
RegQueryValueExW.ADVAPI32(?,034BF59C,00000000,00000000,?,00000000), ref: 03490739
_memset.LIBCMT ref: 0349079A
RmStartSession.RSTRTMGR(?,00000000,?,?,?,?), ref: 034907AF
RmRegisterResources.RSTRTMGR(?,00000001,?,00000000,00000000,00000000,00000000,?,?,?), ref: 034907D4
RmGetList.RSTRTMGR(?,?,00000001,?,?,?,?,?), ref: 034907FA
RmShutdown.RSTRTMGR(?,00000001,00000000,?,?,?), ref: 03490807
RmRestart.RSTRTMGR(?,00000000,00000000,?,?,?), ref: 03490814
RmEndSession.RSTRTMGR(?,?,?,?), ref: 0349081D
RegCloseKey.ADVAPI32(?), ref: 03490855

Strings

360Safetray, xrefs: 034906A9
SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run, xrefs: 034906A2

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: QuerySessionValue$CloseListOpenRegisterResourcesRestartShutdownStart_memset
String ID: 360Safetray$SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
API String ID: 3039299356-2034975872
Opcode ID: 2e84818c7a71d33a7eb02e8df6380731570add1af2793ccee232525d0ed1299b
Instruction ID: efd93abc99d0b368526ccaeb9c8736d1113eec95cd489184fe032f3461d1641f
Opcode Fuzzy Hash: 2e84818c7a71d33a7eb02e8df6380731570add1af2793ccee232525d0ed1299b
Instruction Fuzzy Hash: 4A51D671900218AFEF11EFA4DD46FEDBBB8FB04700F1041AAF605BA190EB746A49CB54

Uniqueness

Uniqueness Score: -1.00%

Function 03486483 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 101libraryloadersynchronizationCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(kernel32.dll), ref: 03486492
GetProcAddress.KERNEL32(?,ResetEvent), ref: 034864A3
timeGetTime.WINMM ref: 034864C3
InterlockedExchange.KERNEL32(?,00000000), ref: 034864D8
WaitForSingleObject.KERNEL32(?,00001770), ref: 03486538

Part of subcall function 03485F7D: GetCurrentThreadId.KERNEL32 ref: 03485F85

InterlockedExchange.KERNEL32(?,00000001), ref: 03486567
ResetEvent.KERNEL32(?), ref: 03486570

Strings

CUdpSocket::Connect, xrefs: 034864B2
kernel32.dll, xrefs: 0348648D
ResetEvent, xrefs: 0348649B
%s, xrefs: 034864B7

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: ExchangeInterlocked$AddressCurrentEventLibraryLoadObjectProcResetSingleThreadTimeWaittime
String ID: %s$CUdpSocket::Connect$ResetEvent$kernel32.dll
API String ID: 2755558117-779552593
Opcode ID: df7674625198433dc7d355716c25308430724b93ed3031ec6e71be70ce175f2d
Instruction ID: 3447efb54a5289f4356e4aad59b54a8dd0529ab8ee0ddb7088f901d8e5f7b88e
Opcode Fuzzy Hash: df7674625198433dc7d355716c25308430724b93ed3031ec6e71be70ce175f2d
Instruction Fuzzy Hash: 53411A74901208AFDF44EFA8D949AEDBBF1AF08301F24019AE501BB395D6769E51CF29

Uniqueness

Uniqueness Score: -1.00%

Function 00DC507A Relevance: 22.9, APIs: 15, Instructions: 351windowkeyboardCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00DC5081
GetFocus.USER32 ref: 00DC50A1
GetParent.USER32(?), ref: 00DC50EC
GetParent.USER32(?), ref: 00DC50FC
GetKeyState.USER32(00000012), ref: 00DC51B4
IsDialogMessageW.USER32(?,?), ref: 00DC5263
GetFocus.USER32 ref: 00DC5276
GetFocus.USER32 ref: 00DC5283
IsWindow.USER32(?), ref: 00DC529B
GetFocus.USER32 ref: 00DC52A7
IsWindow.USER32(?), ref: 00DC52BD
GetFocus.USER32 ref: 00DC52C3
GetKeyState.USER32(00000010), ref: 00DC52EC
MessageBeep.USER32(00000000), ref: 00DC53E3

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Focus$MessageParentStateWindow$BeepDialogH_prolog3_catch
String ID:
API String ID: 44247675-0
Opcode ID: 45d3970cf8f422c75f4bfff51dfadfcdd5d7ff1c5d0ba01622662b73f5a160b1
Instruction ID: d6e582a95ad45518c06238fab6b5c6e3c448e2b4b1b6abffb55ac9d693e3b068
Opcode Fuzzy Hash: 45d3970cf8f422c75f4bfff51dfadfcdd5d7ff1c5d0ba01622662b73f5a160b1
Instruction Fuzzy Hash: 81C1B031900A0B9BCF25ABA4E848FAEB7B5EF44355F1C402DE842A7168D774ECC1CA71

Uniqueness

Uniqueness Score: -1.00%

Function 0348A21A Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 100registrylibraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ntdll.dll), ref: 0348A229
GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 0348A244
swprintf.LIBCMT ref: 0348A284

Part of subcall function 0348A1AC: GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 0348A1D5
Part of subcall function 0348A1AC: GetProcAddress.KERNEL32(00000000), ref: 0348A1DC

RegOpenKeyExW.ADVAPI32(80000002,034C0B10,00000000,00020119,?), ref: 0348A2DE
RegOpenKeyExW.ADVAPI32(80000002,034C0B10,00000000,00020019,?), ref: 0348A2FC
RegQueryValueExW.ADVAPI32(?,ProductName,00000000,00000001,?,000000CA), ref: 0348A31A
RegCloseKey.ADVAPI32(?), ref: 0348A33F
FreeLibrary.KERNEL32(00000000), ref: 0348A357

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0348A2BB
ProductName, xrefs: 0348A312
ntdll.dll, xrefs: 0348A224
%d.%d.%d, xrefs: 0348A27A
RtlGetNtVersionNumbers, xrefs: 0348A23C

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: AddressLibraryOpenProc$CloseFreeHandleLoadModuleQueryValueswprintf
String ID: %d.%d.%d$ProductName$RtlGetNtVersionNumbers$SOFTWARE\Microsoft\Windows NT\CurrentVersion$ntdll.dll
API String ID: 2201495386-3190923360
Opcode ID: 9a0c65864c2bdc3c003c1f10e20b26d904c0a63e60ec255fe979ed19d5f81844
Instruction ID: 0d6e1473a6682453a743ec2d9dc1f95c1be1e4cfb4be909afc13f060d2b5e544
Opcode Fuzzy Hash: 9a0c65864c2bdc3c003c1f10e20b26d904c0a63e60ec255fe979ed19d5f81844
Instruction Fuzzy Hash: F141D575D00209AFDF11EFE4DC09BEEBBB9FB08300F14402AEA11B9291E7B59A549F54

Uniqueness

Uniqueness Score: -1.00%

Function 00DDC880 Relevance: 22.7, APIs: 15, Instructions: 199windowCOMMON

Download Yara Rule

APIs

GetDlgCtrlID.USER32(?), ref: 00DDC8EA
GetDlgItem.USER32(?,?), ref: 00DDC974
ShowWindow.USER32(00000000,00000000), ref: 00DDC97F
GetMenu.USER32(?), ref: 00DDC991
InvalidateRect.USER32(?,00000000,00000001), ref: 00DDC9AC

Part of subcall function 00DA6451: __CxxThrowException@8.LIBCMT ref: 00DA6467
Part of subcall function 00DA6451: __EH_prolog3.LIBCMT ref: 00DA6474

GetDlgItem.USER32(?,0000E900), ref: 00DDC9E9
SetWindowLongW.USER32(00000000,000000F4,0000EA21), ref: 00DDCA06
GetDlgItem.USER32(0000EA21,0000EA21), ref: 00DDCA1F
GetDlgItem.USER32(0000E900,0000E900), ref: 00DDCA35
SetWindowLongW.USER32(00000000,000000F4,0000EA21), ref: 00DDCA47
SetWindowLongW.USER32(?,000000F4,0000E900), ref: 00DDCA53
InvalidateRect.USER32(00000001,00000000,00000001), ref: 00DDCA66
SetMenu.USER32(00000000,00000000), ref: 00DDCA7D
GetDlgItem.USER32(?,00000000), ref: 00DDCAC4
ShowWindow.USER32(?,00000005), ref: 00DDCAD2

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: ItemWindow$Long$InvalidateMenuRectShow$CtrlException@8H_prolog3Throw
String ID:
API String ID: 3935238147-0
Opcode ID: bf32cba75e8ac66ee3eab7532f369e5877d75d599bcee3f8ba3671cf4ec2fe36
Instruction ID: 7b3ad37be6cf5be73c63d224c1737114a81b20b3f0db31c720021a1f8aed0338
Opcode Fuzzy Hash: bf32cba75e8ac66ee3eab7532f369e5877d75d599bcee3f8ba3671cf4ec2fe36
Instruction Fuzzy Hash: 42816D30610605EFCB219F25C888E69BBF5FF48301F18956AE85A9B3A0DB319841DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00DA305F Relevance: 21.1, APIs: 14, Instructions: 133networkstringCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000002,00000011), ref: 00DA3081
WSAIoctl.WS2_32(00000000,9800000C,?,00000004,00000000,00000000,?,00000000,00000000), ref: 00DA30AE
setsockopt.WS2_32(?,0000FFFF,000000FB,?,00000004), ref: 00DA30CA
setsockopt.WS2_32(?,0000FFFF,00000004,?,00000004), ref: 00DA30DC
WSACreateEvent.WS2_32 ref: 00DA30DE
lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 00DA30F4
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 00DA30FC
lstrlenW.KERNEL32(?,00000000,?,00000000,00000000), ref: 00DA3119
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 00DA3121
gethostbyname.WS2_32(?), ref: 00DA3131

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: ByteCharMultiWidelstrlensetsockopt$CreateEventIoctlgethostbynamesocket
String ID:
API String ID: 2536029566-0
Opcode ID: 4fcdd9f36fd33b656c86bcc34edc9140a16d1d8500e260211036e011e35897c0
Instruction ID: c00328acd6aab3d88bd23efd4017c94f3bfa2578c1a65696dd6fdabf80906b2a
Opcode Fuzzy Hash: 4fcdd9f36fd33b656c86bcc34edc9140a16d1d8500e260211036e011e35897c0
Instruction Fuzzy Hash: 23417CB190024DAFEB109FA5CC89EBEBBB9EF09314F140529F611A22A0C7759D46DB61

Uniqueness

Uniqueness Score: -1.00%

Function 03492BD2 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 54registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,034BFA88,00000000,00000002,?), ref: 03492C07
RegDeleteValueW.ADVAPI32(?,?), ref: 03492C13
RegCloseKey.ADVAPI32(?), ref: 03492C1C
RegCreateKeyW.ADVAPI32(80000001,034BFAAC,?), ref: 03492C4A
lstrlenW.KERNEL32(034BFA88), ref: 03492C57
RegSetValueExW.ADVAPI32(?,?,00000000,00000003,034BFA88,00000000), ref: 03492C6D
RegCloseKey.ADVAPI32(?), ref: 03492C7A
RegCloseKey.ADVAPI32(?), ref: 03492C85

Strings

Network, xrefs: 03492C37
AppEvents, xrefs: 03492BE7
Network, xrefs: 03492BF0
AppEvents, xrefs: 03492C2E

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: Close$Value$CreateDeleteOpenlstrlen
String ID: AppEvents$AppEvents$Network$Network
API String ID: 3935456190-3165713004
Opcode ID: 47fa48a5ea037d18af14db5bd72d073c498ab967b4c9aad1710a5c714ea75906
Instruction ID: 9e4c81de7a943d3021c9613668cf9b4ac140ca05df67b15019f2b32e587e4b2a
Opcode Fuzzy Hash: 47fa48a5ea037d18af14db5bd72d073c498ab967b4c9aad1710a5c714ea75906
Instruction Fuzzy Hash: 3D11D330900208FFEF11EF94DD09BEDBFB5FB08304F5484A6B615A9160D7B28A59EB58

Uniqueness

Uniqueness Score: -1.00%

Function 00DD4ACF Relevance: 19.8, APIs: 13, Instructions: 269windowCOMMON

Download Yara Rule

APIs

GetMessageW.USER32(?,00000000,0000000F,0000000F), ref: 00DD4B0E
DispatchMessageW.USER32(?), ref: 00DD4B20
PeekMessageW.USER32(?,00000000,0000000F,0000000F,00000000), ref: 00DD4B30
GetCapture.USER32 ref: 00DD4B36
SetCapture.USER32(?), ref: 00DD4B43
GetWindowRect.USER32(?,?), ref: 00DD4B67
GetCapture.USER32 ref: 00DD4BC6
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00DD4BE1
DispatchMessageW.USER32(?), ref: 00DD4C05
GetScrollPos.USER32(?,00000002), ref: 00DD4D1C
RedrawWindow.USER32(?,00000000,00000000,00000581), ref: 00DD4D36

Part of subcall function 00DB5B7D: ShowWindow.USER32(?,?,?,?,?,00DB1B96,00000001), ref: 00DB5B8E

ReleaseCapture.USER32 ref: 00DD4DC2
IsWindow.USER32(?), ref: 00DD4DCB

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Message$CaptureWindow$Dispatch$PeekRectRedrawReleaseScrollShow
String ID:
API String ID: 1149966214-0
Opcode ID: 2ed5c86b11d3a901c3d29aa978a457914d6ca61c32808957c62f52d7dc1e5eac
Instruction ID: 74e0c6c8f33bcaa0815ddebcac4fa5c420a438490c8ad08c234669c996f9a152
Opcode Fuzzy Hash: 2ed5c86b11d3a901c3d29aa978a457914d6ca61c32808957c62f52d7dc1e5eac
Instruction Fuzzy Hash: 70A11B71A006099FDB24DFB8C998ABEB7F9FF48300F18452EE556A7351CB70A8418B60

Uniqueness

Uniqueness Score: -1.00%

Function 03492297 Relevance: 19.6, APIs: 13, Instructions: 141memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000002,00000000,C463F85C), ref: 034922D1
GlobalLock.KERNEL32(?), ref: 034922DD
_memmove.LIBCMT ref: 034922EF
GlobalUnlock.KERNEL32(?), ref: 034922FA
CreateStreamOnHGlobal.OLE32(?,00000001,00000000), ref: 0349230D
CreateStreamOnHGlobal.OLE32(00000000,00000001,00000000), ref: 03492346
GetHGlobalFromStream.OLE32(00000000,00000000), ref: 0349236F
GlobalLock.KERNEL32(00000000), ref: 03492378
GlobalFree.KERNEL32(?), ref: 03492395
GlobalSize.KERNEL32(00000000), ref: 034923BC
_memmove.LIBCMT ref: 034923E6
GlobalUnlock.KERNEL32(00000000,?,?,00000000), ref: 03492456
GlobalFree.KERNEL32(?), ref: 03492481

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: Global$Stream$CreateFreeLockUnlock_memmove$AllocFromSize
String ID:
API String ID: 923863684-0
Opcode ID: 9350c9b4d1a2f45ef16e7d5c7c68e4306ce69270c2c377cacd5b65be5dc5744f
Instruction ID: 3f12c080df54b4a3e00d954e424ba5579966f391d7e6a65639cce104bfeddc54
Opcode Fuzzy Hash: 9350c9b4d1a2f45ef16e7d5c7c68e4306ce69270c2c377cacd5b65be5dc5744f
Instruction Fuzzy Hash: 3461E234C10218EFEF21EFA5EC48B9CBBB5FF04315F20416AE415AA2A1DB755A54DF04

Uniqueness

Uniqueness Score: -1.00%

Function 00DF6603 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 286keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 00DF6621
GetWindowRect.USER32(?,?), ref: 00DF6689
GetCursorPos.USER32(?), ref: 00DF66D3

Strings

px, xrefs: 00DF66E4
X', xrefs: 00DF6636

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: CursorRectStateWindow
String ID: X'$px
API String ID: 3412758350-282588210
Opcode ID: cc577f86b5707eeeaa7eb4dd3ca4e5d7604d7e3b633437c1b4042d826a3d754b
Instruction ID: fa42f2b559251785131d6bd1067280e6eef1913314ced1eb8c37939497089efd
Opcode Fuzzy Hash: cc577f86b5707eeeaa7eb4dd3ca4e5d7604d7e3b633437c1b4042d826a3d754b
Instruction Fuzzy Hash: ADB1F370A00209EFCB24EFA4D984AFDBBF5FF48344F19842EE646A6651DB709940CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00DAC4C3 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 158windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00DAC4F1

Part of subcall function 00DD3F25: GetClientRect.USER32(?,00DAC51A), ref: 00DD3F56
Part of subcall function 00DD3F25: PtInRect.USER32(00DAC51A,?,?), ref: 00DD3F70

ScreenToClient.USER32(?,?), ref: 00DAC563
PtInRect.USER32(?,?,?), ref: 00DAC573
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00DAC59F
GetParent.USER32(?), ref: 00DAC5BE
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00DAC627
GetFocus.USER32 ref: 00DAC62D
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00DAC66A
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00DAC68E

Strings

p, xrefs: 00DAC5CB
(, xrefs: 00DAC542

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: MessageSend$Rect$Client$FocusParentScreenWindow
String ID: ($p
API String ID: 4216724418-2925934162
Opcode ID: 07a943fb057f8cf76dbbeefc803ea8183b6f4179b5f4e386e1f36b4871f75bd3
Instruction ID: cbf185ca401e503161a673264bc0923115df195edf1624f2cccd6120b7ff25c8
Opcode Fuzzy Hash: 07a943fb057f8cf76dbbeefc803ea8183b6f4179b5f4e386e1f36b4871f75bd3
Instruction Fuzzy Hash: F9517E72A10208AFDB20DF64C898EAD77F5EB0D314B1D9465F909E7271DB31DD009BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DEE73C Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 154COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00DEE746
_memset.LIBCMT ref: 00DEE766
_memset.LIBCMT ref: 00DEE77D

Part of subcall function 00DA6156: __EH_prolog3.LIBCMT ref: 00DA615D

__wsplitpath_s.LIBCMT ref: 00DEE7F4
_wcslen.LIBCMT ref: 00DEE800

Part of subcall function 00DB7E42: __wcsicoll.LIBCMT ref: 00DB7E5D

Strings

Aero, xrefs: 00DEE82F
homestead, xrefs: 00DEE8D5
Luna, xrefs: 00DEE81B
metallic, xrefs: 00DEE8EE
normalcolor, xrefs: 00DEE8BC
royale, xrefs: 00DEE928

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: _memset$H_prolog3H_prolog3___wcsicoll__wsplitpath_s_wcslen
String ID: Aero$Luna$homestead$metallic$normalcolor$royale
API String ID: 1120789618-2881773410
Opcode ID: 1f253ee7ca52232b825d5bd17b36351efa37dfa22f1071c13238b824f9ba8a80
Instruction ID: 89db2871a5d8291ee25b2bf93ae8342f9ae67f9aedbccafa92c41d7960de58a4
Opcode Fuzzy Hash: 1f253ee7ca52232b825d5bd17b36351efa37dfa22f1071c13238b824f9ba8a80
Instruction Fuzzy Hash: 6251B57090026C96DB24EB61CC91FEE776DDF95310F0801E9B119A21C1DBB1DF90CAB5

Uniqueness

Uniqueness Score: -1.00%

Function 00E18A00 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 146COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E18A07

Part of subcall function 00E3657B: __EH_prolog3.LIBCMT ref: 00E36582

GetWindowRect.USER32(?,?), ref: 00E18AD2

Part of subcall function 00DB5AF9: GetDlgCtrlID.USER32(?), ref: 00DB5B02

Part of subcall function 00E180B2: GetWindowRect.USER32(?,?), ref: 00E180C2

Strings

MRUWidth, xrefs: 00E18B81
RecentRowIndex, xrefs: 00E18B60
IsFloating, xrefs: 00E18B6F
RectRecentFloat, xrefs: 00E18B29
%sPane-%d%x, xrefs: 00E18A72
PinState, xrefs: 00E18B93
RecentFrameAlignment, xrefs: 00E18B4E
%sPane-%d, xrefs: 00E18A59
RectRecentDocked, xrefs: 00E18B3C

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: H_prolog3RectWindow$Ctrl
String ID: %sPane-%d$%sPane-%d%x$IsFloating$MRUWidth$PinState$RecentFrameAlignment$RecentRowIndex$RectRecentDocked$RectRecentFloat
API String ID: 2598721110-1120251949
Opcode ID: c9c23e31ee7d6c14b0acf3b66e15bc9c6ff01051da8ec59618581636fc55abf6
Instruction ID: 439d50ac8958f3b30fad09f1ac44622cb6dea162bfcde254f6421a1fccf21ff5
Opcode Fuzzy Hash: c9c23e31ee7d6c14b0acf3b66e15bc9c6ff01051da8ec59618581636fc55abf6
Instruction Fuzzy Hash: 8051AA70600205EFCF11AFA0C889EFEBBB2FF49300F145419F956AB2A1DB709951CB21

Uniqueness

Uniqueness Score: -1.00%

Function 00E02F21 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 137windowCOMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 00E02F4A
LoadCursorW.USER32(?,00007904), ref: 00E02F71
LoadCursorW.USER32(?,00007905), ref: 00E02F93
SendMessageW.USER32(?,0000120A,00000000,00000006), ref: 00E02FDA
SendMessageW.USER32(?,0000120A,00000001,00000006), ref: 00E02FFE
SendMessageW.USER32(?,00000401,00000001,00000000), ref: 00E03038
SendMessageW.USER32(?,00000418,00000000,FFFFFFFF), ref: 00E03052
GetParent.USER32(?), ref: 00E0307C

Strings

Property, xrefs: 00E02FB2
Value, xrefs: 00E02FE0
d, xrefs: 00E02FE7

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: MessageSend$CursorLoad$EmptyParentRect
String ID: Property$Value$d
API String ID: 2284761715-1409410049
Opcode ID: a6d1d0832e4acd9ab39ad7868b09bd8cfb9c8d15f647574147c54feb13eac5b9
Instruction ID: b41af20ed1d1f7ce266809030a25cb955ced81541db65d843ae1debb3d52f345
Opcode Fuzzy Hash: a6d1d0832e4acd9ab39ad7868b09bd8cfb9c8d15f647574147c54feb13eac5b9
Instruction Fuzzy Hash: 82516D71600608AFDB11EF65CD89EEEB7F9EF88314F104169F206A72A1DB71A901CB60

Uniqueness

Uniqueness Score: -1.00%

Function 03489106 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 135registrystringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 03489130
RegOpenKeyExW.ADVAPI32(80000001,034C08D8,00000000,000F003F,?), ref: 03489159
RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 034891A0
_memset.LIBCMT ref: 034891E6
_memset.LIBCMT ref: 03489224
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 03489257
lstrlenW.KERNEL32(?), ref: 03489264
lstrlenW.KERNEL32(?), ref: 03489276
RegCloseKey.ADVAPI32(?), ref: 034892B1
lstrlenW.KERNEL32(?), ref: 034892BE

Strings

Software\Tencent\Plugin\VAS, xrefs: 0348913F

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: _memsetlstrlen$CloseEnumInfoOpenQuery
String ID: Software\Tencent\Plugin\VAS
API String ID: 2921034913-3343197220
Opcode ID: 79d3067478f3c934425af7f3773af744f59496819aecb075d1b2c2f1eeebadd5
Instruction ID: 7657087952582f75d805624a5d6de51eba540e6ff3278bd85731f3dddfc1a42b
Opcode Fuzzy Hash: 79d3067478f3c934425af7f3773af744f59496819aecb075d1b2c2f1eeebadd5
Instruction Fuzzy Hash: 91511D71D5021CAFDB60EB90DC89BEDB7B8BB08704F5404D6E609EA181E7759B84CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0349EF11 Relevance: 18.1, APIs: 12, Instructions: 139COMMON

Download Yara Rule

APIs

____lc_handle_func.LIBCMT ref: 0349EF45
____lc_codepage_func.LIBCMT ref: 0349EF4D
__GetLocaleForCP.LIBCPMT ref: 0349EF75
____mb_cur_max_l_func.LIBCMT ref: 0349EF8B
MultiByteToWideChar.KERNEL32(?,00000009,?,00000002,00000000,00000000,?,?,?,?,03495263,?,00000000,00000001,00000000,?), ref: 0349EFAA
____mb_cur_max_l_func.LIBCMT ref: 0349EFB8
___pctype_func.LIBCMT ref: 0349EFDD
____mb_cur_max_l_func.LIBCMT ref: 0349F003
____mb_cur_max_l_func.LIBCMT ref: 0349F01B
____mb_cur_max_l_func.LIBCMT ref: 0349F033
MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,00000000,?,?,?,?,03495263,?,00000000,00000001,00000000,?), ref: 0349F040
MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,00000000,00000000,?,?,?,?,03495263,?,00000000,00000001,00000000,?), ref: 0349F071

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: ____mb_cur_max_l_func$ByteCharMultiWide$Locale____lc_codepage_func____lc_handle_func___pctype_func
String ID:
API String ID: 3819326198-0
Opcode ID: 7221ed6881092b211bccf5399238e2b2028360823ed51a6b113986ebc18c6cfe
Instruction ID: 0e575bd649f3afd75f06693dc8ce298be16349ef2cfee9a0e77145ae29259789
Opcode Fuzzy Hash: 7221ed6881092b211bccf5399238e2b2028360823ed51a6b113986ebc18c6cfe
Instruction Fuzzy Hash: 7C41B135114251BEEF20DF36D840B6A7FA8AF11691F18846BF865CE395EB74C890CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00E36A2A Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 199windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00E36A34
GetSystemMenu.USER32(?,00000000,00000214,00DE4998,00000000,00000000,00000001,?), ref: 00E36A96
IsMenu.USER32(?), ref: 00E36AAF
IsMenu.USER32(?), ref: 00E36AC9
SendMessageW.USER32(?,0000007F,00000000,00000000), ref: 00E36AFE
GetClassLongW.USER32(?,000000DE), ref: 00E36B14
GetWindowLongW.USER32(?,000000F0), ref: 00E36B5F

Strings

0, xrefs: 00E36C3C

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Menu$Long$ClassH_prolog3_MessageSendSystemWindow
String ID: 0
API String ID: 859179710-4108050209
Opcode ID: c2915de0db9588c09432bb67c6840e40e9601cf530ae0a328f62b5f6720ab32d
Instruction ID: 896d9ac4264cbc83aa91e5b252ff793e2596faa542bf2db8b5ec80c7fa30d216
Opcode Fuzzy Hash: c2915de0db9588c09432bb67c6840e40e9601cf530ae0a328f62b5f6720ab32d
Instruction Fuzzy Hash: 59815E30500655AFDB21DF25CC88FAEFBF4FF44304F2496AAE8AAA6191DB315A41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00DFCE4B Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 163windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DFCE60
SendMessageW.USER32(?,0000104B,00000000,?), ref: 00DFCE82
SHGetDesktopFolder.SHELL32(?), ref: 00DFCEC1
CreatePopupMenu.USER32 ref: 00DFCF35
GetMenuDefaultItem.USER32(00000000,00000000,00000000), ref: 00DFCF64
GetParent.USER32(?), ref: 00DFCF91
GetParent.USER32(?), ref: 00DFCFD6
GetParent.USER32(?), ref: 00DFCFE5
SendMessageW.USER32(?,?,00000000,00000000), ref: 00DFCFFA

Strings

$, xrefs: 00DFCF87

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Parent$MenuMessageSend$CreateDefaultDesktopFolderItemPopup_memset
String ID: $
API String ID: 2190390364-3993045852
Opcode ID: d19e3cc11e7f644f5a8c35489d632ceb5d1e8a65193dcbd187ac924d5d125b31
Instruction ID: 778a6dcbdfebee8aa4035bfb8043b261cddee2658e43d0cb39dee24c9e2a4579
Opcode Fuzzy Hash: d19e3cc11e7f644f5a8c35489d632ceb5d1e8a65193dcbd187ac924d5d125b31
Instruction Fuzzy Hash: 66514D75A00218AFCB209FA5C888EAEBBBAFF48744F198055F905EB254C771D941DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E4CC1D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00E4CC4C
MonitorFromPoint.USER32(?,?,00000002), ref: 00E4CC7E
GetMonitorInfoW.USER32(00000000), ref: 00E4CC85
CopyRect.USER32(00DF24D4,?), ref: 00E4CC97
SystemParametersInfoW.USER32(00000030,00000000,00DF24D4,00000000), ref: 00E4CCA7
OffsetRect.USER32(?,00DF24D4,00000000), ref: 00E4CCD1
OffsetRect.USER32(?,?,00000000), ref: 00E4CCFC
OffsetRect.USER32(?,00000000,00000000), ref: 00E4CD29
OffsetRect.USER32(?,00000000,?), ref: 00E4CD4E

Strings

(, xrefs: 00E4CC77

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Rect$Offset$InfoMonitor$CopyCursorFromParametersPointSystem
String ID: (
API String ID: 4030222242-3887548279
Opcode ID: a0f9c5c5617064d6125c04251087f6e89ad0bcf52dd1c2fd7660a3feca667acb
Instruction ID: 4e7683e272666e1b16eaecdeeb5fd15996a7b659b80002c3044bfe552676e6bb
Opcode Fuzzy Hash: a0f9c5c5617064d6125c04251087f6e89ad0bcf52dd1c2fd7660a3feca667acb
Instruction Fuzzy Hash: 77410571E01209EFDB14CFA9D984AAEFBB9FF48304F24912AE506A3250D770AD06CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00DAEEC2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 112windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00DAEEC9
GetObjectW.GDI32(?,00000018,?), ref: 00DAEEE4
GetSystemMetrics.USER32(00000032), ref: 00DAEF03
GetSystemMetrics.USER32(00000031), ref: 00DAEF0D
_memset.LIBCMT ref: 00DAEF2E
GetMenuItemInfoW.USER32 ref: 00DAEF56
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00DAEF7D
GetSystemMetrics.USER32(0000000F), ref: 00DAEFE2
GetSystemMetrics.USER32(0000000F), ref: 00DAEFEB

Strings

@, xrefs: 00DAEF4F

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: MetricsSystem$InfoItemMenu$H_prolog3Object_memset
String ID: @
API String ID: 3341327673-2766056989
Opcode ID: 710561bdd58f3949624ddc3d512177d6fedd1a94d146f87e6a0bb1ea4a51cd7d
Instruction ID: f8fcad1c5dcfcf121661db53f7a7e00bf5dd7e7a19f03b486724d6841c7cde7e
Opcode Fuzzy Hash: 710561bdd58f3949624ddc3d512177d6fedd1a94d146f87e6a0bb1ea4a51cd7d
Instruction Fuzzy Hash: 2D410B72900209AFDB14DBA4CC86FEEB7B4FF19314F144115F615AB292DB70AA45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0349C9D0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78stringtimeCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0349C9EF
GetForegroundWindow.USER32 ref: 0349C9F7
GetWindowTextW.USER32(034D01B8,00000800), ref: 0349CA12
_memset.LIBCMT ref: 0349CA33
lstrlenW.KERNEL32(034D01B8), ref: 0349CA51
GetLocalTime.KERNEL32(?), ref: 0349CA66
wsprintfW.USER32 ref: 0349CAAD

Part of subcall function 0349C950: WaitForSingleObject.KERNEL32(000000FF,?,?,?,0349CAC2,?), ref: 0349C95D
Part of subcall function 0349C950: CreateFileW.KERNEL32(034CF840,40000000,00000002,00000000,00000004,00000002,00000000,?,?,?,0349CAC2,?), ref: 0349C977

_memset.LIBCMT ref: 0349CAD1
_memset.LIBCMT ref: 0349CAE5

Strings

[, xrefs: 0349CAA1

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: _memset$Window$CreateFileForegroundLocalObjectSingleTextTimeWaitlstrlenwsprintf
String ID: [
API String ID: 720303121-4056885943
Opcode ID: db600781441fc4d55c5e367a63c9df8b774e2403bed86f6df5378b2808be34c8
Instruction ID: 79d0e23598a10c59c8dec41a80e2b19edc2aa82fc7a2146d6502e0b3b0fbb2db
Opcode Fuzzy Hash: db600781441fc4d55c5e367a63c9df8b774e2403bed86f6df5378b2808be34c8
Instruction Fuzzy Hash: B7315275940318EFD790EB54DC46BAD77F8FB04700F1480A6F984EE181EF7599988BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00DA69B0 Relevance: 16.6, APIs: 11, Instructions: 149windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00DA69BA
GetMenuItemCount.USER32(?), ref: 00DA69EC
GetSubMenu.USER32(?,?), ref: 00DA6A30
GetMenuState.USER32(?,?,00000400), ref: 00DA6A49
GetSubMenu.USER32(?,?), ref: 00DA6AB8
GetMenuStringW.USER32(?,?,?,00000100,00000400), ref: 00DA6ADD
_wcslen.LIBCMT ref: 00DA6B34
AppendMenuW.USER32(00000000,00000010,00000000,?), ref: 00DA6B62
GetMenuItemCount.USER32(00000000), ref: 00DA6BA1
GetMenuItemID.USER32(?,?), ref: 00DA6BDA
InsertMenuW.USER32(?,?,00000000,00000000), ref: 00DA6BF0

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Menu$Item$Count$AppendH_prolog3_InsertStateString_wcslen
String ID:
API String ID: 881407318-0
Opcode ID: 200d0503c1182c684235617fa9fa013c0a5d145b4946563e6966666168430034
Instruction ID: e9a5f2ae802a0f4da90ecd193ae903dae2f21fae9a650190e8d7b55940cd18f4
Opcode Fuzzy Hash: 200d0503c1182c684235617fa9fa013c0a5d145b4946563e6966666168430034
Instruction Fuzzy Hash: DF71E07184122DEFCB209F94DD8CBD9BBB4FB19310F1841EAE509A6261D7359E85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00DAA780 Relevance: 16.6, APIs: 11, Instructions: 139COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00DAA787
FindResourceW.KERNEL32(?,?,00000005,00000024,00DA4BED), ref: 00DAA7BD
LoadResource.KERNEL32(?,00000000), ref: 00DAA7C5

Part of subcall function 00DB20A6: UnhookWindowsHookEx.USER32(?), ref: 00DB20D6

LockResource.KERNEL32(?,00000024,00DA4BED), ref: 00DAA7D6
GetDesktopWindow.USER32 ref: 00DAA809
IsWindowEnabled.USER32(?), ref: 00DAA817
EnableWindow.USER32(?,00000000), ref: 00DAA826

Part of subcall function 00DB5BA4: IsWindowEnabled.USER32(?), ref: 00DB5BAD

Part of subcall function 00DB5BBF: EnableWindow.USER32(?,?), ref: 00DB5BD0

EnableWindow.USER32(?,00000001), ref: 00DAA90B
GetActiveWindow.USER32 ref: 00DAA916
SetActiveWindow.USER32(?,?,00000024,00DA4BED), ref: 00DAA924
FreeResource.KERNEL32(?,?,00000024,00DA4BED), ref: 00DAA940

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Window$Resource$Enable$ActiveEnabled$DesktopFindFreeH_prolog3_catchHookLoadLockUnhookWindows
String ID:
API String ID: 964565984-0
Opcode ID: bf62242fcc1a0a181fcccbaadb22a9f3870a8d5c9e93ad19e491d23f3841d621
Instruction ID: b7c630988e61b2cf9e944762acce3069ce7d8e4d12e2a8afde8fff0a492d486e
Opcode Fuzzy Hash: bf62242fcc1a0a181fcccbaadb22a9f3870a8d5c9e93ad19e491d23f3841d621
Instruction Fuzzy Hash: 2E514031A00605DFDB21AFB9C849BAEBAB1FF49701F58463DE502761A1CB754942CF72

Uniqueness

Uniqueness Score: -1.00%

Function 00E02A21 Relevance: 16.6, APIs: 11, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 00E02A5D
ReleaseCapture.USER32 ref: 00E02A67
GetClientRect.USER32(?,?), ref: 00E02A80
GetSystemMetrics.USER32(00000015), ref: 00E02AA7
GetSystemMetrics.USER32(00000015), ref: 00E02ACB
SendMessageW.USER32(?,0000120C,00000000,00000001), ref: 00E02B04
SendMessageW.USER32(?,0000120C,00000001,00000001), ref: 00E02B26
GetCapture.USER32 ref: 00E02B4B
ReleaseCapture.USER32 ref: 00E02B55
GetClientRect.USER32(?,?), ref: 00E02B6E
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 00E02BBC

Part of subcall function 00E01D81: __EH_prolog3_GS.LIBCMT ref: 00E01D88
Part of subcall function 00E01D81: IsRectEmpty.USER32(?), ref: 00E01DA3
Part of subcall function 00E01D81: InvertRect.USER32(?,?), ref: 00E01DB9
Part of subcall function 00E01D81: SetRectEmpty.USER32(?), ref: 00E01DC7

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Rect$Capture$ClientEmptyMessageMetricsReleaseSendSystem$H_prolog3_InvertRedrawWindow
String ID:
API String ID: 174338775-0
Opcode ID: 8760ffe2bcaf14a3261dfdb44033dd99e0258f078394a872333dff2207d73ca5
Instruction ID: 0ac0b0db29fb971a389cb8e1e8816c8aeb0a49d9446bb6750d47b99ac1c2cd9e
Opcode Fuzzy Hash: 8760ffe2bcaf14a3261dfdb44033dd99e0258f078394a872333dff2207d73ca5
Instruction Fuzzy Hash: D4515E72A00609DFCB14DFA9CC889AEBBF5FF48304F25452DE55AA7250DB70AA41CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00DA40F4 Relevance: 16.6, APIs: 11, Instructions: 105networktimeCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(0000000D,?,?,00000004), ref: 00DA4128
EnterCriticalSection.KERNEL32(00000204,?,?,00000004), ref: 00DA413D
WSASetLastError.WS2_32(00002746), ref: 00DA414F
LeaveCriticalSection.KERNEL32(?), ref: 00DA4158
timeGetTime.WINMM ref: 00DA417A
timeGetTime.WINMM ref: 00DA41A2
SetEvent.KERNEL32(?), ref: 00DA41D0
InterlockedExchange.KERNEL32(?,00000001), ref: 00DA41DC
WSASetLastError.WS2_32(00002746), ref: 00DA41F2
LeaveCriticalSection.KERNEL32(?), ref: 00DA41FB
LeaveCriticalSection.KERNEL32(?), ref: 00DA420C

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: CriticalSection$ErrorLastLeave$Timetime$EnterEventExchangeInterlocked
String ID:
API String ID: 1405026782-0
Opcode ID: b511e4ea3409918fc1cdbde0c705d5dddfa00965acd2d721e54f5036103c7ec2
Instruction ID: 26c1a9815a21fab424870c96452ea9c3b773ed44e7807550d01a7a17828f53cc
Opcode Fuzzy Hash: b511e4ea3409918fc1cdbde0c705d5dddfa00965acd2d721e54f5036103c7ec2
Instruction Fuzzy Hash: 594120316003009FCB349F65D84CB6ABBF5BFA5315F084138E486972A1D7B1EC86CB22

Uniqueness

Uniqueness Score: -1.00%

Function 00E10A17 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 240windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E0DAE0: GdipGetImagePixelFormat.GDIPLUS(?,00F1A600,00000000,00000000,?,00E10A41,00000000,00000000,00F1A600), ref: 00E0DAF0

_free.LIBCMT ref: 00E10B4A
_free.LIBCMT ref: 00E10B96
GdipBitmapLockBits.GDIPLUS(?,00000000,00000001,00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00F1A600), ref: 00E10C5F
_free.LIBCMT ref: 00E10C8F

Part of subcall function 00E0DB02: GdipGetImagePaletteSize.GDIPLUS(?,00000000,00000000,00000000,?,00E10AFB,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00E0DB16

GdipBitmapUnlockBits.GDIPLUS(00000005,?,?,00000000,00000001,00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00F1A600), ref: 00E10D0B
_free.LIBCMT ref: 00E10D86

Strings

&, xrefs: 00E10A97

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Gdip_free$BitmapBitsImage$FormatLockPalettePixelSizeUnlock
String ID: &
API String ID: 4092590016-3042966939
Opcode ID: 6c6bb1b4b2b054ad1ad1d5bd1c14f4b8dc1861f3f53b409a4bfead48418d3b0a
Instruction ID: a5ad9828d399fd179477fd787db93d5acd4615ea561c5985cf945ce6d68cdd95
Opcode Fuzzy Hash: 6c6bb1b4b2b054ad1ad1d5bd1c14f4b8dc1861f3f53b409a4bfead48418d3b0a
Instruction Fuzzy Hash: BEA14DB19002289BCB31DB54CD80BE9B7B5EF44318F1095E9E649B7291CBB4AEC5CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00DB2420 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 191libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00DB2427
GetProcAddress.KERNEL32(00000000,GetGestureInfo), ref: 00DB2480
GetProcAddress.KERNEL32(CloseGestureInfoHandle,00000018), ref: 00DB24A2
_memset.LIBCMT ref: 00DB24DC
ScreenToClient.USER32(?,?), ref: 00DB251F

Part of subcall function 00DA7416: ActivateActCtx.KERNEL32(?,?,00EFE768,00000010), ref: 00DA7436

Strings

GetGestureInfo, xrefs: 00DB247A
user32.dll, xrefs: 00DB2442
CloseGestureInfoHandle, xrefs: 00DB2497

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: AddressProc$ActivateClientH_prolog3Screen_memset
String ID: CloseGestureInfoHandle$GetGestureInfo$user32.dll
API String ID: 4039673286-2905070798
Opcode ID: c7fa49c6f8f528f63f1e5e5223ab3c35aa9d0ab748669da05ecdbda717206357
Instruction ID: deecf25cceba03f003c2bffa86546857dfa2b211ea5b640ec3a173cc5a1139a4
Opcode Fuzzy Hash: c7fa49c6f8f528f63f1e5e5223ab3c35aa9d0ab748669da05ecdbda717206357
Instruction Fuzzy Hash: 26719072900715DFCB29CF64D944ABABBF1FF58310B25465DE497A7661CB31A801DF20

Uniqueness

Uniqueness Score: -1.00%

Function 03490F60 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 165registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0349FB22: _malloc.LIBCMT ref: 0349FB3C

_memset.LIBCMT ref: 03490F84
_memmove.LIBCMT ref: 03490FCD

Part of subcall function 0349FB22: std::exception::exception.LIBCMT ref: 0349FB71
Part of subcall function 0349FB22: std::exception::exception.LIBCMT ref: 0349FB8B
Part of subcall function 0349FB22: __CxxThrowException@8.LIBCMT ref: 0349FB9C

_memmove.LIBCMT ref: 034910C2
RegCreateKeyW.ADVAPI32(80000001,Console\0,?), ref: 034910D8
RegCloseKey.ADVAPI32(?,?,?,?), ref: 0349115E

Part of subcall function 0348869B: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,?,?,?,C463F85C), ref: 034887A6
Part of subcall function 0348869B: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,-00000A70,?), ref: 034887CD

RegDeleteValueW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 03491120
RegSetValueExW.ADVAPI32(?,?,00000000,00000003,?,?), ref: 03491136
CloseHandle.KERNEL32(?), ref: 034911A1

Strings

Console\0, xrefs: 034910CE

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: ByteCharCloseMultiValueWide_memmovestd::exception::exception$CreateDeleteException@8HandleThrow_malloc_memset
String ID: Console\0
API String ID: 724019667-1253790388
Opcode ID: c70cf6aa276fa0c84337b167da0055eaf3ccc656c4096b422e0f203508721499
Instruction ID: b709b4c17dcd44ab7b44596ea8d69d3ce5ae8b3bf48ea79e9e2d777327a9a8ed
Opcode Fuzzy Hash: c70cf6aa276fa0c84337b167da0055eaf3ccc656c4096b422e0f203508721499
Instruction Fuzzy Hash: 1961C175E01218AFEF15DF98E845B9CBBB1EF08300F1440AAF909AB391D7716A91DF48

Uniqueness

Uniqueness Score: -1.00%

Function 00E744A4 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 150keyboardCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00E744AB
_wcslen.LIBCMT ref: 00E744D7
_memset.LIBCMT ref: 00E744E8
GetKeyboardLayout.USER32(00000000), ref: 00E744F1
MapVirtualKeyExW.USER32(00000000,00000000,00000000), ref: 00E744FA
GetKeyNameTextW.USER32(00000000,?,00000032), ref: 00E74521
_wcslen.LIBCMT ref: 00E7452B
IsCharLowerW.USER32(00000000,?,00000000), ref: 00E7455D

Strings

Pause, xrefs: 00E744D1, 00E744D6, 00E744DE

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: _wcslen$CharH_prolog3_KeyboardLayoutLowerNameTextVirtual_memset
String ID: Pause
API String ID: 192923521-375111145
Opcode ID: 64ef108b40432bda890fd9ccc117efe7769bc2cf0f345f6363fc702cb3107e83
Instruction ID: 4366f9a88f416b1e89216b6c26cfe321777aaf2ff607041b8d491d7090a64af1
Opcode Fuzzy Hash: 64ef108b40432bda890fd9ccc117efe7769bc2cf0f345f6363fc702cb3107e83
Instruction Fuzzy Hash: D34114B1A00118ABDB31AB68CC45FAEB7ACEF86704F149419F519BB1C2DBB0AD41D770

Uniqueness

Uniqueness Score: -1.00%

Function 00DE22E2 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 124windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00DE22E9
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00DE231F
GetParent.USER32(?), ref: 00DE2344
GetTopWindow.USER32(?), ref: 00DE23FE
GetWindow.USER32(?,00000002), ref: 00DE241C
IsWindow.USER32(?), ref: 00DE243C
GetParent.USER32(?), ref: 00DE2449
DestroyWindow.USER32(?,?,00000020), ref: 00DE2457

Strings

X', xrefs: 00DE23C0

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Window$Parent$DestroyH_prolog3MessageSend
String ID: X'
API String ID: 3234442123-2274823755
Opcode ID: 2e0aba72a927c0bd9c7ca6749678459db3bf36378812e496d07351fbab9be60c
Instruction ID: 91b04a8a87e1f13c6c7ef1d18e9dad33c719a6029289b06f1a4b956f8d9fbe78
Opcode Fuzzy Hash: 2e0aba72a927c0bd9c7ca6749678459db3bf36378812e496d07351fbab9be60c
Instruction Fuzzy Hash: 54416DB16006459FCB14BFA5C885ABDB7B9FF48304F58142CE256A72A2DB35AD41CF70

Uniqueness

Uniqueness Score: -1.00%

Function 00DB4090 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00DB4097
GetPropW.USER32(?,AfxOldWndProc423), ref: 00DB40AF
CallWindowProcW.USER32(?,?,00000110,?,?), ref: 00DB411B

Part of subcall function 00DB2C54: GetWindowRect.USER32(?,?), ref: 00DB2C97
Part of subcall function 00DB2C54: GetWindow.USER32(?,00000004), ref: 00DB2CB4

SetWindowLongW.USER32(?,000000FC,?), ref: 00DB4142
RemovePropW.USER32(?,AfxOldWndProc423), ref: 00DB414A
GlobalFindAtomW.KERNEL32(AfxOldWndProc423), ref: 00DB4151
GlobalDeleteAtom.KERNEL32(?), ref: 00DB415B

Part of subcall function 00DB119B: GetWindowRect.USER32(?,?), ref: 00DB11AA

CallWindowProcW.USER32(?,?,?,?,?), ref: 00DB41AE

Strings

AfxOldWndProc423, xrefs: 00DB40A2, 00DB40A7, 00DB4148, 00DB4150

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prolog3_catch_LongRemove
String ID: AfxOldWndProc423
API String ID: 3351853316-1060338832
Opcode ID: dce28f2b01e05f215a2a4ed71b92455186b204379c8d352dde70bfe2ef4af1be
Instruction ID: d78cf0cc73349a43e35ca8bfc019658183076c45b22ededd4b3d47293b2a7365
Opcode Fuzzy Hash: dce28f2b01e05f215a2a4ed71b92455186b204379c8d352dde70bfe2ef4af1be
Instruction Fuzzy Hash: 22314D72C00218FFCB05AFA9DC99DEEBAB8EF49350F08412AF512B2251C7358941DB74

Uniqueness

Uniqueness Score: -1.00%

Function 00DDE37E Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 92COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00DDE385

Part of subcall function 00DB5A26: GetWindowLongW.USER32(?,000000F0), ref: 00DB5A31

swprintf.LIBCMT ref: 00DDE3CF
_wcslen.LIBCMT ref: 00DDE3D8

Part of subcall function 00DA6906: _wcsnlen.LIBCMT ref: 00DA693A
Part of subcall function 00DA6906: _wmemcpy_s.LIBCPMT ref: 00DA696E

_wcslen.LIBCMT ref: 00DDE3F3
_wcslen.LIBCMT ref: 00DDE42A
swprintf.LIBCMT ref: 00DDE456
_wcslen.LIBCMT ref: 00DDE45F

Part of subcall function 00DA6988: _wcslen.LIBCMT ref: 00DA699A

Strings

- , xrefs: 00DDE3ED, 00DDE3F2, 00DDE3FA, 00DDE424, 00DDE429, 00DDE431
:%d, xrefs: 00DDE3C4, 00DDE44B

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: _wcslen$swprintf$H_prolog3_LongWindow_wcsnlen_wmemcpy_s
String ID: - $:%d
API String ID: 472068148-2359489159
Opcode ID: a4ca939c775f81d8cf5806eef3817009fb2bc9d6323b2c28ee6eccf2867b9e1c
Instruction ID: 0673af1d5862fd8a559023ecc813df3bea51acf72731d3c569599c4ce9cb76b2
Opcode Fuzzy Hash: a4ca939c775f81d8cf5806eef3817009fb2bc9d6323b2c28ee6eccf2867b9e1c
Instruction Fuzzy Hash: 48312472900514ABDB15FAE0CD86EEFB36CEF56300F085026B502BE156DB74EE098B70

Uniqueness

Uniqueness Score: -1.00%

Function 00E4D0A5 Relevance: 15.3, APIs: 10, Instructions: 269COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00E4D0DD
GetWindowRect.USER32(?,00000000), ref: 00E4D133
CopyRect.USER32(00000000,?), ref: 00E4D14B
PtInRect.USER32(?,?,?), ref: 00E4D222
PtInRect.USER32(?,?,?), ref: 00E4D24E
PtInRect.USER32(?,?,?), ref: 00E4D283
PtInRect.USER32(?,?,?), ref: 00E4D2AB
PtInRect.USER32(?,?,?), ref: 00E4D317
PtInRect.USER32(?,?,?), ref: 00E4D345
PtInRect.USER32(?,?,?), ref: 00E4D385

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Rect$CopyParentWindow
String ID:
API String ID: 642869531-0
Opcode ID: 2dc60b9adb1f3df1cb6fdf63211e4b2f7262bfc2b91f53f2badb1a2141501dbd
Instruction ID: 3fafa0a04d2a56c39a53b8f6a098c73f243718fb8fd367cb1ebe955e8691096e
Opcode Fuzzy Hash: 2dc60b9adb1f3df1cb6fdf63211e4b2f7262bfc2b91f53f2badb1a2141501dbd
Instruction Fuzzy Hash: F9B1DEB1E04219ABCF11CFA8D984AEEBBF9FF48344F14416AE815F7214E7759A41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00DAC732 Relevance: 15.2, APIs: 10, Instructions: 158windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00DAC7B9
SendMessageW.USER32(?,00000100,?,00000000), ref: 00DAC7D7
IsWindow.USER32(?), ref: 00DAC7EE
IsWindow.USER32(?), ref: 00DAC80C
IsWindow.USER32(?), ref: 00DAC861
SendMessageW.USER32(?,0000020A,?,?), ref: 00DAC883
IsWindow.USER32(?), ref: 00DAC8AF
ClientToScreen.USER32(?,?), ref: 00DAC8BC
IsWindow.USER32(?), ref: 00DAC8DB
ClientToScreen.USER32(?,?), ref: 00DAC90A

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Window$ClientMessageScreenSend
String ID:
API String ID: 526472501-0
Opcode ID: 8854ff5fcf6f2cae495d2d4c1d5a03c11d1b9551636cb15615448b6a46e518e7
Instruction ID: c9b32139a2a8400d149a5adb206da8a795d4200bd504af74b8502f4beb44eaca
Opcode Fuzzy Hash: 8854ff5fcf6f2cae495d2d4c1d5a03c11d1b9551636cb15615448b6a46e518e7
Instruction Fuzzy Hash: 0951BF36A20204ABDB219F75CC48E7A3BF5FB0A7A0F18A435E595E21A1D339DC51DB30

Uniqueness

Uniqueness Score: -1.00%

Function 00DE2487 Relevance: 15.1, APIs: 10, Instructions: 111windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00DE248E

Part of subcall function 00DE03D0: GetObjectW.GDI32(?,00000054,?), ref: 00DE03EF

Part of subcall function 00DABA35: __EH_prolog3.LIBCMT ref: 00DABA3C
Part of subcall function 00DABA35: GetDC.USER32(00000000), ref: 00DABA68

CreateCompatibleDC.GDI32(?), ref: 00DE24DE
SelectObject.GDI32(?,?), ref: 00DE24F9
GdipCreateBitmapFromHBITMAP.GDIPLUS(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00DE2528
GdipDisposeImage.GDIPLUS(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00DE253B
GdipCreateFromHDC.GDIPLUS(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00DE254A
GdipSetInterpolationMode.GDIPLUS(?,00000007,?,?), ref: 00DE255B
GdipDeleteGraphics.GDIPLUS(?,?,00000007,?,?), ref: 00DE2595
GdipDisposeImage.GDIPLUS(?,?,?,00000007,?,?), ref: 00DE259D
SelectObject.GDI32(?,?), ref: 00DE25AD

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Gdip$CreateObject$DisposeFromH_prolog3ImageSelect$BitmapCompatibleDeleteGraphicsInterpolationMode
String ID:
API String ID: 3579439469-0
Opcode ID: 78e56f95033d4fb317c042fd932fb3e6e07cb5fa4b507eace64539c5aab24608
Instruction ID: a3da6886bca175e32d68d004cc432934aa01e642ca8c162010b1f8bf806343ae
Opcode Fuzzy Hash: 78e56f95033d4fb317c042fd932fb3e6e07cb5fa4b507eace64539c5aab24608
Instruction Fuzzy Hash: 764161759002589FCF10EFA4CD919FEBBB5EF08310F14442AF906B7252DB719A45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00DA2ED6 Relevance: 15.1, APIs: 10, Instructions: 104COMMON

Download Yara Rule

APIs

Part of subcall function 00DA301F: CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 00DA3027

InterlockedIncrement.KERNEL32(00F1F1DC), ref: 00DA2F38
InterlockedIncrement.KERNEL32(00F1F1DC), ref: 00DA2F42
setsockopt.WS2_32(?,0000FFFF,00001001,?,00000004), ref: 00DA2F68
setsockopt.WS2_32(?,0000FFFF,00001002,00040000,00000004), ref: 00DA2F80
ResetEvent.KERNEL32(?), ref: 00DA2FB9
SetLastError.KERNEL32 ref: 00DA2FCD
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 00DA2FFF

Part of subcall function 00DA372B: GetCurrentThreadId.KERNEL32 ref: 00DA3731
Part of subcall function 00DA372B: SetEvent.KERNEL32(?,00000000,?,?,?,?,00DA300E), ref: 00DA3788
Part of subcall function 00DA372B: SetLastError.KERNEL32(0000139F,?,?,?,?,00DA300E,?,?,?,?,?,?,?,?,?,00000000), ref: 00DA37B1

SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00DA300F

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: ErrorLast$EventIncrementInterlockedsetsockopt$CreateCurrentResetThreadTimerWaitable
String ID:
API String ID: 1321792636-0
Opcode ID: 599cedc265d97cec5551628ad6773f1f8c358703f313969ca9c6097f02cb080c
Instruction ID: b474790eac8979b531a7e8c8b62cad190ebd5c1b0c6716a4fe54fe3558d066b7
Opcode Fuzzy Hash: 599cedc265d97cec5551628ad6773f1f8c358703f313969ca9c6097f02cb080c
Instruction Fuzzy Hash: F6317CB1500704AFD760AF6ACC88E6BBBF9FF89308F14442AE586D3650D7B1A9459F21

Uniqueness

Uniqueness Score: -1.00%

Function 00DB71ED Relevance: 15.1, APIs: 10, Instructions: 98threadCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 00DB720B
WindowFromPoint.USER32(?,?), ref: 00DB721A
GetActiveWindow.USER32 ref: 00DB723C
GetCurrentThreadId.KERNEL32 ref: 00DB7254
GetWindowThreadProcessId.USER32(?,00000000), ref: 00DB7263
GetDesktopWindow.USER32 ref: 00DB726F

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Window$Thread$ActiveCaptureCurrentDesktopFromPointProcess
String ID:
API String ID: 1298419125-0
Opcode ID: 4b8a6e06bcc0dcf04550647227836b9da1e37a8306af591eb0c2513bd8adf51c
Instruction ID: 63c386900feeb3138a977af43fc974fa1b401bba17506c3007b2c29fd1d394b2
Opcode Fuzzy Hash: 4b8a6e06bcc0dcf04550647227836b9da1e37a8306af591eb0c2513bd8adf51c
Instruction Fuzzy Hash: A8315D72D04218DFCB11ABE5C9888EEBBB5FB84354B590169F847A7210DB31CE42DBB5

Uniqueness

Uniqueness Score: -1.00%

Function 00DA8EA8 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 245memoryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00DA8EB2
MapDialogRect.USER32(?,?), ref: 00DA8F50
SysAllocStringLen.OLEAUT32(?,?), ref: 00DA8F6F
CLSIDFromString.OLE32(?,?,00000000), ref: 00DA906D

Part of subcall function 00DA6304: _malloc.LIBCMT ref: 00DA6322

CLSIDFromProgID.OLE32(?,?,00000000), ref: 00DA9075
SetWindowPos.USER32(?,?,00000000,00000000,00000000,00000000,00000013,00000001,00000000,?,00000000,?,?,00000000,?,00000000), ref: 00DA911D
SysFreeString.OLEAUT32(00000000), ref: 00DA916F

Strings

`<u, xrefs: 00DA916F

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: String$From$AllocDialogFreeH_prolog3_ProgRectWindow_malloc
String ID: `<u
API String ID: 2980224915-3367579956
Opcode ID: 788ab6a6b76dd8daead03f25cf4076a614e19802f8a211808b7aa95133506e7f
Instruction ID: 3da92c0df0e245485745052e5ebf845c8f09173a1fb83a22992ba20428348d9a
Opcode Fuzzy Hash: 788ab6a6b76dd8daead03f25cf4076a614e19802f8a211808b7aa95133506e7f
Instruction Fuzzy Hash: 58B11275D00219DFCB14DFA8C984AEDBBF5FF09304F14812AE819AB251E774AA85CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00DD841F Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 225windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00DD843F
SendMessageW.USER32(?,00000362,0000E001,00000000), ref: 00DD847F
GetParent.USER32(?), ref: 00DD8513
PostMessageW.USER32(?,-00000111,?,00000000), ref: 00DD85B7
GetParent.USER32(?), ref: 00DD861B
InvalidateRect.USER32(?,?,00000001,?), ref: 00DD868D
UpdateWindow.USER32(?), ref: 00DD8699

Strings

p, xrefs: 00DD844C, 00DD8520, 00DD8628

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Parent$Message$InvalidatePostRectSendUpdateWindow
String ID: p
API String ID: 896913059-2678736219
Opcode ID: 326f86da8735b2f6a29d49878c1e5b18568825fedcd538394de0ceb99283e4f8
Instruction ID: e1c2b0a67b140f1e6812b84412984fd9f87d3143653de19be11a22d37c3b9101
Opcode Fuzzy Hash: 326f86da8735b2f6a29d49878c1e5b18568825fedcd538394de0ceb99283e4f8
Instruction Fuzzy Hash: AD71A0326002059FCB26AF68DC55BAE77B6FF44710F19012AF906AB391DF71D940ABB1

Uniqueness

Uniqueness Score: -1.00%

Function 034856D4 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 195threadtimenetworkCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 034856E4
SetWaitableTimer.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 03485744
__alloca_probe_16.LIBCMT ref: 0348577B
WSAWaitForMultipleEvents.WS2_32(00000004,?,00000000,000000FF,00000000), ref: 03485827
GetCurrentThreadId.KERNEL32 ref: 0348592F

Part of subcall function 03485DFA: send.WS2_32(?,00000000,00000000,00000000), ref: 03485E5F
Part of subcall function 03485DFA: WSAGetLastError.WS2_32 ref: 03485EA4

Strings

---------------> Client Worker Thread 0x%08X started <---------------, xrefs: 034856EB
---------------> Client Worker Thread 0x%08X stoped <---------------, xrefs: 03485936

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: CurrentThread$ErrorEventsLastMultipleTimerWaitWaitable__alloca_probe_16send
String ID: ---------------> Client Worker Thread 0x%08X started <---------------$---------------> Client Worker Thread 0x%08X stoped <---------------
API String ID: 3753095551-654994865
Opcode ID: 6b2ecfe6c32ffd34484c71c4d3b7b8dd4baf88aa2c6fdbc61de8e8f907c8db30
Instruction ID: c39e93c9afbaaaf2597ef43935e243d07d0cbd8c8f03b2e326b4f1c468a33f6c
Opcode Fuzzy Hash: 6b2ecfe6c32ffd34484c71c4d3b7b8dd4baf88aa2c6fdbc61de8e8f907c8db30
Instruction Fuzzy Hash: 83812774E00209EFDB14EBA9C845BAEBBB1EF0A314F1444ABD911AF380DB355A51CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00DC44D5 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00DC44DC
_memset.LIBCMT ref: 00DC4547

Part of subcall function 00DBCAF0: _memset.LIBCMT ref: 00DBCAFC

VariantClear.OLEAUT32(?), ref: 00DC4584
SysFreeString.OLEAUT32(?), ref: 00DC4601
SysFreeString.OLEAUT32(?), ref: 00DC460F
SysFreeString.OLEAUT32(?), ref: 00DC461D
VariantClear.OLEAUT32(?), ref: 00DC4632

Part of subcall function 00DC3F95: __EH_prolog3.LIBCMT ref: 00DC3F9F
Part of subcall function 00DC3F95: VariantClear.OLEAUT32(?), ref: 00DC3FFE

Part of subcall function 00DBCACC: VariantCopy.OLEAUT32(?,?), ref: 00DBCADD

Strings

`<u, xrefs: 00DC4601, 00DC460F, 00DC461D

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Variant$ClearFreeString$H_prolog3_memset$Copy
String ID: `<u
API String ID: 2905758408-3367579956
Opcode ID: daa0c746f05bf75e7849f2fcead559461bb5a749619310b10416b3b06f9a75e7
Instruction ID: b34a9d5fd8a8a100becd7f4bf369bc459e28aae67b56c3f075c031c31bafa8d9
Opcode Fuzzy Hash: daa0c746f05bf75e7849f2fcead559461bb5a749619310b10416b3b06f9a75e7
Instruction Fuzzy Hash: 8351E4B1D0020AEFCB14DFA4C894EEEBBB9FF49309F18452DE116AB251D771A945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00E284AC Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E284B3

Part of subcall function 00E30678: __EH_prolog3.LIBCMT ref: 00E3067F

SetRectEmpty.USER32(?), ref: 00E28649
SetRectEmpty.USER32(?), ref: 00E28652
SetRectEmpty.USER32(?), ref: 00E2867F
SetRectEmpty.USER32(?), ref: 00E286E5
SetRectEmpty.USER32(?), ref: 00E286EE
SetRectEmpty.USER32(?), ref: 00E286F7

Strings

L, xrefs: 00E28580

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: EmptyRect$H_prolog3
String ID: L
API String ID: 3752103406-4033448573
Opcode ID: 093b1ca6b858a9e9e985ba076dcf0879f52419e012387972269afb1cbef9e36f
Instruction ID: d715a544a89baa4c59d8e8af5ea9677f8dac15ae65ac08123a1a3408f09c1731
Opcode Fuzzy Hash: 093b1ca6b858a9e9e985ba076dcf0879f52419e012387972269afb1cbef9e36f
Instruction Fuzzy Hash: 7E6156B1802B458FC761EF7A85897DAFBE8BFA5300F104A1F90AF92261DBB42145CF15

Uniqueness

Uniqueness Score: -1.00%

Function 034924A3 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 99fileCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 034924E5
CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 03492503
WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 0349253D

Strings

%s %s, xrefs: 03492579

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: File$CreateWrite_memset
String ID: %s %s
API String ID: 1195118367-2939940506
Opcode ID: 03b57fbb54ac4cf1650b0348141f3bf43457b02b6f8e8d2939db223c854b3604
Instruction ID: cd58e1f667e8e1af4ca80fe80658584c81cbdbfcbd3637c95a0233390af35f54
Opcode Fuzzy Hash: 03b57fbb54ac4cf1650b0348141f3bf43457b02b6f8e8d2939db223c854b3604
Instruction Fuzzy Hash: 8C31127195061DBFEFA0DA64DC49FDBBBBCAB04311F0044A7A509FA180EB70AA84CF54

Uniqueness

Uniqueness Score: -1.00%

Function 03492D24 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 96stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 03492D35
_memmove.LIBCMT ref: 03492D7B
GetFileAttributesW.KERNEL32(00000000), ref: 03492DAD
GetLastError.KERNEL32 ref: 03492DB8

Strings

D, xrefs: 03492DEA
WinSta0\Default, xrefs: 03492DF1

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: AttributesErrorFileLast_memmovelstrlen
String ID: D$WinSta0\Default
API String ID: 2661315425-1101385590
Opcode ID: 78a43b932e14f39de34c8c86b897ff134c852bb15cfcceb6083b0ec50b4aab83
Instruction ID: 52d660d626d8ed11f813b30f894296c7c5e8e62ba3712dc7b2c77a166d5d75f0
Opcode Fuzzy Hash: 78a43b932e14f39de34c8c86b897ff134c852bb15cfcceb6083b0ec50b4aab83
Instruction Fuzzy Hash: F9312C76D00308AFEF15EFA4DD45BADBBB5EB04311F20052BE509EE190DB719A45DB18

Uniqueness

Uniqueness Score: -1.00%

Function 034A0A5F Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 92memorylibraryloaderCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 034A0A88
GetSystemInfo.KERNEL32(?), ref: 034A0AA0
GetModuleHandleW.KERNEL32(kernel32.dll), ref: 034A0AB0
GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 034A0AC0
VirtualAlloc.KERNEL32(?,-00000001,00001000,00000004), ref: 034A0B12
VirtualProtect.KERNEL32(?,-00000001,00000104,?), ref: 034A0B27

Strings

kernel32.dll, xrefs: 034A0AA9
SetThreadStackGuarantee, xrefs: 034A0ABA

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: Virtual$AddressAllocHandleInfoModuleProcProtectQuerySystem
String ID: SetThreadStackGuarantee$kernel32.dll
API String ID: 3290314748-423161677
Opcode ID: 8369456b5b023a34dd2ab6ba99195efd3da69ef7b2595b7dd8b8f435d8afc223
Instruction ID: 8c55021c895f1f32f375c7df9c32b5c22d3ff854a70fa25610fd7e63043dea60
Opcode Fuzzy Hash: 8369456b5b023a34dd2ab6ba99195efd3da69ef7b2595b7dd8b8f435d8afc223
Instruction Fuzzy Hash: BD318471E00619AFDB10DBE8DD84AEFB7B8EB14749F144116E511FB240EB70A944CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 03484D7D Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 35synchronizationsleepCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 03484D9D
Sleep.KERNEL32(00000258), ref: 03484DA8
InterlockedExchange.KERNEL32(?,00000000), ref: 03484DB7
WaitForSingleObject.KERNEL32(?,000000FF), ref: 03484DC5
WaitForSingleObject.KERNEL32(?,000000FF), ref: 03484DD3
Sleep.KERNEL32(0000012C), ref: 03484DEB

Strings

CTcpSocket::run_event_loop, xrefs: 03484D84
%s, xrefs: 03484D89

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: ObjectSingleWait$Sleep$ExchangeInterlocked
String ID: %s$CTcpSocket::run_event_loop
API String ID: 3137405945-2177198936
Opcode ID: 40dc83323999edcd8eff8e26144ac4e4abc28fdcfc081b639246206b2b3a8b9c
Instruction ID: e56b89275781dc26e1ce0f3de2f3f856b9fce04768d0e4af571404e9687c4433
Opcode Fuzzy Hash: 40dc83323999edcd8eff8e26144ac4e4abc28fdcfc081b639246206b2b3a8b9c
Instruction Fuzzy Hash: B7F0F635500204EFDF44EFA8DD49D4C7BF0EF08321B204285F220AE3E2DA729E109B15

Uniqueness

Uniqueness Score: -1.00%

Function 00DE25DC Relevance: 13.7, APIs: 9, Instructions: 242COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00DE25E6
GetWindowRect.USER32(?,?), ref: 00DE2635
OffsetRect.USER32(?,?,?), ref: 00DE264B

Part of subcall function 00DABA35: __EH_prolog3.LIBCMT ref: 00DABA3C
Part of subcall function 00DABA35: GetDC.USER32(00000000), ref: 00DABA68

CreateCompatibleDC.GDI32(?), ref: 00DE26BC
SelectObject.GDI32(?,?), ref: 00DE26DC
SelectObject.GDI32(?,?), ref: 00DE271E
CreateCompatibleDC.GDI32(?), ref: 00DE2837
SelectObject.GDI32(?,?), ref: 00DE2857
SelectObject.GDI32(?,00000000), ref: 00DE2887

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: ObjectSelect$CompatibleCreateRect$H_prolog3H_prolog3_OffsetWindow
String ID:
API String ID: 2818906880-0
Opcode ID: 9999e4bc57de565c6616ea2e9b5786d29afb192f727c7f37bb14816baedfaf3c
Instruction ID: a6944629d469b02a463e26082e626a6add29eec27bab3340af2fdd3da35c0870
Opcode Fuzzy Hash: 9999e4bc57de565c6616ea2e9b5786d29afb192f727c7f37bb14816baedfaf3c
Instruction Fuzzy Hash: CBA1E272D0025AAFCF15EFA5C985AEEBBB9FF08300F1441AAE905B7251DB315E45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00E3EA66 Relevance: 13.7, APIs: 9, Instructions: 240windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00E3EA6D
UnionRect.USER32(?,?,?), ref: 00E3EAC5
EqualRect.USER32(?,?), ref: 00E3EAD3
CreateCompatibleDC.GDI32(?), ref: 00E3EB0A
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00E3EB3A
SelectObject.GDI32(?,00000000), ref: 00E3EB9A
BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 00E3EBC4
BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 00E3ECD2
DeleteObject.GDI32(?), ref: 00E3ECF2

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: CompatibleCreateObjectRect$BitmapDeleteEqualH_prolog3_SelectUnion
String ID:
API String ID: 1408062871-0
Opcode ID: 59dc7db1633995fe631912e8ce25a175cb0050d9f9d2d5bed8c23a87de5b9ffd
Instruction ID: 9c85eee5846611f88e7cd13d006cd4eabe4db87bc008c254d73b10570649f103
Opcode Fuzzy Hash: 59dc7db1633995fe631912e8ce25a175cb0050d9f9d2d5bed8c23a87de5b9ffd
Instruction Fuzzy Hash: EDA1E071A01259EFCF14DFA4D9888EDBBB5FF08304F24912AE906AB351D730A946CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00DA6C40 Relevance: 13.7, APIs: 9, Instructions: 233filecomstringCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00DA6C47
OleDuplicateData.OLE32(?,?,00000000), ref: 00DA6CC8
GlobalLock.KERNEL32(00000000,0000005C), ref: 00DA6CF7
CopyMetaFileW.GDI32(?,00000000), ref: 00DA6D03
GlobalUnlock.KERNEL32(?), ref: 00DA6D13
GlobalFree.KERNEL32(?), ref: 00DA6D1C
GlobalUnlock.KERNEL32(?), ref: 00DA6D28

Part of subcall function 00DA6156: __EH_prolog3.LIBCMT ref: 00DA615D

lstrlenW.KERNEL32(?,0000005C), ref: 00DA6D88
CopyFileW.KERNEL32(?,?,00000000,?,?,0000005C), ref: 00DA6E80

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Global$CopyFileUnlock$DataDuplicateFreeH_prolog3H_prolog3_LockMetalstrlen
String ID:
API String ID: 3994854817-0
Opcode ID: c45590ca707a1dcae2dc5f80c896657b69a68bb45c7a05ca68773abd4a9a308f
Instruction ID: 5b5eb02bf189891947407fe1b1815ae331c37389922dd38ff126d2c7fa7ec0b8
Opcode Fuzzy Hash: c45590ca707a1dcae2dc5f80c896657b69a68bb45c7a05ca68773abd4a9a308f
Instruction Fuzzy Hash: F2819DB190060AEFDB249FA0CD8892ABBB9FF4A75471C8528F4A6D7650D730EC51CB70

Uniqueness

Uniqueness Score: -1.00%

Function 00E02079 Relevance: 13.7, APIs: 9, Instructions: 189COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 00E020EC
InvalidateRect.USER32(?,?,00000001), ref: 00E0214F
InvalidateRect.USER32(?,?,00000001), ref: 00E0215A

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Rect$Invalidate$Empty
String ID:
API String ID: 1126320529-0
Opcode ID: 029dc4c415ca966eabdcdf394070d6e74139abb114f203b274f0b35943966a42
Instruction ID: dea2a6563188e0054c24c7555cb6cc04969216202b0a2974e8c2650a13432013
Opcode Fuzzy Hash: 029dc4c415ca966eabdcdf394070d6e74139abb114f203b274f0b35943966a42
Instruction Fuzzy Hash: A3615B71A002099FCB11CF64C888AEEB7F5FF48304F1540A9EA05BB291D771AD81CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DCA621 Relevance: 13.7, APIs: 9, Instructions: 181windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00DCA628
MessageBeep.USER32(000000FF), ref: 00DCA646
ScreenToClient.USER32(?,?), ref: 00DCA6AC
UpdateWindow.USER32(?), ref: 00DCA721
UpdateWindow.USER32(?), ref: 00DCA763

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: UpdateWindow$BeepClientH_prolog3_MessageScreen
String ID:
API String ID: 2499273244-0
Opcode ID: 6bcbd9ec429b5b092db2d3ce095146143418c43b88eb6b6b579e9707ed1a32ba
Instruction ID: 94fee8db3c2e978df8d3f0a68bdddc3f632f043fb4d7f2b7e4c6b8ae6126aa31
Opcode Fuzzy Hash: 6bcbd9ec429b5b092db2d3ce095146143418c43b88eb6b6b579e9707ed1a32ba
Instruction Fuzzy Hash: 87715074A0060A9FCF14EFA8C895EADB7B5FF08368F14422DF515A72A0DB349902DF21

Uniqueness

Uniqueness Score: -1.00%

Function 00DE0B37 Relevance: 13.7, APIs: 9, Instructions: 168windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E47477: GetParent.USER32(?), ref: 00E47483
Part of subcall function 00E47477: GetParent.USER32(00000000), ref: 00E47486

Part of subcall function 00DB5A26: GetWindowLongW.USER32(?,000000F0), ref: 00DB5A31

GetParent.USER32(?), ref: 00DE0B98
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 00DE0BAD
GetClientRect.USER32(?,?), ref: 00DE0C14
GetClientRect.USER32(?,?), ref: 00DE0C29

Part of subcall function 00DAB719: ClientToScreen.USER32(?,?), ref: 00DAB72A
Part of subcall function 00DAB719: ClientToScreen.USER32(?,?), ref: 00DAB737

GetWindowRect.USER32(?,?), ref: 00DE0C49

Part of subcall function 00DB5D83: SetWindowPos.USER32(?,?,?,?,?,?,?,?,00DAA8C8,00000000,00000000,00000000,00000000,00000000,00000097,?), ref: 00DB5DAB

GetParent.USER32(?), ref: 00DE0C98
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 00DE0CAC
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00DE0D01
PostMessageW.USER32(?,00000000,00000000), ref: 00DE0D23

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: ClientMessageParent$RectSendWindow$Screen$LongPost
String ID:
API String ID: 3884207962-0
Opcode ID: 8f1c74e6b57e0c7417e52e971c5d109a6523be13ddcdc3ecc1e299fa1cd9dad0
Instruction ID: 906470060108005892bcbb1e6914d35c57f85668c2d3c1f65716af2d9788ac27
Opcode Fuzzy Hash: 8f1c74e6b57e0c7417e52e971c5d109a6523be13ddcdc3ecc1e299fa1cd9dad0
Instruction Fuzzy Hash: 256114B1900209AFCB14DFA9DD84AEEBBF5FF88304F14416AE905BB261C771A945CF60

Uniqueness

Uniqueness Score: -1.00%

Function 03494AF0 Relevance: 13.7, APIs: 9, Instructions: 165COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000007F,?,?,?,?,?,0348FFAE,00000000,Main), ref: 03494B1F
SetLastError.KERNEL32(0000007F,?,?,?,?,?,0348FFAE,00000000,Main), ref: 03494B4B

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 34761e1de37f7c0036bde89f2e7d2df7ad84377358b2023df3f038821e328b72
Instruction ID: 0cd50cef87e844cd537fe1d27e43bcf4c7dd6325911ae69b4f5a91bc999c3611
Opcode Fuzzy Hash: 34761e1de37f7c0036bde89f2e7d2df7ad84377358b2023df3f038821e328b72
Instruction Fuzzy Hash: 0371BF74E00209EFDF04DF99C594AADBBF1FF08314F55849AE416AB391D735AA42CB24

Uniqueness

Uniqueness Score: -1.00%

Function 00DDC373 Relevance: 13.6, APIs: 9, Instructions: 150windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DB7A7F: GetFocus.USER32 ref: 00DB7A85
Part of subcall function 00DB7A7F: GetParent.USER32(00000000), ref: 00DB7AAD
Part of subcall function 00DB7A7F: GetWindowLongW.USER32(?,000000F0), ref: 00DB7AC8
Part of subcall function 00DB7A7F: GetParent.USER32(?), ref: 00DB7AD6
Part of subcall function 00DB7A7F: GetDesktopWindow.USER32 ref: 00DB7ADA
Part of subcall function 00DB7A7F: SendMessageW.USER32(00000000,0000014F,00000000,00000000), ref: 00DB7AEE

GetMenu.USER32(?), ref: 00DDC3ED
GetMenuItemCount.USER32(?), ref: 00DDC41D
GetSubMenu.USER32(?,00000000), ref: 00DDC42E
GetMenuItemCount.USER32(?), ref: 00DDC450
GetMenuItemID.USER32(?,00000000), ref: 00DDC471
GetSubMenu.USER32(?,00000000), ref: 00DDC489
GetMenuItemID.USER32(?,00000000), ref: 00DDC4A1
GetMenuItemCount.USER32(?), ref: 00DDC4D8
GetMenuItemID.USER32(?,00000000), ref: 00DDC4F3

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Menu$Item$Count$ParentWindow$DesktopFocusLongMessageSend
String ID:
API String ID: 4186786570-0
Opcode ID: c3f4a35ef81c0d257f9fdd588c923b80f2ea68baee15494f96c711cfbf348cd8
Instruction ID: 7017a4ba0ecc751f322f58f7406921a1dba39c7c79aa159f7e4131f9e309edb1
Opcode Fuzzy Hash: c3f4a35ef81c0d257f9fdd588c923b80f2ea68baee15494f96c711cfbf348cd8
Instruction Fuzzy Hash: 33518B3191020ADFCF119FA8DD84AAEB7B5FF48300F285566E816E6261DB31ED41DB31

Uniqueness

Uniqueness Score: -1.00%

Function 00DCAFB0 Relevance: 13.6, APIs: 9, Instructions: 129windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32(?,0000420F,00000001), ref: 00DCB004
EnableMenuItem.USER32(?,0000420E,00000001), ref: 00DCB020
CheckMenuItem.USER32(?,00004213,00000008), ref: 00DCB055
EnableMenuItem.USER32(?,00004212,00000001), ref: 00DCB075
EnableMenuItem.USER32(?,00004212,00000001), ref: 00DCB099
EnableMenuItem.USER32(?,00004213,00000001), ref: 00DCB0A5
EnableMenuItem.USER32(?,00004214,00000001), ref: 00DCB0B1
EnableMenuItem.USER32(?,00004215,00000001), ref: 00DCB0F9
CheckMenuItem.USER32(?,00004215,00000008), ref: 00DCB10D

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: ItemMenu$Enable$Check
String ID:
API String ID: 1852492618-0
Opcode ID: bcd0a0e1af51f00dd7fbad594b502b98e71d74eb9f5a475101277dbbf775355d
Instruction ID: 38b772f875ddd1cab459a6a648a2b563934aad5458467306545db7a2a8fb5adb
Opcode Fuzzy Hash: bcd0a0e1af51f00dd7fbad594b502b98e71d74eb9f5a475101277dbbf775355d
Instruction Fuzzy Hash: 8841A270780206EBDF208F15CC86F16B7A1BF15764F18817AFA15AB1E1D7B1DC50EAA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E391BF Relevance: 13.6, APIs: 9, Instructions: 121clipboardwindowCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00E391C6

Part of subcall function 00DABAC4: __EH_prolog3.LIBCMT ref: 00DABACB
Part of subcall function 00DABAC4: GetWindowDC.USER32(00000000,00000004), ref: 00DABAF7

CreateCompatibleDC.GDI32(00000000), ref: 00E391F9
CreateCompatibleBitmap.GDI32(?,00000010,00000010), ref: 00E3921C
FillRect.USER32(?,00000000), ref: 00E39294
OpenClipboard.USER32(?), ref: 00E392CB
EmptyClipboard.USER32 ref: 00E392DD
CloseClipboard.USER32 ref: 00E392F4
SetClipboardData.USER32(00000002,00000000), ref: 00E3930A
CloseClipboard.USER32 ref: 00E39321

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Clipboard$CloseCompatibleCreate$BitmapDataEmptyFillH_prolog3H_prolog3_catch_OpenRectWindow
String ID:
API String ID: 2025026072-0
Opcode ID: 7fb025f712df35d26244e26eb6871f0a83298d879d617102b135c65840a1a02f
Instruction ID: e1ad4add1c9d5b22685550729e08b86da61ffe0df419144f83877f1827f99224
Opcode Fuzzy Hash: 7fb025f712df35d26244e26eb6871f0a83298d879d617102b135c65840a1a02f
Instruction Fuzzy Hash: D4415C31C00248AEDF01EBE4D949AEEBFB8EF1A324F148169F411722A2DB754A05DB71

Uniqueness

Uniqueness Score: -1.00%

Function 00E00905 Relevance: 13.6, APIs: 9, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E0090C
_memset.LIBCMT ref: 00E0092C
SendMessageW.USER32 ref: 00E00954
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 00E00974
SHGetDesktopFolder.SHELL32(?), ref: 00E0099C
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 00E009C5
SendMessageW.USER32(?,00001115,00000000,?), ref: 00E009FC
SendMessageW.USER32(00DFFE88,0000000B,00000001,00000000), ref: 00E00A06
RedrawWindow.USER32(00DFFE88,00000000,00000000,00000105), ref: 00E00A12

Part of subcall function 00DB4EE7: __EH_prolog3_catch_GS.LIBCMT ref: 00DB4EF1

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: MessageSend$DesktopFolderH_prolog3H_prolog3_catch_RedrawWindow_memset
String ID:
API String ID: 3540180273-0
Opcode ID: 8d7720dbd378f573a658fdbc34100ebbc24c29dfd6d0e83c8cc2c2e6cd5f769a
Instruction ID: 6d754797766cfb35f72671dd7ef5deacee85dc46324a475ce0cfd957ea0faa41
Opcode Fuzzy Hash: 8d7720dbd378f573a658fdbc34100ebbc24c29dfd6d0e83c8cc2c2e6cd5f769a
Instruction Fuzzy Hash: 444141B1900209AFDB14DFA0CC85EAEBBB9FF48344F504529F556BA1A1D7719D41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00DB68FD Relevance: 13.6, APIs: 9, Instructions: 96memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00DB6904
EnterCriticalSection.KERNEL32(?,00000010,00DB6ACD,?,00000000,?,00000004,00DAEC17,00DA646D,00DA7D07,00000414,00DA44F4), ref: 00DB6915
TlsGetValue.KERNEL32(?,?,00000000,?,00000004,00DAEC17,00DA646D,00DA7D07,00000414,00DA44F4), ref: 00DB6933
LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,00DAEC17,00DA646D,00DA7D07,00000414,00DA44F4), ref: 00DB6967
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,00DAEC17,00DA646D,00DA7D07,00000414,00DA44F4), ref: 00DB69D3
_memset.LIBCMT ref: 00DB69F2
TlsSetValue.KERNEL32(?,00000000), ref: 00DB6A03
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,00DAEC17,00DA646D,00DA7D07,00000414,00DA44F4), ref: 00DB6A24

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
String ID:
API String ID: 1891723912-0
Opcode ID: 13c7316775c3133f1d6c313ab305bf81e421b1b079c3356d02f765ba879d873e
Instruction ID: 3f943a3edc3a27152e25e9ceadce51d5f622c151ad1937d1289f9d303ea2c027
Opcode Fuzzy Hash: 13c7316775c3133f1d6c313ab305bf81e421b1b079c3356d02f765ba879d873e
Instruction Fuzzy Hash: EB31ABB140060AEFCB24AF50D885CAABBA1FF05314B24C53EE957A7560CB36E954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DA4063 Relevance: 13.6, APIs: 9, Instructions: 57COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000139F,?,?,?,?,00DA3E9E,00000000), ref: 00DA4076
TryEnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,00DA3E9E,00000000), ref: 00DA408F
TryEnterCriticalSection.KERNEL32(?,?,?,?,?,?,00DA3E9E,00000000), ref: 00DA4099
SetLastError.KERNEL32(0000139F,?,?,?,?,?,00DA3E9E,00000000), ref: 00DA40B0
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,00DA3E9E,00000000), ref: 00DA40B9
LeaveCriticalSection.KERNEL32(00000004,?,?,?,?,?,00DA3E9E,00000000), ref: 00DA40BE

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID:
API String ID: 4082018349-0
Opcode ID: 5384d8d296bcd43d81dfb8ce28686eeadcaa392c3f01f49a9b83162b8df844a9
Instruction ID: bb4838ecb815b77a905a88aeeb4994a72ed82fb557607a5dd73bb70fdfed07e3
Opcode Fuzzy Hash: 5384d8d296bcd43d81dfb8ce28686eeadcaa392c3f01f49a9b83162b8df844a9
Instruction Fuzzy Hash: 6301C472500208EFC720AB76CC49D6FBBEDEF893587094439E652E2060D6F1E84ADB75

Uniqueness

Uniqueness Score: -1.00%

Function 00DD4FEB Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 246windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00DD5100
GetWindowRect.USER32(?,?), ref: 00DD5119
PtInRect.USER32(?,?,?), ref: 00DD5137
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00DD5148
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00DD51A0

Part of subcall function 00DB38C1: GetParent.USER32(?), ref: 00DB38CB

GetFocus.USER32 ref: 00DD527C

Part of subcall function 00DF442A: __EH_prolog3_GS.LIBCMT ref: 00DF4434
Part of subcall function 00DF442A: GetWindowRect.USER32(?,?), ref: 00DF44CD
Part of subcall function 00DF442A: SetRect.USER32(00000019,00000000,00000000,?,?), ref: 00DF44EF
Part of subcall function 00DF442A: CreateCompatibleDC.GDI32(?), ref: 00DF44FB
Part of subcall function 00DF442A: CreateCompatibleBitmap.GDI32(?,00000019,?), ref: 00DF4525
Part of subcall function 00DF442A: GetWindowRect.USER32(?,?), ref: 00DF4587
Part of subcall function 00DF442A: GetClientRect.USER32(?,?), ref: 00DF4590

Strings

X', xrefs: 00DD5027, 00DD502C, 00DD5039

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Rect$Window$CompatibleCreateMessageSend$BitmapClientCursorFocusH_prolog3_Parent
String ID: X'
API String ID: 2914356772-2274823755
Opcode ID: eb2b7b0b2d045cf9c012d47dd96c35135fccbb77ad646ad9639d5a639ccef065
Instruction ID: c0b9938c5d3397ed73e09716ed99f0c8060193a79236875c2c29ebc43bd4c5cd
Opcode Fuzzy Hash: eb2b7b0b2d045cf9c012d47dd96c35135fccbb77ad646ad9639d5a639ccef065
Instruction Fuzzy Hash: 5281C630600B049FCB259F649895ABD77F6FF89700B28416FE4069B35ADB719C458F71

Uniqueness

Uniqueness Score: -1.00%

Function 03490B96 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 245COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 03490BC8
wsprintfW.USER32 ref: 03490C00

Strings

%s_bin, xrefs: 03490BF4
E, xrefs: 03490EC8
E, xrefs: 03490B96

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: _memsetwsprintf
String ID: %s_bin$E$E
API String ID: 1984265443-2200726181
Opcode ID: 99cac167eaf1094619c4ed1af5d509590311ed0a2a2626a7783f8ba084b6cba8
Instruction ID: 921cea53fd683bc094e2554ed998da726bd26445d73af0c61b90edacce65f4ea
Opcode Fuzzy Hash: 99cac167eaf1094619c4ed1af5d509590311ed0a2a2626a7783f8ba084b6cba8
Instruction Fuzzy Hash: 72B1C079900218CFEF25DF58C844BEDBBB4AF09315F04409AE409AA2A0D7759E85CF58

Uniqueness

Uniqueness Score: -1.00%

Function 03486835 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 126COMMON

Download Yara Rule

Strings

CUdpSocket::OnReceive, xrefs: 0348691B
CUdpSocket::OnReceive, xrefs: 034868A8
%s %d, xrefs: 03486848
CUdpSocket::OnReceive, xrefs: 03486843
%s memcmp baddata , xrefs: 034868AD
%s memcmp baddata , xrefs: 03486920

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: _memmove
String ID: %s memcmp baddata $%s memcmp baddata $%s %d$CUdpSocket::OnReceive$CUdpSocket::OnReceive$CUdpSocket::OnReceive
API String ID: 4104443479-1242840546
Opcode ID: f9fb551478dac23fdff3c02303ffb701af2f2bb5824e58b24e3494098cee290b
Instruction ID: 9c83929dc4e917c1bafe4171b6a3e23a090f8a4d06cc788f3d77234faf765a02
Opcode Fuzzy Hash: f9fb551478dac23fdff3c02303ffb701af2f2bb5824e58b24e3494098cee290b
Instruction Fuzzy Hash: 52414174600205AFEB48FBD9C855BADB775EF45308F14009FE642AF2C1CA796A51CA1D

Uniqueness

Uniqueness Score: -1.00%

Function 03484E02 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 126COMMON

Download Yara Rule

Strings

CTcpSocket::OnReceive, xrefs: 03484E0D
%s memcmp baddata , xrefs: 03484ED4
%s memcmp baddata , xrefs: 03484E6D
%s, xrefs: 03484E12
CTcpSocket::OnReceive, xrefs: 03484ECF
CTcpSocket::OnReceive, xrefs: 03484E68

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: _memmove
String ID: %s$%s memcmp baddata $%s memcmp baddata $CTcpSocket::OnReceive$CTcpSocket::OnReceive$CTcpSocket::OnReceive
API String ID: 4104443479-1824560099
Opcode ID: d35a55b72f3de72dcf1f2c3c90d7d92230082560734066cc1946c3fd20f9f6c0
Instruction ID: 78fe6416a7326c7dca74ce7aee895a9fead8c06d5f775e601a7d5a9f33c7fb8b
Opcode Fuzzy Hash: d35a55b72f3de72dcf1f2c3c90d7d92230082560734066cc1946c3fd20f9f6c0
Instruction Fuzzy Hash: 9141F279A00244BFDB08FB99D891BBDB775AF44358F14008FE502AF381CA71AA91CA1D

Uniqueness

Uniqueness Score: -1.00%

Function 034852A8 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 125networkCOMMON

Download Yara Rule

APIs

Part of subcall function 03485457: CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 03485464

Part of subcall function 034813BF: InterlockedIncrement.KERNEL32(?), ref: 034813C5

setsockopt.WS2_32(?,0000FFFF,00001001,00040000,00000004), ref: 03485376
setsockopt.WS2_32(?,0000FFFF,00001002,00040000,00000004), ref: 03485399
WSAGetLastError.WS2_32(?,?), ref: 03485407
GetLastError.KERNEL32(00000000,00000005,00000000,00000001,0000000B,CUdpSocket::Start,00000000), ref: 03485436
SetLastError.KERNEL32(?), ref: 0348544A

Part of subcall function 0348624B: SetLastError.KERNEL32(?), ref: 03486274

Strings

CUdpSocket::Start, xrefs: 0348540E
CUdpSocket::Start, xrefs: 034853F6

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: ErrorLast$setsockopt$CreateIncrementInterlockedTimerWaitable
String ID: CUdpSocket::Start$CUdpSocket::Start
API String ID: 1541469502-3840691471
Opcode ID: 873d04a3e3b391a81ff4190a42548e1a55595334041352f618e53b05c6212d5e
Instruction ID: bae8d31e52fd0a9825c9d7b2141034da9afd8fbf335b38c82b81b67ca0539f7a
Opcode Fuzzy Hash: 873d04a3e3b391a81ff4190a42548e1a55595334041352f618e53b05c6212d5e
Instruction Fuzzy Hash: 2E510674A60218AFDB14EB94EC55FADB7B1BF09B05F1400AAF601BF2D1DBB16844CB18

Uniqueness

Uniqueness Score: -1.00%

Function 00DBCF16 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 123COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00DBCF1D

Part of subcall function 00DA6156: __EH_prolog3.LIBCMT ref: 00DA615D

Strings

`<u, xrefs: 00DBD025, 00DBD04B, 00DBD088
Invalid DateTime, xrefs: 00DBCF9F, 00DBD033

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: H_prolog3
String ID: Invalid DateTime$`<u
API String ID: 431132790-2078082403
Opcode ID: 65e2e8c8f76247881dcac2e229f4deec6c1ca0fe5dd70424c51d5db097be4d9e
Instruction ID: c732306be935912742314f4db49c36da6b7bbda7ab2d8c7928c87e04cec53fe9
Opcode Fuzzy Hash: 65e2e8c8f76247881dcac2e229f4deec6c1ca0fe5dd70424c51d5db097be4d9e
Instruction Fuzzy Hash: 0C41A171500119EBCB04AFA4CC41AFE7B75FF45324B288615F46AAB2D2DFB0D90187B5

Uniqueness

Uniqueness Score: -1.00%

Function 00DAAC12 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 117threadwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DAAB60: GetParent.USER32(?), ref: 00DAABB4
Part of subcall function 00DAAB60: GetLastActivePopup.USER32(?), ref: 00DAABC5
Part of subcall function 00DAAB60: IsWindowEnabled.USER32(?), ref: 00DAABD9
Part of subcall function 00DAAB60: EnableWindow.USER32(?,00000000), ref: 00DAABEC

EnableWindow.USER32(?,00000001), ref: 00DAAC5F
GetWindowThreadProcessId.USER32(?,?), ref: 00DAAC73
GetCurrentProcessId.KERNEL32 ref: 00DAAC7D
SendMessageW.USER32(?,00000376,00000000,00000000), ref: 00DAAC95
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00DAAD11
EnableWindow.USER32(00000000,00000001), ref: 00DAAD58

Strings

0, xrefs: 00DAACEA

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
String ID: 0
API String ID: 1877664794-4108050209
Opcode ID: 76628a28d20e2710906443a392f6512e193867bbb58f5c695748d0c761574c09
Instruction ID: 14d8a226fb4df9f9b9efd4bba9cae93fee6b9d7174ee1f228fe2e461c4d566f2
Opcode Fuzzy Hash: 76628a28d20e2710906443a392f6512e193867bbb58f5c695748d0c761574c09
Instruction Fuzzy Hash: C841D336A0021CAFDB209F68DC89BE9B7B5FF05310F180669F415E6190D771CE81CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00DBA9E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 116memoryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00DBA9E9
SysStringLen.OLEAUT32(00000000), ref: 00DBAA38

Part of subcall function 00DA6304: _malloc.LIBCMT ref: 00DA6322

SysStringLen.OLEAUT32(00000000), ref: 00DBAA54
_memset.LIBCMT ref: 00DBAA68
SysAllocString.OLEAUT32(?), ref: 00DBAAA6
SysFreeString.OLEAUT32(00000000), ref: 00DBAAEF

Strings

`<u, xrefs: 00DBAAEF

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: String$AllocFreeH_prolog3_malloc_memset
String ID: `<u
API String ID: 1388600264-3367579956
Opcode ID: e4415cb79a9ea8733f2bca89c71de710c7fe9c9765b7b83bf8b079ef9943a83a
Instruction ID: f3fac154158cfe69b8ee57923f00ef24213ed1437fdf2ee56779bc98e0dc9869
Opcode Fuzzy Hash: e4415cb79a9ea8733f2bca89c71de710c7fe9c9765b7b83bf8b079ef9943a83a
Instruction Fuzzy Hash: D2417171900209DFDF14DFA8CC45AEE7BB8EF49314F144129F926AB291D6709951CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00E004AA Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 100windowmemoryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E004B1
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?,00000078), ref: 00E004D4

Part of subcall function 00DA6451: __CxxThrowException@8.LIBCMT ref: 00DA6467
Part of subcall function 00DA6451: __EH_prolog3.LIBCMT ref: 00DA6474

SHGetDesktopFolder.SHELL32(?), ref: 00E004E9
GlobalAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000040), ref: 00E004FE
SendMessageW.USER32 ref: 00E005A7
SendMessageW.USER32(?,00001102,00000002,00000000), ref: 00E005B4

Strings

g, xrefs: 00E004F7

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: FolderH_prolog3MessageSend$AllocDesktopException@8GlobalLocationSpecialThrow
String ID: g
API String ID: 2027722222-30677878
Opcode ID: 72df868b324c7324c0622314346fb4e7d1f25b3d813c2370a003c314c3eb03ff
Instruction ID: d9b5288207186864af73e259beb8ba3cb0e234d1c15484cc07383dd14b4ba7b0
Opcode Fuzzy Hash: 72df868b324c7324c0622314346fb4e7d1f25b3d813c2370a003c314c3eb03ff
Instruction Fuzzy Hash: 2A3168B1A002199FCB10DFA5CC89EAEBBF9FF89300F054569E515FB291DB759841CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00DBE4C4 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 95comCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00DBE4CE
GetStockObject.GDI32(00000011), ref: 00DBE4F9
GetStockObject.GDI32(0000000D), ref: 00DBE504
GetObjectW.GDI32(?,0000005C,?), ref: 00DBE523
GetDeviceCaps.GDI32(?,0000005A), ref: 00DBE5A6
OleCreateFontIndirect.OLEAUT32(00000020,00EF3DD0), ref: 00DBE5DC

Strings

, xrefs: 00DBE530

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Object$Stock$CapsCreateDeviceFontH_prolog3_Indirect
String ID:
API String ID: 721287286-3916222277
Opcode ID: 1f6fe56ebe76c10954f6b140337570433d4bf6573c35f782f5c021f66a2caf65
Instruction ID: 259acf5c690081bcc6a11872670e80fc6bdffb325352cf4c7a40db938f291af1
Opcode Fuzzy Hash: 1f6fe56ebe76c10954f6b140337570433d4bf6573c35f782f5c021f66a2caf65
Instruction Fuzzy Hash: A7410574E01258DEDB20DFB5C885BEDBBB0BF19304F1441AAE559E7282EB708A458F21

Uniqueness

Uniqueness Score: -1.00%

Function 00E00CF0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,?), ref: 00E00D37
_memset.LIBCMT ref: 00E00D44
SendMessageW.USER32(?,00001102,00008001,?), ref: 00E00DAD

Part of subcall function 00DA6451: __CxxThrowException@8.LIBCMT ref: 00DA6467
Part of subcall function 00DA6451: __EH_prolog3.LIBCMT ref: 00DA6474

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00E00D76
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00E00D81
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00E00D9B

Strings

@, xrefs: 00E00D55

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: MessageSend$Exception@8H_prolog3Throw_memset
String ID: @
API String ID: 3199205413-2766056989
Opcode ID: 50472ecd46b289e963afe0f21abd2290b1a63868bd65228ca2d16da6e7c4c84e
Instruction ID: 35701af267ffdfee03f837b5a3952b82f54f3a9ada1e2127ed7e96d6b04fbea0
Opcode Fuzzy Hash: 50472ecd46b289e963afe0f21abd2290b1a63868bd65228ca2d16da6e7c4c84e
Instruction Fuzzy Hash: 9C219F72640308BFEB219B95CC81FEA77A9FB58758F145021F644BA0E0E6B1ED808B70

Uniqueness

Uniqueness Score: -1.00%

Function 00DEC1AE Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00DEC1B5
GetSysColorBrush.USER32(00000018), ref: 00DEC1CE
FillRect.USER32(00000000,?,00000000), ref: 00DEC1DA
GetSysColor.USER32(00000017), ref: 00DEC202
GetSysColor.USER32(00000017), ref: 00DEC22C
GetSysColor.USER32(00000017), ref: 00DEC231

Strings

mmm, xrefs: 00DEC1F9

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Color$BrushFillH_prolog3Rect
String ID: mmm
API String ID: 24942539-1545505134
Opcode ID: 700e34c39ce0493f5ed1eac09e51a6c33156566c03530141d6ad7ade63797c40
Instruction ID: d42cff703c18bd6853896c55417655766dbf47589c60bca31d930e6401d2b1aa
Opcode Fuzzy Hash: 700e34c39ce0493f5ed1eac09e51a6c33156566c03530141d6ad7ade63797c40
Instruction Fuzzy Hash: B8115E762002499FCB00EFA5CC85EAE77A9FF88710B055029FA569B291CB70ED01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DCC871 Relevance: 12.3, APIs: 8, Instructions: 309timewindowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00DCC878
SetCursor.USER32(00000040), ref: 00DCC912

Part of subcall function 00DABA35: __EH_prolog3.LIBCMT ref: 00DABA3C
Part of subcall function 00DABA35: GetDC.USER32(00000000), ref: 00DABA68

Part of subcall function 00DC6F56: __EH_prolog3_GS.LIBCMT ref: 00DC6F5D
Part of subcall function 00DC6F56: CreateRectRgnIndirect.GDI32(?), ref: 00DC6F9A
Part of subcall function 00DC6F56: CopyRect.USER32(?,?), ref: 00DC6FB0
Part of subcall function 00DC6F56: InflateRect.USER32(?,?,?), ref: 00DC6FC6
Part of subcall function 00DC6F56: IntersectRect.USER32(?,?,?), ref: 00DC6FD4
Part of subcall function 00DC6F56: CreateRectRgnIndirect.GDI32(?), ref: 00DC6FDE
Part of subcall function 00DC6F56: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00DC6FF3
Part of subcall function 00DC6F56: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00DC705B

Part of subcall function 00DABA89: __EH_prolog3.LIBCMT ref: 00DABA90
Part of subcall function 00DABA89: ReleaseDC.USER32(?,00000000), ref: 00DABAAD

GetFocus.USER32 ref: 00DCC9B1
SetTimer.USER32(?,00000014,000001F4,00000000), ref: 00DCCA71
SendMessageW.USER32(?,00000362,0000E001,00000000), ref: 00DCCB16
KillTimer.USER32(?,00000014), ref: 00DCCC42
SetTimer.USER32(?,00000014,000001F4,00000000), ref: 00DCCC5F
UpdateWindow.USER32(?), ref: 00DCCC7E

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Rect$Create$Timer$H_prolog3H_prolog3_Indirect$CopyCursorFocusInflateIntersectKillMessageReleaseSendUpdateWindow
String ID:
API String ID: 2399994607-0
Opcode ID: 720fa620cf879ffe9770f2d34458b8ac175b9cb1e859fa877a7663c4a341e1e8
Instruction ID: 2d4c475773eb8a0443f254e19699bebe03ede1b78693bf6d7594019e6ea302e7
Opcode Fuzzy Hash: 720fa620cf879ffe9770f2d34458b8ac175b9cb1e859fa877a7663c4a341e1e8
Instruction Fuzzy Hash: F5C158316102069FDF258F64C989FA937A1AB08324F28527DEE1D9F296DB719D84CF30

Uniqueness

Uniqueness Score: -1.00%

Function 00DC06EC Relevance: 12.3, APIs: 8, Instructions: 297memoryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00DC06F3

Part of subcall function 00DBEC6C: SysStringLen.OLEAUT32(?), ref: 00DBEC76
Part of subcall function 00DBEC6C: CoGetClassObject.OLE32(?,?,00000000,00EF3CD0,?), ref: 00DBEC94

CreateILockBytesOnHGlobal.OLE32(00000000,00000001,?), ref: 00DC087D
StgCreateDocfileOnILockBytes.OLE32(?,00001012,00000000,?), ref: 00DC089E
GlobalAlloc.KERNEL32(00000000,00000000), ref: 00DC08EB
GlobalLock.KERNEL32(00000000), ref: 00DC08F9
GlobalUnlock.KERNEL32(?), ref: 00DC0911
CreateILockBytesOnHGlobal.OLE32(8007000E,00000001,?), ref: 00DC0934
StgOpenStorageOnILockBytes.OLE32(?,00000000,00000012,00000000,00000000,?), ref: 00DC0950

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: GlobalLock$Bytes$Create$AllocClassDocfileH_prolog3ObjectOpenStorageStringUnlock
String ID:
API String ID: 317715441-0
Opcode ID: f709910119541b948d0d5cae8818c15aa70a2daae85ca58289ad7bb18a03a714
Instruction ID: c627acab7755ba9a61d34da1f8ab21b02670007426316f28fc9229ca75a13691
Opcode Fuzzy Hash: f709910119541b948d0d5cae8818c15aa70a2daae85ca58289ad7bb18a03a714
Instruction Fuzzy Hash: 6AC1DAB4A0021ADFDF14DFA4C888EAEBBB9FF48304B14492DF515AB251CB759941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 034845A3 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 034845EA
CancelIo.KERNEL32(?), ref: 034845F6
InterlockedExchange.KERNEL32(?,00000000), ref: 03484605
closesocket.WS2_32(?), ref: 03484611
SetEvent.KERNEL32(?), ref: 0348461D

Strings

CTcpSocket::Disconnect, xrefs: 034845AB
%s, xrefs: 034845B0

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
String ID: %s$CTcpSocket::Disconnect
API String ID: 1486965892-2313599901
Opcode ID: 28cffa623e777538e4c41f3a24be36b2dfef267609a9e54106a0d10f2e473715
Instruction ID: 160ce590113dc3403a353716ff10db93cc705da07298e2a23ce6fc29d4f3ee03
Opcode Fuzzy Hash: 28cffa623e777538e4c41f3a24be36b2dfef267609a9e54106a0d10f2e473715
Instruction Fuzzy Hash: 4401C535A54208FFDB04EB98D84AE9DBFB4EF08315F1041A5F651AB2A1E771DA50CB18

Uniqueness

Uniqueness Score: -1.00%

Function 03490549 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 39fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,00000104), ref: 0349056E
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 03490580
GetTickCount.KERNEL32 ref: 03490586
wsprintfW.USER32 ref: 034905A0
MoveFileW.KERNEL32(?,?), ref: 034905B7
MoveFileExW.KERNEL32(?,00000000,00000004), ref: 034905C8

Strings

%s\%d.bak, xrefs: 03490594

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: File$Move$CountDirectoryModuleNameSystemTickwsprintf
String ID: %s\%d.bak
API String ID: 830686190-2116986511
Opcode ID: 9cb01a058a60b0e4a7972640114dd6a4da677f07280a956fa472601050ac851c
Instruction ID: c8fe3785ae0ea314460a966fc37e680552f230dcce5207cd2a98ea9e398c1d6c
Opcode Fuzzy Hash: 9cb01a058a60b0e4a7972640114dd6a4da677f07280a956fa472601050ac851c
Instruction Fuzzy Hash: A401F4B195021CAFDB50EFA4DC89ED977FCFB08700F4044A6A715EB044EA749AC98FA4

Uniqueness

Uniqueness Score: -1.00%

Function 00DD6C76 Relevance: 12.2, APIs: 8, Instructions: 241windowtimeCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00DD6C7D

Part of subcall function 00E33F33: __EH_prolog3.LIBCMT ref: 00E33F3A
Part of subcall function 00E33F33: EnterCriticalSection.KERNEL32(00F1A9EC,00000000,00DCD804,00000001), ref: 00E33F96
Part of subcall function 00E33F33: __beginthread.LIBCMT ref: 00E33FB0
Part of subcall function 00E33F33: SetThreadPriority.KERNEL32(00000000,000000FF), ref: 00E33FC9
Part of subcall function 00E33F33: LeaveCriticalSection.KERNEL32(00F1A9EC), ref: 00E33FE0

LoadCursorW.USER32(00000000,00007F00), ref: 00DD6CB0
GetClientRect.USER32(?,?), ref: 00DD6CFA

Part of subcall function 00DA6451: __CxxThrowException@8.LIBCMT ref: 00DA6467
Part of subcall function 00DA6451: __EH_prolog3.LIBCMT ref: 00DA6474

IsWindowVisible.USER32(?), ref: 00DD6F10
SetTimer.USER32(?,00000001,00000000), ref: 00DD6F2E
_clock.LIBCMT ref: 00DD6F34
InvalidateRect.USER32(?,00000000,00000001,00F18640,00000000,00000000,00000000,00000000,00000053), ref: 00DD6F99
UpdateWindow.USER32(?), ref: 00DD6FA2

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: CriticalH_prolog3RectSectionWindow$ClientCursorEnterException@8H_prolog3_InvalidateLeaveLoadPriorityThreadThrowTimerUpdateVisible__beginthread_clock
String ID:
API String ID: 2591694234-0
Opcode ID: 8c3941693a6cb9ecccbbe57218090ff6fff55228873f28e56ef32945f40eb6ad
Instruction ID: 453f37a6ae6596487c98b22fded4ecf0a97651274d7d073ad48bc25f8da0c8b3
Opcode Fuzzy Hash: 8c3941693a6cb9ecccbbe57218090ff6fff55228873f28e56ef32945f40eb6ad
Instruction Fuzzy Hash: D6A10775A00A459FCB24DF74D980AEEB7F5FF48300F18492EE55AA7340DB70A841CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E40970 Relevance: 12.2, APIs: 8, Instructions: 232windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E40977
CreateCompatibleDC.GDI32(?), ref: 00E409DA
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00E40A0C
SelectObject.GDI32(?,00000000), ref: 00E40A6A
_memmove.LIBCMT ref: 00E40AE0
_memmove.LIBCMT ref: 00E40B82
BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 00E40BB7
DeleteObject.GDI32(?), ref: 00E40BFD

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: CompatibleCreateObject_memmove$BitmapDeleteH_prolog3Select
String ID:
API String ID: 1211385342-0
Opcode ID: 722f28da108fe5d5d2d429fb71dfef691d0231a62898290c067a5ff86b2ae930
Instruction ID: 07b9776275342ca7d7832cbdea69a30229aa6e6261f204d18f30408326c61b21
Opcode Fuzzy Hash: 722f28da108fe5d5d2d429fb71dfef691d0231a62898290c067a5ff86b2ae930
Instruction Fuzzy Hash: A0916C71D00219DFCF10CFA8D985AEEBBB5FF48324F149229E915BB291C771AA05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00E5038D Relevance: 12.2, APIs: 8, Instructions: 183windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E50394
GetSystemMenu.USER32(?,00000000,00000038,00DE49C6,00000000,00000000,?), ref: 00E50442
IsMenu.USER32(?), ref: 00E50457
IsMenu.USER32(?), ref: 00E50468
GetWindowLongW.USER32(?,000000F0), ref: 00E50490
_memset.LIBCMT ref: 00E50572
GetMenuItemInfoW.USER32(00000000,0000F060,00000000,?), ref: 00E5058D
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 00E505E2

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Menu$Window$H_prolog3InfoItemLongRedrawSystem_memset
String ID:
API String ID: 428562733-0
Opcode ID: 239d756f116f2f25f17bfff5adbc6344a76865d8df22cb0bc709f89862825cf5
Instruction ID: 10d498274e7355188d622669c9d0ded165ccb09978ce13b0dfdf852cdd678330
Opcode Fuzzy Hash: 239d756f116f2f25f17bfff5adbc6344a76865d8df22cb0bc709f89862825cf5
Instruction Fuzzy Hash: 6071AC71900309AFDB21DF64C845BAEB7F4FF44315F245A29F866A6291EB70AA45CF20

Uniqueness

Uniqueness Score: -1.00%

Function 00DFEF1A Relevance: 12.1, APIs: 8, Instructions: 146windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 00DFEF63
ScreenToClient.USER32(00000000,?), ref: 00DFEFA8
SendMessageW.USER32(?,0000102C,00000000,00000003), ref: 00DFEFE6
SetCapture.USER32(?), ref: 00DFF00C
ReleaseCapture.USER32 ref: 00DFF047
ScreenToClient.USER32(?,?), ref: 00DFF066
GetSystemMetrics.USER32(00000044), ref: 00DFF0A1
GetSystemMetrics.USER32(00000045), ref: 00DFF0BD

Part of subcall function 00DFE4D4: SendMessageW.USER32(?,00001018,00000000,00000000), ref: 00DFE4E0

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: CaptureClientMessageMetricsScreenSendSystem$FocusRelease
String ID:
API String ID: 3871486171-0
Opcode ID: 452fea9db2e35cd71d808f1e2671ba7b7a5128df8747db57e3cabc147b9e52fb
Instruction ID: c881186b798a0e88022e446c52ee02ccd4fe03eddf2cfc0fb6f4a80bbb105e7d
Opcode Fuzzy Hash: 452fea9db2e35cd71d808f1e2671ba7b7a5128df8747db57e3cabc147b9e52fb
Instruction Fuzzy Hash: F0517F71A00609AFCB14DFB8C944AAABBF5FF18300F148539F696D7291DB71A981CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00DEC3F9 Relevance: 12.1, APIs: 8, Instructions: 138windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00DEC400
IsWindowVisible.USER32(?), ref: 00DEC459
CreateRectRgn.GDI32(00000000,00000000,?,?), ref: 00DEC48F
CreateRectRgn.GDI32(00000000,00000000,00000005,00000005), ref: 00DEC4AA
CreateEllipticRgn.GDI32(00000000,00000000,0000000B,0000000B,00000000), ref: 00DEC4D5
CreateRectRgn.GDI32(?,00000000,?,00000005), ref: 00DEC509
CreateEllipticRgn.GDI32(?,00000000,?,0000000B,00000000), ref: 00DEC53C

Part of subcall function 00DC6C69: CombineRgn.GDI32(?,?,?,?), ref: 00DC6C8E

SetWindowRgn.USER32(?,00000000,00000001), ref: 00DEC56E

Part of subcall function 00DA4EC8: __EH_prolog3_catch.LIBCMT ref: 00DA4EE7

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Create$Rect$EllipticWindow$CombineH_prolog3H_prolog3_catchVisible
String ID:
API String ID: 1498846911-0
Opcode ID: 34d58a229a9d938f480ead644e406e7d176661720d3636cce7c418d150a4e6b1
Instruction ID: 35a3d9326bb622937606b1e174b3452c872c58f77806c09f863d17f397a1977d
Opcode Fuzzy Hash: 34d58a229a9d938f480ead644e406e7d176661720d3636cce7c418d150a4e6b1
Instruction Fuzzy Hash: 32511D7290020AAACB11EFA1CD96EEF7778EF14310F14452AB516B71D1DF74AA06CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00DB2771 Relevance: 12.1, APIs: 8, Instructions: 134windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00DB27B4
BeginDeferWindowPos.USER32(00000008), ref: 00DB27CC
GetTopWindow.USER32(?), ref: 00DB27E1
GetDlgCtrlID.USER32(00000000), ref: 00DB27F0
SendMessageW.USER32(00000000,00000361,00000000,00000000), ref: 00DB2822
GetWindow.USER32(00000000,00000002), ref: 00DB282B
CopyRect.USER32(?,?), ref: 00DB2849
EndDeferWindowPos.USER32(00000000), ref: 00DB28C0

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Window$DeferRect$BeginClientCopyCtrlMessageSend
String ID:
API String ID: 1228040700-0
Opcode ID: c4dd2ea248bcb76e9e368c643e2d505d2438079b0377443fffe740942cf19c23
Instruction ID: 260914bfce43ed78a37b5a2f34c95704198bea59baf568f19b8c18b2cfa8ea5d
Opcode Fuzzy Hash: c4dd2ea248bcb76e9e368c643e2d505d2438079b0377443fffe740942cf19c23
Instruction Fuzzy Hash: 24513376900218DFCF11DFA9D8889EEBBB5FF48310F18456AE806BB250DB319945CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 00DE4143 Relevance: 12.1, APIs: 8, Instructions: 80windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00DE414A
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00DE4163
DestroyAcceleratorTable.USER32(?), ref: 00DE41A4
GetTopWindow.USER32(?), ref: 00DE41D9
GetWindow.USER32(?,00000002), ref: 00DE41F2
IsWindow.USER32(?), ref: 00DE4211
GetParent.USER32(?), ref: 00DE421C
DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,0000001C), ref: 00DE4228

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Window$Destroy$AcceleratorH_prolog3MessageParentSendTable
String ID:
API String ID: 271420684-0
Opcode ID: d86a2a2fbf2a1818ae441ae9952a08b71a271ef4a3ffc7490866ba4a88a106e5
Instruction ID: 0cbd1208c70c74fe4f2a38f33390457fce5d2ce18257216de76d22705d021abe
Opcode Fuzzy Hash: d86a2a2fbf2a1818ae441ae9952a08b71a271ef4a3ffc7490866ba4a88a106e5
Instruction Fuzzy Hash: EB31BF71A00609AFCB20AFA1D889AADBBB5FF08310F58112CF546B7251CB31AD52CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00DEEA64 Relevance: 12.1, APIs: 8, Instructions: 75keyboardCOMMON

Download Yara Rule

APIs

GetAsyncKeyState.USER32(00000012), ref: 00DEEA94
GetAsyncKeyState.USER32(00000012), ref: 00DEEAAE
_memset.LIBCMT ref: 00DEEACD
GetKeyboardState.USER32(?), ref: 00DEEADC
GetKeyboardLayout.USER32(?), ref: 00DEEAF3
MapVirtualKeyW.USER32(?,00000000), ref: 00DEEB0F
ToUnicodeEx.USER32(?,00000000), ref: 00DEEB17
CharUpperW.USER32(?), ref: 00DEEB24

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: State$AsyncKeyboard$CharLayoutUnicodeUpperVirtual_memset
String ID:
API String ID: 3224171628-0
Opcode ID: b23b31a37465a82a41e52f008af43575db93882bb91ac3e24ad9b9c11d425b96
Instruction ID: f973df4596a1e2b5d832d26e811a6f4713ec907769177c1bbdded374992d87b9
Opcode Fuzzy Hash: b23b31a37465a82a41e52f008af43575db93882bb91ac3e24ad9b9c11d425b96
Instruction Fuzzy Hash: C521807160010CEFDB10BB629C85FED77ACAB55708F084076F541E71C1EBB099899BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DA6568 Relevance: 12.1, APIs: 8, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 00DA657A
GetMenuItemCount.USER32(?), ref: 00DA6582
GetSubMenu.USER32(?,-00000001), ref: 00DA659F
GetMenuItemCount.USER32(00000000), ref: 00DA65AF
GetSubMenu.USER32(00000000,00000000), ref: 00DA65C0
RemoveMenu.USER32(00000000,00000000,00000400), ref: 00DA65DD
GetSubMenu.USER32(?,?), ref: 00DA65F7
RemoveMenu.USER32(?,?,00000400), ref: 00DA6615

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Menu$CountItem$Remove
String ID:
API String ID: 3494307843-0
Opcode ID: 8b48c65cef499619297bdc9749c54e5ea7342692fe1ce08f181c32a387865d25
Instruction ID: 3adc3bbadb480b8083c69a171a0e5352aecd95401faf1b8b871498c96cabf23a
Opcode Fuzzy Hash: 8b48c65cef499619297bdc9749c54e5ea7342692fe1ce08f181c32a387865d25
Instruction Fuzzy Hash: FD211571D0020DFFCF119FA4CD849AEBBB5FB05304F2848A2E911A6155D771EB91AFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00DBA1B6 Relevance: 12.1, APIs: 8, Instructions: 64COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000031), ref: 00DBA1CC
GetSystemMetrics.USER32(00000032), ref: 00DBA1D6
SetRectEmpty.USER32(00F18AA4), ref: 00DBA1E5
EnumDisplayMonitors.USER32(00000000,00000000,00DBA131,00F18AA4,?,?,?,00DAE2E4,?), ref: 00DBA1F5
SystemParametersInfoW.USER32(00000030,00000000,00F18AA4,00000000), ref: 00DBA210
SystemParametersInfoW.USER32(00001002,00000000,00F18AD0,00000000), ref: 00DBA230
SystemParametersInfoW.USER32(00001012,00000000,00F18AD4,00000000), ref: 00DBA248
SystemParametersInfoW.USER32 ref: 00DBA268

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: System$InfoParameters$Metrics$DisplayEmptyEnumMonitorsRect
String ID:
API String ID: 2614369430-0
Opcode ID: a32eba9bbb12f12370db02fc45da1ad619217d93e5c7cece5fcbb7bbe51d57c0
Instruction ID: 09674592a0ba3ef399ed0a92d2a109c23aae68424d1b5bb5d9fc4c3b0f347826
Opcode Fuzzy Hash: a32eba9bbb12f12370db02fc45da1ad619217d93e5c7cece5fcbb7bbe51d57c0
Instruction Fuzzy Hash: 24111CB1500744AFE3318B668C49EE7BAFCEFCAB00F04492EF69A86140D7B16945CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00DA6796 Relevance: 12.1, APIs: 8, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

GlobalSize.KERNEL32(?), ref: 00DA67A7
GlobalAlloc.KERNEL32(00002002,00000000), ref: 00DA67B9
GlobalSize.KERNEL32(?), ref: 00DA67CA
GlobalLock.KERNEL32(?), ref: 00DA67DB
GlobalLock.KERNEL32(?), ref: 00DA67E1
GlobalSize.KERNEL32(?), ref: 00DA67EC
GlobalUnlock.KERNEL32(?), ref: 00DA67FF
GlobalUnlock.KERNEL32(?), ref: 00DA6804

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Global$Size$LockUnlock$Alloc
String ID:
API String ID: 2344174106-0
Opcode ID: ecd8d21dd2c2b3f2b0cb70f1c1d253d48876155dcc1861dd0878b4112e1e0d22
Instruction ID: 5caf1cec50a821661a91c698e0e63de75b60116c8d006f0d0c671d38b829678c
Opcode Fuzzy Hash: ecd8d21dd2c2b3f2b0cb70f1c1d253d48876155dcc1861dd0878b4112e1e0d22
Instruction Fuzzy Hash: C6017C71900268FFEB11AFAA8C88C5E7F6CEF452A87194436FD04A3211EA71DD15DAA0

Uniqueness

Uniqueness Score: -1.00%

Function 0348302E Relevance: 10.9, APIs: 1, Strings: 5, Instructions: 433COMMON

Download Yara Rule

Strings

input ack: sn=%lu rtt=%ld rto=%ld, xrefs: 03483245
input wins: %lu, xrefs: 034833BB
[RI] %d bytes, xrefs: 0348305C
input psh: sn=%lu ts=%lu, xrefs: 0348327F
input probe, xrefs: 03483386

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID:
String ID: [RI] %d bytes$input ack: sn=%lu rtt=%ld rto=%ld$input probe$input psh: sn=%lu ts=%lu$input wins: %lu
API String ID: 0-868042568
Opcode ID: ad6a371caeb5fe6a0d781c113e85c3910183f07573b48ef4d5b0182f3a46c66a
Instruction ID: d5e99f55563c6e20617f559c2c799c4a2542da72e8bb78ca08d4b887de1b84db
Opcode Fuzzy Hash: ad6a371caeb5fe6a0d781c113e85c3910183f07573b48ef4d5b0182f3a46c66a
Instruction Fuzzy Hash: CF020879904208AFCB05EF59D850AED7BB1FF08760F14805AF815AF291DB32EA91CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00DF632D Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 258keyboardCOMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 00DF6359
GetKeyState.USER32(00000011), ref: 00DF6361
IsRectEmpty.USER32(?), ref: 00DF63BE
GetWindowRect.USER32(?,?), ref: 00DF653B

Strings

px, xrefs: 00DF64D2
X', xrefs: 00DF637E, 00DF6383, 00DF63E3, 00DF643F, 00DF644C, 00DF64B2, 00DF64BF

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Rect$Empty$StateWindow
String ID: X'$px
API String ID: 2684165152-282588210
Opcode ID: d2286a532b1fcdd98d0820ef32f2647fc2c56e0c5c38eb5013ff357ba1f898b3
Instruction ID: d65770c982ad3a22d1ed9a7af03b5575ac9b9a62d59dc1c30581f91ee74f426d
Opcode Fuzzy Hash: d2286a532b1fcdd98d0820ef32f2647fc2c56e0c5c38eb5013ff357ba1f898b3
Instruction Fuzzy Hash: C6916A31A002099FCF159FA4C845AFE7BB6FF48310F198169FA06AB295DB74D941CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 03492E2D Relevance: 10.7, APIs: 7, Instructions: 207registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,034CF400,00000000,000F003F,00000000,C463F85C,?,?,?,?,?,?,?,?,?,?), ref: 03492E6E
RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 03492EAC
_memset.LIBCMT ref: 03492F2C
_memset.LIBCMT ref: 03492F43
RegEnumValueW.ADVAPI32(00000000,00000000,034CF400,034904F2,00000000,00000000,?,?), ref: 03492F65

Part of subcall function 0349FB22: _malloc.LIBCMT ref: 0349FB3C

Part of subcall function 0349FB22: std::exception::exception.LIBCMT ref: 0349FB71
Part of subcall function 0349FB22: std::exception::exception.LIBCMT ref: 0349FB8B
Part of subcall function 0349FB22: __CxxThrowException@8.LIBCMT ref: 0349FB9C

_memmove.LIBCMT ref: 03492FFE
RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,034B8C27), ref: 03493099

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: _memsetstd::exception::exception$CloseEnumException@8InfoOpenQueryThrowValue_malloc_memmove
String ID:
API String ID: 1346252173-0
Opcode ID: ace9ed196df0eace3eae5197504af9ec82541111b0256457d5d962834a855af1
Instruction ID: 8805e7c2e21944b4ea3d85494cab21adfe02a37418b423b71c7f28ec8f3474e3
Opcode Fuzzy Hash: ace9ed196df0eace3eae5197504af9ec82541111b0256457d5d962834a855af1
Instruction Fuzzy Hash: A681AD75E00208EFDF04DFA8D885BEDBBB5FB08310F14402AE915BB291DB75A945CB58

Uniqueness

Uniqueness Score: -1.00%

Function 03490191 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 195sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 03488BD2: GetLocalTime.KERNEL32(?), ref: 03488BE6
Part of subcall function 03488BD2: wsprintfW.USER32 ref: 03488C42

_memset.LIBCMT ref: 034901E4
_memset.LIBCMT ref: 034901F7

Part of subcall function 0348AF98: lstrlenW.KERNEL32(00000000), ref: 0348AFA7
Part of subcall function 0348AF98: _memset.LIBCMT ref: 0348AFB7
Part of subcall function 0348AF98: lstrlenW.KERNEL32(?), ref: 0348AFC2
Part of subcall function 0348AF98: lstrlenW.KERNEL32(?), ref: 0348AFCE
Part of subcall function 0348AF98: _memmove.LIBCMT ref: 0348B077

Sleep.KERNEL32(000003E8,00000000,00000001,00000000), ref: 034903E9

Strings

o1:, xrefs: 03490227
p1:, xrefs: 03490208
t1:, xrefs: 03490243

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: _memsetlstrlen$LocalSleepTime_memmovewsprintf
String ID: o1:$p1:$t1:
API String ID: 1534246781-1570741781
Opcode ID: a9fd2298297ef86b8f836527b5cd8ac15ee3dcae642e119973c3b90f840931fe
Instruction ID: f5eb7e9b61b33d305c475d153cf2b8189cfd9a4b6febaee566a402294fdcad38
Opcode Fuzzy Hash: a9fd2298297ef86b8f836527b5cd8ac15ee3dcae642e119973c3b90f840931fe
Instruction Fuzzy Hash: 0D812875D002199FEF20EBA8CD45BAEB7B8FB04310F14419BE459AA290DB709E85CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00DF8DE7 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 187COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00DF8DF1

Part of subcall function 00E3657B: __EH_prolog3.LIBCMT ref: 00E36582

_free.LIBCMT ref: 00DF8FE6

Part of subcall function 00DA6451: __CxxThrowException@8.LIBCMT ref: 00DA6467
Part of subcall function 00DA6451: __EH_prolog3.LIBCMT ref: 00DA6474

Strings

px, xrefs: 00DF8E68
DockingPaneAndPaneDividers, xrefs: 00DF8FD8
X', xrefs: 00DF8F1A
%sDockingManager-%d, xrefs: 00DF8E3A

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: H_prolog3$Exception@8H_prolog3_catchThrow_free
String ID: %sDockingManager-%d$DockingPaneAndPaneDividers$X'$px
API String ID: 211500954-1970218059
Opcode ID: 860739e5eb104b40ad64c9c2bee6a1d5a6b2c4b17d89a5dc385bbb289ece68e6
Instruction ID: 0d0971ff2d7f295ae495bfdec2e4313504393442f3eb84cc3d6e0863ce95b632
Opcode Fuzzy Hash: 860739e5eb104b40ad64c9c2bee6a1d5a6b2c4b17d89a5dc385bbb289ece68e6
Instruction Fuzzy Hash: 1C61DE30A00249DFCF15EBA4C845BADBBB1AF45320F198258F9157B296CF709E00DB72

Uniqueness

Uniqueness Score: -1.00%

Function 00DE2C51 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 175libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00DE2C58
GetModuleHandleW.KERNEL32(DWMAPI), ref: 00DE2DC4
GetProcAddress.KERNEL32(00000000,DwmSetWindowAttribute), ref: 00DE2DD4

Strings

AFX_SUPERBAR_TAB, xrefs: 00DE2C94
DwmSetWindowAttribute, xrefs: 00DE2DCE
DWMAPI, xrefs: 00DE2DB8

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: AddressH_prolog3_HandleModuleProc
String ID: AFX_SUPERBAR_TAB$DWMAPI$DwmSetWindowAttribute
API String ID: 2418878492-136793874
Opcode ID: 71a60c862aea6672a08f9e99360fc33eb3a8eb83234fb751e4e51a18dea7df99
Instruction ID: 83109e230123f7bc2b04c6984490878e3d31e178a083e50d65dc075e2ef17077
Opcode Fuzzy Hash: 71a60c862aea6672a08f9e99360fc33eb3a8eb83234fb751e4e51a18dea7df99
Instruction Fuzzy Hash: AD516CB07006459BDB14ABA6CC91FBE77ADEF48700F180129FA46A7281DBB4DD01CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 00E84C18 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 151COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00E84C1F

Part of subcall function 00E84B90: OleGetClipboard.OLE32(?), ref: 00E84BA8

ReleaseStgMedium.OLE32(?), ref: 00E84C94
ReleaseStgMedium.OLE32(?), ref: 00E84CD9
CoTaskMemFree.OLE32(?), ref: 00E84D81
ReleaseStgMedium.OLE32(?), ref: 00E84CF9

Part of subcall function 00DA6304: _malloc.LIBCMT ref: 00DA6322

Strings

', xrefs: 00E84C5B

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: MediumRelease$ClipboardFreeH_prolog3_catchTask_malloc
String ID: '
API String ID: 3930503942-1997036262
Opcode ID: 20537b07a62f7cca5d94f0338ba043fd783e00e5eda9acbe8b6d66b1bb7c2281
Instruction ID: 11bcfc3429958d01c4b3fa168f0f44dd054b2f8d322bdd523bb6b5ef15b65c02
Opcode Fuzzy Hash: 20537b07a62f7cca5d94f0338ba043fd783e00e5eda9acbe8b6d66b1bb7c2281
Instruction Fuzzy Hash: 95517DB190010AEEDF11EFA4C985AECBBF8EF08304F24542AF50DBB1D1DA759E449B61

Uniqueness

Uniqueness Score: -1.00%

Function 00DBE619 Relevance: 10.6, APIs: 7, Instructions: 147memorywindowthreadCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00DBE620
SendMessageW.USER32(?,00000138,?,?), ref: 00DBE69C
GetBkColor.GDI32(?), ref: 00DBE6A5
GetTextColor.GDI32(?), ref: 00DBE6B1
GetThreadLocale.KERNEL32 ref: 00DBE747
SysAllocStringLen.OLEAUT32(?,?), ref: 00DBE777
SysAllocStringLen.OLEAUT32(?,?), ref: 00DBE7D4

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: AllocColorString$H_prolog3LocaleMessageSendTextThread
String ID:
API String ID: 4082463931-0
Opcode ID: e8250bd31506fda58b16a7bd3b541cedb7227cdb6e2216f278538724d2d87de6
Instruction ID: 39c41d75bf36e75f332637e24bb1f8cd9a3164d70a967127e447d567948d30b4
Opcode Fuzzy Hash: e8250bd31506fda58b16a7bd3b541cedb7227cdb6e2216f278538724d2d87de6
Instruction Fuzzy Hash: E3518C32500709EFCB24DF64C805AEAB3A4FF19310F248929F5979B2A1DB70E801DB71

Uniqueness

Uniqueness Score: -1.00%

Function 00E20C9F Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 134COMMON

Download Yara Rule

APIs

MonitorFromPoint.USER32(?,?,00000002), ref: 00E20D81
GetMonitorInfoW.USER32(00000000), ref: 00E20D88
CopyRect.USER32(?,?), ref: 00E20D9A
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00E20DAA
IntersectRect.USER32(?,?,?), ref: 00E20DDD

Strings

(, xrefs: 00E20D7A

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: InfoMonitorRect$CopyFromIntersectParametersPointSystem
String ID: (
API String ID: 2931574886-3887548279
Opcode ID: 52a54c06f1d74e529ab687e66fdf13b4d29693b73c8042363bf663f649363940
Instruction ID: 7a5bac945e923a545967697f678ce21460b2be0d164cae71ae1f9a1f3f1b95fb
Opcode Fuzzy Hash: 52a54c06f1d74e529ab687e66fdf13b4d29693b73c8042363bf663f649363940
Instruction Fuzzy Hash: 9351F7B19012199FCB20CF99D988AEEFBF9FF58304B14452AE416F7251D770AA05CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00DA6ED6 Relevance: 10.6, APIs: 7, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 00DB70BB
SendMessageW.USER32(?,00000365,00000000,00000000), ref: 00DB70D6
GetFocus.USER32 ref: 00DB70EB
SendMessageW.USER32(?,00000365,00000000,00000000), ref: 00DB70F9
GetLastActivePopup.USER32(?), ref: 00DB7122
SendMessageW.USER32(?,00000365,00000000,00000000), ref: 00DB712F
SendMessageW.USER32(?,00000111,0000E147,00000000), ref: 00DB7155

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: MessageSend$ActiveCaptureFocusLastPopup
String ID:
API String ID: 3219385341-0
Opcode ID: 1476a192814c65fda88e4bdc79ccb62c5a3a1e01cd170507e2dbbbec5c8610a4
Instruction ID: 19338b1f42881ca197c904bf95d3c377afb0c11d451bc8c3505db7fd95517f1b
Opcode Fuzzy Hash: 1476a192814c65fda88e4bdc79ccb62c5a3a1e01cd170507e2dbbbec5c8610a4
Instruction Fuzzy Hash: 21317075A04215EFDF21AB65CC45DEE7B79EF85384F284075F946A7220DB31CE019AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00DF867F Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 113windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00DF86BE
ShowWindow.USER32(00000000,00000004), ref: 00DF86F0
IsWindow.USER32(?), ref: 00DF8735
IsWindowVisible.USER32(?), ref: 00DF8740
ShowWindow.USER32(?,00000000), ref: 00DF877B

Strings

X', xrefs: 00DF86CF, 00DF8751

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Window$Show$Visible
String ID: X'
API String ID: 2757229004-2274823755
Opcode ID: 685dbbc7911e1df19bce48f1a76e284cdb64eacb4a5682c22adf9e08bad4586d
Instruction ID: e79c143477e38d28e7349a646a3d3f4f3e772bf6c793f7ab0857fdef967f5b33
Opcode Fuzzy Hash: 685dbbc7911e1df19bce48f1a76e284cdb64eacb4a5682c22adf9e08bad4586d
Instruction Fuzzy Hash: 8531A232200209ABD724AF65CC45BBB77A8EF45750F298039EA46AB151EF70DC41DA72

Uniqueness

Uniqueness Score: -1.00%

Function 00DE2151 Relevance: 10.6, APIs: 7, Instructions: 111COMMON

Download Yara Rule

APIs

Part of subcall function 00DE20BE: _malloc.LIBCMT ref: 00DE20D1

_free.LIBCMT ref: 00DE217A
_memset.LIBCMT ref: 00DE2193
_memset.LIBCMT ref: 00DE21CD
_memcpy_s.LIBCMT ref: 00DE21E7

Part of subcall function 00DA57FA: __CxxThrowException@8.LIBCMT ref: 00DA6467
Part of subcall function 00DA57FA: __EH_prolog3.LIBCMT ref: 00DA6474

CreateDIBSection.GDI32(00000000,00000000,00000000,00000008,00000000,00000000), ref: 00DE2200
_free.LIBCMT ref: 00DE2212
_free.LIBCMT ref: 00DE2245

Part of subcall function 00EA4D52: HeapFree.KERNEL32(00000000,00000000,?,00EAD74D,00000000,?,?,?,?,?,?,00EA6776,00F1DADC,00DA49A6,?,00000000), ref: 00EA4D68
Part of subcall function 00EA4D52: GetLastError.KERNEL32(00000000,?,00EAD74D,00000000,?,?,?,?,?,?,00EA6776,00F1DADC,00DA49A6,?,00000000), ref: 00EA4D7A

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: _free$_memset$CreateErrorException@8FreeH_prolog3HeapLastSectionThrow_malloc_memcpy_s
String ID:
API String ID: 3135816610-0
Opcode ID: e4925ad09249e52deaa6dc776086047f401d274d5415d16311f706346693ab97
Instruction ID: df3cbb7d6019e925a3858438620c10d87894c2550d37a49a89a3e2bdd4eb1042
Opcode Fuzzy Hash: e4925ad09249e52deaa6dc776086047f401d274d5415d16311f706346693ab97
Instruction Fuzzy Hash: 4C31E272900755ABEB20AF66CC41B7B77ACEF16324F144929FA95E7240DA70EE0087B4

Uniqueness

Uniqueness Score: -1.00%

Function 00E95064 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00E9506B
RedrawWindow.USER32(?,00000000,00000000,00000105,0000005C,00E9532F,?,00E95468,?,?,?,00E52E62,00000004,?,00000001,?), ref: 00E95090
GetClientRect.USER32(?,?), ref: 00E950AE
CreateCompatibleDC.GDI32(hT), ref: 00E95116
UpdateLayeredWindow.USER32(?,00000000,00000000,?,?,?,00000000,?,00000002), ref: 00E95176

Strings

hT, xrefs: 00E9510F

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Window$ClientCompatibleCreateH_prolog3_LayeredRectRedrawUpdate
String ID: hT
API String ID: 2227077885-1597815231
Opcode ID: a73ff816963b460955336515d3bfc8d012f8ab46485d9aab7cb54260ae85027c
Instruction ID: d8cb36ef059e432a36e3a6178ff6fba9f12782b98fad7821e44ff960cb200ec5
Opcode Fuzzy Hash: a73ff816963b460955336515d3bfc8d012f8ab46485d9aab7cb54260ae85027c
Instruction Fuzzy Hash: 3A410272C01618AFCF01EFE4C985ADEBBB9EF09310F10815AF915B6256DB715A06CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DB213F Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 110windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DB21D8
SendMessageW.USER32(00000000,00000433,00000000,?), ref: 00DB2201
GetWindowLongW.USER32(?,000000FC), ref: 00DB2213
GetWindowLongW.USER32(?,000000FC), ref: 00DB2224
SetWindowLongW.USER32(?,000000FC,?), ref: 00DB2240

Strings

,, xrefs: 00DB21F7

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: LongWindow$MessageSend_memset
String ID: ,
API String ID: 2997958587-3772416878
Opcode ID: 13c3c766762141c73f67b78d1b5f6ad0913f99b6052b3ac218a34fb375511ef3
Instruction ID: 63594309f46e38964cb3743920ffb78f422c243bdb4f88cf57b0bfa4a237726a
Opcode Fuzzy Hash: 13c3c766762141c73f67b78d1b5f6ad0913f99b6052b3ac218a34fb375511ef3
Instruction Fuzzy Hash: 39415F72600305EFDB20AF78C984AAAB7E5BF49710B19062DF5939B691DB30E905CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00DD0A12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(?,00007904), ref: 00DD0A4D
LoadCursorW.USER32(?,00007905), ref: 00DD0A6F
LoadCursorW.USER32(00000000,00007F86), ref: 00DD0A89
CreatePen.GDI32(00000000,00000001), ref: 00DD0AF7

Strings

dx, xrefs: 00DD0B47

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: CursorLoad$Create
String ID: dx
API String ID: 1516763891-1881687096
Opcode ID: 859d54ac868c46ac381d2ee2ea5b9efc093bf5ec1f5e16893c29f86cb331f9f1
Instruction ID: d5b4478eb1001b38522647e215aca438c645e0a93cbf015f53948ab4d310728f
Opcode Fuzzy Hash: 859d54ac868c46ac381d2ee2ea5b9efc093bf5ec1f5e16893c29f86cb331f9f1
Instruction Fuzzy Hash: 7A31D072611304AFD7207BB09C89EEE77A9EF95324F19993FF10297292DE349841DA31

Uniqueness

Uniqueness Score: -1.00%

Function 00DDD090 Relevance: 10.6, APIs: 7, Instructions: 101windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00DDD097
GetDesktopWindow.USER32 ref: 00DDD0DF
GetWindow.USER32(00000000), ref: 00DDD0E6
IsWindowEnabled.USER32(00000000), ref: 00DDD0F7
SendMessageW.USER32(00000000,0000036C,00000000,00000000), ref: 00DDD123
EnableWindow.USER32(00000000,00000000), ref: 00DDD12F
GetWindow.USER32(00000000,00000002), ref: 00DDD145

Part of subcall function 00DA6451: __CxxThrowException@8.LIBCMT ref: 00DA6467
Part of subcall function 00DA6451: __EH_prolog3.LIBCMT ref: 00DA6474

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Window$H_prolog3$DesktopEnableEnabledException@8MessageSendThrow
String ID:
API String ID: 2907971239-0
Opcode ID: 6b29f4147a0771076e4e3adcbb2bfa1effb9dbbf2a56b3f32854c3a099868903
Instruction ID: 9c026b655c7929e8ad55103434fa3406fb2258b512cdaa6b408f4b7cce215cb8
Opcode Fuzzy Hash: 6b29f4147a0771076e4e3adcbb2bfa1effb9dbbf2a56b3f32854c3a099868903
Instruction Fuzzy Hash: F831A3729002059FDF14AFB48D8AABE7AB9FB49304F59453EE102B7291DB359D46CB30

Uniqueness

Uniqueness Score: -1.00%

Function 00DD0FC3 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 92windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00DD1040
ScreenToClient.USER32(?,?), ref: 00DD104D
_memset.LIBCMT ref: 00DD105B
_free.LIBCMT ref: 00DD1098
SendMessageW.USER32(?,00000030,0C0A0E94,00000000), ref: 00DD10BA

Strings

,, xrefs: 00DD1071

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: ClientCursorMessageScreenSend_free_memset
String ID: ,
API String ID: 628317799-3772416878
Opcode ID: 3083e0ba4daef39cf41238438c4e28f8ae9d197db188df8bc84ddd8376bfeb1d
Instruction ID: 7180653b2de58f28d1866d912a63167c54f8bc6612bfe04598204b5f56c16d52
Opcode Fuzzy Hash: 3083e0ba4daef39cf41238438c4e28f8ae9d197db188df8bc84ddd8376bfeb1d
Instruction Fuzzy Hash: E7318075A00209AFCB18EB64EC45FAD77F5FB48311F14052AF415E62A1DB709845CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00DE296C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 90libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00DE2018: IsIconic.USER32(?), ref: 00DE2038

GetWindowRect.USER32(?,?), ref: 00DE29E4

Part of subcall function 00DAB6D8: ScreenToClient.USER32(?,?), ref: 00DAB6E9
Part of subcall function 00DAB6D8: ScreenToClient.USER32(?,?), ref: 00DAB6F6

Part of subcall function 00DE25DC: __EH_prolog3_GS.LIBCMT ref: 00DE25E6
Part of subcall function 00DE25DC: GetWindowRect.USER32(?,?), ref: 00DE2635
Part of subcall function 00DE25DC: OffsetRect.USER32(?,?,?), ref: 00DE264B
Part of subcall function 00DE25DC: CreateCompatibleDC.GDI32(?), ref: 00DE26BC
Part of subcall function 00DE25DC: SelectObject.GDI32(?,?), ref: 00DE26DC

GetModuleHandleW.KERNEL32(DWMAPI), ref: 00DE2A1C
GetProcAddress.KERNEL32(00000000,DwmSetIconicLivePreviewBitmap), ref: 00DE2A2C
DeleteObject.GDI32(00000000), ref: 00DE2A43

Strings

DWMAPI, xrefs: 00DE2A17
DwmSetIconicLivePreviewBitmap, xrefs: 00DE2A26

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Rect$ClientObjectScreenWindow$AddressCompatibleCreateDeleteH_prolog3_HandleIconicModuleOffsetProcSelect
String ID: DWMAPI$DwmSetIconicLivePreviewBitmap
API String ID: 3205686482-239049650
Opcode ID: 8d8ca34a0bc6edabb1a072fa1528a98dedbf580d1510057ec553b6d285a9c0af
Instruction ID: 4bc1fcf72ee7d3c1614a5657d04c2e83841030d37a47f53d289bc55c4908f30a
Opcode Fuzzy Hash: 8d8ca34a0bc6edabb1a072fa1528a98dedbf580d1510057ec553b6d285a9c0af
Instruction Fuzzy Hash: F5314171A002099FCB14EFA9D995CBEFBF9FF88304B14456AE016E3251DA749D05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00DDD1C2 Relevance: 10.6, APIs: 7, Instructions: 80windowthreadCOMMON

Download Yara Rule

APIs

SetFocus.USER32(00000000,00000000), ref: 00DDD1E2
GetParent.USER32(?), ref: 00DDD1F0
GetWindowThreadProcessId.USER32(?,?), ref: 00DDD20B
GetCurrentProcessId.KERNEL32 ref: 00DDD211
GetActiveWindow.USER32 ref: 00DDD264
SendMessageW.USER32(?,00000006,00000001,00000000), ref: 00DDD278
SendMessageW.USER32(?,00000086,00000001,00000000), ref: 00DDD28C

Part of subcall function 00DB5BBF: EnableWindow.USER32(?,?), ref: 00DB5BD0

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Window$MessageProcessSend$ActiveCurrentEnableFocusParentThread
String ID:
API String ID: 2169720751-0
Opcode ID: c37d3a26d8fb00e0e272cd93a7f188f91c78d6e5e3511f72f645acddb5fcf923
Instruction ID: b52d6ccc1a8d8d513c1bd21799bcbc11199c70f908385fd53fc240d78f51ab5f
Opcode Fuzzy Hash: c37d3a26d8fb00e0e272cd93a7f188f91c78d6e5e3511f72f645acddb5fcf923
Instruction Fuzzy Hash: CB219171200704AFCF319F65DCC8F5A7BA6FF44764F28412AF586962A0C772E8858B64

Uniqueness

Uniqueness Score: -1.00%

Function 00DB2316 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 79libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00DB231D
GetProcAddress.KERNEL32(00000000,GetTouchInputInfo), ref: 00DB2382
GetProcAddress.KERNEL32(CloseTouchInputHandle,00000000), ref: 00DB23A4

Part of subcall function 00DA7416: ActivateActCtx.KERNEL32(?,?,00EFE768,00000010), ref: 00DA7436

Strings

CloseTouchInputHandle, xrefs: 00DB2399
user32.dll, xrefs: 00DB2344
GetTouchInputInfo, xrefs: 00DB237C

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: AddressProc$ActivateH_prolog3
String ID: CloseTouchInputHandle$GetTouchInputInfo$user32.dll
API String ID: 1001276555-1853737257
Opcode ID: 5c0848648652ea5373cf491d25fe73306a64cf6e46db31aa3119d246e7657161
Instruction ID: ffe51d8a982a5580a3df9ec77267ade4e4e0b5c35f56d364b360e0ae538d7d74
Opcode Fuzzy Hash: 5c0848648652ea5373cf491d25fe73306a64cf6e46db31aa3119d246e7657161
Instruction Fuzzy Hash: 1A21D632200318DAD7259B249E8ABF93EE4EB157B0F5D802CEC06961E4CF75C842E720

Uniqueness

Uniqueness Score: -1.00%

Function 00DD4104 Relevance: 10.6, APIs: 7, Instructions: 73windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000407,00000000,?), ref: 00DD4130
IsRectEmpty.USER32(?), ref: 00DD414F
IsRectEmpty.USER32(?), ref: 00DD415C
GetCursorPos.USER32(00000000), ref: 00DD416E
ScreenToClient.USER32(?,00000000), ref: 00DD417B
PtInRect.USER32(?,00000000,00000000), ref: 00DD418E
PtInRect.USER32(?,00000000,00000000), ref: 00DD41A1

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Rect$Empty$ClientCursorMessageScreenSend
String ID:
API String ID: 703117857-0
Opcode ID: a17a3427828df2badcd7cea59d4b0fd3c9d4284145b60999e3a046972b5674b1
Instruction ID: f068e741e785ed914ce6de03976e8246cc31deaf8879bded2818028658c87c12
Opcode Fuzzy Hash: a17a3427828df2badcd7cea59d4b0fd3c9d4284145b60999e3a046972b5674b1
Instruction Fuzzy Hash: A0217176500209BFDF219BA1CC08EEE7BF9EF54394F084536E545A2251D732EA86DB70

Uniqueness

Uniqueness Score: -1.00%

Function 00E0E7F2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,00000000), ref: 00E0E818

Part of subcall function 00DB77C2: DeleteObject.GDI32(00000000), ref: 00DB77DB

SelectObject.GDI32(?,00000000), ref: 00E0E82E
DeleteObject.GDI32(00000000), ref: 00E0E899
DeleteDC.GDI32(00000000), ref: 00E0E8A8
LeaveCriticalSection.KERNEL32(00F1A600), ref: 00E0E8C1

Strings

, xrefs: 00E0E849

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Object$Delete$Select$CriticalLeaveSection
String ID:
API String ID: 3849354926-3916222277
Opcode ID: ca8430d602f02286972b2b327a35b1962d03037a7844d36735a772bb1061e981
Instruction ID: 068b1f48e2499c699f56f95438d8cb793b2822258d523a8bd11ec602d4611d80
Opcode Fuzzy Hash: ca8430d602f02286972b2b327a35b1962d03037a7844d36735a772bb1061e981
Instruction Fuzzy Hash: 5921CF71900208DFCF05EF65DC84999BBB6FF85314B088576E904AB2A6CB71D882DF61

Uniqueness

Uniqueness Score: -1.00%

Function 00DA4B1D Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 71windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00DA4B27
InitCommonControlsEx.COMCTL32(?,?,?,?,?,000000C8), ref: 00DA4B40

Part of subcall function 00DA7EFF: __EH_prolog3.LIBCMT ref: 00DA7F06
Part of subcall function 00DA7EFF: InterlockedExchange.KERNEL32(00F1CF48,?), ref: 00DA7F3E

GetCommandLineA.KERNEL32(00000005,?,?,?,?,?,000000C8), ref: 00DA4B58
GetModuleHandleW.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,000000C8), ref: 00DA4B61

Part of subcall function 00DA4A86: CreateMutexW.KERNEL32(00000000,00000001,MyUniqueMutexName), ref: 00DA4A91
Part of subcall function 00DA4A86: GetLastError.KERNEL32 ref: 00DA4A9C
Part of subcall function 00DA4A86: CloseHandle.KERNEL32 ref: 00DA4AAF

Part of subcall function 00DA6304: _malloc.LIBCMT ref: 00DA6322

LoadIconW.USER32(?,00000080), ref: 00DA4BCD

Part of subcall function 00DA95CF: SHGetMalloc.SHELL32(00000004), ref: 00DA95F6

Strings

,I, xrefs: 00DA4BD6

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: H_prolog3Handle$CloseCommandCommonControlsCreateErrorExchangeIconInitInterlockedLastLineLoadMallocModuleMutex_malloc
String ID: ,I
API String ID: 2051022832-1346160756
Opcode ID: b5f68791f0f37d757162b1e2842e56d512cc84d2a91c7d1fa83a8b6cfebfc633
Instruction ID: b8f427d719ef922a4fb4808ae7a3ad82bc774a5d4014bb4a93eccf58905112ca
Opcode Fuzzy Hash: b5f68791f0f37d757162b1e2842e56d512cc84d2a91c7d1fa83a8b6cfebfc633
Instruction Fuzzy Hash: 72218371A00205AFDB50EBF58D4AB6EB6B8EF86310F144569F115A72C1DFB48A068B31

Uniqueness

Uniqueness Score: -1.00%

Function 00DB8AFF Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 60libraryloadertimeCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00DB8B06
SetTimer.USER32(00000000,?,00000000), ref: 00DB8BA9

Part of subcall function 00DA7416: ActivateActCtx.KERNEL32(?,?,00EFE768,00000010), ref: 00DA7436

GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00DB8B3B

Part of subcall function 00DA6156: __EH_prolog3.LIBCMT ref: 00DA615D

CoTaskMemFree.OLE32(?), ref: 00DB8B86

Strings

SHELL32.DLL, xrefs: 00DB8B1F
SHGetKnownFolderPath, xrefs: 00DB8B35

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: H_prolog3$ActivateAddressFreeProcTaskTimer
String ID: SHELL32.DLL$SHGetKnownFolderPath
API String ID: 3676277837-4069204515
Opcode ID: 654d11640771d7621eae547fc6ac6d3979ac5baa5762312840c099ec6e5f96a8
Instruction ID: ce4dca5d1b10946791da8f4d975d02c815eee196a04708c36984bf79d8b3a499
Opcode Fuzzy Hash: 654d11640771d7621eae547fc6ac6d3979ac5baa5762312840c099ec6e5f96a8
Instruction Fuzzy Hash: E0116DB090020ADFCB249FB4CD85EBEBBB5FF04304F18096DE662A71A1CB718944DB65

Uniqueness

Uniqueness Score: -1.00%

Function 00DA7186 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 00DA7198
GetProcAddress.KERNEL32(00000000,ApplicationRecoveryInProgress), ref: 00DA71B5
GetProcAddress.KERNEL32(00000000,ApplicationRecoveryFinished), ref: 00DA71BF

Part of subcall function 00DA6451: __CxxThrowException@8.LIBCMT ref: 00DA6467
Part of subcall function 00DA6451: __EH_prolog3.LIBCMT ref: 00DA6474

Strings

ApplicationRecoveryInProgress, xrefs: 00DA71AF
ApplicationRecoveryFinished, xrefs: 00DA71B7
KERNEL32.DLL, xrefs: 00DA7190

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: AddressProc$Exception@8H_prolog3HandleModuleThrow
String ID: ApplicationRecoveryFinished$ApplicationRecoveryInProgress$KERNEL32.DLL
API String ID: 417325364-4287352451
Opcode ID: dcfc31a2990444d63bb1e0f3c3359e23541f1cefe47710fd9a2f55c20671364b
Instruction ID: 62408ee05800a556d24a415d6937abc3e9d1fcbc1a4bd6261e158b2d979f97ad
Opcode Fuzzy Hash: dcfc31a2990444d63bb1e0f3c3359e23541f1cefe47710fd9a2f55c20671364b
Instruction Fuzzy Hash: B201B532A0031AAFD71097B58D49E6F76F8EF86721F191079E901E3210EB75CD0186B0

Uniqueness

Uniqueness Score: -1.00%

Function 00DB699E Relevance: 10.6, APIs: 7, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32(?), ref: 00DB69A5
__CxxThrowException@8.LIBCMT ref: 00DB69AF

Part of subcall function 00EA5A1B: KiUserExceptionDispatcher.NTDLL(00000004,00DA4426,80004005,00000001,00000004,00DA4426,8007000E,00DA4FD0,80004005,00000001,00DA5105), ref: 00EA5A5D

LocalReAlloc.KERNEL32(?,00000000,00000002,00000000,00000010,?,?,00000000,?,00000004,00DAEC17,00DA646D,00DA7D07,00000414,00DA44F4), ref: 00DB69C6
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,00DAEC17,00DA646D,00DA7D07,00000414,00DA44F4), ref: 00DB69D3

Part of subcall function 00DA6419: __CxxThrowException@8.LIBCMT ref: 00DA642F

_memset.LIBCMT ref: 00DB69F2
TlsSetValue.KERNEL32(?,00000000), ref: 00DB6A03
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,00DAEC17,00DA646D,00DA7D07,00000414,00DA44F4), ref: 00DB6A24

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: CriticalLeaveSection$Exception@8Throw$AllocDispatcherExceptionLocalUserValue_memset
String ID:
API String ID: 814762356-0
Opcode ID: df5c6bef07e2263295f6a991b6e28701973454b5d9ff44c7260cb0d2f487f280
Instruction ID: 2690d2725c56cd69e52c661d53d9c7b8e657478495347be1d6f5782540224e47
Opcode Fuzzy Hash: df5c6bef07e2263295f6a991b6e28701973454b5d9ff44c7260cb0d2f487f280
Instruction Fuzzy Hash: F5118BB0100609EFDB14AF60DC89C6ABBAAFF45318714C439F856A7561CB31EC64CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0349C950 Relevance: 10.5, APIs: 7, Instructions: 41filesynchronizationstringCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(000000FF,?,?,?,0349CAC2,?), ref: 0349C95D
CreateFileW.KERNEL32(034CF840,40000000,00000002,00000000,00000004,00000002,00000000,?,?,?,0349CAC2,?), ref: 0349C977
SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002), ref: 0349C995
lstrlenW.KERNEL32(000000FF,00000000,00000000), ref: 0349C9A4
WriteFile.KERNEL32(000000FF,000000FF,00000000), ref: 0349C9B3
CloseHandle.KERNEL32(000000FF), ref: 0349C9BC
ReleaseMutex.KERNEL32 ref: 0349C9C8

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: File$CloseCreateHandleMutexObjectPointerReleaseSingleWaitWritelstrlen
String ID:
API String ID: 4202892810-0
Opcode ID: 8fc06b724f8187f0d23a2ab8b193fc0f8fd80fb67c3e34241b854de4cdff103c
Instruction ID: 6d89c33838753ae5b79d90550cb6ab7967bbd29c619f4087578999e84404fea0
Opcode Fuzzy Hash: 8fc06b724f8187f0d23a2ab8b193fc0f8fd80fb67c3e34241b854de4cdff103c
Instruction Fuzzy Hash: 1C014B70540205FFEF106FA0EC0AF9C7EB9FB04711F204251B611BC1E4E7B119509B18

Uniqueness

Uniqueness Score: -1.00%

Function 034A84F2 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,034C3BC0,00000008,034A85FA,00000000,00000000,?,034A5848,00000000,00000001,00000000,?,034ABD03,00000018,034C3CD0,0000000C), ref: 034A8503
__lock.LIBCMT ref: 034A8537

Part of subcall function 034ABD78: __mtinitlocknum.LIBCMT ref: 034ABD8E
Part of subcall function 034ABD78: __amsg_exit.LIBCMT ref: 034ABD9A
Part of subcall function 034ABD78: EnterCriticalSection.KERNEL32(00000000,00000000,?,034A86CA,0000000D,034C3BE8,00000008,034A87C1,00000000,?,034A1E4B,00000000,034C3898,00000008,034A1EB0,?), ref: 034ABDA2

InterlockedIncrement.KERNEL32(?), ref: 034A8544
__lock.LIBCMT ref: 034A8558
___addlocaleref.LIBCMT ref: 034A8576

Strings

KERNEL32.DLL, xrefs: 034A84FE

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: 561e701262135cf3fb5abc713e769f35e5475e0a9e58251fa238e1453a9460c9
Instruction ID: 04b0c72be1f65b1ed820033f286a502b109f0386090718d06b6a5c108d387789
Opcode Fuzzy Hash: 561e701262135cf3fb5abc713e769f35e5475e0a9e58251fa238e1453a9460c9
Instruction Fuzzy Hash: 6B013CB9840B00DFD760EF6AD444749BFF4EF24324F20890FD9956E2A0CBB4A644CB19

Uniqueness

Uniqueness Score: -1.00%

Function 0348A35F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36processCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,000001FE), ref: 0348A38B
GetCommandLineW.KERNEL32 ref: 0348A391
GetStartupInfoW.KERNEL32(?), ref: 0348A3A4
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000020,00000000,00000000,?,?), ref: 0348A3D1
ExitProcess.KERNEL32 ref: 0348A3DF

Strings

bad_exception, xrefs: 0348A372

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: Process$CommandCreateExitFileInfoLineModuleNameStartup
String ID: bad_exception
API String ID: 3421218197-3825118028
Opcode ID: 7d461429d28f64e47b860e58c50c2c75bbff4059a22111965025459b6474abe8
Instruction ID: fa0cbeca9a7fedbdc7b01ffd30f1ebbc690799575c82bf6728601f9e799a2275
Opcode Fuzzy Hash: 7d461429d28f64e47b860e58c50c2c75bbff4059a22111965025459b6474abe8
Instruction Fuzzy Hash: AC013675940318AFEB60AFA0DC4DFE977B8EB04705F200295B614F91D1EA706A848F18

Uniqueness

Uniqueness Score: -1.00%

Function 00DB6D93 Relevance: 10.5, APIs: 7, Instructions: 30COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 00DB6DA1
GetSysColor.USER32(00000010), ref: 00DB6DA8
GetSysColor.USER32(00000014), ref: 00DB6DAF
GetSysColor.USER32(00000012), ref: 00DB6DB6
GetSysColor.USER32(00000006), ref: 00DB6DBD
GetSysColorBrush.USER32(0000000F), ref: 00DB6DCA
GetSysColorBrush.USER32(00000006), ref: 00DB6DD1

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: 2a55db47bb194b591efaf022e3388d8402d1606bbea6d4cb6724260541252eea
Instruction ID: 07c19e858cfecca934c8a104197c52cc04f14ba4c66d07eb5ab1831d1fe0d4d4
Opcode Fuzzy Hash: 2a55db47bb194b591efaf022e3388d8402d1606bbea6d4cb6724260541252eea
Instruction Fuzzy Hash: 43F0D4719407489BD730BBB29D09B47BAE1EFC4B10F06092AE2858BA90E6B6E4419F40

Uniqueness

Uniqueness Score: -1.00%

Function 00DF609C Relevance: 9.2, APIs: 6, Instructions: 221COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00DF60CE

Part of subcall function 00DB5A40: GetWindowLongW.USER32(?,000000EC), ref: 00DB5A4B

GetWindowRect.USER32(?,?), ref: 00DF61C9
GetParent.USER32(?), ref: 00DF61D6
GetParent.USER32(?), ref: 00DF61F0
OffsetRect.USER32(?,?,?), ref: 00DF62BD
OffsetRect.USER32(?,?,?), ref: 00DF62C9

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Rect$Window$OffsetParent$Long
String ID:
API String ID: 2171155602-0
Opcode ID: 987545cb7d3f647f44088d337ebbe95f32d60a7b79483ee8363aee60840b73d9
Instruction ID: e770ee24a1a5d4df30ab079d1cf223f6d24b4d9547bfdd15234c7c10d5ada157
Opcode Fuzzy Hash: 987545cb7d3f647f44088d337ebbe95f32d60a7b79483ee8363aee60840b73d9
Instruction Fuzzy Hash: 0391D171D0020DEFCF15DFA8C988AEEBBB5FF48300F14856AEA45A7251D775AA41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00DFE5B6 Relevance: 9.2, APIs: 6, Instructions: 202windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00DFE5BD
GetClientRect.USER32(?,?), ref: 00DFE603

Part of subcall function 00DABA35: __EH_prolog3.LIBCMT ref: 00DABA3C
Part of subcall function 00DABA35: GetDC.USER32(00000000), ref: 00DABA68

Part of subcall function 00DABD82: SelectObject.GDI32(?,00000000), ref: 00DABDA8
Part of subcall function 00DABD82: SelectObject.GDI32(?,?), ref: 00DABDBE

SendMessageW.USER32(?,00000030,?,00000000), ref: 00DFE654
GetTextMetricsW.GDI32(?,?), ref: 00DFE661
GetParent.USER32(?), ref: 00DFE746
SendMessageW.USER32(?,00000030,?,00000000), ref: 00DFE771

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: MessageObjectSelectSend$ClientH_prolog3H_prolog3_MetricsParentRectText
String ID:
API String ID: 1207058154-0
Opcode ID: ab6f5ca96538521205444c74d4c8e1ae3781c09e5d84710d6313328ff67fdd50
Instruction ID: 942174b127524aacad22796b4bb9cabd377048f7252bcfdf9f85622cae0eb932
Opcode Fuzzy Hash: ab6f5ca96538521205444c74d4c8e1ae3781c09e5d84710d6313328ff67fdd50
Instruction Fuzzy Hash: D1718372A005199FCF14DFA8C894EBE77B6FF48710F194129E91AAB255DB31AD01CB70

Uniqueness

Uniqueness Score: -1.00%

Function 03487178 Relevance: 9.1, APIs: 6, Instructions: 142networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(0000000D,03486DA7,?,?,?,03485D67,?,00000010,?), ref: 034871A2
WSASetLastError.WS2_32(0000139F,03486DA7,?,?,?,03485D67,?,00000010,?), ref: 034871D0

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 7a8f3ce8c1e2ac1c811be364fe56c0eebf4f035456507fe0709b0f8e3d9fb58d
Instruction ID: 2b43cf9d545909c619dc2fcad0e0eb4ecdbe41959a823f184b4185986eb637f6
Opcode Fuzzy Hash: 7a8f3ce8c1e2ac1c811be364fe56c0eebf4f035456507fe0709b0f8e3d9fb58d
Instruction Fuzzy Hash: 8051CC34900109DFDB04EF99C5A5AEDBBB1BF18304F24805AE8117F391DB75A945CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00DAA5BC Relevance: 9.1, APIs: 6, Instructions: 139COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00DAA5C3
GlobalLock.KERNEL32(?,?,?), ref: 00DAA6A9
CreateDialogIndirectParamW.USER32(?,?,?,00DA9F19,00000000), ref: 00DAA6D8
DestroyWindow.USER32(00000000), ref: 00DAA752
GlobalUnlock.KERNEL32(?), ref: 00DAA762
GlobalFree.KERNEL32(?), ref: 00DAA76B

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Global$CreateDestroyDialogFreeH_prolog3_catchIndirectLockParamUnlockWindow
String ID:
API String ID: 3003189058-0
Opcode ID: 43e3b5d526b05975e6f8ed5249463de6978002a270b7aad9427fc0a30dcc46a3
Instruction ID: d8b471d96ddf7d4d3f86044f897722d084eba1c0e83d42a0f6db98fb6e8b1f88
Opcode Fuzzy Hash: 43e3b5d526b05975e6f8ed5249463de6978002a270b7aad9427fc0a30dcc46a3
Instruction Fuzzy Hash: 9A51903190064ADFCF14EFA8C8859AE7BB1EF45314F18062DF502A7291CB709A85CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00E02526 Relevance: 9.1, APIs: 6, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00E02585
SendMessageW.USER32(?,0000120C,00000000,00000001), ref: 00E025C7
SendMessageW.USER32(?,0000120C,00000001,00000001), ref: 00E025E9
SendMessageW.USER32(?,00000201,00000000,00000000), ref: 00E02663
SendMessageW.USER32(?,00000202,00000000,00000000), ref: 00E0267B
PtInRect.USER32(?,?,?), ref: 00E02697

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: MessageSend$Rect$Client
String ID:
API String ID: 4194289498-0
Opcode ID: 3d3a514fe926bebdc3efb714b2911f91683a9e8df0165a84b8ac7548cb070d29
Instruction ID: 6fc83a2df2e36bdc612a0ad85e62ac323bacd217bb6246144c1cb44cd5713fe6
Opcode Fuzzy Hash: 3d3a514fe926bebdc3efb714b2911f91683a9e8df0165a84b8ac7548cb070d29
Instruction Fuzzy Hash: F3514B71500219DFCB11DF64C988DAE7BF9FF49704B1801B9E909AB265CB72A981CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DC49F9 Relevance: 9.1, APIs: 6, Instructions: 86windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00DC4A19
GetWindow.USER32(?,00000002), ref: 00DC4A3F
GetWindow.USER32(?,00000002), ref: 00DC4A51
GetWindowLongW.USER32(?,000000EC), ref: 00DC4A61
IsWindowVisible.USER32(?), ref: 00DC4A79
GetTopWindow.USER32(?), ref: 00DC4AA5

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Window$LongParentVisible
String ID:
API String ID: 506644340-0
Opcode ID: 7912e5ccd07dd54c00f576ddbed94fa5bff657e00846e8ba79aa45967f098148
Instruction ID: 22933584dac40e3d03c7336600fed2e3f686f820edd111e3dfd49d9b290cf721
Opcode Fuzzy Hash: 7912e5ccd07dd54c00f576ddbed94fa5bff657e00846e8ba79aa45967f098148
Instruction Fuzzy Hash: DA219232580626BBCB216B658C29FAB7B68FF48798F0D4528F846E7151DB31EC0187B4

Uniqueness

Uniqueness Score: -1.00%

Function 03488C57 Relevance: 9.1, APIs: 6, Instructions: 80processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 03488C86
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 03488C92
Process32FirstW.KERNEL32(000000FF,0000022C), ref: 03488CC5
CloseHandle.KERNEL32(000000FF), ref: 03488D97

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32_memset
String ID:
API String ID: 854347881-0
Opcode ID: 2663310db7fcbccffb0d1bb7a39dc9d84a7f2ec24b05d89515cb089e3502a839
Instruction ID: 6af6c43a7093378ed5111d9f0ad49bfbc6bad4ef2ee67c5e2eb496318fdfc2a4
Opcode Fuzzy Hash: 2663310db7fcbccffb0d1bb7a39dc9d84a7f2ec24b05d89515cb089e3502a839
Instruction Fuzzy Hash: 9A41AE759112289BDB70EF24DC8C79DB7B4EF18319F9042DAE40DAA290E7785AC5CF09

Uniqueness

Uniqueness Score: -1.00%

Function 00E10E12 Relevance: 9.1, APIs: 6, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000002,?,?,?,?,?,00E10F5B,00000000,00000000,?,?,00E12D96,?,?,?,00000084), ref: 00E10E22
GlobalLock.KERNEL32(00000000,?,00E10F5B,00000000,00000000,?,?,00E12D96,?,?,?,00000084,00E1316A,0000000A,0000000A,0000000A), ref: 00E10E3A
_memmove.LIBCMT ref: 00E10E47
CreateStreamOnHGlobal.OLE32(00000000,00000000,00000000,?), ref: 00E10E56
EnterCriticalSection.KERNEL32(00F1A600,00000000), ref: 00E10E6F
LeaveCriticalSection.KERNEL32(00F1A600,00000000), ref: 00E10ED6

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Global$CriticalSection$AllocCreateEnterLeaveLockStream_memmove
String ID:
API String ID: 861836607-0
Opcode ID: 171035eb6401d32098b37d7ef3c5497cc3eab20ab4caa6ef0fc61a278d343eaa
Instruction ID: 0ee2005837bcf33752507f1778300798e3cb8c3382039b98ba6d161343084c0d
Opcode Fuzzy Hash: 171035eb6401d32098b37d7ef3c5497cc3eab20ab4caa6ef0fc61a278d343eaa
Instruction Fuzzy Hash: B321A435601209EFDF10ABB2DC19ADE7BA9EF04354F185429F801E6251EBB5DD80DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00DAAB60 Relevance: 9.1, APIs: 6, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00DAAB93
GetParent.USER32(?), ref: 00DAABA1
GetParent.USER32(?), ref: 00DAABB4
GetLastActivePopup.USER32(?), ref: 00DAABC5
IsWindowEnabled.USER32(?), ref: 00DAABD9
EnableWindow.USER32(?,00000000), ref: 00DAABEC

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: 49788087f0a70e34440fa9494039f798547c256b850fa1c78b43873c57a589d9
Instruction ID: abf70092bba9635d31ba10112b9af6f5ee17f3ba8c842107bba1e5e3fc171d5f
Opcode Fuzzy Hash: 49788087f0a70e34440fa9494039f798547c256b850fa1c78b43873c57a589d9
Instruction Fuzzy Hash: 421191326012259BDB321A6EDC44F6E73AAAF57B64F1E4326EC00A7200DB25CC41C2F3

Uniqueness

Uniqueness Score: -1.00%

Function 03488B3E Relevance: 9.0, APIs: 6, Instructions: 47sleepsynchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(00000000,00000000,034CD2DC), ref: 03488B4D
GetLastError.KERNEL32 ref: 03488B56
GetModuleHandleW.KERNEL32(00000000), ref: 03488B77
GetConsoleWindow.KERNEL32 ref: 03488B80

Part of subcall function 03488AC6: _memset.LIBCMT ref: 03488ADE
Part of subcall function 03488AC6: lstrlenW.KERNEL32(?,00000002), ref: 03488AEC
Part of subcall function 03488AC6: lstrcmpW.KERNEL32(?,034C0810), ref: 03488B21

Sleep.KERNEL32(000003E8), ref: 03488BAD

Part of subcall function 0349CB0D: _memset.LIBCMT ref: 0349CB63
Part of subcall function 0349CB0D: Sleep.KERNEL32(00000001), ref: 0349CB7D
Part of subcall function 0349CB0D: GetTickCount.KERNEL32 ref: 0349CB83
Part of subcall function 0349CB0D: GetTickCount.KERNEL32 ref: 0349CB9A
Part of subcall function 0349CB0D: InterlockedExchange.KERNEL32(034D09D8,00000000), ref: 0349CBA6
Part of subcall function 0349CB0D: OpenClipboard.USER32(00000000), ref: 0349CBAE
Part of subcall function 0349CB0D: GetClipboardData.USER32(0000000D), ref: 0349CBB6
Part of subcall function 0349CB0D: GlobalSize.KERNEL32(00000000), ref: 0349CBD5
Part of subcall function 0349CB0D: GlobalLock.KERNEL32(00000000), ref: 0349CBEB
Part of subcall function 0349CB0D: _memmove.LIBCMT ref: 0349CCC2
Part of subcall function 0349CB0D: wsprintfW.USER32 ref: 0349CCDC

Sleep.KERNEL32(000003E8), ref: 03488BBD

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: Sleep$ClipboardCountGlobalTick_memset$ConsoleCreateDataErrorExchangeHandleInterlockedLastLockModuleMutexOpenSizeWindow_memmovelstrcmplstrlenwsprintf
String ID:
API String ID: 4202571106-0
Opcode ID: 22f60d3ebb7d2967497af956484e28b8bb79341096a22ac975c1c5faa9f44084
Instruction ID: 2feec2b0796a228dbc273579c37a2a84e16448debcf1c8b9cf9b50225f91e07e
Opcode Fuzzy Hash: 22f60d3ebb7d2967497af956484e28b8bb79341096a22ac975c1c5faa9f44084
Instruction Fuzzy Hash: A8018FB5D40305AFDB10FBB5A849B5E7AE8AB88241F804477F122ED2C4FA74C2008659

Uniqueness

Uniqueness Score: -1.00%

Function 034A8F2A Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 034A8F36

Part of subcall function 034A861F: __getptd_noexit.LIBCMT ref: 034A8622
Part of subcall function 034A861F: __amsg_exit.LIBCMT ref: 034A862F

__amsg_exit.LIBCMT ref: 034A8F56
__lock.LIBCMT ref: 034A8F66
InterlockedDecrement.KERNEL32(?), ref: 034A8F83
_free.LIBCMT ref: 034A8F96
InterlockedIncrement.KERNEL32(03711658), ref: 034A8FAE

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: de4d6ead77fc792f073a3030e251f45d72febbb1a699e63997580653f4c02996
Instruction ID: c0aed0888534a38a81212f86f198bc228712b8220333183f4468c5661df18bff
Opcode Fuzzy Hash: de4d6ead77fc792f073a3030e251f45d72febbb1a699e63997580653f4c02996
Instruction Fuzzy Hash: 3E015E35901F229FDA51FB5E944475EBFA1FB28620F08050BE9146F280CB346981CFD9

Uniqueness

Uniqueness Score: -1.00%

Function 00EB07B4 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00EB07C0

Part of subcall function 00EAD75C: __getptd_noexit.LIBCMT ref: 00EAD75F
Part of subcall function 00EAD75C: __amsg_exit.LIBCMT ref: 00EAD76C

__amsg_exit.LIBCMT ref: 00EB07E0
__lock.LIBCMT ref: 00EB07F0
InterlockedDecrement.KERNEL32(?), ref: 00EB080D
_free.LIBCMT ref: 00EB0820
InterlockedIncrement.KERNEL32(02E71660), ref: 00EB0838

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: 7612cc3284a7ef67c646652c75150d1d37a8c1515c384d8a88660f534b6b3276
Instruction ID: 86093ab47af23c4fb36ad2cb8ec347621b5bef615455de632bfba535abe7a8cf
Opcode Fuzzy Hash: 7612cc3284a7ef67c646652c75150d1d37a8c1515c384d8a88660f534b6b3276
Instruction Fuzzy Hash: 7401A135902B25DBCB24AB6498057CFB7A0BB45B24F455015E414BB691CB34B981DBD2

Uniqueness

Uniqueness Score: -1.00%

Function 00E0235C Relevance: 9.0, APIs: 6, Instructions: 43COMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 00E02383
ReleaseCapture.USER32 ref: 00E02389
GetCapture.USER32 ref: 00E023AE
ReleaseCapture.USER32 ref: 00E023B4
GetCapture.USER32 ref: 00E023BD
ReleaseCapture.USER32 ref: 00E023C3

Part of subcall function 00E01D81: __EH_prolog3_GS.LIBCMT ref: 00E01D88
Part of subcall function 00E01D81: IsRectEmpty.USER32(?), ref: 00E01DA3
Part of subcall function 00E01D81: InvertRect.USER32(?,?), ref: 00E01DB9
Part of subcall function 00E01D81: SetRectEmpty.USER32(?), ref: 00E01DC7

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Capture$RectRelease$Empty$H_prolog3_Invert
String ID:
API String ID: 4148550730-0
Opcode ID: bf896d15251639c73303179891e85e6c9e85f4a31cbe5e976709f8063e052e1d
Instruction ID: 1923d68ed08e98a48f260303d56fd05e42dda56a06b1dc6d5e181af868262336
Opcode Fuzzy Hash: bf896d15251639c73303179891e85e6c9e85f4a31cbe5e976709f8063e052e1d
Instruction Fuzzy Hash: 98017132210611CFD325BB21CC98BAE73E4BF44719F14153CE65BA61E0CB6968868B51

Uniqueness

Uniqueness Score: -1.00%

Function 034867BE Relevance: 9.0, APIs: 6, Instructions: 32sleepsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 034867CD
WaitForSingleObject.KERNEL32(?,000000FF), ref: 034867DE
Sleep.KERNEL32(00000258), ref: 034867E9
CloseHandle.KERNEL32(?), ref: 03486806
CloseHandle.KERNEL32(?), ref: 03486815
Sleep.KERNEL32(0000012C), ref: 0348682D

Part of subcall function 03485F7D: GetCurrentThreadId.KERNEL32 ref: 03485F85

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: CloseHandleObjectSingleSleepWait$CurrentThread
String ID:
API String ID: 1839609998-0
Opcode ID: 373115d7b5230789091f2eb48e31281b07fb6f1e72d36a5a27856926f9bc7cf9
Instruction ID: a114c49fc347499eb3973f65f5cf316aabf7a59b594cabafa2fc8ec195815871
Opcode Fuzzy Hash: 373115d7b5230789091f2eb48e31281b07fb6f1e72d36a5a27856926f9bc7cf9
Instruction Fuzzy Hash: CD01A435505104EFCB04FF98DA4DD4CBBF1AF09311B254295F555AB3A1D7729E10EB00

Uniqueness

Uniqueness Score: -1.00%

Function 00DA2D8B Relevance: 9.0, APIs: 6, Instructions: 29synchronizationsleepCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00DA2D9B
Sleep.KERNEL32(00000258), ref: 00DA2DA8
InterlockedExchange.KERNEL32(?,00000000), ref: 00DA2DB0
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00DA2DBB
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00DA2DC2
Sleep.KERNEL32(0000012C), ref: 00DA2DD3

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: ObjectSingleWait$Sleep$ExchangeInterlocked
String ID:
API String ID: 3137405945-0
Opcode ID: ec17ff6501303eaa330b1e9385daa45f65288733f6f8d7b2c353972ae019c8c6
Instruction ID: d836616a00ef2aeef741eaaa737e1257f7d6e340351effb2006fd6f28d83c22b
Opcode Fuzzy Hash: ec17ff6501303eaa330b1e9385daa45f65288733f6f8d7b2c353972ae019c8c6
Instruction Fuzzy Hash: 33F030311046186FDA206B5ADC48E4AB7E9EF85334F250725F271922F1CAE1AC059B61

Uniqueness

Uniqueness Score: -1.00%

Function 00E3EFFB Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 238COMMON

Download Yara Rule

APIs

FillRect.USER32(00000002,?,?), ref: 00E3F039

Part of subcall function 00DA4EC8: __EH_prolog3_catch.LIBCMT ref: 00DA4EE7

FillRect.USER32(?,?,?), ref: 00E3F0BE
FillRect.USER32(00000002,?,?), ref: 00E3F136

Part of subcall function 00DABE9F: __EH_prolog3.LIBCMT ref: 00DABEA6
Part of subcall function 00DABE9F: CreateSolidBrush.GDI32(?), ref: 00DABEC1

Strings

@, xrefs: 00E3F196

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: FillRect$BrushCreateH_prolog3H_prolog3_catchSolid
String ID: @
API String ID: 85268656-2766056989
Opcode ID: b96d43806d8ccee31e24db67a0845abcbdcb15ca8b9d26cce6a6658e323eed87
Instruction ID: ff88fe4a39f2d6495d086b88f7a9db26a39a498516e6ac2945da52cacfa7d0ba
Opcode Fuzzy Hash: b96d43806d8ccee31e24db67a0845abcbdcb15ca8b9d26cce6a6658e323eed87
Instruction Fuzzy Hash: CCA1F571D0021ADFCF08CFA8D9959EEBBB1FF48315F05912AE815BB251C774AA15CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E005D3 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 143memorywindowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E005DD
_memset.LIBCMT ref: 00E00645
GlobalAlloc.KERNEL32(00000040,0000000C), ref: 00E0065E
SendMessageW.USER32 ref: 00E00747

Strings

g, xrefs: 00E00650

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: AllocGlobalH_prolog3MessageSend_memset
String ID: g
API String ID: 653267268-30677878
Opcode ID: 4f845084e54a0e6db987f1ba99ee324d8936826ceba0529ad4e4baa2b11ca4d9
Instruction ID: c2399d5d1b79820d118a10f50ab556d0f56d46e122c90c166be92bf8283a2da0
Opcode Fuzzy Hash: 4f845084e54a0e6db987f1ba99ee324d8936826ceba0529ad4e4baa2b11ca4d9
Instruction Fuzzy Hash: 98513771A002199FDF04CFA4C889BEEBBB5BF48304F144168E515FB291DBB5A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0348495A Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 130networkCOMMON

Download Yara Rule

APIs

select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 03484A66
recv.WS2_32(?,?,00040000,00000000), ref: 03484AA3

Strings

%s, xrefs: 03484974
CTcpSocket::WorkThread, xrefs: 0348496F
@, xrefs: 034849FE

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: recvselect
String ID: %s$@$CTcpSocket::WorkThread
API String ID: 741273618-4073167393
Opcode ID: a6b86bd1d41ddcfa138d4080c4f6f26a81794f0ea59d8f274ae94be0baf1296f
Instruction ID: f284e5951f8098cbaadb9ef4a99b07b52d8b73d9a4d5425c5dca9d7ca4244d19
Opcode Fuzzy Hash: a6b86bd1d41ddcfa138d4080c4f6f26a81794f0ea59d8f274ae94be0baf1296f
Instruction Fuzzy Hash: F151E434900219EFDF24EFA9E849BDDB7B0EB09315F2040DAD515AB290D774AA85CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00DAD094 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

GetMenuCheckMarkDimensions.USER32 ref: 00DAD0AC
_memset.LIBCMT ref: 00DAD124
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 00DAD186
LoadBitmapW.USER32(00000000,00007FE3), ref: 00DAD19E

Strings

, xrefs: 00DAD105

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu_memset
String ID:
API String ID: 4271682439-3916222277
Opcode ID: 4c775b6d93b9e25e135aa132740160a123afa99358aaf92ae6a86b637979156e
Instruction ID: 5c81c656c13b7322b05ae4d2c0bc918ca614951e2c810587553f2480b0567597
Opcode Fuzzy Hash: 4c775b6d93b9e25e135aa132740160a123afa99358aaf92ae6a86b637979156e
Instruction Fuzzy Hash: 2E313971A002189FEB20CF28DD85BA977B5FB45304F4940BAF549EB282DF71DD469B60

Uniqueness

Uniqueness Score: -1.00%

Function 034892FA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 91comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 03489306
CoCreateInstance.OLE32(034BD938,00000000,00000001,034BD958,?), ref: 0348931E

Strings

FriendlyName, xrefs: 034893B1

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: CreateInitializeInstance
String ID: FriendlyName
API String ID: 3519745914-3623505368
Opcode ID: d2ee5da11b284b44a9247293b7962054fbc3f243e76f1bc89490f4395b727d14
Instruction ID: 0d0a25816c82225885792990e9b04744ebfddd57c3db283d825f4596c15e0e89
Opcode Fuzzy Hash: d2ee5da11b284b44a9247293b7962054fbc3f243e76f1bc89490f4395b727d14
Instruction Fuzzy Hash: 4831A574E4020AEFDB00DF94C949BAEBBB4EF08311F144066E911FB2A1D7749A45CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00DC2025 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81COMMONLIBRARYCODE

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32 ref: 00DC204C
CoTaskMemFree.OLE32(?), ref: 00DC20DB

Strings

`<u, xrefs: 00DC20BC

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: ArrayDestroyFreeSafeTask
String ID: `<u
API String ID: 3253174383-3367579956
Opcode ID: be923b4449f45cea31a0954df107eb47c0c538a559953db85ebf1ac5d143c5af
Instruction ID: edfd4468bc32ed06ed9ad5cf48d9fd3c6f566c44099549fa7efed5f9e74aaced
Opcode Fuzzy Hash: be923b4449f45cea31a0954df107eb47c0c538a559953db85ebf1ac5d143c5af
Instruction Fuzzy Hash: B92148B1100206EFCF298F69C888E757769FB8475172C882EE599CB190C772DC41EA31

Uniqueness

Uniqueness Score: -1.00%

Function 00DAE36D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 73COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00DAE377
GetClassNameW.USER32(00000000,?,000000FF), ref: 00DAE3C5
GetStockObject.GDI32(00000005), ref: 00DAE46E

Strings

Static, xrefs: 00DAE3F5
Button, xrefs: 00DAE3E1

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: ClassH_prolog3_NameObjectStock
String ID: Button$Static
API String ID: 3900068017-2498952662
Opcode ID: 665a7b6908126c0108259a25eb31c2c05318db53fc25d61fa2d66059977006f4
Instruction ID: db5837bb6e97dfd4e6f79e119c382ff7e917ef07c4dda14f8623ea9326a847d0
Opcode Fuzzy Hash: 665a7b6908126c0108259a25eb31c2c05318db53fc25d61fa2d66059977006f4
Instruction Fuzzy Hash: F621A531A40219DBCF24EB60CD45BE9B374EF19301F0841A9E92AA72D1DAB09E81CF71

Uniqueness

Uniqueness Score: -1.00%

Function 00DAA0DA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

Edit, xrefs: 00DAA134

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID:
String ID: Edit
API String ID: 0-554135844
Opcode ID: 270628197f3c56b4437eb7e3647b59073a5f21cc3c8161b599b1ed6a076e6112
Instruction ID: 1ea55bf1cf74d980639d6bdb6729635ee65335dd4a5e3c2f16873e97fe08c1c5
Opcode Fuzzy Hash: 270628197f3c56b4437eb7e3647b59073a5f21cc3c8161b599b1ed6a076e6112
Instruction Fuzzy Hash: 3D118231240305BBDA211A3ACC09F6AB6A9AB527A4F1C4639F546E10E1DF61DC56CA72

Uniqueness

Uniqueness Score: -1.00%

Function 034844C3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 55networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 0348453A
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 03484548
InterlockedExchange.KERNEL32(?,00000000), ref: 03484563

Strings

%s, xrefs: 03484522
CTcpSocket::CTcpSocket, xrefs: 0348451D

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: CreateEventExchangeInterlockedStartup
String ID: %s$CTcpSocket::CTcpSocket
API String ID: 784645330-2126482478
Opcode ID: 91edad1094d8d5aa512e58df094fd697dc538c86470173a518bb8501ca06a467
Instruction ID: c64c67c48b782f18fa3a62514020aab1ef5bc97348ea1ce657bfd497aa012298
Opcode Fuzzy Hash: 91edad1094d8d5aa512e58df094fd697dc538c86470173a518bb8501ca06a467
Instruction Fuzzy Hash: 78210038A203589FDB14EF59DC65BDDB7B0AF06315F1040CAE649AF291CA719D44CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00DE28E4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(DWMAPI), ref: 00DE290E
GetProcAddress.KERNEL32(00000000,DwmSetIconicThumbnail), ref: 00DE291E
DeleteObject.GDI32(00000000), ref: 00DE2958

Strings

DWMAPI, xrefs: 00DE2903
DwmSetIconicThumbnail, xrefs: 00DE2918

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: AddressDeleteHandleModuleObjectProc
String ID: DWMAPI$DwmSetIconicThumbnail
API String ID: 3128169092-3761315311
Opcode ID: d63bf7162569450e5268aff217e7a231832d410120c6299e272d92ae533867be
Instruction ID: af1fc7ed16dc87f6f19b95ba2fb1471bb81917cb807952560c579b93f9966446
Opcode Fuzzy Hash: d63bf7162569450e5268aff217e7a231832d410120c6299e272d92ae533867be
Instruction Fuzzy Hash: 5E01AD75240349BFDB006B668C88EAE77ADEF88714F084125F902A7252DAB5D902CA70

Uniqueness

Uniqueness Score: -1.00%

Function 00DF0043 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00DF007E
DestroyWindow.USER32(?), ref: 00DF009A
IsWindow.USER32(?), ref: 00DF00B9
DestroyWindow.USER32(?), ref: 00DF00C9

Strings

px, xrefs: 00DF0059

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Window$Destroy
String ID: px
API String ID: 3707531092-3846731130
Opcode ID: b7096e7574dbe238decb90a8d1faba43704b677e1eeab2f371c4ddde10e07eaf
Instruction ID: 1a90d565867cd41c28f5d7124f78d4a603f90c0e4858cf3ca0c41d6fa234d00a
Opcode Fuzzy Hash: b7096e7574dbe238decb90a8d1faba43704b677e1eeab2f371c4ddde10e07eaf
Instruction Fuzzy Hash: 3801C032201608EFE7215B24DC49FB6BBB9FF40361F19822AF55993152DF35AC61DA70

Uniqueness

Uniqueness Score: -1.00%

Function 00DDA07F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 46libraryfileloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00DDA093
GetProcAddress.KERNEL32(00000000,CreateFileTransactedW), ref: 00DDA0A3
CreateFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00DDA0E2

Strings

kernel32.dll, xrefs: 00DDA08E
CreateFileTransactedW, xrefs: 00DDA09D

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: AddressCreateFileHandleModuleProc
String ID: CreateFileTransactedW$kernel32.dll
API String ID: 2580138172-2053874626
Opcode ID: 3be7785849579652983ef26b750f7da4abab4a6ed5c72b53525d9c72f6f1dd75
Instruction ID: 6e65f8842c9ae3fcb91bddf2bac79e864891e24fffb5d6a915058a0390a008c7
Opcode Fuzzy Hash: 3be7785849579652983ef26b750f7da4abab4a6ed5c72b53525d9c72f6f1dd75
Instruction Fuzzy Hash: E801DA32000249BBCF221FD9DC04CAA7F76FB99751B18C52AFA6561164C733C961FB61

Uniqueness

Uniqueness Score: -1.00%

Function 03488AC6 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 03488ADE
lstrlenW.KERNEL32(?,00000002), ref: 03488AEC

Part of subcall function 03489BA4: _memset.LIBCMT ref: 03489BF5
Part of subcall function 03489BA4: _memset.LIBCMT ref: 03489C0B
Part of subcall function 03489BA4: _memset.LIBCMT ref: 03489C21
Part of subcall function 03489BA4: RegOpenKeyExW.ADVAPI32(00000000,-000008CC,00000000,00020019,03488374,?,?,?,?,?,?,?), ref: 03489C3E

lstrcmpW.KERNEL32(?,034C0810), ref: 03488B21

Strings

open, xrefs: 03488AFD
key, xrefs: 03488B02

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: _memset$Openlstrcmplstrlen
String ID: key$open
API String ID: 3415559920-2893384115
Opcode ID: 9d71c5c7466006eebfbdb9dba6d1189d44b1d0ec64a4860af919b608c271544d
Instruction ID: 3769ecf00da2ce88c7d7eb80f4aee5a8fe260a860268724ca5884f7f1691c383
Opcode Fuzzy Hash: 9d71c5c7466006eebfbdb9dba6d1189d44b1d0ec64a4860af919b608c271544d
Instruction Fuzzy Hash: B1F0A974A60308BFEB50F7F88C46FAE72ECBB04744F54042E7A11EE182FA61D5058B65

Uniqueness

Uniqueness Score: -1.00%

Function 0348A1AC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 0348A1D5
GetProcAddress.KERNEL32(00000000), ref: 0348A1DC
GetSystemInfo.KERNEL32(00000000), ref: 0348A1F8

Strings

kernel32.dll, xrefs: 0348A1D0
GetNativeSystemInfo, xrefs: 0348A1CB

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: AddressHandleInfoModuleProcSystem
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 1167836806-192647395
Opcode ID: f52b71212c93a5bb99e7c292e00612171705dfcbeb1486905be455a500847eaf
Instruction ID: b3de2197ed25437b283949a31d5e6e10f7c763731d043d5720335f22a04a2159
Opcode Fuzzy Hash: f52b71212c93a5bb99e7c292e00612171705dfcbeb1486905be455a500847eaf
Instruction Fuzzy Hash: 1D018132954208EFCF54EBE4C8086EEB7F9EB08321F140827E442FA180E7B5A585C664

Uniqueness

Uniqueness Score: -1.00%

Function 0349C07C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31sleepregistryCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00004E20), ref: 0349BF77
Sleep.KERNEL32(00000BB8), ref: 0349BFAC
Sleep.KERNEL32(00000FA0,034CF400,00000000), ref: 0349BFFE
RegOpenKeyExW.ADVAPI32(80000001,Console,00000000,00020019,?), ref: 0349C041
RegQueryValueExW.ADVAPI32(?,IpDatespecial,00000000,00000003,00000000,00000000), ref: 0349C068

Strings

IpDatespecial, xrefs: 0349C05D
Console, xrefs: 0349C037

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: Sleep$OpenQueryValue
String ID: Console$IpDatespecial
API String ID: 2173693006-1840232981
Opcode ID: a1518357c1a701d6c66c3ec6e4284d6ee062473cbb95d54a3dff308dd3f1b632
Instruction ID: 063a46f870bf206b1a55514d4695fc27cfbb65731141af289571029f62f36b1d
Opcode Fuzzy Hash: a1518357c1a701d6c66c3ec6e4284d6ee062473cbb95d54a3dff308dd3f1b632
Instruction Fuzzy Hash: 05013170944218EFFB20CE60DC48BA87AB9A740709F104197E61CB9180D7B71E94CF19

Uniqueness

Uniqueness Score: -1.00%

Function 034A3789 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 034A37AA

Part of subcall function 034A861F: __getptd_noexit.LIBCMT ref: 034A8622
Part of subcall function 034A861F: __amsg_exit.LIBCMT ref: 034A862F

__getptd.LIBCMT ref: 034A37BB
__getptd.LIBCMT ref: 034A37C9

Strings

MOC, xrefs: 034A379C
RCC, xrefs: 034A3795

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$RCC
API String ID: 803148776-2084237596
Opcode ID: 2aabf437fbc74d97c402033b8ee6bd90e827c486c6c1ae5615b2729dc242f7f4
Instruction ID: 6a514bdff58d31e494ab1035ac55946b2875301e34e2ce4be5e20e16db2f5971
Opcode Fuzzy Hash: 2aabf437fbc74d97c402033b8ee6bd90e827c486c6c1ae5615b2729dc242f7f4
Instruction Fuzzy Hash: 7EE0127C104A088FD710DF6DC049B6976A4FBA8215F5940E7D90DCF322DB28E4504E9A

Uniqueness

Uniqueness Score: -1.00%

Function 00E4AADC Relevance: 7.9, APIs: 5, Instructions: 369windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E4AAE3
GetWindow.USER32(?,00000005), ref: 00E4AB03
GetWindow.USER32(?,00000002), ref: 00E4AB39
IsWindowVisible.USER32(?), ref: 00E4AC1D
GetWindow.USER32(?,00000002), ref: 00E4AEAD

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Window$H_prolog3Visible
String ID:
API String ID: 3969123015-0
Opcode ID: 8e959e6f3a30413c1f28ad79bb54ed1b0ceab8e39664685c4a015fbfb8f43aad
Instruction ID: 4bd15cf840007b2ec4a1e9db8e23151d8596fb69832f0dd33f048a7cf252bfc6
Opcode Fuzzy Hash: 8e959e6f3a30413c1f28ad79bb54ed1b0ceab8e39664685c4a015fbfb8f43aad
Instruction Fuzzy Hash: F2D1AA70A002059FCF15EFA4D889ABEB7F5AF48324F181539F816BB292DB309D41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00E2470A Relevance: 7.9, APIs: 5, Instructions: 362COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00E24771
GetWindowRect.USER32(?,?), ref: 00E24849
InflateRect.USER32(?,00000000,?), ref: 00E2486F
GetWindowRect.USER32(?,?), ref: 00E24924
GetWindowRect.USER32(?,?), ref: 00E24A2F

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Rect$Window$Inflate
String ID:
API String ID: 1123775244-0
Opcode ID: 7ace97647b8d8ce796b1f7a1bf9f9b1f57f8c9b902c6e06ce441f68a457ec5e1
Instruction ID: 52a3d97b9d6be89ca894a41738a87107e9f790e93a0aaa0581a60752230f4616
Opcode Fuzzy Hash: 7ace97647b8d8ce796b1f7a1bf9f9b1f57f8c9b902c6e06ce441f68a457ec5e1
Instruction Fuzzy Hash: 65E129B1E0022ADFCB14DFA9D984AAEBBF5FF48314F18516AE515B7280D770AD40CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00DCA2B0 Relevance: 7.8, APIs: 5, Instructions: 338COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 00DCA2D8
SetRectEmpty.USER32(?), ref: 00DCA350
GetClientRect.USER32(?,?), ref: 00DCA550
GetClientRect.USER32(?,?), ref: 00DCA578
SetRectEmpty.USER32(?), ref: 00DCA607

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Rect$Empty$Client
String ID:
API String ID: 1457177775-0
Opcode ID: b825fcce25d134bbb2bdfed5a56cc6467a6edc0d3dfe32f9eadd16c97b16e501
Instruction ID: 62e8b51fd5fd32117918adf54d9077cab036a2eb87f2f0577ef9e8b02ddc4cd1
Opcode Fuzzy Hash: b825fcce25d134bbb2bdfed5a56cc6467a6edc0d3dfe32f9eadd16c97b16e501
Instruction Fuzzy Hash: E1D10B71E0061ACFCF19CF98C594AAEB7B2FF45314F28816DE815AB240D775AD42CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DEE22C Relevance: 7.7, APIs: 5, Instructions: 241COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00DEE236
CreatePolygonRgn.GDI32(?,00000008,00000002), ref: 00DEE430
FillRect.USER32(00000002,?,?), ref: 00DEE4A2
FillRect.USER32(00000002,?,07100EB7), ref: 00DEE4D2
Polyline.GDI32(00000002,?,00000008), ref: 00DEE4E9

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: FillRect$CreateH_prolog3_PolygonPolyline
String ID:
API String ID: 3866795319-0
Opcode ID: ba9bb0a32fc81b95fb522025640314bf85ab644cf9bee898ef8ccdc6f34c2089
Instruction ID: 9097de1ae7941823589461e71ed574b507f088402fb644156f4c3f1d991d6fa0
Opcode Fuzzy Hash: ba9bb0a32fc81b95fb522025640314bf85ab644cf9bee898ef8ccdc6f34c2089
Instruction Fuzzy Hash: 45A15970D00258CFCF15DFA5C985AEDBBB9FF49300F14816AE919AB252DB709A46CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00DF30CE Relevance: 7.7, APIs: 5, Instructions: 205COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00DF3122
GetParent.USER32(?), ref: 00DF3141
GetParent.USER32(?), ref: 00DF3150

Part of subcall function 00DE07FA: SetParent.USER32(?,?), ref: 00DE080D

GetWindowRect.USER32(?,?), ref: 00DF31E7
GetClientRect.USER32(?,?), ref: 00DF3260

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Parent$RectWindow$Client
String ID:
API String ID: 3043635113-0
Opcode ID: ea31888ad6d79acae4a6a96993bfbf50c5154192b1220b7af00d30d370c13971
Instruction ID: cd5243abe51e1bc2caad478b15a5294fbfe6668406eae7346a939b2c7597d7de
Opcode Fuzzy Hash: ea31888ad6d79acae4a6a96993bfbf50c5154192b1220b7af00d30d370c13971
Instruction Fuzzy Hash: 65713B30700604AFCB14AFA9CC99EAEBBF9EF89700F0545B9F506DB252CB759905CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00DD4720 Relevance: 7.7, APIs: 5, Instructions: 182COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00DD476E
InflateRect.USER32(?,00000000,00000000), ref: 00DD479A
GetSystemMetrics.USER32(00000002), ref: 00DD4817
_memset.LIBCMT ref: 00DD483D

Part of subcall function 00DB5D83: SetWindowPos.USER32(?,?,?,?,?,?,?,?,00DAA8C8,00000000,00000000,00000000,00000000,00000000,00000097,?), ref: 00DB5DAB

Part of subcall function 00DAFFBD: GetScrollInfo.USER32(?,?,?), ref: 00DAFFF1

Part of subcall function 00DAFF7D: SetScrollInfo.USER32(?,?,?,?), ref: 00DAFFAE

EnableScrollBar.USER32(?,00000002,00000000), ref: 00DD4920

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Scroll$InfoRect$ClientEnableInflateMetricsSystemWindow_memset
String ID:
API String ID: 4263531605-0
Opcode ID: d7d1a5e4377e9fc381bbaa5d60971695375b8a2b8482e25aee94d1b8bb92d3d2
Instruction ID: 8a33f677d9196c9032480f11de98dab72f1d99b3fb03dd265e104f487c692dc7
Opcode Fuzzy Hash: d7d1a5e4377e9fc381bbaa5d60971695375b8a2b8482e25aee94d1b8bb92d3d2
Instruction Fuzzy Hash: 7E613A71A01259EFDF10CFA8C984AEEB7F5FF48700F18417AE809AB245C7B19D059B60

Uniqueness

Uniqueness Score: -1.00%

Function 00E2453C Relevance: 7.7, APIs: 5, Instructions: 168COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00E245B6
EqualRect.USER32(?,?), ref: 00E245E1
BeginDeferWindowPos.USER32(?), ref: 00E245EE
EndDeferWindowPos.USER32(?), ref: 00E24613

Part of subcall function 00E17E09: GetWindowRect.USER32(?,?), ref: 00E17E1F
Part of subcall function 00E17E09: GetParent.USER32(?), ref: 00E17E61
Part of subcall function 00E17E09: GetParent.USER32(?), ref: 00E17E71

Part of subcall function 00DA6451: __CxxThrowException@8.LIBCMT ref: 00DA6467
Part of subcall function 00DA6451: __EH_prolog3.LIBCMT ref: 00DA6474

GetWindowRect.USER32(?,?), ref: 00E246C8

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Window$Rect$DeferParent$BeginEqualException@8H_prolog3Throw
String ID:
API String ID: 601628497-0
Opcode ID: 3f234b26fc717829ee2930485954ad87d19f99a83749e8ce3e231d987ee9026c
Instruction ID: d3f799301e0030c77161f92b06a22695cd0c0653f218ea341dc9c77a63d8a875
Opcode Fuzzy Hash: 3f234b26fc717829ee2930485954ad87d19f99a83749e8ce3e231d987ee9026c
Instruction Fuzzy Hash: 98513AB1E00219DFCB10DFA9D9849EEBBF5FF49304B14516AE506B7250DB70AE45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00DFD04E Relevance: 7.7, APIs: 5, Instructions: 162stringCOMMON

Download Yara Rule

APIs

SHGetPathFromIDListW.SHELL32(?,?), ref: 00DFD0F7
SHGetPathFromIDListW.SHELL32(?,?), ref: 00DFD127

Part of subcall function 00DA6451: __CxxThrowException@8.LIBCMT ref: 00DA6467
Part of subcall function 00DA6451: __EH_prolog3.LIBCMT ref: 00DA6474

SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000408), ref: 00DFD1DA
SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000408), ref: 00DFD1FB
lstrcmpiW.KERNEL32(?,?), ref: 00DFD20F

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: FileFromInfoListPath$Exception@8H_prolog3Throwlstrcmpi
String ID:
API String ID: 4171047833-0
Opcode ID: 1ed0eb6ee0cd0177da6ae6daa6f8c2b01f52db43f93d2c486af04740b522657c
Instruction ID: ce5d33070d9076cad37f67c00becf321db736a237966cdda9c1918849589e6e2
Opcode Fuzzy Hash: 1ed0eb6ee0cd0177da6ae6daa6f8c2b01f52db43f93d2c486af04740b522657c
Instruction Fuzzy Hash: 4F5151B191022D9BCF249B54CD40ABDB7BBFF88304F05819AA649A2150DB71DE91DFF4

Uniqueness

Uniqueness Score: -1.00%

Function 00E94BD8 Relevance: 7.7, APIs: 5, Instructions: 154COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00E94BDF
CreateCompatibleDC.GDI32(00000002), ref: 00E94C2D
GetBoundsRect.GDI32(?,?,00000000,00000000), ref: 00E94C55
CreateSolidBrush.GDI32 ref: 00E94C6F
FillRect.USER32(00000001,?,?), ref: 00E94C88

Part of subcall function 00E93F92: FrameRgn.GDI32(00000002,?,00000002,00000001,00000001), ref: 00E93FBA

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: CreateRect$BoundsBrushCompatibleFillFrameH_prolog3_Solid
String ID:
API String ID: 2864772683-0
Opcode ID: 9d16b90c4d6b1151077967e9c0c21e1ad43de61fe382339f795664f1983785d4
Instruction ID: f33cfb43404f04c2ec2f5b366cd9fe4b59da0afe35d52794cf24523f27fff5e0
Opcode Fuzzy Hash: 9d16b90c4d6b1151077967e9c0c21e1ad43de61fe382339f795664f1983785d4
Instruction Fuzzy Hash: E85179B1911228EFDF11DFA4C981EEDBBB5FF08714F04512AF801BA191C7B15A86CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DEAE90 Relevance: 7.6, APIs: 5, Instructions: 133COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00DEAEDD
GetWindowRect.USER32(?,?), ref: 00DEAEFF
GetClientRect.USER32(?,?), ref: 00DEAF8F
MapWindowPoints.USER32(?,?,?,00000002), ref: 00DEAFA2
FillRect.USER32(?,?), ref: 00DEAFE2

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Rect$Window$ClientFillParentPoints
String ID:
API String ID: 1064458942-0
Opcode ID: 157889ba8cfcd82ac2b6492f9a47990d955499260203e51b719862d774c7da16
Instruction ID: 4cbcb29f6969b1eab435fdd3de6931b544dd0a91fa98b6541a06100578af7f1a
Opcode Fuzzy Hash: 157889ba8cfcd82ac2b6492f9a47990d955499260203e51b719862d774c7da16
Instruction Fuzzy Hash: 345130B1A0125ADFCB11EF99C8848EEBBB5FF48710B18406AF405E7211D770AD41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DF4D0C Relevance: 7.6, APIs: 5, Instructions: 124windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00DF4D13
SetRectEmpty.USER32(?), ref: 00DF4D3C

Part of subcall function 00DA6304: _malloc.LIBCMT ref: 00DA6322

__CxxThrowException@8.LIBCMT ref: 00DF4DE3

Part of subcall function 00DBD1BC: __EH_prolog3.LIBCMT ref: 00DBD1C3

GetWindowRect.USER32(?,?), ref: 00DF4E0E
IsWindowVisible.USER32(?), ref: 00DF4E2B

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: RectWindow$EmptyException@8H_prolog3H_prolog3_ThrowVisible_malloc
String ID:
API String ID: 3103794022-0
Opcode ID: b06a86cc5a6be48ea8b18247dd0f07757e7c4ff4b528785cfc126dc8117cad31
Instruction ID: 1b70d3d622a0133d2ae53d5ec7df515e1c3a3dc9551eacfa9778f1aa4184a1c7
Opcode Fuzzy Hash: b06a86cc5a6be48ea8b18247dd0f07757e7c4ff4b528785cfc126dc8117cad31
Instruction Fuzzy Hash: CB413771A01209EBCB05EFA4D991AFEB6FAFF48300F54942DF15AE6241DB34A9059B31

Uniqueness

Uniqueness Score: -1.00%

Function 00DF8913 Relevance: 7.6, APIs: 5, Instructions: 106COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00DF891A
SetRectEmpty.USER32(?), ref: 00DF8A77
SetRectEmpty.USER32(?), ref: 00DF8A84
SetRectEmpty.USER32(?), ref: 00DF8A91
SetRectEmpty.USER32(?), ref: 00DF8A98

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: EmptyRect$H_prolog3
String ID:
API String ID: 3752103406-0
Opcode ID: 995b0eb85d22505a8748c3affc814231f9b821e69eadc99d7a95782763579136
Instruction ID: 65b7a48b5b5c2fba1dcc8f626ab0e026297c5a5ab7c46c197fccc93a9dde7759
Opcode Fuzzy Hash: 995b0eb85d22505a8748c3affc814231f9b821e69eadc99d7a95782763579136
Instruction Fuzzy Hash: EF51CAB1900B45DFD321DF36C545BDAFBE8AFA5300F40891FD5AA96291DBB42244CF52

Uniqueness

Uniqueness Score: -1.00%

Function 00DCA8FD Relevance: 7.6, APIs: 5, Instructions: 99COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00DCA926
ScreenToClient.USER32(?,?), ref: 00DCA956
SetCursor.USER32 ref: 00DCA99F
ScreenToClient.USER32(?,?), ref: 00DCA9BF
PtInRect.USER32(?,?,?), ref: 00DCA9E8

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: ClientCursorScreen$Rect
String ID:
API String ID: 1082406499-0
Opcode ID: 6764a0b11cf9f6491cdecc9bdb399dc3e08ea2c417681adacf1e09411171fae2
Instruction ID: 0a75a9c0cec7819032e513b21678fce8f8cc7d3c7695b64bd1b55a1e74881a21
Opcode Fuzzy Hash: 6764a0b11cf9f6491cdecc9bdb399dc3e08ea2c417681adacf1e09411171fae2
Instruction Fuzzy Hash: A13138B1A0020E9FCB10EFA9C985AAEB7B5FF48314B55442EE506A3250DB359D06DF61

Uniqueness

Uniqueness Score: -1.00%

Function 00DF4288 Relevance: 7.6, APIs: 5, Instructions: 96windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00DF428F
SendMessageW.USER32(?,0000007F,00000000,00000000), ref: 00DF4308
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00DF4315
SendMessageW.USER32(?,0000007F,00000001,00000000), ref: 00DF4320
SendMessageW.USER32(?,00000080,00000001,00000000), ref: 00DF432D

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: MessageSend$H_prolog3
String ID:
API String ID: 1885053084-0
Opcode ID: b3c2c34e5abe8027122fc5b550a2f627a3c203a29bc6f7c048eb67111f8c75b7
Instruction ID: f48459677774b2247cc5e245b6e434689e85315ac44ec65276cea649219750b2
Opcode Fuzzy Hash: b3c2c34e5abe8027122fc5b550a2f627a3c203a29bc6f7c048eb67111f8c75b7
Instruction Fuzzy Hash: 22317E31340609ABDF249B20CC96FBE36A5BF84710F094279F64A9F2D6DF709840DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DD31FD Relevance: 7.6, APIs: 5, Instructions: 96COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00DD3251

Part of subcall function 00DB5A40: GetWindowLongW.USER32(?,000000EC), ref: 00DB5A4B

OffsetRect.USER32(?,?,00000000), ref: 00DD32AC
UnionRect.USER32(?,?,?), ref: 00DD32CA
EqualRect.USER32(?,?), ref: 00DD32D8
UpdateWindow.USER32(?), ref: 00DD3314

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Rect$Window$EqualLongOffsetUnionUpdate
String ID:
API String ID: 4261707372-0
Opcode ID: efb414069d56c77187994d31eb9fb66b4ad4c000b55507429d5bb95a5310b299
Instruction ID: 5852af0f19f886bc48542d40f573d1fd0de323dcca2cca0a69415f50f45d2bcf
Opcode Fuzzy Hash: efb414069d56c77187994d31eb9fb66b4ad4c000b55507429d5bb95a5310b299
Instruction Fuzzy Hash: 23311AB1901209EFCB10DFA5D9849EEBBF9FF48314F14463EE556A3250DB31AA05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0348AF98 Relevance: 7.6, APIs: 5, Instructions: 92stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000), ref: 0348AFA7
_memset.LIBCMT ref: 0348AFB7
lstrlenW.KERNEL32(?), ref: 0348AFC2
lstrlenW.KERNEL32(?), ref: 0348AFCE
_memmove.LIBCMT ref: 0348B077

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: lstrlen$_memmove_memset
String ID:
API String ID: 3850538971-0
Opcode ID: 5cd20005bdb971c7855b8e2d5603ad2a0455aa37f545b7afc4a9f52b36f77f1f
Instruction ID: 67057d31e58cf372d1ec7b707f8ddff18d22b41ab9b944bfacdf62a72fba1c14
Opcode Fuzzy Hash: 5cd20005bdb971c7855b8e2d5603ad2a0455aa37f545b7afc4a9f52b36f77f1f
Instruction Fuzzy Hash: 8241CF74904109EFCF15EF98C980AAEB7F1FF04304F20489AE961EB250D771AEA6DB55

Uniqueness

Uniqueness Score: -1.00%

Function 00DD8942 Relevance: 7.6, APIs: 5, Instructions: 92windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00DD898E
GetClientRect.USER32(?,?), ref: 00DD89CF
PtInRect.USER32(?,?,?), ref: 00DD89E7
MapWindowPoints.USER32(?,?,?,00000001), ref: 00DD8A11
SendMessageW.USER32(?,00000200,?,?), ref: 00DD8A30

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Rect$ClientCursorMessagePointsSendWindow
String ID:
API String ID: 1257894355-0
Opcode ID: 08e1685feaa00c76f64599712fd8db84d6b7791dd7063e86986b08d4d43afad7
Instruction ID: 8ad4e704bf82afde21343f220866468a793bd21d98d5286ca27aff6897c6776b
Opcode Fuzzy Hash: 08e1685feaa00c76f64599712fd8db84d6b7791dd7063e86986b08d4d43afad7
Instruction Fuzzy Hash: 9F311C71A0020AAFDB05DFA5CC84DEEBBB9FF44310F14412BF915A6250DB71A951EFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E4CFA1 Relevance: 7.6, APIs: 5, Instructions: 89windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00E4CFE4
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 00E4D017
GetWindowRect.USER32(?,?), ref: 00E4D026
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 00E4D07C
RedrawWindow.USER32(?,00000000,00000000,00000185), ref: 00E4D08E

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Window$MessageSend$RectRedrawVisible
String ID:
API String ID: 1695962874-0
Opcode ID: 9ae4996d19c1280455418fcd864837953a2e858a2680c4f87356310c27eac3a4
Instruction ID: 566b7f7b7aff0cc59a9c3f4e36135a66dac1f03ca08f5f71930f4ac9dceb5a93
Opcode Fuzzy Hash: 9ae4996d19c1280455418fcd864837953a2e858a2680c4f87356310c27eac3a4
Instruction Fuzzy Hash: 7F312F72900544AFCB11DFA9DD88EAFBBF5FB88710F10465AF525B71A0C771A901CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00DB3189 Relevance: 7.6, APIs: 5, Instructions: 80windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00DB3193
GetTopWindow.USER32(?), ref: 00DB31B8
GetDlgCtrlID.USER32(00000000), ref: 00DB31CA
SendMessageW.USER32(?,00000087,00000000,00000000), ref: 00DB3226
GetWindow.USER32(00000000,00000002), ref: 00DB3266

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Window$CtrlH_prolog3MessageSend
String ID:
API String ID: 849854284-0
Opcode ID: 66db69ea4e038aaa8ffa706ed49149ee069e5463fda120c267734f2fe149ac37
Instruction ID: 2a2449f047a81f0ab973cd33f8ed8daac320ab639bec0ad1e94842bff4f95dea
Opcode Fuzzy Hash: 66db69ea4e038aaa8ffa706ed49149ee069e5463fda120c267734f2fe149ac37
Instruction Fuzzy Hash: 0A21B471900218EEDF20AB64DC85EEEB6B8EF56314F284169F453A2190DB304F41EB71

Uniqueness

Uniqueness Score: -1.00%

Function 00DD0E9F Relevance: 7.6, APIs: 5, Instructions: 73windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DD0904: __EH_prolog3_GS.LIBCMT ref: 00DD090B
Part of subcall function 00DD0904: GetWindowRect.USER32(?,?), ref: 00DD094C
Part of subcall function 00DD0904: CreateRoundRectRgn.GDI32(00000000,00000000,?,?,00000004,00000004), ref: 00DD0976
Part of subcall function 00DD0904: SetWindowRgn.USER32(?,?,00000000), ref: 00DD098C

GetSystemMenu.USER32(?,00000000), ref: 00DD0F13
DeleteMenu.USER32(?,0000F120,00000000,00000000), ref: 00DD0F34
DeleteMenu.USER32(?,0000F020,00000000), ref: 00DD0F40
DeleteMenu.USER32(?,0000F030,00000000), ref: 00DD0F4C
EnableMenuItem.USER32(?,0000F060,00000001), ref: 00DD0F66

Part of subcall function 00DC9AD2: SetRectEmpty.USER32(?), ref: 00DC9B05
Part of subcall function 00DC9AD2: ReleaseCapture.USER32 ref: 00DC9B0B
Part of subcall function 00DC9AD2: SetCapture.USER32(?), ref: 00DC9B1A
Part of subcall function 00DC9AD2: GetCapture.USER32 ref: 00DC9B5C
Part of subcall function 00DC9AD2: ReleaseCapture.USER32 ref: 00DC9B6C
Part of subcall function 00DC9AD2: SetCapture.USER32(?), ref: 00DC9B7B
Part of subcall function 00DC9AD2: RedrawWindow.USER32(?,?,?,00000505), ref: 00DC9BE6

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: CaptureMenu$DeleteRectWindow$Release$CreateEmptyEnableH_prolog3_ItemRedrawRoundSystem
String ID:
API String ID: 2818640433-0
Opcode ID: e1c4b67bd55463f75dc93e3cd334156fab60fc75170532271d37b3286165d295
Instruction ID: 81ee609a0f7159a34ddd23fe9e3b0336aff9985830495d785c461b8dc8a83743
Opcode Fuzzy Hash: e1c4b67bd55463f75dc93e3cd334156fab60fc75170532271d37b3286165d295
Instruction Fuzzy Hash: F421A271740214AFDB312B61CC99FAE7F69EF84750F084076F505AA2A2CB719C11DBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00DD6593 Relevance: 7.6, APIs: 5, Instructions: 70windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00DD659A
DestroyMenu.USER32(?,00000004), ref: 00DD65D6
IsWindow.USER32(?), ref: 00DD65E7
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00DD65FB
~_Task_impl.LIBCPMT ref: 00DD6674

Part of subcall function 00E3C1EF: GetParent.USER32(00000000), ref: 00E3C255

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: DestroyH_prolog3MenuMessageParentSendTask_implWindow
String ID:
API String ID: 1857064102-0
Opcode ID: 0eeb3a2c572c66ba4296ad4cf496863935006518e60d1846fb70bdda2f8f4a71
Instruction ID: 0c8ad4646b795bb19755b898f988102a6a17de0a9d1e4d769559eb85a6435815
Opcode Fuzzy Hash: 0eeb3a2c572c66ba4296ad4cf496863935006518e60d1846fb70bdda2f8f4a71
Instruction Fuzzy Hash: A831B470501684DEC721EB74C645BAEBBF0BF96304F18095CE49A67282CBB56606DB72

Uniqueness

Uniqueness Score: -1.00%

Function 034A16DB Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 034A16E9

Part of subcall function 0349FA8E: __FF_MSGBANNER.LIBCMT ref: 0349FAA7
Part of subcall function 0349FA8E: __NMSG_WRITE.LIBCMT ref: 0349FAAE
Part of subcall function 0349FA8E: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,034A5848,00000000,00000001,00000000,?,034ABD03,00000018,034C3CD0,0000000C,034ABD93), ref: 0349FAD3

_free.LIBCMT ref: 034A16FC

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: AllocHeap_free_malloc
String ID:
API String ID: 2734353464-0
Opcode ID: 9dd635f6ae340b436bbd391b9d873e939b638118c190368a1d5d01e935ea35fb
Instruction ID: d6506a535b440c94541e362038100721f763cb8b824b9204d6b73a2a2d6a5792
Opcode Fuzzy Hash: 9dd635f6ae340b436bbd391b9d873e939b638118c190368a1d5d01e935ea35fb
Instruction Fuzzy Hash: 35117D3A400B11AFDF21FB79A804A5A3F98AF542B3F28012BF46ADF250DF358441875C

Uniqueness

Uniqueness Score: -1.00%

Function 00E2075B Relevance: 7.6, APIs: 5, Instructions: 68windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E2078F
SHAppBarMessage.SHELL32(00000007,?), ref: 00E207AD
SHAppBarMessage.SHELL32(00000007,?), ref: 00E207C7
SHAppBarMessage.SHELL32(00000007,?), ref: 00E207DD
SHAppBarMessage.SHELL32(00000007,?), ref: 00E207F6

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Message$_memset
String ID:
API String ID: 2485647581-0
Opcode ID: 14930b8528cdf654108c397f24fdb3207dccd6a3c257c46fbc603075b77e6c25
Instruction ID: 571e48b87f19c86708931b95344dd9e9eb30ad10adaae20ccfd72c52c34d7de9
Opcode Fuzzy Hash: 14930b8528cdf654108c397f24fdb3207dccd6a3c257c46fbc603075b77e6c25
Instruction Fuzzy Hash: 5E216F71A0121AAFEB04DFA5DC81FDABBA8AB04318F04102AE515E6181DB71E945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DD888F Relevance: 7.6, APIs: 5, Instructions: 68windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32(?,00004212,00000001), ref: 00DD88C9
EnableMenuItem.USER32(?,00004213,00000000), ref: 00DD88D5
EnableMenuItem.USER32(?,00004214,00000000), ref: 00DD8901
CheckMenuItem.USER32(?,00004213,00000008), ref: 00DD892A
CheckMenuItem.USER32(?,00004214,00000000), ref: 00DD8936

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: ItemMenu$Enable$Check
String ID:
API String ID: 1852492618-0
Opcode ID: caf0ee180ad1fc6ae6ad5fbb3d7ef074c64b215ebfe57bf8832364109bd9a2b3
Instruction ID: b38bb26c0d521e4d53879a08dd1a6b11cbebc2d327db3011f76d9322ecaf7aac
Opcode Fuzzy Hash: caf0ee180ad1fc6ae6ad5fbb3d7ef074c64b215ebfe57bf8832364109bd9a2b3
Instruction Fuzzy Hash: D3112771244304BFD725AB12DD42F2677A9FF90710F85802AFA46AA1A1CA70EC01FF70

Uniqueness

Uniqueness Score: -1.00%

Function 00EA6ADB Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00EA6AE9

Part of subcall function 00EA4CBE: __FF_MSGBANNER.LIBCMT ref: 00EA4CD7
Part of subcall function 00EA4CBE: __NMSG_WRITE.LIBCMT ref: 00EA4CDE
Part of subcall function 00EA4CBE: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,00EADBE9,00F1DADC,00000001,00F1DADC,?,00EAFF61,00000018,00F0BB48,0000000C,00EAFFF1), ref: 00EA4D03

_free.LIBCMT ref: 00EA6AFC

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: fdd565e9eacccf66e058ba9143d21cffa0beea19fc93e1b5bf1a22f23e780d8e
Instruction ID: 46c0a8232d1868b2188fd60072ea637f71afdf7e92028cab4f328ec4e5e3f775
Opcode Fuzzy Hash: fdd565e9eacccf66e058ba9143d21cffa0beea19fc93e1b5bf1a22f23e780d8e
Instruction Fuzzy Hash: C211AB338445159ACF212B74EC05AD93BD4AF4F364B296135F855FF1A0EE30A84287B0

Uniqueness

Uniqueness Score: -1.00%

Function 00DDC16C Relevance: 7.6, APIs: 5, Instructions: 66windowCOMMON

Download Yara Rule

APIs

GlobalGetAtomNameW.KERNEL32(?,?,00000103), ref: 00DDC1E6
GlobalAddAtomW.KERNEL32(?), ref: 00DDC1F5
GlobalGetAtomNameW.KERNEL32(?,?,00000103), ref: 00DDC20B
GlobalAddAtomW.KERNEL32(?), ref: 00DDC214
SendMessageW.USER32(?,000003E4,?,?), ref: 00DDC23E

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: AtomGlobal$Name$MessageSend
String ID:
API String ID: 1515195355-0
Opcode ID: 27b4add666d699c9dc3eee66587816b7a69547221367980ecdbd7c9344e58fcb
Instruction ID: 7ae67c2c3468cccfe106e6408ddd435c00a901879b41201fe9096e3b7d2eac9a
Opcode Fuzzy Hash: 27b4add666d699c9dc3eee66587816b7a69547221367980ecdbd7c9344e58fcb
Instruction Fuzzy Hash: E121927190021CABDB20DFA9CC48AEAB7F8EB59300F04445AE55DD7141D7B4AE84CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00DEA459 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

FillRect.USER32(?,?), ref: 00DEA490
GetParent.USER32(?), ref: 00DEA4AD
GetClientRect.USER32(?,?), ref: 00DEA4BC
GetParent.USER32(?), ref: 00DEA4C5
MapWindowPoints.USER32(?,?,?,00000002), ref: 00DEA4DA

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: ParentRect$ClientFillPointsWindow
String ID:
API String ID: 3058756167-0
Opcode ID: e5daa6e2baee6bd04c6fcec09a9aee50a0d5039006f1cb0e4cfea9143c07948e
Instruction ID: 0bf2b6f8561047de3df280afa73e3fea789575a00c93cb9a9937d91951d67167
Opcode Fuzzy Hash: e5daa6e2baee6bd04c6fcec09a9aee50a0d5039006f1cb0e4cfea9143c07948e
Instruction Fuzzy Hash: 2C215171900209EFCB00EFA5CD49CAFBBB5FF49310B554569F806A7261DB71A905CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DA4233 Relevance: 7.6, APIs: 5, Instructions: 62networkCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00DA423A
EnterCriticalSection.KERNEL32(00000204,00000004,00DA3573,?,00000000,?,?,?,?,00DA32D1,?,?,00000000,000000FF,00000000), ref: 00DA4256
WSASetLastError.WS2_32(000005B6,?,?,00000000,?,?,00DA32D1,?,?,00000000,000000FF,00000000), ref: 00DA426A
LeaveCriticalSection.KERNEL32(00000204,?,?,00000000,?,?,00DA32D1,?,?,00000000,000000FF,00000000), ref: 00DA4271

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: CriticalSection$EnterErrorH_prolog3LastLeave
String ID:
API String ID: 3795183752-0
Opcode ID: e938670b055198ae2b904438d378a4faf32175c1395bddb7699e6c1ccae6891c
Instruction ID: 9c78d9ed2af55c84591d85b0f704cb82508a534e91e2677a3e5533ceafd8198f
Opcode Fuzzy Hash: e938670b055198ae2b904438d378a4faf32175c1395bddb7699e6c1ccae6891c
Instruction Fuzzy Hash: 3F110132200B05EBCF119F64CC05B6E7BA4FB86725F144929F952D9090DBF2D4509B39

Uniqueness

Uniqueness Score: -1.00%

Function 00DFE810 Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

GetObjectW.GDI32(?,0000005C,?), ref: 00DFE844
CreateFontIndirectW.GDI32(?), ref: 00DFE859
IsWindow.USER32(?), ref: 00DFE877
InvalidateRect.USER32(?,00000000,00000001), ref: 00DFE895
UpdateWindow.USER32(?), ref: 00DFE89E

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Window$CreateFontIndirectInvalidateObjectRectUpdate
String ID:
API String ID: 1602852816-0
Opcode ID: 8705c1e5998717e4614b6e1de51eecae6c89a80dd597b04c02fb43f3a254f268
Instruction ID: 32decdd79ea189d8b7a1014473dd63035760a6d2dd0ca1497a139ef8b5210fb7
Opcode Fuzzy Hash: 8705c1e5998717e4614b6e1de51eecae6c89a80dd597b04c02fb43f3a254f268
Instruction Fuzzy Hash: 5C118231600208AFDB20AF71DC49EAAB7A8FF44754F09443AB646A71A1EF71EC05DB70

Uniqueness

Uniqueness Score: -1.00%

Function 00DC6C98 Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

GetMapMode.GDI32(?,00000000,?,?,?,?,00DBF9E5,?,00000000), ref: 00DC6CAA
GetDeviceCaps.GDI32(?,00000058), ref: 00DC6CE4
GetDeviceCaps.GDI32(?,0000005A), ref: 00DC6CED

Part of subcall function 00DAB810: MulDiv.KERNEL32(?,00000000,00000000), ref: 00DAB852
Part of subcall function 00DAB810: MulDiv.KERNEL32(?,00000000,00000000), ref: 00DAB86F

MulDiv.KERNEL32(?,000009EC,00000060), ref: 00DC6D11
MulDiv.KERNEL32(?,000009EC,?), ref: 00DC6D1C

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: CapsDevice$Mode
String ID:
API String ID: 696222070-0
Opcode ID: b5c76b99ae8d39e518815311b0e562357221da412262e6e0ce7f079ae0449b47
Instruction ID: 2f2575e9f7f90ee2e38b2baa14efb6e19261fe1c06af3e2ef84123fc14851362
Opcode Fuzzy Hash: b5c76b99ae8d39e518815311b0e562357221da412262e6e0ce7f079ae0449b47
Instruction Fuzzy Hash: B811C271600608AFCB215F6ACD44D1EBBE9EF88760B164429F98697360CB72EC029F60

Uniqueness

Uniqueness Score: -1.00%

Function 00DC6D28 Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

GetMapMode.GDI32(?,00000000,?,?,?,?,00DBF97A,?,00000000), ref: 00DC6D3A
GetDeviceCaps.GDI32(?,00000058), ref: 00DC6D74
GetDeviceCaps.GDI32(?,0000005A), ref: 00DC6D7D

Part of subcall function 00DAB7A5: MulDiv.KERNEL32(?,00000000,00000000), ref: 00DAB7E7
Part of subcall function 00DAB7A5: MulDiv.KERNEL32(?,00000000,00000000), ref: 00DAB804

MulDiv.KERNEL32(?,00000060,000009EC), ref: 00DC6DA1
MulDiv.KERNEL32(?,?,000009EC), ref: 00DC6DAC

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: CapsDevice$Mode
String ID:
API String ID: 696222070-0
Opcode ID: 91ea07b916a1f5e8616529f1549f90be40d7f572973b69ee2c101dc1a6837d4c
Instruction ID: 88b4043273d6ed8c8d6ab709f1eb0a4dd162cf79720165a6d77b3d64e470a2d6
Opcode Fuzzy Hash: 91ea07b916a1f5e8616529f1549f90be40d7f572973b69ee2c101dc1a6837d4c
Instruction Fuzzy Hash: 9711C275700605AFDB215F55CC48D1EBBF9EF88760B19442DF98257360CB71EC029BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DD0904 Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00DD090B
GetWindowRect.USER32(?,?), ref: 00DD094C
CreateRoundRectRgn.GDI32(00000000,00000000,?,?,00000004,00000004), ref: 00DD0976
SetWindowRgn.USER32(?,?,00000000), ref: 00DD098C

Part of subcall function 00DA4EC8: __EH_prolog3_catch.LIBCMT ref: 00DA4EE7

SetWindowRgn.USER32(?,00000000,00000000), ref: 00DD09A8

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Window$Rect$CreateH_prolog3_H_prolog3_catchRound
String ID:
API String ID: 3306422325-0
Opcode ID: 3ac2b414d97a98bc5267969cdab04789ba6ad229b148d816b063d64aa572f707
Instruction ID: 5dcbb046b02b7f625ec6bde14f654ae8b353eb658e5fbe142868fad7cfb41068
Opcode Fuzzy Hash: 3ac2b414d97a98bc5267969cdab04789ba6ad229b148d816b063d64aa572f707
Instruction Fuzzy Hash: 851106718006089FDB20DFA9C959EEEFAB4FF88310F18022EE591B2261D7715941CF25

Uniqueness

Uniqueness Score: -1.00%

Function 00DF0782 Relevance: 7.6, APIs: 5, Instructions: 56COMMON

Download Yara Rule

APIs

SetCapture.USER32(?), ref: 00DF079A
GetCursorPos.USER32(?), ref: 00DF07D9
LoadCursorW.USER32(00000000,00007F86), ref: 00DF0803
SetCursor.USER32(00000000), ref: 00DF080A
GetCursorPos.USER32(?), ref: 00DF0817

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Cursor$CaptureLoad
String ID:
API String ID: 1460996051-0
Opcode ID: 31b6ebb87314623f8160418cb7543f9539830df2aff9642e56a4f4dabdabaac2
Instruction ID: 14a0f1c4cbf59a9c9b4a43cadd819d439edd3dbffff2c7546a1b72365b630566
Opcode Fuzzy Hash: 31b6ebb87314623f8160418cb7543f9539830df2aff9642e56a4f4dabdabaac2
Instruction Fuzzy Hash: 081182316002089FDB24AB75C80CFEA7BE9FF55755F05443DE68A93252CB71A841CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0348B1E9 Relevance: 7.6, APIs: 5, Instructions: 54COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000400,00000000,0348846F), ref: 0348B218

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: OpenProcess
String ID:
API String ID: 3743895883-0
Opcode ID: e4e1a673b57e6ad371ed897d81929e0650eed862e7a834d03a78eee13a1b15b9
Instruction ID: e549bb5003a1fc58d319d1982d4b50092683bc6b512e0d16b31516c5e317c871
Opcode Fuzzy Hash: e4e1a673b57e6ad371ed897d81929e0650eed862e7a834d03a78eee13a1b15b9
Instruction Fuzzy Hash: 7A110630A1420CEFDF00FF74D849AAE7BF8EF18305F1048A6E916EE250E7719A559B48

Uniqueness

Uniqueness Score: -1.00%

Function 00DDA458 Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00DDA45F

Part of subcall function 00DA6304: _malloc.LIBCMT ref: 00DA6322

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,00000008), ref: 00DDA499
GetCurrentProcess.KERNEL32(?,00000000), ref: 00DDA49F
DuplicateHandle.KERNEL32(00000000), ref: 00DDA4A2
GetLastError.KERNEL32(?), ref: 00DDA4BC

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: CurrentProcess$DuplicateErrorH_prolog3HandleLast_malloc
String ID:
API String ID: 3353467733-0
Opcode ID: 393d4740d5e8d75216642e039b684c5239ef3880e2006f926c6fe66aaecd4838
Instruction ID: 427cce27c62d34587899ca075694b164f55aef1a6791beb656d136db2cf1e9ce
Opcode Fuzzy Hash: 393d4740d5e8d75216642e039b684c5239ef3880e2006f926c6fe66aaecd4838
Instruction Fuzzy Hash: 8901A171A002059FCB20EFB9DC4995EB7A4FF44700B19852AF919EF391CB71D9018B71

Uniqueness

Uniqueness Score: -1.00%

Function 00E10EE4 Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,75296BA0,00000000,00ED7718,?,00E12D96,?,?,?,00000084,00E1316A,0000000A,0000000A,0000000A,00000000), ref: 00E10F08
LoadResource.KERNEL32(?,00000000,?,00E12D96,?,?,?,00000084,00E1316A,0000000A,0000000A,0000000A,00000000,00000014,00E0B725,00000004), ref: 00E10F1E
LockResource.KERNEL32(00000000,?,?,00E12D96,?,?,?,00000084,00E1316A,0000000A,0000000A,0000000A,00000000,00000014,00E0B725,00000004), ref: 00E10F2D
FreeResource.KERNEL32(?,00000000,00000000,?,?,00E12D96,?,?,?,00000084,00E1316A,0000000A,0000000A,0000000A,00000000,00000014), ref: 00E10F3E
SizeofResource.KERNEL32(?,00000000,?,?,00E12D96,?,?,?,00000084,00E1316A,0000000A,0000000A,0000000A,00000000,00000014,00E0B725), ref: 00E10F4B

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Resource$FindFreeLoadLockSizeof
String ID:
API String ID: 4159136517-0
Opcode ID: e8827f22fc058c79b6f0951efec216ff34bff552ba39075a0e6c26ad56e9d867
Instruction ID: 575e5299c91bdd1fdd9071fceac0ed25cd9ad0d9c81194c9528c1f66650c3fb8
Opcode Fuzzy Hash: e8827f22fc058c79b6f0951efec216ff34bff552ba39075a0e6c26ad56e9d867
Instruction Fuzzy Hash: E0017176600619BF8B215BA69C19CDF7BACEB893683059034FD05B3210DA75DD82C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00DA275E Relevance: 7.6, APIs: 5, Instructions: 50windowCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 00DA277C
TranslateMessage.USER32(?), ref: 00DA27A2
DispatchMessageW.USER32(?), ref: 00DA27AC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00DA27BB
SetLastError.KERNEL32(000005B4), ref: 00DA27C8

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Message$DispatchErrorLastMultipleObjectsPeekTranslateWait
String ID:
API String ID: 2669921780-0
Opcode ID: 3c485cf962d2573a060eeec38ac17ab54a771d7369e4373857123fae1f2e267b
Instruction ID: 4a6292498b0cbf23fece50639dc83a274935007f4662f74778b7b8e6285aec1c
Opcode Fuzzy Hash: 3c485cf962d2573a060eeec38ac17ab54a771d7369e4373857123fae1f2e267b
Instruction Fuzzy Hash: 8D01D6335002196BCA2067BA9C4DDAB7AACDF46768B480231F522E10D0D664D94786B1

Uniqueness

Uniqueness Score: -1.00%

Function 00DB7023 Relevance: 7.5, APIs: 5, Instructions: 45windowCOMMON

Download Yara Rule

APIs

ScreenToClient.USER32(?,?), ref: 00DB7032
SendMessageW.USER32(?,00000366,00000000,?), ref: 00DB704E
ClientToScreen.USER32(?,?), ref: 00DB705B
GetWindowLongW.USER32(?,000000F0), ref: 00DB7064
GetParent.USER32(?), ref: 00DB7072

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: ClientScreen$LongMessageParentSendWindow
String ID:
API String ID: 4240056119-0
Opcode ID: 6dddf91e091c8a2ac590f2f2ecf4b7363bb74ec96577ee39c588ae3b948ee7ae
Instruction ID: dd22f69e2c93382da3c40bb4168718f490ddf34ffb417b7e6b8cfedfed3f600e
Opcode Fuzzy Hash: 6dddf91e091c8a2ac590f2f2ecf4b7363bb74ec96577ee39c588ae3b948ee7ae
Instruction Fuzzy Hash: 0AF08176105528BBE3121B1A9C08EFA37BCEF81761F184237FD26D6180DB35DE0686B5

Uniqueness

Uniqueness Score: -1.00%

Function 00DD469F Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(00000000), ref: 00DD46B5
ScreenToClient.USER32(?,00000000), ref: 00DD46C2
PtInRect.USER32(?,00000000,00000000), ref: 00DD46D5
LoadCursorW.USER32(00000000,00007F86), ref: 00DD46F4
SetCursor.USER32(00000000), ref: 00DD4700

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Cursor$ClientLoadRectScreen
String ID:
API String ID: 2747913190-0
Opcode ID: c8d60462a800ab31efce57b05f2506e1c188b589c0e77ceeda79afcb6c7db984
Instruction ID: 289a245b395e25e4b1b3543e9d66aa228e0e8dd0643b8ad44c53b45944887ef7
Opcode Fuzzy Hash: c8d60462a800ab31efce57b05f2506e1c188b589c0e77ceeda79afcb6c7db984
Instruction Fuzzy Hash: EA01487250020DBFDB10AFA1DC48FAE7BBCFB04359F04442AF906E2120DB359A46EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00DEE9D9 Relevance: 7.5, APIs: 5, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00DEE9F5
_memset.LIBCMT ref: 00DEEA0F
GetKeyboardLayout.USER32(?), ref: 00DEEA1F
MapVirtualKeyW.USER32(?,00000000), ref: 00DEEA3D
ToUnicodeEx.USER32(?,00000000), ref: 00DEEA47

Part of subcall function 00DA6451: __CxxThrowException@8.LIBCMT ref: 00DA6467
Part of subcall function 00DA6451: __EH_prolog3.LIBCMT ref: 00DA6474

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Keyboard$Exception@8H_prolog3LayoutStateThrowUnicodeVirtual_memset
String ID:
API String ID: 4204171240-0
Opcode ID: 8d1ad7ab3c80a234821e5a200b686aa1d99f38f4ade7c4d724e685e422ae56b9
Instruction ID: 85c0a6f8aaf3e74a8a0df635aff4c35f02c897f050bcdbe6244c486482e4c9a4
Opcode Fuzzy Hash: 8d1ad7ab3c80a234821e5a200b686aa1d99f38f4ade7c4d724e685e422ae56b9
Instruction Fuzzy Hash: E701627160010CAFDB10AB61DC4AFDE77BCEF19704F444075B646E60D1DAB1EA458B65

Uniqueness

Uniqueness Score: -1.00%

Function 00DA4484 Relevance: 7.5, APIs: 6, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,00000000), ref: 00DA449A
EnterCriticalSection.KERNEL32(?,?,?,00000000), ref: 00DA44A0
LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 00DA44AF
LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 00DA44B2

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 1f34f8e8c86ed15033000f92f9fd56cccd33da358c1dfdb4bec1be49b255a368
Instruction ID: ef2cda8d29705380dad8b8ef7471098d836e62655bb4599f2bf0e25fbe705f93
Opcode Fuzzy Hash: 1f34f8e8c86ed15033000f92f9fd56cccd33da358c1dfdb4bec1be49b255a368
Instruction Fuzzy Hash: 46F0A47290152DAFC7009B61CC48B6AB79CFF4932AF090025E90593900C7F5B814CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 00DA2877 Relevance: 7.5, APIs: 5, Instructions: 35COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 00DA28A7
CancelIo.KERNEL32(?), ref: 00DA28B0
InterlockedExchange.KERNEL32(?,00000000), ref: 00DA28B9
closesocket.WS2_32(?), ref: 00DA28C2
SetEvent.KERNEL32(?), ref: 00DA28CB

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
String ID:
API String ID: 1486965892-0
Opcode ID: e660157d5ecd085ccbef8dd573cf14cb50bb4277363a8a0b5ed2f6565ec52ab0
Instruction ID: fc8adf86c278a5104ca786e1e79c5831f70bc84cef773f47505a09d612e6d8b4
Opcode Fuzzy Hash: e660157d5ecd085ccbef8dd573cf14cb50bb4277363a8a0b5ed2f6565ec52ab0
Instruction Fuzzy Hash: 4BF0A932100308EFD7245B65DC0AEAA77B8FF44B15F044639E292A15B0D7B1A80ADB01

Uniqueness

Uniqueness Score: -1.00%

Function 034A96AB Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 034A96B7

Part of subcall function 034A861F: __getptd_noexit.LIBCMT ref: 034A8622
Part of subcall function 034A861F: __amsg_exit.LIBCMT ref: 034A862F

__getptd.LIBCMT ref: 034A96CE
__amsg_exit.LIBCMT ref: 034A96DC
__lock.LIBCMT ref: 034A96EC
__updatetlocinfoEx_nolock.LIBCMT ref: 034A9700

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: ea5c9f4840bc14e37b69de13ce9dda59d1a54fdb0f9389500d104783581bd278
Instruction ID: 3fb9ba252602e27e0bc42de5418450d44c6fd0fd2834312ed530768ac335a06e
Opcode Fuzzy Hash: ea5c9f4840bc14e37b69de13ce9dda59d1a54fdb0f9389500d104783581bd278
Instruction Fuzzy Hash: EBF0903A901F189FEB61FB6E9401B5D7AE0AF24720F14410FD521AF2E1CB6449408A9D

Uniqueness

Uniqueness Score: -1.00%

Function 03492C8F Relevance: 7.5, APIs: 5, Instructions: 34processCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,000001FE), ref: 03492CB6
GetCommandLineW.KERNEL32 ref: 03492CBC
GetStartupInfoW.KERNEL32(?), ref: 03492CCF
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000020,00000000,00000000,?,?), ref: 03492CFC
ExitProcess.KERNEL32 ref: 03492D0A

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: Process$CommandCreateExitFileInfoLineModuleNameStartup
String ID:
API String ID: 3421218197-0
Opcode ID: fc291f5c27dbe2e7277876af4a450279acdbc1d8aeff2dd2d2ca6f7c0858f1c9
Instruction ID: ebb0aeb202f23097f735b72053167e95c3d2592baa18bc01b5300844c90069b3
Opcode Fuzzy Hash: fc291f5c27dbe2e7277876af4a450279acdbc1d8aeff2dd2d2ca6f7c0858f1c9
Instruction Fuzzy Hash: 3F01EC71944318EFEB60AFA4DC4DFDA77B8EB04701F1042A1B619FA1D5EA706A888F54

Uniqueness

Uniqueness Score: -1.00%

Function 00EB0F35 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00EB0F41

Part of subcall function 00EAD75C: __getptd_noexit.LIBCMT ref: 00EAD75F
Part of subcall function 00EAD75C: __amsg_exit.LIBCMT ref: 00EAD76C

__getptd.LIBCMT ref: 00EB0F58
__amsg_exit.LIBCMT ref: 00EB0F66
__lock.LIBCMT ref: 00EB0F76
__updatetlocinfoEx_nolock.LIBCMT ref: 00EB0F8A

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: d59e1304941e84e002129a916f7d91b86bdb2d35e9927f708f338db8adc9519c
Instruction ID: f00ef60a219cf932c58fe8d8f2eb024e7ae2390731e12b0794be738013721e40
Opcode Fuzzy Hash: d59e1304941e84e002129a916f7d91b86bdb2d35e9927f708f338db8adc9519c
Instruction Fuzzy Hash: 56F09032B44714DBDB31BBA858037AF37E0AF46724F156209F1557A1C2CB74B902DA96

Uniqueness

Uniqueness Score: -1.00%

Function 034985CA Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 480COMMON

Download Yara Rule

APIs

Part of subcall function 034999C8: std::_Lockit::_Lockit.LIBCPMT ref: 034999F2

_localeconv.LIBCMT ref: 034986A6
_strcspn.LIBCMT ref: 034987C6

Strings

@, xrefs: 034988B9
e, xrefs: 034986B2

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: LockitLockit::__localeconv_strcspnstd::_
String ID: @$e
API String ID: 2081099538-1139482787
Opcode ID: cc618f7a7803a166894e01518565d1ba91ee3f5ea411354344fa6d3e37677421
Instruction ID: 566d13b4b94fa6d389da1d7c506b7d86233c603dd5c6f90e79b828b9439fcf8e
Opcode Fuzzy Hash: cc618f7a7803a166894e01518565d1ba91ee3f5ea411354344fa6d3e37677421
Instruction Fuzzy Hash: 6422E275900249AFEF15DFA8CC80AEE7BB5FF08304F0441AAF919AB261D7359A60DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00E6F0BA Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 432COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00E6F0C1
IsRectEmpty.USER32(?), ref: 00E6F4E0
OffsetRect.USER32(?,00000000,00000001), ref: 00E6F51C

Strings

!, xrefs: 00E6F366

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Rect$EmptyH_prolog3_Offset
String ID: !
API String ID: 307044148-2657877971
Opcode ID: 03b5e1bc640b48298619cff41b1c409a88a1357dbefa3c9dff41c48a1cf80bf7
Instruction ID: 8088d552d7317f2bcd0b87b2d8e0782476b77271ee59025f0e3bc36fddbb8a49
Opcode Fuzzy Hash: 03b5e1bc640b48298619cff41b1c409a88a1357dbefa3c9dff41c48a1cf80bf7
Instruction Fuzzy Hash: D5027C71A00219DFCF00DFA8D894AEDBBB5FF49344F144169E816BB295DB70A946CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0348F6AF Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 253COMMON

Download Yara Rule

APIs

Part of subcall function 0348EE46: GdipGetImagePixelFormat.GDIPLUS(?,?), ref: 0348EE58

Part of subcall function 0348EE6C: GdipGetImagePaletteSize.GDIPLUS(00000000,00000000), ref: 0348EE82

__alloca_probe_16.LIBCMT ref: 0348F7AB

Part of subcall function 0348EFAD: GdipCreateBitmapFromScan0.GDIPLUS(?,?,?,?,?,00000000), ref: 0348EFDD

Part of subcall function 0348EC8C: GdipGetImageGraphicsContext.GDIPLUS(?,00000000), ref: 0348ECA8

Part of subcall function 0348ECDA: GdipDrawImageI.GDIPLUS(?,00000000,?,?), ref: 0348ED05

Part of subcall function 0348ECC6: GdipDeleteGraphics.GDIPLUS(?), ref: 0348ECD2

Strings

&, xrefs: 0348F925
, xrefs: 0348F70E
&, xrefs: 0348F71E

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: Gdip$Image$Graphics$BitmapContextCreateDeleteDrawFormatFromPalettePixelScan0Size__alloca_probe_16
String ID: &$ &$
API String ID: 2756110551-2797992771
Opcode ID: b136438b0ab4d4c17c8097612b882cb4b5af1df16ef04f4ec1732f78f2feabf8
Instruction ID: 7475450a68d6bd32b68ca077f33f2a6fc9de65fc2f0847eda1fe40052b86b841
Opcode Fuzzy Hash: b136438b0ab4d4c17c8097612b882cb4b5af1df16ef04f4ec1732f78f2feabf8
Instruction Fuzzy Hash: D8C1E5B4D002299FDF20EF55DD81BAEB7B5AF48304F5040EAE609AB251DB345E89CF19

Uniqueness

Uniqueness Score: -1.00%

Function 00E683CB Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 239COMMON

Download Yara Rule

APIs

OffsetRect.USER32(-00000018,00000000,00000000), ref: 00E684A8
__EH_prolog3.LIBCMT ref: 00E684CB
GetSystemMetrics.USER32(00000002), ref: 00E68538

Part of subcall function 00DC731F: __EH_prolog3.LIBCMT ref: 00DC7326

Strings

t, xrefs: 00E684ED

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: H_prolog3$MetricsOffsetRectSystem
String ID: t
API String ID: 1613555380-1810194760
Opcode ID: cfcb08aeed82260afae4edd24e4cd86d0c79d21cf09a62c3f06bd7c74aaf5384
Instruction ID: 1340fb35d9c6cdcc0cb649b3257cb15eb22dba32adde0e883d56f75c79adabe8
Opcode Fuzzy Hash: cfcb08aeed82260afae4edd24e4cd86d0c79d21cf09a62c3f06bd7c74aaf5384
Instruction Fuzzy Hash: EBA16A31A4070ADFCB20DFA8D989AAEB7F1FF44354F144669E566AB251DF30A940CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00DCEDD6 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 237windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00DCEDE0
GetParent.USER32(?), ref: 00DCF03F
SendMessageW.USER32(?,?,00000000), ref: 00DCF063

Part of subcall function 00DA6451: __CxxThrowException@8.LIBCMT ref: 00DA6467
Part of subcall function 00DA6451: __EH_prolog3.LIBCMT ref: 00DA6474

Part of subcall function 00E160F6: __EH_prolog3.LIBCMT ref: 00E160FD

Strings

<w, xrefs: 00DCF0AC

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: H_prolog3$Exception@8H_prolog3_MessageParentSendThrow
String ID: <w
API String ID: 361253730-539545700
Opcode ID: ac75364b1dcebe325ea0224809b9bf483f2a398a0e66694d51f882c4c3bb78be
Instruction ID: 67d56ddcb019da66bd640c50d77dd4204e21f2bae55c8432813b961d76a3ccf2
Opcode Fuzzy Hash: ac75364b1dcebe325ea0224809b9bf483f2a398a0e66694d51f882c4c3bb78be
Instruction Fuzzy Hash: D6917DB1600216DFCB249F64C884FEEB7BAAF44314F1446BDE5AA97291DB709D80DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00DD0B59 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00DD0B60
IsWindow.USER32(?), ref: 00DD0C99

Part of subcall function 00DB64CC: __EH_prolog3_catch.LIBCMT ref: 00DB64D3

IsWindow.USER32(?), ref: 00DD0D4C

Strings

<w, xrefs: 00DD0D08

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: H_prolog3_catchWindow
String ID: <w
API String ID: 751930432-539545700
Opcode ID: e16f911a946840e12095a4ffa6d2831e65137235cc9214aa14b5d4e1f4d82bc1
Instruction ID: e9d40f9a257f85d3de04cad05584ab366a4f8819b2717d020f4e1f26ef90777c
Opcode Fuzzy Hash: e16f911a946840e12095a4ffa6d2831e65137235cc9214aa14b5d4e1f4d82bc1
Instruction Fuzzy Hash: EE616C352006059FCB15EF68C494BAEBBB5FF88304F18056DF956A7391DF30A941CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DF6ACB Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 164COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00DF6B07
GetWindowRect.USER32(?,?), ref: 00DF6BA4
IsRectEmpty.USER32(?), ref: 00DF6BAE

Part of subcall function 00DA6451: __CxxThrowException@8.LIBCMT ref: 00DA6467
Part of subcall function 00DA6451: __EH_prolog3.LIBCMT ref: 00DA6474

Strings

\, xrefs: 00DF6B24, 00DF6B39

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Rect$Window$EmptyException@8H_prolog3Throw
String ID: \
API String ID: 2711673171-2661760580
Opcode ID: 6691a476f5d61aff6a27ab6a8e84d650ee1837fa8534fb0bcb6f6fb9a88e6168
Instruction ID: a184bde0f7498f7cb5770cb761f2be09ec71da6d2805101d0bcaa0bf167d48f8
Opcode Fuzzy Hash: 6691a476f5d61aff6a27ab6a8e84d650ee1837fa8534fb0bcb6f6fb9a88e6168
Instruction Fuzzy Hash: C761E271A0020A9FCB15DFA9C595AFEBBF5FB48300F298069E685E7651DB31ED40CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00DEA74F Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00DEA756
FillRect.USER32(?,?), ref: 00DEA891

Part of subcall function 00E40970: __EH_prolog3.LIBCMT ref: 00E40977
Part of subcall function 00E40970: CreateCompatibleDC.GDI32(?), ref: 00E409DA
Part of subcall function 00E40970: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00E40A0C
Part of subcall function 00E40970: SelectObject.GDI32(?,00000000), ref: 00E40A6A

Strings

h+, xrefs: 00DEA761

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: CompatibleCreate$BitmapFillH_prolog3H_prolog3_ObjectRectSelect
String ID: h+
API String ID: 593165290-1818233205
Opcode ID: 6a706256367b8fa6e13b3d0065dc146495c9450311f773102b362d8541cb7c6a
Instruction ID: e3795a3695bcd9dcfd7eb4a9ec0565fccdaf8443fc3435cc22621e77eb8f61b5
Opcode Fuzzy Hash: 6a706256367b8fa6e13b3d0065dc146495c9450311f773102b362d8541cb7c6a
Instruction Fuzzy Hash: 2D515E3190055ADFCF01EFA5CD859EE7BB5BF45300B054028E906BB262DB71AE0ADB61

Uniqueness

Uniqueness Score: -1.00%

Function 0349E3C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0349E3C7
_Fputc.LIBCPMT ref: 0349E422
_Fputc.LIBCPMT ref: 0349E4F5

Strings

, xrefs: 0349E4CC

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: Fputc$H_prolog3_
String ID:
API String ID: 2569218679-3916222277
Opcode ID: 49ec501af1c6e6bcfbe78e97f3c55a2a549e9cd97ee7deeaae266ca1c84b006b
Instruction ID: c9e8131c5c7f843d5df0aaa5f6bf62a13a2f323de5cbd5a8b8f786a5d69e54f4
Opcode Fuzzy Hash: 49ec501af1c6e6bcfbe78e97f3c55a2a549e9cd97ee7deeaae266ca1c84b006b
Instruction Fuzzy Hash: DA41A331D00609DFEF20CBA8C9849EEBBB9AF49710F14496BE512AF340E771A585CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00DD62A4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00DD62AB

Part of subcall function 00E3D8A1: CreateDIBSection.GDI32(00000000,00000028,00000000,?,00000000,00000000), ref: 00E3D91B

Part of subcall function 00DABA35: __EH_prolog3.LIBCMT ref: 00DABA3C
Part of subcall function 00DABA35: GetDC.USER32(00000000), ref: 00DABA68

CreateCompatibleDC.GDI32(?), ref: 00DD632F

Part of subcall function 00DABD26: SelectObject.GDI32(?,?), ref: 00DABD31

UpdateLayeredWindow.USER32(?,00000000,00000000,?,?,?,00000000,?,00000002), ref: 00DD63AA

Strings

!j, xrefs: 00DD62BF

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: CreateH_prolog3$CompatibleLayeredObjectSectionSelectUpdateWindow
String ID: !j
API String ID: 1721362709-3318286649
Opcode ID: d6305af6e7ab6346d6196f9a1ce81c00570f2089704d1a85835211f24ed5858c
Instruction ID: 044c8e9e916d98f37df15eb7e49022949ab49433027377f47927fe4c4781128d
Opcode Fuzzy Hash: d6305af6e7ab6346d6196f9a1ce81c00570f2089704d1a85835211f24ed5858c
Instruction Fuzzy Hash: F841F77190024DAFCF00DFE8D9819EEBBB9FF09310F14452AF515A7252DB719A49CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00DB8BC3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00DB8BCA

Part of subcall function 00DB6FB3: _wcsrchr.LIBCMT ref: 00DB6FC1

CoCreateGuid.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000028), ref: 00DB8C17

Part of subcall function 00DA6988: _wcslen.LIBCMT ref: 00DA699A

Part of subcall function 00DA6906: _wcsnlen.LIBCMT ref: 00DA693A
Part of subcall function 00DA6906: _wmemcpy_s.LIBCPMT ref: 00DA696E

Strings

0<, xrefs: 00DB8C00
%08lX%04X%04x%02X%02X%02X%02X%02X%02X%02X%02X, xrefs: 00DB8C63

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: CreateGuidH_prolog3__wcslen_wcsnlen_wcsrchr_wmemcpy_s
String ID: %08lX%04X%04x%02X%02X%02X%02X%02X%02X%02X%02X$0<
API String ID: 4087696989-3535680886
Opcode ID: 42b53e61456d4a5fd2a517244e2af4500dc79caafe2ef657f577a94d932f23af
Instruction ID: 22c0c948b5b8df7c24db90045813557ac0175eec63ac0d9544ff6c3da4649aaa
Opcode Fuzzy Hash: 42b53e61456d4a5fd2a517244e2af4500dc79caafe2ef657f577a94d932f23af
Instruction Fuzzy Hash: F8315B72900158AECB01EBE48952AFEFBB9EF4E311F044059F955B7282CA799A059B70

Uniqueness

Uniqueness Score: -1.00%

Function 00DF2AFD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100windowCOMMON

Download Yara Rule

APIs

ReleaseCapture.USER32 ref: 00DF2C1D

Part of subcall function 00E74B09: SetRectEmpty.USER32(?), ref: 00E74B5F
Part of subcall function 00E74B09: IsRectEmpty.USER32(?), ref: 00E74B69
Part of subcall function 00E74B09: SetRectEmpty.USER32(?), ref: 00E74BC0
Part of subcall function 00E74B09: SetRectEmpty.USER32(?), ref: 00E74BC6

IsWindowVisible.USER32(?), ref: 00DF2B3A
GetParent.USER32(?), ref: 00DF2B6D

Strings

px, xrefs: 00DF2B54

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: EmptyRect$CaptureParentReleaseVisibleWindow
String ID: px
API String ID: 1768054721-3846731130
Opcode ID: c7574b27ce44a79681d429f546bc63f7ffbff6ecc6345a4016c53712b9b7e6a9
Instruction ID: f5f0acaeeac7570e5be3b19382efd59b29c19d204c5506b3bbea5d3a058c3689
Opcode Fuzzy Hash: c7574b27ce44a79681d429f546bc63f7ffbff6ecc6345a4016c53712b9b7e6a9
Instruction Fuzzy Hash: 5531A331300600AFDB25AB68C85AFFD77E6AF44701F19406DF68A971A2DB609C81CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E4B0A6 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 100COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00E4B0B0

Part of subcall function 00E3657B: __EH_prolog3.LIBCMT ref: 00E36582

Part of subcall function 00DBC8C7: __EH_prolog3.LIBCMT ref: 00DBC8CE

Part of subcall function 00DBC885: __EH_prolog3.LIBCMT ref: 00DBC88C

Part of subcall function 00E3629E: __EH_prolog3.LIBCMT ref: 00E362A5

_free.LIBCMT ref: 00E4B1A8

Strings

MDITabsState, xrefs: 00E4B19A
%sMDIClientArea-%d, xrefs: 00E4B0EF

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: H_prolog3$H_prolog3_catch_free
String ID: %sMDIClientArea-%d$MDITabsState
API String ID: 276651542-353449602
Opcode ID: f38e2c65c58e4e2fe31aaa052f038b60c54c56a00df5bf4cb010cdea6f4b7f51
Instruction ID: 0f818fc00ba70e20301641362407b2bc74a064690d85255c418c09680602a491
Opcode Fuzzy Hash: f38e2c65c58e4e2fe31aaa052f038b60c54c56a00df5bf4cb010cdea6f4b7f51
Instruction Fuzzy Hash: B7417671900249AFDB05EFE4C895AEDBBB4EF59304F10805DF5057B282DBB05A45CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00E20670 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 79COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E20677

Part of subcall function 00E3657B: __EH_prolog3.LIBCMT ref: 00E36582

Part of subcall function 00DB5AF9: GetDlgCtrlID.USER32(?), ref: 00DB5B02

Strings

%sBasePane-%d%x, xrefs: 00E206DF
IsVisible, xrefs: 00E2071E
%sBasePane-%d, xrefs: 00E206C8

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: H_prolog3$Ctrl
String ID: %sBasePane-%d$%sBasePane-%d%x$IsVisible
API String ID: 3879667756-4027084908
Opcode ID: e553e49a32658b3af6f6944ddab593e471735dacac66ec9255711f93283c27af
Instruction ID: 8e4649abb966f3adef878350cadd8f97fa746538aaeb1dafe4afff003b2570eb
Opcode Fuzzy Hash: e553e49a32658b3af6f6944ddab593e471735dacac66ec9255711f93283c27af
Instruction Fuzzy Hash: 8321CE71A00204AFCF01AFA4CC89EBE7BB5FF45324F145619F915AB2C2CB709A51CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E167ED Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E167F4

Part of subcall function 00E20493: __EH_prolog3.LIBCMT ref: 00E2049A
Part of subcall function 00E20493: SetRectEmpty.USER32(?), ref: 00E20530

Part of subcall function 00E74648: SetRectEmpty.USER32(?), ref: 00E7467A
Part of subcall function 00E74648: SetRectEmpty.USER32(?), ref: 00E74681

SetRectEmpty.USER32(?), ref: 00E168DA
SetRectEmpty.USER32(?), ref: 00E16903

Strings

X', xrefs: 00E168F9

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: EmptyRect$H_prolog3
String ID: X'
API String ID: 3752103406-2274823755
Opcode ID: 6cd826169fa03b06c6b465571b3ec647016511ca4e3723ad37c27a467fbb69d4
Instruction ID: 2efc444c70f4535d0113b0a533ce0bcdf86780a242b7451d6cdfafe612356acb
Opcode Fuzzy Hash: 6cd826169fa03b06c6b465571b3ec647016511ca4e3723ad37c27a467fbb69d4
Instruction Fuzzy Hash: 7A4166B1845B44CFC3659F3A89897C6FBE0BB5A300F90892EE1AE9B341DB752144CF85

Uniqueness

Uniqueness Score: -1.00%

Function 00DBA27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DBA2A2
GetSysColor.USER32(00000014), ref: 00DBA2EC
CreateDIBitmap.GDI32(?,00000028,00000004,?,00000028,00000000), ref: 00DBA33F

Strings

(, xrefs: 00DBA2D0

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: BitmapColorCreate_memset
String ID: (
API String ID: 3930187609-3887548279
Opcode ID: 87cca4cd7532d0ecbd3ec9fa1711283776603664b6d27b457d4a93d08b552d00
Instruction ID: 90aac4e06f8b9c2a0724ffefea765beecc0c3523c3726f5f3eb881d69a23a528
Opcode Fuzzy Hash: 87cca4cd7532d0ecbd3ec9fa1711283776603664b6d27b457d4a93d08b552d00
Instruction Fuzzy Hash: E121F531A10258DFEB04CBB8CD46BEDBBF8EB95700F00846EF546EB281DA755908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00DE0DA7 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(DWMAPI,?,?,00000000,?,?,?,?,?,?,?,?,00E48F36), ref: 00DE0E1E
GetProcAddress.KERNEL32(00000000,DwmInvalidateIconicBitmaps), ref: 00DE0E2E

Strings

DWMAPI, xrefs: 00DE0E19
DwmInvalidateIconicBitmaps, xrefs: 00DE0E28

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: DWMAPI$DwmInvalidateIconicBitmaps
API String ID: 1646373207-1098356003
Opcode ID: c838adbc8701f4df1453695ce2661768c51297e5224a9b809446265fa57d869f
Instruction ID: 491f5434cf0df6e8bd6e10ff4a9cb98845a46cec9aa292cf5b2c94b958f831ef
Opcode Fuzzy Hash: c838adbc8701f4df1453695ce2661768c51297e5224a9b809446265fa57d869f
Instruction Fuzzy Hash: 02118471A002459FCB10EF768D856AF7AF9EF89700B080879B806EB141DAB1DD41C771

Uniqueness

Uniqueness Score: -1.00%

Function 03499528 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 03499552

Part of subcall function 03494FF2: std::_Lockit::_Lockit.LIBCPMT ref: 03495007

Strings

bad cast, xrefs: 034995A7

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: LockitLockit::_std::_
String ID: bad cast
API String ID: 3382485803-3145022300
Opcode ID: 60cf4795948b2461204189c96b6f925c7cd57a2791a20aafa2a452cd0cc2a9bd
Instruction ID: 5f4f9e23ec38dbffa732da27143460498813a04fb6650037c2310d9d74fc9203
Opcode Fuzzy Hash: 60cf4795948b2461204189c96b6f925c7cd57a2791a20aafa2a452cd0cc2a9bd
Instruction Fuzzy Hash: DA211979D0025AEFEF44DFA5D841AEEBBB4FB08210F10462FE521AF290E7749945CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00DE897E Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00DE8985
InflateRect.USER32(?,000000FE,000000FE), ref: 00DE89E1

Strings

iii, xrefs: 00DE89F0
, xrefs: 00DE8A09

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: H_prolog3_InflateRect
String ID: iii$
API String ID: 3173815319-462628325
Opcode ID: 4ccb030667e0a995559edf52a7185c60f27b1f55f7d72b165bd3ebe80c94328c
Instruction ID: e593c8aa5cbadb14e339344dcdfc87d4e0f4089e1b7e4ebb52b40900699ee655
Opcode Fuzzy Hash: 4ccb030667e0a995559edf52a7185c60f27b1f55f7d72b165bd3ebe80c94328c
Instruction Fuzzy Hash: 6621A931A001489FCB00EFA9CC449EDB7F4BF5C760B155129E446BB292EB319E01DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00DBAD30 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00DBAD37
LoadCursorW.USER32(00000000,00007F00), ref: 00DBAD63
GetClassInfoW.USER32(?,00000000,?), ref: 00DBADA7

Part of subcall function 00DA6451: __CxxThrowException@8.LIBCMT ref: 00DA6467
Part of subcall function 00DA6451: __EH_prolog3.LIBCMT ref: 00DA6474

Strings

%s:%x:%x:%x:%x, xrefs: 00DBAD91

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: H_prolog3$ClassCursorException@8InfoLoadThrow
String ID: %s:%x:%x:%x:%x
API String ID: 3308755097-1000192757
Opcode ID: 7444398b7876f6237b464025b586c707a77fec705353dc2c9017e78e9cd35575
Instruction ID: 3193ffdf19d63fd73a656638052b31916f2dff605fcb74e8e03b3261b53fc01b
Opcode Fuzzy Hash: 7444398b7876f6237b464025b586c707a77fec705353dc2c9017e78e9cd35575
Instruction Fuzzy Hash: 102115B1D00209EFDB00EFA9D885AEEBBB4FF09300F148429F515B7251DBB59A418BB5

Uniqueness

Uniqueness Score: -1.00%

Function 00DFE982 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00DFE989
SetRectEmpty.USER32(?), ref: 00DFE9BF

Part of subcall function 00DA6304: _malloc.LIBCMT ref: 00DA6322

SendMessageW.USER32(?,00001036,00000000,00000020), ref: 00DFEA29

Strings

SysListView32, xrefs: 00DFEA03

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: EmptyH_prolog3_MessageRectSend_malloc
String ID: SysListView32
API String ID: 385562461-78025650
Opcode ID: 96063dd0f3f074f8660b5879d82778645ba299967d65d91fff65308721f7f62b
Instruction ID: 1b43c3144fdf75b79d3b1047a70aa9b14944b6e09084019960126c0f28fab9ec
Opcode Fuzzy Hash: 96063dd0f3f074f8660b5879d82778645ba299967d65d91fff65308721f7f62b
Instruction Fuzzy Hash: 2D11A5B1A00349AFCB249FA58D81DEEB6F5FB44310F15422DF366772E1C6715A418B30

Uniqueness

Uniqueness Score: -1.00%

Function 00DEA3A4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

FillRect.USER32(?,?), ref: 00DEA3C9
InflateRect.USER32(?,000000FF,000000FF), ref: 00DEA400
DrawEdge.USER32(?,?,00000000,0000000F), ref: 00DEA420

Strings

iii, xrefs: 00DEA3E6

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Rect$DrawEdgeFillInflate
String ID: iii
API String ID: 785442924-940974255
Opcode ID: 25c190e499114779a53299610040d003990c5fdbe61daac17cab9dd0a06ab47e
Instruction ID: 2d6979674d6a53b467fb646d95feecaa54c885e71046657aa56682269f3ba95f
Opcode Fuzzy Hash: 25c190e499114779a53299610040d003990c5fdbe61daac17cab9dd0a06ab47e
Instruction Fuzzy Hash: C91106B150020DAFCF00DFA4DD84DEF7BB9FB49324B104226B916EB191DB71AA06CB61

Uniqueness

Uniqueness Score: -1.00%

Function 03494E2D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 03494E5A
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 03494EC6

Part of subcall function 034878FE: std::exception::exception.LIBCMT ref: 0348790C

__CxxThrowException@8.LIBCMT ref: 03494EBB

Part of subcall function 034A1F70: RaiseException.KERNEL32(?,?,0349FBA1,?,?,?,?,?,0349FBA1,?,034C3F4C,034CE654,?,03499F4E,0000000C,C463F85C), ref: 034A1FB2

Strings

bad locale name, xrefs: 03494EA5

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: std::_$ExceptionException@8Locinfo::_Locinfo_ctorLockitLockit::_RaiseThrowstd::exception::exception
String ID: bad locale name
API String ID: 3240751772-1405518554
Opcode ID: 029ae82ee4b8cedae07dccf0eddb9101b496b86a1964c573c7de1f7196cef9c9
Instruction ID: 47da4c51114acb1af1bb3bb623105638fd9d312b81fe8f4b99e4a0fc00333c13
Opcode Fuzzy Hash: 029ae82ee4b8cedae07dccf0eddb9101b496b86a1964c573c7de1f7196cef9c9
Instruction Fuzzy Hash: 25116A34D00249AFEF09EFA9C851BAEBB74AF01314F20815ED4226F2C1CB786A048B58

Uniqueness

Uniqueness Score: -1.00%

Function 00DF0665 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00DF067A
GetCursorPos.USER32(00000000), ref: 00DF06BA
ScreenToClient.USER32(?,00000000), ref: 00DF06C7

Strings

px, xrefs: 00DF0692

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: ClientCursorRectScreenWindow
String ID: px
API String ID: 3342839850-3846731130
Opcode ID: a1894289d418074a331a60c1914ffce3ccb2c90e89b2b3e122daca306c69cdb3
Instruction ID: afadd2810f4473f80604e04e5cfe26a2c3b20a2135d73996e8be0613d0787625
Opcode Fuzzy Hash: a1894289d418074a331a60c1914ffce3ccb2c90e89b2b3e122daca306c69cdb3
Instruction Fuzzy Hash: 94018C73501608AFEB04DF95CC89EEABBB9EB85321F140066ED08AB211DB71A9058B60

Uniqueness

Uniqueness Score: -1.00%

Function 00DB6B3E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?), ref: 00DB6B69
GetProcAddress.KERNEL32(00000000,AfxmReleaseManagedReferences), ref: 00DB6B79

Strings

mfcm100u.dll, xrefs: 00DB6B59
AfxmReleaseManagedReferences, xrefs: 00DB6B73

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: AfxmReleaseManagedReferences$mfcm100u.dll
API String ID: 1646373207-3074801404
Opcode ID: 2c8fae2b1abc283477c4a82ca62d28501af13ae544163d22cc57813808b28a16
Instruction ID: f3ec883f788e65f657a73cec0fef52d87af7fffbc347dcc375de40deea5cfd0c
Opcode Fuzzy Hash: 2c8fae2b1abc283477c4a82ca62d28501af13ae544163d22cc57813808b28a16
Instruction Fuzzy Hash: 9EF03072A00248AA8B10DBAAAD45EEF77ECEB89754B141039F505F7181CA75D90586A4

Uniqueness

Uniqueness Score: -1.00%

Function 00DD8274 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(00000000,00000000,00000001), ref: 00DD8292
UpdateWindow.USER32(00000000), ref: 00DD829B
GetParent.USER32(00000000), ref: 00DD82AD

Strings

p, xrefs: 00DD82BA

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: InvalidateParentRectUpdateWindow
String ID: p
API String ID: 208172379-2678736219
Opcode ID: 202e3423270abcf1de4e54cabeea57073286e2a42749a931efb86371c412317c
Instruction ID: 622879f43673ac026d7fb50db437c159e5b4afaf9230fb69ae6d42f9fee47af6
Opcode Fuzzy Hash: 202e3423270abcf1de4e54cabeea57073286e2a42749a931efb86371c412317c
Instruction Fuzzy Hash: CCF06732101A009FD7265B64DC1CB977AB5FF48300F08063AF146AA5B0EFB29880DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00DBA8F1 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00DBA8F8
GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 00DBA939

Part of subcall function 00DA7416: ActivateActCtx.KERNEL32(?,?,00EFE768,00000010), ref: 00DA7436

Strings

SHCreateItemFromParsingName, xrefs: 00DBA933
Shell32.dll, xrefs: 00DBA911

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: ActivateAddressH_prolog3Proc
String ID: SHCreateItemFromParsingName$Shell32.dll
API String ID: 323876227-214508289
Opcode ID: 138969178eeb970f5ebae662ab1bad2a794308b3b9b7162a85936a9affcceb3b
Instruction ID: d6941ad892a4d4deb9af0cd57be192ec9eeae9235f6ae0b628920a34e3600ca3
Opcode Fuzzy Hash: 138969178eeb970f5ebae662ab1bad2a794308b3b9b7162a85936a9affcceb3b
Instruction Fuzzy Hash: 06F090B1608309EEDF10DF649E05B993BA4AB45354F258418F522A60E0CB72C912BF25

Uniqueness

Uniqueness Score: -1.00%

Function 034890BD Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLastInputInfo.USER32(00000008), ref: 034890CE
GetTickCount.KERNEL32 ref: 034890D4
wsprintfW.USER32 ref: 034890FB

Strings

%d min, xrefs: 034890F3

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: CountInfoInputLastTickwsprintf
String ID: %d min
API String ID: 4242421333-1947832151
Opcode ID: d44ca45c44f9f79b5853451b42f85bc16d58f0a57b97a8dd7f47530dcace31fd
Instruction ID: f5fd916ffb2d80961eb388c06e011a7136ea34db7dedcf68472abc08c4377d52
Opcode Fuzzy Hash: d44ca45c44f9f79b5853451b42f85bc16d58f0a57b97a8dd7f47530dcace31fd
Instruction Fuzzy Hash: 88E01271D00208FFDB08EFA5E80999D7BF6FB84304F408079E505FA194EB704A15CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0349A71A Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 17COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0349A72F

Strings

<, xrefs: 0349A720
runas, xrefs: 0349A737
cmd.exe, xrefs: 0349A73E

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: _memset
String ID: <$cmd.exe$runas
API String ID: 2102423945-985064537
Opcode ID: 2eee1878fc7aee0ecebde0cccd24c3badc7e033bcec71b72a8694e73211f8c04
Instruction ID: d047b7bd05aec5d8c49eb6eedcf038afc5c976c39a182d8cc2968e8e1f356b12
Opcode Fuzzy Hash: 2eee1878fc7aee0ecebde0cccd24c3badc7e033bcec71b72a8694e73211f8c04
Instruction Fuzzy Hash: 7BE0ECB4D00308ABDF00EFA5E846BCDBFB8AB54348F404015E900BE391D7B49188CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00DDECDA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(COMCTL32.DLL,00DB973B,0000001C), ref: 00DDECDF
GetProcAddress.KERNEL32(00000000,TaskDialogIndirect), ref: 00DDECF4

Strings

COMCTL32.DLL, xrefs: 00DDECDA
TaskDialogIndirect, xrefs: 00DDECEE

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: COMCTL32.DLL$TaskDialogIndirect
API String ID: 1646373207-244319309
Opcode ID: f8b0fe854895c46bb4ea65bc57c115d2ecf2c1532287651c691004185c8da09d
Instruction ID: fcda140d8d25d0fd72571450db1ad7d69f77f5af5e578af7258298fc68a1e1f1
Opcode Fuzzy Hash: f8b0fe854895c46bb4ea65bc57c115d2ecf2c1532287651c691004185c8da09d
Instruction Fuzzy Hash: F2C080703D431B4E4D1017B56C0DE1C21546510F0670C22327403F5180E965C0054811

Uniqueness

Uniqueness Score: -1.00%

Function 00DDEEF6 Relevance: 6.3, APIs: 4, Instructions: 253COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00DDEEFD

Part of subcall function 00DA6451: __CxxThrowException@8.LIBCMT ref: 00DA6467
Part of subcall function 00DA6451: __EH_prolog3.LIBCMT ref: 00DA6474

_memset.LIBCMT ref: 00DDEF91
_memset.LIBCMT ref: 00DDF02A
_memset.LIBCMT ref: 00DDF158

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: _memset$H_prolog3$Exception@8Throw
String ID:
API String ID: 3059216242-0
Opcode ID: 0b8b934eea8dec3783bae625bf56ef147b2b70f5424af690e10f392f0a0aea3e
Instruction ID: 80da4794d7111946b64a83d9d9c9f2430761e64630b1090539e0a0c62300ebe9
Opcode Fuzzy Hash: 0b8b934eea8dec3783bae625bf56ef147b2b70f5424af690e10f392f0a0aea3e
Instruction Fuzzy Hash: 92A19171A0070ADFCB14DF64C98176EBBB5EF90314F29852AE46A9B391D770EA40CB70

Uniqueness

Uniqueness Score: -1.00%

Function 00DD66A7 Relevance: 6.2, APIs: 4, Instructions: 225windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00DD66B1

Part of subcall function 00DA6451: __CxxThrowException@8.LIBCMT ref: 00DA6467
Part of subcall function 00DA6451: __EH_prolog3.LIBCMT ref: 00DA6474

GetMenuItemCount.USER32(?), ref: 00DD674B
GetMenuItemID.USER32(?,00000000), ref: 00DD676F
GetSubMenu.USER32(00000001,00000000), ref: 00DD6892

Part of subcall function 00E423F2: __EH_prolog3.LIBCMT ref: 00E423F9

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Menu$H_prolog3Item$CountException@8H_prolog3_Throw
String ID:
API String ID: 2058131584-0
Opcode ID: 577087f0ae2a7d921a9870306851854a3f77617f529a933b4bcde07d0ee5004c
Instruction ID: e2077eb692192038eceed37637ad8ce89c8f2f5eda3b6f1d9515977402abb226
Opcode Fuzzy Hash: 577087f0ae2a7d921a9870306851854a3f77617f529a933b4bcde07d0ee5004c
Instruction Fuzzy Hash: 8A917A30A04228DFDB25DB64CD58BEDB7B5EF09710F1842A9E459A72D1DB319E81CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0348E8AB Relevance: 6.2, APIs: 4, Instructions: 196timeCOMMON

Download Yara Rule

APIs

Part of subcall function 0348E7FC: CreateEventW.KERNEL32(00000001,00000000,00000000,00000001,-0000002C,-0000002C,?,0348E8F7,00000001,00000001,00000000,00000000,C463F85C,000000FF,?,0349BE0A), ref: 0348E810

Part of subcall function 03481412: InitializeCriticalSectionAndSpinCount.KERNEL32(00000000,00000000,-00000160,-00000160,?,0348E9D0,00000000,00000001,00000005,00000000,00000001,00000001,00000001,00000000,00000000,C463F85C), ref: 03481420

InterlockedExchange.KERNEL32(-00000018,00000000), ref: 0348EAEA
timeGetTime.WINMM ref: 0348EAF0
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 0348EB04
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0348EB18

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: CreateEvent$CountCriticalExchangeInitializeInterlockedSectionSpinTimetime
String ID:
API String ID: 1802938668-0
Opcode ID: 7953d26d089a2acd0883a2e9fc495da992fa692f60098baf4f389af2f9545eb7
Instruction ID: f2f3a11202ce0463697e59f5865050b8e734bc220c135277fa4536fe36e1b5eb
Opcode Fuzzy Hash: 7953d26d089a2acd0883a2e9fc495da992fa692f60098baf4f389af2f9545eb7
Instruction Fuzzy Hash: 2B910A74A40349EFEB15EB98C856FAEBBB0AF05719F140059E7016F3D1CBB56980CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00DCF0F7 Relevance: 6.2, APIs: 4, Instructions: 183COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,00000000,000000F1), ref: 00DCF121

Part of subcall function 00DA6451: __CxxThrowException@8.LIBCMT ref: 00DA6467
Part of subcall function 00DA6451: __EH_prolog3.LIBCMT ref: 00DA6474

LoadResource.KERNEL32(?,00000000), ref: 00DCF134
LockResource.KERNEL32(00000000), ref: 00DCF142
FreeResource.KERNEL32(?), ref: 00DCF2E6

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Resource$Exception@8FindFreeH_prolog3LoadLockThrow
String ID:
API String ID: 1564530344-0
Opcode ID: 8d4ba5e493220964a23e5b274cd3fa0d81fe022bdacd2357b1a87a74a688be54
Instruction ID: f03da71ad74867d482a66812fbbfe813c6b60dbd7e4b3510dcb55df942b4bbfa
Opcode Fuzzy Hash: 8d4ba5e493220964a23e5b274cd3fa0d81fe022bdacd2357b1a87a74a688be54
Instruction Fuzzy Hash: E9619F74A00207EFCB159FA5C954BEAB7B6FF04344F18813DE84697291EB70D941CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E48443 Relevance: 6.2, APIs: 4, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 00E484DF
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 00E48525
RedrawWindow.USER32(?,00000000,00000000,00000185,?,?,00E222B4,?), ref: 00E48535
IsWindowVisible.USER32(?), ref: 00E485DA

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: MessageSendWindow$RedrawVisible
String ID:
API String ID: 2376333906-0
Opcode ID: a6404335e9ac3fdacc79f54c538f2a6206c8ad2aaf9571928d936f4a0f4bda15
Instruction ID: 25d38168750b1769cc6262afdc576dda6229e86aff349dab0e7689b4ae5949f8
Opcode Fuzzy Hash: a6404335e9ac3fdacc79f54c538f2a6206c8ad2aaf9571928d936f4a0f4bda15
Instruction Fuzzy Hash: 96516D31200600EFC7219F64DA88D6E77F6FB88704F245569F54AAB6A1DE36ED41CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00E7486F Relevance: 6.2, APIs: 4, Instructions: 157COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00E748A1
SetRectEmpty.USER32(?), ref: 00E74933
SetRect.USER32(?,0000000A,?,?), ref: 00E7496A
CopyRect.USER32(?,?), ref: 00E749A3

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Rect$CopyEmptyWindow
String ID:
API String ID: 2176940440-0
Opcode ID: 684637a6d1f9830ae6520c1039f37c81237453152d17a88b1afdf006e943ed10
Instruction ID: 42651353a54e7e9bedd4b321d022bd01114a9afe91cbc0ed9f36a0b12b92113f
Opcode Fuzzy Hash: 684637a6d1f9830ae6520c1039f37c81237453152d17a88b1afdf006e943ed10
Instruction Fuzzy Hash: 3551E2B1D0021DAFCB14DFA9D9848EEFBF8EF88704B14812AE515B7254D7706A46CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 03486E9D Relevance: 6.2, APIs: 4, Instructions: 156COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000139F,C463F85C,?,?,?,?,00000000,034B8D26,000000FF,?,03486CCC,?,?,034858A9), ref: 03486ED6
SetLastError.KERNEL32(0000139F,C463F85C,?,?,?,?,00000000,034B8D26,000000FF,?,03486CCC,?), ref: 03486F13

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 8c967ee046c99acb7b7d5aba71b2cbf0368b6aed233963dad6d27b2b4a9df276
Instruction ID: d9f567b706b1ff29fdd166280b8f32c3fd4e9204880e3ae44e5f106a439a038c
Opcode Fuzzy Hash: 8c967ee046c99acb7b7d5aba71b2cbf0368b6aed233963dad6d27b2b4a9df276
Instruction Fuzzy Hash: 2B61F734915219EFCB08EFA9E994EEDBBB5FF08310F10415AE411BF2A1DB35AA01CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00DBAB2F Relevance: 6.1, APIs: 4, Instructions: 149COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00DBAB48
_wcslen.LIBCMT ref: 00DBAB6A
_wcslen.LIBCMT ref: 00DBABAB
_wcslen.LIBCMT ref: 00DBAC80

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 7fa8e863f39b23a23959c80db46801450d5f80ddf0f985a70494f2fcaefbed30
Instruction ID: 4d5b4d767c5f2dbefe6a34c2aa855d56397d011cd9ecb99f46d364e9c92faa12
Opcode Fuzzy Hash: 7fa8e863f39b23a23959c80db46801450d5f80ddf0f985a70494f2fcaefbed30
Instruction Fuzzy Hash: 29517336D00619EFCF11DFACC8808EEBBF5EF49310B25455AE916BB201D770AE418BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00DEC252 Relevance: 6.1, APIs: 4, Instructions: 148COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00DEC259
InflateRect.USER32(?,000000FF,00000000), ref: 00DEC280
InflateRect.USER32(?,000000FF,000000FE), ref: 00DEC29E
FillRect.USER32(?,?,000000FF), ref: 00DEC2BB

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Rect$Inflate$FillH_prolog3_
String ID:
API String ID: 3515757206-0
Opcode ID: 562113168bec2a4fd70d676cf26244aff3fcb04a33357a678757dba9ff4b15d5
Instruction ID: 3d049831cd66acf243739d13f2e2c004464dbd5b2063b3534af2656a196c1d32
Opcode Fuzzy Hash: 562113168bec2a4fd70d676cf26244aff3fcb04a33357a678757dba9ff4b15d5
Instruction Fuzzy Hash: 1E51367190014DABCF01EFA4CC81CEE7BA9EB49364B05622AF915B2191DB31DD569B70

Uniqueness

Uniqueness Score: -1.00%

Function 00E23044 Relevance: 6.1, APIs: 4, Instructions: 129COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00E2304B

Part of subcall function 00DA6451: __CxxThrowException@8.LIBCMT ref: 00DA6467
Part of subcall function 00DA6451: __EH_prolog3.LIBCMT ref: 00DA6474

Part of subcall function 00DB64CC: __EH_prolog3_catch.LIBCMT ref: 00DB64D3

GetWindowRect.USER32(?,?), ref: 00E2313F
GetSystemMetrics.USER32(00000010), ref: 00E2314D
GetSystemMetrics.USER32(00000011), ref: 00E23158

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: MetricsSystem$Exception@8H_prolog3H_prolog3_H_prolog3_catchRectThrowWindow
String ID:
API String ID: 3575448974-0
Opcode ID: bc84ad07e98b144ccdab80658c0e4d7107742c545bd7b08b861a62d4f8c644fc
Instruction ID: 7d24eb0d7b9df8d84948ae34d58424ac57ac5a51d4eb40f9aeca61bf7dad9ea4
Opcode Fuzzy Hash: bc84ad07e98b144ccdab80658c0e4d7107742c545bd7b08b861a62d4f8c644fc
Instruction Fuzzy Hash: 95414771A006159FCB04EFB8C895AEEBBF6FF48300F054569E906BB291CB75A905CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00DA31C1 Relevance: 6.1, APIs: 4, Instructions: 123networktimeCOMMON

Download Yara Rule

APIs

SetWaitableTimer.KERNEL32(?,?,?,00000000,00000000,00000000,?,00000000,FFFFD8F0,000000FF), ref: 00DA3208
WSAWaitForMultipleEvents.WS2_32(00000004,?,00000000,000000FF,00000000), ref: 00DA3275
GetLastError.KERNEL32(?,00000000,000000FF,00000000), ref: 00DA32EB
WSAGetLastError.WS2_32(?,00000000,000000FF,00000000), ref: 00DA331C

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: ErrorLast$EventsMultipleTimerWaitWaitable
String ID:
API String ID: 3439003633-0
Opcode ID: 734e498788bed5eb8c01e2cef9184aef471f478bc0f2a15bfc33b3af478cd515
Instruction ID: ea4708c5bdf8ad3810bc2ce45a97111f362884b27d231b71bdd965f1656a56fe
Opcode Fuzzy Hash: 734e498788bed5eb8c01e2cef9184aef471f478bc0f2a15bfc33b3af478cd515
Instruction Fuzzy Hash: B341AD70600612AFDB649F69CC85BAAB7E5FF0A710F144229F815E7240DB30EE21CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00DB8F8B Relevance: 6.1, APIs: 4, Instructions: 121registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00DB8F95

Part of subcall function 00DA9883: RegCloseKey.ADVAPI32(?), ref: 00DA9928
Part of subcall function 00DA9883: RegCloseKey.ADVAPI32(?), ref: 00DA9932

_memset.LIBCMT ref: 00DB903C
_memset.LIBCMT ref: 00DB9089
RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00DB9100

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Close_memset$EnumH_prolog3_Value
String ID:
API String ID: 3508048145-0
Opcode ID: 3de09195f603ed306474cfb2faeb58ee5d0b547368ba766a345f4b68b48eb6c7
Instruction ID: 2f25a531cadce92360854361cdf6ae227a7c79be4d2942536a9a5fd76b1a69ae
Opcode Fuzzy Hash: 3de09195f603ed306474cfb2faeb58ee5d0b547368ba766a345f4b68b48eb6c7
Instruction Fuzzy Hash: 10410DF19011289BCB20DB64CC95BDEB7B8EF49310F4011DAB20AA7252DB705B84CF78

Uniqueness

Uniqueness Score: -1.00%

Function 03487370 Relevance: 6.1, APIs: 4, Instructions: 119networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(0000139F,C463F85C,00000010,?,?,03485D67,?,00000010,?), ref: 034873D0

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 6248be1932f76ad3b571e362d1d22582c852e300b15771f8e7f88b3b1de1316e
Instruction ID: 27590b8c615e12cfd121dbb6096772dedbde88661675a7cc8e1dcfd85a2c3ce1
Opcode Fuzzy Hash: 6248be1932f76ad3b571e362d1d22582c852e300b15771f8e7f88b3b1de1316e
Instruction Fuzzy Hash: 72511835901209EFCB05FFA5DA55AAEBFB1EF04320F20421AE422BA2E0D7745A45CB58

Uniqueness

Uniqueness Score: -1.00%

Function 03492F0A Relevance: 6.1, APIs: 4, Instructions: 114registryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 03492F2C
_memset.LIBCMT ref: 03492F43
RegEnumValueW.ADVAPI32(00000000,00000000,034CF400,034904F2,00000000,00000000,?,?), ref: 03492F65

Part of subcall function 0349FB22: _malloc.LIBCMT ref: 0349FB3C

Part of subcall function 0349FB22: std::exception::exception.LIBCMT ref: 0349FB71
Part of subcall function 0349FB22: std::exception::exception.LIBCMT ref: 0349FB8B
Part of subcall function 0349FB22: __CxxThrowException@8.LIBCMT ref: 0349FB9C

_memmove.LIBCMT ref: 03492FFE
RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,034B8C27), ref: 03493099

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: _memsetstd::exception::exception$CloseEnumException@8ThrowValue_malloc_memmove
String ID:
API String ID: 3562744608-0
Opcode ID: 7152287dd141145c2031d0caabebcdd03f0702215fb285bafc965bbfacf9eb15
Instruction ID: d6692b268ee3c3c2d9584b7a668ec6b6cbe0c8ef96042d52170233c421a7d332
Opcode Fuzzy Hash: 7152287dd141145c2031d0caabebcdd03f0702215fb285bafc965bbfacf9eb15
Instruction Fuzzy Hash: B3518D79E00208EFDF05DF98E881ADDBBB5FF48310F14406AE919AB3A1DB31A945DB54

Uniqueness

Uniqueness Score: -1.00%

Function 034B330B Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 034B333F
__isleadbyte_l.LIBCMT ref: 034B3372
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,?,?,034C3858,00000000,00000000), ref: 034B33A3
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,?,?,034C3858,00000000,00000000), ref: 034B3411

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: c3af2ee93ce4904a6f3b03a9af663566582206d75f1614e6b01ecbd69c9a6252
Instruction ID: f272a6b42dd0a9704ddf5d80138e5def60dcd2f030b5415607be1d5e23246258
Opcode Fuzzy Hash: c3af2ee93ce4904a6f3b03a9af663566582206d75f1614e6b01ecbd69c9a6252
Instruction Fuzzy Hash: 7B31BF39A04295EFDB20DF66C8909EF7BB5EF00210B0C85AAE4659F290EB30D941CB74

Uniqueness

Uniqueness Score: -1.00%

Function 00DD8AEE Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Parent$MessageSend
String ID:
API String ID: 2251359880-0
Opcode ID: 521ff34d3e479bbc70769b4099f9816265edc335fdf44c7d57460d58eec94f4c
Instruction ID: 6c7c9767e4a515d65a18863dfbff493c2299668a9c6206a52e03cdbea68b8532
Opcode Fuzzy Hash: 521ff34d3e479bbc70769b4099f9816265edc335fdf44c7d57460d58eec94f4c
Instruction Fuzzy Hash: 8C317CB1A00245EFCB219F64C848EAA7BB9FB48704B15417BE58A92350EB31E905EB74

Uniqueness

Uniqueness Score: -1.00%

Function 00E74B09 Relevance: 6.1, APIs: 4, Instructions: 92COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 00E74B5F
IsRectEmpty.USER32(?), ref: 00E74B69
SetRectEmpty.USER32(?), ref: 00E74BC0
SetRectEmpty.USER32(?), ref: 00E74BC6

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: EmptyRect
String ID:
API String ID: 2270935405-0
Opcode ID: d9f59864f8287d0d6b2e2b66c67a239f546480f68eae2d39b48edf21054be31b
Instruction ID: e36b18c2f5d6885219965472cb2da765746e652ea729d48d00a7ff375e0b47ca
Opcode Fuzzy Hash: d9f59864f8287d0d6b2e2b66c67a239f546480f68eae2d39b48edf21054be31b
Instruction Fuzzy Hash: 5831B2B1900218DFCF11DFA5C880A9EB7F8EF49714B14906AE909BB145D771DD45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DD8799 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00DD87C4
PtInRect.USER32(?,?,?), ref: 00DD87E8

Part of subcall function 00DD7E03: ScreenToClient.USER32(?,?), ref: 00DD7E20
Part of subcall function 00DD7E03: GetParent.USER32(?), ref: 00DD7E37

MapWindowPoints.USER32(?,?,?,00000001), ref: 00DD8813
SendMessageW.USER32(?,00000202,?,?), ref: 00DD8832

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: ClientRect$MessageParentPointsScreenSendWindow
String ID:
API String ID: 4233697448-0
Opcode ID: 0994191e6fc89a5b273348167927decc8df28732f7b6640f7248aefede5a973b
Instruction ID: 247e44249b0ee9c5f23b4b6842a6e2ba3d1842ffb35098b330196ff5ab7d0bda
Opcode Fuzzy Hash: 0994191e6fc89a5b273348167927decc8df28732f7b6640f7248aefede5a973b
Instruction Fuzzy Hash: 38318BB1A00209EFCF11DF65DC88CAE7BB6FB48300B54443EF81A96220DB31D911EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E026C3 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(00000000), ref: 00E026E4
ScreenToClient.USER32(?,00000000), ref: 00E026F1
SetCursor.USER32 ref: 00E0271E
PtInRect.USER32(?,00000000,00000000), ref: 00E02788

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Cursor$ClientRectScreen
String ID:
API String ID: 2390797981-0
Opcode ID: 4f9091c6639aa5e8746a99970673aaef0eb07a2c6b6e71d3d45259376fa53681
Instruction ID: cc9ebf5a56407d1ec7bb0f6f533e3553dd9d308a300384086ebb046271a3b5fd
Opcode Fuzzy Hash: 4f9091c6639aa5e8746a99970673aaef0eb07a2c6b6e71d3d45259376fa53681
Instruction Fuzzy Hash: A221A03650020AEFCB20ABA4C94CADEBBF9FF44319F18546EE105F6050DB30EA85DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00DF0248 Relevance: 6.1, APIs: 4, Instructions: 73keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 00DF025F
GetCursorPos.USER32(?), ref: 00DF02A5
SetRectEmpty.USER32(?), ref: 00DF02BB
IsRectEmpty.USER32(?), ref: 00DF02E5

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: EmptyRect$CursorState
String ID:
API String ID: 2369637639-0
Opcode ID: 9be4437e3b6a3671b06650032e5507c4617a35669025704e6babbd752a572f92
Instruction ID: b59c98c1514717f07c9bc1343d6af2c400e878350f96c5badb203be3a65bc6fa
Opcode Fuzzy Hash: 9be4437e3b6a3671b06650032e5507c4617a35669025704e6babbd752a572f92
Instruction Fuzzy Hash: 092138B1E0022DEFCF11DFA588489FEBBB8EB4C741B14412AE211F3101DB759A069BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DD86C9 Relevance: 6.1, APIs: 4, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 00DD8704
PtInRect.USER32(?,?,?), ref: 00DD871C

Part of subcall function 00DD7E03: ScreenToClient.USER32(?,?), ref: 00DD7E20
Part of subcall function 00DD7E03: GetParent.USER32(?), ref: 00DD7E37

MapWindowPoints.USER32(?,?,?,00000001), ref: 00DD8753
SendMessageW.USER32(?,00000201,?,?), ref: 00DD8772

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: ClientRect$MessageParentPointsScreenSendWindow
String ID:
API String ID: 4233697448-0
Opcode ID: 4444af3e8e0fcc06dd9d93e43e827f22155bd255f83facff2bc1b3b85d5ebc6e
Instruction ID: 70787d1696aef78275ff3f07e67e7b1fcd169e74f303bd3d4192fc77559b4e3c
Opcode Fuzzy Hash: 4444af3e8e0fcc06dd9d93e43e827f22155bd255f83facff2bc1b3b85d5ebc6e
Instruction Fuzzy Hash: C4212A71A0020DEFDF119FA5CC84DBEBBB5FB48300F14442EF915A6250DB759915DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00EA8811 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: __getptd_noexit
String ID:
API String ID: 3074181302-0
Opcode ID: 2b8473d4d6ba2a0a078020ffad0e131e8fd7b067120e1918fcadf49e286608bd
Instruction ID: d31235919e18bcd21f3fabc37008ea43c08c30a694567203236a7810305f16d3
Opcode Fuzzy Hash: 2b8473d4d6ba2a0a078020ffad0e131e8fd7b067120e1918fcadf49e286608bd
Instruction Fuzzy Hash: FD110672500208AFDB206B64DD05B9E3AA5FB8A764F955120F950BF1A0DF35AC41DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DF29A1 Relevance: 6.1, APIs: 4, Instructions: 66windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DB5A26: GetWindowLongW.USER32(?,000000F0), ref: 00DB5A31

GetForegroundWindow.USER32 ref: 00DF29DE
GetLastActivePopup.USER32(?), ref: 00DF2A02
SendMessageW.USER32(?,0000036D,00000040,00000000), ref: 00DF2A1A
SendMessageW.USER32(?,0000036D,00000000,00000000), ref: 00DF2A3F

Part of subcall function 00DA6451: __CxxThrowException@8.LIBCMT ref: 00DA6467
Part of subcall function 00DA6451: __EH_prolog3.LIBCMT ref: 00DA6474

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: MessageSendWindow$ActiveException@8ForegroundH_prolog3LastLongPopupThrow
String ID:
API String ID: 2019557511-0
Opcode ID: 61cfb8ccf0564e2bac0e6643dd71e192433688110021dbf77fe66afe900dece7
Instruction ID: a1681eb09bd75e203a8ee7f6ea7442399e6bc082bab9cfa82efd129014f86565
Opcode Fuzzy Hash: 61cfb8ccf0564e2bac0e6643dd71e192433688110021dbf77fe66afe900dece7
Instruction Fuzzy Hash: 19110A72710208ABDB21AB658C45F7E36BCEF48700F054075F602D3160EA74DE01C671

Uniqueness

Uniqueness Score: -1.00%

Function 00DAC923 Relevance: 6.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00DAC972
GetWindowRect.USER32(?,?), ref: 00DAC993
PtInRect.USER32(?,?,?), ref: 00DAC9A3
CallNextHookEx.USER32(?,?,?), ref: 00DAC9CB

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Rect$CallCursorHookNextWindow
String ID:
API String ID: 3719484595-0
Opcode ID: f43ef77b65470893cc6df3c8863e1a52530cb32596fbe4745f34a7d08e607f16
Instruction ID: a06d019a135f7b1c05b17044814d958fe08ee8f52d7dfa4bda43ff2f09459ddf
Opcode Fuzzy Hash: f43ef77b65470893cc6df3c8863e1a52530cb32596fbe4745f34a7d08e607f16
Instruction Fuzzy Hash: 1D212C72A0020AAFCF00DFA9DD499EEBBF8FF45315B09402AE510E2260D7719A01EF61

Uniqueness

Uniqueness Score: -1.00%

Function 0348122A Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0348125F

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: __floor_pentium4
String ID:
API String ID: 4168288129-0
Opcode ID: 212063db3888200a19c0a2d27d34be04b44b318070cd9bc3e855f96c4b91caaa
Instruction ID: 061bbf8555325c1b3e0d27bb41a3ae33a4d50468d71a3aa4423dc060b32c52e9
Opcode Fuzzy Hash: 212063db3888200a19c0a2d27d34be04b44b318070cd9bc3e855f96c4b91caaa
Instruction Fuzzy Hash: 20212A74D1020AEFCB04EFA8D945AAEBBF1FF08300F10846AE555AB391DB71A951CB18

Uniqueness

Uniqueness Score: -1.00%

Function 03481168 Relevance: 6.1, APIs: 4, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0348119D
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 034811BB
_memmove.LIBCMT ref: 034811DB
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 034811F9

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: Virtual$AllocFree__floor_pentium4_memmove
String ID:
API String ID: 1828152804-0
Opcode ID: fcf804a5ff379d66c308cbfd05d95231e2c1fd7c1a6e2a3da02219c552fa5a10
Instruction ID: bf0fa19525bdcfbd367009e762ef8d080a65ff030ef497157e0e959721cc1f3a
Opcode Fuzzy Hash: fcf804a5ff379d66c308cbfd05d95231e2c1fd7c1a6e2a3da02219c552fa5a10
Instruction Fuzzy Hash: 9F213875A0020AEFCB04EF98D945AAEBBF1FF08300F14846AE955AB390D771A950CB18

Uniqueness

Uniqueness Score: -1.00%

Function 0349A0C4 Relevance: 6.1, APIs: 4, Instructions: 62threadprocessCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 0349A100
Thread32First.KERNEL32(?,0000001C), ref: 0349A117
Thread32Next.KERNEL32(?,0000001C), ref: 0349A13C
CloseHandle.KERNEL32(?), ref: 0349A149

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: Thread32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 3643885135-0
Opcode ID: 374e03607a2cdcdfaf61c08287f07a86cb7c5df4e276dd2086e6e19fc4f46024
Instruction ID: a91df2fb8bce38833eb07e119cdd03cfbb8640a8463dbbff045c361efec38653
Opcode Fuzzy Hash: 374e03607a2cdcdfaf61c08287f07a86cb7c5df4e276dd2086e6e19fc4f46024
Instruction Fuzzy Hash: BA21CA75910218EFDF14EFA4DD85BDDBBB8FF08714F50412AE915EA290EB34AA05CB14

Uniqueness

Uniqueness Score: -1.00%

Function 00DA66E5 Relevance: 6.1, APIs: 4, Instructions: 62windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00DA66EC

Part of subcall function 00DA6304: _malloc.LIBCMT ref: 00DA6322

__CxxThrowException@8.LIBCMT ref: 00DA6731
FormatMessageW.KERNEL32(00001100,00000000,?,00000800,80004005,00000000,00000000,?,?,00EFE6CC,00000004,00DA4426,8007000E,00DA4FD0,80004005,00000001), ref: 00DA675B

Part of subcall function 00DA57FA: __CxxThrowException@8.LIBCMT ref: 00DA6467
Part of subcall function 00DA57FA: __EH_prolog3.LIBCMT ref: 00DA6474

LocalFree.KERNEL32(?), ref: 00DA6789

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Exception@8H_prolog3Throw$FormatFreeLocalMessage_malloc
String ID:
API String ID: 489379502-0
Opcode ID: 0d64495db18dc31b4bbc6dc477111655244f9eac23ea2e406a88b2ef374cf2a0
Instruction ID: 0db6021c435218bb11ac342f16d803ef03052302d1d6447346365ba48d0ea200
Opcode Fuzzy Hash: 0d64495db18dc31b4bbc6dc477111655244f9eac23ea2e406a88b2ef374cf2a0
Instruction Fuzzy Hash: 2D11D3B2510308EFDB01DF64CC05FAE3BA8FF49714F18C529F929AA190D771D90187A0

Uniqueness

Uniqueness Score: -1.00%

Function 00DC102B Relevance: 6.1, APIs: 4, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 00DAEC52: ActivateActCtx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00DFB3E3,000000FF,00000050), ref: 00DAEC75

IntersectRect.USER32(?,?,?), ref: 00DC1081
EqualRect.USER32(?,?), ref: 00DC108C
IsRectEmpty.USER32(?), ref: 00DC1096
InvalidateRect.USER32(?,?,?), ref: 00DC10B3

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Rect$ActivateEmptyEqualIntersectInvalidate
String ID:
API String ID: 4049613494-0
Opcode ID: c0324f9e29695ff81b4b2744ec4f0338a2283cd43824d91692126909860ffc0a
Instruction ID: ecac2cbaa5f532e63c8a40361a1e554e16fa474e455cd2c30ed1a064d04bb25b
Opcode Fuzzy Hash: c0324f9e29695ff81b4b2744ec4f0338a2283cd43824d91692126909860ffc0a
Instruction Fuzzy Hash: 9D111A7690011AEFCF00DFA9D988DAEB7B8FF89304B114066E905A7111D770AA05CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DE10A0 Relevance: 6.1, APIs: 4, Instructions: 61windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00DE10B1
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 00DE10F4
RedrawWindow.USER32(?,00000000,00000000,00000185), ref: 00DE1100
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 00DE10DF

Part of subcall function 00E47ECF: SendMessageW.USER32(?,00000234,00000000,00000000), ref: 00E47F4A
Part of subcall function 00E47ECF: SendMessageW.USER32(?,00000229,00000000,00000000), ref: 00E47F71
Part of subcall function 00E47ECF: SendMessageW.USER32(?,00000229,00000000,00000000), ref: 00E47F8E
Part of subcall function 00E47ECF: SendMessageW.USER32(?,00000222,?,00000000), ref: 00E47FA5

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: MessageSend$ParentRedrawWindow
String ID:
API String ID: 2139789815-0
Opcode ID: a4008fb7f93a13898b755e3b9a3e78a95580cc8776bef3c7057548377aa4d517
Instruction ID: 4783028a0ec0b9a204e1bbb90eedcacd91448b122cf56bd1233da2f5ee085c02
Opcode Fuzzy Hash: a4008fb7f93a13898b755e3b9a3e78a95580cc8776bef3c7057548377aa4d517
Instruction Fuzzy Hash: 0C11E076600349BFDB216F52CCC9EAE7AAAFB80384F180138F24167150C7B19C81CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00DFA9F6 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DB59C6: GetDlgItem.USER32(?,?), ref: 00DB59D7

GetWindowLongW.USER32(?,000000F0), ref: 00DFAA13
GetWindowTextLengthW.USER32(?), ref: 00DFAA40
GetWindowTextW.USER32(?,00000000,00000100), ref: 00DFAA6F
SendMessageW.USER32(?,0000014D,000000FF,?), ref: 00DFAA90

Part of subcall function 00DB7729: lstrlenW.KERNEL32(?,?,?), ref: 00DB7755
Part of subcall function 00DB7729: _memset.LIBCMT ref: 00DB7773
Part of subcall function 00DB7729: GetWindowTextW.USER32(00000000,?,00000100), ref: 00DB778D
Part of subcall function 00DB7729: lstrcmpW.KERNEL32(?,?,?,?), ref: 00DB779F
Part of subcall function 00DB7729: SetWindowTextW.USER32(00000000,?), ref: 00DB77AB

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Window$Text$ItemLengthLongMessageSend_memsetlstrcmplstrlen
String ID:
API String ID: 205973220-0
Opcode ID: 780002158c1f878c5d46ef7d3e74a24b8dedc17d5d58571f2f20ec99bf0ae779
Instruction ID: 81da05e63758e9e1a92f7d8c442f2811867e979dfcc497edeb919604e8333257
Opcode Fuzzy Hash: 780002158c1f878c5d46ef7d3e74a24b8dedc17d5d58571f2f20ec99bf0ae779
Instruction Fuzzy Hash: 0E11937110420DFFCF11AF58DC05EB97B65EF45360F188228FA695A1E0CB329996DB72

Uniqueness

Uniqueness Score: -1.00%

Function 00DB0CEF Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

GetObjectW.GDI32(?,0000000C,?), ref: 00DB0D3C
SetBkColor.GDI32(?,?), ref: 00DB0D46
GetSysColor.USER32(00000008), ref: 00DB0D56
SetTextColor.GDI32(?,?), ref: 00DB0D5E

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Color$ObjectText
String ID:
API String ID: 829078354-0
Opcode ID: 73c6028c48dcec1ac3bbbea8f9610ea6226840ce7fc28fc17963767d946a2627
Instruction ID: 6f9c67b05370efc2e778942e4898ce6b5aca58f0e86b81961642af97cf7078d8
Opcode Fuzzy Hash: 73c6028c48dcec1ac3bbbea8f9610ea6226840ce7fc28fc17963767d946a2627
Instruction Fuzzy Hash: 48115E35600208EFCB20AFA99D45AFF7BACEB45714F180525F912E61D0CB30ED0187B1

Uniqueness

Uniqueness Score: -1.00%

Function 00DB4541 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 00DB456D
SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 00DB4598
GetCapture.USER32 ref: 00DB45AA
SendMessageW.USER32(00000000,0000001F,00000000,00000000), ref: 00DB45B9

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: MessageSend$Capture
String ID:
API String ID: 1665607226-0
Opcode ID: f22879ac8dfeada6c99cc0c3b5bfb8d2c184a56433bbee410e895544a5ef5304
Instruction ID: cde20b48399df4c7e2fe5ca6e307dda3809f96d6de89b53a698f8c28be935935
Opcode Fuzzy Hash: f22879ac8dfeada6c99cc0c3b5bfb8d2c184a56433bbee410e895544a5ef5304
Instruction Fuzzy Hash: 63012571350554BBDB306B668CCDFEB3E79DFCAB00F150079B646AA1A7C9A1C801D570

Uniqueness

Uniqueness Score: -1.00%

Function 00DA89FB Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,000000F0), ref: 00DA8A21
LoadResource.KERNEL32(?,00000000), ref: 00DA8A2D
LockResource.KERNEL32(00000000), ref: 00DA8A3B
FreeResource.KERNEL32(00000000), ref: 00DA8A69

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: a284938cf762435700fa3892544c6eac09ba26186c96331f9dbaa420aade894c
Instruction ID: 4b79ade20bf66aef85c2706a8cf4914d1945462294fee26c08c89c4e2d9b5f38
Opcode Fuzzy Hash: a284938cf762435700fa3892544c6eac09ba26186c96331f9dbaa420aade894c
Instruction Fuzzy Hash: 7C114871600209EFDB108F96C848E9E7BB9EF46365F08807AF906A7260CB75DE00DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00DACF17 Relevance: 6.1, APIs: 4, Instructions: 54windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32(?,00000000,?), ref: 00DACF53

Part of subcall function 00DA6451: __CxxThrowException@8.LIBCMT ref: 00DA6467
Part of subcall function 00DA6451: __EH_prolog3.LIBCMT ref: 00DA6474

GetFocus.USER32 ref: 00DACF69
GetParent.USER32(?), ref: 00DACF77
SendMessageW.USER32(?,00000028,00000000,00000000), ref: 00DACF8A

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: EnableException@8FocusH_prolog3ItemMenuMessageParentSendThrow
String ID:
API String ID: 3849708097-0
Opcode ID: e2467081687686aa8b69597dfa83792ee941b7c822f6cba975daa933c44fd5a8
Instruction ID: 0c4cacd0bdde2a58414d85fe4ea001a61f45420b64509c26850476c1fddf6653
Opcode Fuzzy Hash: e2467081687686aa8b69597dfa83792ee941b7c822f6cba975daa933c44fd5a8
Instruction Fuzzy Hash: 1A11C271111604EFCB209F20DC84D26BBBBFF853257188639F14656560C771EC49CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DDC028 Relevance: 6.1, APIs: 4, Instructions: 52fileCOMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?), ref: 00DDC046
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00DDC05F
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00DDC092
DragFinish.SHELL32(?), ref: 00DDC0BA

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Drag$FileQuery$ActiveFinishWindow
String ID:
API String ID: 892977027-0
Opcode ID: c4567e6218b93e164af0d627e5387689b179408715daa421e9a52b2d635f26c0
Instruction ID: a72832960b09373c906ca770fd1f31cf7a018b86436c9c06203d76c6400c41c9
Opcode Fuzzy Hash: c4567e6218b93e164af0d627e5387689b179408715daa421e9a52b2d635f26c0
Instruction Fuzzy Hash: 4411517194021CAFCB20EB64CC88FEDB7B8FB58310F1405A6F119A7191CBB0AA45CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00DFEE68 Relevance: 6.1, APIs: 4, Instructions: 52windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00DFEEA5
GetSystemMetrics.USER32(0000002D), ref: 00DFEEB9
GetSystemMetrics.USER32(00000002), ref: 00DFEEC1
SendMessageW.USER32(?,0000101E,00000000,00000000), ref: 00DFEED9

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: MetricsSystem$ClientMessageRectSend
String ID:
API String ID: 2251314529-0
Opcode ID: 4dd7b1e1adea63720d388e14e21e7141d8eac431d1da0105b21629e0e316f6a3
Instruction ID: 4e08aa1fde96db337b08c9bd5262bdc9038a274d334d85e1412637ca548bf81f
Opcode Fuzzy Hash: 4dd7b1e1adea63720d388e14e21e7141d8eac431d1da0105b21629e0e316f6a3
Instruction Fuzzy Hash: 81016572A00208AFCB14DFB99D45ABE7BF4EB48300F164176F905F7191D6B19D05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00DB300E Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

GetTopWindow.USER32(?), ref: 00DB301E
GetTopWindow.USER32(00000000), ref: 00DB305D
GetWindow.USER32(00000000,00000002), ref: 00DB307B

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 9de28d7fe0e4a9b12d08e04eb92cdadf6c26f48508acfa0434be8716c2e1a120
Instruction ID: 42f94d6e533a822ceed4a5b68ac618c981587974cb072e7848eed729c7674bd7
Opcode Fuzzy Hash: 9de28d7fe0e4a9b12d08e04eb92cdadf6c26f48508acfa0434be8716c2e1a120
Instruction Fuzzy Hash: 1C01D73240051DFBCF226F959D09EEE3B6AEF58391F094024FA1265060C736CA66EBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DB26F8 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00DB2705
GetTopWindow.USER32(00000000), ref: 00DB2718

Part of subcall function 00DB26F8: GetWindow.USER32(00000000,00000002), ref: 00DB275F

GetTopWindow.USER32(?), ref: 00DB2748

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: 09a065e311a4f0cbe9d90a19bc9c875cedb20ec76fe9338d25356a84cc56fe44
Instruction ID: 94c7c274f41b07557fdead03b4806b70e1f6dab7954fab693ef33ba7fdd94067
Opcode Fuzzy Hash: 09a065e311a4f0cbe9d90a19bc9c875cedb20ec76fe9338d25356a84cc56fe44
Instruction Fuzzy Hash: CB014F37401A19EBCF232BA18D08EFF3A69EF55795F094125FD12A5120EB31C91296B9

Uniqueness

Uniqueness Score: -1.00%

Function 00DEAAA0 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00DEAAA7
IsRectEmpty.USER32(?), ref: 00DEAAC9

Part of subcall function 00E40970: __EH_prolog3.LIBCMT ref: 00E40977
Part of subcall function 00E40970: CreateCompatibleDC.GDI32(?), ref: 00E409DA
Part of subcall function 00E40970: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00E40A0C
Part of subcall function 00E40970: SelectObject.GDI32(?,00000000), ref: 00E40A6A

IsRectEmpty.USER32(?), ref: 00DEAB0D
FillRect.USER32(?,?), ref: 00DEAB24

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Rect$CompatibleCreateEmptyH_prolog3$BitmapFillObjectSelect
String ID:
API String ID: 1042983850-0
Opcode ID: 34fbc4d39ff834766d06fd9722922a852d99cb7280da830b4866035c5b7595da
Instruction ID: 30e0c7d8152b03a3b50343509c470f3806769b929bab07d5c46428ab3fd942ef
Opcode Fuzzy Hash: 34fbc4d39ff834766d06fd9722922a852d99cb7280da830b4866035c5b7595da
Instruction Fuzzy Hash: C711283240018EEBCF01EFA1DD45EEE3769BB44318F158229F525B20A1DB31AA15DB22

Uniqueness

Uniqueness Score: -1.00%

Function 00DAA97F Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,00000005), ref: 00DAA99B
LoadResource.KERNEL32(?,00000000), ref: 00DAA9A3
LockResource.KERNEL32(00000000), ref: 00DAA9B0
FreeResource.KERNEL32(00000000,00000000,?,?), ref: 00DAA9C8

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: ccef8b54058084a5868640108dd81a7719f4eb78db033086a835eeb8e84e58c2
Instruction ID: 2c534d5e9b957a975af0f209921a1a2671739d2ae6db7142338ff13dfcfb092f
Opcode Fuzzy Hash: ccef8b54058084a5868640108dd81a7719f4eb78db033086a835eeb8e84e58c2
Instruction Fuzzy Hash: 73F09032100114BF87016BAA9C4CC9FBBBDDF8A2657054039F605A3211DA758D01CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00DAA8EB Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

EnableWindow.USER32(?,00000001), ref: 00DAA90B
GetActiveWindow.USER32 ref: 00DAA916
SetActiveWindow.USER32(?,?,00000024,00DA4BED), ref: 00DAA924
FreeResource.KERNEL32(?,?,00000024,00DA4BED), ref: 00DAA940

Part of subcall function 00DB5BBF: EnableWindow.USER32(?,?), ref: 00DB5BD0

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Window$ActiveEnable$FreeResource
String ID:
API String ID: 253586258-0
Opcode ID: 3db4eb53d2f34b19df229f0082daac65c5fe47a199301d32f9e25ee5176b4581
Instruction ID: b1fd4b1784f125b07b4629146b73b533938217dac53d4fc0a558a62ff3f50efb
Opcode Fuzzy Hash: 3db4eb53d2f34b19df229f0082daac65c5fe47a199301d32f9e25ee5176b4581
Instruction Fuzzy Hash: C1F04F34900A08CFCF22AF69C8859AEB7B2FF49702F690129E54272161CB325D41CF33

Uniqueness

Uniqueness Score: -1.00%

Function 00DFC36D Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00DFC392
GetTickCount.KERNEL32 ref: 00DFC39F
CoFreeUnusedLibraries.OLE32 ref: 00DFC3AE
GetTickCount.KERNEL32 ref: 00DFC3B4

Part of subcall function 00DFC311: CoFreeUnusedLibraries.OLE32(00000000,?,00DFC3F9,00000000), ref: 00DFC359
Part of subcall function 00DFC311: OleUninitialize.OLE32(?,00DFC3F9,00000000), ref: 00DFC35F

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: CountTick$FreeLibrariesUnused$Uninitialize
String ID:
API String ID: 685759847-0
Opcode ID: ad08ed1be24976a30869802443e6b5380ce9398acd760c9e6ce7858bf15d2917
Instruction ID: ed7ed710d2f6d2040225fb0ed3983b60fc811c3273ec42d197396e265393f359
Opcode Fuzzy Hash: ad08ed1be24976a30869802443e6b5380ce9398acd760c9e6ce7858bf15d2917
Instruction Fuzzy Hash: 86E06D3281421CDBC720AF64FD497BC3BE5FB493A4F5BD02BE61492064C7759861EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00E3A6BC Relevance: 6.0, APIs: 4, Instructions: 25COMMONLIBRARYCODE

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 00E3A6D7
SetRectEmpty.USER32(?), ref: 00E3A6DD
SetRectEmpty.USER32(?), ref: 00E3A6E3
SetRectEmpty.USER32(?), ref: 00E3A6E9

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: EmptyRect
String ID:
API String ID: 2270935405-0
Opcode ID: 746ff0eab17892212ce14fd53c2487b79d12d30ffb19e73a6ad6cfc3ea292755
Instruction ID: 5de829d3ba49a636498a9b530d626d1a2115baaba4c0d35470306c1d7aaed51e
Opcode Fuzzy Hash: 746ff0eab17892212ce14fd53c2487b79d12d30ffb19e73a6ad6cfc3ea292755
Instruction Fuzzy Hash: DEE0C9B74007199AC730AB6AEC44AC7B3FCEF84314B15492AE586C3514D679F58ACF60

Uniqueness

Uniqueness Score: -1.00%

Function 00DC21C4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 174COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00DC21FB

Strings

(, xrefs: 00DC2309

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: ClearVariant
String ID: (
API String ID: 1473721057-3887548279
Opcode ID: 4262b7fcf25e3f2a4fe65ecd0b15e5cb3b5026b4d0821c0f6270c587d0f1fc19
Instruction ID: 0870515349f50ed55d2589436bae267ed9ef335ee64baebae6ef7d2e45397895
Opcode Fuzzy Hash: 4262b7fcf25e3f2a4fe65ecd0b15e5cb3b5026b4d0821c0f6270c587d0f1fc19
Instruction Fuzzy Hash: BB517C31600B01DFD769CF69C985A2AF7F5FF84314B584A2DE4828BAA2C770F841CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00DBEE73 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00DBEECA
_memcmp.LIBCMT ref: 00DBEFDC

Strings

0<, xrefs: 00DBEE81

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: _memcmp
String ID: 0<
API String ID: 2931989736-2848842329
Opcode ID: 53625e9881f73853c0a561f4ce2fabb30f953284d5a0978c04356dc9d8979253
Instruction ID: a0781028c37d50d2590f179d809a2fd59662896e212b6ed7d60ac58808b44674
Opcode Fuzzy Hash: 53625e9881f73853c0a561f4ce2fabb30f953284d5a0978c04356dc9d8979253
Instruction Fuzzy Hash: E4510C75A00219EFDB04CFA5C888DEEBBB9FF89704B144498F906EB250D771E902CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00DE8B17 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 156COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00DE8B1E
IsRectEmpty.USER32(?), ref: 00DE8C31

Part of subcall function 00DAB692: MoveToEx.GDI32(?,?,00000000,?), ref: 00DAB6BC
Part of subcall function 00DAB692: MoveToEx.GDI32(?,?,00000000,?), ref: 00DAB6CD

Strings

h+, xrefs: 00DE8B29

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Move$EmptyH_prolog3_Rect
String ID: h+
API String ID: 2559423521-1818233205
Opcode ID: 3e858fc5237d41373cd301bf2668a83d4276ab9aa00062aff00ec8583a2c4d87
Instruction ID: b22c740ebd40153d98e8f9f536af2d8d9c865b8b95ba5f4246672684a1c56c19
Opcode Fuzzy Hash: 3e858fc5237d41373cd301bf2668a83d4276ab9aa00062aff00ec8583a2c4d87
Instruction Fuzzy Hash: 8F515D30A01659DFCF01EFA1CD95AED7BB2BF49350B545068F506BB2A1DB31D906EB20

Uniqueness

Uniqueness Score: -1.00%

Function 00DC0535 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 150COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00DC053C

Part of subcall function 00DA6451: __CxxThrowException@8.LIBCMT ref: 00DA6467
Part of subcall function 00DA6451: __EH_prolog3.LIBCMT ref: 00DA6474

VariantClear.OLEAUT32(?), ref: 00DC06DD

Strings

@, xrefs: 00DC059F

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: ClearException@8H_prolog3H_prolog3_ThrowVariant
String ID: @
API String ID: 3025591921-2766056989
Opcode ID: c408c5f3ad84becfdfdeff0cbcc97549055cb0153136946d8947518c0d0f21e4
Instruction ID: 2bd375259729eba3e3e6408b34f521fbfca2cd9f6ed1efd1c627c0b3d10da243
Opcode Fuzzy Hash: c408c5f3ad84becfdfdeff0cbcc97549055cb0153136946d8947518c0d0f21e4
Instruction Fuzzy Hash: 0B51D570E012199FCB04DFA8C888AEDBBF5BF48304F14452DE51AEB250EB74A945CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00DE5176 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00DE51E5
SystemParametersInfoW.USER32(00000026,00000000,?,00000000), ref: 00DE5282

Strings

, xrefs: 00DE5210

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: InfoParametersRectSystemWindow
String ID:
API String ID: 85510744-3916222277
Opcode ID: b0d5e8bcbd2ffe8656292e268f2d17e2af50120148d7a3f8f4c82dc0b1a8cd59
Instruction ID: b4b2731144aa114c3bf1633f00c951f62c4abae5ed7b3493f45010dffbb6410e
Opcode Fuzzy Hash: b0d5e8bcbd2ffe8656292e268f2d17e2af50120148d7a3f8f4c82dc0b1a8cd59
Instruction Fuzzy Hash: 07414A71A00648DFCB11DF65D8849EEBBF5FF88340F14842EE95AA6250D7719A80CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00DD2F5B Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00DD2F65
GetParent.USER32(?), ref: 00DD3027

Strings

p, xrefs: 00DD3034

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: H_prolog3_Parent
String ID: p
API String ID: 383333065-2678736219
Opcode ID: 9209087a32a529c3890fcb55b8dc5972b9f724e2baec0ac2175dacaa8e76205c
Instruction ID: 4fea7e88cba4a2a96da8f32f0d5ef4622991a2094e283be75a8d0b50528d61aa
Opcode Fuzzy Hash: 9209087a32a529c3890fcb55b8dc5972b9f724e2baec0ac2175dacaa8e76205c
Instruction Fuzzy Hash: 7E3109326042429FCF346FB58C95ABDB2E4EF54310B18093FF519A7392EE71DA409632

Uniqueness

Uniqueness Score: -1.00%

Function 00DEC5A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00DEC5A7
InflateRect.USER32(?,000000FD,000000FD), ref: 00DEC5FD

Strings

%d%%, xrefs: 00DEC660

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: H_prolog3_InflateRect
String ID: %d%%
API String ID: 3173815319-1518462796
Opcode ID: 64571977f5da0cc1a97726102246e182ae84664b00f198cd35d61dd4204377c6
Instruction ID: d92825c53c53947ee4fb12147f7a3806589527bc77260857dd2ffaeeae1a4a69
Opcode Fuzzy Hash: 64571977f5da0cc1a97726102246e182ae84664b00f198cd35d61dd4204377c6
Instruction Fuzzy Hash: D5315A716102689FCF14EFA5CC84DEEB7B9FF89710B156559F801AB251DA70ED02CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E507C5 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 105timeCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00E50899
KillTimer.USER32(?,00000002), ref: 00E508C8

Strings

, xrefs: 00E5087D

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: KillRectTimerWindow
String ID:
API String ID: 1987732032-3916222277
Opcode ID: 19ac39a0b604cc60a72232ef5120a594a5f2c0153f487274104b4bd3e31e08cb
Instruction ID: 6b43126e2bf7b68ac92e3e937163648900a1f862b29976a88cf48ff8222a8a06
Opcode Fuzzy Hash: 19ac39a0b604cc60a72232ef5120a594a5f2c0153f487274104b4bd3e31e08cb
Instruction Fuzzy Hash: C0318131A046059FCB14DF68C885EAEB7F1FF88301F11192AF81AA7241DB74B945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00E30678 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E3067F

Part of subcall function 00E89ED6: __EH_prolog3.LIBCMT ref: 00E89EDD
Part of subcall function 00E89ED6: GetProfileIntW.KERNEL32(windows,DragScrollInset,0000000B), ref: 00E89F2D
Part of subcall function 00E89ED6: GetProfileIntW.KERNEL32(windows,DragScrollDelay,00000032), ref: 00E89F3C
Part of subcall function 00E89ED6: GetProfileIntW.KERNEL32(windows,DragScrollInterval,00000032), ref: 00E89F4B

SetRectEmpty.USER32(?), ref: 00E3088D

Strings

$L, xrefs: 00E30733

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Profile$H_prolog3$EmptyRect
String ID: $L
API String ID: 1529447813-1469215623
Opcode ID: 65fd15676937099a6a29a60a3e1ceb4ec607c88b2dccf5f7cc8badeec0f69349
Instruction ID: 2ecd3c5e269e71f60b073a88bee2d557018338d61cd7c4547e57b6675d216d6b
Opcode Fuzzy Hash: 65fd15676937099a6a29a60a3e1ceb4ec607c88b2dccf5f7cc8badeec0f69349
Instruction Fuzzy Hash: 875141B0805B40CBD365DF2AC1817DAFAE8BFA9300F50891FE5AE96361DBB02145CF45

Uniqueness

Uniqueness Score: -1.00%

Function 00DC240C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

CoTaskMemFree.OLE32(00000000), ref: 00DC24CC
CoTaskMemFree.OLE32(?), ref: 00DC24D6

Strings

TD, xrefs: 00DC246E

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: FreeTask
String ID: TD
API String ID: 734271698-1811200935
Opcode ID: 7f5822fcf8e59077688f023c6347ae264237be8d616e746caee8126459d60e07
Instruction ID: de690cb4a84190eae484a9e02aae62b5c8f21bb6d5d202f5f912ac813cf802c6
Opcode Fuzzy Hash: 7f5822fcf8e59077688f023c6347ae264237be8d616e746caee8126459d60e07
Instruction Fuzzy Hash: B2313C75A0421ADFCB04CFA8C884EEEB7F9AF8D314B14846DE906BB210D775E945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00DC4D0B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

IsChild.USER32(?,?), ref: 00DC4D2C
GetWindowLongW.USER32(?,000000EC), ref: 00DC4D43

Strings

0, xrefs: 00DC4DBE

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: ChildLongWindow
String ID: 0
API String ID: 1178903432-4108050209
Opcode ID: b67fdbfa4930cbe6b04819ab6f64be0ecde70f351895d0ed5a510ac966bd0e72
Instruction ID: 925aa0f36e4a806be9b361389b042e6282392a43de2b7152defc1ae6ab950cef
Opcode Fuzzy Hash: b67fdbfa4930cbe6b04819ab6f64be0ecde70f351895d0ed5a510ac966bd0e72
Instruction Fuzzy Hash: AF21E06610171B6BEB22BA259D61FAF62ACDF55760F2C011CFC03E7196EE74CD018170

Uniqueness

Uniqueness Score: -1.00%

Function 00DF21AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00DF21DB
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 00DF228F

Strings

px, xrefs: 00DF21ED

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: ClientRectRedrawWindow
String ID: px
API String ID: 804678526-3846731130
Opcode ID: 97b410ff7922e3b977751982aedd6bf5edaba2f900fb62d94f29a330b021567f
Instruction ID: 771c77a6e3ff349d585c73050c2171d1a88b454a2b4b0c4f9c29e47773d34aa6
Opcode Fuzzy Hash: 97b410ff7922e3b977751982aedd6bf5edaba2f900fb62d94f29a330b021567f
Instruction Fuzzy Hash: 69311771A00209AFCB14DF99C9889FEFBF5FF88300F24416AE905A7255D771AA41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00E76C99 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 94COMMON

Download Yara Rule

Strings

@K, xrefs: 00E76CE5
TK, xrefs: 00E76CCF

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID:
String ID: @K$TK
API String ID: 0-434564041
Opcode ID: f8e9f7bd4ffb74c11c7460d79b0aa616560f96c1a317187b6dc42dedbc9f6ec8
Instruction ID: d0a335095a09c1edd29a5cfcbb3a96979ad9cc6fd397bffe25df22cf5944b0a3
Opcode Fuzzy Hash: f8e9f7bd4ffb74c11c7460d79b0aa616560f96c1a317187b6dc42dedbc9f6ec8
Instruction Fuzzy Hash: A23141B1A00509AFCB14EFA5D8C5DBEBBF9FF48308B14402DE50AA7241EB749D44CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00DF2EF4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00DF2F85
PtInRect.USER32(?,?,?), ref: 00DF2FDA

Strings

px, xrefs: 00DF2F44

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: Rect$Window
String ID: px
API String ID: 924285169-3846731130
Opcode ID: de48721a4e6485149442d6c267a8abd21522fa8b8906b428c47437b7db847bda
Instruction ID: f50113f1ac9e4291b0ecb6c97ae192ebc6798acd645c6a5544887eb00386aaf1
Opcode Fuzzy Hash: de48721a4e6485149442d6c267a8abd21522fa8b8906b428c47437b7db847bda
Instruction Fuzzy Hash: 63310DB1A01209DFCF14DFA9D9849EEBBF6FF48300B19846EE915A3211DB319A11DF64

Uniqueness

Uniqueness Score: -1.00%

Function 00DF20FB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00DF2153
GetClientRect.USER32(?,?), ref: 00DF216C

Part of subcall function 00DB5D83: SetWindowPos.USER32(?,?,?,?,?,?,?,?,00DAA8C8,00000000,00000000,00000000,00000000,00000000,00000097,?), ref: 00DB5DAB

Strings

px, xrefs: 00DF211D

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: RectWindow$Client
String ID: px
API String ID: 3228027793-3846731130
Opcode ID: 5354ced6c34fbfb6d9a3d2e5dbdee964b627ded161187ff2c9b2f822c7959340
Instruction ID: 21d93a35b33294df801ce9e9974302e215b9c99664aea0567770eb8ee88aa117
Opcode Fuzzy Hash: 5354ced6c34fbfb6d9a3d2e5dbdee964b627ded161187ff2c9b2f822c7959340
Instruction Fuzzy Hash: 5721E272D00209AFCB14DFA9C9899EEFBF8FF88300F14415AE505B2254DA71AA01CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00DC8B4D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00DC8B54

Strings

OrigResetItems, xrefs: 00DC8B70
<w, xrefs: 00DC8BD1

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: H_prolog3
String ID: <w$OrigResetItems
API String ID: 431132790-1871141187
Opcode ID: 97d9476bb33b374633f5bcc286b743adf66f0618fcb2c3841fdf91ec458a1c9f
Instruction ID: 6287787f2e8f1327e98d77bf653b4df93d7d112409f6d5f2889eed461568c5eb
Opcode Fuzzy Hash: 97d9476bb33b374633f5bcc286b743adf66f0618fcb2c3841fdf91ec458a1c9f
Instruction Fuzzy Hash: 92215172A006158BCB20DF64C485FAEB7B2AF84710F1D426CE855AF185DF71ED41DB61

Uniqueness

Uniqueness Score: -1.00%

Function 034863A7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000000), ref: 0348643A
WSAGetLastError.WS2_32 ref: 0348644C

Part of subcall function 0348167C: _memmove.LIBCMT ref: 034816BD

Strings

W, xrefs: 0348642A

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: ErrorLast$_memmove
String ID: W
API String ID: 2393646116-655174618
Opcode ID: ead007458bfe5cb9733dfa0823a41e0583cb5230c57290e8dd3ccab2ab878b4c
Instruction ID: 1d934f07855f67789051026f326a263efd319ecb1db17c1a5cdd8ef2d5174596
Opcode Fuzzy Hash: ead007458bfe5cb9733dfa0823a41e0583cb5230c57290e8dd3ccab2ab878b4c
Instruction Fuzzy Hash: 05213D74800209EFCF54FF94D9447EEBBB5BF00309F25805A9901AE290DB789A85CF19

Uniqueness

Uniqueness Score: -1.00%

Function 00E00822 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E00829

Part of subcall function 00DC6200: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000), ref: 00DC6220

Part of subcall function 00DFDF89: __EH_prolog3.LIBCMT ref: 00DFDF90

Part of subcall function 00DFDFC6: __EH_prolog3.LIBCMT ref: 00DFDFCD

Strings

MFCShellTreeCtrl_EnableShellContextMenu, xrefs: 00E00874
TRUE, xrefs: 00E0089A

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: H_prolog3$ByteCharMultiWide
String ID: MFCShellTreeCtrl_EnableShellContextMenu$TRUE
API String ID: 2949695960-3623726486
Opcode ID: 829706e6c05c0245407436f11563082af353c6513ec4295af0efd45d81a757b4
Instruction ID: 1f8acb6f30da6893ad6be2077408ce1fcbacb09a98f0994d9cad123283c0507d
Opcode Fuzzy Hash: 829706e6c05c0245407436f11563082af353c6513ec4295af0efd45d81a757b4
Instruction Fuzzy Hash: 6D11347091024A9ADB05EBE4CC56BFEB3B5EF12301F108928B522B61D2DBB45A05CB31

Uniqueness

Uniqueness Score: -1.00%

Function 00DBA131 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetMonitorInfoW.USER32(?,?), ref: 00DBA156
CopyRect.USER32(?,?), ref: 00DBA168

Strings

(, xrefs: 00DBA14F

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: CopyInfoMonitorRect
String ID: (
API String ID: 2119610155-3887548279
Opcode ID: 834acfc731842304859e417585d399dbe2e9be49955fd8573199d780373b34b1
Instruction ID: c31c9506caf927d05669533271bff9c008fee701c21d57add4f72f55d8b13131
Opcode Fuzzy Hash: 834acfc731842304859e417585d399dbe2e9be49955fd8573199d780373b34b1
Instruction Fuzzy Hash: B611C271A00209EFCB50CFADC98599EB7F9FB48340B548869E466E7210D770F945CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00DDAEA2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00DB1C91: GetModuleHandleW.KERNEL32(?,?,00DB1D79,InitCommonControlsEx,00000000,?,00DB2B1D,00080000,00008000,?,?,00DB584C,?,00080000,?), ref: 00DB1C9F
Part of subcall function 00DB1C91: LoadLibraryW.KERNEL32(?,?,00DB1D79,InitCommonControlsEx,00000000,?,00DB2B1D,00080000,00008000,?,?,00DB584C,?,00080000,?), ref: 00DB1CAF

GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 00DDAED5
_memset.LIBCMT ref: 00DDAEEE

Strings

DllGetVersion, xrefs: 00DDAECF

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc_memset
String ID: DllGetVersion
API String ID: 3385804498-2861820592
Opcode ID: 344c058240eaaa68b2b509e1cc9ad4903a1541771db3e70a8cc9dc0817db30dd
Instruction ID: c57e1d6a5c2bf14343cdc88ca2409b18469b891e46d063d7039a59b5a2c1d5cc
Opcode Fuzzy Hash: 344c058240eaaa68b2b509e1cc9ad4903a1541771db3e70a8cc9dc0817db30dd
Instruction Fuzzy Hash: D9019EB1A002189BDB00EBBCD982BAE77F8AB09354F410176FA10F7291D7749D0497A1

Uniqueness

Uniqueness Score: -1.00%

Function 034865C6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46sleeptimeCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064), ref: 034865FD
timeGetTime.WINMM ref: 0348661F

Strings

d, xrefs: 034865EC

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: SleepTimetime
String ID: d
API String ID: 346578373-2564639436
Opcode ID: bdc6e7350d604b850f793e6b45e5ec09daba57edf50b7bc8def28c436bbe717d
Instruction ID: 6f5d9f4f0156836e1f0d900e7f9b9332104d4b2c42f2cfb82d4c44536e42b2bb
Opcode Fuzzy Hash: bdc6e7350d604b850f793e6b45e5ec09daba57edf50b7bc8def28c436bbe717d
Instruction Fuzzy Hash: 99110630900248EFCB85EFA8D688B9DB7F1AB04305F1640A6D611AB2A0D778DF41DF85

Uniqueness

Uniqueness Score: -1.00%

Function 03488BD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 03488BE6
wsprintfW.USER32 ref: 03488C42

Strings

%4d.%2d.%2d-%2d:%2d:%2d, xrefs: 03488C3A

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: LocalTimewsprintf
String ID: %4d.%2d.%2d-%2d:%2d:%2d
API String ID: 1577811021-876830276
Opcode ID: 8697ac50fdc0d803837793d42d9cc7b02d79d20edc39f9affb7257069a599803
Instruction ID: 507ff1af97a071c75cc9c741ea601f4829e92277b85f7c369885bad30a2ad63a
Opcode Fuzzy Hash: 8697ac50fdc0d803837793d42d9cc7b02d79d20edc39f9affb7257069a599803
Instruction Fuzzy Hash: F901925DC1021DAACB50AFE5D8455FEB7B8BF0CA01F105016F925F6650E6388A81DBB9

Uniqueness

Uniqueness Score: -1.00%

Function 00E14FCB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34registryclipboardCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00E14FD2
RegisterClipboardFormatW.USER32(00000010), ref: 00E1501B

Strings

ToolbarButton%p, xrefs: 00E15009

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: ClipboardFormatH_prolog3Register
String ID: ToolbarButton%p
API String ID: 1070914459-899657487
Opcode ID: 4751ae0401f6c95e1a307c77e631cd41761bea4f952cb485d603e4ce3e6c7128
Instruction ID: 427b9b4c0ced78ce7150db2180c990d3fdf912f1a3794ec9840d2de0d4a5149f
Opcode Fuzzy Hash: 4751ae0401f6c95e1a307c77e631cd41761bea4f952cb485d603e4ce3e6c7128
Instruction Fuzzy Hash: C3F08C76801614CACB10FBA0ED0AAED7274EF09314F08A415F41077292DBB89A85CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00DDAAF9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00DDAB00
GetProcAddress.KERNEL32(00000000,?), ref: 00DDAB39

Part of subcall function 00DA7416: ActivateActCtx.KERNEL32(?,?,00EFE768,00000010), ref: 00DA7436

Strings

UxTheme.dll, xrefs: 00DDAB19

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: ActivateAddressH_prolog3Proc
String ID: UxTheme.dll
API String ID: 323876227-352951104
Opcode ID: 29d046d7b83012332536da02a729c3086e6a61edee2ca2c0436b7c416d720b15
Instruction ID: 658b944a13dad8a99234ddf39f989c1d6ca7cf6a15d16b75d4f9d23e4bfb32c3
Opcode Fuzzy Hash: 29d046d7b83012332536da02a729c3086e6a61edee2ca2c0436b7c416d720b15
Instruction Fuzzy Hash: 51E06531A042085FDF11AF749D15B9837E86B09324F4AC06AFC04F7290CBB6DA01DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 03486A17 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?,?,03485FDD,?,00000000,?,?,?,?,?,03485447), ref: 03486A33
InterlockedExchange.KERNEL32(?,00000000), ref: 03486A42

Strings

OnClose===%d, xrefs: 03486A21

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: EventExchangeInterlocked
String ID: OnClose===%d
API String ID: 1909783032-4224812182
Opcode ID: 8a1f8f060de0d9c6468328cb1ed1f5a5b790e0397c6810a658ca0a3bec6d5dfa
Instruction ID: cddbd6c72ebc9471ee442d22da15f43bdec77bb78a81f4250ceb9775e54bdeb9
Opcode Fuzzy Hash: 8a1f8f060de0d9c6468328cb1ed1f5a5b790e0397c6810a658ca0a3bec6d5dfa
Instruction Fuzzy Hash: 83E0E636544204BFDB04DB99DD06E4EBBE4EF08311F144159F145DE252DA75D9109B54

Uniqueness

Uniqueness Score: -1.00%

Function 034869DD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,15FF0D6A,?,03487307,034BA3F4,74D65E10,03486DA7,?,?,?,03485D67,?,00000010,?), ref: 034869FC
InterlockedExchange.KERNEL32(74D65DF8,00000001), ref: 03486A0B

Strings

OnHandShake===%d, xrefs: 034869E7

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: EventExchangeInterlocked
String ID: OnHandShake===%d
API String ID: 1909783032-1255018270
Opcode ID: de47e81ffde7745dd9050a6370ba739c891f3c4f8d66570d82e4d8bf8ac08cf6
Instruction ID: 437d3738c894abd2d2c28cf999d8ec8277de4aa779e02501f423ee0e0fbf7e09
Opcode Fuzzy Hash: de47e81ffde7745dd9050a6370ba739c891f3c4f8d66570d82e4d8bf8ac08cf6
Instruction Fuzzy Hash: 10E08636504204BFCB04EB98DC0AD4E77E4EF08300F104059F140DE242D97299109B14

Uniqueness

Uniqueness Score: -1.00%

Function 0348645A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 16COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,00000000), ref: 0348647B

Strings

CUdpSocket::Disconnect, xrefs: 03486461
%s, xrefs: 03486466

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: ExchangeInterlocked
String ID: %s$CUdpSocket::Disconnect
API String ID: 367298776-4151877264
Opcode ID: 0c43f85802d71c4bad6d64abca3495678cdda9bded0bd50eb24ba5bb8b6a82d2
Instruction ID: 211916d4adf72fcf643be0b8a6464d57d2979aa16fc23657c8d8a65c89330a77
Opcode Fuzzy Hash: 0c43f85802d71c4bad6d64abca3495678cdda9bded0bd50eb24ba5bb8b6a82d2
Instruction Fuzzy Hash: F1D0C775554345BFEA04E79AED07B4E7798DB00615F20004EF501AE343D9A1A9004568

Uniqueness

Uniqueness Score: -1.00%

Function 03494410 Relevance: 5.2, APIs: 4, Instructions: 169COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(00000000,00000014), ref: 0349445F
SetLastError.KERNEL32(0000007E), ref: 0349449D

Memory Dump Source

Source File: 00000000.00000002.1788297572.0000000003480000.00000040.00001000.00020000.00000000.sdmp, Offset: 03480000, based on PE: true

Associated: 00000000.00000002.1788297572.00000000034D2000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3480000_Wt3pGldAnr.jbxd

Similarity

API ID: ErrorLastRead
String ID:
API String ID: 4100373531-0
Opcode ID: 8aeac4b1068b6d82896acd7d9e15af2ba7f648d215c2e4f4e1b145ee3ebb8436
Instruction ID: 89f466275261961815ce8182f051eee0b074259b08d4fb853a7fc1a3ed5981cc
Opcode Fuzzy Hash: 8aeac4b1068b6d82896acd7d9e15af2ba7f648d215c2e4f4e1b145ee3ebb8436
Instruction Fuzzy Hash: 83719E74A00209EFDF44CF89D984AADBBB1FF08314F14809AE919AB361D735AA52CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00DB65E0 Relevance: 5.0, APIs: 4, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00F18878,?,?,00000000,?,00DB6AB4,?,00000004,00DAEC17,00DA646D,00DA7D07,00000414,00DA44F4), ref: 00DB65EE
TlsGetValue.KERNEL32(00F1885C,?,?,00000000,?,00DB6AB4,?,00000004,00DAEC17,00DA646D,00DA7D07,00000414,00DA44F4), ref: 00DB6602
LeaveCriticalSection.KERNEL32(00F18878,?,?,00000000,?,00DB6AB4,?,00000004,00DAEC17,00DA646D,00DA7D07,00000414,00DA44F4), ref: 00DB6618
LeaveCriticalSection.KERNEL32(00F18878,?,?,00000000,?,00DB6AB4,?,00000004,00DAEC17,00DA646D,00DA7D07,00000414,00DA44F4), ref: 00DB6623

Memory Dump Source

Source File: 00000000.00000002.1787083815.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000000.00000002.1787067392.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787183848.0000000000ECA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787218066.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000000F21000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1787270064.0000000001093000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_da0000_Wt3pGldAnr.jbxd

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: 3ea24723c2ea44ee1b388dbbcb976404c1e1b93cdfd0104704a0010bb157d8f4
Instruction ID: 8defb798a21d449021b9abf88c0143dad8b0f91f7190a22cc289a529a7fe7678
Opcode Fuzzy Hash: 3ea24723c2ea44ee1b388dbbcb976404c1e1b93cdfd0104704a0010bb157d8f4
Instruction Fuzzy Hash: D9F05476200108DFC7205F59DC4CD967BEEFB8436471D4479E84693111D675F8058A71

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Driver: Driver Load, File: File Creation, File: File Modification, Module: Module Load
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Wt3pGldAnr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\StartMenuExperienceHos.exe

C:\ProgramData\StartMenuExperienceHos.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Windows Analysis Report
Wt3pGldAnr.exe

Function 0349B9E1 Relevance: 177.3, APIs: 55, Strings: 46, Instructions: 560
sleepregistrythreadCOMMON

Function 00DBB770 Relevance: 103.8, APIs: 48, Strings: 11, Instructions: 557
libraryloaderstringCOMMON

Function 0349A244 Relevance: 101.9, APIs: 22, Strings: 36, Instructions: 356
COMMON

Function 0349B671 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 64
COMMON

Function 00DA10BE Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 72
librarymemoryloaderCOMMON

Function 00DA28D9 Relevance: 66.7, APIs: 37, Strings: 1, Instructions: 224
sleepnetworkstringCOMMON

Function 00DBB217 Relevance: 64.8, APIs: 43, Instructions: 304
COMMON

Function 00DA5AA6 Relevance: 45.7, APIs: 21, Strings: 5, Instructions: 240
registrymemoryCOMMON

Function 00DA461F Relevance: 28.1, APIs: 4, Strings: 12, Instructions: 97
registryCOMMON

Function 00DA1194 Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 84
libraryloadermemoryCOMMON

Function 00DA4A86 Relevance: 24.5, APIs: 13, Strings: 1, Instructions: 46
threadsynchronizationsleepCOMMON

Function 0349A7F1 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 148
registryCOMMON

Function 0349B81E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 110
threadprocessfileCOMMON

Function 00DA474C Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 57
COMMON

Function 00DA58DD Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 123
registrysleepCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre